package entitlements
// Entitlement represents a grouping of system call rules.
//
// Name is the identifier of the group (for example "chown") and Syscalls lists
// the system call names the group covers. Both fields carry toml tags with
// omitempty so an Entitlement can be encoded to or decoded from TOML.
type Entitlement struct {
	Name     string   `toml:"Name,omitempty"`
	Syscalls []string `toml:"Syscalls,omitempty"`
}
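// SpecialFiles describes the creation of FIFOs and special files.
var SpecialFiles = Entitlement{
	Name: "special_files",
	Syscalls: []string{
		"mknod",
	},
}

// Chown describes the ability to change ownership of files.
var Chown = Entitlement{
	Name: "chown",
	Syscalls: []string{
		"chown",
		"fchown",
		"fchownat",
		"lchown",
	},
}

// Exec describes the system calls for executing programs and forking
// processes.
//
// NOTE(review): only the exec and fork families are listed; clone is not part
// of this group. Callers that expect "exec" to cover every process-creation
// path should confirm that before relying on it.
var Exec = Entitlement{
	Name: "exec",
	Syscalls: []string{
		"execve",
		"execveat",
		"fork",
		"vfork",
	},
}

// NetworkConnection describes the system calls needed for using any network
// functionality. This covers creating and configuring sockets and binding to
// and listening on them.
//
// The calls for sending/receiving messages (and connect/accept) are not part
// of this group yet; see the TODO below.
var NetworkConnection = Entitlement{
	Name: "network_connection",
	Syscalls: []string{
		"socket",
		"getsockopt",
		"setsockopt",
		"getsockname",
		"socketpair",
		"socketcall",
		"bind",
		"listen",
		// TODO: add the system calls for sending/receiving messages.
	},
}

// Mount describes the system calls for mounting and unmounting file systems.
var Mount = Entitlement{
	Name: "mount",
	Syscalls: []string{
		"mount",
		"umount",
		"umount2",
	},
}

// SetTime describes the system calls for dealing with the system clock.
//
// NOTE(review): on Linux ntp_adjtime is the libc name for the adjtimex system
// call rather than a separate syscall; keeping it here is harmless only if the
// consumer of these lists tolerates names it cannot resolve - confirm.
var SetTime = Entitlement{
	Name: "set_time",
	Syscalls: []string{
		"ntp_adjtime",
		"adjtimex",
		"clock_adjtime",
		"clock_settime",
		"settimeofday",
		"stime",
	},
}

// Tracing describes the system calls for dealing with the tracing and
// profiling facilities of the kernel - this includes ptrace and bpf, as well
// as reading and writing another process's memory.
var Tracing = Entitlement{
	Name: "tracing",
	Syscalls: []string{
		"acct",
		"ptrace",
		"lookup_dcookie",
		"bpf",
		"perf_event_open",
		"process_vm_readv",
		"process_vm_writev",
	},
}

// KernelKeyring includes the system calls needed for interacting
// with the kernel key management facility (keyrings).
var KernelKeyring = Entitlement{
	Name: "kernel_keyring",
	Syscalls: []string{
		"add_key",
		"request_key",
		"keyctl",
	},
}

// Modules includes the system calls for creating, deleting,
// and interacting with kernel modules.
var Modules = Entitlement{
	Name: "modules",
	Syscalls: []string{
		"create_module",
		"delete_module",
		"finit_module",
		"get_kernel_syms",
		"init_module",
		"query_module",
	},
}

// LoadNewKernel includes the system calls used for loading
// a new kernel into memory.
var LoadNewKernel = Entitlement{
	Name: "load_new_kernel",
	Syscalls: []string{
		"kexec_file_load",
		"kexec_load",
	},
}

// KernelMemory describes system calls that modify kernel memory
// and NUMA settings.
var KernelMemory = Entitlement{
	Name: "kernel_memory",
	Syscalls: []string{
		"get_mempolicy",
		"set_mempolicy",
		"move_pages",
		"mbind",
	},
}

// KernelIO includes system calls that modify kernel I/O privileges.
var KernelIO = Entitlement{
	Name: "kernel_io",
	Syscalls: []string{
		"ioperm",
		"iopl",
	},
}

// RootFS describes the system call for changing the root file system.
var RootFS = Entitlement{
	Name: "rootfs",
	Syscalls: []string{
		"pivot_root",
	},
}

// Namespaces describes the system calls for changing the namespaces
// of a process.
var Namespaces = Entitlement{
	Name: "namespaces",
	Syscalls: []string{
		"unshare",
		"setns",
	},
}

// SwapMemory describes the system calls for enabling and disabling
// swap areas.
var SwapMemory = Entitlement{
	Name: "swap_memory",
	Syscalls: []string{
		"swapon",
		"swapoff",
	},
}

// Reboot contains the system call for allowing a program
// to restart the system.
var Reboot = Entitlement{
	Name: "reboot",
	Syscalls: []string{
		"reboot",
	},
}

// ResourceQuota contains the system call for interacting with the
// per-user, per-group, and per-project disk quota.
var ResourceQuota = Entitlement{
	Name: "resource_quota",
	Syscalls: []string{
		"quotactl",
	},
}

// obsolete contains the system calls that are not used and probably
// have no business being allowed.
//
// NOTE(review): unlike the other groups this one is unexported and nothing in
// this file references it; if it is meant to be consumed like the rest it
// needs exporting or a package-level list that includes it.
var obsolete = Entitlement{
	Name: "obsolete",
	Syscalls: []string{
		"sysfs",
		"_sysctl",
		"personality",
		"ustat",
		"nfsservctl",
		"vm86",
		"uselib",
		"vm86old",
	},
}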