Site update

This commit is contained in:
Ryan Voots 2018-03-19 16:33:19 -07:00
parent d0e971f8c3
commit 9482bcd64c
18 changed files with 1329 additions and 8 deletions

View file

@ -83,6 +83,8 @@ and perform an action on it.</p>
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

View file

@ -90,6 +90,8 @@ directory on the root filesystem. This was done to make getting them to work in
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

View file

@ -147,9 +147,9 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.</p>
</a>
</li>
<li class="next">
<button disabled>
<a class="button button-primary" href="/blog/2018/03/16/seccomp-and-us/index.html" rel="next">
Newer →
</button>
</a>
</li>
</ul>
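Review bot: the new "Newer →" link targets `/blog/2018/03/16/seccomp-and-us/index.html`, while every other reference to the post in this commit (the feed `<id>` and `<link>` elements, the blog index heading, the tag pages) uses the directory form `/blog/2018/03/16/seccomp-and-us/`. Two URLs for one page split canonical links and cache entries; use `href="/blog/2018/03/16/seccomp-and-us/"` here as well. Note for readers of this rendered diff that the `<button disabled>` and `</button>` lines are the removed pair and the `<a ...>` and `</a>` lines are the added pair; the markup is not actually nested that way.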
@ -170,6 +170,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.</p>
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

View file

@ -0,0 +1,159 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta content="width=device-width, initial-scale=1" name="viewport">
<link href="/theme/css/normalize.css" rel="stylesheet">
<link href="/theme/css/skeleton.css" rel="stylesheet">
<link href="/theme/css/statocles-default.css" rel="stylesheet">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">
<title>Seccomp and Us - Perlbot.pl pastebin</title>
<meta content="Statocles 0.086" name="generator">
</head>
<body>
<header>
<nav class="navbar">
<div class="container">
<a class="brand" href="/">Perlbot.pl pastebin</a>
<ul>
<li>
<a href="/blog">Blog</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="main container">
<div class="row">
<div class="nine columns">
<main>
<header>
<h1>Seccomp and Us</h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<section id="section-1">
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
</section>
<ul class="pager">
<li class="prev">
<a class="button button-primary" href="/blog/2017/10/23/seccomp-and-you/index.html" rel="prev">
← Older
</a>
</li>
<li class="next">
<button disabled>
Newer →
</button>
</li>
</ul>
<h1>Comments</h1>
<section id="isso-thread"></section>
<noscript>Please enable JavaScript to view the comments. I promise it&#39;s not doing weird third party crap.</noscript>
<script data-isso="//isso.perlbot.pl/" data-isso-require-author="true" src="//isso.perlbot.pl/js/embed.min.js"></script>
</main>
</div>
<div class="three columns sidebar">
<nav id="tags">
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>
</div>
</div>
</div>
<footer>
<div class="container tagline">
<a href="http://preaction.me/statocles">Made with Statocles</a><br>
<a href="http://www.perl.org">Powered by Perl</a>
</div>
</footer>
</body>
</html>
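Review bot: the stylesheet loaded by `<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">` comes from a third-party CDN with no `integrity` or `crossorigin` attribute, so a compromised CDN or an on-path attacker on a plain-HTTP visit can inject CSS into every page; add a Subresource Integrity hash with `crossorigin="anonymous"`, or self-host the file under `/theme/css/` next to the other stylesheets. Smaller points in the same file: the ExecWrapper.pm reference is a bare `<p>https://github.com/...</p>` rather than an `<a>` link, the heading levels invert (`<h2>Plugin Types</h2>` is followed by `<h1>Constant Plugins</h1>`), and the prose has "generate a rule a runtime" for "at runtime", "Back in october" for "October", and no full stop between "...LinuxClone" and "POSIX provides...". Since the feed and index hunks carry generated copies of the same body, fix these in the post source and rebuild rather than editing the generated HTML.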

View file

@ -2,11 +2,85 @@
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://perlbot.pl/blog/</id>
<title>Perlbot.pl pastebin</title>
<updated>2017-10-23T00:00:00Z</updated>
<updated>2018-03-16T00:00:00Z</updated>
<link href="https://perlbot.pl/blog/index.atom" rel="self" />
<link href="https://perlbot.pl/blog/" rel="alternate" />
<generator version="0.086">Statocles</generator>
<entry>
<id>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</id>
<title>Seccomp and Us</title>
<link href="https://perlbot.pl/blog/2018/03/16/seccomp-and-us/" rel="alternate" />
<content type="html"><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></content>
<updated>2018-03-16T00:00:00Z</updated>
<category term="perlbot" />
<category term="seccomp" />
<category term="plugins" />
</entry>
<entry>
<id>https://perlbot.pl/blog/2017/10/23/seccomp-and-you/</id>
<title>Seccomp and you</title>
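Review bot: neither the feed-level elements visible here (`<id>`, `<title>`, `<updated>`, `<link>`, `<generator>`) nor the new `<entry>` carry an `<author>` element, which RFC 4287 requires at feed level unless every entry supplies one; feed validators flag this as an error and some readers refuse the feed. Add a feed-level `<author><name>...</name></author>` in the generator's feed template. The `<content type="html">` body also embeds `<h1>` and `<h2>` headings, which readers render at document level inside the entry; demoting headings when generating feed content avoids that. The `<updated>` bump from 2017-10-23 to 2018-03-16 is correct for the new entry.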

View file

@ -34,6 +34,83 @@
<main>
<article>
<header>
<h1><a href="/blog/2018/03/16/seccomp-and-us/">Seccomp and Us</a></h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
</article>
<article>
<header>
<h1><a href="/blog/2017/10/23/seccomp-and-you/">Seccomp and you</a></h1>
@ -226,6 +303,8 @@ and perform an action on it.</p>
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

View file

@ -6,6 +6,79 @@
<atom:link href="https://perlbot.pl/blog/index.rss" rel="self" type="application/rss+xml" />
<description>Blog feed of Perlbot.pl pastebin</description>
<generator>Statocles 0.086</generator>
<item>
<title>Seccomp and Us</title>
<link>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</link>
<guid>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</guid>
<description><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></description>
<pubDate>
Fri, 16 Mar 2018 00:00:00 +0000
</pubDate>
</item>
<item>
<title>Seccomp and you</title>
<link>https://perlbot.pl/blog/2017/10/23/seccomp-and-you/</link>
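Review bot: `<pubDate>` is emitted with the RFC 822 date on its own line, surrounded by whitespace (`<pubDate>` / `Fri, 16 Mar 2018 00:00:00 +0000` / `</pubDate>`). RSS parsers that do not trim text nodes fail to parse the date and then drop or mis-order the item; emit it on a single line as `<pubDate>Fri, 16 Mar 2018 00:00:00 +0000</pubDate>`. The same layout appears in the per-tag RSS files added further down, so the fix belongs in the generator's RSS template.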

View file

@ -171,6 +171,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.</p>
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

blog/tag/perlbot.atom Normal file
View file

@ -0,0 +1,85 @@
<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://perlbot.pl/blog/tag/perlbot/</id>
<title>Perlbot.pl pastebin</title>
<updated>2018-03-16T00:00:00Z</updated>
<link href="https://perlbot.pl/blog/tag/perlbot.atom" rel="self" />
<link href="https://perlbot.pl/blog/tag/perlbot/" rel="alternate" />
<generator version="0.086">Statocles</generator>
<entry>
<id>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</id>
<title>Seccomp and Us</title>
<link href="https://perlbot.pl/blog/2018/03/16/seccomp-and-us/" rel="alternate" />
<content type="html"><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></content>
<updated>2018-03-16T00:00:00Z</updated>
<category term="perlbot" />
<category term="seccomp" />
<category term="plugins" />
</entry>
</feed>

blog/tag/perlbot.rss Normal file
View file

@ -0,0 +1,84 @@
<?xml version="1.0"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Perlbot.pl pastebin</title>
<link>https://perlbot.pl/blog/tag/perlbot/</link>
<atom:link href="https://perlbot.pl/blog/tag/perlbot.rss" rel="self" type="application/rss+xml" />
<description>Blog feed of Perlbot.pl pastebin</description>
<generator>Statocles 0.086</generator>
<item>
<title>Seccomp and Us</title>
<link>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</link>
<guid>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</guid>
<description><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></description>
<pubDate>
Fri, 16 Mar 2018 00:00:00 +0000
</pubDate>
</item>
</channel>
</rss>

blog/tag/perlbot/index.html Normal file
View file

@ -0,0 +1,173 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta content="width=device-width, initial-scale=1" name="viewport">
<link href="/theme/css/normalize.css" rel="stylesheet">
<link href="/theme/css/skeleton.css" rel="stylesheet">
<link href="/theme/css/statocles-default.css" rel="stylesheet">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">
<title>Perlbot.pl pastebin</title>
<meta content="Statocles 0.086" name="generator">
<link href="/blog/tag/perlbot.atom" rel="alternate" type="application/atom+xml">
<link href="/blog/tag/perlbot.rss" rel="alternate" type="application/rss+xml">
</head>
<body>
<header>
<nav class="navbar">
<div class="container">
<a class="brand" href="/">Perlbot.pl pastebin</a>
<ul>
<li>
<a href="/blog">Blog</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="main container">
<div class="row">
<div class="nine columns">
<main>
<article>
<header>
<h1><a href="/blog/2018/03/16/seccomp-and-us/">Seccomp and Us</a></h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
</article>
<ul class="pager">
<li class="prev">
<button disabled>
← Older
</button>
</li>
<li class="next">
<button disabled>
Newer →
</button>
</li>
</ul>
</main>
</div>
<div class="three columns sidebar">
<nav id="tags">
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>
<h1>Feeds</h1>
<ul class="list-inline">
<li>
<a href="/blog/tag/perlbot.atom" rel="alternate" type="application/atom+xml">
Atom
</a>
</li>
<li>
<a href="/blog/tag/perlbot.rss" rel="alternate" type="application/rss+xml">
RSS
</a>
</li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container tagline">
<a href="http://preaction.me/statocles">Made with Statocles</a><br>
<a href="http://www.perl.org">Powered by Perl</a>
</div>
</footer>
</body>
</html>
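Review bot: the new tag page's `<title>` is just the site name (`<title>Perlbot.pl pastebin</title>`), identical to the blog index, so browser history, bookmarks and feed discovery cannot tell the tag listing apart from the front page; include the tag in the title, for example `<title>Tag: perlbot - Perlbot.pl pastebin</title>`. The rest of the page is consistent with the other generated pages: the `<link rel="alternate">` feed entries in `<head>` match the Feeds list in the sidebar, and both pager buttons are correctly disabled for a single-post tag.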

blog/tag/plugins.atom Normal file
View file

@ -0,0 +1,85 @@
<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://perlbot.pl/blog/tag/plugins/</id>
<title>Perlbot.pl pastebin</title>
<updated>2018-03-16T00:00:00Z</updated>
<link href="https://perlbot.pl/blog/tag/plugins.atom" rel="self" />
<link href="https://perlbot.pl/blog/tag/plugins/" rel="alternate" />
<generator version="0.086">Statocles</generator>
<entry>
<id>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</id>
<title>Seccomp and Us</title>
<link href="https://perlbot.pl/blog/2018/03/16/seccomp-and-us/" rel="alternate" />
<content type="html"><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></content>
<updated>2018-03-16T00:00:00Z</updated>
<category term="perlbot" />
<category term="seccomp" />
<category term="plugins" />
</entry>
</feed>

blog/tag/plugins.rss Normal file
View file

@ -0,0 +1,84 @@
<?xml version="1.0"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Perlbot.pl pastebin</title>
<link>https://perlbot.pl/blog/tag/plugins/</link>
<atom:link href="https://perlbot.pl/blog/tag/plugins.rss" rel="self" type="application/rss+xml" />
<description>Blog feed of Perlbot.pl pastebin</description>
<generator>Statocles 0.086</generator>
<item>
<title>Seccomp and Us</title>
<link>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</link>
<guid>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</guid>
<description><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></description>
<pubDate>
Fri, 16 Mar 2018 00:00:00 +0000
</pubDate>
</item>
</channel>
</rss>
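Review bot: the values block pins TCGETS: 0x5401, FIOCLEX: 0x5451, FIONBIO: 0x5421 and TIOCGPTN: 0x80045430 to their x86 ioctl request numbers, which undercuts the closing claim that rules no longer need to "worry so much about portability among architectures": ioctl request encodings differ per architecture (powerpc, mips, alpha and sparc use different numbers for these), so a reader copying this config onto a non-x86 host gets a filter that matches the wrong ioctl numbers. Either say these four are x86-only, or point at the constant plugin the project intends to supply them from. In the same section, "POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall" reads as though the POSIX plugin supplies the CLONE_* flags used later in the lang_ruby rule; if LinuxClone is what provides them, say so.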

173
blog/tag/plugins/index.html Normal file
View file

@ -0,0 +1,173 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta content="width=device-width, initial-scale=1" name="viewport">
<link href="/theme/css/normalize.css" rel="stylesheet">
<link href="/theme/css/skeleton.css" rel="stylesheet">
<link href="/theme/css/statocles-default.css" rel="stylesheet">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet">
<title>Perlbot.pl pastebin</title>
<meta content="Statocles 0.086" name="generator">
<link href="/blog/tag/plugins.atom" rel="alternate" type="application/atom+xml">
<link href="/blog/tag/plugins.rss" rel="alternate" type="application/rss+xml">
</head>
<body>
<header>
<nav class="navbar">
<div class="container">
<a class="brand" href="/">Perlbot.pl pastebin</a>
<ul>
<li>
<a href="/blog">Blog</a>
</li>
</ul>
</div>
</nav>
</header>
<div class="main container">
<div class="row">
<div class="nine columns">
<main>
<article>
<header>
<h1><a href="/blog/2018/03/16/seccomp-and-us/">Seccomp and Us</a></h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
</article>
<ul class="pager">
<li class="prev">
<button disabled>
← Older
</button>
</li>
<li class="next">
<button disabled>
Newer →
</button>
</li>
</ul>
</main>
</div>
<div class="three columns sidebar">
<nav id="tags">
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>
<h1>Feeds</h1>
<ul class="list-inline">
<li>
<a href="/blog/tag/plugins.atom" rel="alternate" type="application/atom+xml">
Atom
</a>
</li>
<li>
<a href="/blog/tag/plugins.rss" rel="alternate" type="application/rss+xml">
RSS
</a>
</li>
</ul>
</div>
</div>
</div>
<footer>
<div class="container tagline">
<a href="http://preaction.me/statocles">Made with Statocles</a><br>
<a href="http://www.perl.org">Powered by Perl</a>
</div>
</footer>
</body>
</html>
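Review bot: the font-awesome stylesheet is loaded from //maxcdn.bootstrapcdn.com with no integrity or crossorigin attribute, so whoever controls that CDN (or, if the page is ever served over plain http, anyone on the path of the protocol-relative fetch) can inject arbitrary CSS into every page of the site; add a Subresource Integrity hash for the pinned 4.3.0 file or vendor it under /theme/css/ next to normalize.css and skeleton.css. That is theme template output, so the change goes in the Statocles theme rather than in each generated page. Separately, the article body opens with <h2>Plugin Types</h2> followed by <h1>Constant Plugins</h1> and <h1>Rule generating plugins</h1>: the section headings outrank their parent heading and sit at the same level as the post title's <h1>, which looks like swapped ## and # markers in the markdown source.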

View file

@ -2,11 +2,85 @@
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://perlbot.pl/blog/tag/seccomp/</id>
<title>Perlbot.pl pastebin</title>
<updated>2017-10-23T00:00:00Z</updated>
<updated>2018-03-16T00:00:00Z</updated>
<link href="https://perlbot.pl/blog/tag/seccomp.atom" rel="self" />
<link href="https://perlbot.pl/blog/tag/seccomp/" rel="alternate" />
<generator version="0.086">Statocles</generator>
<entry>
<id>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</id>
<title>Seccomp and Us</title>
<link href="https://perlbot.pl/blog/2018/03/16/seccomp-and-us/" rel="alternate" />
<content type="html"><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></content>
<updated>2018-03-16T00:00:00Z</updated>
<category term="perlbot" />
<category term="seccomp" />
<category term="plugins" />
</entry>
<entry>
<id>https://perlbot.pl/blog/2017/10/23/seccomp-and-you/</id>
<title>Seccomp and you</title>
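Review bot: the post's intro says of the plugins that "the API there hasn't fully been fleshed out, but I don't see them changing much in the future", while the Rule generating plugins section says "The API for these plugins is very likely going to change"; one of these should give, or the intro should limit its stability claim to constant plugins, which the Constant Plugins section does describe as "not likely to actually change". Smaller items in the same entry: "Back in october" wants a capital O, and "There's two provided by default" should be "There are two". The feed-level <updated> bump from 2017-10-23 to 2018-03-16 and the new entry's three category terms match the post's tags.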

View file

@ -6,6 +6,79 @@
<atom:link href="https://perlbot.pl/blog/tag/seccomp.rss" rel="self" type="application/rss+xml" />
<description>Blog feed of Perlbot.pl pastebin</description>
<generator>Statocles 0.086</generator>
<item>
<title>Seccomp and Us</title>
<link>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</link>
<guid>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</guid>
<description><![CDATA[
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
<p>Tags:
<a href="https://perlbot.pl/blog/tag/perlbot/">perlbot</a>
<a href="https://perlbot.pl/blog/tag/seccomp/">seccomp</a>
<a href="https://perlbot.pl/blog/tag/plugins/">plugins</a>
</p>
]]></description>
<pubDate>
Fri, 16 Mar 2018 00:00:00 +0000
</pubDate>
</item>
<item>
<title>Seccomp and you</title>
<link>https://perlbot.pl/blog/2017/10/23/seccomp-and-you/</link>
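Review bot: the file_readonly example permutes open_modes over O_NONBLOCK, O_EXCL, O_RDONLY, O_NOFOLLOW and O_CLOEXEC but never shows what that expands to, so a reader cannot tell whether permute admits any OR-combination of the listed flags or emits one rule per flag, nor that the point of the list is that no O_CREAT or write mode can appear in it. One sentence stating the semantics, plus one generated rule as illustration, would make the "file_readonly" name verifiable rather than trusted. Likewise the clone test [0, '==', 'CLONE_VM|...|CLONE_CHILD_CLEARTID'] only matches that exact thread-creation mask; any other flag combination falls through to whatever the included default set decides, which is presumably the intent (threads only, no fork-style clone for Ruby) but is worth stating next to the rule.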

View file

@ -34,6 +34,83 @@
<main>
<article>
<header>
<h1><a href="/blog/2018/03/16/seccomp-and-us/">Seccomp and Us</a></h1>
<aside>
<time datetime="2018-03-16">
Posted on 2018-03-16
</time>
</aside>
<p class="tags">Tags:
<a href="/blog/tag/perlbot/" rel="tag">perlbot</a>
<a href="/blog/tag/seccomp/" rel="tag">seccomp</a>
<a href="/blog/tag/plugins/" rel="tag">plugins</a>
</p>
</header>
<p>Back in october I wrote an article about how I was redesigning the seccomp system inside App::EvalServerAdvanced, a few months ago I finally finished that
and have gotten it ready to document it here. I ended up writing most of it as part of the module/project documentation and you can view it at https://metacpan.org/pod/App::EvalServerAdvanced::Seccomp so that it&#39;ll always be up to date.
What I didn&#39;t document there, were the plugins to enable more advanced behavior, since the API there hasn&#39;t fully been fleshed out, but I don&#39;t see them changing much in the future.</p>
<h2>Plugin Types</h2>
<h1>Constant Plugins</h1>
<p>These ones are pretty well defined and not likely to actually change. There&#39;s two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone
POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.</p>
<pre><code>constants:
plugins:
- &#39;POSIX&#39;
- &#39;LinuxClone&#39;
values:
TCGETS: 0x5401
FIOCLEX: 0x5451
FIONBIO: 0x5421
TIOCGPTN: 0x80045430
</code></pre>
<p>An example of the YAML above, that pulls in the two plugins, and here&#39;s how you use them:</p>
<pre><code> file_readonly:
include:
- file_open
permute:
open_modes:
- &#39;O_NONBLOCK&#39;
- &#39;O_EXCL&#39;
- &#39;O_RDONLY&#39;
- &#39;O_NOFOLLOW&#39;
- &#39;O_CLOEXEC&#39;
lang_ruby:
include:
- default
rules:
- syscall: clone
tests:
- [0, &#39;==&#39;, &#39;CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID&#39;]
- syscall: sigaltstack
</code></pre>
<p>So now the rules you write don&#39;t need to have strange magic numbers in them, like 0x80045430, or having to worry so much about portability among architectures.</p>
<h1>Rule generating plugins</h1>
<p>These are useful if you need to generate a rule a runtime, either because you need to look up some information that will change
or you otherwise need to know about what&#39;s being generated. The API for these plugins is very likely going to change, to add in
some more information that the plugins can use to make rules, things like the code and files being passed in, and other information
about the whole setup.</p>
<p>https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm</p>
</article>
<article>
<header>
<h1><a href="/blog/2017/10/23/seccomp-and-you/">Seccomp and you</a></h1>
@ -171,6 +248,8 @@ scheme using YAML 1.2 and the perl modules located in the sandbox root.</p>
<h1>Tags</h1>
<ul class="list-inline">
<li><a href="/blog/tag/evalserver/">evalserver</a></li>
<li><a href="/blog/tag/perlbot/">perlbot</a></li>
<li><a href="/blog/tag/plugins/">plugins</a></li>
<li><a href="/blog/tag/seccomp/">seccomp</a></li>
</ul>
</nav>

View file

@ -4,13 +4,13 @@
<loc>https://perlbot.pl/</loc>
<changefreq>weekly</changefreq>
<priority>0.5</priority>
<lastmod>2017-10-23</lastmod>
<lastmod>2018-03-19</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/</loc>
<changefreq>daily</changefreq>
<priority>0.3</priority>
<lastmod>2017-10-23</lastmod>
<lastmod>2018-03-16</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/2017/09/28/new-blog/</loc>
@ -30,23 +30,41 @@
<priority>0.5</priority>
<lastmod>2017-10-23</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/2018/03/16/seccomp-and-us/</loc>
<changefreq>weekly</changefreq>
<priority>0.5</priority>
<lastmod>2018-03-16</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/tag/evalserver/</loc>
<changefreq>daily</changefreq>
<priority>0.3</priority>
<lastmod>2017-10-23</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/tag/perlbot/</loc>
<changefreq>daily</changefreq>
<priority>0.3</priority>
<lastmod>2018-03-16</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/tag/plugins/</loc>
<changefreq>daily</changefreq>
<priority>0.3</priority>
<lastmod>2018-03-16</lastmod>
</url>
<url>
<loc>https://perlbot.pl/blog/tag/seccomp/</loc>
<changefreq>daily</changefreq>
<priority>0.3</priority>
<lastmod>2017-10-23</lastmod>
<lastmod>2018-03-16</lastmod>
</url>
<url>
<loc>https://perlbot.pl/page/seccomp/</loc>
<changefreq>weekly</changefreq>
<priority>0.5</priority>
<lastmod>2017-10-23</lastmod>
<lastmod>2018-03-19</lastmod>
</url>
</urlset>
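Review bot: the tag/evalserver entry keeps lastmod 2017-10-23 because the new post is tagged only perlbot, seccomp and plugins, yet the post is entirely about App::EvalServerAdvanced's seccomp plugins; tagging it evalserver as well would put it on that feed and update this entry on the next build. The other lastmod bumps (home and page/seccomp to 2018-03-19, blog and the perlbot, plugins and seccomp tag pages to 2018-03-16) are consistent with the post date and the commit date.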