App-EvalServerAdvanced
view release on metacpan or search on metacpan
skel-sandbox/etc/seccomp.yaml view on Meta::CPAN
constants:
plugins:
- 'POSIX'
- 'LinuxClone'
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
profiles:
default:
include:
- time_calls
- file_readonly
- stdio
- exec_wrapper
- file_write
- file_tty
- file_opendir
- file_temp
rules:
# Memory related calls
- syscall: mmap
- syscall: munmap
- syscall: mremap
- syscall: mprotect
- syscall: madvise
- syscall: brk
# Exit and signal related
- syscall: exit
- syscall: exit_group
- syscall: rt_sigaction
- syscall: rt_sigprocmask
- syscall: rt_sigreturn
# User related calls
- syscall: getuid
- syscall: geteuid
- syscall: getcwd
- syscall: getpid
- syscall: gettid
- syscall: getgid
- syscall: getegid
- syscall: getgroups
# System related
- syscall: uname
# Non-opening file related calls
- syscall: access
- syscall: poll
- syscall: readlink
# Safe threading related calls
- syscall: arch_prctl
- syscall: set_tid_address
- syscall: set_robust_list
- syscall: futex
# Limit/Capabilities related
- syscall: getrlimit
- syscall: prctl
time_calls:
rules:
- syscall: nanosleep
- syscall: clock_gettime
- syscall: clock_getres
exec_wrapper:
rule_generator: "ExecWrapper::exec_wrapper_gen"
file_open:
rules:
- syscall: open
tests:
- [1, '==', '{{open_modes}}']
- syscall: openat
tests:
- [2, '==', '{{open_modes}}']
- syscall: close
- syscall: select
- syscall: read
- syscall: pread64
- syscall: lseek
- syscall: fstat
- syscall: stat
- syscall: lstat
- syscall: fcntl
# ioctl(4, TCGETS, 0xDEADCAFEBABE) = -1 ENOTTY (Inappropriate ioctl for device)
# Check if the opened file is a TTY
- syscall: ioctl
tests:
- [1, '==', 'TCGETS']
file_opendir:
include:
- file_open
rules:
- syscall: getdents
- syscall: open
tests:
- [1, '==', 'O_DIRECTORY|O_RDONLY|O_NONBLOCK|O_CLOEXEC']
file_readonly:
include:
- file_open
permute:
open_modes:
- 'O_NONBLOCK'
- 'O_EXCL'
- 'O_RDONLY'
- 'O_NOFOLLOW'
- 'O_CLOEXEC'
skel-sandbox/etc/seccomp.yaml view on Meta::CPAN
open_modes:
- 'O_CREAT'
- 'O_WRONLY'
- 'O_TRUNC'
- 'O_RDWR'
rules:
- syscall: write
- syscall: pwrite64
file_temp:
rules:
- syscall: chmod
tests:
- [1, '==', 0o600]
- syscall: unlink
lang_javascript:
include:
- default
- file_temp
rules:
- syscall: pipe2
- syscall: epoll_create1
- syscall: eventfd2
- syscall: epoll_ctl
- syscall: epoll_wait
- syscall: ioctl
tests:
- [1, '==', 'FIOCLEX']
- syscall: clone
tests:
- [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
- syscall: ioctl
tests:
- [1, '==', 'TIOCGPTN']
- syscall: ioctl
tests:
- [1, '==', 'FIONBIO']
- syscall: ioctl
tests: # Let node do any ioctl to stdout
- [0, '==', 1]
- syscall: ioctl
tests: # let node do any ioctl to stderr
- [0, '==', 2]
lang_perl:
include:
- default
rules: []
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
- syscall: sigaltstack
- syscall: pipe2
- syscall: write
tests: # Used for inter thread communication. FDs might change number depending on release
- [0, '==', 5]
- syscall: write
tests: # Used for inter thread communication. FDs might change number depending on release
- [0, '==', 7]
stdio:
rules:
- syscall: read # Read from STDIN
tests:
- [0, '==', 0]
- syscall: write # Write to STDOUT
tests:
- [0, '==', 1]
- syscall: write # Write to STDERR
tests:
- [0, '==', 2]
( run in 0.532 second using v1.01-cache-2.11-cpan-cdf2f3d4e48 )