
//! Contains a [`RuleSet`] allowing the base syscalls that all programs will need and that are,
//! for the most part, not dangerous.
3
4use std::collections::HashMap;
5
6use crate::{SeccompRule, RuleSet, syscalls::Sysno};
7
/// A [`RuleSet`] allowing the basic syscalls a process needs to allocate memory, plus the few the
/// Rust runtime uses to install its stack-overflow (segfault) handler.
///
/// Every rule here is a plain allow with no argument filtering.
pub struct BasicCapabilities;

impl RuleSet for BasicCapabilities {
    /// Returns the syscalls this ruleset allows unconditionally.
    ///
    /// The list is assembled group by group so that each group can carry its own rationale;
    /// the resulting order is the order the groups appear in below.
    fn simple_rules(&self) -> Vec<Sysno> {
        let mut allowed: Vec<Sysno> = Vec::new();

        // Memory management. Anyone wanting to constrain mapping/allocation should write their
        // own seccomp filters. Note that mmap and mprotect also control page protections
        // (PROT_EXEC included), so this ruleset does not by itself enforce W^X; that would need
        // argument-level filters.
        allowed.extend([
            Sysno::brk,
            Sysno::mmap,
            Sysno::munmap,
            Sysno::madvise,
            Sysno::mlock,
            Sysno::mlock2,
            Sysno::mlockall,
            // TODO: mprotect/munlock/munlockall could live in a separate capability.
            Sysno::mprotect,
            Sysno::munlock,
            Sysno::munlockall,
        ]);

        // Signal handling. The Rust runtime registers a fault handler on an alternate stack to
        // tell stack overflows apart from other faults; without sigaltstack/rt_sigaction the
        // process simply segfaults at startup (see rust-lang/rust#69533 and
        // src/libstd/sys/unix/stack_overflow.rs).
        allowed.extend([
            Sysno::sigaltstack,
            Sysno::rt_sigaction,
            Sysno::rt_sigprocmask,
            Sysno::rt_sigreturn,
        ]);

        // Futexes and the robust-futex list.
        allowed.extend([
            Sysno::futex,
            Sysno::get_robust_list,
            Sysno::set_robust_list,
        ]);

        // Resolving a symlink is harmless on its own: acting on the resolved path still requires
        // a separate, filterable open. Plain readlink is only listed under the x86_64 cfg; the
        // *at variant is always listed.
        #[cfg(enabled_arch = "x86_64")]
        allowed.push(Sysno::readlink);
        allowed.push(Sysno::readlinkat);

        // Process/thread identity and kernel identification (uname).
        allowed.extend([Sysno::getpid, Sysno::gettid, Sysno::uname]);

        // Kernel-provided random bytes. Could be split into its own ruleset.
        allowed.push(Sysno::getrandom);

        // CPU affinity and yield. These arguably belong in the Multiprocessing ruleset instead.
        allowed.extend([
            Sysno::sched_getaffinity,
            Sysno::sched_setaffinity,
            Sysno::sched_yield,
        ]);

        // Restartable sequences: newer glibc registers one during initialization. Complicated,
        // but not known to be dangerous.
        allowed.push(Sysno::rseq);

        // Terminating the calling thread or the whole process.
        allowed.extend([Sysno::exit, Sysno::exit_group]);

        allowed
    }

    /// Human-readable identifier for this ruleset.
    fn name(&self) -> &'static str {
        "BasicCapabilities"
    }
}