rust-lang · DemiMarie · Apr 8, 2017
diff --git a/convert.py b/convert.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+import json
+def main():
+    json_ = dict(defaultAction='SCMP_ACT_ERRNO',
+                architectures=[
+                    'SCMP_ARCH_X86_64'
+                ])
+    with open('whitelist', 'r') as fhandle:
+        syscalls = [dict(name=i.replace('\n',''),action='SCMP_ACT_ALLOW',args=[])
+                for i in fhandle]
+    json_['syscalls'] = syscalls
+    with open('whitelist.json', 'w') as fhandle:
+       json.dump(json_, fhandle, indent=2, sort_keys=True)
+
+if __name__ == '__main__':
+    main()
diff --git a/src/docker.rs b/src/docker.rs
@@ -21,6 +21,8 @@ impl Container {
                                    .arg("create")
                                    .arg("--cap-drop=ALL")
                                    .arg("--memory=128m")
+                                   .arg("--security-opt")
+                                   .arg("seccomp=whitelist.json")
                                    .arg("--net=none")
                                    .arg("--pids-limit=20")
                                    .arg("--security-opt=no-new-privileges")

diff --git a/whitelist b/whitelist
@@ -0,0 +1,73 @@
+access
+arch_prctl
+brk
+chdir
+chmod
+clock_getres
+clock_gettime
+clone
+close
+dup
+dup2
+execve
+exit
+exit_group
+faccessat
+fadvise64
+fallocate
+fcntl
+fstat
+futex
+getcwd
+getdents
+getegid
+geteuid
+getgid
+getpgrp
+getpid
+getppid
+getrandom
+getresgid
+getresuid
+getrlimit
+getrusage
+gettid
+gettimeofday
+getuid
+ioctl
+lseek
+lstat
+madvise
+mkdir
+mmap
+mprotect
+mremap
+munmap
+nanosleep
+open
+openat
+pipe
+pipe2
+prctl
+pread64
+read
+readlink
+rmdir
+rt_sigaction
+rt_sigprocmask
+rt_sigreturn
+sched_getaffinity
+select
+set_robust_list
+set_tid_address
+setrlimit
+sigaltstack
+stat
+statfs
+sysinfo
+tgkill
+umask
+unlink
+vfork
+wait4
+write