diff --git a/container/seccomp/presets_386_test.go b/container/seccomp/presets_386_test.go
new file mode 100644
index 0000000..890d455
--- /dev/null
+++ b/container/seccomp/presets_386_test.go
@@ -0,0 +1,27 @@
+package seccomp_test
+
+import (
+ . "hakurei.app/container/seccomp"
+ . "hakurei.app/container/std"
+)
+
+var bpfExpected = bpfLookup{
+ {AllowMultiarch | AllowCAN |
+ AllowBluetooth, PresetExt |
+ PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+ PresetLinux32}: toHash(
+ "e67735d24caba42b6801e829ea4393727a36c5e37b8a51e5648e7886047e8454484ff06872aaef810799c29cbd0c1b361f423ad0ef518e33f68436372cc90eb1"),
+
+ {0, 0}: toHash(
+ "5dbcc08a4a1ccd8c12dd0cf6d9817ea6d4f40246e1db7a60e71a50111c4897d69f6fb6d710382d70c18910c2e4fa2d2aeb2daed835dd2fabe3f71def628ade59"),
+ {0, PresetExt}: toHash(
+ "d6c0f130dbb5c793d1c10f730455701875778138bd2d03ca009d674842fd97a10815a8c539b76b7801a73de19463938701216b756c053ec91cfe304cba04a0ed"),
+ {0, PresetStrict}: toHash(
+ "af7d7b66f2e83f9a850472170c1b83d1371426faa9d0dee4e85b179d3ec75ca92828cb8529eb3012b559497494b2eab4d4b140605e3a26c70dfdbe5efe33c105"),
+ {0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+ "adfb4397e6eeae8c477d315d58204aae854d60071687b8df4c758e297780e02deee1af48328cef80e16e4d6ab1a66ef13e42247c3475cf447923f15cbc17a6a6"),
+ {0, PresetExt | PresetDenyDevel}: toHash(
+ "5d641321460cf54a7036a40a08e845082e1f6d65b9dee75db85ef179f2732f321b16aee2258b74273b04e0d24562e8b1e727930a7e787f41eb5c8aaa0bc22793"),
+ {0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
+ "b1f802d39de5897b1e4cb0e82a199f53df0a803ea88e2fd19491fb8c90387c9e2eaa7e323f565fecaa0202a579eb050531f22e6748e04cfd935b8faac35983ec"),
+}
diff --git a/container/std/mksysnum_linux.pl b/container/std/mksysnum_linux.pl
index 0dee69d..95a636d 100755
--- a/container/std/mksysnum_linux.pl
+++ b/container/std/mksysnum_linux.pl
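Review bot: The digests in bpfExpected carry no record of what produced them, so a future mismatch cannot be distinguished from a regeneration against different kernel headers or a changed preset rule. I'd add a comment above the table such as `// Digests of the compiled 386 filters for each preset/flag pair; regenerate after changing a preset or the std syscall table, and record the header version used.` bpfLookup and toHash are defined outside this hunk, so the digest algorithm and the compilation path are not visible here.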
@@ -9,6 +9,7 @@ use POSIX ();
 my $command = "mksysnum_linux.pl ". join(' ', @ARGV);
 my $uname_arch = (POSIX::uname)[4];
 my %syscall_cutoff_arch = (
+ "x86" => 340,
 "x86_64" => 302,
 "aarch64" => 281,
 );
diff --git a/container/std/syscall_extra_linux_386.go b/container/std/syscall_extra_linux_386.go
new file mode 100644
index 0000000..f23c919
--- /dev/null
+++ b/container/std/syscall_extra_linux_386.go
@@ -0,0 +1,13 @@
+package std
+
+var syscallNumExtra = map[string]int{
+ "kexec_file_load": SYS_KEXEC_FILE_LOAD,
+ "subpage_prot": SYS_SUBPAGE_PROT,
+ "switch_endian": SYS_SWITCH_ENDIAN,
+}
+
+const (
+ SYS_KEXEC_FILE_LOAD = __PNR_kexec_file_load
+ SYS_SUBPAGE_PROT = __PNR_subpage_prot
+ SYS_SWITCH_ENDIAN = __PNR_switch_endian
+)
diff --git a/container/std/syscall_linux_386.go b/container/std/syscall_linux_386.go
new file mode 100644
index 0000000..edc838b
--- /dev/null
+++ b/container/std/syscall_linux_386.go
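Review bot: The new `"x86" => 340` cutoff is keyed on `(POSIX::uname)[4]`, which on a 32-bit x86 host reports i386/i586/i686 (and x86_64 under a 64-bit kernel), so this entry is only selected if the lookup — outside this hunk — normalizes those names. The generated syscall_linux_386.go later in this diff starts its constant block at 341, so the 340 cutoff was applied when that file was produced; making the selection explicit, for example deriving the arch from the header filename (`unistd_32.h`) or accepting an `--arch` argument, would keep regeneration reproducible on other hosts. Separately, that generated table maps `socket`, `sendmmsg` and the rest of the socket family to `__PNR_` placeholders while the same file emits `SYS_SOCKET = 359` and `SYS_SENDMMSG = 345`; if the placeholders never match a real number, deny rules on those names would leave the direct 386 socket syscalls uncovered, which is worth confirming against how the script picks pseudo numbers.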
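Review bot: syscallNumExtra and the three `SYS_*` constants in syscall_extra_linux_386.go alias `__PNR_` placeholders without saying why, which reads as if 386 had real numbers for these calls. A comment such as `// kexec_file_load (x86_64 only), subpage_prot and switch_endian (powerpc only) have no 386 syscall number; the names resolve to __PNR_ placeholders so tables that reference them still resolve.` would make the intent clear. The `__PNR_` definitions are outside this hunk, so whether the placeholder values can ever match a real syscall number cannot be checked here.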
@@ -0,0 +1,579 @@ +// mksysnum_linux.pl /usr/include/asm/unistd_32.h +// Code generated by the command above; DO NOT EDIT. + +package std + +import . "syscall" + +var syscallNum = map[string]int{ + "restart_syscall": SYS_RESTART_SYSCALL, + "exit": SYS_EXIT, + "fork": SYS_FORK, + "read": SYS_READ, + "write": SYS_WRITE, + "open": SYS_OPEN, + "close": SYS_CLOSE, + "waitpid": SYS_WAITPID, + "creat": SYS_CREAT, + "link": SYS_LINK, + "unlink": SYS_UNLINK, + "execve": SYS_EXECVE, + "chdir": SYS_CHDIR, + "time": SYS_TIME, + "mknod": SYS_MKNOD, + "chmod": SYS_CHMOD, + "lchown": SYS_LCHOWN, + "break": SYS_BREAK, + "oldstat": SYS_OLDSTAT, + "lseek": SYS_LSEEK, + "getpid": SYS_GETPID, + "mount": SYS_MOUNT, + "umount": SYS_UMOUNT, + "setuid": SYS_SETUID, + "getuid": SYS_GETUID, + "stime": SYS_STIME, + "ptrace": SYS_PTRACE, + "alarm": SYS_ALARM, + "oldfstat": SYS_OLDFSTAT, + "pause": SYS_PAUSE, + "utime": SYS_UTIME, + "stty": SYS_STTY, + "gtty": SYS_GTTY, + "access": SYS_ACCESS, + "nice": SYS_NICE, + "ftime": SYS_FTIME, + "sync": SYS_SYNC, + "kill": SYS_KILL, + "rename": SYS_RENAME, + "mkdir": SYS_MKDIR, + "rmdir": SYS_RMDIR, + "dup": SYS_DUP, + "pipe": SYS_PIPE, + "times": SYS_TIMES, + "prof": SYS_PROF, + "brk": SYS_BRK, + "setgid": SYS_SETGID, + "getgid": SYS_GETGID, + "signal": SYS_SIGNAL, + "geteuid": SYS_GETEUID, + "getegid": SYS_GETEGID, + "acct": SYS_ACCT, + "umount2": SYS_UMOUNT2, + "lock": SYS_LOCK, + "ioctl": SYS_IOCTL, + "fcntl": SYS_FCNTL, + "mpx": SYS_MPX, + "setpgid": SYS_SETPGID, + "ulimit": SYS_ULIMIT, + "oldolduname": SYS_OLDOLDUNAME, + "umask": SYS_UMASK, + "chroot": SYS_CHROOT, + "ustat": SYS_USTAT, + "dup2": SYS_DUP2, + "getppid": SYS_GETPPID, + "getpgrp": SYS_GETPGRP, + "setsid": SYS_SETSID, + "sigaction": SYS_SIGACTION, + "sgetmask": SYS_SGETMASK, + "ssetmask": SYS_SSETMASK, + "setreuid": SYS_SETREUID, + "setregid": SYS_SETREGID, + "sigsuspend": SYS_SIGSUSPEND, + "sigpending": SYS_SIGPENDING, + "sethostname": SYS_SETHOSTNAME, + "setrlimit": SYS_SETRLIMIT, + 
"getrlimit": SYS_GETRLIMIT, + "getrusage": SYS_GETRUSAGE, + "gettimeofday": SYS_GETTIMEOFDAY, + "settimeofday": SYS_SETTIMEOFDAY, + "getgroups": SYS_GETGROUPS, + "setgroups": SYS_SETGROUPS, + "select": SYS_SELECT, + "symlink": SYS_SYMLINK, + "oldlstat": SYS_OLDLSTAT, + "readlink": SYS_READLINK, + "uselib": SYS_USELIB, + "swapon": SYS_SWAPON, + "reboot": SYS_REBOOT, + "readdir": SYS_READDIR, + "mmap": SYS_MMAP, + "munmap": SYS_MUNMAP, + "truncate": SYS_TRUNCATE, + "ftruncate": SYS_FTRUNCATE, + "fchmod": SYS_FCHMOD, + "fchown": SYS_FCHOWN, + "getpriority": SYS_GETPRIORITY, + "setpriority": SYS_SETPRIORITY, + "profil": SYS_PROFIL, + "statfs": SYS_STATFS, + "fstatfs": SYS_FSTATFS, + "ioperm": SYS_IOPERM, + "socketcall": SYS_SOCKETCALL, + "syslog": SYS_SYSLOG, + "setitimer": SYS_SETITIMER, + "getitimer": SYS_GETITIMER, + "stat": SYS_STAT, + "lstat": SYS_LSTAT, + "fstat": SYS_FSTAT, + "olduname": SYS_OLDUNAME, + "iopl": SYS_IOPL, + "vhangup": SYS_VHANGUP, + "idle": SYS_IDLE, + "vm86old": SYS_VM86OLD, + "wait4": SYS_WAIT4, + "swapoff": SYS_SWAPOFF, + "sysinfo": SYS_SYSINFO, + "ipc": SYS_IPC, + "fsync": SYS_FSYNC, + "sigreturn": SYS_SIGRETURN, + "clone": SYS_CLONE, + "setdomainname": SYS_SETDOMAINNAME, + "uname": SYS_UNAME, + "modify_ldt": SYS_MODIFY_LDT, + "adjtimex": SYS_ADJTIMEX, + "mprotect": SYS_MPROTECT, + "sigprocmask": SYS_SIGPROCMASK, + "create_module": SYS_CREATE_MODULE, + "init_module": SYS_INIT_MODULE, + "delete_module": SYS_DELETE_MODULE, + "get_kernel_syms": SYS_GET_KERNEL_SYMS, + "quotactl": SYS_QUOTACTL, + "getpgid": SYS_GETPGID, + "fchdir": SYS_FCHDIR, + "bdflush": SYS_BDFLUSH, + "sysfs": SYS_SYSFS, + "personality": SYS_PERSONALITY, + "afs_syscall": SYS_AFS_SYSCALL, + "setfsuid": SYS_SETFSUID, + "setfsgid": SYS_SETFSGID, + "_llseek": SYS__LLSEEK, + "getdents": SYS_GETDENTS, + "_newselect": SYS__NEWSELECT, + "flock": SYS_FLOCK, + "msync": SYS_MSYNC, + "readv": SYS_READV, + "writev": SYS_WRITEV, + "getsid": SYS_GETSID, + "fdatasync": SYS_FDATASYNC, + 
"_sysctl": SYS__SYSCTL, + "mlock": SYS_MLOCK, + "munlock": SYS_MUNLOCK, + "mlockall": SYS_MLOCKALL, + "munlockall": SYS_MUNLOCKALL, + "sched_setparam": SYS_SCHED_SETPARAM, + "sched_getparam": SYS_SCHED_GETPARAM, + "sched_setscheduler": SYS_SCHED_SETSCHEDULER, + "sched_getscheduler": SYS_SCHED_GETSCHEDULER, + "sched_yield": SYS_SCHED_YIELD, + "sched_get_priority_max": SYS_SCHED_GET_PRIORITY_MAX, + "sched_get_priority_min": SYS_SCHED_GET_PRIORITY_MIN, + "sched_rr_get_interval": SYS_SCHED_RR_GET_INTERVAL, + "nanosleep": SYS_NANOSLEEP, + "mremap": SYS_MREMAP, + "setresuid": SYS_SETRESUID, + "getresuid": SYS_GETRESUID, + "vm86": SYS_VM86, + "query_module": SYS_QUERY_MODULE, + "poll": SYS_POLL, + "nfsservctl": SYS_NFSSERVCTL, + "setresgid": SYS_SETRESGID, + "getresgid": SYS_GETRESGID, + "prctl": SYS_PRCTL, + "rt_sigreturn": SYS_RT_SIGRETURN, + "rt_sigaction": SYS_RT_SIGACTION, + "rt_sigprocmask": SYS_RT_SIGPROCMASK, + "rt_sigpending": SYS_RT_SIGPENDING, + "rt_sigtimedwait": SYS_RT_SIGTIMEDWAIT, + "rt_sigqueueinfo": SYS_RT_SIGQUEUEINFO, + "rt_sigsuspend": SYS_RT_SIGSUSPEND, + "pread64": SYS_PREAD64, + "pwrite64": SYS_PWRITE64, + "chown": SYS_CHOWN, + "getcwd": SYS_GETCWD, + "capget": SYS_CAPGET, + "capset": SYS_CAPSET, + "sigaltstack": SYS_SIGALTSTACK, + "sendfile": SYS_SENDFILE, + "getpmsg": SYS_GETPMSG, + "putpmsg": SYS_PUTPMSG, + "vfork": SYS_VFORK, + "ugetrlimit": SYS_UGETRLIMIT, + "mmap2": SYS_MMAP2, + "truncate64": SYS_TRUNCATE64, + "ftruncate64": SYS_FTRUNCATE64, + "stat64": SYS_STAT64, + "lstat64": SYS_LSTAT64, + "fstat64": SYS_FSTAT64, + "lchown32": SYS_LCHOWN32, + "getuid32": SYS_GETUID32, + "getgid32": SYS_GETGID32, + "geteuid32": SYS_GETEUID32, + "getegid32": SYS_GETEGID32, + "setreuid32": SYS_SETREUID32, + "setregid32": SYS_SETREGID32, + "getgroups32": SYS_GETGROUPS32, + "setgroups32": SYS_SETGROUPS32, + "fchown32": SYS_FCHOWN32, + "setresuid32": SYS_SETRESUID32, + "getresuid32": SYS_GETRESUID32, + "setresgid32": SYS_SETRESGID32, + "getresgid32": 
SYS_GETRESGID32, + "chown32": SYS_CHOWN32, + "setuid32": SYS_SETUID32, + "setgid32": SYS_SETGID32, + "setfsuid32": SYS_SETFSUID32, + "setfsgid32": SYS_SETFSGID32, + "pivot_root": SYS_PIVOT_ROOT, + "mincore": SYS_MINCORE, + "madvise": SYS_MADVISE, + "getdents64": SYS_GETDENTS64, + "fcntl64": SYS_FCNTL64, + "gettid": SYS_GETTID, + "readahead": SYS_READAHEAD, + "setxattr": SYS_SETXATTR, + "lsetxattr": SYS_LSETXATTR, + "fsetxattr": SYS_FSETXATTR, + "getxattr": SYS_GETXATTR, + "lgetxattr": SYS_LGETXATTR, + "fgetxattr": SYS_FGETXATTR, + "listxattr": SYS_LISTXATTR, + "llistxattr": SYS_LLISTXATTR, + "flistxattr": SYS_FLISTXATTR, + "removexattr": SYS_REMOVEXATTR, + "lremovexattr": SYS_LREMOVEXATTR, + "fremovexattr": SYS_FREMOVEXATTR, + "tkill": SYS_TKILL, + "sendfile64": SYS_SENDFILE64, + "futex": SYS_FUTEX, + "sched_setaffinity": SYS_SCHED_SETAFFINITY, + "sched_getaffinity": SYS_SCHED_GETAFFINITY, + "set_thread_area": SYS_SET_THREAD_AREA, + "get_thread_area": SYS_GET_THREAD_AREA, + "io_setup": SYS_IO_SETUP, + "io_destroy": SYS_IO_DESTROY, + "io_getevents": SYS_IO_GETEVENTS, + "io_submit": SYS_IO_SUBMIT, + "io_cancel": SYS_IO_CANCEL, + "fadvise64": SYS_FADVISE64, + "exit_group": SYS_EXIT_GROUP, + "lookup_dcookie": SYS_LOOKUP_DCOOKIE, + "epoll_create": SYS_EPOLL_CREATE, + "epoll_ctl": SYS_EPOLL_CTL, + "epoll_wait": SYS_EPOLL_WAIT, + "remap_file_pages": SYS_REMAP_FILE_PAGES, + "set_tid_address": SYS_SET_TID_ADDRESS, + "timer_create": SYS_TIMER_CREATE, + "timer_settime": SYS_TIMER_SETTIME, + "timer_gettime": SYS_TIMER_GETTIME, + "timer_getoverrun": SYS_TIMER_GETOVERRUN, + "timer_delete": SYS_TIMER_DELETE, + "clock_settime": SYS_CLOCK_SETTIME, + "clock_gettime": SYS_CLOCK_GETTIME, + "clock_getres": SYS_CLOCK_GETRES, + "clock_nanosleep": SYS_CLOCK_NANOSLEEP, + "statfs64": SYS_STATFS64, + "fstatfs64": SYS_FSTATFS64, + "tgkill": SYS_TGKILL, + "utimes": SYS_UTIMES, + "fadvise64_64": SYS_FADVISE64_64, + "vserver": SYS_VSERVER, + "mbind": SYS_MBIND, + "get_mempolicy": 
SYS_GET_MEMPOLICY, + "set_mempolicy": SYS_SET_MEMPOLICY, + "mq_open": SYS_MQ_OPEN, + "mq_unlink": SYS_MQ_UNLINK, + "mq_timedsend": SYS_MQ_TIMEDSEND, + "mq_timedreceive": SYS_MQ_TIMEDRECEIVE, + "mq_notify": SYS_MQ_NOTIFY, + "mq_getsetattr": SYS_MQ_GETSETATTR, + "kexec_load": SYS_KEXEC_LOAD, + "waitid": SYS_WAITID, + "add_key": SYS_ADD_KEY, + "request_key": SYS_REQUEST_KEY, + "keyctl": SYS_KEYCTL, + "ioprio_set": SYS_IOPRIO_SET, + "ioprio_get": SYS_IOPRIO_GET, + "inotify_init": SYS_INOTIFY_INIT, + "inotify_add_watch": SYS_INOTIFY_ADD_WATCH, + "inotify_rm_watch": SYS_INOTIFY_RM_WATCH, + "migrate_pages": SYS_MIGRATE_PAGES, + "openat": SYS_OPENAT, + "mkdirat": SYS_MKDIRAT, + "mknodat": SYS_MKNODAT, + "fchownat": SYS_FCHOWNAT, + "futimesat": SYS_FUTIMESAT, + "fstatat64": SYS_FSTATAT64, + "unlinkat": SYS_UNLINKAT, + "renameat": SYS_RENAMEAT, + "linkat": SYS_LINKAT, + "symlinkat": SYS_SYMLINKAT, + "readlinkat": SYS_READLINKAT, + "fchmodat": SYS_FCHMODAT, + "faccessat": SYS_FACCESSAT, + "pselect6": SYS_PSELECT6, + "ppoll": SYS_PPOLL, + "unshare": SYS_UNSHARE, + "set_robust_list": SYS_SET_ROBUST_LIST, + "get_robust_list": SYS_GET_ROBUST_LIST, + "splice": SYS_SPLICE, + "sync_file_range": SYS_SYNC_FILE_RANGE, + "tee": SYS_TEE, + "vmsplice": SYS_VMSPLICE, + "move_pages": SYS_MOVE_PAGES, + "getcpu": SYS_GETCPU, + "epoll_pwait": SYS_EPOLL_PWAIT, + "utimensat": SYS_UTIMENSAT, + "signalfd": SYS_SIGNALFD, + "timerfd_create": SYS_TIMERFD_CREATE, + "eventfd": SYS_EVENTFD, + "fallocate": SYS_FALLOCATE, + "timerfd_settime": SYS_TIMERFD_SETTIME, + "timerfd_gettime": SYS_TIMERFD_GETTIME, + "signalfd4": SYS_SIGNALFD4, + "eventfd2": SYS_EVENTFD2, + "epoll_create1": SYS_EPOLL_CREATE1, + "dup3": SYS_DUP3, + "pipe2": SYS_PIPE2, + "inotify_init1": SYS_INOTIFY_INIT1, + "preadv": SYS_PREADV, + "pwritev": SYS_PWRITEV, + "rt_tgsigqueueinfo": SYS_RT_TGSIGQUEUEINFO, + "perf_event_open": SYS_PERF_EVENT_OPEN, + "recvmmsg": __PNR_recvmmsg, + "fanotify_init": SYS_FANOTIFY_INIT, + "fanotify_mark": 
SYS_FANOTIFY_MARK, + "prlimit64": SYS_PRLIMIT64, + "name_to_handle_at": SYS_NAME_TO_HANDLE_AT, + "open_by_handle_at": SYS_OPEN_BY_HANDLE_AT, + "clock_adjtime": SYS_CLOCK_ADJTIME, + "syncfs": SYS_SYNCFS, + "sendmmsg": __PNR_sendmmsg, + "setns": SYS_SETNS, + "process_vm_readv": SYS_PROCESS_VM_READV, + "process_vm_writev": SYS_PROCESS_VM_WRITEV, + "kcmp": SYS_KCMP, + "finit_module": SYS_FINIT_MODULE, + "sched_setattr": SYS_SCHED_SETATTR, + "sched_getattr": SYS_SCHED_GETATTR, + "renameat2": SYS_RENAMEAT2, + "seccomp": SYS_SECCOMP, + "getrandom": SYS_GETRANDOM, + "memfd_create": SYS_MEMFD_CREATE, + "bpf": SYS_BPF, + "execveat": SYS_EXECVEAT, + "socket": __PNR_socket, + "socketpair": __PNR_socketpair, + "bind": __PNR_bind, + "connect": __PNR_connect, + "listen": __PNR_listen, + "accept4": __PNR_accept4, + "getsockopt": __PNR_getsockopt, + "setsockopt": __PNR_setsockopt, + "getsockname": __PNR_getsockname, + "getpeername": __PNR_getpeername, + "sendto": __PNR_sendto, + "sendmsg": __PNR_sendmsg, + "recvfrom": __PNR_recvfrom, + "recvmsg": __PNR_recvmsg, + "shutdown": __PNR_shutdown, + "userfaultfd": SYS_USERFAULTFD, + "membarrier": SYS_MEMBARRIER, + "mlock2": SYS_MLOCK2, + "copy_file_range": SYS_COPY_FILE_RANGE, + "preadv2": SYS_PREADV2, + "pwritev2": SYS_PWRITEV2, + "pkey_mprotect": SYS_PKEY_MPROTECT, + "pkey_alloc": SYS_PKEY_ALLOC, + "pkey_free": SYS_PKEY_FREE, + "statx": SYS_STATX, + "arch_prctl": SYS_ARCH_PRCTL, + "io_pgetevents": SYS_IO_PGETEVENTS, + "rseq": SYS_RSEQ, + "semget": __PNR_semget, + "semctl": __PNR_semctl, + "shmget": __PNR_shmget, + "shmctl": __PNR_shmctl, + "shmat": __PNR_shmat, + "shmdt": __PNR_shmdt, + "msgget": __PNR_msgget, + "msgsnd": __PNR_msgsnd, + "msgrcv": __PNR_msgrcv, + "msgctl": __PNR_msgctl, + "clock_gettime64": SYS_CLOCK_GETTIME64, + "clock_settime64": SYS_CLOCK_SETTIME64, + "clock_adjtime64": SYS_CLOCK_ADJTIME64, + "clock_getres_time64": SYS_CLOCK_GETRES_TIME64, + "clock_nanosleep_time64": SYS_CLOCK_NANOSLEEP_TIME64, + "timer_gettime64": 
SYS_TIMER_GETTIME64, + "timer_settime64": SYS_TIMER_SETTIME64, + "timerfd_gettime64": SYS_TIMERFD_GETTIME64, + "timerfd_settime64": SYS_TIMERFD_SETTIME64, + "utimensat_time64": SYS_UTIMENSAT_TIME64, + "pselect6_time64": SYS_PSELECT6_TIME64, + "ppoll_time64": SYS_PPOLL_TIME64, + "io_pgetevents_time64": SYS_IO_PGETEVENTS_TIME64, + "recvmmsg_time64": SYS_RECVMMSG_TIME64, + "mq_timedsend_time64": SYS_MQ_TIMEDSEND_TIME64, + "mq_timedreceive_time64": SYS_MQ_TIMEDRECEIVE_TIME64, + "semtimedop_time64": SYS_SEMTIMEDOP_TIME64, + "rt_sigtimedwait_time64": SYS_RT_SIGTIMEDWAIT_TIME64, + "futex_time64": SYS_FUTEX_TIME64, + "sched_rr_get_interval_time64": SYS_SCHED_RR_GET_INTERVAL_TIME64, + "pidfd_send_signal": SYS_PIDFD_SEND_SIGNAL, + "io_uring_setup": SYS_IO_URING_SETUP, + "io_uring_enter": SYS_IO_URING_ENTER, + "io_uring_register": SYS_IO_URING_REGISTER, + "open_tree": SYS_OPEN_TREE, + "move_mount": SYS_MOVE_MOUNT, + "fsopen": SYS_FSOPEN, + "fsconfig": SYS_FSCONFIG, + "fsmount": SYS_FSMOUNT, + "fspick": SYS_FSPICK, + "pidfd_open": SYS_PIDFD_OPEN, + "clone3": SYS_CLONE3, + "close_range": SYS_CLOSE_RANGE, + "openat2": SYS_OPENAT2, + "pidfd_getfd": SYS_PIDFD_GETFD, + "faccessat2": SYS_FACCESSAT2, + "process_madvise": SYS_PROCESS_MADVISE, + "epoll_pwait2": SYS_EPOLL_PWAIT2, + "mount_setattr": SYS_MOUNT_SETATTR, + "quotactl_fd": SYS_QUOTACTL_FD, + "landlock_create_ruleset": SYS_LANDLOCK_CREATE_RULESET, + "landlock_add_rule": SYS_LANDLOCK_ADD_RULE, + "landlock_restrict_self": SYS_LANDLOCK_RESTRICT_SELF, + "memfd_secret": SYS_MEMFD_SECRET, + "process_mrelease": SYS_PROCESS_MRELEASE, + "futex_waitv": SYS_FUTEX_WAITV, + "set_mempolicy_home_node": SYS_SET_MEMPOLICY_HOME_NODE, + "cachestat": SYS_CACHESTAT, + "fchmodat2": SYS_FCHMODAT2, + "map_shadow_stack": SYS_MAP_SHADOW_STACK, + "futex_wake": SYS_FUTEX_WAKE, + "futex_wait": SYS_FUTEX_WAIT, + "futex_requeue": SYS_FUTEX_REQUEUE, + "statmount": SYS_STATMOUNT, + "listmount": SYS_LISTMOUNT, + "lsm_get_self_attr": SYS_LSM_GET_SELF_ATTR, + 
"lsm_set_self_attr": SYS_LSM_SET_SELF_ATTR, + "lsm_list_modules": SYS_LSM_LIST_MODULES, + "mseal": SYS_MSEAL, +} + +const ( + SYS_NAME_TO_HANDLE_AT = 341 + SYS_OPEN_BY_HANDLE_AT = 342 + SYS_CLOCK_ADJTIME = 343 + SYS_SYNCFS = 344 + SYS_SENDMMSG = 345 + SYS_SETNS = 346 + SYS_PROCESS_VM_READV = 347 + SYS_PROCESS_VM_WRITEV = 348 + SYS_KCMP = 349 + SYS_FINIT_MODULE = 350 + SYS_SCHED_SETATTR = 351 + SYS_SCHED_GETATTR = 352 + SYS_RENAMEAT2 = 353 + SYS_SECCOMP = 354 + SYS_GETRANDOM = 355 + SYS_MEMFD_CREATE = 356 + SYS_BPF = 357 + SYS_EXECVEAT = 358 + SYS_SOCKET = 359 + SYS_SOCKETPAIR = 360 + SYS_BIND = 361 + SYS_CONNECT = 362 + SYS_LISTEN = 363 + SYS_ACCEPT4 = 364 + SYS_GETSOCKOPT = 365 + SYS_SETSOCKOPT = 366 + SYS_GETSOCKNAME = 367 + SYS_GETPEERNAME = 368 + SYS_SENDTO = 369 + SYS_SENDMSG = 370 + SYS_RECVFROM = 371 + SYS_RECVMSG = 372 + SYS_SHUTDOWN = 373 + SYS_USERFAULTFD = 374 + SYS_MEMBARRIER = 375 + SYS_MLOCK2 = 376 + SYS_COPY_FILE_RANGE = 377 + SYS_PREADV2 = 378 + SYS_PWRITEV2 = 379 + SYS_PKEY_MPROTECT = 380 + SYS_PKEY_ALLOC = 381 + SYS_PKEY_FREE = 382 + SYS_STATX = 383 + SYS_ARCH_PRCTL = 384 + SYS_IO_PGETEVENTS = 385 + SYS_RSEQ = 386 + SYS_SEMGET = 393 + SYS_SEMCTL = 394 + SYS_SHMGET = 395 + SYS_SHMCTL = 396 + SYS_SHMAT = 397 + SYS_SHMDT = 398 + SYS_MSGGET = 399 + SYS_MSGSND = 400 + SYS_MSGRCV = 401 + SYS_MSGCTL = 402 + SYS_CLOCK_GETTIME64 = 403 + SYS_CLOCK_SETTIME64 = 404 + SYS_CLOCK_ADJTIME64 = 405 + SYS_CLOCK_GETRES_TIME64 = 406 + SYS_CLOCK_NANOSLEEP_TIME64 = 407 + SYS_TIMER_GETTIME64 = 408 + SYS_TIMER_SETTIME64 = 409 + SYS_TIMERFD_GETTIME64 = 410 + SYS_TIMERFD_SETTIME64 = 411 + SYS_UTIMENSAT_TIME64 = 412 + SYS_PSELECT6_TIME64 = 413 + SYS_PPOLL_TIME64 = 414 + SYS_IO_PGETEVENTS_TIME64 = 416 + SYS_RECVMMSG_TIME64 = 417 + SYS_MQ_TIMEDSEND_TIME64 = 418 + SYS_MQ_TIMEDRECEIVE_TIME64 = 419 + SYS_SEMTIMEDOP_TIME64 = 420 + SYS_RT_SIGTIMEDWAIT_TIME64 = 421 + SYS_FUTEX_TIME64 = 422 + SYS_SCHED_RR_GET_INTERVAL_TIME64 = 423 + SYS_PIDFD_SEND_SIGNAL = 424 + SYS_IO_URING_SETUP = 
425 + SYS_IO_URING_ENTER = 426 + SYS_IO_URING_REGISTER = 427 + SYS_OPEN_TREE = 428 + SYS_MOVE_MOUNT = 429 + SYS_FSOPEN = 430 + SYS_FSCONFIG = 431 + SYS_FSMOUNT = 432 + SYS_FSPICK = 433 + SYS_PIDFD_OPEN = 434 + SYS_CLONE3 = 435 + SYS_CLOSE_RANGE = 436 + SYS_OPENAT2 = 437 + SYS_PIDFD_GETFD = 438 + SYS_FACCESSAT2 = 439 + SYS_PROCESS_MADVISE = 440 + SYS_EPOLL_PWAIT2 = 441 + SYS_MOUNT_SETATTR = 442 + SYS_QUOTACTL_FD = 443 + SYS_LANDLOCK_CREATE_RULESET = 444 + SYS_LANDLOCK_ADD_RULE = 445 + SYS_LANDLOCK_RESTRICT_SELF = 446 + SYS_MEMFD_SECRET = 447 + SYS_PROCESS_MRELEASE = 448 + SYS_FUTEX_WAITV = 449 + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 + SYS_STATMOUNT = 457 + SYS_LISTMOUNT = 458 + SYS_LSM_GET_SELF_ATTR = 459 + SYS_LSM_SET_SELF_ATTR = 460 + SYS_LSM_LIST_MODULES = 461 + SYS_MSEAL = 462 +) diff --git a/container/syscall_386.go b/container/syscall_386.go new file mode 100644 index 0000000..4b8e2df --- /dev/null +++ b/container/syscall_386.go @@ -0,0 +1,7 @@ +package container + +const ( + O_PATH = 0x200000 + + PR_SET_NO_NEW_PRIVS = 0x26 +) diff --git a/flake.nix b/flake.nix index 2ffe455..e158b50 100644 --- a/flake.nix +++ b/flake.nix @@ -244,10 +244,10 @@ shellHook = "exec ${pkgs.writeShellScript "generate-syscall-table" '' set -e ${pkgs.perl}/bin/perl \ - container/seccomp/mksysnum_linux.pl \ + container/std/mksysnum_linux.pl \ ${pkgs.linuxHeaders}/include/asm/unistd_64.h | \ ${pkgs.go}/bin/gofmt > \ - container/seccomp/syscall_linux_${GOARCH.${system}}.go + container/std/syscall_linux_${GOARCH.${system}}.go ''}"; }; } diff --git a/test/configuration.nix b/test/configuration.nix index 4ac8f76..1c3cce0 100644 --- a/test/configuration.nix +++ b/test/configuration.nix 
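Review bot: O_PATH and PR_SET_NO_NEW_PRIVS in syscall_386.go are bare hex constants with no source reference, and neither value is 386-specific (O_PATH is 010000000 in asm-generic/fcntl.h, PR_SET_NO_NEW_PRIVS is 38 in linux/prctl.h). I'd annotate them, `O_PATH = 0x200000 // <asm-generic/fcntl.h>, 010000000` and `PR_SET_NO_NEW_PRIVS = 0x26 // <linux/prctl.h>, 38`, and if the amd64 sibling (not in this diff) carries identical values, a single file under `//go:build 386 || amd64` would avoid the per-arch copy.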
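Review bot: The generate-syscall-table hook still hard-codes `unistd_64.h` while its output path is now `container/std/syscall_linux_${GOARCH.${system}}.go`, so for a 32-bit GOARCH it would write a 386 table built from the 64-bit header; the committed syscall_linux_386.go says it was generated from `unistd_32.h` instead. Select the header by target too, e.g. `${pkgs.linuxHeaders}/include/asm/unistd_${if pkgs.hostPlatform.is32bit then "32" else "64"}.h`, and note that mksysnum_linux.pl takes its cutoff from the host uname, so the hook currently has no way to override it for a cross build. Whether GOARCH.${system} contains any 32-bit entry is outside this hunk.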
@@ -84,7 +84,7 @@ virtualisation = {
 # Hopefully reduces spurious test failures:
- memorySize = 8192;
+ memorySize = if pkgs.hostPlatform.is32bit then 2046 else 8192;
 qemu.options = [
 # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch: