From e756f54b9d935526ae74b088202c04afbc918813 Mon Sep 17 00:00:00 2001
From: Demi Obenour
Date: Sat, 8 Apr 2017 18:04:26 -0400
Subject: [PATCH] Add restrictive seccomp whitelist
---
 convert.py | 16 +++++++++++
 src/docker.rs | 2 ++
 whitelist | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+)
 create mode 100755 convert.py
 create mode 100644 whitelist
diff --git a/convert.py b/convert.py
new file mode 100755
index 0000000..af95ca7
--- /dev/null
+++ b/convert.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+import json
+def main():
+ json_ = dict(defaultAction='SCMP_ACT_ERRNO',
+ architectures=[
+ 'SCMP_ARCH_X86_64'
+ ])
+ with open('whitelist', 'r') as fhandle:
+ syscalls = [dict(name=i.replace('\n',''),action='SCMP_ACT_ALLOW',args=[])
+ for i in fhandle]
+ json_['syscalls'] = syscalls
+ with open('whitelist.json', 'w') as fhandle:
+ json.dump(json_, fhandle, indent=2, sort_keys=True)
+
+if __name__ == '__main__':
+ main()
diff --git a/src/docker.rs b/src/docker.rs
index eba6d23..41ea076 100644
--- a/src/docker.rs
+++ b/src/docker.rs
@@ -21,6 +21,8 @@ impl Container {
 .arg("create")
 .arg("--cap-drop=ALL")
 .arg("--memory=128m")
+ .arg("--security-opt")
+ .arg("seccomp=whitelist.json")
 .arg("--net=none")
 .arg("--pids-limit=20")
 .arg("--security-opt=no-new-privileges")
diff --git a/whitelist b/whitelist
new file mode 100644
index 0000000..b6210dd
--- /dev/null
+++ b/whitelist
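Review bot: The comprehension in main() turns every line of `whitelist` into a syscall entry after removing only '\n', so a trailing blank line, a CRLF ending or stray whitespace yields an entry with an empty or malformed name, and the list cannot carry a comment. Stripping and filtering fixes both: `names = (line.strip() for line in fhandle)` followed by `syscalls = [dict(name=n, action='SCMP_ACT_ALLOW', args=[]) for n in names if n and not n.startswith('#')]`. Nothing here validates the names either, so I would expect a typo to surface only when Docker loads the profile at container creation; a one-line docstring on main() stating that the input is one syscall name per line and the output is a Docker seccomp profile pinned to x86_64 would make that contract explicit.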
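Review bot: `seccomp=whitelist.json` is a relative path that the docker CLI resolves against the current working directory of the process issuing `create`, so container creation fails (closed, but unexpectedly) whenever the service is started from another directory; build an absolute path instead, e.g. `.arg(format!("seccomp={}", profile_path.display()))` with `profile_path` resolved once at startup (constructed name). The generated file must also exist at runtime and nothing in this patch runs convert.py, so presumably that is a manual step; a comment such as `// seccomp profile generated from `whitelist` by convert.py; must exist before create` beside the new args would record it. The line below passes `--security-opt=no-new-privileges` as a single argument, so for consistency the new option could use the same `--security-opt=seccomp=...` form. The enclosing method of impl Container starts and ends outside the hunk.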
@@ -0,0 +1,73 @@
+access
+arch_prctl
+brk
+chdir
+chmod
+clock_getres
+clock_gettime
+clone
+close
+dup
+dup2
+execve
+exit
+exit_group
+faccessat
+fadvise64
+fallocate
+fcntl
+fstat
+futex
+getcwd
+getdents
+getegid
+geteuid
+getgid
+getpgrp
+getpid
+getppid
+getrandom
+getresgid
+getresuid
+getrlimit
+getrusage
+gettid
+gettimeofday
+getuid
+ioctl
+lseek
+lstat
+madvise
+mkdir
+mmap
+mprotect
+mremap
+munmap
+nanosleep
+open
+openat
+pipe
+pipe2
+prctl
+pread64
+read
+readlink
+rmdir
+rt_sigaction
+rt_sigprocmask
+rt_sigreturn
+sched_getaffinity
+select
+set_robust_list
+set_tid_address
+setrlimit
+sigaltstack
+stat
+statfs
+sysinfo
+tgkill
+umask
+unlink
+vfork
+wait4
+write
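Review bot: Every name here is allowed unconditionally (convert.py emits `args=[]` for each line), so `clone`, `prctl`, `ioctl` and `execve` are permitted with any arguments, whereas Docker's default profile narrows `clone` to non-namespace flags; leaving them unfiltered gives up part of the protection the rest of the list provides. The one-name-per-line format cannot express argument filters, so either extend the converter to accept a per-line argument spec or document that these calls intentionally rely on `--cap-drop=ALL` and no-new-privileges for containment. The file also records neither the workload it was derived from nor that it is x86_64-only (the converter pins SCMP_ARCH_X86_64); since the converter would treat a comment line as a syscall, a short README note covering origin, architecture and the regeneration step is the place for that.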