App-EvalServerAdvanced
view release on metacpan or search on metacpan
skel-sandbox/etc/seccomp.yaml view on Meta::CPAN
constants:
plugins:
- 'POSIX'
- 'LinuxClone'
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
profiles:
default:
include:
- time_calls
- file_readonly
- stdio
- exec_wrapper
- file_write
- file_tty
- file_opendir
- file_temp
rules:
# Memory related calls
- syscall: mmap
- syscall: munmap
- syscall: mremap
- syscall: mprotect
- syscall: madvise
- syscall: brk
# Exit and signal related
- syscall: exit
- syscall: exit_group
- syscall: rt_sigaction
- syscall: rt_sigprocmask
- syscall: rt_sigreturn
# User related calls
- syscall: getuid
- syscall: geteuid
- syscall: getcwd
- syscall: getpid
- syscall: gettid
- syscall: getgid
- syscall: getegid
- syscall: getgroups
# System related
- syscall: uname
# Non-opening file related calls
- syscall: access
- syscall: poll
- syscall: readlink
# Safe threading related calls
- syscall: arch_prctl
- syscall: set_tid_address
- syscall: set_robust_list
- syscall: futex
# Limit/Capabilities related
- syscall: getrlimit
- syscall: prctl
time_calls:
rules:
- syscall: nanosleep
- syscall: clock_gettime
- syscall: clock_getres
exec_wrapper:
rule_generator: "ExecWrapper::exec_wrapper_gen"
file_open:
rules:
- syscall: open
tests:
- [1, '==', '{{open_modes}}']
- syscall: openat
tests:
- [2, '==', '{{open_modes}}']
- syscall: close
- syscall: select
- syscall: read
- syscall: pread64
- syscall: lseek
- syscall: fstat
- syscall: stat
- syscall: lstat
- syscall: fcntl
# ioctl(4, TCGETS, 0xDEADCAFEBABE) = -1 ENOTTY (Inappropriate ioctl for device)
# Check if the opened file is a TTY
- syscall: ioctl
tests:
- [1, '==', 'TCGETS']
file_opendir:
include:
- file_open
rules:
- syscall: getdents
- syscall: open
tests:
- [1, '==', 'O_DIRECTORY|O_RDONLY|O_NONBLOCK|O_CLOEXEC']
file_readonly:
include:
- file_open
( run in 3.646 seconds using v1.01-cache-2.11-cpan-5735350b133 )