view release on metacpan or  search on metacpan

skel-sandbox/etc/seccomp.yaml  view on Meta::CPAN

        tests:
          - [2, '==', '{{open_modes}}']
      - syscall: close
      - syscall: select
      - syscall: read
      - syscall: pread64
      - syscall: lseek
      - syscall: fstat
      - syscall: stat
      - syscall: lstat
      - syscall: fcntl
# ioctl(4, TCGETS, 0xDEADCAFEBABE) = -1 ENOTTY (Inappropriate ioctl for device)
# Check if the opened file is a TTY
      - syscall: ioctl
        tests:
          - [1, '==', 'TCGETS']

  file_opendir:
    include:
      - file_open
    rules:
      - syscall: getdents
      - syscall: open
        tests:
          - [1, '==', 'O_DIRECTORY|O_RDONLY|O_NONBLOCK|O_CLOEXEC']

  file_readonly:
    include:
      - file_open
    permute:
      open_modes:
        - 'O_NONBLOCK'
        - 'O_EXCL'
        - 'O_RDONLY'
        - 'O_NOFOLLOW'
        - 'O_CLOEXEC'

  file_tty:
    include:
      - file_open
    permute:
      open_modes:
        - 'O_NOCTTY'

  file_write:
    include:
      - file_open
      - file_readonly
    permute:
      open_modes:
        - 'O_CREAT'
        - 'O_WRONLY'
        - 'O_TRUNC'
        - 'O_RDWR'
    rules:
      - syscall: write
      - syscall: pwrite64

  file_temp:
    rules:
      - syscall: chmod
        tests:
          - [1, '==', 0o600]
      - syscall: unlink

  lang_javascript:
    include:
      - default
      - file_temp
    rules:
      - syscall: pipe2
      - syscall: epoll_create1
      - syscall: eventfd2
      - syscall: epoll_ctl
      - syscall: epoll_wait
      - syscall: ioctl
        tests:
          - [1, '==', 'FIOCLEX']
      - syscall: clone
        tests:
          - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
      - syscall: ioctl
        tests:
          - [1, '==', 'TIOCGPTN']
      - syscall: ioctl
        tests:
          - [1, '==', 'FIONBIO']
      - syscall: ioctl
        tests: # Let node do any ioctl to stdout
          - [0, '==', 1]
      - syscall: ioctl
        tests: # let node do any ioctl to stderr
          - [0, '==', 2]

  lang_perl:
    include:
      - default
    rules: []

  lang_ruby:
    include:
      - default
    rules:
      - syscall: clone
        tests:
          - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
      - syscall: sigaltstack
      - syscall: pipe2
      - syscall: write
        tests: # Used for inter thread communication.  FDs might change number depending on release
          - [0, '==', 5]
      - syscall: write
        tests: # Used for inter thread communication.  FDs might change number depending on release
          - [0, '==', 7]

  stdio:
    rules:
      - syscall: read # Read from STDIN
        tests:
          - [0, '==', 0]
      - syscall: write # Write to STDOUT