These ones are pretty well defined and not likely to actually change. There are two provided by default, ::Seccomp::Plugin::Constant::POSIX and ::Seccomp::Plugin::Constant::LinuxClone. POSIX provides most of the constants from POSIX and some specific to the clone(2) syscall.
    constants:
      plugins:
        - 'POSIX'
        - 'LinuxClone'
      values:
        TCGETS: 0x5401
        FIOCLEX: 0x5451
        FIONBIO: 0x5421
        TIOCGPTN: 0x80045430
The YAML above is an example that pulls in the two plugins, and here's how you use them:
    file_readonly:
      include:
        - file_open
      permute:
        open_modes:
          - 'O_NONBLOCK'
          - 'O_EXCL'
          - 'O_RDONLY'
          - 'O_NOFOLLOW'
          - 'O_CLOEXEC'
    lang_ruby:
      include:
        - default
      rules:
        - syscall: clone
          tests:
            - [0, '==', 'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID']
        - syscall: sigaltstack
So now the rules you write don't need to have strange magic numbers in them, like 0x80045430, and you don't have to worry so much about portability among architectures.
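An added illustration, not code from App::EvalServerAdvanced: a minimal Perl resolver showing how a named expression such as the clone flags above reduces to the single integer a seccomp rule compares against, and why an unknown name should be a hard error. The plugin tables are constructed stand-ins holding Linux x86-64 header values, and `build_table` and `resolve` are hypothetical names.

```perl
use strict;
use warnings;

# Constructed tables standing in for what the two constant plugins supply.
# Values are the Linux x86-64 ones from <fcntl.h> and <sched.h> (assumption).
my %plugin_constants = (
    POSIX => {
        O_RDONLY => 0, O_EXCL => 0x80, O_NONBLOCK => 0x800,
        O_NOFOLLOW => 0x20000, O_CLOEXEC => 0x80000,
    },
    LinuxClone => {
        CLONE_VM => 0x100, CLONE_FS => 0x200, CLONE_FILES => 0x400,
        CLONE_SIGHAND => 0x800, CLONE_THREAD => 0x10000,
        CLONE_SYSVSEM => 0x40000, CLONE_SETTLS => 0x80000,
        CLONE_PARENT_SETTID => 0x100000, CLONE_CHILD_CLEARTID => 0x200000,
    },
);

# Merge the requested plugin tables, then the explicit "values:" entries.
sub build_table {
    my ($plugins, $values) = @_;
    my %table;
    for my $name (@$plugins) {
        my $consts = $plugin_constants{$name}
            or die "unknown constant plugin '$name'\n";
        %table = (%table, %$consts);
    }
    return { %table, %$values };
}

# Resolve 'A|B|C' (or a literal number) to the integer a rule compares against.
# An unknown name is fatal: silently treating it as 0 would change the filter.
sub resolve {
    my ($table, $expr) = @_;
    my $result = 0;
    for my $term (split /\s*\|\s*/, $expr) {
        if    ($term =~ /\A0x[0-9a-f]+\z/i) { $result |= hex $term }
        elsif ($term =~ /\A[0-9]+\z/)       { $result |= 0 + $term }
        elsif (exists $table->{$term})      { $result |= $table->{$term} }
        else  { die "undefined constant '$term' in '$expr'\n" }
    }
    return $result;
}

my $table = build_table(['POSIX', 'LinuxClone'], { TIOCGPTN => 0x80045430 });
printf "%s => 0x%x\n", $_, resolve($table, $_) for
    'CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID',
    'O_RDONLY|O_NOFOLLOW|O_CLOEXEC', 'TIOCGPTN';
```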
These are useful if you need to generate a rule at runtime, either because you need to look up some information that will change or you otherwise need to know about what's being generated. The API for these plugins is very likely going to change, to add in some more information that the plugins can use to make rules, things like the code and files being passed in, and other information about the whole setup.
https://github.com/perlbot/App-EvalServerAdvanced/blob/master/lib/App/EvalServerAdvanced/Seccomp/Plugin/ExecWrapper.pm