blob: cc81a483db94aaee14cfa47f333ec786dd9a8b64 [file] [log] [blame]
name: "hardening by nsjail (seccomp-bpf)"
mode: ONCE
# keep_env = true
mount_proc: true
# it runs in docker container, so ok to mount / as RO.
mount <
src: "/"
dst: "/"
is_bind: true
rw: false
is_dir: true
>
mount <
dst: "/tmp"
fstype: "tmpfs"
options: "size=5000000"
rw: true
is_dir: true
>
# input root is per request, so ok to mount it as RW.
# (does not affect to other requests).
mount <
prefix_src_env: "INPUT_ROOT"
src: ""
prefix_dst_env: "INPUT_ROOT"
dst: ""
is_bind: true
rw: true
is_dir: true
>
# default may fail with "File too large"
rlimit_fsize_type: INF
rlimit_as_type: INF
# syscalls used by clang.
seccomp_string: "ALLOW {"
seccomp_string: " access,"
seccomp_string: " alarm,"
seccomp_string: " arch_prctl,"
seccomp_string: " brk,"
seccomp_string: " chdir,"
seccomp_string: " clone,"
seccomp_string: " close,"
seccomp_string: " connect,"
seccomp_string: " dup,"
seccomp_string: " dup2,"
seccomp_string: " epoll_create1,"
seccomp_string: " execve,"
seccomp_string: " exit_group,"
seccomp_string: " fcntl,"
seccomp_string: " fstatfs,"
seccomp_string: " futex,"
seccomp_string: " getcwd,"
seccomp_string: " getdents,"
seccomp_string: " getdents64,"
seccomp_string: " getegid,"
seccomp_string: " geteuid,"
seccomp_string: " getgid,"
seccomp_string: " getpeername,"
seccomp_string: " getpgrp,"
seccomp_string: " getpid,"
seccomp_string: " getppid,"
seccomp_string: " getrandom,"
seccomp_string: " getrlimit,"
seccomp_string: " gettid,"
seccomp_string: " getuid,"
seccomp_string: " ioctl,"
seccomp_string: " lseek,"
seccomp_string: " mkdir,"
seccomp_string: " mmap,"
seccomp_string: " mprotect,"
seccomp_string: " mremap,"
seccomp_string: " munmap,"
seccomp_string: " nanosleep,"
seccomp_string: " newfstat,"
seccomp_string: " newfstatat,"
seccomp_string: " newlstat,"
seccomp_string: " newstat,"
seccomp_string: " newuname,"
seccomp_string: " open,"
seccomp_string: " openat,"
seccomp_string: " pipe,"
seccomp_string: " pipe2,"
seccomp_string: " pread64,"
seccomp_string: " prlimit64,"
seccomp_string: " read,"
seccomp_string: " readlink,"
seccomp_string: " readlinkat,"
seccomp_string: " rename,"
seccomp_string: " SYSCALL[334]," # rseq, waiting https://github.com/google/kafel/pull/26
seccomp_string: " rt_sigaction,"
seccomp_string: " rt_sigprocmask,"
seccomp_string: " rt_sigreturn,"
seccomp_string: " sched_getaffinity,"
seccomp_string: " sched_yield,"
seccomp_string: " set_robust_list,"
seccomp_string: " set_tid_address,"
seccomp_string: " sigaltstack,"
seccomp_string: " socket,"
seccomp_string: " sysinfo,"
seccomp_string: " tgkill,"
seccomp_string: " unlink,"
seccomp_string: " vfork,"
seccomp_string: " wait4,"
seccomp_string: " write,"
seccomp_string: " writev"
seccomp_string: "}"
seccomp_string: "DEFAULT KILL_PROCESS"
#seccomp_log: true
iface_no_lo: true