remoteexec/nsjail.cfg - infra/goma/server - Git at Google

 name: "hardening by nsjail (seccomp-bpf)"
 mode: ONCE
 # keep_env = true
 mount_proc: true
 # it runs in docker container, so ok to mount / as RO.
 mount <
  src: "/"
  dst: "/"
  is_bind: true
  rw: false
  is_dir: true
 >
 mount <
  dst: "/tmp"
  fstype: "tmpfs"
  options: "size=5000000"
  rw: true
  is_dir: true
 >
 # input root is per request, so ok to mount it as RW.
 # (does not affect to other requests).
 mount <
  prefix_src_env: "INPUT_ROOT"
  src: ""
  prefix_dst_env: "INPUT_ROOT"
  dst: ""
  is_bind: true
  rw: true
  is_dir: true
 >
 # default may fail with "File too large"
 rlimit_fsize_type: INF
 rlimit_as_type: INF
 # syscalls used by clang.
 seccomp_string: "ALLOW {"
 seccomp_string: "  access,"
 seccomp_string: "  alarm,"
 seccomp_string: "  arch_prctl,"
 seccomp_string: "  brk,"
 seccomp_string: "  chdir,"
 seccomp_string: "  clone,"
 seccomp_string: "  close,"
 seccomp_string: "  connect,"
 seccomp_string: "  dup,"
 seccomp_string: "  dup2,"
 seccomp_string: "  epoll_create1,"
 seccomp_string: "  execve,"
 seccomp_string: "  exit_group,"
 seccomp_string: "  fcntl,"
 seccomp_string: "  fstatfs,"
 seccomp_string: "  futex,"
 seccomp_string: "  getcwd,"
 seccomp_string: "  getdents,"
 seccomp_string: "  getdents64,"
 seccomp_string: "  getegid,"
 seccomp_string: "  geteuid,"
 seccomp_string: "  getgid,"
 seccomp_string: "  getpeername,"
 seccomp_string: "  getpgrp,"
 seccomp_string: "  getpid,"
 seccomp_string: "  getppid,"
 seccomp_string: "  getrandom,"
 seccomp_string: "  getrlimit,"
 seccomp_string: "  gettid,"
 seccomp_string: "  getuid,"
 seccomp_string: "  ioctl,"
 seccomp_string: "  lseek,"
 seccomp_string: "  mkdir,"
 seccomp_string: "  mmap,"
 seccomp_string: "  mprotect,"
 seccomp_string: "  mremap,"
 seccomp_string: "  munmap,"
 seccomp_string: "  nanosleep,"
 seccomp_string: "  newfstat,"
 seccomp_string: "  newfstatat,"
 seccomp_string: "  newlstat,"
 seccomp_string: "  newstat,"
 seccomp_string: "  newuname,"
 seccomp_string: "  open,"
 seccomp_string: "  openat,"
 seccomp_string: "  pipe,"
 seccomp_string: "  pipe2,"
 seccomp_string: "  pread64,"
 seccomp_string: "  prlimit64,"
 seccomp_string: "  read,"
 seccomp_string: "  readlink,"
 seccomp_string: "  readlinkat,"
 seccomp_string: "  rename,"
 seccomp_string: "  rt_sigaction,"
 seccomp_string: "  rt_sigprocmask,"
 seccomp_string: "  rt_sigreturn,"
 seccomp_string: "  sched_getaffinity,"
 seccomp_string: "  sched_yield,"
 seccomp_string: "  set_robust_list,"
 seccomp_string: "  set_tid_address,"
 seccomp_string: "  sigaltstack,"
 seccomp_string: "  socket,"
 seccomp_string: "  sysinfo,"
 seccomp_string: "  tgkill,"
 seccomp_string: "  unlink,"
 seccomp_string: "  vfork,"
 seccomp_string: "  wait4,"
 seccomp_string: "  write,"
 seccomp_string: "  writev"
 seccomp_string: "}"
 seccomp_string: "DEFAULT KILL_PROCESS"
 #seccomp_log: true
 iface_no_lo: true
	name: "hardening by nsjail (seccomp-bpf)"
	mode: ONCE
	# keep_env = true
	mount_proc: true
	# it runs in docker container, so ok to mount / as RO.
	mount <
	src: "/"
	dst: "/"
	is_bind: true
	rw: false
	is_dir: true
	>
	mount <
	dst: "/tmp"
	fstype: "tmpfs"
	options: "size=5000000"
	rw: true
	is_dir: true
	>
	# input root is per request, so ok to mount it as RW.
	# (does not affect to other requests).
	mount <
	prefix_src_env: "INPUT_ROOT"
	src: ""
	prefix_dst_env: "INPUT_ROOT"
	dst: ""
	is_bind: true
	rw: true
	is_dir: true
	>
	# default may fail with "File too large"
	rlimit_fsize_type: INF
	rlimit_as_type: INF
	# syscalls used by clang.
	seccomp_string: "ALLOW {"
	seccomp_string: " access,"
	seccomp_string: " alarm,"
	seccomp_string: " arch_prctl,"
	seccomp_string: " brk,"
	seccomp_string: " chdir,"
	seccomp_string: " clone,"
	seccomp_string: " close,"
	seccomp_string: " connect,"
	seccomp_string: " dup,"
	seccomp_string: " dup2,"
	seccomp_string: " epoll_create1,"
	seccomp_string: " execve,"
	seccomp_string: " exit_group,"
	seccomp_string: " fcntl,"
	seccomp_string: " fstatfs,"
	seccomp_string: " futex,"
	seccomp_string: " getcwd,"
	seccomp_string: " getdents,"
	seccomp_string: " getdents64,"
	seccomp_string: " getegid,"
	seccomp_string: " geteuid,"
	seccomp_string: " getgid,"
	seccomp_string: " getpeername,"
	seccomp_string: " getpgrp,"
	seccomp_string: " getpid,"
	seccomp_string: " getppid,"
	seccomp_string: " getrandom,"
	seccomp_string: " getrlimit,"
	seccomp_string: " gettid,"
	seccomp_string: " getuid,"
	seccomp_string: " ioctl,"
	seccomp_string: " lseek,"
	seccomp_string: " mkdir,"
	seccomp_string: " mmap,"
	seccomp_string: " mprotect,"
	seccomp_string: " mremap,"
	seccomp_string: " munmap,"
	seccomp_string: " nanosleep,"
	seccomp_string: " newfstat,"
	seccomp_string: " newfstatat,"
	seccomp_string: " newlstat,"
	seccomp_string: " newstat,"
	seccomp_string: " newuname,"
	seccomp_string: " open,"
	seccomp_string: " openat,"
	seccomp_string: " pipe,"
	seccomp_string: " pipe2,"
	seccomp_string: " pread64,"
	seccomp_string: " prlimit64,"
	seccomp_string: " read,"
	seccomp_string: " readlink,"
	seccomp_string: " readlinkat,"
	seccomp_string: " rename,"
	seccomp_string: " rt_sigaction,"
	seccomp_string: " rt_sigprocmask,"
	seccomp_string: " rt_sigreturn,"
	seccomp_string: " sched_getaffinity,"
	seccomp_string: " sched_yield,"
	seccomp_string: " set_robust_list,"
	seccomp_string: " set_tid_address,"
	seccomp_string: " sigaltstack,"
	seccomp_string: " socket,"
	seccomp_string: " sysinfo,"
	seccomp_string: " tgkill,"
	seccomp_string: " unlink,"
	seccomp_string: " vfork,"
	seccomp_string: " wait4,"
	seccomp_string: " write,"
	seccomp_string: " writev"
	seccomp_string: "}"
	seccomp_string: "DEFAULT KILL_PROCESS"
	#seccomp_log: true
	iface_no_lo: true