@tiborvass
Last active October 16, 2020 01:27
List of blocking Linux syscalls used in Docker
# list-syscalls.sh ~/docker ~/containerd ~/cli ~/runc ~/go/src/github.com/docker/libnetwork ~/go/src/github.com/rootless-containers/rootlesskit
procCreateVirtualDisk.Addr()
procOpenVirtualDisk.Addr()
SYS_ACCEPT
SYS_ADD_KEY
SYS_BIND
SYS_CHDIR
SYS_CHROOT
SYS_CLOCK_GETTIME
SYS_CLONE
SYS_CLOSE
SYS_CONNECT
SYS_COPY_FILE_RANGE
SYS_DUP
SYS_EPOLL_WAIT
SYS_EVENTFD2
SYS_EXIT_GROUP
SYS_FACCESSAT
SYS_FALLOCATE
SYS_FCHDIR
SYS_FCHMOD
SYS_FCHMODAT
SYS_FCHOWN
SYS_FCHOWNAT
SYS_FCNTL
SYS_FDATASYNC
SYS_FLOCK
SYS_FSTAT
SYS_FSYNC
SYS_GETCWD
SYS_GETDENTS64
SYS_GETRANDOM
SYS_GETSOCKOPT
SYS_GETXATTR
SYS_INOTIFY_ADD_WATCH
SYS_IOCTL
SYS_KEYCTL
SYS_LCHOWN
SYS_LGETXATTR
SYS_LINKAT
SYS_LISTEN
SYS_LISTXATTR
SYS_LLISTXATTR
SYS_LREMOVEXATTR
SYS_LSEEK
SYS_LSETXATTR
SYS_MADVISE
SYS_MKDIRAT
SYS_MKNODAT
SYS_MLOCK
SYS_MMAP
SYS_MOUNT
SYS_MUNMAP
SYS_NEWFSTATAT
SYS_OPENAT
SYS_PAUSE
SYS_PERF_EVENT_OPEN
SYS_PIVOT_ROOT
SYS_POLL
SYS_PRCTL
SYS_PRLIMIT64
SYS_PSELECT6
SYS_READ
SYS_REBOOT
SYS_RECVFROM
SYS_REMOVEXATTR
SYS_RENAMEAT
SYS_REQUEST_KEY
SYS_SELECT
SYS_SENDTO
SYS_SETHOSTNAME
SYS_SETNS
SYS_SETSOCKOPT
SYS_SETXATTR
SYS_SHUTDOWN
SYS_SYMLINKAT
SYS_SYNC
SYS_SYSLOG
SYS_TEE
SYS_TRUNCATE
SYS_UMOUNT2
SYS_UNLINKAT
SYS_UNSHARE
SYS_UTIME
SYS_WAIT4
SYS_WAITID
SYS_WRITE
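#!/usr/bin/env sh
# list-syscalls.sh: print the sorted, de-duplicated set of Linux syscall
# constants (SYS_*) referenced by the Go source trees given as arguments.
#
#   list-syscalls.sh DIR [DIR...]
#
# Two kinds of call sites are combined:
#   1. direct calls such as unix.Syscall6(unix.SYS_IOCTL, ...): the first
#      argument of the call is printed;
#   2. wrapper functions such as unix.Setns(...): the wrapper name is looked up
#      in the "syscalls" file, whose lines are "<wrapper> <SYS_* ...>", and the
#      SYS_* columns of the matching lines are printed.
# Anything that is not a SYS_* constant (a variable passed as first argument,
# Windows-only code built without a build tag) shows up verbatim in the output
# and has to be filtered by hand.
#
# Requires go, jq, git, realpath and the regexp.go helper in the working
# directory.

# regexp.go prints every match of its argument found on stdin, one per line.
run_regexp="go run regexp.go"
# syscalls file comes from https://gist.github.com/tiborvass/eb0a4054679a43aaca22690a7c4452ed
syscalls=syscalls

# go_files DIR: list, relative to DIR, the Go files of every package under DIR
# and DIR/vendor that builds with the linux tag, excluding golang.org/x/
# packages.
go_files() {
    go list -tags linux -json "$1/..." "$1/vendor/..." | jq -r 'select(.GoFiles != null) | select(.Dir | contains("golang.org/x/") | not) | . as $root | .Dir | "." + ltrimstr("'"$1"'") as $dir | $root.GoFiles | map($dir + "/" + .)[]'
}

# grep_matches REGEX DIR...: print every match of REGEX (a pattern accepted by
# both git grep -E and Go's regexp) found in the linux Go files of each DIR.
grep_matches() {
    re="$1"
    shift
    for d in "$@"; do
        d=$(realpath "$d")
        files=$(go_files "$d")
        # $files is intentionally unquoted: git grep needs one argument per file.
        git -C "$d" grep -E "$re" -- $files | $run_regexp "$re"
    done
}

# Direct calls: any unix./syscall. function whose name contains "Syscall"
# (Syscall, RawSyscall, Syscall6, SyscallNoError, ...), capturing the first
# argument up to the comma. The trailing "[0-9A-Z_a-z]*" (not "+") is what lets
# the bare Syscall( and RawSyscall( forms match as well.
direct_re="\b(unix|syscall)\.[0-9A-Z_a-z]*Syscall[0-9A-Z_a-z]*\(([^,]+)"

# Wrapper names: the first column of the syscalls file as one alternation. The
# match is anchored on the package qualifier and a word boundary so that e.g.
# "Read" does not also match io.Reader or ReadFile.
# NOTE(review): assumes the first column holds bare names (Read, Setns, ...);
# confirm against the syscalls gist.
wrappers=$(awk '{print $1}' "$syscalls" | sort -u | paste -s -d '|' -)
wrapper_re="\b(unix|syscall)\.($wrappers)\b"

{
    # Print syscall numbers resulting from calling Syscall directly
    grep_matches "$direct_re" "$@" | cut -d'(' -f2- | sed -E 's/^(syscall|unix)\.//'

    # Print syscall numbers resulting from calling syscall functions: collect
    # the wrappers that are used, then look each one up in the syscalls file.
    used=$(grep_matches "$wrapper_re" "$@" | sed -E 's/^(syscall|unix)\.//' | sort -u | paste -s -d '|' -)
    # find corresponding syscall constant number
    grep -E "^($used) " "$syscalls" | cut -d' ' -f2-
} | sort -u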
package main
import (
	"bufio"
	"fmt"
	"io/ioutil"
	"os"
	"regexp"
)
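// main prints, one per line, every match of the regular expression given as
// the first command-line argument that is found in the data read from stdin.
// It is the helper that list-syscalls.sh invokes as "go run regexp.go".
//
// Exit status: 2 for a missing argument or an invalid pattern, 1 if stdin
// cannot be read or stdout cannot be written, 0 otherwise.
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintf(os.Stderr, "usage: %s REGEXP < input\n", os.Args[0])
		os.Exit(2)
	}
	// Compile rather than MustCompile: a bad pattern is a usage error, not a
	// bug that deserves a stack trace.
	re, err := regexp.Compile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// ioutil.ReadAll is kept so the helper still builds on toolchains that
	// predate io.ReadAll.
	data, err := ioutil.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Buffer stdout: a large tree can yield many thousands of matches.
	w := bufio.NewWriter(os.Stdout)
	for _, m := range re.FindAll(data, -1) {
		w.Write(m)
		w.WriteByte('\n')
	}
	if err := w.Flush(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}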

procCreateVirtualDisk.Addr()
procOpenVirtualDisk.Addr()

These come from Windows code: https://github.com/microsoft/go-winio/blob/dcdaf955de651d5b5caff082fc6026f69f9fc31d/vhd/zvhd.go. It is an outlier: the file should have a windows build tag but doesn't, so just ignore these two.
