From d90da1c8f5dacbd5b84195ce335a234b41a30aea Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 7 Jul 2025 14:58:03 +0900
Subject: [PATCH] container/seccomp: add arm64 constants

Signed-off-by: Ophestra
---
 container/seccomp/hash_arm64_test.go | 22 +
 .../seccomp/syscall_extra_linux_arm64.go | 61 +++
 container/seccomp/syscall_linux_arm64.go | 382 ++++++++++++++++++
 3 files changed, 465 insertions(+)
 create mode 100644 container/seccomp/hash_arm64_test.go
 create mode 100644 container/seccomp/syscall_extra_linux_arm64.go
 create mode 100644 container/seccomp/syscall_linux_arm64.go

diff --git a/container/seccomp/hash_arm64_test.go b/container/seccomp/hash_arm64_test.go
new file mode 100644
index 0000000..eb464c8
--- /dev/null
+++ b/container/seccomp/hash_arm64_test.go
@@ -0,0 +1,22 @@
+package seccomp_test
+
+import . "hakurei.app/container/seccomp"
+
+var bpfExpected = bpfLookup{
+ {AllowMultiarch | AllowCAN |
+ AllowBluetooth, PresetExt |
+ PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+ PresetLinux32}: toHash(
+ "1431c013f2ddac3adae577821cb5d351b1514e7c754d62346ddffd31f46ea02fb368e46e3f8104f81019617e721fe687ddd83f1e79580622ccc991da12622170"),
+
+ {0, 0}: toHash(
+ "450c21210dbf124dfa7ae56d0130f9c2e24b26f5bce8795ee75766c75850438ff9e7d91c5e73d63bbe51a5d4b06c2a0791c4de2903b2b9805f16265318183235"),
+ {0, PresetExt}: toHash(
+ "d971d0f2d30f54ac920fc6d84df2be279e9fd28cf2d48be775d7fdbd790b750e1369401cd3bb8bcf9ba3adb91874fe9792d9e3f62209b8ee59c9fdd2ddd10c7b"),
+ {0, PresetStrict}: toHash(
+ "79318538a3dc851314b6bd96f10d5861acb2aa7e13cb8de0619d0f6a76709d67f01ef3fd67e195862b02f9711e5b769bc4d1eb4fc0dfc41a723c89c968a93297"),
+ {0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+ "228286c2f5df8e44463be0a57b91977b7f38b63b09e5d98dfabe5c61545b8f9ac3e5ea3d86df55d7edf2ce61875f0a5a85c0ab82800bef178c42533e8bdc9a6c"),
+ {0, PresetExt | PresetDenyDevel}: toHash(
+ "433ce9b911282d6dcc8029319fb79b816b60d5a795ec8fc94344dd027614d68f023166a91bb881faaeeedd26e3d89474e141e5a69a97e93b8984ca8f14999980"),
+}
diff --git a/container/seccomp/syscall_extra_linux_arm64.go b/container/seccomp/syscall_extra_linux_arm64.go
new file mode 100644
index 0000000..65ea954
--- /dev/null
+++ b/container/seccomp/syscall_extra_linux_arm64.go
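Review bot: The digests in `bpfExpected` carry no record of how they were produced, so when one of them changes there is no way to tell an intentional libseccomp output change from a regression in the new arm64 syscall tables. The generated BPF presumably depends on the libseccomp build and on the arm64 tables added in this commit, so a header comment naming the inputs would make the table maintainable, e.g. `// Expected digests for arm64; regenerate after changing the syscall tables or the libseccomp build used here (<version placeholder>).`. The test also covers only six preset combinations, which is fine if it mirrors the other architectures' tables, but that cannot be confirmed from this hunk.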
@@ -0,0 +1,61 @@
+package seccomp
+
+/*
+#cgo linux pkg-config: --static libseccomp
+
+#include
+*/
+import "C"
+import "syscall"
+
+const (
+ SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]int{
+ "uselib": SYS_USELIB,
+ "clock_adjtime64": SYS_CLOCK_ADJTIME64,
+ "clock_settime64": SYS_CLOCK_SETTIME64,
+ "umount": SYS_UMOUNT,
+ "chown": SYS_CHOWN,
+ "chown32": SYS_CHOWN32,
+ "fchown32": SYS_FCHOWN32,
+ "lchown": SYS_LCHOWN,
+ "lchown32": SYS_LCHOWN32,
+ "setgid32": SYS_SETGID32,
+ "setgroups32": SYS_SETGROUPS32,
+ "setregid32": SYS_SETREGID32,
+ "setresgid32": SYS_SETRESGID32,
+ "setresuid32": SYS_SETRESUID32,
+ "setreuid32": SYS_SETREUID32,
+ "setuid32": SYS_SETUID32,
+ "modify_ldt": SYS_MODIFY_LDT,
+ "subpage_prot": SYS_SUBPAGE_PROT,
+ "switch_endian": SYS_SWITCH_ENDIAN,
+ "vm86": SYS_VM86,
+ "vm86old": SYS_VM86OLD,
+}
+
+const (
+ SYS_USELIB = C.__SNR_uselib
+ SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
+ SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
+ SYS_UMOUNT = C.__SNR_umount
+ SYS_CHOWN = C.__SNR_chown
+ SYS_CHOWN32 = C.__SNR_chown32
+ SYS_FCHOWN32 = C.__SNR_fchown32
+ SYS_LCHOWN = C.__SNR_lchown
+ SYS_LCHOWN32 = C.__SNR_lchown32
+ SYS_SETGID32 = C.__SNR_setgid32
+ SYS_SETGROUPS32 = C.__SNR_setgroups32
+ SYS_SETREGID32 = C.__SNR_setregid32
+ SYS_SETRESGID32 = C.__SNR_setresgid32
+ SYS_SETRESUID32 = C.__SNR_setresuid32
+ SYS_SETREUID32 = C.__SNR_setreuid32
+ SYS_SETUID32 = C.__SNR_setuid32
+ SYS_MODIFY_LDT = C.__SNR_modify_ldt
+ SYS_SUBPAGE_PROT = C.__SNR_subpage_prot
+ SYS_SWITCH_ENDIAN = C.__SNR_switch_endian
+ SYS_VM86 = C.__SNR_vm86
+ SYS_VM86OLD = C.__SNR_vm86old
+)
diff --git a/container/seccomp/syscall_linux_arm64.go b/container/seccomp/syscall_linux_arm64.go
new file mode 100644
index 0000000..9790ad6
--- /dev/null
+++ b/container/seccomp/syscall_linux_arm64.go
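Review bot: `syscallNumExtra` is filled with libseccomp `__SNR_*` values for syscalls that have no native arm64 number (`chown32`, `vm86`, `vm86old`, `modify_ldt`, `subpage_prot`, `switch_endian`, `umount` among them), and nothing in the file says this is deliberate; on this architecture those macros presumably expand to libseccomp's negative `__PNR_*` pseudo-syscall numbers, so a reader may take the table for a copy-paste from another arch. A comment above the map such as `// Names resolved through libseccomp; on arm64 most of these have no native syscall and resolve to negative __PNR_* pseudo-numbers — confirm how the filter builder treats them.` would record the intent. The alias `SYS_NEWFSTATAT = syscall.SYS_FSTATAT` also deserves a one-liner, since the generated arm64 table below keys the same syscall as `"newfstatat"` while the Go syscall package names it `SYS_FSTATAT` on this architecture. The cgo `#include` line shows no header name in this rendering; if `<seccomp.h>` was lost by the page rather than the patch, disregard this point.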
@@ -0,0 +1,382 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package seccomp
+
+import . "syscall"
+
+var syscallNum = map[string]int{
+ "io_setup": SYS_IO_SETUP,
+ "io_destroy": SYS_IO_DESTROY,
+ "io_submit": SYS_IO_SUBMIT,
+ "io_cancel": SYS_IO_CANCEL,
+ "io_getevents": SYS_IO_GETEVENTS,
+ "setxattr": SYS_SETXATTR,
+ "lsetxattr": SYS_LSETXATTR,
+ "fsetxattr": SYS_FSETXATTR,
+ "getxattr": SYS_GETXATTR,
+ "lgetxattr": SYS_LGETXATTR,
+ "fgetxattr": SYS_FGETXATTR,
+ "listxattr": SYS_LISTXATTR,
+ "llistxattr": SYS_LLISTXATTR,
+ "flistxattr": SYS_FLISTXATTR,
+ "removexattr": SYS_REMOVEXATTR,
+ "lremovexattr": SYS_LREMOVEXATTR,
+ "fremovexattr": SYS_FREMOVEXATTR,
+ "getcwd": SYS_GETCWD,
+ "lookup_dcookie": SYS_LOOKUP_DCOOKIE,
+ "eventfd2": SYS_EVENTFD2,
+ "epoll_create1": SYS_EPOLL_CREATE1,
+ "epoll_ctl": SYS_EPOLL_CTL,
+ "epoll_pwait": SYS_EPOLL_PWAIT,
+ "dup": SYS_DUP,
+ "dup3": SYS_DUP3,
+ "fcntl": SYS_FCNTL,
+ "inotify_init1": SYS_INOTIFY_INIT1,
+ "inotify_add_watch": SYS_INOTIFY_ADD_WATCH,
+ "inotify_rm_watch": SYS_INOTIFY_RM_WATCH,
+ "ioctl": SYS_IOCTL,
+ "ioprio_set": SYS_IOPRIO_SET,
+ "ioprio_get": SYS_IOPRIO_GET,
+ "flock": SYS_FLOCK,
+ "mknodat": SYS_MKNODAT,
+ "mkdirat": SYS_MKDIRAT,
+ "unlinkat": SYS_UNLINKAT,
+ "symlinkat": SYS_SYMLINKAT,
+ "linkat": SYS_LINKAT,
+ "renameat": SYS_RENAMEAT,
+ "umount2": SYS_UMOUNT2,
+ "mount": SYS_MOUNT,
+ "pivot_root": SYS_PIVOT_ROOT,
+ "nfsservctl": SYS_NFSSERVCTL,
+ "statfs": SYS_STATFS,
+ "fstatfs": SYS_FSTATFS,
+ "truncate": SYS_TRUNCATE,
+ "ftruncate": SYS_FTRUNCATE,
+ "fallocate": SYS_FALLOCATE,
+ "faccessat": SYS_FACCESSAT,
+ "chdir": SYS_CHDIR,
+ "fchdir": SYS_FCHDIR,
+ "chroot": SYS_CHROOT,
+ "fchmod": SYS_FCHMOD,
+ "fchmodat": SYS_FCHMODAT,
+ "fchownat": SYS_FCHOWNAT,
+ "fchown": SYS_FCHOWN,
+ "openat": SYS_OPENAT,
+ "close": SYS_CLOSE,
+ "vhangup": SYS_VHANGUP,
+ "pipe2": SYS_PIPE2,
+ "quotactl": SYS_QUOTACTL,
+ "getdents64": SYS_GETDENTS64,
+ "lseek": SYS_LSEEK,
+ "read": SYS_READ,
+ "write": SYS_WRITE,
+ "readv": SYS_READV,
+ "writev": SYS_WRITEV,
+ "pread64": SYS_PREAD64,
+ "pwrite64": SYS_PWRITE64,
+ "preadv": SYS_PREADV,
+ "pwritev": SYS_PWRITEV,
+ "sendfile": SYS_SENDFILE,
+ "pselect6": SYS_PSELECT6,
+ "ppoll": SYS_PPOLL,
+ "signalfd4": SYS_SIGNALFD4,
+ "vmsplice": SYS_VMSPLICE,
+ "splice": SYS_SPLICE,
+ "tee": SYS_TEE,
+ "readlinkat": SYS_READLINKAT,
+ "newfstatat": SYS_NEWFSTATAT,
+ "fstat": SYS_FSTAT,
+ "sync": SYS_SYNC,
+ "fsync": SYS_FSYNC,
+ "fdatasync": SYS_FDATASYNC,
+ "sync_file_range": SYS_SYNC_FILE_RANGE,
+ "timerfd_create": SYS_TIMERFD_CREATE,
+ "timerfd_settime": SYS_TIMERFD_SETTIME,
+ "timerfd_gettime": SYS_TIMERFD_GETTIME,
+ "utimensat": SYS_UTIMENSAT,
+ "acct": SYS_ACCT,
+ "capget": SYS_CAPGET,
+ "capset": SYS_CAPSET,
+ "personality": SYS_PERSONALITY,
+ "exit": SYS_EXIT,
+ "exit_group": SYS_EXIT_GROUP,
+ "waitid": SYS_WAITID,
+ "set_tid_address": SYS_SET_TID_ADDRESS,
+ "unshare": SYS_UNSHARE,
+ "futex": SYS_FUTEX,
+ "set_robust_list": SYS_SET_ROBUST_LIST,
+ "get_robust_list": SYS_GET_ROBUST_LIST,
+ "nanosleep": SYS_NANOSLEEP,
+ "getitimer": SYS_GETITIMER,
+ "setitimer": SYS_SETITIMER,
+ "kexec_load": SYS_KEXEC_LOAD,
+ "init_module": SYS_INIT_MODULE,
+ "delete_module": SYS_DELETE_MODULE,
+ "timer_create": SYS_TIMER_CREATE,
+ "timer_gettime": SYS_TIMER_GETTIME,
+ "timer_getoverrun": SYS_TIMER_GETOVERRUN,
+ "timer_settime": SYS_TIMER_SETTIME,
+ "timer_delete": SYS_TIMER_DELETE,
+ "clock_settime": SYS_CLOCK_SETTIME,
+ "clock_gettime": SYS_CLOCK_GETTIME,
+ "clock_getres": SYS_CLOCK_GETRES,
+ "clock_nanosleep": SYS_CLOCK_NANOSLEEP,
+ "syslog": SYS_SYSLOG,
+ "ptrace": SYS_PTRACE,
+ "sched_setparam": SYS_SCHED_SETPARAM,
+ "sched_setscheduler": SYS_SCHED_SETSCHEDULER,
+ "sched_getscheduler": SYS_SCHED_GETSCHEDULER,
+ "sched_getparam": SYS_SCHED_GETPARAM,
+ "sched_setaffinity": SYS_SCHED_SETAFFINITY,
+ "sched_getaffinity": SYS_SCHED_GETAFFINITY,
+ "sched_yield": SYS_SCHED_YIELD,
+ "sched_get_priority_max": SYS_SCHED_GET_PRIORITY_MAX,
+ "sched_get_priority_min": SYS_SCHED_GET_PRIORITY_MIN,
+ "sched_rr_get_interval": SYS_SCHED_RR_GET_INTERVAL,
+ "restart_syscall": SYS_RESTART_SYSCALL,
+ "kill": SYS_KILL,
+ "tkill": SYS_TKILL,
+ "tgkill": SYS_TGKILL,
+ "sigaltstack": SYS_SIGALTSTACK,
+ "rt_sigsuspend": SYS_RT_SIGSUSPEND,
+ "rt_sigaction": SYS_RT_SIGACTION,
+ "rt_sigprocmask": SYS_RT_SIGPROCMASK,
+ "rt_sigpending": SYS_RT_SIGPENDING,
+ "rt_sigtimedwait": SYS_RT_SIGTIMEDWAIT,
+ "rt_sigqueueinfo": SYS_RT_SIGQUEUEINFO,
+ "rt_sigreturn": SYS_RT_SIGRETURN,
+ "setpriority": SYS_SETPRIORITY,
+ "getpriority": SYS_GETPRIORITY,
+ "reboot": SYS_REBOOT,
+ "setregid": SYS_SETREGID,
+ "setgid": SYS_SETGID,
+ "setreuid": SYS_SETREUID,
+ "setuid": SYS_SETUID,
+ "setresuid": SYS_SETRESUID,
+ "getresuid": SYS_GETRESUID,
+ "setresgid": SYS_SETRESGID,
+ "getresgid": SYS_GETRESGID,
+ "setfsuid": SYS_SETFSUID,
+ "setfsgid": SYS_SETFSGID,
+ "times": SYS_TIMES,
+ "setpgid": SYS_SETPGID,
+ "getpgid": SYS_GETPGID,
+ "getsid": SYS_GETSID,
+ "setsid": SYS_SETSID,
+ "getgroups": SYS_GETGROUPS,
+ "setgroups": SYS_SETGROUPS,
+ "uname": SYS_UNAME,
+ "sethostname": SYS_SETHOSTNAME,
+ "setdomainname": SYS_SETDOMAINNAME,
+ "getrlimit": SYS_GETRLIMIT,
+ "setrlimit": SYS_SETRLIMIT,
+ "getrusage": SYS_GETRUSAGE,
+ "umask": SYS_UMASK,
+ "prctl": SYS_PRCTL,
+ "getcpu": SYS_GETCPU,
+ "gettimeofday": SYS_GETTIMEOFDAY,
+ "settimeofday": SYS_SETTIMEOFDAY,
+ "adjtimex": SYS_ADJTIMEX,
+ "getpid": SYS_GETPID,
+ "getppid": SYS_GETPPID,
+ "getuid": SYS_GETUID,
+ "geteuid": SYS_GETEUID,
+ "getgid": SYS_GETGID,
+ "getegid": SYS_GETEGID,
+ "gettid": SYS_GETTID,
+ "sysinfo": SYS_SYSINFO,
+ "mq_open": SYS_MQ_OPEN,
+ "mq_unlink": SYS_MQ_UNLINK,
+ "mq_timedsend": SYS_MQ_TIMEDSEND,
+ "mq_timedreceive": SYS_MQ_TIMEDRECEIVE,
+ "mq_notify": SYS_MQ_NOTIFY,
+ "mq_getsetattr": SYS_MQ_GETSETATTR,
+ "msgget": SYS_MSGGET,
+ "msgctl": SYS_MSGCTL,
+ "msgrcv": SYS_MSGRCV,
+ "msgsnd": SYS_MSGSND,
+ "semget": SYS_SEMGET,
+ "semctl": SYS_SEMCTL,
+ "semtimedop": SYS_SEMTIMEDOP,
+ "semop": SYS_SEMOP,
+ "shmget": SYS_SHMGET,
+ "shmctl": SYS_SHMCTL,
+ "shmat": SYS_SHMAT,
+ "shmdt": SYS_SHMDT,
+ "socket": SYS_SOCKET,
+ "socketpair": SYS_SOCKETPAIR,
+ "bind": SYS_BIND,
+ "listen": SYS_LISTEN,
+ "accept": SYS_ACCEPT,
+ "connect": SYS_CONNECT,
+ "getsockname": SYS_GETSOCKNAME,
+ "getpeername": SYS_GETPEERNAME,
+ "sendto": SYS_SENDTO,
+ "recvfrom": SYS_RECVFROM,
+ "setsockopt": SYS_SETSOCKOPT,
+ "getsockopt": SYS_GETSOCKOPT,
+ "shutdown": SYS_SHUTDOWN,
+ "sendmsg": SYS_SENDMSG,
+ "recvmsg": SYS_RECVMSG,
+ "readahead": SYS_READAHEAD,
+ "brk": SYS_BRK,
+ "munmap": SYS_MUNMAP,
+ "mremap": SYS_MREMAP,
+ "add_key": SYS_ADD_KEY,
+ "request_key": SYS_REQUEST_KEY,
+ "keyctl": SYS_KEYCTL,
+ "clone": SYS_CLONE,
+ "execve": SYS_EXECVE,
+ "mmap": SYS_MMAP,
+ "fadvise64": SYS_FADVISE64,
+ "swapon": SYS_SWAPON,
+ "swapoff": SYS_SWAPOFF,
+ "mprotect": SYS_MPROTECT,
+ "msync": SYS_MSYNC,
+ "mlock": SYS_MLOCK,
+ "munlock": SYS_MUNLOCK,
+ "mlockall": SYS_MLOCKALL,
+ "munlockall": SYS_MUNLOCKALL,
+ "mincore": SYS_MINCORE,
+ "madvise": SYS_MADVISE,
+ "remap_file_pages": SYS_REMAP_FILE_PAGES,
+ "mbind": SYS_MBIND,
+ "get_mempolicy": SYS_GET_MEMPOLICY,
+ "set_mempolicy": SYS_SET_MEMPOLICY,
+ "migrate_pages": SYS_MIGRATE_PAGES,
+ "move_pages": SYS_MOVE_PAGES,
+ "rt_tgsigqueueinfo": SYS_RT_TGSIGQUEUEINFO,
+ "perf_event_open": SYS_PERF_EVENT_OPEN,
+ "accept4": SYS_ACCEPT4,
+ "recvmmsg": SYS_RECVMMSG,
+ "wait4": SYS_WAIT4,
+ "prlimit64": SYS_PRLIMIT64,
+ "fanotify_init": SYS_FANOTIFY_INIT,
+ "fanotify_mark": SYS_FANOTIFY_MARK,
+ "name_to_handle_at": SYS_NAME_TO_HANDLE_AT,
+ "open_by_handle_at": SYS_OPEN_BY_HANDLE_AT,
+ "clock_adjtime": SYS_CLOCK_ADJTIME,
+ "syncfs": SYS_SYNCFS,
+ "setns": SYS_SETNS,
+ "sendmmsg": SYS_SENDMMSG,
+ "process_vm_readv": SYS_PROCESS_VM_READV,
+ "process_vm_writev": SYS_PROCESS_VM_WRITEV,
+ "kcmp": SYS_KCMP,
+ "finit_module": SYS_FINIT_MODULE,
+ "sched_setattr": SYS_SCHED_SETATTR,
+ "sched_getattr": SYS_SCHED_GETATTR,
+ "renameat2": SYS_RENAMEAT2,
+ "seccomp": SYS_SECCOMP,
+ "getrandom": SYS_GETRANDOM,
+ "memfd_create": SYS_MEMFD_CREATE,
+ "bpf": SYS_BPF,
+ "execveat": SYS_EXECVEAT,
+ "userfaultfd": SYS_USERFAULTFD,
+ "membarrier": SYS_MEMBARRIER,
+ "mlock2": SYS_MLOCK2,
+ "copy_file_range": SYS_COPY_FILE_RANGE,
+ "preadv2": SYS_PREADV2,
+ "pwritev2": SYS_PWRITEV2,
+ "pkey_mprotect": SYS_PKEY_MPROTECT,
+ "pkey_alloc": SYS_PKEY_ALLOC,
+ "pkey_free": SYS_PKEY_FREE,
+ "statx": SYS_STATX,
+ "io_pgetevents": SYS_IO_PGETEVENTS,
+ "rseq": SYS_RSEQ,
+ "kexec_file_load": SYS_KEXEC_FILE_LOAD,
+ "pidfd_send_signal": SYS_PIDFD_SEND_SIGNAL,
+ "io_uring_setup": SYS_IO_URING_SETUP,
+ "io_uring_enter": SYS_IO_URING_ENTER,
+ "io_uring_register": SYS_IO_URING_REGISTER,
+ "open_tree": SYS_OPEN_TREE,
+ "move_mount": SYS_MOVE_MOUNT,
+ "fsopen": SYS_FSOPEN,
+ "fsconfig": SYS_FSCONFIG,
+ "fsmount": SYS_FSMOUNT,
+ "fspick": SYS_FSPICK,
+ "pidfd_open": SYS_PIDFD_OPEN,
+ "clone3": SYS_CLONE3,
+ "close_range": SYS_CLOSE_RANGE,
+ "openat2": SYS_OPENAT2,
+ "pidfd_getfd": SYS_PIDFD_GETFD,
+ "faccessat2": SYS_FACCESSAT2,
+ "process_madvise": SYS_PROCESS_MADVISE,
+ "epoll_pwait2": SYS_EPOLL_PWAIT2,
+ "mount_setattr": SYS_MOUNT_SETATTR,
+ "quotactl_fd": SYS_QUOTACTL_FD,
+ "landlock_create_ruleset": SYS_LANDLOCK_CREATE_RULESET,
+ "landlock_add_rule": SYS_LANDLOCK_ADD_RULE,
+ "landlock_restrict_self": SYS_LANDLOCK_RESTRICT_SELF,
+ "memfd_secret": SYS_MEMFD_SECRET,
+ "process_mrelease": SYS_PROCESS_MRELEASE,
+ "futex_waitv": SYS_FUTEX_WAITV,
+ "set_mempolicy_home_node": SYS_SET_MEMPOLICY_HOME_NODE,
+ "cachestat": SYS_CACHESTAT,
+ "fchmodat2": SYS_FCHMODAT2,
+ "map_shadow_stack": SYS_MAP_SHADOW_STACK,
+ "futex_wake": SYS_FUTEX_WAKE,
+ "futex_wait": SYS_FUTEX_WAIT,
+ "futex_requeue": SYS_FUTEX_REQUEUE,
+ "statmount": SYS_STATMOUNT,
+ "listmount": SYS_LISTMOUNT,
+ "lsm_get_self_attr": SYS_LSM_GET_SELF_ATTR,
+ "lsm_set_self_attr": SYS_LSM_SET_SELF_ATTR,
+ "lsm_list_modules": SYS_LSM_LIST_MODULES,
+ "mseal": SYS_MSEAL,
+}
+
+const (
+ SYS_USERFAULTFD = 282
+ SYS_MEMBARRIER = 283
+ SYS_MLOCK2 = 284
+ SYS_COPY_FILE_RANGE = 285
+ SYS_PREADV2 = 286
+ SYS_PWRITEV2 = 287
+ SYS_PKEY_MPROTECT = 288
+ SYS_PKEY_ALLOC = 289
+ SYS_PKEY_FREE = 290
+ SYS_STATX = 291
+ SYS_IO_PGETEVENTS = 292
+ SYS_RSEQ = 293
+ SYS_KEXEC_FILE_LOAD = 294
+ SYS_PIDFD_SEND_SIGNAL = 424
+ SYS_IO_URING_SETUP = 425
+ SYS_IO_URING_ENTER = 426
+ SYS_IO_URING_REGISTER = 427
+ SYS_OPEN_TREE = 428
+ SYS_MOVE_MOUNT = 429
+ SYS_FSOPEN = 430
+ SYS_FSCONFIG = 431
+ SYS_FSMOUNT = 432
+ SYS_FSPICK = 433
+ SYS_PIDFD_OPEN = 434
+ SYS_CLONE3 = 435
+ SYS_CLOSE_RANGE = 436
+ SYS_OPENAT2 = 437
+ SYS_PIDFD_GETFD = 438
+ SYS_FACCESSAT2 = 439
+ SYS_PROCESS_MADVISE = 440
+ SYS_EPOLL_PWAIT2 = 441
+ SYS_MOUNT_SETATTR = 442
+ SYS_QUOTACTL_FD = 443
+ SYS_LANDLOCK_CREATE_RULESET = 444
+ SYS_LANDLOCK_ADD_RULE = 445
+ SYS_LANDLOCK_RESTRICT_SELF = 446
+ SYS_MEMFD_SECRET = 447
+ SYS_PROCESS_MRELEASE = 448
+ SYS_FUTEX_WAITV = 449
+ SYS_SET_MEMPOLICY_HOME_NODE = 450
+ SYS_CACHESTAT = 451
+ SYS_FCHMODAT2 = 452
+ SYS_MAP_SHADOW_STACK = 453
+ SYS_FUTEX_WAKE = 454
+ SYS_FUTEX_WAIT = 455
+ SYS_FUTEX_REQUEUE = 456
+ SYS_STATMOUNT = 457
+ SYS_LISTMOUNT = 458
+ SYS_LSM_GET_SELF_ATTR = 459
+ SYS_LSM_SET_SELF_ATTR = 460
+ SYS_LSM_LIST_MODULES = 461
+ SYS_MSEAL = 462
+)