in heartbeat/security/seccomp.go [27:292]
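// mustConfigureSeccompPolicy installs Heartbeat's seccomp syscall filter.
//
// It is a no-op on any GOOS other than linux. On amd64 and 386 it extends
// libbeat's default policy with the syscalls listed below through
// seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, ...). On arm64 it instead
// registers a standalone deny-by-default policy (DefaultAction
// seccomptypes.ActionErrno) whose only allowed syscalls are those listed for
// that architecture. Architectures not named in the switch receive no policy
// from this function.
//
// As the Must prefix indicates, it panics when the policy cannot be applied
// (a returned error on amd64/386, or whatever seccomp.MustRegisterPolicy
// panics on for arm64).
func mustConfigureSeccompPolicy() {
	if runtime.GOOS != "linux" {
		return
	}

	switch runtime.GOARCH {
	case "amd64", "386":
		// Syscalls added on top of the libbeat default allow-list. Each name
		// appears once; the former duplicate "capget" entry has been dropped.
		err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
			"access",
			"arch_prctl",
			"bind",
			"brk",
			"capget",
			"capset",
			"chdir",
			"chmod",
			"chown",
			"clone",
			"close",
			"connect",
			"creat",
			"dup",
			"dup2",
			"dup3",
			"epoll_ctl",
			"epoll_pwait",
			"eventfd2",
			"execve",
			"exit",
			"faccessat",
			"fadvise64",
			"fallocate",
			"fcntl",
			"flock",
			"fstat",
			"fsync",
			"futex",
			"getcwd",
			"getdents64",
			"getegid",
			"geteuid",
			"getgroups",
			"getgid",
			"getpeername",
			"getpgrp",
			"getpid",
			"getppid",
			"getpriority",
			"getrandom",
			"getresuid",
			"getresgid",
			"getrusage",
			"getsockname",
			"gettid",
			"getuid",
			"ioctl",
			"inotify_init",
			"lchown",
			"link",
			"lseek",
			"madvise",
			"memfd_create",
			"mkdir",
			"mkdirat",
			"mlock",
			"mmap",
			"mprotect",
			"munmap",
			"nanosleep",
			"name_to_handle_at",
			"newfstatat",
			"openat",
			"pipe",
			"pipe2",
			"poll",
			"prctl",
			"pread64",
			"prlimit64",
			"pwrite64",
			"read",
			"readlink",
			"readlinkat",
			"recvfrom",
			"rename",
			"rmdir",
			"rt_sigaction",
			"rt_sigprocmask",
			"rt_sigreturn",
			"sched_getaffinity",
			"sched_getparam",
			"sched_getscheduler",
			"select",
			"sendto",
			"set_robust_list",
			"set_tid_address",
			"setgid",
			"setgroups",
			"setpriority",
			"setsid",
			"setuid",
			"sigaltstack",
			"socket",
			"socketpair",
			"stat",
			"statx",
			"symlink",
			"umask",
			"uname",
			"unlink",
			"utimensat",
			"write",
		)
		if err != nil {
			panic(err)
		}

	case "arm64":
		// Deny-by-default policy for arm64. Any syscall not named below is
		// refused with ActionErrno — presumably an error returned to the
		// caller rather than process termination; confirm against the
		// seccomp package's documentation of that action.
		//
		// NOTE(review): this allow-list is not the same set as the amd64/386
		// additions above (e.g. accept, listen, kill, tgkill, wait4 appear
		// only here, while access, chmod, chown, dup2 appear only there).
		// Confirm the divergence is intentional and not drift.
		arm64Policy := &seccomptypes.Policy{
			DefaultAction: seccomptypes.ActionErrno,
			Syscalls: []seccomptypes.SyscallGroup{
				{
					Action: seccomptypes.ActionAllow,
					Names: []string{
						"accept",
						"accept4",
						"bind",
						"brk",
						"capget",
						"capset",
						"chdir",
						"clock_gettime",
						"clone",
						"clone3",
						"close",
						"connect",
						"dup",
						"dup3",
						"epoll_create1",
						"epoll_ctl",
						"epoll_pwait",
						"eventfd2",
						"execve",
						"exit",
						"exit_group",
						"faccessat",
						"fadvise64",
						"fallocate",
						"fchdir",
						"fchmod",
						"fchmodat",
						"fchown",
						"fchownat",
						"fcntl",
						"fdatasync",
						"flock",
						"fstat",
						"fstatat", // or newfstatat
						"fstatfs",
						"fsync",
						"ftruncate",
						"futex",
						"getcwd",
						"getdents64",
						"getegid",
						"geteuid",
						"getgid",
						"getgroups",
						"getpeername",
						"getpgid",
						"getpid",
						"getppid",
						"getpriority",
						"getrandom",
						"getresgid",
						"getresuid",
						"getrlimit",
						"getrusage",
						"getsockname",
						"getsockopt",
						"gettid",
						"gettimeofday",
						"getuid",
						"inotify_add_watch",
						"inotify_init1",
						"inotify_rm_watch",
						"ioctl",
						"kill",
						"linkat",
						"listen",
						"lseek",
						"madvise",
						"memfd_create",
						"mincore",
						"mkdirat",
						"mlock",
						"mmap",
						"mprotect",
						"munmap",
						"name_to_handle_at",
						"nanosleep",
						"openat",
						"pipe2",
						"ppoll",
						"prctl",
						"pread64",
						"prlimit64",
						"pselect6",
						"pwrite64",
						"read",
						"readlinkat",
						"recvfrom",
						"recvmmsg",
						"recvmsg",
						"renameat",
						"rseq",
						"rt_sigaction",
						"rt_sigprocmask",
						"rt_sigreturn",
						"sched_getaffinity",
						"sched_getattr",
						"sched_getparam",
						"sched_getscheduler",
						"sched_setaffinity",
						"sched_setattr",
						"sched_yield",
						"seccomp",
						"sendfile",
						"sendmmsg",
						"sendmsg",
						"sendto",
						"set_robust_list",
						"set_tid_address",
						"setgid",
						"setgroups",
						"setitimer",
						"setpriority",
						"setsid",
						"setsockopt",
						"setuid",
						"shutdown",
						"sigaltstack",
						"socket",
						"socketpair",
						"splice",
						"statfs",
						"statx",
						"symlinkat",
						"sysinfo",
						"tgkill",
						"tkill",
						"umask",
						"uname",
						"unlinkat",
						"utimensat",
						"wait4",
						"waitid",
						"write",
						"writev",
					},
				},
			},
		}
		seccomp.MustRegisterPolicy(arm64Policy)
	}
}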