Apply a seccomp-BPF syscall allowlist by default
Derived from Podman's default profile, stripped of capability-conditional rules (we never grant capabilities), argument filters, and the explicit EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf, perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the default ENOSYS action, which also keeps glibc's clone3 -> clone fallback working. x86_64 and aarch64 are supported; other archs error out. Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.
@@ -5,6 +5,7 @@ pub mod config;
|
||||
mod errors;
|
||||
mod preflight;
|
||||
mod sandbox;
|
||||
mod seccomp;
|
||||
|
||||
pub use errors::SandboxError;
|
||||
|
||||
@@ -23,6 +24,7 @@ pub struct SandboxConfig {
|
||||
pub mode: SandboxMode,
|
||||
pub hardened: bool,
|
||||
pub unshare_net: bool,
|
||||
pub seccomp: bool,
|
||||
pub extra_rw: Vec<PathBuf>,
|
||||
pub extra_ro: Vec<PathBuf>,
|
||||
pub mask: Vec<PathBuf>,
|
||||
|
||||
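Review bot: The new `pub seccomp: bool` field — the one line this hunk adds, per the header's +1 count and the commit message — carries no doc comment, so a reader of `SandboxConfig` cannot tell which value is the safe one or what `false` gives up. I would put `/// Install the seccomp-BPF syscall allowlist in the sandboxed process (on by default); `false` drops the filter entirely, leaving only the other sandbox layers to restrict syscalls. Only x86_64 and aarch64 are supported; other architectures return an error instead of silently running unfiltered.` above it, since those facts live only in the commit message today. If `SandboxConfig` has a `Default` impl or a builder elsewhere, it must set this to `true` explicitly, because `bool::default()` is `false` and would quietly turn the "by default" claim off. The struct definition continues outside the hunk, so where the architecture check actually runs is not visible here.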