We use cookies to ensure you get the best experience on our website
Página inicial Explorar Ajuda
Registrar Entrar
0ct0pu5
/
moby
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: d74b6095c9
Branches Tags
moby
/
contrib
/
mkseccomp.pl

mkseccomp.pl 2.1 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. #!/usr/bin/perl
    2. 

  2. #
    3. 

  3. # A simple helper script to help people build seccomp profiles for
    4. 

  4. # Docker/LXC.  The goal is mostly to reduce the attack surface to the
    5. 

  5. # kernel, by restricting access to rarely used, recently added or not used
    6. 

  6. # syscalls.
    7. 

  7. #
    8. 

  8. # This script processes one or more files which contain the list of system
    9. 

  9. # calls to be allowed.  See mkseccomp.sample for more information how you
    10. 

  10. # can configure the list of syscalls.  When run, this script produces output
    11. 

  11. # which, when stored in a file, can be passed to docker as follows:
    12. 

  12. #
    13. 

  13. # docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>
    14. 

  14. #
    15. 

  15. # The included sample file shows how to cut about a quarter of all syscalls,
    16. 

  16. # which affecting most applications.
    17. 

  17. #
    18. 

  18. # For specific situations it is possible to reduce the list further. By
    19. 

  19. # reducing the list to just those syscalls required by a certain application
    20. 

  20. # you can make it difficult for unknown/unexpected code to run.
    21. 

  21. #
    22. 

  22. # Run this script as follows:
    23. 

  23. #
    24. 

  24. # ./mkseccomp.pl < mkseccomp.sample >syscalls.list
    25. 

  25. # or
    26. 

  26. # ./mkseccomp.pl mkseccomp.sample >syscalls.list
    27. 

  27. #
    28. 

  28. # Multiple files can be specified, in which case the lists of syscalls are
    29. 

  29. # combined.
    30. 

  30. #
    31. 

  31. # By Martijn van Oosterhout <kleptog@svana.org> Nov 2013
    32. 

  32. 

  33. # How it works:
    34. 

  34. #
    35. 

  35. # This program basically spawns two processes to form a chain like:
    36. 

  36. #
    37. 

  37. # <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>
    38. 

  38. 

  39. use strict;
    40. 

  40. use warnings;
    41. 

  41. 

  42. if( -t ) {
    43. 

  43.     print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
    44. 

  44.     print STDERR "Usage: mkseccomp.pl < [files...]\n";
    45. 

  45.     exit 1;
    46. 

  46. }
    47. 

  47. 

  48. my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";
    49. 

  49. 

  50. if($pid == 0) {  # Child
    51. 

  51.     $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
    52. 

  52. 

  53.     if($pid == 0) { # Child, which execs cpp
    54. 

  54.         exec "cpp" or die "Couldn't exec cpp ($!)\n";
    55. 

  55.         exit 1;
    56. 

  56.     }
    57. 

  57. 

  58.     # Process the DATA section and output to cpp
    59. 

  59.     print $out "#include <sys/syscall.h>\n";
    60. 

  60.     while(<>) {
    61. 

  61.         if(/^\w/) {
    62. 

  62.             print $out "__NR_$_";
    63. 

  63.         }
    64. 

  64.     }
    65. 

  65.     close $out;
    66. 

  66.     exit 0;
    67. 

  67. 

  68. }
    69. 

  69. 

  70. # Print header and then process output from cpp.
    71. 

  71. print "1\n";
    72. 

  72. print "whitelist\n";
    73. 

  73. 

  74. while(<$in>) {
    75. 

  75.     print if( /^[0-9]/ );
    76. 

  76. }
    77. 

  77.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5