From 2eeecce371854c75da0b13a7c51a3f83199c28f2 Mon Sep 17 00:00:00 2001 From: Kunhoon Baik Date: Fri, 16 Jul 2021 18:10:46 +0900 Subject: [PATCH] Add runner-sandbox.cfg for Tizen nsjail test Nsjail uses a specific configuration file for jailing. For testing nsjail in Tizen, sthub script engine runner sandbox.cfg is added. You can test it like following. nsjail -v --config /usr/share/runner-sandbox.cfg -- /usr/bin/nsjail_test/jail_mem_syscall_test --- packaging/nsjail.manifest | 5 + packaging/nsjail.spec | 8 + test/runner-sandbox.cfg | 510 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 523 insertions(+) create mode 100644 packaging/nsjail.manifest create mode 100644 test/runner-sandbox.cfg diff --git a/packaging/nsjail.manifest b/packaging/nsjail.manifest new file mode 100644 index 0000000..97e8c31 --- /dev/null +++ b/packaging/nsjail.manifest @@ -0,0 +1,5 @@ + + + + + diff --git a/packaging/nsjail.spec b/packaging/nsjail.spec index 8b84cb3..e698736 100644 --- a/packaging/nsjail.spec +++ b/packaging/nsjail.spec @@ -11,6 +11,7 @@ Group: System/Other URL: https://nsjail.com Source0: nsjail-%{version}.tar.gz #Source1: kafel.tar.gz +Source1001: %{name}.manifest BuildRequires: autoconf BuildRequires: bison BuildRequires: flex @@ -36,6 +37,7 @@ Tizen simple test programs to check nsjail execution validation in Tizen platfor %prep %setup -q +cp %{SOURCE1001} . %build export CFLAGS="$CFLAGS -DTIZEN" @@ -49,16 +51,22 @@ popd test %install mkdir -p %{buildroot}/%{_bindir}/ mkdir -p %{buildroot}/%{_bindir}/nsjail_test/ +mkdir -p %{buildroot}/usr/share/ cp nsjail %{buildroot}/%{_bindir}/ cp -a test/*_test %{buildroot}/%{_bindir}/nsjail_test/ +cp -a test/*.cfg %{buildroot}/usr/share/ + %files +%manifest %{name}.manifest %license LICENSE %{_bindir}/nsjail %files test +%manifest %{name}.manifest %{_bindir}/nsjail_test/* +/usr/share/* %changelog * Mon Jul 7 2021 Baik diff --git a/test/runner-sandbox.cfg b/test/runner-sandbox.cfg new file mode 100644 index 0000000..c7da9bf 
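Review bot: The `%files test` entry `/usr/share/*`, together with `cp -a test/*.cfg %{buildroot}/usr/share/` in `%install`, drops the sandbox policy straight into the top-level share directory and makes the test subpackage own whatever that glob matches. A package-specific directory and an explicit entry would be safer to maintain, for example `mkdir -p %{buildroot}%{_datadir}/nsjail/` and `%{_datadir}/nsjail/runner-sandbox.cfg`, which also matches the `%{_bindir}` macro already used for the binaries. The example command in the commit message would then need the new path.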
--- /dev/null
+++ b/test/runner-sandbox.cfg
@@ -0,0 +1,510 @@
+name: "runner-sandbox"
+description: "Nsjail setup for scripting-engine-runner sandbox"
+
+# Run the command once
+mode: ONCE
+
+# uts host name
+hostname: "malort-jail"
+
+# Cwd
+cwd: "/"
+
+# Allow the process to run indefinitely
+time_limit: 0
+
+## Environment variables
+# Runner needs the location for lua-libs
+envar: "HUBCORE_LUA_LIB_DIR=/usr/share/lua-libs"
+
+## Rlimit settings
+# Address space
+#rlimit_as: 0
+
+# Core dump file size
+#rlimit_core: 0
+
+# Total CPU run time, seconds
+#rlimit_cpu: 0
+rlimit_cpu_type: INF
+
+# Maximum file size
+#rlimit_fsize: 0
+
+# Maximum number of files
+#rlimit_nofile: 0
+
+# Maximum number of processes
+# Warn: Documentation says this is tricky, fiddle at your own risk!
+#rlimit_nproc: 0
+
+# Maximum stack size
+#rlimit_stack: 0
+
+## Uid/Gid re-mapping
+# set uid
+uidmap {
+ inside_id: "9999"
+}
+
+# set gid
+gidmap {
+ inside_id: "9999"
+}
+
+clone_newnet: true
+clone_newuser: true
+clone_newns: true
+clone_newpid: true
+clone_newipc: true
+clone_newuts: true
+clone_newcgroup: true
+
+cgroup_mem_max: 10000000
+cgroup_cpu_ms_per_sec: 100
+
+pass_fd: 10
+
+## Mount settings
+mount_proc: false
+
+# Mount lib directory
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+ nosuid: true
+ nodev: true
+ rw: false
+}
+
+mount {
+ src: "/bin"
+ dst: "/bin"
+ is_bind: true
+ nosuid: true
+ nodev: true
+ rw: false
+}
+
+mount {
+ src: "/usr"
+ dst: "/usr"
+ is_bind: true
+ nosuid: true
+ nodev: true
+ rw: false
+}
+
+# Seccomp settings
+seccomp_string: "ALLOW {"
+seccomp_string: " SYSCALL[1]," #exit
+#seccomp_string: " SYSCALL[2]," #fork
+seccomp_string: " SYSCALL[3]," #read
+seccomp_string: " SYSCALL[4]," #write
+seccomp_string: " SYSCALL[5]," #open
+seccomp_string: " SYSCALL[6]," #close
+#seccomp_string: " SYSCALL[7]," #NA
+#seccomp_string: " SYSCALL[8]," #creat
+#seccomp_string: " SYSCALL[9]," #link
+#seccomp_string: " SYSCALL[10]," #unlink
+seccomp_string: " SYSCALL[11]," #execve
+seccomp_string: " 
SYSCALL[12]," #chdir
+#seccomp_string: " SYSCALL[13]," #NA
+#seccomp_string: " SYSCALL[14]," #mknod
+#seccomp_string: " SYSCALL[15]," #chmod
+#seccomp_string: " SYSCALL[16]," #lchown
+#seccomp_string: " SYSCALL[17]," #NA
+#seccomp_string: " SYSCALL[18]," #NA
+#seccomp_string: " SYSCALL[19]," #lseek
+seccomp_string: " SYSCALL[20]," #getpid
+#seccomp_string: " SYSCALL[21]," #mount
+#seccomp_string: " SYSCALL[22]," #NA
+#seccomp_string: " SYSCALL[23]," #setuid
+seccomp_string: " SYSCALL[24]," #getuid
+#seccomp_string: " SYSCALL[25]," #NA
+#seccomp_string: " SYSCALL[26]," #ptrace
+#seccomp_string: " SYSCALL[27]," #NA
+#seccomp_string: " SYSCALL[28]," #NA
+#seccomp_string: " SYSCALL[29]," #pause
+#seccomp_string: " SYSCALL[30]," #NA
+#seccomp_string: " SYSCALL[31]," #NA
+#seccomp_string: " SYSCALL[32]," #NA
+seccomp_string: " SYSCALL[33]," #access
+#seccomp_string: " SYSCALL[34]," #nice
+#seccomp_string: " SYSCALL[35]," #NA
+#seccomp_string: " SYSCALL[36]," #sync
+#seccomp_string: " SYSCALL[37]," #kill
+#seccomp_string: " SYSCALL[38]," #rename
+#seccomp_string: " SYSCALL[39]," #mkdir
+#seccomp_string: " SYSCALL[40]," #rmdir
+seccomp_string: " SYSCALL[41]," #dup
+seccomp_string: " SYSCALL[42]," #pipe
+#seccomp_string: " SYSCALL[43]," #times
+#seccomp_string: " SYSCALL[44]," #NA
+seccomp_string: " SYSCALL[45]," #brk
+#seccomp_string: " SYSCALL[46]," #setgid
+seccomp_string: " SYSCALL[47]," #getgid
+#seccomp_string: " SYSCALL[48]," #NA
+seccomp_string: " SYSCALL[49]," #geteuid
+seccomp_string: " SYSCALL[50]," #getegid
+#seccomp_string: " SYSCALL[51]," #acct
+#seccomp_string: " SYSCALL[52]," #umount2
+#seccomp_string: " SYSCALL[53]," #NA
+seccomp_string: " SYSCALL[54]," #ioctl
+seccomp_string: " SYSCALL[55]," #fcntl
+#seccomp_string: " SYSCALL[56]," #NA
+#seccomp_string: " SYSCALL[57]," #setpgid
+#seccomp_string: " SYSCALL[58]," #NA
+#seccomp_string: " SYSCALL[59]," #NA
+#seccomp_string: " SYSCALL[60]," #umask
+#seccomp_string: " SYSCALL[61]," #chroot
+#seccomp_string: " 
SYSCALL[62]," #ustat
+seccomp_string: " SYSCALL[63]," #dup2
+seccomp_string: " SYSCALL[64]," #getppid
+#seccomp_string: " SYSCALL[65]," #getpgrp
+#seccomp_string: " SYSCALL[66]," #setsid
+#seccomp_string: " SYSCALL[67]," #sigaction
+#seccomp_string: " SYSCALL[68]," #NA
+#seccomp_string: " SYSCALL[69]," #NA
+#seccomp_string: " SYSCALL[70]," #setreuid
+#seccomp_string: " SYSCALL[71]," #setregid
+#seccomp_string: " SYSCALL[72]," #sigsuspend
+#seccomp_string: " SYSCALL[73]," #sigpending
+#seccomp_string: " SYSCALL[74]," #sethostname
+#seccomp_string: " SYSCALL[75]," #setrlimit
+#seccomp_string: " SYSCALL[76]," #old_getrlimit/NA
+#seccomp_string: " SYSCALL[77]," #getrusage
+seccomp_string: " SYSCALL[78]," #gettimeofday
+#seccomp_string: " SYSCALL[79]," #settimeofday
+#seccomp_string: " SYSCALL[80]," #getgroups
+#seccomp_string: " SYSCALL[81]," #setgroups
+#seccomp_string: " SYSCALL[82]," #NA
+#seccomp_string: " SYSCALL[83]," #symlink
+#seccomp_string: " SYSCALL[84]," #NA
+seccomp_string: " SYSCALL[85]," #readlink
+#seccomp_string: " SYSCALL[86]," #uselib
+#seccomp_string: " SYSCALL[87]," #swapon
+#seccomp_string: " SYSCALL[88]," #reboot
+seccomp_string: " SYSCALL[89]," #readdir
+seccomp_string: " SYSCALL[90]," #mmap
+seccomp_string: " SYSCALL[91]," #munmap
+#seccomp_string: " SYSCALL[92]," #truncate
+#seccomp_string: " SYSCALL[93]," #ftruncate
+#seccomp_string: " SYSCALL[94]," #fchmod
+#seccomp_string: " SYSCALL[95]," #fchown
+#seccomp_string: " SYSCALL[96]," #getpriority
+#seccomp_string: " SYSCALL[97]," #setpriority
+#seccomp_string: " SYSCALL[98]," #NA
+#seccomp_string: " SYSCALL[99]," #statfs
+#seccomp_string: " SYSCALL[100]," #fstatfs
+#seccomp_string: " SYSCALL[101]," #NA
+#seccomp_string: " SYSCALL[102]," #NA
+#seccomp_string: " SYSCALL[103]," #syslog
+#seccomp_string: " SYSCALL[104]," #setitimer
+#seccomp_string: " SYSCALL[105]," #getitimer
+seccomp_string: " SYSCALL[106]," #stat
+seccomp_string: " SYSCALL[107]," #lstat
+seccomp_string: " SYSCALL[108]," #fstat
+#seccomp_string: " SYSCALL[109]," #NA
+#seccomp_string: " SYSCALL[110]," #NA
+#seccomp_string: " SYSCALL[111]," #vhangup
+#seccomp_string: " SYSCALL[112]," #NA
+#seccomp_string: " SYSCALL[113]," #NA
+seccomp_string: " SYSCALL[114]," #wait4
+#seccomp_string: " SYSCALL[115]," #swapoff
+#seccomp_string: " SYSCALL[116]," #sysinfo
+#seccomp_string: " SYSCALL[117]," #NA
+#seccomp_string: " SYSCALL[118]," #fsync
+seccomp_string: " SYSCALL[119]," #sigreturn
+#seccomp_string: " SYSCALL[120]," #clone
+#seccomp_string: " SYSCALL[121]," #setdomainname
+seccomp_string: " SYSCALL[122]," #uname
+#seccomp_string: " SYSCALL[123]," #NA
+#seccomp_string: " SYSCALL[124]," #adjtimex
+seccomp_string: " SYSCALL[125]," #mprotect
+seccomp_string: " SYSCALL[126]," #sigprocmask
+#seccomp_string: " SYSCALL[127]," #NA
+#seccomp_string: " SYSCALL[128]," #init_module
+#seccomp_string: " SYSCALL[129]," #delete_module
+#seccomp_string: " SYSCALL[130]," #NA
+#seccomp_string: " SYSCALL[131]," #quotactl
+seccomp_string: " SYSCALL[132]," #getpgid
+seccomp_string: " SYSCALL[133]," #fchdir
+#seccomp_string: " SYSCALL[134]," #bdflush
+#seccomp_string: " SYSCALL[135]," #sysfs
+#seccomp_string: " SYSCALL[136]," #personality
+#seccomp_string: " SYSCALL[137]," #NA
+#seccomp_string: " SYSCALL[138]," #setfsuid
+#seccomp_string: " SYSCALL[139]," #setfsgid
+#seccomp_string: " SYSCALL[140]," #_llseek
+#seccomp_string: " SYSCALL[141]," #getdents
+seccomp_string: " SYSCALL[142]," #_newselect
+#seccomp_string: " SYSCALL[143]," #flock
+#seccomp_string: " SYSCALL[144]," #msync
+seccomp_string: " SYSCALL[145]," #readv
+#seccomp_string: " SYSCALL[146]," #writev
+#seccomp_string: " SYSCALL[147]," #getsid
+#seccomp_string: " SYSCALL[148]," #fdatasync
+#seccomp_string: " SYSCALL[149]," #_sysctl
+#seccomp_string: " SYSCALL[150]," #mlock
+#seccomp_string: " SYSCALL[151]," #munlock
+#seccomp_string: " SYSCALL[152]," #mlockall
+#seccomp_string: " SYSCALL[153]," #munlockall
+#seccomp_string: " SYSCALL[154]," #sched_setparam
+#seccomp_string: " SYSCALL[155]," #sched_getparam
+#seccomp_string: " SYSCALL[156]," #sched_setscheduler
+#seccomp_string: " SYSCALL[157]," #sched_getscheduler
+seccomp_string: " SYSCALL[158]," #sched_yield
+#seccomp_string: " SYSCALL[159]," #sched_get_priority_max
+#seccomp_string: " SYSCALL[160]," #sched_get_priority_min
+#seccomp_string: " SYSCALL[161]," #sched_rr_get_interval
+seccomp_string: " SYSCALL[162]," #nanosleep
+seccomp_string: " SYSCALL[163]," #mremap
+#seccomp_string: " SYSCALL[164]," #setresuid
+#seccomp_string: " SYSCALL[165]," #getresuid
+#seccomp_string: " SYSCALL[166]," #NA
+#seccomp_string: " SYSCALL[167]," #NA
+seccomp_string: " SYSCALL[168]," #poll
+#seccomp_string: " SYSCALL[169]," #nfsservctl
+#seccomp_string: " SYSCALL[170]," #setresgid
+#seccomp_string: " SYSCALL[171]," #getresgid
+#seccomp_string: " SYSCALL[172]," #prctl
+seccomp_string: " SYSCALL[173]," #rt_sigreturn
+seccomp_string: " SYSCALL[174]," #rt_sigaction
+seccomp_string: " SYSCALL[175]," #rt_sigprocmask
+seccomp_string: " SYSCALL[176]," #rt_sigpending
+seccomp_string: " SYSCALL[177]," #rt_sigtimedwait
+#seccomp_string: " SYSCALL[178]," #rt_sigqueueinfo
+seccomp_string: " SYSCALL[179]," #rt_sigsuspend
+seccomp_string: " SYSCALL[180]," #pread64
+#seccomp_string: " SYSCALL[181]," #pwrite64
+#seccomp_string: " SYSCALL[182]," #chown
+seccomp_string: " SYSCALL[183]," #getcwd
+#seccomp_string: " SYSCALL[184]," #capget
+#seccomp_string: " SYSCALL[185]," #capset
+seccomp_string: " SYSCALL[186]," #sigaltstack
+#seccomp_string: " SYSCALL[187]," #sendfile
+#seccomp_string: " SYSCALL[188]," #NA
+#seccomp_string: " SYSCALL[189]," #NA
+#seccomp_string: " SYSCALL[190]," #vfork
+seccomp_string: " SYSCALL[191]," #ugetrlimit
+seccomp_string: " SYSCALL[192]," #mmap2
+#seccomp_string: " SYSCALL[193]," #truncate64
+#seccomp_string: " SYSCALL[194]," #ftruncate64
+seccomp_string: " SYSCALL[195]," #stat64
+seccomp_string: " SYSCALL[196]," #lstat64
+seccomp_string: " SYSCALL[197]," #fstat64
+#seccomp_string: " SYSCALL[198]," #lchown32
+seccomp_string: " SYSCALL[199]," #getuid32
+seccomp_string: " SYSCALL[200]," #getgid32
+seccomp_string: " SYSCALL[201]," #geteuid32
+seccomp_string: " SYSCALL[202]," #getegid32
+#seccomp_string: " SYSCALL[203]," #setreuid32
+#seccomp_string: " SYSCALL[204]," #setregid32
+#seccomp_string: " SYSCALL[205]," #getgroups32
+#seccomp_string: " SYSCALL[206]," #setgroups32
+#seccomp_string: " SYSCALL[207]," #fchown32
+#seccomp_string: " SYSCALL[208]," #setresuid32
+#seccomp_string: " SYSCALL[209]," #getresuid32
+#seccomp_string: " SYSCALL[210]," #setresgid32
+#seccomp_string: " SYSCALL[211]," #getresgid32
+#seccomp_string: " SYSCALL[212]," #chown32
+#seccomp_string: " SYSCALL[213]," #setuid32
+#seccomp_string: " SYSCALL[214]," #setgid32
+#seccomp_string: " SYSCALL[215]," #setfsuid32
+#seccomp_string: " SYSCALL[216]," #setfsgid32
+#seccomp_string: " SYSCALL[217]," #getdents64
+#seccomp_string: " SYSCALL[218]," #pivot_root
+#seccomp_string: " SYSCALL[219]," #mincore
+#seccomp_string: " SYSCALL[220]," #madvise
+seccomp_string: " SYSCALL[221]," #fcntl64
+#seccomp_string: " SYSCALL[222]," #NA
+#seccomp_string: " SYSCALL[223]," #NA
+#seccomp_string: " SYSCALL[224]," #gettid
+#seccomp_string: " SYSCALL[225]," #readahead
+#seccomp_string: " SYSCALL[226]," #setxattr
+#seccomp_string: " SYSCALL[227]," #lsetxattr
+#seccomp_string: " SYSCALL[228]," #fsetxattr
+#seccomp_string: " SYSCALL[229]," #getxattr
+#seccomp_string: " SYSCALL[230]," #lgetxattr
+#seccomp_string: " SYSCALL[231]," #fgetxattr
+#seccomp_string: " SYSCALL[232]," #listxattr
+#seccomp_string: " SYSCALL[233]," #llistxattr
+#seccomp_string: " SYSCALL[234]," #flistxattr
+#seccomp_string: " SYSCALL[235]," #removexattr
+#seccomp_string: " SYSCALL[236]," #lremovexattr
+#seccomp_string: " SYSCALL[237]," #fremovexattr
+#seccomp_string: " SYSCALL[238]," #tkill
+#seccomp_string: " SYSCALL[239]," #sendfile64
+seccomp_string: " SYSCALL[240]," #futex
+#seccomp_string: " SYSCALL[241]," 
#sched_setaffinity
+seccomp_string: " SYSCALL[242]," #sched_getaffinity
+#seccomp_string: " SYSCALL[243]," #io_setup
+#seccomp_string: " SYSCALL[244]," #io_destroy
+#seccomp_string: " SYSCALL[245]," #io_getevents
+#seccomp_string: " SYSCALL[246]," #io_submit
+#seccomp_string: " SYSCALL[247]," #io_cancel
+seccomp_string: " SYSCALL[248]," #exit_group
+#seccomp_string: " SYSCALL[249]," #lookup_dcookie
+seccomp_string: " SYSCALL[250]," #epoll_create
+seccomp_string: " SYSCALL[251]," #epoll_ctl
+seccomp_string: " SYSCALL[252]," #epoll_wait
+#seccomp_string: " SYSCALL[253]," #remap_file_pages
+#seccomp_string: " SYSCALL[254]," #NA
+#seccomp_string: " SYSCALL[255]," #NA
+seccomp_string: " SYSCALL[256]," #set_tid_address
+#seccomp_string: " SYSCALL[257]," #timer_create
+#seccomp_string: " SYSCALL[258]," #timer_settime
+#seccomp_string: " SYSCALL[259]," #timer_gettime
+#seccomp_string: " SYSCALL[260]," #timer_getoverrun
+#seccomp_string: " SYSCALL[261]," #timer_delete
+#seccomp_string: " SYSCALL[262]," #clock_settime
+seccomp_string: " SYSCALL[263]," #clock_gettime
+seccomp_string: " SYSCALL[264]," #clock_getres
+seccomp_string: " SYSCALL[265]," #clock_nanosleep
+#seccomp_string: " SYSCALL[266]," #statfs64
+#seccomp_string: " SYSCALL[267]," #fstatfs64
+#seccomp_string: " SYSCALL[268]," #tgkill
+#seccomp_string: " SYSCALL[269]," #utimes
+#seccomp_string: " SYSCALL[270]," #arm_fadvise64_64
+#seccomp_string: " SYSCALL[271]," #pciconfig_iobase
+#seccomp_string: " SYSCALL[272]," #pciconfig_read
+#seccomp_string: " SYSCALL[273]," #pciconfig_write
+#seccomp_string: " SYSCALL[274]," #mq_open
+#seccomp_string: " SYSCALL[275]," #mq_unlink
+#seccomp_string: " SYSCALL[276]," #mq_timedsend
+#seccomp_string: " SYSCALL[277]," #mq_timedreceive
+#seccomp_string: " SYSCALL[278]," #mq_notify
+#seccomp_string: " SYSCALL[279]," #mq_getsetattr
+#seccomp_string: " SYSCALL[280]," #waitid
+#seccomp_string: " SYSCALL[281]," #socket
+#seccomp_string: " SYSCALL[282]," #bind
+#seccomp_string: " 
SYSCALL[283]," #connect
+seccomp_string: " SYSCALL[284]," #listen
+seccomp_string: " SYSCALL[285]," #accept
+#seccomp_string: " SYSCALL[286]," #getsockname
+#seccomp_string: " SYSCALL[287]," #getpeername
+#seccomp_string: " SYSCALL[288]," #socketpair
+#seccomp_string: " SYSCALL[289]," #send
+#seccomp_string: " SYSCALL[290]," #sendto
+seccomp_string: " SYSCALL[291]," #recv
+#seccomp_string: " SYSCALL[292]," #recvfrom
+#seccomp_string: " SYSCALL[293]," #shutdown
+#seccomp_string: " SYSCALL[294]," #setsockopt
+#seccomp_string: " SYSCALL[295]," #getsockopt
+#seccomp_string: " SYSCALL[296]," #sendmsg
+#seccomp_string: " SYSCALL[297]," #recvmsg
+#seccomp_string: " SYSCALL[298]," #semop
+#seccomp_string: " SYSCALL[299]," #semget
+#seccomp_string: " SYSCALL[300]," #semctl
+#seccomp_string: " SYSCALL[301]," #msgsnd
+#seccomp_string: " SYSCALL[302]," #msgrcv
+#seccomp_string: " SYSCALL[303]," #msgget
+#seccomp_string: " SYSCALL[304]," #msgctl
+#seccomp_string: " SYSCALL[305]," #shmat
+#seccomp_string: " SYSCALL[306]," #shmdt
+#seccomp_string: " SYSCALL[307]," #shmget
+#seccomp_string: " SYSCALL[308]," #shmctl
+#seccomp_string: " SYSCALL[309]," #add_key
+#seccomp_string: " SYSCALL[310]," #request_key
+#seccomp_string: " SYSCALL[311]," #keyctl
+#seccomp_string: " SYSCALL[312]," #semtimedop
+#seccomp_string: " SYSCALL[313]," #vserver
+#seccomp_string: " SYSCALL[314]," #ioprio_set
+#seccomp_string: " SYSCALL[315]," #ioprio_get
+#seccomp_string: " SYSCALL[316]," #inotify_init
+#seccomp_string: " SYSCALL[317]," #inotify_add_watch
+#seccomp_string: " SYSCALL[318]," #inotify_rm_watch
+#seccomp_string: " SYSCALL[319]," #mbind
+#seccomp_string: " SYSCALL[320]," #get_mempolicy
+#seccomp_string: " SYSCALL[321]," #set_mempolicy
+seccomp_string: " SYSCALL[322]," #openat
+#seccomp_string: " SYSCALL[323]," #mkdirat
+#seccomp_string: " SYSCALL[324]," #mknodat
+#seccomp_string: " SYSCALL[325]," #fchownat
+#seccomp_string: " SYSCALL[326]," #futimesat
+seccomp_string: " SYSCALL[327]," 
#fstatat64
+#seccomp_string: " SYSCALL[328]," #unlinkat
+#seccomp_string: " SYSCALL[329]," #renameat
+#seccomp_string: " SYSCALL[330]," #linkat
+#seccomp_string: " SYSCALL[331]," #symlinkat
+seccomp_string: " SYSCALL[332]," #readlinkat
+#seccomp_string: " SYSCALL[333]," #fchmodat
+seccomp_string: " SYSCALL[334]," #faccessat
+seccomp_string: " SYSCALL[335]," #pselect6
+seccomp_string: " SYSCALL[336]," #ppoll
+#seccomp_string: " SYSCALL[337]," #unshare
+seccomp_string: " SYSCALL[338]," #set_robust_list
+seccomp_string: " SYSCALL[339]," #get_robust_list
+#seccomp_string: " SYSCALL[340]," #splice
+#seccomp_string: " SYSCALL[341]," #arm_sync_file_range
+#seccomp_string: " SYSCALL[342]," #tee
+#seccomp_string: " SYSCALL[343]," #vmsplice
+#seccomp_string: " SYSCALL[344]," #move_pages
+#seccomp_string: " SYSCALL[345]," #getcpu
+seccomp_string: " SYSCALL[346]," #epoll_pwait
+#seccomp_string: " SYSCALL[347]," #kexec_load
+#seccomp_string: " SYSCALL[348]," #utimensat
+#seccomp_string: " SYSCALL[349]," #signalfd
+#seccomp_string: " SYSCALL[350]," #timerfd_create
+#seccomp_string: " SYSCALL[351]," #eventfd
+#seccomp_string: " SYSCALL[352]," #fallocate
+#seccomp_string: " SYSCALL[353]," #timerfd_settime
+#seccomp_string: " SYSCALL[354]," #timerfd_gettime
+#seccomp_string: " SYSCALL[355]," #signalfd4
+#seccomp_string: " SYSCALL[356]," #eventfd2
+seccomp_string: " SYSCALL[357]," #epoll_create1
+seccomp_string: " SYSCALL[358]," #dup3
+seccomp_string: " SYSCALL[359]," #pipe2
+#seccomp_string: " SYSCALL[360]," #inotify_init1
+seccomp_string: " SYSCALL[361]," #preadv
+seccomp_string: " SYSCALL[362]," #pwritev
+#seccomp_string: " SYSCALL[363]," #rt_tgsigqueueinfo
+#seccomp_string: " SYSCALL[364]," #perf_event_open
+#seccomp_string: " SYSCALL[365]," #recvmmsg
+seccomp_string: " SYSCALL[366]," #accept4
+#seccomp_string: " SYSCALL[367]," #fanotify_init
+#seccomp_string: " SYSCALL[368]," #fanotify_mark
+#seccomp_string: " SYSCALL[369]," #prlimit64
+#seccomp_string: " SYSCALL[370]," 
#name_to_handle_at
+#seccomp_string: " SYSCALL[371]," #open_by_handle_at
+#seccomp_string: " SYSCALL[372]," #clock_adjtime
+#seccomp_string: " SYSCALL[373]," #syncfs
+#seccomp_string: " SYSCALL[374]," #sendmmsg
+#seccomp_string: " SYSCALL[375]," #setns
+#seccomp_string: " SYSCALL[376]," #process_vm_readv
+#seccomp_string: " SYSCALL[377]," #process_vm_writev
+#seccomp_string: " SYSCALL[378]," #kcmp
+#seccomp_string: " SYSCALL[379]," #finit_module
+#seccomp_string: " SYSCALL[380]," #sched_setattr
+#seccomp_string: " SYSCALL[381]," #sched_getattr
+#seccomp_string: " SYSCALL[382]," #renameat2
+#seccomp_string: " SYSCALL[383]," #seccomp
+seccomp_string: " SYSCALL[384]," #getrandom
+#seccomp_string: " SYSCALL[385]," #memfd_create
+#seccomp_string: " SYSCALL[386]," #bpf
+#seccomp_string: " SYSCALL[387]," #execveat
+#seccomp_string: " SYSCALL[388]," #userfaultfd
+#seccomp_string: " SYSCALL[389]," #membarrier
+#seccomp_string: " SYSCALL[390]," #mlock2
+#seccomp_string: " SYSCALL[391]," #copy_file_range
+seccomp_string: " SYSCALL[392]," #preadv2
+seccomp_string: " SYSCALL[393]," #pwritev2
+#seccomp_string: " SYSCALL[394]," #pkey_mprotect
+#seccomp_string: " SYSCALL[395]," #pkey_alloc
+#seccomp_string: " SYSCALL[396]," #pkey_free
+seccomp_string: " SYSCALL[397]," #statx
+#seccomp_string: " SYSCALL[398]," #rseq
+#seccomp_string: " SYSCALL[399]," #io_pgetevents
+#seccomp_string: " SYSCALL[983041]," #ARM_breakpoint
+#seccomp_string: " SYSCALL[983042]," #ARM_cacheflush
+#seccomp_string: " SYSCALL[983043]," #ARM_usr26
+#seccomp_string: " SYSCALL[983044]," #ARM_usr32
+seccomp_string: " SYSCALL[983045]" #set_tls
+seccomp_string: "}"
+seccomp_string: "DEFAULT KILL"
+
+# Don't bring up the lo interface
+iface_no_lo: true
+
-- 2.34.1
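Review bot: The seccomp allow-list in test/runner-sandbox.cfg is written as raw `SYSCALL[n]` numbers whose comments are the 32-bit ARM names (`arm_fadvise64_64`, `ARM_cacheflush`, `set_tls` at 983045), so the policy only means what its comments say on that ABI; on a build for another architecture the same numbers would presumably admit a different set of calls before `DEFAULT KILL` applies. Kafel accepts syscall names in the `ALLOW` block, which would let the list resolve per architecture; failing that, state the assumption above the block with a comment such as `# Syscall numbers below are 32-bit ARM EABI; do not reuse this policy on other architectures`. Separately, `ioctl` (54) and `execve` (11) are allowed with no argument restriction, and with `time_limit: 0`, `rlimit_cpu_type: INF` and the other rlimit lines commented out the only explicit resource bounds are `cgroup_mem_max` and `cgroup_cpu_ms_per_sec`; a one-line comment on why each is needed would help the next reviewer.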