From 9482bcd64c269d0afab22f74e25734688780aa01 Mon Sep 17 00:00:00 2001
From: Ryan Voots
Date: Mon, 19 Mar 2018 16:33:19 -0700
Subject: [PATCH] Site update

---
 blog/2017/09/28/new-blog/index.html | 2 +
 blog/2017/10/02/new-old-perls/index.html | 2 +
 blog/2017/10/23/seccomp-and-you/index.html | 6 +-
 blog/2018/03/16/seccomp-and-us/index.html | 159 +++++++++++++++++++
 blog/index.atom | 76 ++++++++-
 blog/index.html | 79 ++++++++++
 blog/index.rss | 73 +++++++++
 blog/tag/evalserver/index.html | 2 +
 blog/tag/perlbot.atom | 85 ++++++++++
 blog/tag/perlbot.rss | 84 ++++++++++
 blog/tag/perlbot/index.html | 173 +++++++++++++++++++++
 blog/tag/plugins.atom | 85 ++++++++++
 blog/tag/plugins.rss | 84 ++++++++++
 blog/tag/plugins/index.html | 173 +++++++++++++++++++++
 blog/tag/seccomp.atom | 76 ++++++++-
 blog/tag/seccomp.rss | 73 +++++++++
 blog/tag/seccomp/index.html | 79 ++++++++++
 sitemap.xml | 26 +++-
 18 files changed, 1329 insertions(+), 8 deletions(-)
 create mode 100644 blog/2018/03/16/seccomp-and-us/index.html
 create mode 100644 blog/tag/perlbot.atom
 create mode 100644 blog/tag/perlbot.rss
 create mode 100644 blog/tag/perlbot/index.html
 create mode 100644 blog/tag/plugins.atom
 create mode 100644 blog/tag/plugins.rss
 create mode 100644 blog/tag/plugins/index.html

diff --git a/blog/2017/09/28/new-blog/index.html b/blog/2017/09/28/new-blog/index.html
index 5bfc2fe..0452605 100644
--- a/blog/2017/09/28/new-blog/index.html
+++ b/blog/2017/09/28/new-blog/index.html
@@ -83,6 +83,8 @@ and perform an action on it.

Tags

diff --git a/blog/2017/10/02/new-old-perls/index.html b/blog/2017/10/02/new-old-perls/index.html
index d5640b9..d9fbc65 100644
--- a/blog/2017/10/02/new-old-perls/index.html
+++ b/blog/2017/10/02/new-old-perls/index.html
@@ -90,6 +90,8 @@ directory on the root filesystem. This was done to make getting them to work in

Tags

diff --git a/blog/2017/10/23/seccomp-and-you/index.html b/blog/2017/10/23/seccomp-and-you/index.html
index 650fb78..94f4f1f 100644
--- a/blog/2017/10/23/seccomp-and-you/index.html
+++ b/blog/2017/10/23/seccomp-and-you/index.html
@@ -147,9 +147,9 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.

@@ -170,6 +170,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.

Tags

diff --git a/blog/2018/03/16/seccomp-and-us/index.html b/blog/2018/03/16/seccomp-and-us/index.html
new file mode 100644
index 0000000..583b7ec
--- /dev/null
+++ b/blog/2018/03/16/seccomp-and-us/index.html
@@ -0,0 +1,159 @@
+ + + + + + + + + + Seccomp and Us - Perlbot.pl pastebin + + + + +
+ + +
+
+
+
+
+
+

Seccomp and Us

+ + + +

Tags: + + + +

+ + +
+
+

Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ +
+ + + + +

Comments

+
+ + + + + +
+
+ + +
+
+ + + + +
diff --git a/blog/index.atom b/blog/index.atom
index 58a9df4..3dfba14 100644
--- a/blog/index.atom
+++ b/blog/index.atom
@@ -2,11 +2,85 @@
https://perlbot.pl/blog/ Perlbot.pl pastebin - 2017-10-23T00:00:00Z + 2018-03-16T00:00:00Z Statocles + + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Seccomp and Us + + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.
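Review bot: The second YAML example in the new post is mis-nested: the list under `permute:` / `open_modes:` is dedented back to the level of `permute:` itself, and in `lang_ruby` the `tests:` key sits beside `rules:` instead of under the `- syscall: clone` entry, so `- syscall: sigaltstack` lands inside `tests`. As printed, a YAML 1.2 parser will most likely reject the block mapping around `open_modes`, and even if the indentation is only a rendering artifact, a reader who copies the snippet ends up with a clone rule that has no flags test attached to it. I'd re-indent the list under `open_modes:` and move `tests:` under the clone rule as below; the same snippet recurs verbatim in the index.atom, index.rss, tag feed and tag page hunks that follow, so the fix belongs in the post's source rather than in each rendered copy. That `tests` is meant to be per-rule is inferred from the structure, not from anything in this diff; confirm against the module documentation the post links.
```yaml
    permute:
      open_modes:
        - 'O_NONBLOCK'
        - 'O_EXCL'
        - 'O_RDONLY'
        - 'O_NOFOLLOW'
        - 'O_CLOEXEC'
# … unchanged: lang_ruby include …
    rules:
      - syscall: clone
        tests:
          - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
      - syscall: sigaltstack
```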

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ 2018-03-16T00:00:00Z + + + +
https://perlbot.pl/blog/2017/10/23/seccomp-and-you/ Seccomp and you
diff --git a/blog/index.html b/blog/index.html
index e7745a0..12510b4 100644
--- a/blog/index.html
+++ b/blog/index.html
@@ -34,6 +34,83 @@
+
+
+

Seccomp and Us

+ + + +

Tags: + + + +

+ +
+ +

Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + + +

Seccomp and you

@@ -226,6 +303,8 @@ and perform an action on it.

Tags

diff --git a/blog/index.rss b/blog/index.rss
index 500bc27..4ce5982 100644
--- a/blog/index.rss
+++ b/blog/index.rss
@@ -6,6 +6,79 @@
Blog feed of Perlbot.pl pastebin Statocles 0.086 + + Seccomp and Us + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ + Fri, 16 Mar 2018 00:00:00 +0000 + +
Seccomp and you https://perlbot.pl/blog/2017/10/23/seccomp-and-you/
diff --git a/blog/tag/evalserver/index.html b/blog/tag/evalserver/index.html
index b462c4d..4eb0c26 100644
--- a/blog/tag/evalserver/index.html
+++ b/blog/tag/evalserver/index.html
@@ -171,6 +171,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.

Tags

diff --git a/blog/tag/perlbot.atom b/blog/tag/perlbot.atom
new file mode 100644
index 0000000..78a46ca
--- /dev/null
+++ b/blog/tag/perlbot.atom
@@ -0,0 +1,85 @@
+ + + https://perlbot.pl/blog/tag/perlbot/ + Perlbot.pl pastebin + 2018-03-16T00:00:00Z + + + Statocles + + + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Seccomp and Us + + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ 2018-03-16T00:00:00Z + + + +
+
+
diff --git a/blog/tag/perlbot.rss b/blog/tag/perlbot.rss
new file mode 100644
index 0000000..975a369
--- /dev/null
+++ b/blog/tag/perlbot.rss
@@ -0,0 +1,84 @@
+ + + + Perlbot.pl pastebin + https://perlbot.pl/blog/tag/perlbot/ + + Blog feed of Perlbot.pl pastebin + Statocles 0.086 + + Seccomp and Us + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ + Fri, 16 Mar 2018 00:00:00 +0000 + +
+
+
+
diff --git a/blog/tag/perlbot/index.html b/blog/tag/perlbot/index.html
new file mode 100644
index 0000000..ccaf4ab
--- /dev/null
+++ b/blog/tag/perlbot/index.html
@@ -0,0 +1,173 @@
+ + + + + + + + + + Perlbot.pl pastebin + + + + + + +
+ + +
+
+
+
+
+ + +
+
+

Seccomp and Us

+ + + +

Tags: + + + +

+ +
+ +

Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + + +
+ +
    + + +
+ + + + +
+
+ + +
+
+ + + + +
diff --git a/blog/tag/plugins.atom b/blog/tag/plugins.atom
new file mode 100644
index 0000000..df401e6
--- /dev/null
+++ b/blog/tag/plugins.atom
@@ -0,0 +1,85 @@
+ + + https://perlbot.pl/blog/tag/plugins/ + Perlbot.pl pastebin + 2018-03-16T00:00:00Z + + + Statocles + + + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Seccomp and Us + + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ 2018-03-16T00:00:00Z + + + +
+
+
diff --git a/blog/tag/plugins.rss b/blog/tag/plugins.rss
new file mode 100644
index 0000000..eee0a34
--- /dev/null
+++ b/blog/tag/plugins.rss
@@ -0,0 +1,84 @@
+ + + + Perlbot.pl pastebin + https://perlbot.pl/blog/tag/plugins/ + + Blog feed of Perlbot.pl pastebin + Statocles 0.086 + + Seccomp and Us + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ + Fri, 16 Mar 2018 00:00:00 +0000 + +
+
+
+
diff --git a/blog/tag/plugins/index.html b/blog/tag/plugins/index.html
new file mode 100644
index 0000000..a6b76b8
--- /dev/null
+++ b/blog/tag/plugins/index.html
@@ -0,0 +1,173 @@
+ + + + + + + + + + Perlbot.pl pastebin + + + + + + +
+ + +
+
+
+
+
+ + +
+
+

Seccomp and Us

+ + + +

Tags: + + + +

+ +
+ +

Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
+or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in
+some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
+about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + + +
+ +
    + + +
+ + + + +
+
+ + +
+
+ + + + +
diff --git a/blog/tag/seccomp.atom b/blog/tag/seccomp.atom
index 47d7de9..769058f 100644
--- a/blog/tag/seccomp.atom
+++ b/blog/tag/seccomp.atom
@@ -2,11 +2,85 @@
https://perlbot.pl/blog/tag/seccomp/ Perlbot.pl pastebin - 2017-10-23T00:00:00Z + 2018-03-16T00:00:00Z Statocles + + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Seccomp and Us + + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
+and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date.
+What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
+POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change +or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in +some more information that the plugins can use to make rules, things like the code and files being passed in, and other information +about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ 2018-03-16T00:00:00Z + + + +
https://perlbot.pl/blog/2017/10/23/seccomp-and-you/ Seccomp and you diff --git a/blog/tag/seccomp.rss b/blog/tag/seccomp.rss index a6db0f9..1f01b94 100644 --- a/blog/tag/seccomp.rss +++ b/blog/tag/seccomp.rss @@ -6,6 +6,79 @@ Blog feed of Perlbot.pl pastebin Statocles 0.086 + + Seccomp and Us + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that +and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date. +What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone +POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change +or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in +some more information that the plugins can use to make rules, things like the code and files being passed in, and other information +about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + +

Tags: + perlbot + seccomp + plugins +

+ + ]]>
+ + Fri, 16 Mar 2018 00:00:00 +0000 + +
Seccomp and you https://perlbot.pl/blog/2017/10/23/seccomp-and-you/ diff --git a/blog/tag/seccomp/index.html b/blog/tag/seccomp/index.html index 9915c4c..51c1bc8 100644 --- a/blog/tag/seccomp/index.html +++ b/blog/tag/seccomp/index.html @@ -34,6 +34,83 @@
+
+
+

Seccomp and Us

+ + + +

Tags: + + + +

+ +
+ +

Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that +and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it'll always be up to date. +What I didn't document there, were the plugins to enable more advanced behavior, since the API there hasn't fully been fleshed out, but I don't see them changing much in the future.

+ +

Plugin Types

+ +

Constant Plugins

+ +

These ones are pretty well defined and not likely to actually change. There's two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone +POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.

+ +
constants:
+  plugins:
+    - 'POSIX'
+    - 'LinuxClone'
+  values:
+    TCGETS: 0x5401
+    FIOCLEX: 0x5451
+    FIONBIO: 0x5421
+    TIOCGPTN: 0x80045430
+
+ +

An example of the YAML above, that pulls in the two plugins, and here's how you use them:

+ +
  file_readonly:
+    include:
+      - file_open
+    permute:
+      open_modes:
+    - 'O_NONBLOCK'
+    - 'O_EXCL'
+    - 'O_RDONLY'
+    - 'O_NOFOLLOW'
+    - 'O_CLOEXEC'
+
+  lang_ruby:
+    include:
+      - default
+    rules:
+      - syscall: clone
+    tests:
+      - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
+      - syscall: sigaltstack
+
+ +

So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.

+ +

Rule generating plugins

+ +

These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change +or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in +some more information that the plugins can use to make rules, things like the code and files being passed in, and other information +about the whole setup.

+ +

https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm

+ + + +

Seccomp and you

@@ -171,6 +248,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.

Tags

diff --git a/sitemap.xml b/sitemap.xml index 226cc37..598bedf 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -4,13 +4,13 @@ https://perlbot.pl/ weekly 0.5 - 2017-10-23 + 2018-03-19 https://perlbot.pl/blog/ daily 0.3 - 2017-10-23 + 2018-03-16 https://perlbot.pl/blog/2017/09/28/new-blog/ @@ -30,23 +30,41 @@ 0.5 2017-10-23 + + https://perlbot.pl/blog/2018/03/16/seccomp-and-us/ + weekly + 0.5 + 2018-03-16 + https://perlbot.pl/blog/tag/evalserver/ daily 0.3 2017-10-23 + + https://perlbot.pl/blog/tag/perlbot/ + daily + 0.3 + 2018-03-16 + + + https://perlbot.pl/blog/tag/plugins/ + daily + 0.3 + 2018-03-16 + https://perlbot.pl/blog/tag/seccomp/ daily 0.3 - 2017-10-23 + 2018-03-16 https://perlbot.pl/page/seccomp/ weekly 0.5 - 2017-10-23 + 2018-03-19