generated a seccomp profile

author: Jan Friedli 2020-04-12 15:44:53 +0200
committer: Jan Friedli 2020-05-09 21:25:45 +0200
commit: f3019b3b3221bbe795d56a433e889f8a9d39c87d (patch)
tree: e438c3865dffcf402dba6d1157847ceb07b91627
parent: 4122460dfd659d568acad4c3cb700ed919b875cf (diff)
2 files changed, 2 insertions, 1 deletions
diff --git a/README.md b/README.md
index 5ed5859..9d59bef 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,7 @@ This does mount the upload folder as tmpfs and servers the app on `localhost:818
 ##### Podman
 Build: `podman build -f Dockerfile.production -t matweb-podman .`
-Run: `podman run -ti -p8181:8080 --read-only  --tmpfs /tmp --tmpfs /run/uwsgi --tmpfs=/app/upload  --security-opt=no-new-privileges  matweb-podman:latest`
+Run: `podman run -ti -p8181:8080 --read-only  --tmpfs /tmp --tmpfs /run/uwsgi --tmpfs=/app/upload  --security-opt=no-new-privileges,seccomp=./config/seccomp.json matweb-podman:latest`
 # Configuration
diff --git a/config/seccomp.json b/config/seccomp.json
new file mode 100644
index 0000000..3c07a24
--- /dev/null
+++ b/config/seccomp.json
@@ -0,0 +1 @@
+{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["accept4","access","arch_prctl","bind","brk","capget","capset","chdir","chmod","clone","close","connect","dup","dup2","epoll_create","epoll_ctl","epoll_pwait","epoll_wait","eventfd2","execve","exit_group","fchown","fcntl","fstat","fstatfs","futex","getcwd","getdents64","getegid","geteuid","getgid","getpid","getppid","getrandom","getsockname","getsockopt","gettid","getuid","ioctl","kill","listen","lseek","lstat","mkdir","mmap","mprotect","mremap","munmap","nanosleep","newfstatat","openat","pipe2","poll","prctl","pread64","prlimit64","pwrite64","read","readlink","readv","recvfrom","recvmsg","rename","rmdir","rt_sigaction","rt_sigprocmask","rt_sigreturn","rt_sigsuspend","seccomp","sendfile","sendmsg","set_robust_list","set_tid_address","setgid","setgroups","setsid","setsockopt","setuid","sigaltstack","socket","socketpair","stat","statfs","sysinfo","tgkill","umask","uname","unlink","unlinkat","wait4","write","writev"],"action":"SCMP_ACT_ALLOW","args":[],"comment":"","includes":{},"excludes":{}},{"names":["ftruncate","pwritev","sched_yield"],"action":"SCMP_ACT_ALLOW","args":[],"comment":"","includes":{},"excludes":{}}]}
+\ No newline at end of file
author	Jan Friedli	2020-04-12 15:44:53 +0200
committer	Jan Friedli	2020-05-09 21:25:45 +0200
commit	f3019b3b3221bbe795d56a433e889f8a9d39c87d (patch)
tree	e438c3865dffcf402dba6d1157847ceb07b91627
parent	4122460dfd659d568acad4c3cb700ed919b875cf (diff)

diff --git a/README.md b/README.md index 5ed5859..9d59bef 100644 --- a/README.md +++ b/README.md
@@ -202,7 +202,7 @@ This does mount the upload folder as tmpfs and servers the app on `localhost:818
202	##### Podman	202	##### Podman
203	Build: `podman build -f Dockerfile.production -t matweb-podman .`	203	Build: `podman build -f Dockerfile.production -t matweb-podman .`
204		204
205	Run: `podman run -ti -p8181:8080 --read-only --tmpfs /tmp --tmpfs /run/uwsgi --tmpfs=/app/upload --security-opt=no-new-privileges matweb-podman:latest`	205	Run: `podman run -ti -p8181:8080 --read-only --tmpfs /tmp --tmpfs /run/uwsgi --tmpfs=/app/upload --security-opt=no-new-privileges,seccomp=./config/seccomp.json matweb-podman:latest`
206		206
207	# Configuration	207	# Configuration
208		208


diff --git a/config/seccomp.json b/config/seccomp.json new file mode 100644 index 0000000..3c07a24 --- /dev/null +++ b/config/seccomp.json
@@ -0,0 +1 @@
			{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["accept4","access","arch_prctl","bind","brk","capget","capset","chdir","chmod","clone","close","connect","dup","dup2","epoll_create","epoll_ctl","epoll_pwait","epoll_wait","eventfd2","execve","exit_group","fchown","fcntl","fstat","fstatfs","futex","getcwd","getdents64","getegid","geteuid","getgid","getpid","getppid","getrandom","getsockname","getsockopt","gettid","getuid","ioctl","kill","listen","lseek","lstat","mkdir","mmap","mprotect","mremap","munmap","nanosleep","newfstatat","openat","pipe2","poll","prctl","pread64","prlimit64","pwrite64","read","readlink","readv","recvfrom","recvmsg","rename","rmdir","rt_sigaction","rt_sigprocmask","rt_sigreturn","rt_sigsuspend","seccomp","sendfile","sendmsg","set_robust_list","set_tid_address","setgid","setgroups","setsid","setsockopt","setuid","sigaltstack","socket","socketpair","stat","statfs","sysinfo","tgkill","umask","uname","unlink","unlinkat","wait4","write","writev"],"action":"SCMP_ACT_ALLOW","args":[],"comment":"","includes":{},"excludes":{}},{"names":["ftruncate","pwritev","sched_yield"],"action":"SCMP_ACT_ALLOW","args":[],"comment":"","includes":{},"excludes":{}}]} \ No newline at end of file