├── tests
├── tty.conf.command
├── uid.conf.command
├── mount.conf.command
├── bind.conf.command
├── cwd.conf.command
├── hostname.conf.command
├── mount-label.conf.command
├── rootfs.conf.command
├── env.conf.command
├── label.conf.command
├── seccomp.conf.command
├── tests-runner
├── hostname.conf.expected
├── rootfs.conf.expected
├── seccomp.conf.expected
├── uid.conf.expected
├── cwd.conf.expected
├── bind.conf.expected
├── mount.conf.expected
├── mount-label.conf.expected
├── tty.conf.expected
├── devtmpfs.conf.expected
├── env.conf.expected
├── label.conf.expected
├── devtmpfs.conf
├── devtmpfs.conf.command
├── hostname.conf
├── rootfs.conf
├── uid.conf
├── cwd.conf
├── tty.conf
├── env.conf
├── mount-label.conf
├── label.conf
├── bind.conf
└── mount.conf
├── autogen.sh
├── README.md
├── .papr.yml
├── cfg.mk
├── spec.h
├── list.h
├── kill.h
├── demos
└── run-systemd
│ ├── run_demo.sh
│ └── config.json
├── rpm
└── bwrap-oci.spec.template
├── subugidmap.h
├── safe-read-write.h
├── configure.ac
├── safe-read-write.c
├── run.h
├── kill.c
├── Makefile.am
├── bwrap-oci.xml
├── util.h
├── subugidmap.c
├── list.c
├── GNUmakefile
├── spec.c
├── bwrap-oci.c
└── git.mk
/tests/tty.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/tty.conf: tests-runner runs this with REGENERATE_TESTS_DATA
# set and stores its stdout as the OCI config later passed to `bwrap-oci -c`.
oci-runtime-tool generate --tty
3 |
4 |
--------------------------------------------------------------------------------
/tests/uid.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/uid.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); uid.conf.expected shows the resulting `--uid 10`.
oci-runtime-tool generate --uid=10
3 |
--------------------------------------------------------------------------------
/tests/mount.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/mount.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); expected output contains `--bind foo bar`.
oci-runtime-tool generate --bind=foo:bar
3 |
--------------------------------------------------------------------------------
/tests/bind.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/bind.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set).  The explicit ":rw" yields the same
# `--bind foo bar` as mount.conf.command, per bind.conf.expected.
oci-runtime-tool generate --bind=foo:bar:rw
3 |
--------------------------------------------------------------------------------
/tests/cwd.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/cwd.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); expected output has `--chdir /usr/local/bin`.
oci-runtime-tool generate --cwd=/usr/local/bin
3 |
--------------------------------------------------------------------------------
/tests/hostname.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/hostname.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); expected output has `--hostname atomic`.
oci-runtime-tool generate --hostname=atomic
3 |
--------------------------------------------------------------------------------
/tests/mount-label.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/mount-label.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); expected output has `--file-label foo`.
oci-runtime-tool generate --mount-label=foo
3 |
--------------------------------------------------------------------------------
/tests/rootfs.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/rootfs.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); expected output has `--bind rootfs /`.
oci-runtime-tool generate --rootfs-path=rootfs
3 |
--------------------------------------------------------------------------------
/tests/env.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/env.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set).  "bar" is set twice on purpose: env.conf.expected
# shows only `--setenv bar foo`, i.e. the last assignment wins.
oci-runtime-tool generate --env=foo=bar --env=bar=baz --env=bar=foo
3 |
--------------------------------------------------------------------------------
/tests/label.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/label.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set); the SELinux process label appears in
# label.conf.expected as `--exec-label ...`.
oci-runtime-tool generate --selinux-label=unconfined_u:object_r:user_home_t:s1
3 |
--------------------------------------------------------------------------------
/tests/seccomp.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Generator for tests/seccomp.conf (regenerated by tests-runner when
# REGENERATE_TESTS_DATA is set).  Note that seccomp.conf.expected only shows
# `--seccomp FD`: the filter is passed through a file descriptor, so the
# dry-run output does not verify the filter contents themselves.
oci-runtime-tool generate --seccomp-arch=amd64 --seccomp-allow=read --seccomp-errno=write
3 |
--------------------------------------------------------------------------------
/autogen.sh:
--------------------------------------------------------------------------------
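#!/bin/sh
# Bootstrap the autotools build: run autoreconf in the source directory and,
# unless NOCONFIGURE is set, run ./configure with the arguments given here.

test -n "$srcdir" || srcdir=`dirname "$0"`
test -n "$srcdir" || srcdir=.

olddir=`pwd`
# Quote the path and stop if the cd fails: unquoted, a source directory
# containing spaces is mis-split, and a failed cd would let autoreconf run
# silently in the wrong directory.
cd "$srcdir" || exit 1

if ! (autoreconf --version >/dev/null 2>&1); then
  echo "*** No autoreconf found, please install it ***" >&2
  exit 1
fi

mkdir -p m4

# Do not go on to configure a tree whose autoreconf failed.
autoreconf --force --install --verbose || exit 1

cd "$olddir" || exit 1
test -n "$NOCONFIGURE" || "$srcdir/configure" "$@"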
20 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | bwrap-oci
2 | ==========
3 |
4 | Run an OCI container using Bubblewrap (https://github.com/projectatomic/bubblewrap/).
5 |
6 | By default `bwrap-oci` reads the file `config.json` in the
7 | current directory, generates the command line arguments for bubblewrap
8 | and executes it.
9 |
10 | You can specify a different configuration file with `--configuration`.
11 |
12 | If you want to see the generated command line, use the `--dry-run`
13 | option of `bwrap-oci`. This also prevents the container from being created.
14 |
--------------------------------------------------------------------------------
/.papr.yml:
--------------------------------------------------------------------------------
1 | container:
2 | image: registry.fedoraproject.org/fedora:26
3 |
4 | packages:
5 | - autoconf
6 | - automake
7 | - make
8 | - gcc
9 | - git
10 | - pkgconfig(json-glib-1.0)
11 | - libseccomp-devel
12 | - libxslt
13 | - bubblewrap
14 | - docbook-style-xsl
15 | - pkgconfig(gio-unix-2.0)
16 |
17 | build: true
18 |
19 | tests:
20 | - make syntax-check
21 | - make check
22 |
23 | branches:
24 | - master
25 | - auto
26 | - try
27 |
28 | timeout: 30m
29 |
30 | artifacts:
31 | - test-suite.log
32 |
--------------------------------------------------------------------------------
/cfg.mk:
--------------------------------------------------------------------------------
# Configuration for the maint.mk syntax checks (`make syntax-check`, run by
# .papr.yml).  Files matching this regex are skipped by every check.
export VC_LIST_EXCEPT_DEFAULT=^(lib/.*|m4/.*|md5/.*|build-aux/.*|src/gettext\.h|.*ChangeLog)$$

# sc_* checks from maint.mk that this project opts out of.
local-checks-to-skip = \
  sc_immutable_NEWS \
  sc_copyright_check \
  \
  sc_program_name \
  sc_bindtextdomain \
  sc_error_message_period \
  sc_unmarked_diagnostics \
  sc_prohibit_always_true_header_tests \
  sc_prohibit_intprops_without_use \


#SHELL=bash -x
# Debugging aid: print the list of version-controlled files the checks look at.
show-vc-list-except:
	@$(VC_LIST_EXCEPT)

# Files that are always left out of the checked file list.
VC_LIST_ALWAYS_EXCLUDE_REGEX = ^ABOUT-NLS|maint.mk|git.mk|tests.*|COPYING$$
20 |
--------------------------------------------------------------------------------
/tests/tests-runner:
--------------------------------------------------------------------------------
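#!/bin/sh
# Runs one dry-run test.  $1 is an OCI config file under tests/; the bwrap
# command line bwrap-oci generates for it is compared with $1.expected.  When
# REGENERATE_TESTS_DATA is set, $1 (from $1.command) and $1.expected are
# rewritten instead of checked.
set -eu
# Not every /bin/sh knows pipefail (older dash rejects the option, and a
# failing `set` aborts the script).  Enable it only where it is supported so
# that a failing bwrap-oci in the pipeline still fails the test there.
(set -o pipefail 2>/dev/null) && set -o pipefail

if test $# -lt 1; then
  echo "usage: $0 tests/NAME.conf" >&2
  exit 1
fi

# Used internally by bwrap-oci to generate more deterministic output
export TEST=1

# Assign and export separately: `export VAR=$(cmd)` reports export's status,
# so a failed mktemp would slip past `set -e` and leave TMP_DIR empty, with
# every "$TMP_DIR/..." path below then resolving under /.
TMP_DIR=$(mktemp -p "$(pwd)" -d -t .tmp.XXXXXXXXXX)
export TMP_DIR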
8 |
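# Remove the scratch directory; installed as the EXIT trap so it also runs
# when the test fails.  Quoted, and skipped when TMP_DIR is unset or empty,
# so a failed mktemp cannot turn this into an `rm -rf` of the wrong path.
teardown () {
  if test -n "${TMP_DIR-}"; then
    rm -rf "$TMP_DIR"
  fi
}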
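trap teardown EXIT

# Regenerate the config under test from its generator script, when asked to.
if test "x${REGENERATE_TESTS_DATA-}" != x && test -e "$1.command"; then
  sh "$1.command" > "$TMP_DIR/new-file"
  mv "$TMP_DIR/new-file" "$1"
fi

# --dry-run prints the bwrap command line instead of running it; the sed
# drops the directory part of the bwrap binary's path so the output does not
# depend on where bwrap is installed.  All paths are quoted so a test name
# or checkout directory with spaces cannot split the arguments.
./bwrap-oci -c "$1" --dry-run | sed -e "s|/.*/bwrap|bwrap|g" > "$TMP_DIR/output"

if test "x${REGENERATE_TESTS_DATA-}" != x; then
  cp "$TMP_DIR/output" "$1.expected"
  exit 0
fi

diff -Naur "$1.expected" "$TMP_DIR/output"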
27 |
--------------------------------------------------------------------------------
/tests/hostname.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname atomic --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/rootfs.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/seccomp.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/uid.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 10 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/cwd.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir /usr/local/bin --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/bind.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --bind foo bar --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/mount.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --bind foo bar --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/mount-label.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --file-label foo --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/tty.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/devtmpfs.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --ro-bind /sys/fs/cgroup /sys/fs/cgroup --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --block-fd FD --sync-fd FD --info-fd FD --bind /dev/null /proc/kcore --bind /dev/null /proc/latency_stats --bind /dev/null /proc/timer_stats --bind /dev/null /proc/sched_debug --ro-bind /proc/asound /proc/asound --ro-bind /proc/bus /proc/bus --ro-bind /proc/fs /proc/fs --ro-bind /proc/irq /proc/irq --ro-bind /proc/sys /proc/sys --ro-bind /proc/sysrq-trigger /proc/sysrq-trigger sh
2 |
--------------------------------------------------------------------------------
/tests/env.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --setenv foo bar --setenv bar foo --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/tests/label.conf.expected:
--------------------------------------------------------------------------------
1 | bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-cgroup --unshare-pid --unshare-net --unshare-ipc --unshare-uts --unshare-user --cap-drop ALL --cap-add CAP_AUDIT_WRITE --cap-add CAP_NET_RAW --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SETPCAP --cap-add CAP_FSETID --cap-add CAP_FOWNER --cap-add CAP_SETUID --cap-add CAP_MKNOD --cap-add CAP_CHOWN --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_KILL --cap-add CAP_SETGID --cap-add CAP_SETFCAP --cap-add CAP_SYS_CHROOT --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --exec-label unconfined_u:object_r:user_home_t:s1 --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --ro-bind /sys /sys --tmpfs /tmp --hostname mrsdalloway --block-fd FD --sync-fd FD --info-fd FD --seccomp FD sh
2 |
--------------------------------------------------------------------------------
/spec.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2018 Red Hat, Inc.
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _SPEC_H
19 | # define _SPEC_H
20 | # include
21 |
22 | void spec ();
23 |
24 | #endif
25 |
--------------------------------------------------------------------------------
/list.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _LIST_H
19 | # define _LIST_H
20 | # include
21 |
22 | void list_containers (void);
23 |
24 | #endif
25 |
--------------------------------------------------------------------------------
/kill.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _KILL_H
19 | # define _KILL_H
20 | # include
21 |
22 | void kill_container (const char *name, const char *signal);
23 |
24 | #endif
25 |
--------------------------------------------------------------------------------
/demos/run-systemd/run_demo.sh:
--------------------------------------------------------------------------------
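#!/bin/sh
# Demo: fetch the fedora image with skopeo, unpack it into ./rootfs, prepare
# it for systemd, start it as a bwrap-oci container (config.json lives next to
# this script) and finally signal the container's init.
# Stop at the first failing step instead of running later steps on a
# half-built rootfs.
set -e

rm -rf cache
mkdir cache
# skopeo and tar run in a throwaway bwrap sandbox: host read-only, only the
# current directory writable.  $(pwd) is quoted so a path with spaces works.
bwrap --ro-bind / / --dev /dev --proc /proc --bind "$(pwd)" "$(pwd)" skopeo copy docker://fedora oci:cache:latest

mkdir rootfs

(
  cd rootfs
  # Hack, this works only because fedora is a single layer image
  for i in ../cache/blobs/sha256/*
  do
    bwrap --ro-bind / / --dev /dev --proc /proc --bind "$(pwd)" "$(pwd)" tar xf "$i" || true
  done
  # Brace expansion is not POSIX sh: under dash, `mkdir {dev,proc,sys}` makes
  # one directory literally named "{dev,proc,sys}".
  mkdir dev proc sys
)

bwrap --uid 0 --gid 0 --unshare-user --bind rootfs / --dev /dev --proc /proc --tmpfs /run --tmpfs /var --tmpfs /var/log systemd-tmpfiles --create

bwrap --uid 0 --gid 0 --unshare-user --bind rootfs / --dev /dev --proc /proc --tmpfs /run --tmpfs /var --tmpfs /var/log systemctl mask dev-hugepages.mount systemd-update-utmp.service systemd-tmpfiles-setup.service

# Use a private pid file rather than the fixed, world-shared /tmp/pidfile: at a
# predictable path another local user could pre-create the file (or a symlink
# to one) and steer the kill below at a pid of their choosing.
pidfile=$(mktemp)
systemd-run --user --scope bwrap-oci --pid-file="$pidfile"

# 37 is SIGRTMIN+3 on glibc systems, which systemd treats as a halt request;
# presumably the pid file holds the container's PID 1 — confirm.
kill -37 "$(cat "$pidfile")"
rm -f "$pidfile"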
26 |
--------------------------------------------------------------------------------
/rpm/bwrap-oci.spec.template:
--------------------------------------------------------------------------------
1 | Summary: Run OCI containers with bubblewrap
2 | Name: bwrap-oci
3 | Version: #VERSION#
4 | Release: 5%{?dist}
5 | Source0: %{url}/archive/%{name}-%{version}.tar.gz
6 | License: LGPLv2+
7 | URL: https://github.com/projectatomic/bwrap-oci
8 |
9 | Requires: bubblewrap
10 | # We always run autogen.sh
11 | BuildRequires: autoconf automake
12 | BuildRequires: pkgconfig(json-glib-1.0)
13 | BuildRequires: libseccomp-devel
14 | BuildRequires: libxslt
15 | BuildRequires: bubblewrap
16 | BuildRequires: docbook-style-xsl
17 | BuildRequires: gcc
18 | BuildRequires: pkgconfig(gio-unix-2.0)
19 |
20 | %description
21 | bwrap-oci uses Bubblewrap to run a container from an OCI spec file.
22 |
23 | %prep
24 | %autosetup -n %{name}-%{version}
25 |
26 | %build
27 | env NOCONFIGURE=1 ./autogen.sh
28 | %configure --disable-silent-rules
29 |
30 | %make_build
31 |
32 | %install
33 | %make_install INSTALL="install -p"
34 |
35 | %files
36 | %license COPYING
37 | %{_bindir}/%{name}
38 | %{_mandir}/man1/%{name}.1*
39 |
--------------------------------------------------------------------------------
/subugidmap.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _SUBUGIDMAP_H
19 | # define _SUBUGIDMAP_H
20 |
21 | # include
22 | # include
23 | # include
24 |
25 | int getsubidrange (uid_t id, int is_uid, uint32_t *from, uint32_t *len);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/safe-read-write.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #ifndef SAFE_BWRAP_OCI_READ_WRITE
20 | # define SAFE_BWRAP_OCI_READ_WRITE
21 |
22 | # include
23 |
24 | ssize_t safe_read (int fd, void *buf, size_t count);
25 | ssize_t safe_write (int fd, const void *buf, size_t count);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/configure.ac:
--------------------------------------------------------------------------------
1 | AC_PREREQ([2.63])
2 | AC_INIT([bwrap-oci], [0.2], [atomic-devel@projectatomic.io])
3 | AC_CONFIG_HEADER([config.h])
4 | AC_CONFIG_MACRO_DIR([m4])
5 | AC_CONFIG_AUX_DIR([build-aux])
6 |
7 | AC_USE_SYSTEM_EXTENSIONS
8 |
9 | AM_INIT_AUTOMAKE([1.11 -Wno-portability foreign tar-ustar no-dist-gzip dist-xz subdir-objects])
10 | AM_MAINTAINER_MODE([enable])
11 | AM_SILENT_RULES([yes])
12 |
13 | AC_PROG_SED
14 | AC_PROG_CC
15 | AM_PROG_CC_C_O
16 |
17 | PKG_CHECK_MODULES(JSON_GLIB, [json-glib-1.0])
18 | PKG_CHECK_MODULES(GIO_UNIX, [gio-unix-2.0])
19 | AC_CHECK_LIB(seccomp, seccomp_rule_add)
20 |
21 | AC_CHECK_HEADERS([error.h])
22 |
23 | AC_PATH_PROG(BWRAP, [bwrap])
24 | AC_DEFINE_UNQUOTED([BWRAP], ["$BWRAP"], [Path to bwrap])
25 |
26 | AC_CONFIG_FILES([
27 | Makefile
28 | ])
29 |
30 | AH_BOTTOM([
31 | #ifndef HAVE_ERROR_H
32 | #ifndef _ERROR_LOCAL
33 | #define _ERROR_LOCAL 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
37 |
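/* Minimal stand-in for glibc's error(3) on systems without <error.h>.
 * Prints MSG (a printf-style format, with the variadic arguments) to
 * stderr, appends ": <strerror(ERRNUM)>" when ERRNUM is non-zero, ends the
 * line, and exits with STATUS when STATUS is non-zero.
 * The earlier version ignored MSG and its arguments altogether, so every
 * diagnostic passed by callers (see kill.c) was lost on such systems.  */
static void error(int status, int errnum, const char *msg, ...) {
  va_list ap;

  /* Keep ordering sane when stdout and stderr go to the same terminal.  */
  fflush(stdout);
  va_start(ap, msg);
  vfprintf(stderr, msg, ap);
  va_end(ap);
  if (errnum)
    fprintf(stderr, ": %s\n", strerror(errnum));
  else
    fputc('\n', stderr);
  if (status)
    exit(status);
}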
46 | #endif
47 | #endif
48 | ])
49 | AC_OUTPUT
50 |
--------------------------------------------------------------------------------
/safe-read-write.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #include
20 | #include "safe-read-write.h"
21 | #include
22 |
/* Body of a signal-tolerant I/O wrapper: issues OP (fd, buf, count),
 * retrying for as long as the call fails with EINTR, and returns the last
 * result — so any other error reaches the caller unchanged.  Relies on the
 * enclosing function declaring parameters named fd, buf and count.  */
#define safe_io_op(OP) \
  do \
    { \
      ssize_t result; \
      do \
        result = OP (fd, buf, count); \
      while (result < 0 && errno == EINTR); \
      return result; \
    } \
  while (0)
33 |
/* read(2) that is restarted when a signal interrupts it (EINTR).  Any other
 * outcome — data, end of file, or another error — is returned as read
 * reported it; short reads are not retried.  */
ssize_t
safe_read (int fd, void *buf, size_t count)
{
  ssize_t n;

  for (;;)
    {
      n = read (fd, buf, count);
      if (n >= 0 || errno != EINTR)
        return n;
    }
}
39 |
/* write(2) that is restarted when a signal interrupts it (EINTR).  The
 * result of the final attempt is returned unchanged, so a short write or
 * any other error is left for the caller to handle.  */
ssize_t
safe_write (int fd, const void *buf, size_t count)
{
  ssize_t n;

  for (;;)
    {
      n = write (fd, buf, count);
      if (n >= 0 || errno != EINTR)
        return n;
    }
}
45 |
--------------------------------------------------------------------------------
/run.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _RUN_H
19 | # define _RUN_H
20 | # include
21 |
/* Per-run state for the run_container() implementation.
 * NOTE(review): the field purposes noted below are inferred from names and
 * types only (run.c is not in view); confirm them there before relying on
 * them.  */
struct context
{
  GList *options;            /* presumably the bwrap command-line options being assembled */
  GList *readonly_paths;     /* presumably paths to remount read-only inside the container */
  GList *args;               /* presumably the container process arguments */
  size_t total_elements;
  gboolean remount_ro_rootfs;
  scmp_filter_ctx seccomp;   /* libseccomp filter; apparently passed to bwrap as --seccomp FD (see tests/*.expected) */
  gchar *rootfs;
  GList *prestart_hooks;
  GList *poststop_hooks;

  uid_t uid;
  gid_t gid;

  gboolean has_user_mappings;

  int userns_block_pipe[2];  /* presumably a pipe pair used to hold the child until the
                                user-namespace mappings are in place — confirm in run.c */

  struct user_mapping user_mapping;

  gboolean has_terminal;
  gboolean has_container_env;

  gboolean detach;           /* presumably the `detach` argument of run_container() below */
};
48 |
/* Run the container CONTAINER_ID described by CONFIGURATION_FILE.
 * DETACH: do not wait for the container to terminate.
 * PID_FILE: if non-NULL, where the sandboxed process' PID is written.
 * ENABLE_HOOKS: whether the OCI hooks in the configuration are executed.
 * DRY_RUN: print the bubblewrap command line instead of executing it.
 * The return value is used directly as the exit status by main() in
 * bwrap-oci.c; its exact meaning is defined in run.c.  */
int run_container (const char *container_id,
                   const char *configuration_file,
                   gboolean detach,
                   const char *pid_file,
                   gboolean enable_hooks,
                   gboolean dry_run);
55 |
56 | #endif
57 |
--------------------------------------------------------------------------------
/kill.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #include
20 | #include "util.h"
21 | #include "kill.h"
22 | #ifdef HAVE_ERROR_H
23 | #include
24 | #endif
25 | #include
26 | #include
27 |
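/* Send SIGNAL (a decimal signal number given as a string) to the container
 * named NAME.
 *
 * The container's PID comes from "<run directory>/NAME/status.json" as read
 * by read_container_status_file().  Every failure terminates the process
 * through error() with EXIT_FAILURE.  NAME is rejected when it is empty,
 * ".", "..", or contains '/', so it cannot select a status file outside the
 * run directory.  SIGNAL must be a positive integer that fits in an int.
 */
void
kill_container (const char *name, const char *signal)
{
  cleanup_free gchar *run_directory = get_run_directory ();
  cleanup_free gchar *path = NULL;
  pid_t pid = 0;
  long signal_value;
  char *endptr = NULL;

  /* NAME is used as a single path component below; refuse anything that
     could walk out of the run directory.  */
  if (name == NULL || name[0] == '\0' || strchr (name, '/') != NULL
      || g_strcmp0 (name, ".") == 0 || g_strcmp0 (name, "..") == 0)
    error (EXIT_FAILURE, 0, "invalid container name");

  path = g_strdup_printf ("%s/%s/status.json", run_directory, name);

  if (! file_exist_p ("", path))
    error (EXIT_FAILURE, 0, "container %s doesn't exist", name);

  read_container_status_file (path, &pid, NULL);

  /* A PID that is 0 or negative must never reach kill(): those values
     address a process group, not a single process.  */
  if (pid <= 0)
    error (EXIT_FAILURE, 0, "container %s doesn't exist", name);

  /* Strict parse: the whole string must be digits, the value positive, and
     it must fit in the int that kill() takes (the cast round-trip catches
     values outside the int range on LP64).  */
  errno = 0;
  signal_value = strtol (signal, &endptr, 10);
  if (errno != 0 || endptr == signal || *endptr != '\0'
      || signal_value <= 0 || signal_value != (long) (int) signal_value)
    error (EXIT_FAILURE, errno, "invalid signal specified");

  if (kill (pid, (int) signal_value) < 0)
    error (EXIT_FAILURE, errno, "kill %ld", signal_value);
}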
57 |
--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
# xsltproc is only needed to build the man page from bwrap-oci.xml (the
# .xml.1 suffix rule below).
XSLTPROC = xsltproc

# --nonet keeps xsltproc from fetching the DocBook stylesheet named in the
# .xml.1 rule; the URL is resolved through the local XML catalog, so the
# DocBook XSL stylesheets must be installed locally for `make` to succeed.
XSLTPROC_FLAGS = \
	--nonet \
	--stringparam man.output.quietly 1 \
	--stringparam funcsynopsis.style ansi \
	--stringparam man.th.extra1.suppress 1 \
	--stringparam man.authors.section.enabled 0 \
	--stringparam man.copyright.section.enabled 0

.xml.1:
	$(XSLTPROC) $(XSLTPROC_FLAGS) http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<

# Based on rpmbuild-cwd, that is:
# Licensed under the new-BSD license (http://www.opensource.org/licenses/bsd-license.php)
# Copyright (C) 2010 Red Hat, Inc.
# Written by Colin Walters
WD := $(shell pwd)

.PHONY: rpm

# The spec file is generated from the template by substituting #VERSION#.
bwrap-oci.spec: $(srcdir)/rpm/bwrap-oci.spec.template
	sed -e 's|#VERSION#|$(VERSION)|g' < $< > $@

# Build source and binary RPMs entirely inside the working directory
# (every rpmbuild directory macro is pointed at $(WD)).
rpm: dist-gzip bwrap-oci.spec
	echo $(VERSION)
	$(MAKE) -C $(WD) dist-xz
	rpmbuild -ba --define "_sourcedir $(WD)" --define "_specdir $(WD)" --define "_builddir $(WD)" --define "_srcrpmdir $(WD)" --define "_rpmdir $(WD)" --define "_buildrootdir $(WD)/.build" bwrap-oci.spec

man_MANS = bwrap-oci.1

CLEANFILES = $(man_MANS) bwrap-oci.spec

AM_CFLAGS = $(WARN_CFLAGS)

GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4

bin_PROGRAMS = bwrap-oci

bwrap_oci_SOURCES = \
	bwrap-oci.c \
	list.c \
	safe-read-write.c \
	util.c \
	run.c \
	kill.c \
	spec.c \
	subugidmap.c \
	$(NULL)

bwrap_oci_CFLAGS = $(AM_CFLAGS) $(JSON_GLIB_CFLAGS) $(GIO_UNIX_CFLAGS)
bwrap_oci_LDADD = $(SELINUX_LIBS) $(JSON_GLIB_LIBS) $(GIO_UNIX_LIBS)

-include $(top_srcdir)/git.mk

# Each tests/NAME.conf is one test case; it is executed by tests/tests-runner
# (CONF_LOG_COMPILER below), and its companion NAME.conf.command and
# NAME.conf.expected files are shipped through EXTRA_DIST.
TESTS = tests/bind.conf tests/cwd.conf tests/env.conf tests/hostname.conf \
	tests/label.conf tests/mount.conf tests/mount-label.conf tests/rootfs.conf \
	tests/seccomp.conf tests/tty.conf tests/uid.conf tests/devtmpfs.conf

TEST_EXTENSIONS = .conf
CONF_LOG_COMPILER = $(top_srcdir)/tests/tests-runner

EXTRA_DIST = autogen.sh bwrap-oci.xml safe-read-write.h util.h list.h run.h kill.h spec.h subugidmap.h

EXTRA_DIST += $(TESTS:.conf=.conf.expected)
EXTRA_DIST += $(TESTS:.conf=.conf.command)
67 |
--------------------------------------------------------------------------------
/bwrap-oci.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
8 | bwrap-oci
9 | Project Atomic
10 |
11 |
12 | Developer
13 | Giuseppe
14 | Scrivano
15 |
16 |
17 |
18 |
19 |
20 | bwrap-oci
21 | 1
22 | User Commands
23 |
24 |
25 |
26 | bwrap-oci
27 | Run an OCI (Open Container Initiative) container through
28 | bubblewrap. bwrap-oci converts the OCI configuration file, a JSON
29 | document which specifies how to run the container, to a command line
30 | for bubblewrap.
31 |
32 |
33 |
34 |
35 | bwrap-oci
36 | OPTION
37 | COMMAND
38 |
39 |
40 |
41 | Description
42 |
43 | bwrap-oci converts an open containers spec file
44 | to a command line for bubblewrap and runs a container through it.
45 |
46 |
47 |
48 | Options
49 | General options:
50 |
51 |
52 |
53 | Print help and exit
54 |
55 |
56 |
57 | Specify the configuration file to use. If not specified
58 | 'configuration.json' is used.
59 |
60 |
61 |
62 |
63 | Print the command line used for bubblewrap but do not execute it.
64 |
65 |
66 |
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/util.h:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 | #ifndef _UTIL_H
19 | # define _UTIL_H
20 | # include
21 | # include
22 | # include
23 | # include
24 | # include
25 | # include
26 |
/* Cleanup handlers for the scope-exit attributes below.  P is the address
   of the variable being destroyed (a pointer to the pointer); presumably
   cleanup_freep frees *p and cleanup_filep fcloses *f -- confirm in util.c.  */
void cleanup_freep (void *p);
void cleanup_filep (FILE **f);

/* Release the annotated variable automatically when it goes out of scope
   (GCC/Clang cleanup attribute).  A variable declared with one of these must
   not also be freed or closed by hand: the handler still runs afterwards on
   the stale pointer.  */
#define cleanup_free __attribute__((cleanup (cleanup_freep)))
#define cleanup_file __attribute__((cleanup (cleanup_filep)))
32 |
/* Subordinate id ranges for the invoking user, as found in /etc/subuid and
   /etc/subgid by getsubidrange() (subugidmap.c): the first id of the range
   and how many ids it covers, for uids and gids respectively.  */
struct user_mapping
{
  uint32_t first_subuid, n_subuid;
  uint32_t first_subgid, n_subgid;
};
38 |
/* Directory holding one "<container>/status.json" per known container
   (kill.c and list.c build that path from it).  Caller frees the result.  */
gchar *get_run_directory (void);
/* Map OCI seccomp action / operator names onto libseccomp values.  */
guint64 get_seccomp_action (const char *name);
uint32_t get_seccomp_operator (const char *name);
/* Whether the bubblewrap binary selected with set_bwrap_path accepts OPTION.  */
gboolean bwrap_has_option (const gchar *option);
void write_container_state (const char *container_state, pid_t child_pid, const char *bundle_path);
void detach_process ();
void write_user_group_mappings (struct user_mapping *user_mapping, uid_t uid, gid_t gid, pid_t pid);
/* TRUE when FILE exists below ROOT; kill.c passes "" as ROOT for an absolute path.  */
gboolean file_exist_p (const char *root, const char *file);
gboolean can_mask_or_ro_p (const char *path);
gchar *get_bundle_path (const char *rootfs);
char *create_container (const char *name);
void delete_container (const char *name);
gchar *format_fd (gchar *buf, int fd);
/* Presumably switches util.c into the mode used by --dry-run/tests; see util.c.  */
void set_test_environment (gboolean status);
int generate_seccomp_rules_file (scmp_filter_ctx seccomp);
/* Path of the bubblewrap executable to run (defaults to BWRAP in bwrap-oci.c).  */
void set_bwrap_path (const char *bwrap);
const char *get_bwrap_path ();
/* Parse PATH (a status.json) into *PID and, when BUNDLEPATH is non-NULL,
   a newly allocated bundle path the caller frees.  Whether *PID is written
   on a malformed file is not visible here -- callers should initialise it.  */
void read_container_status_file (const char *path, pid_t *pid, char **bundlePath);
gboolean pid_running_p (pid_t pid);
58 |
59 | #endif
60 |
--------------------------------------------------------------------------------
/subugidmap.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #include
20 | #include "subugidmap.h"
21 | #include "util.h"
22 |
23 | #include
24 | #include
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 |
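/* Look up the first /etc/subuid (IS_UID != 0) or /etc/subgid (IS_UID == 0)
 * range assigned to the user or group whose numeric id is ID.
 *
 * ID is resolved to a name with getpwuid()/getgrgid() and the file is
 * scanned for the first "NAME:FROM:LEN" line.  On success *FROM and *LEN
 * receive the range and 0 is returned.  Returns -1 when the id has no name,
 * the file cannot be opened, no line matches, or the matching line is
 * malformed (missing ':' separators, no digits) or holds a value that does
 * not fit in uint32_t.  *FROM and *LEN are written only on success, so a
 * bad line can never yield a silently truncated mapping.
 */
int
getsubidrange (uid_t id, int is_uid, uint32_t *from, uint32_t *len)
{
  cleanup_file FILE *input = NULL;
  cleanup_free char *lineptr = NULL;
  size_t lenlineptr = 0, len_name;
  const char *name;

  if (is_uid)
    {
      struct passwd *pwd = getpwuid (id);
      if (pwd == NULL)
        return -1;
      name = pwd->pw_name;
    }
  else
    {
      struct group *grp = getgrgid (id);
      if (grp == NULL)
        return -1;
      name = grp->gr_name;
    }

  len_name = strlen (name);

  input = fopen (is_uid ? "/etc/subuid" : "/etc/subgid", "r");
  if (input == NULL)
    return -1;

  for (;;)
    {
      const char *start;
      char *endptr;
      unsigned long long first, count;
      ssize_t nread = getline (&lineptr, &lenlineptr, input);
      if (nread < 0)
        return -1;

      /* Shortest line that can match is "NAME:" plus at least one more
         character; nread is non-negative here so the cast is safe.  */
      if ((size_t) nread < len_name + 2)
        continue;

      if (memcmp (lineptr, name, len_name) || lineptr[len_name] != ':')
        continue;

      /* FROM: digits right after the first ':' and ending at the second.  */
      start = &lineptr[len_name + 1];
      first = strtoull (start, &endptr, 10);
      if (endptr == start || *endptr != ':')
        return -1;

      /* LEN: digits right after the second ':'.  Whatever follows the number
         (newline, NUL) is ignored, as before.  */
      start = endptr + 1;
      count = strtoull (start, &endptr, 10);
      if (endptr == start)
        return -1;

      /* strtoull saturates at ULLONG_MAX on overflow, so this single check
         also covers out-of-range input.  */
      if (first > UINT32_MAX || count > UINT32_MAX)
        return -1;

      *from = (uint32_t) first;
      *len = (uint32_t) count;
      return 0;
    }
}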
88 |
--------------------------------------------------------------------------------
/list.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #ifdef HAVE_ERROR_H
23 | #include
24 | #endif
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 | #include
40 | #include
41 | #include
42 | #include "safe-read-write.h"
43 | #include "subugidmap.h"
44 | #include "util.h"
45 |
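/* Print one table row per container known under the run directory.
 *
 * Every entry of get_run_directory() whose name does not start with '.' is
 * treated as a container id; its "<id>/status.json" is read with
 * read_container_status_file() and the id, PID, running/stopped status and
 * bundle path are printed.  A missing run directory (ENOENT) simply means
 * there are no containers and prints nothing; any other opendir() failure
 * terminates the process through error().
 */
void
list_containers ()
{
  cleanup_free gchar *run_directory = get_run_directory ();
  DIR *dir;
  struct dirent *dp;

  dir = opendir (run_directory);
  if (dir == NULL)
    {
      /* run_directory is released by its cleanup attribute on return; it
         must not be g_free'd here as well, that would free it twice.  */
      if (errno == ENOENT)
        return;
      error (EXIT_FAILURE, errno, "error opening %s", run_directory);
    }

  printf ("%-30s%-10s%-10s%s\n", "NAME", "PID", "STATUS", "BUNDLE");

  while ((dp = readdir (dir)) != NULL)
    {
      cleanup_free gchar *path = NULL;
      cleanup_free gchar *bundlePath = NULL;
      const char *process_status;
      /* Initialised in case read_container_status_file leaves it untouched
         on a malformed status file (not visible here).  */
      pid_t pid = 0;

      /* Skips ".", ".." and any hidden entry.  */
      if (dp->d_name[0] == '.')
        continue;

      path = g_strdup_printf ("%s/%s/status.json", run_directory, dp->d_name);
      read_container_status_file (path, &pid, &bundlePath);

      process_status = pid_running_p (pid) ? "running" : "stopped";

      printf ("%-30s%-10d%-10s%s\n", dp->d_name, (int) pid, process_status,
              bundlePath != NULL ? bundlePath : "(none)");
    }

  closedir (dir);
}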
87 |
--------------------------------------------------------------------------------
/tests/devtmpfs.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "0.6.0-dev",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "terminal": true,
9 | "user": {},
10 | "args": [
11 | "sh"
12 | ],
13 | "env": [
14 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
15 | "TERM=xterm"
16 | ],
17 | "cwd": "/",
18 | "capabilities": [
19 | "CAP_AUDIT_WRITE",
20 | "CAP_KILL",
21 | "CAP_NET_BIND_SERVICE"
22 | ],
23 | "rlimits": [
24 | {
25 | "type": "RLIMIT_NOFILE",
26 | "hard": 1024,
27 | "soft": 1024
28 | }
29 | ],
30 | "noNewPrivileges": true
31 | },
32 | "root": {
33 | "path": "rootfs",
34 | "readonly": false
35 | },
36 | "hostname": "runc",
37 | "mounts": [
38 | {
39 | "destination": "/proc",
40 | "type": "proc",
41 | "source": "proc"
42 | },
43 | {
44 | "destination": "/dev",
45 | "type": "devtmpfs",
46 | "source": "devtmpfs"
47 | },
48 | {
49 | "destination": "/dev/pts",
50 | "type": "devpts",
51 | "source": "devpts",
52 | "options": [
53 | "nosuid",
54 | "noexec",
55 | "newinstance",
56 | "ptmxmode=0666",
57 | "mode=0620",
58 | "gid=5"
59 | ]
60 | },
61 | {
62 | "destination": "/dev/shm",
63 | "type": "tmpfs",
64 | "source": "shm",
65 | "options": [
66 | "nosuid",
67 | "noexec",
68 | "nodev",
69 | "mode=1777",
70 | "size=65536k"
71 | ]
72 | },
73 | {
74 | "destination": "/dev/mqueue",
75 | "type": "mqueue",
76 | "source": "mqueue",
77 | "options": [
78 | "nosuid",
79 | "noexec",
80 | "nodev"
81 | ]
82 | },
83 | {
84 | "destination": "/sys",
85 | "type": "sysfs",
86 | "source": "sysfs",
87 | "options": [
88 | "nosuid",
89 | "noexec",
90 | "nodev",
91 | "ro"
92 | ]
93 | },
94 | {
95 | "destination": "/sys/fs/cgroup",
96 | "type": "cgroup",
97 | "source": "cgroup",
98 | "options": [
99 | "nosuid",
100 | "noexec",
101 | "nodev",
102 | "relatime",
103 | "ro"
104 | ]
105 | }
106 | ],
107 | "hooks": {},
108 | "linux": {
109 | "resources": {
110 | "devices": [
111 | {
112 | "allow": false,
113 | "access": "rwm"
114 | }
115 | ]
116 | },
117 | "namespaces": [
118 | {
119 | "type": "pid"
120 | },
121 | {
122 | "type": "network"
123 | },
124 | {
125 | "type": "ipc"
126 | },
127 | {
128 | "type": "uts"
129 | },
130 | {
131 | "type": "mount"
132 | }
133 | ],
134 | "maskedPaths": [
135 | "/proc/kcore",
136 | "/proc/latency_stats",
137 | "/proc/timer_stats",
138 | "/proc/sched_debug"
139 | ],
140 | "readonlyPaths": [
141 | "/proc/asound",
142 | "/proc/bus",
143 | "/proc/fs",
144 | "/proc/irq",
145 | "/proc/sys",
146 | "/proc/sysrq-trigger"
147 | ]
148 | }
149 | }
150 |
--------------------------------------------------------------------------------
/tests/devtmpfs.conf.command:
--------------------------------------------------------------------------------
#!/bin/sh
# Emit the OCI config for the devtmpfs test case on stdout (the same document
# as tests/devtmpfs.conf).  The test is driven by tests/tests-runner, wired
# in through CONF_LOG_COMPILER in Makefile.am; how the runner consumes this
# output is not visible here -- see tests-runner.  The case being exercised
# is the "/dev" mount requested with type "devtmpfs".
cat << EOF
{
"ociVersion": "0.6.0-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"user": {},
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": false
},
"hostname": "runc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "devtmpfs",
"source": "devtmpfs"
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"hooks": {},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_stats",
"/proc/sched_debug"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}
EOF
--------------------------------------------------------------------------------
/GNUmakefile:
--------------------------------------------------------------------------------
1 | # Having a separate GNUmakefile lets me 'include' the dynamically
2 | # generated rules created via cfg.mk (package-local configuration)
3 | # as well as maint.mk (generic maintainer rules).
4 | # This makefile is used only if you run GNU Make.
5 | # It is necessary if you want to build targets usually of interest
6 | # only to the maintainer.
7 |
8 | # Copyright (C) 2001, 2003, 2006-2014 Free Software Foundation, Inc.
9 |
10 | # This program is free software: you can redistribute it and/or modify
11 | # it under the terms of the GNU General Public License as published by
12 | # the Free Software Foundation, either version 3 of the License, or
13 | # (at your option) any later version.
14 |
15 | # This program is distributed in the hope that it will be useful,
16 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 | # GNU General Public License for more details.
19 |
20 | # You should have received a copy of the GNU General Public License
21 | # along with this program. If not, see .
22 |
23 | # If the user runs GNU make but has not yet run ./configure,
24 | # give them a diagnostic.
# NOTE(review): this is the stock gnulib top-level GNUmakefile; prefer
# updating it from gnulib over editing it locally.  Both branches below hard
# `include` maint.mk, so `make` aborts early if gnulib's maint.mk has not
# been fetched into $(srcdir).
_gl-Makefile := $(wildcard [M]akefile)
ifneq ($(_gl-Makefile),)

# Make tar archive easier to reproduce.
export TAR_OPTIONS = --owner=0 --group=0 --numeric-owner

# Allow the user to add to this in the Makefile.
ALL_RECURSIVE_TARGETS =

include Makefile

# Some projects override e.g., _autoreconf here.
-include $(srcdir)/cfg.mk

# Allow cfg.mk to override these.
_build-aux ?= build-aux
_autoreconf ?= autoreconf -v

include $(srcdir)/maint.mk

# Ensure that $(VERSION) is up to date for dist-related targets, but not
# for others: rerunning autoreconf and recompiling everything isn't cheap.
_have-git-version-gen := \
  $(shell test -f $(srcdir)/$(_build-aux)/git-version-gen && echo yes)
ifeq ($(_have-git-version-gen)0,yes$(MAKELEVEL))
  _is-dist-target ?= $(filter-out %clean, \
    $(filter maintainer-% dist% alpha beta stable,$(MAKECMDGOALS)))
  _is-install-target ?= $(filter-out %check, $(filter install%,$(MAKECMDGOALS)))
  ifneq (,$(_is-dist-target)$(_is-install-target))
    _curr-ver := $(shell cd $(srcdir) \
                 && $(_build-aux)/git-version-gen \
                      .tarball-version \
                      $(git-version-gen-tag-sed-script))
    ifneq ($(_curr-ver),$(VERSION))
      ifeq ($(_curr-ver),UNKNOWN)
        $(info WARNING: unable to verify if $(VERSION) is the correct version)
      else
        ifneq (,$(_is-install-target))
          # GNU Coding Standards state that 'make install' should not cause
          # recompilation after 'make all'.  But as long as changing the version
          # string alters config.h, the cost of having 'make all' always have an
          # up-to-date version is prohibitive.  So, as a compromise, we merely
          # warn when installing a version string that is out of date; the user
          # should run 'autoreconf' (or something like 'make distcheck') to
          # fix the version, 'make all' to propagate it, then 'make install'.
          $(info WARNING: version string $(VERSION) is out of date;)
          $(info run '$(MAKE) _version' to fix it)
        else
          $(info INFO: running autoreconf for new version string: $(_curr-ver))
GNUmakefile: _version
	touch GNUmakefile
        endif
      endif
    endif
  endif
endif

.PHONY: _version
_version:
	cd $(srcdir) && rm -rf autom4te.cache .version && $(_autoreconf)
	$(MAKE) $(AM_MAKEFLAGS) Makefile

else

.DEFAULT_GOAL := abort-due-to-no-makefile
srcdir = .

# The package can override .DEFAULT_GOAL to run actions like autoreconf.
-include ./cfg.mk

# Allow cfg.mk to override these.
_build-aux ?= build-aux
_autoreconf ?= autoreconf -v

include ./maint.mk

ifeq ($(.DEFAULT_GOAL),abort-due-to-no-makefile)
$(MAKECMDGOALS): abort-due-to-no-makefile
endif

abort-due-to-no-makefile:
	@echo There seems to be no Makefile in this directory.   1>&2
	@echo "You must run ./configure before running 'make'." 1>&2
	@exit 1

endif

# Tell version 3.79 and up of GNU make to not build goals in this
# directory in parallel, in case someone tries to build multiple
# targets, and one of them can cause a recursive target to be invoked.

# Only set this if Automake doesn't provide it.
AM_RECURSIVE_TARGETS ?= $(RECURSIVE_TARGETS:-recursive=) \
  $(RECURSIVE_CLEAN_TARGETS:-recursive=) \
  dist distcheck tags ctags

ALL_RECURSIVE_TARGETS += $(AM_RECURSIVE_TARGETS)

ifneq ($(word 2, $(MAKECMDGOALS)), )
ifneq ($(filter $(ALL_RECURSIVE_TARGETS), $(MAKECMDGOALS)), )
.NOTPARALLEL:
endif
endif
128 |
--------------------------------------------------------------------------------
/spec.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2018 Red Hat, Inc.
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
#include
#include "spec.h"
#include
#include <stdio.h>
#include <stdlib.h>
21 |
/* Default OCI runtime configuration written by `bwrap-oci spec` (see spec()
 * below).  Choices visible in the document: the root filesystem is
 * read-only, a "user" namespace is requested next to pid/network/ipc/uts/
 * mount, /dev is a tmpfs rather than a devtmpfs, the device cgroup denies
 * everything ("allow": false), and "noNewPrivileges" is set.  The JSON is
 * embedded verbatim as one string literal: edit it as a document and keep
 * the trailing `\n\` continuation on every line.  */
static const char *spec_data = \
"{\n\
\"ociVersion\": \"1.0.0\",\n\
\"process\": {\n\
\"terminal\": true,\n\
\"user\": {\n\
\"uid\": 0,\n\
\"gid\": 0\n\
},\n\
\"args\": [\n\
\"sh\"\n\
],\n\
\"env\": [\n\
\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\n\
\"TERM=xterm\"\n\
],\n\
\"cwd\": \"/\",\n\
\"capabilities\": {\n\
\"bounding\": [\n\
\"CAP_AUDIT_WRITE\",\n\
\"CAP_KILL\",\n\
\"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"effective\": [\n\
\"CAP_AUDIT_WRITE\",\n\
\"CAP_KILL\",\n\
\"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"inheritable\": [\n\
\"CAP_AUDIT_WRITE\",\n\
\"CAP_KILL\",\n\
\"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"permitted\": [\n\
\"CAP_AUDIT_WRITE\",\n\
\"CAP_KILL\",\n\
\"CAP_NET_BIND_SERVICE\"\n\
],\n\
\"ambient\": [\n\
\"CAP_AUDIT_WRITE\",\n\
\"CAP_KILL\",\n\
\"CAP_NET_BIND_SERVICE\"\n\
]\n\
},\n\
\"rlimits\": [\n\
{\n\
\"type\": \"RLIMIT_NOFILE\",\n\
\"hard\": 1024,\n\
\"soft\": 1024\n\
}\n\
],\n\
\"noNewPrivileges\": true\n\
},\n\
\"root\": {\n\
\"path\": \"rootfs\",\n\
\"readonly\": true\n\
},\n\
\"hostname\": \"runc\",\n\
\"mounts\": [\n\
{\n\
\"destination\": \"/proc\",\n\
\"type\": \"proc\",\n\
\"source\": \"proc\"\n\
},\n\
{\n\
\"destination\": \"/dev\",\n\
\"type\": \"tmpfs\",\n\
\"source\": \"tmpfs\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"strictatime\",\n\
\"mode=755\",\n\
\"size=65536k\"\n\
]\n\
},\n\
{\n\
\"destination\": \"/dev/pts\",\n\
\"type\": \"devpts\",\n\
\"source\": \"devpts\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"noexec\",\n\
\"newinstance\",\n\
\"ptmxmode=0666\",\n\
\"mode=0620\",\n\
\"gid=5\"\n\
]\n\
},\n\
{\n\
\"destination\": \"/dev/shm\",\n\
\"type\": \"tmpfs\",\n\
\"source\": \"shm\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"noexec\",\n\
\"nodev\",\n\
\"mode=1777\",\n\
\"size=65536k\"\n\
]\n\
},\n\
{\n\
\"destination\": \"/dev/mqueue\",\n\
\"type\": \"mqueue\",\n\
\"source\": \"mqueue\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"noexec\",\n\
\"nodev\"\n\
]\n\
},\n\
{\n\
\"destination\": \"/sys\",\n\
\"type\": \"sysfs\",\n\
\"source\": \"sysfs\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"noexec\",\n\
\"nodev\",\n\
\"ro\"\n\
]\n\
},\n\
{\n\
\"destination\": \"/sys/fs/cgroup\",\n\
\"type\": \"cgroup\",\n\
\"source\": \"cgroup\",\n\
\"options\": [\n\
\"nosuid\",\n\
\"noexec\",\n\
\"nodev\",\n\
\"relatime\",\n\
\"ro\"\n\
]\n\
}\n\
],\n\
\"linux\": {\n\
\"resources\": {\n\
\"devices\": [\n\
{\n\
\"allow\": false,\n\
\"access\": \"rwm\"\n\
}\n\
]\n\
},\n\
\"namespaces\": [\n\
{\n\
\"type\": \"pid\"\n\
},\n\
{\n\
\"type\": \"network\"\n\
},\n\
{\n\
\"type\": \"ipc\"\n\
},\n\
{\n\
\"type\": \"uts\"\n\
},\n\
{\n\
\"type\": \"user\"\n\
},\n\
{\n\
\"type\": \"mount\"\n\
}\n\
],\n\
\"maskedPaths\": [\n\
\"/proc/kcore\",\n\
\"/proc/latency_stats\",\n\
\"/proc/timer_list\",\n\
\"/proc/timer_stats\",\n\
\"/proc/sched_debug\",\n\
\"/sys/firmware\",\n\
\"/proc/scsi\"\n\
],\n\
\"readonlyPaths\": [\n\
\"/proc/asound\",\n\
\"/proc/bus\",\n\
\"/proc/fs\",\n\
\"/proc/irq\",\n\
\"/proc/sys\",\n\
\"/proc/sysrq-trigger\"\n\
]\n\
}\n\
}\n";
204 |
205 |
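/* Write the built-in default OCI configuration (spec_data) to "config.json"
 * in the current directory.  An existing config.json is overwritten, as it
 * always was; callers wanting to protect a customised file must check first.
 *
 * The file is created with "w" (the original "w+" also opened it for
 * reading, which nothing here needs).  A failure to create, write or close
 * the file is reported with perror() and the process exits with
 * EXIT_FAILURE instead of silently leaving a missing or truncated file.
 */
void
spec ()
{
  int ok;
  FILE *f = fopen ("config.json", "w");

  if (f == NULL)
    {
      perror ("config.json");
      exit (EXIT_FAILURE);
    }

  /* Check the write and the close separately: buffered data reaches the
     file on fclose(), so its error must not be masked by a failed fputs().  */
  ok = fputs (spec_data, f) != EOF;
  if (fclose (f) != 0)
    ok = 0;

  if (!ok)
    {
      perror ("config.json");
      exit (EXIT_FAILURE);
    }
}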
213 |
--------------------------------------------------------------------------------
/bwrap-oci.c:
--------------------------------------------------------------------------------
1 | /* bubblewrap-oci
2 | * Copyright (C) 2016, 2017 Giuseppe Scrivano
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU Lesser General Public
6 | * License as published by the Free Software Foundation; either
7 | * version 2 of the License, or (at your option) any later version.
8 | *
9 | * This library is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | * Lesser General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU Lesser General Public
15 | * License along with this library. If not, see .
16 | *
17 | */
18 |
19 | #include
20 | #include
21 | #include
22 | #ifdef HAVE_ERROR_H
23 | #include
24 | #endif
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 | #include
40 | #include "safe-read-write.h"
41 | #include "util.h"
42 | #include "list.h"
43 | #include "run.h"
44 | #include "spec.h"
45 | #include "kill.h"
46 |
/* Command-line option storage filled in by g_option_context_parse() from
   the entries[] table below.  */
static gboolean opt_dry_run;                        /* --dry-run: print the bubblewrap command line only */
static gboolean opt_version;                        /* --version */
static gboolean opt_enable_hooks;                   /* --enable-hooks: hooks are off unless asked for */
static gboolean opt_systemd_cgroup;                 /* --systemd-cgroup: accepted and ignored (runC compatibility) */
static const char *opt_configuration = "config.json";  /* --configuration FILE; default is config.json */
static char *opt_bwrap = BWRAP;                     /* --bwrap PATH; BWRAP is a build-time default, presumably from config.h */
static char *opt_pid_file;                          /* --pid-file PIDFILE */
static char *opt_bundle;                            /* --bundle PATH: chdir target before "run" */
static gboolean opt_detach;                         /* --detach */
56 |
/* GOption table for the command line.  NOTE(review): the default shown by
   --help for --configuration is "config.json" (opt_configuration above),
   while the man page source bwrap-oci.xml says 'configuration.json'; one of
   the two needs updating.  */
static GOptionEntry entries[] =
{
  { "configuration", 'c', 0, G_OPTION_ARG_STRING, &opt_configuration, "Configuration file", "FILE" },
  { "dry-run", 0, 0, G_OPTION_ARG_NONE, &opt_dry_run, "Print the command line for bubblewrap", NULL },
  { "enable-hooks", 0, 0, G_OPTION_ARG_NONE, &opt_enable_hooks, "Execute the OCI hooks", NULL },
  { "detach", 'd', 0, G_OPTION_ARG_NONE, &opt_detach, "Do not wait for termination", NULL },
  { "version", 0, 0, G_OPTION_ARG_NONE, &opt_version, "Print version information and exit", NULL },
  /* Hidden from --help: accepted only so runC-style callers do not fail.  */
  { "systemd-cgroup", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &opt_systemd_cgroup, "Use systemd cgroup", NULL}, /* noop, added for compatibility with runC. */
  { "bwrap", 0, 0, G_OPTION_ARG_STRING, &opt_bwrap, "Specify the path to the bubblewrap executable to use", "PATH" },
  { "pid-file", 0, 0, G_OPTION_ARG_STRING, &opt_pid_file, "Specify the path to the file where write the PID of the sandboxed process", "PIDFILE" },
  { "bundle", 'b', 0, G_OPTION_ARG_STRING, &opt_bundle, "Specify the path to the bundle", "PATH" },
  { NULL }
};
70 |
/* Command list printed in --help.  SIGNAL for "kill" is a decimal signal
   number, not a name (see kill_container in kill.c).  */
static const char *summary = "\
List of commands: \
\n delete CONTAINER - delete a stopped container \
\n list - list current containers \
\n run [CONTAINER] - run a container with id CONTAINER \
\n kill CONTAINER SIGNAL - kill CONTAINER with signal SIGNAL \
\n spec - generate a config.json file \
";
79 |
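/* Reject a container id that is not usable as a single path component:
   the commands below hand it to code that builds "<run directory>/<id>/..."
   from it (see kill.c and list.c).  Terminates through error() on a bad id.  */
static void
validate_container_id (const char *id)
{
  if (id == NULL || id[0] == '\0' || strchr (id, '/') != NULL
      || g_strcmp0 (id, ".") == 0 || g_strcmp0 (id, "..") == 0)
    error (EXIT_FAILURE, 0, "invalid container id '%s'", id != NULL ? id : "");
}

/* Entry point: parse the options in entries[], then dispatch on the first
 * positional argument ("run" when none is given).
 *
 * run [ID]        -> run_container(); its return value is the exit status.
 *                    Without ID the basename of the working directory is
 *                    used, so running from "/" is rejected as an invalid id.
 * delete ID       -> delete_container()
 * list            -> list_containers()
 * kill ID SIGNAL  -> kill_container()
 * spec            -> spec(), writes config.json in the working directory
 * Any other command, a missing argument, or an option-parsing failure exits
 * with EXIT_FAILURE through error().
 */
int
main (int argc, char *argv[])
{
  const char *cmd = "run";
  GOptionContext *opt_context;
  GError *gerror = NULL;

  opt_context = g_option_context_new ("[COMMAND] [ARGUMENTS] - converter from OCI configuration to bubblewrap command line");

  g_option_context_set_summary (opt_context, summary);

  g_option_context_add_main_entries (opt_context, entries, PACKAGE_STRING);
  if (!g_option_context_parse (opt_context, &argc, &argv, &gerror))
    error (EXIT_FAILURE, 0, "option parsing failed: %s", gerror->message);
  g_option_context_free (opt_context);

  if (opt_version)
    {
      g_print ("%s\n", PACKAGE_STRING);
      exit (EXIT_SUCCESS);
    }

  /* --dry-run switches util.c into its test mode before anything is run
     (what that mode changes is defined in util.c).  */
  if (opt_dry_run)
    set_test_environment (TRUE);
  set_bwrap_path (opt_bwrap);

  if (argc > 1)
    cmd = argv[1];

  if (g_strcmp0 (cmd, "run") == 0)
    {
      const char *id;

      if (opt_bundle && chdir (opt_bundle) < 0)
        error (EXIT_FAILURE, errno, "chdir %s", opt_bundle);

      if (argc > 2)
        id = argv[2];
      else
        {
          cleanup_free char *cwd = get_current_dir_name ();
          if (cwd == NULL)
            error (EXIT_FAILURE, errno, "error cwd");
          /* basename() may return a pointer into cwd, which is released at
             the end of this scope, so take a copy.  */
          id = g_strdup (basename (cwd));
        }

      validate_container_id (id);

      return run_container (id, opt_configuration,
                            opt_detach,
                            opt_pid_file,
                            opt_enable_hooks,
                            opt_dry_run);
    }
  else if (g_strcmp0 (cmd, "delete") == 0)
    {
      if (argc < 3)
        error (EXIT_FAILURE, 0, "delete needs an argument");

      validate_container_id (argv[2]);
      delete_container (argv[2]);
    }
  else if (g_strcmp0 (cmd, "list") == 0)
    {
      list_containers ();
    }
  else if (g_strcmp0 (cmd, "kill") == 0)
    {
      if (argc < 4)
        error (EXIT_FAILURE, 0, "kill needs two arguments");

      validate_container_id (argv[2]);
      kill_container (argv[2], argv[3]);
    }
  else if (g_strcmp0 (cmd, "spec") == 0)
    {
      spec ();
    }
  else
    {
      error (EXIT_FAILURE, 0, "unknown command %s", cmd);
      /* error() with a non-zero status does not return; this is only a
         safety net for builds where it is not marked noreturn.  */
      _exit (1);
    }

  return EXIT_SUCCESS;
}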
159 |
--------------------------------------------------------------------------------
/demos/run-systemd/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "terminal": false,
9 | "consoleSize": {
10 | "height": 0,
11 | "width": 0
12 | },
13 | "user": {
14 | "uid": 0,
15 | "gid": 0
16 | },
17 | "args": [
18 | "/usr/lib/systemd/systemd", "--system"
19 | ],
20 | "env": [
21 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
22 | "TERM=xterm"
23 | ],
24 | "cwd": "/",
25 | "capabilities": {
26 | "bounding": [
27 | "CAP_CHOWN",
28 | "CAP_DAC_OVERRIDE",
29 | "CAP_DAC_READ_SEARCH",
30 | "CAP_FOWNER",
31 | "CAP_FSETID",
32 | "CAP_KILL",
33 | "CAP_SETGID",
34 | "CAP_SETUID",
35 | "CAP_SETPCAP",
36 | "CAP_LINUX_IMMUTABLE",
37 | "CAP_NET_BIND_SERVICE",
38 | "CAP_NET_BROADCAST",
39 | "CAP_NET_ADMIN",
40 | "CAP_NET_RAW",
41 | "CAP_IPC_LOCK",
42 | "CAP_IPC_OWNER",
43 | "CAP_SYS_MODULE",
44 | "CAP_SYS_RAWIO",
45 | "CAP_SYS_CHROOT",
46 | "CAP_SYS_PTRACE",
47 | "CAP_SYS_PACCT",
48 | "CAP_SYS_ADMIN",
49 | "CAP_SYS_BOOT",
50 | "CAP_SYS_NICE",
51 | "CAP_SYS_RESOURCE",
52 | "CAP_SYS_TIME",
53 | "CAP_SYS_TTY_CONFIG",
54 | "CAP_MKNOD",
55 | "CAP_LEASE",
56 | "CAP_AUDIT_WRITE",
57 | "CAP_AUDIT_CONTROL",
58 | "CAP_SETFCAP",
59 | "CAP_MAC_OVERRIDE",
60 | "CAP_MAC_ADMIN",
61 | "CAP_SYSLOG",
62 | "CAP_WAKE_ALARM",
63 | "CAP_BLOCK_SUSPEND"
64 | ],
65 | "effective": [
66 | "CAP_CHOWN",
67 | "CAP_DAC_OVERRIDE",
68 | "CAP_DAC_READ_SEARCH",
69 | "CAP_FOWNER",
70 | "CAP_FSETID",
71 | "CAP_KILL",
72 | "CAP_SETGID",
73 | "CAP_SETUID",
74 | "CAP_SETPCAP",
75 | "CAP_LINUX_IMMUTABLE",
76 | "CAP_NET_BIND_SERVICE",
77 | "CAP_NET_BROADCAST",
78 | "CAP_NET_ADMIN",
79 | "CAP_NET_RAW",
80 | "CAP_IPC_LOCK",
81 | "CAP_IPC_OWNER",
82 | "CAP_SYS_MODULE",
83 | "CAP_SYS_RAWIO",
84 | "CAP_SYS_CHROOT",
85 | "CAP_SYS_PTRACE",
86 | "CAP_SYS_PACCT",
87 | "CAP_SYS_ADMIN",
88 | "CAP_SYS_BOOT",
89 | "CAP_SYS_NICE",
90 | "CAP_SYS_RESOURCE",
91 | "CAP_SYS_TIME",
92 | "CAP_SYS_TTY_CONFIG",
93 | "CAP_MKNOD",
94 | "CAP_LEASE",
95 | "CAP_AUDIT_WRITE",
96 | "CAP_AUDIT_CONTROL",
97 | "CAP_SETFCAP",
98 | "CAP_MAC_OVERRIDE",
99 | "CAP_MAC_ADMIN",
100 | "CAP_SYSLOG",
101 | "CAP_WAKE_ALARM",
102 | "CAP_BLOCK_SUSPEND"
103 | ],
104 | "inheritable": [
105 | "CAP_CHOWN",
106 | "CAP_DAC_OVERRIDE",
107 | "CAP_DAC_READ_SEARCH",
108 | "CAP_FOWNER",
109 | "CAP_FSETID",
110 | "CAP_KILL",
111 | "CAP_SETGID",
112 | "CAP_SETUID",
113 | "CAP_SETPCAP",
114 | "CAP_LINUX_IMMUTABLE",
115 | "CAP_NET_BIND_SERVICE",
116 | "CAP_NET_BROADCAST",
117 | "CAP_NET_ADMIN",
118 | "CAP_NET_RAW",
119 | "CAP_IPC_LOCK",
120 | "CAP_IPC_OWNER",
121 | "CAP_SYS_MODULE",
122 | "CAP_SYS_RAWIO",
123 | "CAP_SYS_CHROOT",
124 | "CAP_SYS_PTRACE",
125 | "CAP_SYS_PACCT",
126 | "CAP_SYS_ADMIN",
127 | "CAP_SYS_BOOT",
128 | "CAP_SYS_NICE",
129 | "CAP_SYS_RESOURCE",
130 | "CAP_SYS_TIME",
131 | "CAP_SYS_TTY_CONFIG",
132 | "CAP_MKNOD",
133 | "CAP_LEASE",
134 | "CAP_AUDIT_WRITE",
135 | "CAP_AUDIT_CONTROL",
136 | "CAP_SETFCAP",
137 | "CAP_MAC_OVERRIDE",
138 | "CAP_MAC_ADMIN",
139 | "CAP_SYSLOG",
140 | "CAP_WAKE_ALARM",
141 | "CAP_BLOCK_SUSPEND"
142 | ],
143 | "permitted": [
144 | "CAP_CHOWN",
145 | "CAP_DAC_OVERRIDE",
146 | "CAP_DAC_READ_SEARCH",
147 | "CAP_FOWNER",
148 | "CAP_FSETID",
149 | "CAP_KILL",
150 | "CAP_SETGID",
151 | "CAP_SETUID",
152 | "CAP_SETPCAP",
153 | "CAP_LINUX_IMMUTABLE",
154 | "CAP_NET_BIND_SERVICE",
155 | "CAP_NET_BROADCAST",
156 | "CAP_NET_ADMIN",
157 | "CAP_NET_RAW",
158 | "CAP_IPC_LOCK",
159 | "CAP_IPC_OWNER",
160 | "CAP_SYS_MODULE",
161 | "CAP_SYS_RAWIO",
162 | "CAP_SYS_CHROOT",
163 | "CAP_SYS_PTRACE",
164 | "CAP_SYS_PACCT",
165 | "CAP_SYS_ADMIN",
166 | "CAP_SYS_BOOT",
167 | "CAP_SYS_NICE",
168 | "CAP_SYS_RESOURCE",
169 | "CAP_SYS_TIME",
170 | "CAP_SYS_TTY_CONFIG",
171 | "CAP_MKNOD",
172 | "CAP_LEASE",
173 | "CAP_AUDIT_WRITE",
174 | "CAP_AUDIT_CONTROL",
175 | "CAP_SETFCAP",
176 | "CAP_MAC_OVERRIDE",
177 | "CAP_MAC_ADMIN",
178 | "CAP_SYSLOG",
179 | "CAP_WAKE_ALARM",
180 | "CAP_BLOCK_SUSPEND"
181 | ],
182 | "ambient": [
183 | "CAP_CHOWN",
184 | "CAP_DAC_OVERRIDE",
185 | "CAP_DAC_READ_SEARCH",
186 | "CAP_FOWNER",
187 | "CAP_FSETID",
188 | "CAP_KILL",
189 | "CAP_SETGID",
190 | "CAP_SETUID",
191 | "CAP_SETPCAP",
192 | "CAP_LINUX_IMMUTABLE",
193 | "CAP_NET_BIND_SERVICE",
194 | "CAP_NET_BROADCAST",
195 | "CAP_NET_ADMIN",
196 | "CAP_NET_RAW",
197 | "CAP_IPC_LOCK",
198 | "CAP_IPC_OWNER",
199 | "CAP_SYS_MODULE",
200 | "CAP_SYS_RAWIO",
201 | "CAP_SYS_CHROOT",
202 | "CAP_SYS_PTRACE",
203 | "CAP_SYS_PACCT",
204 | "CAP_SYS_ADMIN",
205 | "CAP_SYS_BOOT",
206 | "CAP_SYS_NICE",
207 | "CAP_SYS_RESOURCE",
208 | "CAP_SYS_TIME",
209 | "CAP_SYS_TTY_CONFIG",
210 | "CAP_MKNOD",
211 | "CAP_LEASE",
212 | "CAP_AUDIT_WRITE",
213 | "CAP_AUDIT_CONTROL",
214 | "CAP_SETFCAP",
215 | "CAP_MAC_OVERRIDE",
216 | "CAP_MAC_ADMIN",
217 | "CAP_SYSLOG",
218 | "CAP_WAKE_ALARM",
219 | "CAP_BLOCK_SUSPEND"
220 | ]
221 | },
222 | "rlimits": [
223 | {
224 | "type": "RLIMIT_NOFILE",
225 | "hard": 1024,
226 | "soft": 1024
227 | }
228 | ],
229 | "noNewPrivileges": true
230 | },
231 | "root": {
232 | "path": "rootfs",
233 | "readonly": true
234 | },
235 | "hostname": "runc",
236 | "mounts": [
237 | {
238 | "destination": "/proc",
239 | "type": "proc",
240 | "source": "proc"
241 | },
242 | {
243 | "destination": "/dev",
244 | "type": "tmpfs",
245 | "source": "tmpfs",
246 | "options": [
247 | "nosuid",
248 | "strictatime",
249 | "mode=755",
250 | "size=65536k"
251 | ]
252 | },
253 | {
254 | "destination": "/dev/pts",
255 | "type": "devpts",
256 | "source": "devpts",
257 | "options": [
258 | "nosuid",
259 | "noexec",
260 | "newinstance",
261 | "ptmxmode=0666",
262 | "mode=0620",
263 | "gid=5"
264 | ]
265 | },
266 | {
267 | "destination": "/dev/shm",
268 | "type": "tmpfs",
269 | "source": "shm",
270 | "options": [
271 | "nosuid",
272 | "noexec",
273 | "nodev",
274 | "mode=1777",
275 | "size=65536k"
276 | ]
277 | },
278 | {
279 | "destination": "/dev/mqueue",
280 | "type": "mqueue",
281 | "source": "mqueue",
282 | "options": [
283 | "nosuid",
284 | "noexec",
285 | "nodev"
286 | ]
287 | },
288 | {
289 | "destination": "/sys",
290 | "type": "sysfs",
291 | "source": "sysfs",
292 | "options": [
293 | "nosuid",
294 | "noexec",
295 | "nodev",
296 | "ro"
297 | ]
298 | },
299 | {
300 | "destination": "/sys/fs/cgroup",
301 | "type": "cgroup",
302 | "source": "cgroup",
303 | "options": [
304 | "nosuid",
305 | "noexec",
306 | "nodev",
307 | "relatime",
308 | "rw"
309 | ]
310 | }
311 | ],
312 | "linux": {
313 | "resources": {
314 | "devices": [
315 | {
316 | "allow": false,
317 | "access": "rwm"
318 | }
319 | ]
320 | },
321 | "namespaces": [
322 | {
323 | "type": "pid"
324 | },
325 | {
326 | "type": "network"
327 | },
328 | {
329 | "type": "ipc"
330 | },
331 | {
332 | "type": "uts"
333 | },
334 | {
335 | "type": "mount"
336 | }
337 | ]
338 | }
339 | }
340 |
--------------------------------------------------------------------------------
/git.mk:
--------------------------------------------------------------------------------
1 | # git.mk, a small Makefile to autogenerate .gitignore files
2 | # for autotools-based projects.
3 | #
4 | # Copyright 2009, Red Hat, Inc.
5 | # Copyright 2010,2011,2012,2013 Behdad Esfahbod
6 | # Written by Behdad Esfahbod
7 | #
8 | # Copying and distribution of this file, with or without modification,
9 | # is permitted in any medium without royalty provided the copyright
10 | # notice and this notice are preserved.
11 | #
# The latest version of this file can be downloaded from the URL below.  It is
# also what the git-mk-update target fetches with wget and writes over
# $(top_srcdir)/git.mk -- a file that make then executes -- so review the
# resulting diff before committing an update.
GIT_MK_URL = https://raw.githubusercontent.com/behdad/git.mk/master/git.mk
14 | #
15 | # Bugs, etc, should be reported upstream at:
16 | # https://github.com/behdad/git.mk
17 | #
18 | # To use in your project, import this file in your git repo's toplevel,
19 | # then do "make -f git.mk". This modifies all Makefile.am files in
20 | # your project to -include git.mk. Remember to add that line to new
21 | # Makefile.am files you create in your project, or just rerun the
22 | # "make -f git.mk".
23 | #
24 | # This enables automatic .gitignore generation. If you need to ignore
25 | # more files, add them to the GITIGNOREFILES variable in your Makefile.am.
26 | # But think twice before doing that. If a file has to be in .gitignore,
27 | # chances are very high that it's a generated file and should be in one
28 | # of MOSTLYCLEANFILES, CLEANFILES, DISTCLEANFILES, or MAINTAINERCLEANFILES.
29 | #
30 | # The only case in which you need to manually add a file to GITIGNOREFILES is
31 | # when you remove files in one of the mostlyclean-local, clean-local, distclean-local,
32 | # or maintainer-clean-local make targets.
33 | #
34 | # Note that for files like editor backup, etc, there are better places to
35 | # ignore them. See "man gitignore".
36 | #
37 | # If "make maintainer-clean" removes the files but they are not recognized
38 | # by this script (that is, if "git status" shows untracked files still), send
39 | # me the output of "git status" as well as your Makefile.am and Makefile for
40 | # the directories involved and I'll diagnose.
41 | #
42 | # For a list of toplevel files that should be in MAINTAINERCLEANFILES, see
43 | # Makefile.am.sample in the git.mk git repo.
44 | #
45 | # Don't EXTRA_DIST this file. It is supposed to only live in git clones,
46 | # not tarballs. It serves no useful purpose in tarballs and clutters the
47 | # build dir.
48 | #
49 | # This file knows how to handle autoconf, automake, libtool, gtk-doc,
50 | # gnome-doc-utils, yelp.m4, mallard, intltool, gsettings, dejagnu, appdata,
51 | # appstream.
52 | #
53 | # This makefile provides the following targets:
54 | #
55 | # - all: "make all" will build all gitignore files.
56 | # - gitignore: makes all gitignore files in the current dir and subdirs.
57 | # - .gitignore: make gitignore file for the current dir.
58 | # - gitignore-recurse: makes all gitignore files in the subdirs.
59 | #
60 | # KNOWN ISSUES:
61 | #
62 | # - Recursive configure doesn't work as $(top_srcdir)/git.mk inside the
63 | # submodule doesn't find us. If you have configure.{in,ac} files in
64 | # subdirs, add a proxy git.mk file in those dirs that simply does:
65 | # "include $(top_srcdir)/../git.mk". Add more ..'s to your taste.
66 | # And add those files to git. See vte/gnome-pty-helper/git.mk for
67 | # example.
68 | #
69 |
70 |
71 |
72 | ###############################################################################
73 | # Variables user modules may want to add to toplevel MAINTAINERCLEANFILES:
74 | ###############################################################################
75 |
#
# Most autotools-using modules should be fine including this variable in their
# toplevel MAINTAINERCLEANFILES.
#
# Note on all three variables below: they are defined with "=" (recursively
# expanded) and contain backquoted shell snippets, so the `autoconf --trace`
# calls only run when the variable is expanded inside a recipe, not at parse
# time.  The trace output gives the AC_CONFIG_AUX_DIR / AC_CONFIG_HEADERS /
# AC_CONFIG_FILES / AC_CONFIG_MACRO_DIR arguments from configure.ac, which is
# how the generated file names are derived.
GITIGNORE_MAINTAINERCLEANFILES_TOPLEVEL = \
	$(srcdir)/aclocal.m4 \
	$(srcdir)/autoscan.log \
	$(srcdir)/configure.scan \
	`AUX_DIR=$(srcdir)/$$(cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_AUX_DIR:$$1' ./configure.ac); \
	 test "x$$AUX_DIR" = "x$(srcdir)/" && AUX_DIR=$(srcdir); \
	 for x in \
		ar-lib \
		compile \
		config.guess \
		config.sub \
		depcomp \
		install-sh \
		ltmain.sh \
		missing \
		mkinstalldirs \
		test-driver \
		ylwrap \
	 ; do echo "$$AUX_DIR/$$x"; done` \
	`cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_HEADERS:$$1' ./configure.ac | \
	 head -n 1 | while read f; do echo "$(srcdir)/$$f.in"; done`
#
# All modules should also be fine including the following variable, which
# removes automake-generated Makefile.in files (only for AC_CONFIG_FILES
# entries named Makefile that actually have a Makefile.am next to them):
GITIGNORE_MAINTAINERCLEANFILES_MAKEFILE_IN = \
	`cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_FILES:$$1' ./configure.ac | \
	 while read f; do \
	   case $$f in Makefile|*/Makefile) \
	     test -f "$(srcdir)/$$f.am" && echo "$(srcdir)/$$f.in";; esac; \
	 done`
#
# Modules that use libtool and use AC_CONFIG_MACRO_DIR() may also include this,
# though it's harmless to include regardless (it expands to nothing when no
# macro dir is configured).
GITIGNORE_MAINTAINERCLEANFILES_M4_LIBTOOL = \
	`MACRO_DIR=$(srcdir)/$$(cd $(top_srcdir); $(AUTOCONF) --trace 'AC_CONFIG_MACRO_DIR:$$1' ./configure.ac); \
	 if test "x$$MACRO_DIR" != "x$(srcdir)/"; then \
	   for x in \
		libtool.m4 \
		ltoptions.m4 \
		ltsugar.m4 \
		ltversion.m4 \
		lt~obsolete.m4 \
	   ; do echo "$$MACRO_DIR/$$x"; done; \
	 fi`
123 |
124 |
125 |
126 | ###############################################################################
127 | # Default rule is to install ourselves in all Makefile.am files:
128 | ###############################################################################
129 |
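git-all: git-mk-install

# Append "-include $(top_srcdir)/git.mk" to every Makefile.am below
# $(top_srcdir) (or "." when it is unset) that does not already include git.mk.
# Each file is rewritten via a .tmp copy that is moved into place only when
# the rewrite succeeded.
#
# The "while read" loop runs in the pipeline's subshell, so the final status
# check is kept inside the same { } group: otherwise any_failed set in the
# loop would never be seen and the target could not fail.  The original also
# had "then : else" (missing ";", which made ":" swallow "else ..." as its
# arguments) and "echo ...; >&2" (redirecting the wrong command); both are
# fixed here.  File names are quoted so paths with spaces survive.
git-mk-install:
	@echo "Installing git makefile"
	@any_failed=; \
	find "`test -z "$(top_srcdir)" && echo . || echo "$(top_srcdir)"`" -name Makefile.am | { while read x; do \
		if grep 'include .*/git.mk' "$$x" >/dev/null; then \
			echo "$$x already includes git.mk"; \
		else \
			failed=; \
			echo "Updating $$x"; \
			{ cat "$$x"; \
			  echo ''; \
			  echo '-include $$(top_srcdir)/git.mk'; \
			} > "$$x.tmp" || failed=1; \
			if test x$$failed = x; then \
				mv "$$x.tmp" "$$x" || failed=1; \
			fi; \
			if test x$$failed = x; then :; else \
				echo "Failed updating $$x" >&2; \
				any_failed=1; \
			fi; \
		fi; done; test -z "$$any_failed"; }

# Replace $(top_srcdir)/git.mk with the upstream copy at $(GIT_MK_URL).
# The downloaded file is executed by make on the next run and is not
# integrity-checked beyond the TLS connection, so diff it before committing.
git-mk-update:
	wget $(GIT_MK_URL) -O $(top_srcdir)/git.mk

.PHONY: git-all git-mk-install git-mk-update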
158 |
159 |
160 |
161 | ###############################################################################
162 | # Actual .gitignore generation:
163 | ###############################################################################
164 |
# Generate $(srcdir)/.gitignore from what the build tools known to this file
# produce in the current directory.  Each "if test ...; then :; else ... fi"
# group contributes the paths of one tool (gtk-doc, gnome-doc-utils, yelp,
# gsettings, appdata/appstream, intltool/gettext, autoconf, dejagnu, libtool),
# followed by the generic automake variables.  Entries echoed with a leading
# "/" are anchored to this directory; the two trailing loops emit unanchored
# patterns (*.lo, .libs, *.o, $(DEPDIR)) that apply to subdirectories too.
# The combined list is piped through sed to strip a leading "$(srcdir)/"
# (every character is bracketed so it matches literally) and "/./", then
# sorted and de-duplicated into $@.tmp, which is only renamed over $@ when
# the whole pipeline succeeded.
$(srcdir)/.gitignore: Makefile.am $(top_srcdir)/git.mk
	@echo "git.mk: Generating $@"
	@{ \
		if test "x$(DOC_MODULE)" = x -o "x$(DOC_MAIN_SGML_FILE)" = x; then :; else \
			for x in \
				$(DOC_MODULE)-decl-list.txt \
				$(DOC_MODULE)-decl.txt \
				tmpl/$(DOC_MODULE)-unused.sgml \
				"tmpl/*.bak" \
				$(REPORT_FILES) \
				$(DOC_MODULE).pdf \
				xml html \
			; do echo "/$$x"; done; \
			FLAVOR=$$(cd $(top_srcdir); $(AUTOCONF) --trace 'GTK_DOC_CHECK:$$2' ./configure.ac); \
			case $$FLAVOR in *no-tmpl*) echo /tmpl;; esac; \
			if echo "$(SCAN_OPTIONS)" | grep -q "\-\-rebuild-types"; then \
				echo "/$(DOC_MODULE).types"; \
			fi; \
			if echo "$(SCAN_OPTIONS)" | grep -q "\-\-rebuild-sections"; then \
				echo "/$(DOC_MODULE)-sections.txt"; \
			fi; \
			if test "$(abs_srcdir)" != "$(abs_builddir)" ; then \
				for x in \
					$(SETUP_FILES) \
					$(DOC_MODULE).types \
				; do echo "/$$x"; done; \
			fi; \
		fi; \
		if test "x$(DOC_MODULE)$(DOC_ID)" = x -o "x$(DOC_LINGUAS)" = x; then :; else \
			for lc in $(DOC_LINGUAS); do \
				for x in \
					$(if $(DOC_MODULE),$(DOC_MODULE).xml) \
					$(DOC_PAGES) \
					$(DOC_INCLUDES) \
				; do echo "/$$lc/$$x"; done; \
			done; \
			for x in \
				$(_DOC_OMF_ALL) \
				$(_DOC_DSK_ALL) \
				$(_DOC_HTML_ALL) \
				$(_DOC_MOFILES) \
				$(DOC_H_FILE) \
				"*/.xml2po.mo" \
				"*/*.omf.out" \
			; do echo /$$x; done; \
		fi; \
		if test "x$(HELP_ID)" = x -o "x$(HELP_LINGUAS)" = x; then :; else \
			for lc in $(HELP_LINGUAS); do \
				for x in \
					$(HELP_FILES) \
					"$$lc.stamp" \
					"$$lc.mo" \
				; do echo "/$$lc/$$x"; done; \
			done; \
		fi; \
		if test "x$(gsettings_SCHEMAS)" = x; then :; else \
			for x in \
				$(gsettings_SCHEMAS:.xml=.valid) \
				$(gsettings__enum_file) \
			; do echo "/$$x"; done; \
		fi; \
		if test "x$(appdata_XML)" = x; then :; else \
			for x in \
				$(appdata_XML:.xml=.valid) \
			; do echo "/$$x"; done; \
		fi; \
		if test "x$(appstream_XML)" = x; then :; else \
			for x in \
				$(appstream_XML:.xml=.valid) \
			; do echo "/$$x"; done; \
		fi; \
		if test -f $(srcdir)/po/Makefile.in.in; then \
			for x in \
				po/Makefile.in.in \
				po/Makefile.in.in~ \
				po/Makefile.in \
				po/Makefile \
				po/Makevars.template \
				po/POTFILES \
				po/Rules-quot \
				po/stamp-it \
				po/stamp-po \
				po/.intltool-merge-cache \
				"po/*.gmo" \
				"po/*.header" \
				"po/*.mo" \
				"po/*.sed" \
				"po/*.sin" \
				po/$(GETTEXT_PACKAGE).pot \
				intltool-extract.in \
				intltool-merge.in \
				intltool-update.in \
			; do echo "/$$x"; done; \
		fi; \
		if test -f $(srcdir)/configure; then \
			for x in \
				autom4te.cache \
				configure \
				config.h \
				stamp-h1 \
				libtool \
				config.lt \
			; do echo "/$$x"; done; \
		fi; \
		if test "x$(DEJATOOL)" = x; then :; else \
			for x in \
				$(DEJATOOL) \
			; do echo "/$$x.sum"; echo "/$$x.log"; done; \
			echo /site.exp; \
		fi; \
		if test "x$(am__dirstamp)" = x; then :; else \
			echo "$(am__dirstamp)"; \
		fi; \
		if test "x$(LTCOMPILE)" = x -a "x$(LTCXXCOMPILE)" = x -a "x$(GTKDOC_RUN)" = x; then :; else \
			for x in \
				"*.lo" \
				".libs" "_libs" \
			; do echo "$$x"; done; \
		fi; \
		for x in \
			.gitignore \
			$(GITIGNOREFILES) \
			$(CLEANFILES) \
			$(PROGRAMS) $(check_PROGRAMS) $(EXTRA_PROGRAMS) \
			$(LIBRARIES) $(check_LIBRARIES) $(EXTRA_LIBRARIES) \
			$(LTLIBRARIES) $(check_LTLIBRARIES) $(EXTRA_LTLIBRARIES) \
			so_locations \
			$(MOSTLYCLEANFILES) \
			$(TEST_LOGS) \
			$(TEST_LOGS:.log=.trs) \
			$(TEST_SUITE_LOG) \
			$(TESTS:=.test) \
			"*.gcda" \
			"*.gcno" \
			$(DISTCLEANFILES) \
			$(am__CONFIG_DISTCLEAN_FILES) \
			$(CONFIG_CLEAN_FILES) \
			TAGS ID GTAGS GRTAGS GSYMS GPATH tags \
			"*.tab.c" \
			$(MAINTAINERCLEANFILES) \
			$(BUILT_SOURCES) \
			$(patsubst %.vala,%.c,$(filter %.vala,$(SOURCES))) \
			$(filter %_vala.stamp,$(DIST_COMMON)) \
			$(filter %.vapi,$(DIST_COMMON)) \
			$(filter $(addprefix %,$(notdir $(patsubst %.vapi,%.h,$(filter %.vapi,$(DIST_COMMON))))),$(DIST_COMMON)) \
			Makefile \
			Makefile.in \
			"*.orig" \
			"*.rej" \
			"*.bak" \
			"*~" \
			".*.sw[nop]" \
			".dirstamp" \
		; do echo "/$$x"; done; \
		for x in \
			"*.$(OBJEXT)" \
			$(DEPDIR) \
		; do echo "$$x"; done; \
	} | \
	sed "s@^/`echo "$(srcdir)" | sed 's/\(.\)/[\1]/g'`/@/@" | \
	sed 's@/[.]/@/@g' | \
	LC_ALL=C sort | uniq > $@.tmp && \
	mv $@.tmp $@;
328 |
# "all" regenerates this directory's .gitignore and recurses only into the
# DIST_SUBDIRS entries that are not also in SUBDIRS (presumably because the
# automake-generated recursion already covers SUBDIRS for "all"); the explicit
# "gitignore" target recurses into every DIST_SUBDIRS entry.
all: $(srcdir)/.gitignore gitignore-recurse-maybe
gitignore: $(srcdir)/.gitignore gitignore-recurse

# Both recursion targets skip "." and any subdir that has its own .git (a
# submodule manages its own ignore files); a failing sub-make is reported
# with "Skipping ..." and does not fail the parent.
gitignore-recurse-maybe:
	@for subdir in $(DIST_SUBDIRS); do \
	  case " $(SUBDIRS) " in \
	    *" $$subdir "*) :;; \
	    *) test "$$subdir" = . -o -e "$$subdir/.git" || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) gitignore || echo "Skipping $$subdir");; \
	  esac; \
	done
gitignore-recurse:
	@for subdir in $(DIST_SUBDIRS); do \
	  test "$$subdir" = . -o -e "$$subdir/.git" || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) gitignore || echo "Skipping $$subdir"); \
	done

# Hook into automake's maintainer-clean so the generated .gitignore is
# removed as well; the leading "-" ignores a missing file.
maintainer-clean: gitignore-clean
gitignore-clean:
	-rm -f $(srcdir)/.gitignore

.PHONY: gitignore-clean gitignore gitignore-recurse gitignore-recurse-maybe
349 |
--------------------------------------------------------------------------------
/tests/hostname.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "atomic",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | }
181 | ],
182 | "linux": {
183 | "resources": {
184 | "devices": [
185 | {
186 | "allow": false,
187 | "access": "rwm"
188 | }
189 | ]
190 | },
191 | "namespaces": [
192 | {
193 | "type": "pid"
194 | },
195 | {
196 | "type": "network"
197 | },
198 | {
199 | "type": "ipc"
200 | },
201 | {
202 | "type": "uts"
203 | },
204 | {
205 | "type": "mount"
206 | }
207 | ],
208 | "seccomp": {
209 | "defaultAction": "SCMP_ACT_ERRNO",
210 | "architectures": [
211 | "SCMP_ARCH_X86_64",
212 | "SCMP_ARCH_X86",
213 | "SCMP_ARCH_X32"
214 | ],
215 | "syscalls": [
216 | {
217 | "names": [
218 | "accept",
219 | "accept4",
220 | "access",
221 | "alarm",
222 | "bind",
223 | "brk",
224 | "capget",
225 | "capset",
226 | "chdir",
227 | "chmod",
228 | "chown",
229 | "chown32",
230 | "clock_getres",
231 | "clock_gettime",
232 | "clock_nanosleep",
233 | "close",
234 | "connect",
235 | "copy_file_range",
236 | "creat",
237 | "dup",
238 | "dup2",
239 | "dup3",
240 | "epoll_create",
241 | "epoll_create1",
242 | "epoll_ctl",
243 | "epoll_ctl_old",
244 | "epoll_pwait",
245 | "epoll_wait",
246 | "epoll_wait_old",
247 | "eventfd",
248 | "eventfd2",
249 | "execve",
250 | "execveat",
251 | "exit",
252 | "exit_group",
253 | "faccessat",
254 | "fadvise64",
255 | "fadvise64_64",
256 | "fallocate",
257 | "fanotify_mark",
258 | "fchdir",
259 | "fchmod",
260 | "fchmodat",
261 | "fchown",
262 | "fchown32",
263 | "fchownat",
264 | "fcntl",
265 | "fcntl64",
266 | "fdatasync",
267 | "fgetxattr",
268 | "flistxattr",
269 | "flock",
270 | "fork",
271 | "fremovexattr",
272 | "fsetxattr",
273 | "fstat",
274 | "fstat64",
275 | "fstatat64",
276 | "fstatfs",
277 | "fstatfs64",
278 | "fsync",
279 | "ftruncate",
280 | "ftruncate64",
281 | "futex",
282 | "futimesat",
283 | "getcpu",
284 | "getcwd",
285 | "getdents",
286 | "getdents64",
287 | "getegid",
288 | "getegid32",
289 | "geteuid",
290 | "geteuid32",
291 | "getgid",
292 | "getgid32",
293 | "getgroups",
294 | "getgroups32",
295 | "getitimer",
296 | "getpeername",
297 | "getpgid",
298 | "getpgrp",
299 | "getpid",
300 | "getppid",
301 | "getpriority",
302 | "getrandom",
303 | "getresgid",
304 | "getresgid32",
305 | "getresuid",
306 | "getresuid32",
307 | "getrlimit",
308 | "get_robust_list",
309 | "getrusage",
310 | "getsid",
311 | "getsockname",
312 | "getsockopt",
313 | "get_thread_area",
314 | "gettid",
315 | "gettimeofday",
316 | "getuid",
317 | "getuid32",
318 | "getxattr",
319 | "inotify_add_watch",
320 | "inotify_init",
321 | "inotify_init1",
322 | "inotify_rm_watch",
323 | "io_cancel",
324 | "ioctl",
325 | "io_destroy",
326 | "io_getevents",
327 | "ioprio_get",
328 | "ioprio_set",
329 | "io_setup",
330 | "io_submit",
331 | "ipc",
332 | "kill",
333 | "lchown",
334 | "lchown32",
335 | "lgetxattr",
336 | "link",
337 | "linkat",
338 | "listen",
339 | "listxattr",
340 | "llistxattr",
341 | "_llseek",
342 | "lremovexattr",
343 | "lseek",
344 | "lsetxattr",
345 | "lstat",
346 | "lstat64",
347 | "madvise",
348 | "memfd_create",
349 | "mincore",
350 | "mkdir",
351 | "mkdirat",
352 | "mknod",
353 | "mknodat",
354 | "mlock",
355 | "mlock2",
356 | "mlockall",
357 | "mmap",
358 | "mmap2",
359 | "mprotect",
360 | "mq_getsetattr",
361 | "mq_notify",
362 | "mq_open",
363 | "mq_timedreceive",
364 | "mq_timedsend",
365 | "mq_unlink",
366 | "mremap",
367 | "msgctl",
368 | "msgget",
369 | "msgrcv",
370 | "msgsnd",
371 | "msync",
372 | "munlock",
373 | "munlockall",
374 | "munmap",
375 | "nanosleep",
376 | "newfstatat",
377 | "_newselect",
378 | "open",
379 | "openat",
380 | "pause",
381 | "pipe",
382 | "pipe2",
383 | "poll",
384 | "ppoll",
385 | "prctl",
386 | "pread64",
387 | "preadv",
388 | "prlimit64",
389 | "pselect6",
390 | "pwrite64",
391 | "pwritev",
392 | "read",
393 | "readahead",
394 | "readlink",
395 | "readlinkat",
396 | "readv",
397 | "recv",
398 | "recvfrom",
399 | "recvmmsg",
400 | "recvmsg",
401 | "remap_file_pages",
402 | "removexattr",
403 | "rename",
404 | "renameat",
405 | "renameat2",
406 | "restart_syscall",
407 | "rmdir",
408 | "rt_sigaction",
409 | "rt_sigpending",
410 | "rt_sigprocmask",
411 | "rt_sigqueueinfo",
412 | "rt_sigreturn",
413 | "rt_sigsuspend",
414 | "rt_sigtimedwait",
415 | "rt_tgsigqueueinfo",
416 | "sched_getaffinity",
417 | "sched_getattr",
418 | "sched_getparam",
419 | "sched_get_priority_max",
420 | "sched_get_priority_min",
421 | "sched_getscheduler",
422 | "sched_rr_get_interval",
423 | "sched_setaffinity",
424 | "sched_setattr",
425 | "sched_setparam",
426 | "sched_setscheduler",
427 | "sched_yield",
428 | "seccomp",
429 | "select",
430 | "semctl",
431 | "semget",
432 | "semop",
433 | "semtimedop",
434 | "send",
435 | "sendfile",
436 | "sendfile64",
437 | "sendmmsg",
438 | "sendmsg",
439 | "sendto",
440 | "setfsgid",
441 | "setfsgid32",
442 | "setfsuid",
443 | "setfsuid32",
444 | "setgid",
445 | "setgid32",
446 | "setgroups",
447 | "setgroups32",
448 | "setitimer",
449 | "setpgid",
450 | "setpriority",
451 | "setregid",
452 | "setregid32",
453 | "setresgid",
454 | "setresgid32",
455 | "setresuid",
456 | "setresuid32",
457 | "setreuid",
458 | "setreuid32",
459 | "setrlimit",
460 | "set_robust_list",
461 | "setsid",
462 | "setsockopt",
463 | "set_thread_area",
464 | "set_tid_address",
465 | "setuid",
466 | "setuid32",
467 | "setxattr",
468 | "shmat",
469 | "shmctl",
470 | "shmdt",
471 | "shmget",
472 | "shutdown",
473 | "sigaltstack",
474 | "signalfd",
475 | "signalfd4",
476 | "sigreturn",
477 | "socket",
478 | "socketcall",
479 | "socketpair",
480 | "splice",
481 | "stat",
482 | "stat64",
483 | "statfs",
484 | "statfs64",
485 | "symlink",
486 | "symlinkat",
487 | "sync",
488 | "sync_file_range",
489 | "syncfs",
490 | "sysinfo",
491 | "syslog",
492 | "tee",
493 | "tgkill",
494 | "time",
495 | "timer_create",
496 | "timer_delete",
497 | "timerfd_create",
498 | "timerfd_gettime",
499 | "timerfd_settime",
500 | "timer_getoverrun",
501 | "timer_gettime",
502 | "timer_settime",
503 | "times",
504 | "tkill",
505 | "truncate",
506 | "truncate64",
507 | "ugetrlimit",
508 | "umask",
509 | "uname",
510 | "unlink",
511 | "unlinkat",
512 | "utime",
513 | "utimensat",
514 | "utimes",
515 | "vfork",
516 | "vmsplice",
517 | "wait4",
518 | "waitid",
519 | "waitpid",
520 | "write",
521 | "writev"
522 | ],
523 | "action": "SCMP_ACT_ALLOW",
524 | "args": [],
525 | "comment": ""
526 | },
527 | {
528 | "names": [
529 | "personality"
530 | ],
531 | "action": "SCMP_ACT_ALLOW",
532 | "args": [
533 | {
534 | "index": 0,
535 | "value": 0,
536 | "valueTwo": 0,
537 | "op": "SCMP_CMP_EQ"
538 | },
539 | {
540 | "index": 0,
541 | "value": 8,
542 | "valueTwo": 0,
543 | "op": "SCMP_CMP_EQ"
544 | },
545 | {
546 | "index": 0,
547 | "value": 4294967295,
548 | "valueTwo": 0,
549 | "op": "SCMP_CMP_EQ"
550 | }
551 | ],
552 | "comment": ""
553 | },
554 | {
555 | "names": [
556 | "chroot"
557 | ],
558 | "action": "SCMP_ACT_ALLOW",
559 | "args": [],
560 | "comment": ""
561 | },
562 | {
563 | "names": [
564 | "chroot"
565 | ],
566 | "action": "SCMP_ACT_ALLOW",
567 | "args": [],
568 | "comment": ""
569 | },
570 | {
571 | "names": [
572 | "chroot"
573 | ],
574 | "action": "SCMP_ACT_ALLOW",
575 | "args": [],
576 | "comment": ""
577 | },
578 | {
579 | "names": [
580 | "chroot"
581 | ],
582 | "action": "SCMP_ACT_ALLOW",
583 | "args": [],
584 | "comment": ""
585 | },
586 | {
587 | "names": [
588 | "chroot"
589 | ],
590 | "action": "SCMP_ACT_ALLOW",
591 | "args": [],
592 | "comment": ""
593 | },
594 | {
595 | "names": [
596 | "clone"
597 | ],
598 | "action": "SCMP_ACT_ALLOW",
599 | "args": [
600 | {
601 | "index": 0,
602 | "value": 2080505856,
603 | "valueTwo": 0,
604 | "op": "SCMP_CMP_MASKED_EQ"
605 | }
606 | ],
607 | "comment": ""
608 | },
609 | {
610 | "names": [
611 | "arch_prctl"
612 | ],
613 | "action": "SCMP_ACT_ALLOW",
614 | "args": [],
615 | "comment": ""
616 | },
617 | {
618 | "names": [
619 | "modify_ldt"
620 | ],
621 | "action": "SCMP_ACT_ALLOW",
622 | "args": [],
623 | "comment": ""
624 | }
625 | ]
626 | }
627 | }
628 | }
--------------------------------------------------------------------------------
/tests/rootfs.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | }
181 | ],
182 | "linux": {
183 | "resources": {
184 | "devices": [
185 | {
186 | "allow": false,
187 | "access": "rwm"
188 | }
189 | ]
190 | },
191 | "namespaces": [
192 | {
193 | "type": "pid"
194 | },
195 | {
196 | "type": "network"
197 | },
198 | {
199 | "type": "ipc"
200 | },
201 | {
202 | "type": "uts"
203 | },
204 | {
205 | "type": "mount"
206 | }
207 | ],
208 | "seccomp": {
209 | "defaultAction": "SCMP_ACT_ERRNO",
210 | "architectures": [
211 | "SCMP_ARCH_X86_64",
212 | "SCMP_ARCH_X86",
213 | "SCMP_ARCH_X32"
214 | ],
215 | "syscalls": [
216 | {
217 | "names": [
218 | "accept",
219 | "accept4",
220 | "access",
221 | "alarm",
222 | "bind",
223 | "brk",
224 | "capget",
225 | "capset",
226 | "chdir",
227 | "chmod",
228 | "chown",
229 | "chown32",
230 | "clock_getres",
231 | "clock_gettime",
232 | "clock_nanosleep",
233 | "close",
234 | "connect",
235 | "copy_file_range",
236 | "creat",
237 | "dup",
238 | "dup2",
239 | "dup3",
240 | "epoll_create",
241 | "epoll_create1",
242 | "epoll_ctl",
243 | "epoll_ctl_old",
244 | "epoll_pwait",
245 | "epoll_wait",
246 | "epoll_wait_old",
247 | "eventfd",
248 | "eventfd2",
249 | "execve",
250 | "execveat",
251 | "exit",
252 | "exit_group",
253 | "faccessat",
254 | "fadvise64",
255 | "fadvise64_64",
256 | "fallocate",
257 | "fanotify_mark",
258 | "fchdir",
259 | "fchmod",
260 | "fchmodat",
261 | "fchown",
262 | "fchown32",
263 | "fchownat",
264 | "fcntl",
265 | "fcntl64",
266 | "fdatasync",
267 | "fgetxattr",
268 | "flistxattr",
269 | "flock",
270 | "fork",
271 | "fremovexattr",
272 | "fsetxattr",
273 | "fstat",
274 | "fstat64",
275 | "fstatat64",
276 | "fstatfs",
277 | "fstatfs64",
278 | "fsync",
279 | "ftruncate",
280 | "ftruncate64",
281 | "futex",
282 | "futimesat",
283 | "getcpu",
284 | "getcwd",
285 | "getdents",
286 | "getdents64",
287 | "getegid",
288 | "getegid32",
289 | "geteuid",
290 | "geteuid32",
291 | "getgid",
292 | "getgid32",
293 | "getgroups",
294 | "getgroups32",
295 | "getitimer",
296 | "getpeername",
297 | "getpgid",
298 | "getpgrp",
299 | "getpid",
300 | "getppid",
301 | "getpriority",
302 | "getrandom",
303 | "getresgid",
304 | "getresgid32",
305 | "getresuid",
306 | "getresuid32",
307 | "getrlimit",
308 | "get_robust_list",
309 | "getrusage",
310 | "getsid",
311 | "getsockname",
312 | "getsockopt",
313 | "get_thread_area",
314 | "gettid",
315 | "gettimeofday",
316 | "getuid",
317 | "getuid32",
318 | "getxattr",
319 | "inotify_add_watch",
320 | "inotify_init",
321 | "inotify_init1",
322 | "inotify_rm_watch",
323 | "io_cancel",
324 | "ioctl",
325 | "io_destroy",
326 | "io_getevents",
327 | "ioprio_get",
328 | "ioprio_set",
329 | "io_setup",
330 | "io_submit",
331 | "ipc",
332 | "kill",
333 | "lchown",
334 | "lchown32",
335 | "lgetxattr",
336 | "link",
337 | "linkat",
338 | "listen",
339 | "listxattr",
340 | "llistxattr",
341 | "_llseek",
342 | "lremovexattr",
343 | "lseek",
344 | "lsetxattr",
345 | "lstat",
346 | "lstat64",
347 | "madvise",
348 | "memfd_create",
349 | "mincore",
350 | "mkdir",
351 | "mkdirat",
352 | "mknod",
353 | "mknodat",
354 | "mlock",
355 | "mlock2",
356 | "mlockall",
357 | "mmap",
358 | "mmap2",
359 | "mprotect",
360 | "mq_getsetattr",
361 | "mq_notify",
362 | "mq_open",
363 | "mq_timedreceive",
364 | "mq_timedsend",
365 | "mq_unlink",
366 | "mremap",
367 | "msgctl",
368 | "msgget",
369 | "msgrcv",
370 | "msgsnd",
371 | "msync",
372 | "munlock",
373 | "munlockall",
374 | "munmap",
375 | "nanosleep",
376 | "newfstatat",
377 | "_newselect",
378 | "open",
379 | "openat",
380 | "pause",
381 | "pipe",
382 | "pipe2",
383 | "poll",
384 | "ppoll",
385 | "prctl",
386 | "pread64",
387 | "preadv",
388 | "prlimit64",
389 | "pselect6",
390 | "pwrite64",
391 | "pwritev",
392 | "read",
393 | "readahead",
394 | "readlink",
395 | "readlinkat",
396 | "readv",
397 | "recv",
398 | "recvfrom",
399 | "recvmmsg",
400 | "recvmsg",
401 | "remap_file_pages",
402 | "removexattr",
403 | "rename",
404 | "renameat",
405 | "renameat2",
406 | "restart_syscall",
407 | "rmdir",
408 | "rt_sigaction",
409 | "rt_sigpending",
410 | "rt_sigprocmask",
411 | "rt_sigqueueinfo",
412 | "rt_sigreturn",
413 | "rt_sigsuspend",
414 | "rt_sigtimedwait",
415 | "rt_tgsigqueueinfo",
416 | "sched_getaffinity",
417 | "sched_getattr",
418 | "sched_getparam",
419 | "sched_get_priority_max",
420 | "sched_get_priority_min",
421 | "sched_getscheduler",
422 | "sched_rr_get_interval",
423 | "sched_setaffinity",
424 | "sched_setattr",
425 | "sched_setparam",
426 | "sched_setscheduler",
427 | "sched_yield",
428 | "seccomp",
429 | "select",
430 | "semctl",
431 | "semget",
432 | "semop",
433 | "semtimedop",
434 | "send",
435 | "sendfile",
436 | "sendfile64",
437 | "sendmmsg",
438 | "sendmsg",
439 | "sendto",
440 | "setfsgid",
441 | "setfsgid32",
442 | "setfsuid",
443 | "setfsuid32",
444 | "setgid",
445 | "setgid32",
446 | "setgroups",
447 | "setgroups32",
448 | "setitimer",
449 | "setpgid",
450 | "setpriority",
451 | "setregid",
452 | "setregid32",
453 | "setresgid",
454 | "setresgid32",
455 | "setresuid",
456 | "setresuid32",
457 | "setreuid",
458 | "setreuid32",
459 | "setrlimit",
460 | "set_robust_list",
461 | "setsid",
462 | "setsockopt",
463 | "set_thread_area",
464 | "set_tid_address",
465 | "setuid",
466 | "setuid32",
467 | "setxattr",
468 | "shmat",
469 | "shmctl",
470 | "shmdt",
471 | "shmget",
472 | "shutdown",
473 | "sigaltstack",
474 | "signalfd",
475 | "signalfd4",
476 | "sigreturn",
477 | "socket",
478 | "socketcall",
479 | "socketpair",
480 | "splice",
481 | "stat",
482 | "stat64",
483 | "statfs",
484 | "statfs64",
485 | "symlink",
486 | "symlinkat",
487 | "sync",
488 | "sync_file_range",
489 | "syncfs",
490 | "sysinfo",
491 | "syslog",
492 | "tee",
493 | "tgkill",
494 | "time",
495 | "timer_create",
496 | "timer_delete",
497 | "timerfd_create",
498 | "timerfd_gettime",
499 | "timerfd_settime",
500 | "timer_getoverrun",
501 | "timer_gettime",
502 | "timer_settime",
503 | "times",
504 | "tkill",
505 | "truncate",
506 | "truncate64",
507 | "ugetrlimit",
508 | "umask",
509 | "uname",
510 | "unlink",
511 | "unlinkat",
512 | "utime",
513 | "utimensat",
514 | "utimes",
515 | "vfork",
516 | "vmsplice",
517 | "wait4",
518 | "waitid",
519 | "waitpid",
520 | "write",
521 | "writev"
522 | ],
523 | "action": "SCMP_ACT_ALLOW",
524 | "args": [],
525 | "comment": ""
526 | },
527 | {
528 | "names": [
529 | "personality"
530 | ],
531 | "action": "SCMP_ACT_ALLOW",
532 | "args": [
533 | {
534 | "index": 0,
535 | "value": 0,
536 | "valueTwo": 0,
537 | "op": "SCMP_CMP_EQ"
538 | },
539 | {
540 | "index": 0,
541 | "value": 8,
542 | "valueTwo": 0,
543 | "op": "SCMP_CMP_EQ"
544 | },
545 | {
546 | "index": 0,
547 | "value": 4294967295,
548 | "valueTwo": 0,
549 | "op": "SCMP_CMP_EQ"
550 | }
551 | ],
552 | "comment": ""
553 | },
554 | {
555 | "names": [
556 | "chroot"
557 | ],
558 | "action": "SCMP_ACT_ALLOW",
559 | "args": [],
560 | "comment": ""
561 | },
562 | {
563 | "names": [
564 | "chroot"
565 | ],
566 | "action": "SCMP_ACT_ALLOW",
567 | "args": [],
568 | "comment": ""
569 | },
570 | {
571 | "names": [
572 | "chroot"
573 | ],
574 | "action": "SCMP_ACT_ALLOW",
575 | "args": [],
576 | "comment": ""
577 | },
578 | {
579 | "names": [
580 | "chroot"
581 | ],
582 | "action": "SCMP_ACT_ALLOW",
583 | "args": [],
584 | "comment": ""
585 | },
586 | {
587 | "names": [
588 | "chroot"
589 | ],
590 | "action": "SCMP_ACT_ALLOW",
591 | "args": [],
592 | "comment": ""
593 | },
594 | {
595 | "names": [
596 | "clone"
597 | ],
598 | "action": "SCMP_ACT_ALLOW",
599 | "args": [
600 | {
601 | "index": 0,
602 | "value": 2080505856,
603 | "valueTwo": 0,
604 | "op": "SCMP_CMP_MASKED_EQ"
605 | }
606 | ],
607 | "comment": ""
608 | },
609 | {
610 | "names": [
611 | "arch_prctl"
612 | ],
613 | "action": "SCMP_ACT_ALLOW",
614 | "args": [],
615 | "comment": ""
616 | },
617 | {
618 | "names": [
619 | "modify_ldt"
620 | ],
621 | "action": "SCMP_ACT_ALLOW",
622 | "args": [],
623 | "comment": ""
624 | }
625 | ]
626 | }
627 | }
628 | }
--------------------------------------------------------------------------------
/tests/uid.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 10,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | }
181 | ],
182 | "linux": {
183 | "resources": {
184 | "devices": [
185 | {
186 | "allow": false,
187 | "access": "rwm"
188 | }
189 | ]
190 | },
191 | "namespaces": [
192 | {
193 | "type": "pid"
194 | },
195 | {
196 | "type": "network"
197 | },
198 | {
199 | "type": "ipc"
200 | },
201 | {
202 | "type": "uts"
203 | },
204 | {
205 | "type": "mount"
206 | }
207 | ],
208 | "seccomp": {
209 | "defaultAction": "SCMP_ACT_ERRNO",
210 | "architectures": [
211 | "SCMP_ARCH_X86_64",
212 | "SCMP_ARCH_X86",
213 | "SCMP_ARCH_X32"
214 | ],
215 | "syscalls": [
216 | {
217 | "names": [
218 | "accept",
219 | "accept4",
220 | "access",
221 | "alarm",
222 | "bind",
223 | "brk",
224 | "capget",
225 | "capset",
226 | "chdir",
227 | "chmod",
228 | "chown",
229 | "chown32",
230 | "clock_getres",
231 | "clock_gettime",
232 | "clock_nanosleep",
233 | "close",
234 | "connect",
235 | "copy_file_range",
236 | "creat",
237 | "dup",
238 | "dup2",
239 | "dup3",
240 | "epoll_create",
241 | "epoll_create1",
242 | "epoll_ctl",
243 | "epoll_ctl_old",
244 | "epoll_pwait",
245 | "epoll_wait",
246 | "epoll_wait_old",
247 | "eventfd",
248 | "eventfd2",
249 | "execve",
250 | "execveat",
251 | "exit",
252 | "exit_group",
253 | "faccessat",
254 | "fadvise64",
255 | "fadvise64_64",
256 | "fallocate",
257 | "fanotify_mark",
258 | "fchdir",
259 | "fchmod",
260 | "fchmodat",
261 | "fchown",
262 | "fchown32",
263 | "fchownat",
264 | "fcntl",
265 | "fcntl64",
266 | "fdatasync",
267 | "fgetxattr",
268 | "flistxattr",
269 | "flock",
270 | "fork",
271 | "fremovexattr",
272 | "fsetxattr",
273 | "fstat",
274 | "fstat64",
275 | "fstatat64",
276 | "fstatfs",
277 | "fstatfs64",
278 | "fsync",
279 | "ftruncate",
280 | "ftruncate64",
281 | "futex",
282 | "futimesat",
283 | "getcpu",
284 | "getcwd",
285 | "getdents",
286 | "getdents64",
287 | "getegid",
288 | "getegid32",
289 | "geteuid",
290 | "geteuid32",
291 | "getgid",
292 | "getgid32",
293 | "getgroups",
294 | "getgroups32",
295 | "getitimer",
296 | "getpeername",
297 | "getpgid",
298 | "getpgrp",
299 | "getpid",
300 | "getppid",
301 | "getpriority",
302 | "getrandom",
303 | "getresgid",
304 | "getresgid32",
305 | "getresuid",
306 | "getresuid32",
307 | "getrlimit",
308 | "get_robust_list",
309 | "getrusage",
310 | "getsid",
311 | "getsockname",
312 | "getsockopt",
313 | "get_thread_area",
314 | "gettid",
315 | "gettimeofday",
316 | "getuid",
317 | "getuid32",
318 | "getxattr",
319 | "inotify_add_watch",
320 | "inotify_init",
321 | "inotify_init1",
322 | "inotify_rm_watch",
323 | "io_cancel",
324 | "ioctl",
325 | "io_destroy",
326 | "io_getevents",
327 | "ioprio_get",
328 | "ioprio_set",
329 | "io_setup",
330 | "io_submit",
331 | "ipc",
332 | "kill",
333 | "lchown",
334 | "lchown32",
335 | "lgetxattr",
336 | "link",
337 | "linkat",
338 | "listen",
339 | "listxattr",
340 | "llistxattr",
341 | "_llseek",
342 | "lremovexattr",
343 | "lseek",
344 | "lsetxattr",
345 | "lstat",
346 | "lstat64",
347 | "madvise",
348 | "memfd_create",
349 | "mincore",
350 | "mkdir",
351 | "mkdirat",
352 | "mknod",
353 | "mknodat",
354 | "mlock",
355 | "mlock2",
356 | "mlockall",
357 | "mmap",
358 | "mmap2",
359 | "mprotect",
360 | "mq_getsetattr",
361 | "mq_notify",
362 | "mq_open",
363 | "mq_timedreceive",
364 | "mq_timedsend",
365 | "mq_unlink",
366 | "mremap",
367 | "msgctl",
368 | "msgget",
369 | "msgrcv",
370 | "msgsnd",
371 | "msync",
372 | "munlock",
373 | "munlockall",
374 | "munmap",
375 | "nanosleep",
376 | "newfstatat",
377 | "_newselect",
378 | "open",
379 | "openat",
380 | "pause",
381 | "pipe",
382 | "pipe2",
383 | "poll",
384 | "ppoll",
385 | "prctl",
386 | "pread64",
387 | "preadv",
388 | "prlimit64",
389 | "pselect6",
390 | "pwrite64",
391 | "pwritev",
392 | "read",
393 | "readahead",
394 | "readlink",
395 | "readlinkat",
396 | "readv",
397 | "recv",
398 | "recvfrom",
399 | "recvmmsg",
400 | "recvmsg",
401 | "remap_file_pages",
402 | "removexattr",
403 | "rename",
404 | "renameat",
405 | "renameat2",
406 | "restart_syscall",
407 | "rmdir",
408 | "rt_sigaction",
409 | "rt_sigpending",
410 | "rt_sigprocmask",
411 | "rt_sigqueueinfo",
412 | "rt_sigreturn",
413 | "rt_sigsuspend",
414 | "rt_sigtimedwait",
415 | "rt_tgsigqueueinfo",
416 | "sched_getaffinity",
417 | "sched_getattr",
418 | "sched_getparam",
419 | "sched_get_priority_max",
420 | "sched_get_priority_min",
421 | "sched_getscheduler",
422 | "sched_rr_get_interval",
423 | "sched_setaffinity",
424 | "sched_setattr",
425 | "sched_setparam",
426 | "sched_setscheduler",
427 | "sched_yield",
428 | "seccomp",
429 | "select",
430 | "semctl",
431 | "semget",
432 | "semop",
433 | "semtimedop",
434 | "send",
435 | "sendfile",
436 | "sendfile64",
437 | "sendmmsg",
438 | "sendmsg",
439 | "sendto",
440 | "setfsgid",
441 | "setfsgid32",
442 | "setfsuid",
443 | "setfsuid32",
444 | "setgid",
445 | "setgid32",
446 | "setgroups",
447 | "setgroups32",
448 | "setitimer",
449 | "setpgid",
450 | "setpriority",
451 | "setregid",
452 | "setregid32",
453 | "setresgid",
454 | "setresgid32",
455 | "setresuid",
456 | "setresuid32",
457 | "setreuid",
458 | "setreuid32",
459 | "setrlimit",
460 | "set_robust_list",
461 | "setsid",
462 | "setsockopt",
463 | "set_thread_area",
464 | "set_tid_address",
465 | "setuid",
466 | "setuid32",
467 | "setxattr",
468 | "shmat",
469 | "shmctl",
470 | "shmdt",
471 | "shmget",
472 | "shutdown",
473 | "sigaltstack",
474 | "signalfd",
475 | "signalfd4",
476 | "sigreturn",
477 | "socket",
478 | "socketcall",
479 | "socketpair",
480 | "splice",
481 | "stat",
482 | "stat64",
483 | "statfs",
484 | "statfs64",
485 | "symlink",
486 | "symlinkat",
487 | "sync",
488 | "sync_file_range",
489 | "syncfs",
490 | "sysinfo",
491 | "syslog",
492 | "tee",
493 | "tgkill",
494 | "time",
495 | "timer_create",
496 | "timer_delete",
497 | "timerfd_create",
498 | "timerfd_gettime",
499 | "timerfd_settime",
500 | "timer_getoverrun",
501 | "timer_gettime",
502 | "timer_settime",
503 | "times",
504 | "tkill",
505 | "truncate",
506 | "truncate64",
507 | "ugetrlimit",
508 | "umask",
509 | "uname",
510 | "unlink",
511 | "unlinkat",
512 | "utime",
513 | "utimensat",
514 | "utimes",
515 | "vfork",
516 | "vmsplice",
517 | "wait4",
518 | "waitid",
519 | "waitpid",
520 | "write",
521 | "writev"
522 | ],
523 | "action": "SCMP_ACT_ALLOW",
524 | "args": [],
525 | "comment": ""
526 | },
527 | {
528 | "names": [
529 | "personality"
530 | ],
531 | "action": "SCMP_ACT_ALLOW",
532 | "args": [
533 | {
534 | "index": 0,
535 | "value": 0,
536 | "valueTwo": 0,
537 | "op": "SCMP_CMP_EQ"
538 | },
539 | {
540 | "index": 0,
541 | "value": 8,
542 | "valueTwo": 0,
543 | "op": "SCMP_CMP_EQ"
544 | },
545 | {
546 | "index": 0,
547 | "value": 4294967295,
548 | "valueTwo": 0,
549 | "op": "SCMP_CMP_EQ"
550 | }
551 | ],
552 | "comment": ""
553 | },
554 | {
555 | "names": [
556 | "chroot"
557 | ],
558 | "action": "SCMP_ACT_ALLOW",
559 | "args": [],
560 | "comment": ""
561 | },
562 | {
563 | "names": [
564 | "chroot"
565 | ],
566 | "action": "SCMP_ACT_ALLOW",
567 | "args": [],
568 | "comment": ""
569 | },
570 | {
571 | "names": [
572 | "chroot"
573 | ],
574 | "action": "SCMP_ACT_ALLOW",
575 | "args": [],
576 | "comment": ""
577 | },
578 | {
579 | "names": [
580 | "chroot"
581 | ],
582 | "action": "SCMP_ACT_ALLOW",
583 | "args": [],
584 | "comment": ""
585 | },
586 | {
587 | "names": [
588 | "chroot"
589 | ],
590 | "action": "SCMP_ACT_ALLOW",
591 | "args": [],
592 | "comment": ""
593 | },
594 | {
595 | "names": [
596 | "clone"
597 | ],
598 | "action": "SCMP_ACT_ALLOW",
599 | "args": [
600 | {
601 | "index": 0,
602 | "value": 2080505856,
603 | "valueTwo": 0,
604 | "op": "SCMP_CMP_MASKED_EQ"
605 | }
606 | ],
607 | "comment": ""
608 | },
609 | {
610 | "names": [
611 | "arch_prctl"
612 | ],
613 | "action": "SCMP_ACT_ALLOW",
614 | "args": [],
615 | "comment": ""
616 | },
617 | {
618 | "names": [
619 | "modify_ldt"
620 | ],
621 | "action": "SCMP_ACT_ALLOW",
622 | "args": [],
623 | "comment": ""
624 | }
625 | ]
626 | }
627 | }
628 | }
--------------------------------------------------------------------------------
/tests/cwd.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/usr/local/bin",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | }
181 | ],
182 | "linux": {
183 | "resources": {
184 | "devices": [
185 | {
186 | "allow": false,
187 | "access": "rwm"
188 | }
189 | ]
190 | },
191 | "namespaces": [
192 | {
193 | "type": "pid"
194 | },
195 | {
196 | "type": "network"
197 | },
198 | {
199 | "type": "ipc"
200 | },
201 | {
202 | "type": "uts"
203 | },
204 | {
205 | "type": "mount"
206 | }
207 | ],
208 | "seccomp": {
209 | "defaultAction": "SCMP_ACT_ERRNO",
210 | "architectures": [
211 | "SCMP_ARCH_X86_64",
212 | "SCMP_ARCH_X86",
213 | "SCMP_ARCH_X32"
214 | ],
215 | "syscalls": [
216 | {
217 | "names": [
218 | "accept",
219 | "accept4",
220 | "access",
221 | "alarm",
222 | "bind",
223 | "brk",
224 | "capget",
225 | "capset",
226 | "chdir",
227 | "chmod",
228 | "chown",
229 | "chown32",
230 | "clock_getres",
231 | "clock_gettime",
232 | "clock_nanosleep",
233 | "close",
234 | "connect",
235 | "copy_file_range",
236 | "creat",
237 | "dup",
238 | "dup2",
239 | "dup3",
240 | "epoll_create",
241 | "epoll_create1",
242 | "epoll_ctl",
243 | "epoll_ctl_old",
244 | "epoll_pwait",
245 | "epoll_wait",
246 | "epoll_wait_old",
247 | "eventfd",
248 | "eventfd2",
249 | "execve",
250 | "execveat",
251 | "exit",
252 | "exit_group",
253 | "faccessat",
254 | "fadvise64",
255 | "fadvise64_64",
256 | "fallocate",
257 | "fanotify_mark",
258 | "fchdir",
259 | "fchmod",
260 | "fchmodat",
261 | "fchown",
262 | "fchown32",
263 | "fchownat",
264 | "fcntl",
265 | "fcntl64",
266 | "fdatasync",
267 | "fgetxattr",
268 | "flistxattr",
269 | "flock",
270 | "fork",
271 | "fremovexattr",
272 | "fsetxattr",
273 | "fstat",
274 | "fstat64",
275 | "fstatat64",
276 | "fstatfs",
277 | "fstatfs64",
278 | "fsync",
279 | "ftruncate",
280 | "ftruncate64",
281 | "futex",
282 | "futimesat",
283 | "getcpu",
284 | "getcwd",
285 | "getdents",
286 | "getdents64",
287 | "getegid",
288 | "getegid32",
289 | "geteuid",
290 | "geteuid32",
291 | "getgid",
292 | "getgid32",
293 | "getgroups",
294 | "getgroups32",
295 | "getitimer",
296 | "getpeername",
297 | "getpgid",
298 | "getpgrp",
299 | "getpid",
300 | "getppid",
301 | "getpriority",
302 | "getrandom",
303 | "getresgid",
304 | "getresgid32",
305 | "getresuid",
306 | "getresuid32",
307 | "getrlimit",
308 | "get_robust_list",
309 | "getrusage",
310 | "getsid",
311 | "getsockname",
312 | "getsockopt",
313 | "get_thread_area",
314 | "gettid",
315 | "gettimeofday",
316 | "getuid",
317 | "getuid32",
318 | "getxattr",
319 | "inotify_add_watch",
320 | "inotify_init",
321 | "inotify_init1",
322 | "inotify_rm_watch",
323 | "io_cancel",
324 | "ioctl",
325 | "io_destroy",
326 | "io_getevents",
327 | "ioprio_get",
328 | "ioprio_set",
329 | "io_setup",
330 | "io_submit",
331 | "ipc",
332 | "kill",
333 | "lchown",
334 | "lchown32",
335 | "lgetxattr",
336 | "link",
337 | "linkat",
338 | "listen",
339 | "listxattr",
340 | "llistxattr",
341 | "_llseek",
342 | "lremovexattr",
343 | "lseek",
344 | "lsetxattr",
345 | "lstat",
346 | "lstat64",
347 | "madvise",
348 | "memfd_create",
349 | "mincore",
350 | "mkdir",
351 | "mkdirat",
352 | "mknod",
353 | "mknodat",
354 | "mlock",
355 | "mlock2",
356 | "mlockall",
357 | "mmap",
358 | "mmap2",
359 | "mprotect",
360 | "mq_getsetattr",
361 | "mq_notify",
362 | "mq_open",
363 | "mq_timedreceive",
364 | "mq_timedsend",
365 | "mq_unlink",
366 | "mremap",
367 | "msgctl",
368 | "msgget",
369 | "msgrcv",
370 | "msgsnd",
371 | "msync",
372 | "munlock",
373 | "munlockall",
374 | "munmap",
375 | "nanosleep",
376 | "newfstatat",
377 | "_newselect",
378 | "open",
379 | "openat",
380 | "pause",
381 | "pipe",
382 | "pipe2",
383 | "poll",
384 | "ppoll",
385 | "prctl",
386 | "pread64",
387 | "preadv",
388 | "prlimit64",
389 | "pselect6",
390 | "pwrite64",
391 | "pwritev",
392 | "read",
393 | "readahead",
394 | "readlink",
395 | "readlinkat",
396 | "readv",
397 | "recv",
398 | "recvfrom",
399 | "recvmmsg",
400 | "recvmsg",
401 | "remap_file_pages",
402 | "removexattr",
403 | "rename",
404 | "renameat",
405 | "renameat2",
406 | "restart_syscall",
407 | "rmdir",
408 | "rt_sigaction",
409 | "rt_sigpending",
410 | "rt_sigprocmask",
411 | "rt_sigqueueinfo",
412 | "rt_sigreturn",
413 | "rt_sigsuspend",
414 | "rt_sigtimedwait",
415 | "rt_tgsigqueueinfo",
416 | "sched_getaffinity",
417 | "sched_getattr",
418 | "sched_getparam",
419 | "sched_get_priority_max",
420 | "sched_get_priority_min",
421 | "sched_getscheduler",
422 | "sched_rr_get_interval",
423 | "sched_setaffinity",
424 | "sched_setattr",
425 | "sched_setparam",
426 | "sched_setscheduler",
427 | "sched_yield",
428 | "seccomp",
429 | "select",
430 | "semctl",
431 | "semget",
432 | "semop",
433 | "semtimedop",
434 | "send",
435 | "sendfile",
436 | "sendfile64",
437 | "sendmmsg",
438 | "sendmsg",
439 | "sendto",
440 | "setfsgid",
441 | "setfsgid32",
442 | "setfsuid",
443 | "setfsuid32",
444 | "setgid",
445 | "setgid32",
446 | "setgroups",
447 | "setgroups32",
448 | "setitimer",
449 | "setpgid",
450 | "setpriority",
451 | "setregid",
452 | "setregid32",
453 | "setresgid",
454 | "setresgid32",
455 | "setresuid",
456 | "setresuid32",
457 | "setreuid",
458 | "setreuid32",
459 | "setrlimit",
460 | "set_robust_list",
461 | "setsid",
462 | "setsockopt",
463 | "set_thread_area",
464 | "set_tid_address",
465 | "setuid",
466 | "setuid32",
467 | "setxattr",
468 | "shmat",
469 | "shmctl",
470 | "shmdt",
471 | "shmget",
472 | "shutdown",
473 | "sigaltstack",
474 | "signalfd",
475 | "signalfd4",
476 | "sigreturn",
477 | "socket",
478 | "socketcall",
479 | "socketpair",
480 | "splice",
481 | "stat",
482 | "stat64",
483 | "statfs",
484 | "statfs64",
485 | "symlink",
486 | "symlinkat",
487 | "sync",
488 | "sync_file_range",
489 | "syncfs",
490 | "sysinfo",
491 | "syslog",
492 | "tee",
493 | "tgkill",
494 | "time",
495 | "timer_create",
496 | "timer_delete",
497 | "timerfd_create",
498 | "timerfd_gettime",
499 | "timerfd_settime",
500 | "timer_getoverrun",
501 | "timer_gettime",
502 | "timer_settime",
503 | "times",
504 | "tkill",
505 | "truncate",
506 | "truncate64",
507 | "ugetrlimit",
508 | "umask",
509 | "uname",
510 | "unlink",
511 | "unlinkat",
512 | "utime",
513 | "utimensat",
514 | "utimes",
515 | "vfork",
516 | "vmsplice",
517 | "wait4",
518 | "waitid",
519 | "waitpid",
520 | "write",
521 | "writev"
522 | ],
523 | "action": "SCMP_ACT_ALLOW",
524 | "args": [],
525 | "comment": ""
526 | },
527 | {
528 | "names": [
529 | "personality"
530 | ],
531 | "action": "SCMP_ACT_ALLOW",
532 | "args": [
533 | {
534 | "index": 0,
535 | "value": 0,
536 | "valueTwo": 0,
537 | "op": "SCMP_CMP_EQ"
538 | },
539 | {
540 | "index": 0,
541 | "value": 8,
542 | "valueTwo": 0,
543 | "op": "SCMP_CMP_EQ"
544 | },
545 | {
546 | "index": 0,
547 | "value": 4294967295,
548 | "valueTwo": 0,
549 | "op": "SCMP_CMP_EQ"
550 | }
551 | ],
552 | "comment": ""
553 | },
554 | {
555 | "names": [
556 | "chroot"
557 | ],
558 | "action": "SCMP_ACT_ALLOW",
559 | "args": [],
560 | "comment": ""
561 | },
562 | {
563 | "names": [
564 | "chroot"
565 | ],
566 | "action": "SCMP_ACT_ALLOW",
567 | "args": [],
568 | "comment": ""
569 | },
570 | {
571 | "names": [
572 | "chroot"
573 | ],
574 | "action": "SCMP_ACT_ALLOW",
575 | "args": [],
576 | "comment": ""
577 | },
578 | {
579 | "names": [
580 | "chroot"
581 | ],
582 | "action": "SCMP_ACT_ALLOW",
583 | "args": [],
584 | "comment": ""
585 | },
586 | {
587 | "names": [
588 | "chroot"
589 | ],
590 | "action": "SCMP_ACT_ALLOW",
591 | "args": [],
592 | "comment": ""
593 | },
594 | {
595 | "names": [
596 | "clone"
597 | ],
598 | "action": "SCMP_ACT_ALLOW",
599 | "args": [
600 | {
601 | "index": 0,
602 | "value": 2080505856,
603 | "valueTwo": 0,
604 | "op": "SCMP_CMP_MASKED_EQ"
605 | }
606 | ],
607 | "comment": ""
608 | },
609 | {
610 | "names": [
611 | "arch_prctl"
612 | ],
613 | "action": "SCMP_ACT_ALLOW",
614 | "args": [],
615 | "comment": ""
616 | },
617 | {
618 | "names": [
619 | "modify_ldt"
620 | ],
621 | "action": "SCMP_ACT_ALLOW",
622 | "args": [],
623 | "comment": ""
624 | }
625 | ]
626 | }
627 | }
628 | }
--------------------------------------------------------------------------------
/tests/tty.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "terminal": true,
9 | "consoleSize": {
10 | "height": 0,
11 | "width": 0
12 | },
13 | "user": {
14 | "uid": 0,
15 | "gid": 0
16 | },
17 | "args": [
18 | "sh"
19 | ],
20 | "env": [
21 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
22 | "TERM=xterm"
23 | ],
24 | "cwd": "/",
25 | "capabilities": {
26 | "bounding": [
27 | "CAP_CHOWN",
28 | "CAP_DAC_OVERRIDE",
29 | "CAP_FSETID",
30 | "CAP_FOWNER",
31 | "CAP_MKNOD",
32 | "CAP_NET_RAW",
33 | "CAP_SETGID",
34 | "CAP_SETUID",
35 | "CAP_SETFCAP",
36 | "CAP_SETPCAP",
37 | "CAP_NET_BIND_SERVICE",
38 | "CAP_SYS_CHROOT",
39 | "CAP_KILL",
40 | "CAP_AUDIT_WRITE"
41 | ],
42 | "effective": [
43 | "CAP_CHOWN",
44 | "CAP_DAC_OVERRIDE",
45 | "CAP_FSETID",
46 | "CAP_FOWNER",
47 | "CAP_MKNOD",
48 | "CAP_NET_RAW",
49 | "CAP_SETGID",
50 | "CAP_SETUID",
51 | "CAP_SETFCAP",
52 | "CAP_SETPCAP",
53 | "CAP_NET_BIND_SERVICE",
54 | "CAP_SYS_CHROOT",
55 | "CAP_KILL",
56 | "CAP_AUDIT_WRITE"
57 | ],
58 | "inheritable": [
59 | "CAP_CHOWN",
60 | "CAP_DAC_OVERRIDE",
61 | "CAP_FSETID",
62 | "CAP_FOWNER",
63 | "CAP_MKNOD",
64 | "CAP_NET_RAW",
65 | "CAP_SETGID",
66 | "CAP_SETUID",
67 | "CAP_SETFCAP",
68 | "CAP_SETPCAP",
69 | "CAP_NET_BIND_SERVICE",
70 | "CAP_SYS_CHROOT",
71 | "CAP_KILL",
72 | "CAP_AUDIT_WRITE"
73 | ],
74 | "permitted": [
75 | "CAP_CHOWN",
76 | "CAP_DAC_OVERRIDE",
77 | "CAP_FSETID",
78 | "CAP_FOWNER",
79 | "CAP_MKNOD",
80 | "CAP_NET_RAW",
81 | "CAP_SETGID",
82 | "CAP_SETUID",
83 | "CAP_SETFCAP",
84 | "CAP_SETPCAP",
85 | "CAP_NET_BIND_SERVICE",
86 | "CAP_SYS_CHROOT",
87 | "CAP_KILL",
88 | "CAP_AUDIT_WRITE"
89 | ],
90 | "ambient": [
91 | "CAP_CHOWN",
92 | "CAP_DAC_OVERRIDE",
93 | "CAP_FSETID",
94 | "CAP_FOWNER",
95 | "CAP_MKNOD",
96 | "CAP_NET_RAW",
97 | "CAP_SETGID",
98 | "CAP_SETUID",
99 | "CAP_SETFCAP",
100 | "CAP_SETPCAP",
101 | "CAP_NET_BIND_SERVICE",
102 | "CAP_SYS_CHROOT",
103 | "CAP_KILL",
104 | "CAP_AUDIT_WRITE"
105 | ]
106 | },
107 | "rlimits": [
108 | {
109 | "type": "RLIMIT_NOFILE",
110 | "hard": 1024,
111 | "soft": 1024
112 | }
113 | ]
114 | },
115 | "root": {
116 | "path": "rootfs"
117 | },
118 | "hostname": "mrsdalloway",
119 | "mounts": [
120 | {
121 | "destination": "/proc",
122 | "type": "proc",
123 | "source": "proc"
124 | },
125 | {
126 | "destination": "/dev",
127 | "type": "tmpfs",
128 | "source": "tmpfs",
129 | "options": [
130 | "nosuid",
131 | "strictatime",
132 | "mode=755",
133 | "size=65536k"
134 | ]
135 | },
136 | {
137 | "destination": "/dev/pts",
138 | "type": "devpts",
139 | "source": "devpts",
140 | "options": [
141 | "nosuid",
142 | "noexec",
143 | "newinstance",
144 | "ptmxmode=0666",
145 | "mode=0620",
146 | "gid=5"
147 | ]
148 | },
149 | {
150 | "destination": "/dev/shm",
151 | "type": "tmpfs",
152 | "source": "shm",
153 | "options": [
154 | "nosuid",
155 | "noexec",
156 | "nodev",
157 | "mode=1777",
158 | "size=65536k"
159 | ]
160 | },
161 | {
162 | "destination": "/dev/mqueue",
163 | "type": "mqueue",
164 | "source": "mqueue",
165 | "options": [
166 | "nosuid",
167 | "noexec",
168 | "nodev"
169 | ]
170 | },
171 | {
172 | "destination": "/sys",
173 | "type": "sysfs",
174 | "source": "sysfs",
175 | "options": [
176 | "nosuid",
177 | "noexec",
178 | "nodev",
179 | "ro"
180 | ]
181 | }
182 | ],
183 | "linux": {
184 | "resources": {
185 | "devices": [
186 | {
187 | "allow": false,
188 | "access": "rwm"
189 | }
190 | ]
191 | },
192 | "namespaces": [
193 | {
194 | "type": "pid"
195 | },
196 | {
197 | "type": "network"
198 | },
199 | {
200 | "type": "ipc"
201 | },
202 | {
203 | "type": "uts"
204 | },
205 | {
206 | "type": "mount"
207 | }
208 | ],
209 | "seccomp": {
210 | "defaultAction": "SCMP_ACT_ERRNO",
211 | "architectures": [
212 | "SCMP_ARCH_X86_64",
213 | "SCMP_ARCH_X86",
214 | "SCMP_ARCH_X32"
215 | ],
216 | "syscalls": [
217 | {
218 | "names": [
219 | "accept",
220 | "accept4",
221 | "access",
222 | "alarm",
223 | "bind",
224 | "brk",
225 | "capget",
226 | "capset",
227 | "chdir",
228 | "chmod",
229 | "chown",
230 | "chown32",
231 | "clock_getres",
232 | "clock_gettime",
233 | "clock_nanosleep",
234 | "close",
235 | "connect",
236 | "copy_file_range",
237 | "creat",
238 | "dup",
239 | "dup2",
240 | "dup3",
241 | "epoll_create",
242 | "epoll_create1",
243 | "epoll_ctl",
244 | "epoll_ctl_old",
245 | "epoll_pwait",
246 | "epoll_wait",
247 | "epoll_wait_old",
248 | "eventfd",
249 | "eventfd2",
250 | "execve",
251 | "execveat",
252 | "exit",
253 | "exit_group",
254 | "faccessat",
255 | "fadvise64",
256 | "fadvise64_64",
257 | "fallocate",
258 | "fanotify_mark",
259 | "fchdir",
260 | "fchmod",
261 | "fchmodat",
262 | "fchown",
263 | "fchown32",
264 | "fchownat",
265 | "fcntl",
266 | "fcntl64",
267 | "fdatasync",
268 | "fgetxattr",
269 | "flistxattr",
270 | "flock",
271 | "fork",
272 | "fremovexattr",
273 | "fsetxattr",
274 | "fstat",
275 | "fstat64",
276 | "fstatat64",
277 | "fstatfs",
278 | "fstatfs64",
279 | "fsync",
280 | "ftruncate",
281 | "ftruncate64",
282 | "futex",
283 | "futimesat",
284 | "getcpu",
285 | "getcwd",
286 | "getdents",
287 | "getdents64",
288 | "getegid",
289 | "getegid32",
290 | "geteuid",
291 | "geteuid32",
292 | "getgid",
293 | "getgid32",
294 | "getgroups",
295 | "getgroups32",
296 | "getitimer",
297 | "getpeername",
298 | "getpgid",
299 | "getpgrp",
300 | "getpid",
301 | "getppid",
302 | "getpriority",
303 | "getrandom",
304 | "getresgid",
305 | "getresgid32",
306 | "getresuid",
307 | "getresuid32",
308 | "getrlimit",
309 | "get_robust_list",
310 | "getrusage",
311 | "getsid",
312 | "getsockname",
313 | "getsockopt",
314 | "get_thread_area",
315 | "gettid",
316 | "gettimeofday",
317 | "getuid",
318 | "getuid32",
319 | "getxattr",
320 | "inotify_add_watch",
321 | "inotify_init",
322 | "inotify_init1",
323 | "inotify_rm_watch",
324 | "io_cancel",
325 | "ioctl",
326 | "io_destroy",
327 | "io_getevents",
328 | "ioprio_get",
329 | "ioprio_set",
330 | "io_setup",
331 | "io_submit",
332 | "ipc",
333 | "kill",
334 | "lchown",
335 | "lchown32",
336 | "lgetxattr",
337 | "link",
338 | "linkat",
339 | "listen",
340 | "listxattr",
341 | "llistxattr",
342 | "_llseek",
343 | "lremovexattr",
344 | "lseek",
345 | "lsetxattr",
346 | "lstat",
347 | "lstat64",
348 | "madvise",
349 | "memfd_create",
350 | "mincore",
351 | "mkdir",
352 | "mkdirat",
353 | "mknod",
354 | "mknodat",
355 | "mlock",
356 | "mlock2",
357 | "mlockall",
358 | "mmap",
359 | "mmap2",
360 | "mprotect",
361 | "mq_getsetattr",
362 | "mq_notify",
363 | "mq_open",
364 | "mq_timedreceive",
365 | "mq_timedsend",
366 | "mq_unlink",
367 | "mremap",
368 | "msgctl",
369 | "msgget",
370 | "msgrcv",
371 | "msgsnd",
372 | "msync",
373 | "munlock",
374 | "munlockall",
375 | "munmap",
376 | "nanosleep",
377 | "newfstatat",
378 | "_newselect",
379 | "open",
380 | "openat",
381 | "pause",
382 | "pipe",
383 | "pipe2",
384 | "poll",
385 | "ppoll",
386 | "prctl",
387 | "pread64",
388 | "preadv",
389 | "prlimit64",
390 | "pselect6",
391 | "pwrite64",
392 | "pwritev",
393 | "read",
394 | "readahead",
395 | "readlink",
396 | "readlinkat",
397 | "readv",
398 | "recv",
399 | "recvfrom",
400 | "recvmmsg",
401 | "recvmsg",
402 | "remap_file_pages",
403 | "removexattr",
404 | "rename",
405 | "renameat",
406 | "renameat2",
407 | "restart_syscall",
408 | "rmdir",
409 | "rt_sigaction",
410 | "rt_sigpending",
411 | "rt_sigprocmask",
412 | "rt_sigqueueinfo",
413 | "rt_sigreturn",
414 | "rt_sigsuspend",
415 | "rt_sigtimedwait",
416 | "rt_tgsigqueueinfo",
417 | "sched_getaffinity",
418 | "sched_getattr",
419 | "sched_getparam",
420 | "sched_get_priority_max",
421 | "sched_get_priority_min",
422 | "sched_getscheduler",
423 | "sched_rr_get_interval",
424 | "sched_setaffinity",
425 | "sched_setattr",
426 | "sched_setparam",
427 | "sched_setscheduler",
428 | "sched_yield",
429 | "seccomp",
430 | "select",
431 | "semctl",
432 | "semget",
433 | "semop",
434 | "semtimedop",
435 | "send",
436 | "sendfile",
437 | "sendfile64",
438 | "sendmmsg",
439 | "sendmsg",
440 | "sendto",
441 | "setfsgid",
442 | "setfsgid32",
443 | "setfsuid",
444 | "setfsuid32",
445 | "setgid",
446 | "setgid32",
447 | "setgroups",
448 | "setgroups32",
449 | "setitimer",
450 | "setpgid",
451 | "setpriority",
452 | "setregid",
453 | "setregid32",
454 | "setresgid",
455 | "setresgid32",
456 | "setresuid",
457 | "setresuid32",
458 | "setreuid",
459 | "setreuid32",
460 | "setrlimit",
461 | "set_robust_list",
462 | "setsid",
463 | "setsockopt",
464 | "set_thread_area",
465 | "set_tid_address",
466 | "setuid",
467 | "setuid32",
468 | "setxattr",
469 | "shmat",
470 | "shmctl",
471 | "shmdt",
472 | "shmget",
473 | "shutdown",
474 | "sigaltstack",
475 | "signalfd",
476 | "signalfd4",
477 | "sigreturn",
478 | "socket",
479 | "socketcall",
480 | "socketpair",
481 | "splice",
482 | "stat",
483 | "stat64",
484 | "statfs",
485 | "statfs64",
486 | "symlink",
487 | "symlinkat",
488 | "sync",
489 | "sync_file_range",
490 | "syncfs",
491 | "sysinfo",
492 | "syslog",
493 | "tee",
494 | "tgkill",
495 | "time",
496 | "timer_create",
497 | "timer_delete",
498 | "timerfd_create",
499 | "timerfd_gettime",
500 | "timerfd_settime",
501 | "timer_getoverrun",
502 | "timer_gettime",
503 | "timer_settime",
504 | "times",
505 | "tkill",
506 | "truncate",
507 | "truncate64",
508 | "ugetrlimit",
509 | "umask",
510 | "uname",
511 | "unlink",
512 | "unlinkat",
513 | "utime",
514 | "utimensat",
515 | "utimes",
516 | "vfork",
517 | "vmsplice",
518 | "wait4",
519 | "waitid",
520 | "waitpid",
521 | "write",
522 | "writev"
523 | ],
524 | "action": "SCMP_ACT_ALLOW",
525 | "args": [],
526 | "comment": ""
527 | },
528 | {
529 | "names": [
530 | "personality"
531 | ],
532 | "action": "SCMP_ACT_ALLOW",
533 | "args": [
534 | {
535 | "index": 0,
536 | "value": 0,
537 | "valueTwo": 0,
538 | "op": "SCMP_CMP_EQ"
539 | },
540 | {
541 | "index": 0,
542 | "value": 8,
543 | "valueTwo": 0,
544 | "op": "SCMP_CMP_EQ"
545 | },
546 | {
547 | "index": 0,
548 | "value": 4294967295,
549 | "valueTwo": 0,
550 | "op": "SCMP_CMP_EQ"
551 | }
552 | ],
553 | "comment": ""
554 | },
555 | {
556 | "names": [
557 | "chroot"
558 | ],
559 | "action": "SCMP_ACT_ALLOW",
560 | "args": [],
561 | "comment": ""
562 | },
563 | {
564 | "names": [
565 | "chroot"
566 | ],
567 | "action": "SCMP_ACT_ALLOW",
568 | "args": [],
569 | "comment": ""
570 | },
571 | {
572 | "names": [
573 | "chroot"
574 | ],
575 | "action": "SCMP_ACT_ALLOW",
576 | "args": [],
577 | "comment": ""
578 | },
579 | {
580 | "names": [
581 | "chroot"
582 | ],
583 | "action": "SCMP_ACT_ALLOW",
584 | "args": [],
585 | "comment": ""
586 | },
587 | {
588 | "names": [
589 | "chroot"
590 | ],
591 | "action": "SCMP_ACT_ALLOW",
592 | "args": [],
593 | "comment": ""
594 | },
595 | {
596 | "names": [
597 | "clone"
598 | ],
599 | "action": "SCMP_ACT_ALLOW",
600 | "args": [
601 | {
602 | "index": 0,
603 | "value": 2080505856,
604 | "valueTwo": 0,
605 | "op": "SCMP_CMP_MASKED_EQ"
606 | }
607 | ],
608 | "comment": ""
609 | },
610 | {
611 | "names": [
612 | "arch_prctl"
613 | ],
614 | "action": "SCMP_ACT_ALLOW",
615 | "args": [],
616 | "comment": ""
617 | },
618 | {
619 | "names": [
620 | "modify_ldt"
621 | ],
622 | "action": "SCMP_ACT_ALLOW",
623 | "args": [],
624 | "comment": ""
625 | }
626 | ]
627 | }
628 | }
629 | }
--------------------------------------------------------------------------------
/tests/env.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm",
22 | "foo=bar",
23 | "bar=foo"
24 | ],
25 | "cwd": "/",
26 | "capabilities": {
27 | "bounding": [
28 | "CAP_CHOWN",
29 | "CAP_DAC_OVERRIDE",
30 | "CAP_FSETID",
31 | "CAP_FOWNER",
32 | "CAP_MKNOD",
33 | "CAP_NET_RAW",
34 | "CAP_SETGID",
35 | "CAP_SETUID",
36 | "CAP_SETFCAP",
37 | "CAP_SETPCAP",
38 | "CAP_NET_BIND_SERVICE",
39 | "CAP_SYS_CHROOT",
40 | "CAP_KILL",
41 | "CAP_AUDIT_WRITE"
42 | ],
43 | "effective": [
44 | "CAP_CHOWN",
45 | "CAP_DAC_OVERRIDE",
46 | "CAP_FSETID",
47 | "CAP_FOWNER",
48 | "CAP_MKNOD",
49 | "CAP_NET_RAW",
50 | "CAP_SETGID",
51 | "CAP_SETUID",
52 | "CAP_SETFCAP",
53 | "CAP_SETPCAP",
54 | "CAP_NET_BIND_SERVICE",
55 | "CAP_SYS_CHROOT",
56 | "CAP_KILL",
57 | "CAP_AUDIT_WRITE"
58 | ],
59 | "inheritable": [
60 | "CAP_CHOWN",
61 | "CAP_DAC_OVERRIDE",
62 | "CAP_FSETID",
63 | "CAP_FOWNER",
64 | "CAP_MKNOD",
65 | "CAP_NET_RAW",
66 | "CAP_SETGID",
67 | "CAP_SETUID",
68 | "CAP_SETFCAP",
69 | "CAP_SETPCAP",
70 | "CAP_NET_BIND_SERVICE",
71 | "CAP_SYS_CHROOT",
72 | "CAP_KILL",
73 | "CAP_AUDIT_WRITE"
74 | ],
75 | "permitted": [
76 | "CAP_CHOWN",
77 | "CAP_DAC_OVERRIDE",
78 | "CAP_FSETID",
79 | "CAP_FOWNER",
80 | "CAP_MKNOD",
81 | "CAP_NET_RAW",
82 | "CAP_SETGID",
83 | "CAP_SETUID",
84 | "CAP_SETFCAP",
85 | "CAP_SETPCAP",
86 | "CAP_NET_BIND_SERVICE",
87 | "CAP_SYS_CHROOT",
88 | "CAP_KILL",
89 | "CAP_AUDIT_WRITE"
90 | ],
91 | "ambient": [
92 | "CAP_CHOWN",
93 | "CAP_DAC_OVERRIDE",
94 | "CAP_FSETID",
95 | "CAP_FOWNER",
96 | "CAP_MKNOD",
97 | "CAP_NET_RAW",
98 | "CAP_SETGID",
99 | "CAP_SETUID",
100 | "CAP_SETFCAP",
101 | "CAP_SETPCAP",
102 | "CAP_NET_BIND_SERVICE",
103 | "CAP_SYS_CHROOT",
104 | "CAP_KILL",
105 | "CAP_AUDIT_WRITE"
106 | ]
107 | },
108 | "rlimits": [
109 | {
110 | "type": "RLIMIT_NOFILE",
111 | "hard": 1024,
112 | "soft": 1024
113 | }
114 | ]
115 | },
116 | "root": {
117 | "path": "rootfs"
118 | },
119 | "hostname": "mrsdalloway",
120 | "mounts": [
121 | {
122 | "destination": "/proc",
123 | "type": "proc",
124 | "source": "proc"
125 | },
126 | {
127 | "destination": "/dev",
128 | "type": "tmpfs",
129 | "source": "tmpfs",
130 | "options": [
131 | "nosuid",
132 | "strictatime",
133 | "mode=755",
134 | "size=65536k"
135 | ]
136 | },
137 | {
138 | "destination": "/dev/pts",
139 | "type": "devpts",
140 | "source": "devpts",
141 | "options": [
142 | "nosuid",
143 | "noexec",
144 | "newinstance",
145 | "ptmxmode=0666",
146 | "mode=0620",
147 | "gid=5"
148 | ]
149 | },
150 | {
151 | "destination": "/dev/shm",
152 | "type": "tmpfs",
153 | "source": "shm",
154 | "options": [
155 | "nosuid",
156 | "noexec",
157 | "nodev",
158 | "mode=1777",
159 | "size=65536k"
160 | ]
161 | },
162 | {
163 | "destination": "/dev/mqueue",
164 | "type": "mqueue",
165 | "source": "mqueue",
166 | "options": [
167 | "nosuid",
168 | "noexec",
169 | "nodev"
170 | ]
171 | },
172 | {
173 | "destination": "/sys",
174 | "type": "sysfs",
175 | "source": "sysfs",
176 | "options": [
177 | "nosuid",
178 | "noexec",
179 | "nodev",
180 | "ro"
181 | ]
182 | }
183 | ],
184 | "linux": {
185 | "resources": {
186 | "devices": [
187 | {
188 | "allow": false,
189 | "access": "rwm"
190 | }
191 | ]
192 | },
193 | "namespaces": [
194 | {
195 | "type": "pid"
196 | },
197 | {
198 | "type": "network"
199 | },
200 | {
201 | "type": "ipc"
202 | },
203 | {
204 | "type": "uts"
205 | },
206 | {
207 | "type": "mount"
208 | }
209 | ],
210 | "seccomp": {
211 | "defaultAction": "SCMP_ACT_ERRNO",
212 | "architectures": [
213 | "SCMP_ARCH_X86_64",
214 | "SCMP_ARCH_X86",
215 | "SCMP_ARCH_X32"
216 | ],
217 | "syscalls": [
218 | {
219 | "names": [
220 | "accept",
221 | "accept4",
222 | "access",
223 | "alarm",
224 | "bind",
225 | "brk",
226 | "capget",
227 | "capset",
228 | "chdir",
229 | "chmod",
230 | "chown",
231 | "chown32",
232 | "clock_getres",
233 | "clock_gettime",
234 | "clock_nanosleep",
235 | "close",
236 | "connect",
237 | "copy_file_range",
238 | "creat",
239 | "dup",
240 | "dup2",
241 | "dup3",
242 | "epoll_create",
243 | "epoll_create1",
244 | "epoll_ctl",
245 | "epoll_ctl_old",
246 | "epoll_pwait",
247 | "epoll_wait",
248 | "epoll_wait_old",
249 | "eventfd",
250 | "eventfd2",
251 | "execve",
252 | "execveat",
253 | "exit",
254 | "exit_group",
255 | "faccessat",
256 | "fadvise64",
257 | "fadvise64_64",
258 | "fallocate",
259 | "fanotify_mark",
260 | "fchdir",
261 | "fchmod",
262 | "fchmodat",
263 | "fchown",
264 | "fchown32",
265 | "fchownat",
266 | "fcntl",
267 | "fcntl64",
268 | "fdatasync",
269 | "fgetxattr",
270 | "flistxattr",
271 | "flock",
272 | "fork",
273 | "fremovexattr",
274 | "fsetxattr",
275 | "fstat",
276 | "fstat64",
277 | "fstatat64",
278 | "fstatfs",
279 | "fstatfs64",
280 | "fsync",
281 | "ftruncate",
282 | "ftruncate64",
283 | "futex",
284 | "futimesat",
285 | "getcpu",
286 | "getcwd",
287 | "getdents",
288 | "getdents64",
289 | "getegid",
290 | "getegid32",
291 | "geteuid",
292 | "geteuid32",
293 | "getgid",
294 | "getgid32",
295 | "getgroups",
296 | "getgroups32",
297 | "getitimer",
298 | "getpeername",
299 | "getpgid",
300 | "getpgrp",
301 | "getpid",
302 | "getppid",
303 | "getpriority",
304 | "getrandom",
305 | "getresgid",
306 | "getresgid32",
307 | "getresuid",
308 | "getresuid32",
309 | "getrlimit",
310 | "get_robust_list",
311 | "getrusage",
312 | "getsid",
313 | "getsockname",
314 | "getsockopt",
315 | "get_thread_area",
316 | "gettid",
317 | "gettimeofday",
318 | "getuid",
319 | "getuid32",
320 | "getxattr",
321 | "inotify_add_watch",
322 | "inotify_init",
323 | "inotify_init1",
324 | "inotify_rm_watch",
325 | "io_cancel",
326 | "ioctl",
327 | "io_destroy",
328 | "io_getevents",
329 | "ioprio_get",
330 | "ioprio_set",
331 | "io_setup",
332 | "io_submit",
333 | "ipc",
334 | "kill",
335 | "lchown",
336 | "lchown32",
337 | "lgetxattr",
338 | "link",
339 | "linkat",
340 | "listen",
341 | "listxattr",
342 | "llistxattr",
343 | "_llseek",
344 | "lremovexattr",
345 | "lseek",
346 | "lsetxattr",
347 | "lstat",
348 | "lstat64",
349 | "madvise",
350 | "memfd_create",
351 | "mincore",
352 | "mkdir",
353 | "mkdirat",
354 | "mknod",
355 | "mknodat",
356 | "mlock",
357 | "mlock2",
358 | "mlockall",
359 | "mmap",
360 | "mmap2",
361 | "mprotect",
362 | "mq_getsetattr",
363 | "mq_notify",
364 | "mq_open",
365 | "mq_timedreceive",
366 | "mq_timedsend",
367 | "mq_unlink",
368 | "mremap",
369 | "msgctl",
370 | "msgget",
371 | "msgrcv",
372 | "msgsnd",
373 | "msync",
374 | "munlock",
375 | "munlockall",
376 | "munmap",
377 | "nanosleep",
378 | "newfstatat",
379 | "_newselect",
380 | "open",
381 | "openat",
382 | "pause",
383 | "pipe",
384 | "pipe2",
385 | "poll",
386 | "ppoll",
387 | "prctl",
388 | "pread64",
389 | "preadv",
390 | "prlimit64",
391 | "pselect6",
392 | "pwrite64",
393 | "pwritev",
394 | "read",
395 | "readahead",
396 | "readlink",
397 | "readlinkat",
398 | "readv",
399 | "recv",
400 | "recvfrom",
401 | "recvmmsg",
402 | "recvmsg",
403 | "remap_file_pages",
404 | "removexattr",
405 | "rename",
406 | "renameat",
407 | "renameat2",
408 | "restart_syscall",
409 | "rmdir",
410 | "rt_sigaction",
411 | "rt_sigpending",
412 | "rt_sigprocmask",
413 | "rt_sigqueueinfo",
414 | "rt_sigreturn",
415 | "rt_sigsuspend",
416 | "rt_sigtimedwait",
417 | "rt_tgsigqueueinfo",
418 | "sched_getaffinity",
419 | "sched_getattr",
420 | "sched_getparam",
421 | "sched_get_priority_max",
422 | "sched_get_priority_min",
423 | "sched_getscheduler",
424 | "sched_rr_get_interval",
425 | "sched_setaffinity",
426 | "sched_setattr",
427 | "sched_setparam",
428 | "sched_setscheduler",
429 | "sched_yield",
430 | "seccomp",
431 | "select",
432 | "semctl",
433 | "semget",
434 | "semop",
435 | "semtimedop",
436 | "send",
437 | "sendfile",
438 | "sendfile64",
439 | "sendmmsg",
440 | "sendmsg",
441 | "sendto",
442 | "setfsgid",
443 | "setfsgid32",
444 | "setfsuid",
445 | "setfsuid32",
446 | "setgid",
447 | "setgid32",
448 | "setgroups",
449 | "setgroups32",
450 | "setitimer",
451 | "setpgid",
452 | "setpriority",
453 | "setregid",
454 | "setregid32",
455 | "setresgid",
456 | "setresgid32",
457 | "setresuid",
458 | "setresuid32",
459 | "setreuid",
460 | "setreuid32",
461 | "setrlimit",
462 | "set_robust_list",
463 | "setsid",
464 | "setsockopt",
465 | "set_thread_area",
466 | "set_tid_address",
467 | "setuid",
468 | "setuid32",
469 | "setxattr",
470 | "shmat",
471 | "shmctl",
472 | "shmdt",
473 | "shmget",
474 | "shutdown",
475 | "sigaltstack",
476 | "signalfd",
477 | "signalfd4",
478 | "sigreturn",
479 | "socket",
480 | "socketcall",
481 | "socketpair",
482 | "splice",
483 | "stat",
484 | "stat64",
485 | "statfs",
486 | "statfs64",
487 | "symlink",
488 | "symlinkat",
489 | "sync",
490 | "sync_file_range",
491 | "syncfs",
492 | "sysinfo",
493 | "syslog",
494 | "tee",
495 | "tgkill",
496 | "time",
497 | "timer_create",
498 | "timer_delete",
499 | "timerfd_create",
500 | "timerfd_gettime",
501 | "timerfd_settime",
502 | "timer_getoverrun",
503 | "timer_gettime",
504 | "timer_settime",
505 | "times",
506 | "tkill",
507 | "truncate",
508 | "truncate64",
509 | "ugetrlimit",
510 | "umask",
511 | "uname",
512 | "unlink",
513 | "unlinkat",
514 | "utime",
515 | "utimensat",
516 | "utimes",
517 | "vfork",
518 | "vmsplice",
519 | "wait4",
520 | "waitid",
521 | "waitpid",
522 | "write",
523 | "writev"
524 | ],
525 | "action": "SCMP_ACT_ALLOW",
526 | "args": [],
527 | "comment": ""
528 | },
529 | {
530 | "names": [
531 | "personality"
532 | ],
533 | "action": "SCMP_ACT_ALLOW",
534 | "args": [
535 | {
536 | "index": 0,
537 | "value": 0,
538 | "valueTwo": 0,
539 | "op": "SCMP_CMP_EQ"
540 | },
541 | {
542 | "index": 0,
543 | "value": 8,
544 | "valueTwo": 0,
545 | "op": "SCMP_CMP_EQ"
546 | },
547 | {
548 | "index": 0,
549 | "value": 4294967295,
550 | "valueTwo": 0,
551 | "op": "SCMP_CMP_EQ"
552 | }
553 | ],
554 | "comment": ""
555 | },
556 | {
557 | "names": [
558 | "chroot"
559 | ],
560 | "action": "SCMP_ACT_ALLOW",
561 | "args": [],
562 | "comment": ""
563 | },
564 | {
565 | "names": [
566 | "chroot"
567 | ],
568 | "action": "SCMP_ACT_ALLOW",
569 | "args": [],
570 | "comment": ""
571 | },
572 | {
573 | "names": [
574 | "chroot"
575 | ],
576 | "action": "SCMP_ACT_ALLOW",
577 | "args": [],
578 | "comment": ""
579 | },
580 | {
581 | "names": [
582 | "chroot"
583 | ],
584 | "action": "SCMP_ACT_ALLOW",
585 | "args": [],
586 | "comment": ""
587 | },
588 | {
589 | "names": [
590 | "chroot"
591 | ],
592 | "action": "SCMP_ACT_ALLOW",
593 | "args": [],
594 | "comment": ""
595 | },
596 | {
597 | "names": [
598 | "clone"
599 | ],
600 | "action": "SCMP_ACT_ALLOW",
601 | "args": [
602 | {
603 | "index": 0,
604 | "value": 2080505856,
605 | "valueTwo": 0,
606 | "op": "SCMP_CMP_MASKED_EQ"
607 | }
608 | ],
609 | "comment": ""
610 | },
611 | {
612 | "names": [
613 | "arch_prctl"
614 | ],
615 | "action": "SCMP_ACT_ALLOW",
616 | "args": [],
617 | "comment": ""
618 | },
619 | {
620 | "names": [
621 | "modify_ldt"
622 | ],
623 | "action": "SCMP_ACT_ALLOW",
624 | "args": [],
625 | "comment": ""
626 | }
627 | ]
628 | }
629 | }
630 | }
--------------------------------------------------------------------------------
/tests/mount-label.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | }
181 | ],
182 | "linux": {
183 | "resources": {
184 | "devices": [
185 | {
186 | "allow": false,
187 | "access": "rwm"
188 | }
189 | ]
190 | },
191 | "namespaces": [
192 | {
193 | "type": "pid"
194 | },
195 | {
196 | "type": "network"
197 | },
198 | {
199 | "type": "ipc"
200 | },
201 | {
202 | "type": "uts"
203 | },
204 | {
205 | "type": "mount"
206 | }
207 | ],
208 | "seccomp": {
209 | "defaultAction": "SCMP_ACT_ERRNO",
210 | "architectures": [
211 | "SCMP_ARCH_X86_64",
212 | "SCMP_ARCH_X86",
213 | "SCMP_ARCH_X32"
214 | ],
215 | "syscalls": [
216 | {
217 | "names": [
218 | "accept",
219 | "accept4",
220 | "access",
221 | "alarm",
222 | "bind",
223 | "brk",
224 | "capget",
225 | "capset",
226 | "chdir",
227 | "chmod",
228 | "chown",
229 | "chown32",
230 | "clock_getres",
231 | "clock_gettime",
232 | "clock_nanosleep",
233 | "close",
234 | "connect",
235 | "copy_file_range",
236 | "creat",
237 | "dup",
238 | "dup2",
239 | "dup3",
240 | "epoll_create",
241 | "epoll_create1",
242 | "epoll_ctl",
243 | "epoll_ctl_old",
244 | "epoll_pwait",
245 | "epoll_wait",
246 | "epoll_wait_old",
247 | "eventfd",
248 | "eventfd2",
249 | "execve",
250 | "execveat",
251 | "exit",
252 | "exit_group",
253 | "faccessat",
254 | "fadvise64",
255 | "fadvise64_64",
256 | "fallocate",
257 | "fanotify_mark",
258 | "fchdir",
259 | "fchmod",
260 | "fchmodat",
261 | "fchown",
262 | "fchown32",
263 | "fchownat",
264 | "fcntl",
265 | "fcntl64",
266 | "fdatasync",
267 | "fgetxattr",
268 | "flistxattr",
269 | "flock",
270 | "fork",
271 | "fremovexattr",
272 | "fsetxattr",
273 | "fstat",
274 | "fstat64",
275 | "fstatat64",
276 | "fstatfs",
277 | "fstatfs64",
278 | "fsync",
279 | "ftruncate",
280 | "ftruncate64",
281 | "futex",
282 | "futimesat",
283 | "getcpu",
284 | "getcwd",
285 | "getdents",
286 | "getdents64",
287 | "getegid",
288 | "getegid32",
289 | "geteuid",
290 | "geteuid32",
291 | "getgid",
292 | "getgid32",
293 | "getgroups",
294 | "getgroups32",
295 | "getitimer",
296 | "getpeername",
297 | "getpgid",
298 | "getpgrp",
299 | "getpid",
300 | "getppid",
301 | "getpriority",
302 | "getrandom",
303 | "getresgid",
304 | "getresgid32",
305 | "getresuid",
306 | "getresuid32",
307 | "getrlimit",
308 | "get_robust_list",
309 | "getrusage",
310 | "getsid",
311 | "getsockname",
312 | "getsockopt",
313 | "get_thread_area",
314 | "gettid",
315 | "gettimeofday",
316 | "getuid",
317 | "getuid32",
318 | "getxattr",
319 | "inotify_add_watch",
320 | "inotify_init",
321 | "inotify_init1",
322 | "inotify_rm_watch",
323 | "io_cancel",
324 | "ioctl",
325 | "io_destroy",
326 | "io_getevents",
327 | "ioprio_get",
328 | "ioprio_set",
329 | "io_setup",
330 | "io_submit",
331 | "ipc",
332 | "kill",
333 | "lchown",
334 | "lchown32",
335 | "lgetxattr",
336 | "link",
337 | "linkat",
338 | "listen",
339 | "listxattr",
340 | "llistxattr",
341 | "_llseek",
342 | "lremovexattr",
343 | "lseek",
344 | "lsetxattr",
345 | "lstat",
346 | "lstat64",
347 | "madvise",
348 | "memfd_create",
349 | "mincore",
350 | "mkdir",
351 | "mkdirat",
352 | "mknod",
353 | "mknodat",
354 | "mlock",
355 | "mlock2",
356 | "mlockall",
357 | "mmap",
358 | "mmap2",
359 | "mprotect",
360 | "mq_getsetattr",
361 | "mq_notify",
362 | "mq_open",
363 | "mq_timedreceive",
364 | "mq_timedsend",
365 | "mq_unlink",
366 | "mremap",
367 | "msgctl",
368 | "msgget",
369 | "msgrcv",
370 | "msgsnd",
371 | "msync",
372 | "munlock",
373 | "munlockall",
374 | "munmap",
375 | "nanosleep",
376 | "newfstatat",
377 | "_newselect",
378 | "open",
379 | "openat",
380 | "pause",
381 | "pipe",
382 | "pipe2",
383 | "poll",
384 | "ppoll",
385 | "prctl",
386 | "pread64",
387 | "preadv",
388 | "prlimit64",
389 | "pselect6",
390 | "pwrite64",
391 | "pwritev",
392 | "read",
393 | "readahead",
394 | "readlink",
395 | "readlinkat",
396 | "readv",
397 | "recv",
398 | "recvfrom",
399 | "recvmmsg",
400 | "recvmsg",
401 | "remap_file_pages",
402 | "removexattr",
403 | "rename",
404 | "renameat",
405 | "renameat2",
406 | "restart_syscall",
407 | "rmdir",
408 | "rt_sigaction",
409 | "rt_sigpending",
410 | "rt_sigprocmask",
411 | "rt_sigqueueinfo",
412 | "rt_sigreturn",
413 | "rt_sigsuspend",
414 | "rt_sigtimedwait",
415 | "rt_tgsigqueueinfo",
416 | "sched_getaffinity",
417 | "sched_getattr",
418 | "sched_getparam",
419 | "sched_get_priority_max",
420 | "sched_get_priority_min",
421 | "sched_getscheduler",
422 | "sched_rr_get_interval",
423 | "sched_setaffinity",
424 | "sched_setattr",
425 | "sched_setparam",
426 | "sched_setscheduler",
427 | "sched_yield",
428 | "seccomp",
429 | "select",
430 | "semctl",
431 | "semget",
432 | "semop",
433 | "semtimedop",
434 | "send",
435 | "sendfile",
436 | "sendfile64",
437 | "sendmmsg",
438 | "sendmsg",
439 | "sendto",
440 | "setfsgid",
441 | "setfsgid32",
442 | "setfsuid",
443 | "setfsuid32",
444 | "setgid",
445 | "setgid32",
446 | "setgroups",
447 | "setgroups32",
448 | "setitimer",
449 | "setpgid",
450 | "setpriority",
451 | "setregid",
452 | "setregid32",
453 | "setresgid",
454 | "setresgid32",
455 | "setresuid",
456 | "setresuid32",
457 | "setreuid",
458 | "setreuid32",
459 | "setrlimit",
460 | "set_robust_list",
461 | "setsid",
462 | "setsockopt",
463 | "set_thread_area",
464 | "set_tid_address",
465 | "setuid",
466 | "setuid32",
467 | "setxattr",
468 | "shmat",
469 | "shmctl",
470 | "shmdt",
471 | "shmget",
472 | "shutdown",
473 | "sigaltstack",
474 | "signalfd",
475 | "signalfd4",
476 | "sigreturn",
477 | "socket",
478 | "socketcall",
479 | "socketpair",
480 | "splice",
481 | "stat",
482 | "stat64",
483 | "statfs",
484 | "statfs64",
485 | "symlink",
486 | "symlinkat",
487 | "sync",
488 | "sync_file_range",
489 | "syncfs",
490 | "sysinfo",
491 | "syslog",
492 | "tee",
493 | "tgkill",
494 | "time",
495 | "timer_create",
496 | "timer_delete",
497 | "timerfd_create",
498 | "timerfd_gettime",
499 | "timerfd_settime",
500 | "timer_getoverrun",
501 | "timer_gettime",
502 | "timer_settime",
503 | "times",
504 | "tkill",
505 | "truncate",
506 | "truncate64",
507 | "ugetrlimit",
508 | "umask",
509 | "uname",
510 | "unlink",
511 | "unlinkat",
512 | "utime",
513 | "utimensat",
514 | "utimes",
515 | "vfork",
516 | "vmsplice",
517 | "wait4",
518 | "waitid",
519 | "waitpid",
520 | "write",
521 | "writev"
522 | ],
523 | "action": "SCMP_ACT_ALLOW",
524 | "args": [],
525 | "comment": ""
526 | },
527 | {
528 | "names": [
529 | "personality"
530 | ],
531 | "action": "SCMP_ACT_ALLOW",
532 | "args": [
533 | {
534 | "index": 0,
535 | "value": 0,
536 | "valueTwo": 0,
537 | "op": "SCMP_CMP_EQ"
538 | },
539 | {
540 | "index": 0,
541 | "value": 8,
542 | "valueTwo": 0,
543 | "op": "SCMP_CMP_EQ"
544 | },
545 | {
546 | "index": 0,
547 | "value": 4294967295,
548 | "valueTwo": 0,
549 | "op": "SCMP_CMP_EQ"
550 | }
551 | ],
552 | "comment": ""
553 | },
554 | {
555 | "names": [
556 | "chroot"
557 | ],
558 | "action": "SCMP_ACT_ALLOW",
559 | "args": [],
560 | "comment": ""
561 | },
562 | {
563 | "names": [
564 | "chroot"
565 | ],
566 | "action": "SCMP_ACT_ALLOW",
567 | "args": [],
568 | "comment": ""
569 | },
570 | {
571 | "names": [
572 | "chroot"
573 | ],
574 | "action": "SCMP_ACT_ALLOW",
575 | "args": [],
576 | "comment": ""
577 | },
578 | {
579 | "names": [
580 | "chroot"
581 | ],
582 | "action": "SCMP_ACT_ALLOW",
583 | "args": [],
584 | "comment": ""
585 | },
586 | {
587 | "names": [
588 | "chroot"
589 | ],
590 | "action": "SCMP_ACT_ALLOW",
591 | "args": [],
592 | "comment": ""
593 | },
594 | {
595 | "names": [
596 | "clone"
597 | ],
598 | "action": "SCMP_ACT_ALLOW",
599 | "args": [
600 | {
601 | "index": 0,
602 | "value": 2080505856,
603 | "valueTwo": 0,
604 | "op": "SCMP_CMP_MASKED_EQ"
605 | }
606 | ],
607 | "comment": ""
608 | },
609 | {
610 | "names": [
611 | "arch_prctl"
612 | ],
613 | "action": "SCMP_ACT_ALLOW",
614 | "args": [],
615 | "comment": ""
616 | },
617 | {
618 | "names": [
619 | "modify_ldt"
620 | ],
621 | "action": "SCMP_ACT_ALLOW",
622 | "args": [],
623 | "comment": ""
624 | }
625 | ]
626 | },
627 | "mountLabel": "foo"
628 | }
629 | }
--------------------------------------------------------------------------------
/tests/label.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ],
113 | "selinuxLabel": "unconfined_u:object_r:user_home_t:s1"
114 | },
115 | "root": {
116 | "path": "rootfs"
117 | },
118 | "hostname": "mrsdalloway",
119 | "mounts": [
120 | {
121 | "destination": "/proc",
122 | "type": "proc",
123 | "source": "proc"
124 | },
125 | {
126 | "destination": "/dev",
127 | "type": "tmpfs",
128 | "source": "tmpfs",
129 | "options": [
130 | "nosuid",
131 | "strictatime",
132 | "mode=755",
133 | "size=65536k"
134 | ]
135 | },
136 | {
137 | "destination": "/dev/pts",
138 | "type": "devpts",
139 | "source": "devpts",
140 | "options": [
141 | "nosuid",
142 | "noexec",
143 | "newinstance",
144 | "ptmxmode=0666",
145 | "mode=0620",
146 | "gid=5"
147 | ]
148 | },
149 | {
150 | "destination": "/dev/shm",
151 | "type": "tmpfs",
152 | "source": "shm",
153 | "options": [
154 | "nosuid",
155 | "noexec",
156 | "nodev",
157 | "mode=1777",
158 | "size=65536k"
159 | ]
160 | },
161 | {
162 | "destination": "/dev/mqueue",
163 | "type": "mqueue",
164 | "source": "mqueue",
165 | "options": [
166 | "nosuid",
167 | "noexec",
168 | "nodev"
169 | ]
170 | },
171 | {
172 | "destination": "/sys",
173 | "type": "sysfs",
174 | "source": "sysfs",
175 | "options": [
176 | "nosuid",
177 | "noexec",
178 | "nodev",
179 | "ro"
180 | ]
181 | }
182 | ],
183 | "linux": {
184 | "resources": {
185 | "devices": [
186 | {
187 | "allow": false,
188 | "access": "rwm"
189 | }
190 | ]
191 | },
192 | "namespaces": [
193 | {
194 | "type": "pid"
195 | },
196 | {
197 | "type": "network"
198 | },
199 | {
200 | "type": "ipc"
201 | },
202 | {
203 | "type": "uts"
204 | },
205 | {
206 | "type": "mount"
207 | }
208 | ],
209 | "seccomp": {
210 | "defaultAction": "SCMP_ACT_ERRNO",
211 | "architectures": [
212 | "SCMP_ARCH_X86_64",
213 | "SCMP_ARCH_X86",
214 | "SCMP_ARCH_X32"
215 | ],
216 | "syscalls": [
217 | {
218 | "names": [
219 | "accept",
220 | "accept4",
221 | "access",
222 | "alarm",
223 | "bind",
224 | "brk",
225 | "capget",
226 | "capset",
227 | "chdir",
228 | "chmod",
229 | "chown",
230 | "chown32",
231 | "clock_getres",
232 | "clock_gettime",
233 | "clock_nanosleep",
234 | "close",
235 | "connect",
236 | "copy_file_range",
237 | "creat",
238 | "dup",
239 | "dup2",
240 | "dup3",
241 | "epoll_create",
242 | "epoll_create1",
243 | "epoll_ctl",
244 | "epoll_ctl_old",
245 | "epoll_pwait",
246 | "epoll_wait",
247 | "epoll_wait_old",
248 | "eventfd",
249 | "eventfd2",
250 | "execve",
251 | "execveat",
252 | "exit",
253 | "exit_group",
254 | "faccessat",
255 | "fadvise64",
256 | "fadvise64_64",
257 | "fallocate",
258 | "fanotify_mark",
259 | "fchdir",
260 | "fchmod",
261 | "fchmodat",
262 | "fchown",
263 | "fchown32",
264 | "fchownat",
265 | "fcntl",
266 | "fcntl64",
267 | "fdatasync",
268 | "fgetxattr",
269 | "flistxattr",
270 | "flock",
271 | "fork",
272 | "fremovexattr",
273 | "fsetxattr",
274 | "fstat",
275 | "fstat64",
276 | "fstatat64",
277 | "fstatfs",
278 | "fstatfs64",
279 | "fsync",
280 | "ftruncate",
281 | "ftruncate64",
282 | "futex",
283 | "futimesat",
284 | "getcpu",
285 | "getcwd",
286 | "getdents",
287 | "getdents64",
288 | "getegid",
289 | "getegid32",
290 | "geteuid",
291 | "geteuid32",
292 | "getgid",
293 | "getgid32",
294 | "getgroups",
295 | "getgroups32",
296 | "getitimer",
297 | "getpeername",
298 | "getpgid",
299 | "getpgrp",
300 | "getpid",
301 | "getppid",
302 | "getpriority",
303 | "getrandom",
304 | "getresgid",
305 | "getresgid32",
306 | "getresuid",
307 | "getresuid32",
308 | "getrlimit",
309 | "get_robust_list",
310 | "getrusage",
311 | "getsid",
312 | "getsockname",
313 | "getsockopt",
314 | "get_thread_area",
315 | "gettid",
316 | "gettimeofday",
317 | "getuid",
318 | "getuid32",
319 | "getxattr",
320 | "inotify_add_watch",
321 | "inotify_init",
322 | "inotify_init1",
323 | "inotify_rm_watch",
324 | "io_cancel",
325 | "ioctl",
326 | "io_destroy",
327 | "io_getevents",
328 | "ioprio_get",
329 | "ioprio_set",
330 | "io_setup",
331 | "io_submit",
332 | "ipc",
333 | "kill",
334 | "lchown",
335 | "lchown32",
336 | "lgetxattr",
337 | "link",
338 | "linkat",
339 | "listen",
340 | "listxattr",
341 | "llistxattr",
342 | "_llseek",
343 | "lremovexattr",
344 | "lseek",
345 | "lsetxattr",
346 | "lstat",
347 | "lstat64",
348 | "madvise",
349 | "memfd_create",
350 | "mincore",
351 | "mkdir",
352 | "mkdirat",
353 | "mknod",
354 | "mknodat",
355 | "mlock",
356 | "mlock2",
357 | "mlockall",
358 | "mmap",
359 | "mmap2",
360 | "mprotect",
361 | "mq_getsetattr",
362 | "mq_notify",
363 | "mq_open",
364 | "mq_timedreceive",
365 | "mq_timedsend",
366 | "mq_unlink",
367 | "mremap",
368 | "msgctl",
369 | "msgget",
370 | "msgrcv",
371 | "msgsnd",
372 | "msync",
373 | "munlock",
374 | "munlockall",
375 | "munmap",
376 | "nanosleep",
377 | "newfstatat",
378 | "_newselect",
379 | "open",
380 | "openat",
381 | "pause",
382 | "pipe",
383 | "pipe2",
384 | "poll",
385 | "ppoll",
386 | "prctl",
387 | "pread64",
388 | "preadv",
389 | "prlimit64",
390 | "pselect6",
391 | "pwrite64",
392 | "pwritev",
393 | "read",
394 | "readahead",
395 | "readlink",
396 | "readlinkat",
397 | "readv",
398 | "recv",
399 | "recvfrom",
400 | "recvmmsg",
401 | "recvmsg",
402 | "remap_file_pages",
403 | "removexattr",
404 | "rename",
405 | "renameat",
406 | "renameat2",
407 | "restart_syscall",
408 | "rmdir",
409 | "rt_sigaction",
410 | "rt_sigpending",
411 | "rt_sigprocmask",
412 | "rt_sigqueueinfo",
413 | "rt_sigreturn",
414 | "rt_sigsuspend",
415 | "rt_sigtimedwait",
416 | "rt_tgsigqueueinfo",
417 | "sched_getaffinity",
418 | "sched_getattr",
419 | "sched_getparam",
420 | "sched_get_priority_max",
421 | "sched_get_priority_min",
422 | "sched_getscheduler",
423 | "sched_rr_get_interval",
424 | "sched_setaffinity",
425 | "sched_setattr",
426 | "sched_setparam",
427 | "sched_setscheduler",
428 | "sched_yield",
429 | "seccomp",
430 | "select",
431 | "semctl",
432 | "semget",
433 | "semop",
434 | "semtimedop",
435 | "send",
436 | "sendfile",
437 | "sendfile64",
438 | "sendmmsg",
439 | "sendmsg",
440 | "sendto",
441 | "setfsgid",
442 | "setfsgid32",
443 | "setfsuid",
444 | "setfsuid32",
445 | "setgid",
446 | "setgid32",
447 | "setgroups",
448 | "setgroups32",
449 | "setitimer",
450 | "setpgid",
451 | "setpriority",
452 | "setregid",
453 | "setregid32",
454 | "setresgid",
455 | "setresgid32",
456 | "setresuid",
457 | "setresuid32",
458 | "setreuid",
459 | "setreuid32",
460 | "setrlimit",
461 | "set_robust_list",
462 | "setsid",
463 | "setsockopt",
464 | "set_thread_area",
465 | "set_tid_address",
466 | "setuid",
467 | "setuid32",
468 | "setxattr",
469 | "shmat",
470 | "shmctl",
471 | "shmdt",
472 | "shmget",
473 | "shutdown",
474 | "sigaltstack",
475 | "signalfd",
476 | "signalfd4",
477 | "sigreturn",
478 | "socket",
479 | "socketcall",
480 | "socketpair",
481 | "splice",
482 | "stat",
483 | "stat64",
484 | "statfs",
485 | "statfs64",
486 | "symlink",
487 | "symlinkat",
488 | "sync",
489 | "sync_file_range",
490 | "syncfs",
491 | "sysinfo",
492 | "syslog",
493 | "tee",
494 | "tgkill",
495 | "time",
496 | "timer_create",
497 | "timer_delete",
498 | "timerfd_create",
499 | "timerfd_gettime",
500 | "timerfd_settime",
501 | "timer_getoverrun",
502 | "timer_gettime",
503 | "timer_settime",
504 | "times",
505 | "tkill",
506 | "truncate",
507 | "truncate64",
508 | "ugetrlimit",
509 | "umask",
510 | "uname",
511 | "unlink",
512 | "unlinkat",
513 | "utime",
514 | "utimensat",
515 | "utimes",
516 | "vfork",
517 | "vmsplice",
518 | "wait4",
519 | "waitid",
520 | "waitpid",
521 | "write",
522 | "writev"
523 | ],
524 | "action": "SCMP_ACT_ALLOW",
525 | "args": [],
526 | "comment": ""
527 | },
528 | {
529 | "names": [
530 | "personality"
531 | ],
532 | "action": "SCMP_ACT_ALLOW",
533 | "args": [
534 | {
535 | "index": 0,
536 | "value": 0,
537 | "valueTwo": 0,
538 | "op": "SCMP_CMP_EQ"
539 | },
540 | {
541 | "index": 0,
542 | "value": 8,
543 | "valueTwo": 0,
544 | "op": "SCMP_CMP_EQ"
545 | },
546 | {
547 | "index": 0,
548 | "value": 4294967295,
549 | "valueTwo": 0,
550 | "op": "SCMP_CMP_EQ"
551 | }
552 | ],
553 | "comment": ""
554 | },
555 | {
556 | "names": [
557 | "chroot"
558 | ],
559 | "action": "SCMP_ACT_ALLOW",
560 | "args": [],
561 | "comment": ""
562 | },
563 | {
564 | "names": [
565 | "chroot"
566 | ],
567 | "action": "SCMP_ACT_ALLOW",
568 | "args": [],
569 | "comment": ""
570 | },
571 | {
572 | "names": [
573 | "chroot"
574 | ],
575 | "action": "SCMP_ACT_ALLOW",
576 | "args": [],
577 | "comment": ""
578 | },
579 | {
580 | "names": [
581 | "chroot"
582 | ],
583 | "action": "SCMP_ACT_ALLOW",
584 | "args": [],
585 | "comment": ""
586 | },
587 | {
588 | "names": [
589 | "chroot"
590 | ],
591 | "action": "SCMP_ACT_ALLOW",
592 | "args": [],
593 | "comment": ""
594 | },
595 | {
596 | "names": [
597 | "clone"
598 | ],
599 | "action": "SCMP_ACT_ALLOW",
600 | "args": [
601 | {
602 | "index": 0,
603 | "value": 2080505856,
604 | "valueTwo": 0,
605 | "op": "SCMP_CMP_MASKED_EQ"
606 | }
607 | ],
608 | "comment": ""
609 | },
610 | {
611 | "names": [
612 | "arch_prctl"
613 | ],
614 | "action": "SCMP_ACT_ALLOW",
615 | "args": [],
616 | "comment": ""
617 | },
618 | {
619 | "names": [
620 | "modify_ldt"
621 | ],
622 | "action": "SCMP_ACT_ALLOW",
623 | "args": [],
624 | "comment": ""
625 | }
626 | ]
627 | }
628 | }
629 | }
--------------------------------------------------------------------------------
/tests/bind.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | },
181 | {
182 | "destination": "bar",
183 | "type": "bind",
184 | "source": "foo",
185 | "options": [
186 | "rw",
187 | "bind"
188 | ]
189 | }
190 | ],
191 | "linux": {
192 | "resources": {
193 | "devices": [
194 | {
195 | "allow": false,
196 | "access": "rwm"
197 | }
198 | ]
199 | },
200 | "namespaces": [
201 | {
202 | "type": "pid"
203 | },
204 | {
205 | "type": "network"
206 | },
207 | {
208 | "type": "ipc"
209 | },
210 | {
211 | "type": "uts"
212 | },
213 | {
214 | "type": "mount"
215 | }
216 | ],
217 | "seccomp": {
218 | "defaultAction": "SCMP_ACT_ERRNO",
219 | "architectures": [
220 | "SCMP_ARCH_X86_64",
221 | "SCMP_ARCH_X86",
222 | "SCMP_ARCH_X32"
223 | ],
224 | "syscalls": [
225 | {
226 | "names": [
227 | "accept",
228 | "accept4",
229 | "access",
230 | "alarm",
231 | "bind",
232 | "brk",
233 | "capget",
234 | "capset",
235 | "chdir",
236 | "chmod",
237 | "chown",
238 | "chown32",
239 | "clock_getres",
240 | "clock_gettime",
241 | "clock_nanosleep",
242 | "close",
243 | "connect",
244 | "copy_file_range",
245 | "creat",
246 | "dup",
247 | "dup2",
248 | "dup3",
249 | "epoll_create",
250 | "epoll_create1",
251 | "epoll_ctl",
252 | "epoll_ctl_old",
253 | "epoll_pwait",
254 | "epoll_wait",
255 | "epoll_wait_old",
256 | "eventfd",
257 | "eventfd2",
258 | "execve",
259 | "execveat",
260 | "exit",
261 | "exit_group",
262 | "faccessat",
263 | "fadvise64",
264 | "fadvise64_64",
265 | "fallocate",
266 | "fanotify_mark",
267 | "fchdir",
268 | "fchmod",
269 | "fchmodat",
270 | "fchown",
271 | "fchown32",
272 | "fchownat",
273 | "fcntl",
274 | "fcntl64",
275 | "fdatasync",
276 | "fgetxattr",
277 | "flistxattr",
278 | "flock",
279 | "fork",
280 | "fremovexattr",
281 | "fsetxattr",
282 | "fstat",
283 | "fstat64",
284 | "fstatat64",
285 | "fstatfs",
286 | "fstatfs64",
287 | "fsync",
288 | "ftruncate",
289 | "ftruncate64",
290 | "futex",
291 | "futimesat",
292 | "getcpu",
293 | "getcwd",
294 | "getdents",
295 | "getdents64",
296 | "getegid",
297 | "getegid32",
298 | "geteuid",
299 | "geteuid32",
300 | "getgid",
301 | "getgid32",
302 | "getgroups",
303 | "getgroups32",
304 | "getitimer",
305 | "getpeername",
306 | "getpgid",
307 | "getpgrp",
308 | "getpid",
309 | "getppid",
310 | "getpriority",
311 | "getrandom",
312 | "getresgid",
313 | "getresgid32",
314 | "getresuid",
315 | "getresuid32",
316 | "getrlimit",
317 | "get_robust_list",
318 | "getrusage",
319 | "getsid",
320 | "getsockname",
321 | "getsockopt",
322 | "get_thread_area",
323 | "gettid",
324 | "gettimeofday",
325 | "getuid",
326 | "getuid32",
327 | "getxattr",
328 | "inotify_add_watch",
329 | "inotify_init",
330 | "inotify_init1",
331 | "inotify_rm_watch",
332 | "io_cancel",
333 | "ioctl",
334 | "io_destroy",
335 | "io_getevents",
336 | "ioprio_get",
337 | "ioprio_set",
338 | "io_setup",
339 | "io_submit",
340 | "ipc",
341 | "kill",
342 | "lchown",
343 | "lchown32",
344 | "lgetxattr",
345 | "link",
346 | "linkat",
347 | "listen",
348 | "listxattr",
349 | "llistxattr",
350 | "_llseek",
351 | "lremovexattr",
352 | "lseek",
353 | "lsetxattr",
354 | "lstat",
355 | "lstat64",
356 | "madvise",
357 | "memfd_create",
358 | "mincore",
359 | "mkdir",
360 | "mkdirat",
361 | "mknod",
362 | "mknodat",
363 | "mlock",
364 | "mlock2",
365 | "mlockall",
366 | "mmap",
367 | "mmap2",
368 | "mprotect",
369 | "mq_getsetattr",
370 | "mq_notify",
371 | "mq_open",
372 | "mq_timedreceive",
373 | "mq_timedsend",
374 | "mq_unlink",
375 | "mremap",
376 | "msgctl",
377 | "msgget",
378 | "msgrcv",
379 | "msgsnd",
380 | "msync",
381 | "munlock",
382 | "munlockall",
383 | "munmap",
384 | "nanosleep",
385 | "newfstatat",
386 | "_newselect",
387 | "open",
388 | "openat",
389 | "pause",
390 | "pipe",
391 | "pipe2",
392 | "poll",
393 | "ppoll",
394 | "prctl",
395 | "pread64",
396 | "preadv",
397 | "prlimit64",
398 | "pselect6",
399 | "pwrite64",
400 | "pwritev",
401 | "read",
402 | "readahead",
403 | "readlink",
404 | "readlinkat",
405 | "readv",
406 | "recv",
407 | "recvfrom",
408 | "recvmmsg",
409 | "recvmsg",
410 | "remap_file_pages",
411 | "removexattr",
412 | "rename",
413 | "renameat",
414 | "renameat2",
415 | "restart_syscall",
416 | "rmdir",
417 | "rt_sigaction",
418 | "rt_sigpending",
419 | "rt_sigprocmask",
420 | "rt_sigqueueinfo",
421 | "rt_sigreturn",
422 | "rt_sigsuspend",
423 | "rt_sigtimedwait",
424 | "rt_tgsigqueueinfo",
425 | "sched_getaffinity",
426 | "sched_getattr",
427 | "sched_getparam",
428 | "sched_get_priority_max",
429 | "sched_get_priority_min",
430 | "sched_getscheduler",
431 | "sched_rr_get_interval",
432 | "sched_setaffinity",
433 | "sched_setattr",
434 | "sched_setparam",
435 | "sched_setscheduler",
436 | "sched_yield",
437 | "seccomp",
438 | "select",
439 | "semctl",
440 | "semget",
441 | "semop",
442 | "semtimedop",
443 | "send",
444 | "sendfile",
445 | "sendfile64",
446 | "sendmmsg",
447 | "sendmsg",
448 | "sendto",
449 | "setfsgid",
450 | "setfsgid32",
451 | "setfsuid",
452 | "setfsuid32",
453 | "setgid",
454 | "setgid32",
455 | "setgroups",
456 | "setgroups32",
457 | "setitimer",
458 | "setpgid",
459 | "setpriority",
460 | "setregid",
461 | "setregid32",
462 | "setresgid",
463 | "setresgid32",
464 | "setresuid",
465 | "setresuid32",
466 | "setreuid",
467 | "setreuid32",
468 | "setrlimit",
469 | "set_robust_list",
470 | "setsid",
471 | "setsockopt",
472 | "set_thread_area",
473 | "set_tid_address",
474 | "setuid",
475 | "setuid32",
476 | "setxattr",
477 | "shmat",
478 | "shmctl",
479 | "shmdt",
480 | "shmget",
481 | "shutdown",
482 | "sigaltstack",
483 | "signalfd",
484 | "signalfd4",
485 | "sigreturn",
486 | "socket",
487 | "socketcall",
488 | "socketpair",
489 | "splice",
490 | "stat",
491 | "stat64",
492 | "statfs",
493 | "statfs64",
494 | "symlink",
495 | "symlinkat",
496 | "sync",
497 | "sync_file_range",
498 | "syncfs",
499 | "sysinfo",
500 | "syslog",
501 | "tee",
502 | "tgkill",
503 | "time",
504 | "timer_create",
505 | "timer_delete",
506 | "timerfd_create",
507 | "timerfd_gettime",
508 | "timerfd_settime",
509 | "timer_getoverrun",
510 | "timer_gettime",
511 | "timer_settime",
512 | "times",
513 | "tkill",
514 | "truncate",
515 | "truncate64",
516 | "ugetrlimit",
517 | "umask",
518 | "uname",
519 | "unlink",
520 | "unlinkat",
521 | "utime",
522 | "utimensat",
523 | "utimes",
524 | "vfork",
525 | "vmsplice",
526 | "wait4",
527 | "waitid",
528 | "waitpid",
529 | "write",
530 | "writev"
531 | ],
532 | "action": "SCMP_ACT_ALLOW",
533 | "args": [],
534 | "comment": ""
535 | },
536 | {
537 | "names": [
538 | "personality"
539 | ],
540 | "action": "SCMP_ACT_ALLOW",
541 | "args": [
542 | {
543 | "index": 0,
544 | "value": 0,
545 | "valueTwo": 0,
546 | "op": "SCMP_CMP_EQ"
547 | },
548 | {
549 | "index": 0,
550 | "value": 8,
551 | "valueTwo": 0,
552 | "op": "SCMP_CMP_EQ"
553 | },
554 | {
555 | "index": 0,
556 | "value": 4294967295,
557 | "valueTwo": 0,
558 | "op": "SCMP_CMP_EQ"
559 | }
560 | ],
561 | "comment": ""
562 | },
563 | {
564 | "names": [
565 | "chroot"
566 | ],
567 | "action": "SCMP_ACT_ALLOW",
568 | "args": [],
569 | "comment": ""
570 | },
571 | {
572 | "names": [
573 | "chroot"
574 | ],
575 | "action": "SCMP_ACT_ALLOW",
576 | "args": [],
577 | "comment": ""
578 | },
579 | {
580 | "names": [
581 | "chroot"
582 | ],
583 | "action": "SCMP_ACT_ALLOW",
584 | "args": [],
585 | "comment": ""
586 | },
587 | {
588 | "names": [
589 | "chroot"
590 | ],
591 | "action": "SCMP_ACT_ALLOW",
592 | "args": [],
593 | "comment": ""
594 | },
595 | {
596 | "names": [
597 | "chroot"
598 | ],
599 | "action": "SCMP_ACT_ALLOW",
600 | "args": [],
601 | "comment": ""
602 | },
603 | {
604 | "names": [
605 | "clone"
606 | ],
607 | "action": "SCMP_ACT_ALLOW",
608 | "args": [
609 | {
610 | "index": 0,
611 | "value": 2080505856,
612 | "valueTwo": 0,
613 | "op": "SCMP_CMP_MASKED_EQ"
614 | }
615 | ],
616 | "comment": ""
617 | },
618 | {
619 | "names": [
620 | "arch_prctl"
621 | ],
622 | "action": "SCMP_ACT_ALLOW",
623 | "args": [],
624 | "comment": ""
625 | },
626 | {
627 | "names": [
628 | "modify_ldt"
629 | ],
630 | "action": "SCMP_ACT_ALLOW",
631 | "args": [],
632 | "comment": ""
633 | }
634 | ]
635 | }
636 | }
637 | }
--------------------------------------------------------------------------------
/tests/mount.conf:
--------------------------------------------------------------------------------
1 | {
2 | "ociVersion": "1.0.0-rc5",
3 | "platform": {
4 | "os": "linux",
5 | "arch": "amd64"
6 | },
7 | "process": {
8 | "consoleSize": {
9 | "height": 0,
10 | "width": 0
11 | },
12 | "user": {
13 | "uid": 0,
14 | "gid": 0
15 | },
16 | "args": [
17 | "sh"
18 | ],
19 | "env": [
20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
21 | "TERM=xterm"
22 | ],
23 | "cwd": "/",
24 | "capabilities": {
25 | "bounding": [
26 | "CAP_CHOWN",
27 | "CAP_DAC_OVERRIDE",
28 | "CAP_FSETID",
29 | "CAP_FOWNER",
30 | "CAP_MKNOD",
31 | "CAP_NET_RAW",
32 | "CAP_SETGID",
33 | "CAP_SETUID",
34 | "CAP_SETFCAP",
35 | "CAP_SETPCAP",
36 | "CAP_NET_BIND_SERVICE",
37 | "CAP_SYS_CHROOT",
38 | "CAP_KILL",
39 | "CAP_AUDIT_WRITE"
40 | ],
41 | "effective": [
42 | "CAP_CHOWN",
43 | "CAP_DAC_OVERRIDE",
44 | "CAP_FSETID",
45 | "CAP_FOWNER",
46 | "CAP_MKNOD",
47 | "CAP_NET_RAW",
48 | "CAP_SETGID",
49 | "CAP_SETUID",
50 | "CAP_SETFCAP",
51 | "CAP_SETPCAP",
52 | "CAP_NET_BIND_SERVICE",
53 | "CAP_SYS_CHROOT",
54 | "CAP_KILL",
55 | "CAP_AUDIT_WRITE"
56 | ],
57 | "inheritable": [
58 | "CAP_CHOWN",
59 | "CAP_DAC_OVERRIDE",
60 | "CAP_FSETID",
61 | "CAP_FOWNER",
62 | "CAP_MKNOD",
63 | "CAP_NET_RAW",
64 | "CAP_SETGID",
65 | "CAP_SETUID",
66 | "CAP_SETFCAP",
67 | "CAP_SETPCAP",
68 | "CAP_NET_BIND_SERVICE",
69 | "CAP_SYS_CHROOT",
70 | "CAP_KILL",
71 | "CAP_AUDIT_WRITE"
72 | ],
73 | "permitted": [
74 | "CAP_CHOWN",
75 | "CAP_DAC_OVERRIDE",
76 | "CAP_FSETID",
77 | "CAP_FOWNER",
78 | "CAP_MKNOD",
79 | "CAP_NET_RAW",
80 | "CAP_SETGID",
81 | "CAP_SETUID",
82 | "CAP_SETFCAP",
83 | "CAP_SETPCAP",
84 | "CAP_NET_BIND_SERVICE",
85 | "CAP_SYS_CHROOT",
86 | "CAP_KILL",
87 | "CAP_AUDIT_WRITE"
88 | ],
89 | "ambient": [
90 | "CAP_CHOWN",
91 | "CAP_DAC_OVERRIDE",
92 | "CAP_FSETID",
93 | "CAP_FOWNER",
94 | "CAP_MKNOD",
95 | "CAP_NET_RAW",
96 | "CAP_SETGID",
97 | "CAP_SETUID",
98 | "CAP_SETFCAP",
99 | "CAP_SETPCAP",
100 | "CAP_NET_BIND_SERVICE",
101 | "CAP_SYS_CHROOT",
102 | "CAP_KILL",
103 | "CAP_AUDIT_WRITE"
104 | ]
105 | },
106 | "rlimits": [
107 | {
108 | "type": "RLIMIT_NOFILE",
109 | "hard": 1024,
110 | "soft": 1024
111 | }
112 | ]
113 | },
114 | "root": {
115 | "path": "rootfs"
116 | },
117 | "hostname": "mrsdalloway",
118 | "mounts": [
119 | {
120 | "destination": "/proc",
121 | "type": "proc",
122 | "source": "proc"
123 | },
124 | {
125 | "destination": "/dev",
126 | "type": "tmpfs",
127 | "source": "tmpfs",
128 | "options": [
129 | "nosuid",
130 | "strictatime",
131 | "mode=755",
132 | "size=65536k"
133 | ]
134 | },
135 | {
136 | "destination": "/dev/pts",
137 | "type": "devpts",
138 | "source": "devpts",
139 | "options": [
140 | "nosuid",
141 | "noexec",
142 | "newinstance",
143 | "ptmxmode=0666",
144 | "mode=0620",
145 | "gid=5"
146 | ]
147 | },
148 | {
149 | "destination": "/dev/shm",
150 | "type": "tmpfs",
151 | "source": "shm",
152 | "options": [
153 | "nosuid",
154 | "noexec",
155 | "nodev",
156 | "mode=1777",
157 | "size=65536k"
158 | ]
159 | },
160 | {
161 | "destination": "/dev/mqueue",
162 | "type": "mqueue",
163 | "source": "mqueue",
164 | "options": [
165 | "nosuid",
166 | "noexec",
167 | "nodev"
168 | ]
169 | },
170 | {
171 | "destination": "/sys",
172 | "type": "sysfs",
173 | "source": "sysfs",
174 | "options": [
175 | "nosuid",
176 | "noexec",
177 | "nodev",
178 | "ro"
179 | ]
180 | },
181 | {
182 | "destination": "bar",
183 | "type": "bind",
184 | "source": "foo",
185 | "options": [
186 | "rw",
187 | "bind"
188 | ]
189 | }
190 | ],
191 | "linux": {
192 | "resources": {
193 | "devices": [
194 | {
195 | "allow": false,
196 | "access": "rwm"
197 | }
198 | ]
199 | },
200 | "namespaces": [
201 | {
202 | "type": "pid"
203 | },
204 | {
205 | "type": "network"
206 | },
207 | {
208 | "type": "ipc"
209 | },
210 | {
211 | "type": "uts"
212 | },
213 | {
214 | "type": "mount"
215 | }
216 | ],
217 | "seccomp": {
218 | "defaultAction": "SCMP_ACT_ERRNO",
219 | "architectures": [
220 | "SCMP_ARCH_X86_64",
221 | "SCMP_ARCH_X86",
222 | "SCMP_ARCH_X32"
223 | ],
224 | "syscalls": [
225 | {
226 | "names": [
227 | "accept",
228 | "accept4",
229 | "access",
230 | "alarm",
231 | "bind",
232 | "brk",
233 | "capget",
234 | "capset",
235 | "chdir",
236 | "chmod",
237 | "chown",
238 | "chown32",
239 | "clock_getres",
240 | "clock_gettime",
241 | "clock_nanosleep",
242 | "close",
243 | "connect",
244 | "copy_file_range",
245 | "creat",
246 | "dup",
247 | "dup2",
248 | "dup3",
249 | "epoll_create",
250 | "epoll_create1",
251 | "epoll_ctl",
252 | "epoll_ctl_old",
253 | "epoll_pwait",
254 | "epoll_wait",
255 | "epoll_wait_old",
256 | "eventfd",
257 | "eventfd2",
258 | "execve",
259 | "execveat",
260 | "exit",
261 | "exit_group",
262 | "faccessat",
263 | "fadvise64",
264 | "fadvise64_64",
265 | "fallocate",
266 | "fanotify_mark",
267 | "fchdir",
268 | "fchmod",
269 | "fchmodat",
270 | "fchown",
271 | "fchown32",
272 | "fchownat",
273 | "fcntl",
274 | "fcntl64",
275 | "fdatasync",
276 | "fgetxattr",
277 | "flistxattr",
278 | "flock",
279 | "fork",
280 | "fremovexattr",
281 | "fsetxattr",
282 | "fstat",
283 | "fstat64",
284 | "fstatat64",
285 | "fstatfs",
286 | "fstatfs64",
287 | "fsync",
288 | "ftruncate",
289 | "ftruncate64",
290 | "futex",
291 | "futimesat",
292 | "getcpu",
293 | "getcwd",
294 | "getdents",
295 | "getdents64",
296 | "getegid",
297 | "getegid32",
298 | "geteuid",
299 | "geteuid32",
300 | "getgid",
301 | "getgid32",
302 | "getgroups",
303 | "getgroups32",
304 | "getitimer",
305 | "getpeername",
306 | "getpgid",
307 | "getpgrp",
308 | "getpid",
309 | "getppid",
310 | "getpriority",
311 | "getrandom",
312 | "getresgid",
313 | "getresgid32",
314 | "getresuid",
315 | "getresuid32",
316 | "getrlimit",
317 | "get_robust_list",
318 | "getrusage",
319 | "getsid",
320 | "getsockname",
321 | "getsockopt",
322 | "get_thread_area",
323 | "gettid",
324 | "gettimeofday",
325 | "getuid",
326 | "getuid32",
327 | "getxattr",
328 | "inotify_add_watch",
329 | "inotify_init",
330 | "inotify_init1",
331 | "inotify_rm_watch",
332 | "io_cancel",
333 | "ioctl",
334 | "io_destroy",
335 | "io_getevents",
336 | "ioprio_get",
337 | "ioprio_set",
338 | "io_setup",
339 | "io_submit",
340 | "ipc",
341 | "kill",
342 | "lchown",
343 | "lchown32",
344 | "lgetxattr",
345 | "link",
346 | "linkat",
347 | "listen",
348 | "listxattr",
349 | "llistxattr",
350 | "_llseek",
351 | "lremovexattr",
352 | "lseek",
353 | "lsetxattr",
354 | "lstat",
355 | "lstat64",
356 | "madvise",
357 | "memfd_create",
358 | "mincore",
359 | "mkdir",
360 | "mkdirat",
361 | "mknod",
362 | "mknodat",
363 | "mlock",
364 | "mlock2",
365 | "mlockall",
366 | "mmap",
367 | "mmap2",
368 | "mprotect",
369 | "mq_getsetattr",
370 | "mq_notify",
371 | "mq_open",
372 | "mq_timedreceive",
373 | "mq_timedsend",
374 | "mq_unlink",
375 | "mremap",
376 | "msgctl",
377 | "msgget",
378 | "msgrcv",
379 | "msgsnd",
380 | "msync",
381 | "munlock",
382 | "munlockall",
383 | "munmap",
384 | "nanosleep",
385 | "newfstatat",
386 | "_newselect",
387 | "open",
388 | "openat",
389 | "pause",
390 | "pipe",
391 | "pipe2",
392 | "poll",
393 | "ppoll",
394 | "prctl",
395 | "pread64",
396 | "preadv",
397 | "prlimit64",
398 | "pselect6",
399 | "pwrite64",
400 | "pwritev",
401 | "read",
402 | "readahead",
403 | "readlink",
404 | "readlinkat",
405 | "readv",
406 | "recv",
407 | "recvfrom",
408 | "recvmmsg",
409 | "recvmsg",
410 | "remap_file_pages",
411 | "removexattr",
412 | "rename",
413 | "renameat",
414 | "renameat2",
415 | "restart_syscall",
416 | "rmdir",
417 | "rt_sigaction",
418 | "rt_sigpending",
419 | "rt_sigprocmask",
420 | "rt_sigqueueinfo",
421 | "rt_sigreturn",
422 | "rt_sigsuspend",
423 | "rt_sigtimedwait",
424 | "rt_tgsigqueueinfo",
425 | "sched_getaffinity",
426 | "sched_getattr",
427 | "sched_getparam",
428 | "sched_get_priority_max",
429 | "sched_get_priority_min",
430 | "sched_getscheduler",
431 | "sched_rr_get_interval",
432 | "sched_setaffinity",
433 | "sched_setattr",
434 | "sched_setparam",
435 | "sched_setscheduler",
436 | "sched_yield",
437 | "seccomp",
438 | "select",
439 | "semctl",
440 | "semget",
441 | "semop",
442 | "semtimedop",
443 | "send",
444 | "sendfile",
445 | "sendfile64",
446 | "sendmmsg",
447 | "sendmsg",
448 | "sendto",
449 | "setfsgid",
450 | "setfsgid32",
451 | "setfsuid",
452 | "setfsuid32",
453 | "setgid",
454 | "setgid32",
455 | "setgroups",
456 | "setgroups32",
457 | "setitimer",
458 | "setpgid",
459 | "setpriority",
460 | "setregid",
461 | "setregid32",
462 | "setresgid",
463 | "setresgid32",
464 | "setresuid",
465 | "setresuid32",
466 | "setreuid",
467 | "setreuid32",
468 | "setrlimit",
469 | "set_robust_list",
470 | "setsid",
471 | "setsockopt",
472 | "set_thread_area",
473 | "set_tid_address",
474 | "setuid",
475 | "setuid32",
476 | "setxattr",
477 | "shmat",
478 | "shmctl",
479 | "shmdt",
480 | "shmget",
481 | "shutdown",
482 | "sigaltstack",
483 | "signalfd",
484 | "signalfd4",
485 | "sigreturn",
486 | "socket",
487 | "socketcall",
488 | "socketpair",
489 | "splice",
490 | "stat",
491 | "stat64",
492 | "statfs",
493 | "statfs64",
494 | "symlink",
495 | "symlinkat",
496 | "sync",
497 | "sync_file_range",
498 | "syncfs",
499 | "sysinfo",
500 | "syslog",
501 | "tee",
502 | "tgkill",
503 | "time",
504 | "timer_create",
505 | "timer_delete",
506 | "timerfd_create",
507 | "timerfd_gettime",
508 | "timerfd_settime",
509 | "timer_getoverrun",
510 | "timer_gettime",
511 | "timer_settime",
512 | "times",
513 | "tkill",
514 | "truncate",
515 | "truncate64",
516 | "ugetrlimit",
517 | "umask",
518 | "uname",
519 | "unlink",
520 | "unlinkat",
521 | "utime",
522 | "utimensat",
523 | "utimes",
524 | "vfork",
525 | "vmsplice",
526 | "wait4",
527 | "waitid",
528 | "waitpid",
529 | "write",
530 | "writev"
531 | ],
532 | "action": "SCMP_ACT_ALLOW",
533 | "args": [],
534 | "comment": ""
535 | },
536 | {
537 | "names": [
538 | "personality"
539 | ],
540 | "action": "SCMP_ACT_ALLOW",
541 | "args": [
542 | {
543 | "index": 0,
544 | "value": 0,
545 | "valueTwo": 0,
546 | "op": "SCMP_CMP_EQ"
547 | },
548 | {
549 | "index": 0,
550 | "value": 8,
551 | "valueTwo": 0,
552 | "op": "SCMP_CMP_EQ"
553 | },
554 | {
555 | "index": 0,
556 | "value": 4294967295,
557 | "valueTwo": 0,
558 | "op": "SCMP_CMP_EQ"
559 | }
560 | ],
561 | "comment": ""
562 | },
563 | {
564 | "names": [
565 | "chroot"
566 | ],
567 | "action": "SCMP_ACT_ALLOW",
568 | "args": [],
569 | "comment": ""
570 | },
571 | {
572 | "names": [
573 | "chroot"
574 | ],
575 | "action": "SCMP_ACT_ALLOW",
576 | "args": [],
577 | "comment": ""
578 | },
579 | {
580 | "names": [
581 | "chroot"
582 | ],
583 | "action": "SCMP_ACT_ALLOW",
584 | "args": [],
585 | "comment": ""
586 | },
587 | {
588 | "names": [
589 | "chroot"
590 | ],
591 | "action": "SCMP_ACT_ALLOW",
592 | "args": [],
593 | "comment": ""
594 | },
595 | {
596 | "names": [
597 | "chroot"
598 | ],
599 | "action": "SCMP_ACT_ALLOW",
600 | "args": [],
601 | "comment": ""
602 | },
603 | {
604 | "names": [
605 | "clone"
606 | ],
607 | "action": "SCMP_ACT_ALLOW",
608 | "args": [
609 | {
610 | "index": 0,
611 | "value": 2080505856,
612 | "valueTwo": 0,
613 | "op": "SCMP_CMP_MASKED_EQ"
614 | }
615 | ],
616 | "comment": ""
617 | },
618 | {
619 | "names": [
620 | "arch_prctl"
621 | ],
622 | "action": "SCMP_ACT_ALLOW",
623 | "args": [],
624 | "comment": ""
625 | },
626 | {
627 | "names": [
628 | "modify_ldt"
629 | ],
630 | "action": "SCMP_ACT_ALLOW",
631 | "args": [],
632 | "comment": ""
633 | }
634 | ]
635 | }
636 | }
637 | }
--------------------------------------------------------------------------------