moby--moby/contrib/mkseccomp.pl

#!/usr/bin/perl
#
# A simple helper script to help people build seccomp profiles for
# Docker/LXC.  The goal is mostly to reduce the attack surface to the
# kernel, by restricting access to rarely used, recently added or not used
# syscalls.
#
# This script processes one or more files which contain the list of system
# calls to be allowed.  See mkseccomp.sample for more information how you
# can configure the list of syscalls.  When run, this script produces output
# which, when stored in a file, can be passed to docker as follows:
#
# docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>
#
# The included sample file shows how to cut about a quarter of all syscalls,
# which affecting most applications.
#
# For specific situations it is possible to reduce the list further. By
# reducing the list to just those syscalls required by a certain application
# you can make it difficult for unknown/unexpected code to run.
#
# Run this script as follows:
#
# ./mkseccomp.pl < mkseccomp.sample >syscalls.list
# or
# ./mkseccomp.pl mkseccomp.sample >syscalls.list
#
# Multiple files can be specified, in which case the lists of syscalls are
# combined.
#
# By Martijn van Oosterhout <kleptog@svana.org> Nov 2013

# How it works:
#
# This program basically spawns two processes to form a chain like:
#
# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>

use strict;
use warnings;

if( -t ) {
    print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
    print STDERR "Usage: mkseccomp.pl < [files...]\n";
    exit 1;
}

my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";

if($pid == 0) {  # Child
    $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";

    if($pid == 0) { # Child, which execs cpp
        exec "cpp" or die "Couldn't exec cpp ($!)\n";
        exit 1;
    }

    # Process the DATA section and output to cpp
    print $out "#include <sys/syscall.h>\n";
    while(<>) {
        if(/^\w/) {
            print $out "__NR_$_";
        }
    }
    close $out;
    exit 0;

}

# Print header and then process output from cpp.
print "1\n";
print "whitelist\n";

while(<$in>) {
    print if( /^[0-9]/ );
}
Add mkseccomp.pl, helper script to make seccomp profiles. 2013-11-26 10:03:36 -05:00			`#!/usr/bin/perl`
			`#`
			`# A simple helper script to help people build seccomp profiles for`
			`# Docker/LXC. The goal is mostly to reduce the attack surface to the`
			`# kernel, by restricting access to rarely used, recently added or not used`
			`# syscalls.`
			`#`
			`# This script processes one or more files which contain the list of system`
			`# calls to be allowed. See mkseccomp.sample for more information how you`
			`# can configure the list of syscalls. When run, this script produces output`
			`# which, when stored in a file, can be passed to docker as follows:`
			`#`
Update to double-dash everywhere These were found using `git grep -nE '[^-a-zA-Z0-9<>]-[a-zA-Z0-9]{2}'` (fair warning: _many_ false positives there). Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon) 2014-03-13 13:46:02 -04:00			`# docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>`
Add mkseccomp.pl, helper script to make seccomp profiles. 2013-11-26 10:03:36 -05:00			`#`
			`# The included sample file shows how to cut about a quarter of all syscalls,`
			`# which affecting most applications.`
			`#`
			`# For specific situations it is possible to reduce the list further. By`
			`# reducing the list to just those syscalls required by a certain application`
			`# you can make it difficult for unknown/unexpected code to run.`
			`#`
			`# Run this script as follows:`
			`#`
			`# ./mkseccomp.pl < mkseccomp.sample >syscalls.list`
			`# or`
			`# ./mkseccomp.pl mkseccomp.sample >syscalls.list`
			`#`
			`# Multiple files can be specified, in which case the lists of syscalls are`
			`# combined.`
			`#`
			`# By Martijn van Oosterhout <kleptog@svana.org> Nov 2013`

			`# How it works:`
			`#`
			`# This program basically spawns two processes to form a chain like:`
			`#`
			`# <process data section to prefix __NR_> \| cpp \| <add header and filter unknown syscalls>`

			`use strict;`
			`use warnings;`

			`if( -t ) {`
			`print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";`
added capabilities needed by new sysinit Docker-DCO-1.1-Signed-off-by: Fernando Mayo <fernando@tutum.co> (github: fermayo) 2014-01-08 12:38:59 -05:00			`print STDERR "Usage: mkseccomp.pl < [files...]\n";`
Add mkseccomp.pl, helper script to make seccomp profiles. 2013-11-26 10:03:36 -05:00			`exit 1;`
			`}`

			`my $pid = open(my $in, "-\|") // die "Couldn't fork1 ($!)\n";`

			`if($pid == 0) { # Child`
			`$pid = open(my $out, "\|-") // die "Couldn't fork2 ($!)\n";`

			`if($pid == 0) { # Child, which execs cpp`
			`exec "cpp" or die "Couldn't exec cpp ($!)\n";`
			`exit 1;`
			`}`

			`# Process the DATA section and output to cpp`
			`print $out "#include <sys/syscall.h>\n";`
			`while(<>) {`
			`if(/^\w/) {`
			`print $out "__NR_$_";`
			`}`
			`}`
			`close $out;`
			`exit 0;`

			`}`

			`# Print header and then process output from cpp.`
			`print "1\n";`
			`print "whitelist\n";`

			`while(<$in>) {`
			`print if( /^[0-9]/ );`
			`}`