From 645ee30aa917bb506015a1a394f02720099c2223 Mon Sep 17 00:00:00 2001 From: Andrew Rumble Date: Tue, 20 Jan 2026 16:20:33 +0000 Subject: [PATCH] Merge pull request #30887 from overleaf/ar-give-engagement-modify-institution-manager-capability [web] Allow engagement role to modify institution managers GitOrigin-RevId: 3fca81ea1aaa1427da62102cb638f0b288e609b2 --- services/clsi/app/js/DockerRunner.js | 609 ----------------- services/clsi/seccomp/clsi-profile.json | 856 ------------------------ 2 files changed, 1465 deletions(-) delete mode 100644 services/clsi/app/js/DockerRunner.js delete mode 100644 services/clsi/seccomp/clsi-profile.json diff --git a/services/clsi/app/js/DockerRunner.js b/services/clsi/app/js/DockerRunner.js deleted file mode 100644 index 113b4baf37..0000000000 --- a/services/clsi/app/js/DockerRunner.js +++ /dev/null @@ -1,609 +0,0 @@ -const { promisify } = require('node:util') -const Settings = require('@overleaf/settings') -const logger = require('@overleaf/logger') -const Docker = require('dockerode') -const dockerode = new Docker() -const crypto = require('node:crypto') -const async = require('async') -const LockManager = require('./DockerLockManager') -const Path = require('node:path') -const _ = require('lodash') - -const ONE_HOUR_IN_MS = 60 * 60 * 1000 -logger.debug('using docker runner') - -let containerMonitorTimeout -let containerMonitorInterval - -const DockerRunner = { - run( - projectId, - command, - directory, - image, - timeout, - environment, - compileGroup, - callback - ) { - command = command.map(arg => - arg.toString().replace('$COMPILE_DIR', '/compile') - ) - if (image == null) { - image = Settings.clsi.docker.image - } - - if ( - Settings.clsi.docker.allowedImages && - !Settings.clsi.docker.allowedImages.includes(image) - ) { - return callback(new Error('image not allowed')) - } - - if (Settings.texliveImageNameOveride != null) { - const img = image.split('/') - image = `${Settings.texliveImageNameOveride}/${img[2]}` - } - - if (compileGroup === 'synctex-output') { - // In: directory = '/overleaf/services/clsi/output/projectId-userId/generated-files/buildId' - // directory.split('/').slice(-3) === 'projectId-userId/generated-files/buildId' - // sandboxedCompilesHostDirOutput = '/host/output' - // Out: directory = '/host/output/projectId-userId/generated-files/buildId' - directory = Path.join( - Settings.path.sandboxedCompilesHostDirOutput, - ...directory.split('/').slice(-3) - ) - } else { - // In: directory = '/overleaf/services/clsi/compiles/projectId-userId' - // Path.basename(directory) === 'projectId-userId' - // sandboxedCompilesHostDirCompiles = '/host/compiles' - // Out: directory = '/host/compiles/projectId-userId' - directory = Path.join( - Settings.path.sandboxedCompilesHostDirCompiles, - Path.basename(directory) - ) - } - - const volumes = { [directory]: '/compile' } - if ( - compileGroup === 'synctex' || - compileGroup === 'synctex-output' || - compileGroup === 'wordcount' - ) { - volumes[directory] += ':ro' - } - - const options = DockerRunner._getContainerOptions( - command, - image, - volumes, - timeout, - environment, - compileGroup - ) - const fingerprint = DockerRunner._fingerprintContainer(options) - const name = `project-${projectId}-${fingerprint}` - options.name = name - - // logOptions = _.clone(options) - // logOptions?.HostConfig?.SecurityOpt = "secomp used, removed in logging" - logger.debug({ projectId }, 'running docker container') - DockerRunner._runAndWaitForContainer( - options, - volumes, - timeout, - (error, output) => { - if (error && error.statusCode === 500) { - logger.debug( - { err: error, projectId }, - 'error running container so destroying and retrying' - ) - DockerRunner.destroyContainer(name, null, true, error => { - if (error != null) { - return callback(error) - } - DockerRunner._runAndWaitForContainer( - options, - volumes, - timeout, - callback - ) - }) - } else { - callback(error, output) - } - } - ) - - // pass back the container name to allow it to be killed - return name - }, - - kill(containerId, callback) { - logger.debug({ containerId }, 'sending kill signal to container') - const container = dockerode.getContainer(containerId) - container.kill(error => { - if ( - error != null && - error.message != null && - error.message.match(/Cannot kill container .* is not running/) - ) { - logger.warn( - { err: error, containerId }, - 'container not running, continuing' - ) - error = null - } - if (error != null) { - logger.error({ err: error, containerId }, 'error killing container') - callback(error) - } else { - callback() - } - }) - }, - - _runAndWaitForContainer(options, volumes, timeout, _callback) { - const callback = _.once(_callback) - const { name } = options - - let streamEnded = false - let containerReturned = false - let output = {} - - function callbackIfFinished() { - if (streamEnded && containerReturned) { - callback(null, output) - } - } - - function attachStreamHandler(error, _output) { - if (error != null) { - return callback(error) - } - output = _output - streamEnded = true - callbackIfFinished() - } - - DockerRunner.startContainer( - options, - volumes, - attachStreamHandler, - (error, containerId) => { - if (error != null) { - return callback(error) - } - - DockerRunner.waitForContainer( - name, - timeout, - options, - (error, exitCode) => { - if (error != null) { - return callback(error) - } - if (exitCode === 137) { - // exit status from kill -9 - const err = new Error('terminated') - err.terminated = true - return callback(err) - } - if (exitCode === 1) { - // exit status from chktex - const err = new Error('exited') - err.code = exitCode - return callback(err) - } - containerReturned = true - logger.debug( - // The seccomp policy is very large. Avoid logging it. _.omit deep clones. - { exitCode, options: _.omit(options, 'HostConfig.SecurityOpt') }, - 'docker container has exited' - ) - callbackIfFinished() - } - ) - } - ) - }, - - _getContainerOptions( - command, - image, - volumes, - timeout, - environment, - compileGroup - ) { - const timeoutInSeconds = timeout / 1000 - - for (const hostVol in volumes) { - const dockerVol = volumes[hostVol] - if (volumes[hostVol].slice(-3).indexOf(':r') === -1) { - volumes[hostVol] = `${dockerVol}:rw` - } - } - - // merge settings and environment parameter - const env = {} - for (const src of [Settings.clsi.docker.env, environment || {}]) { - for (const key in src) { - const value = src[key] - env[key] = value - } - } - // set the path based on the image year - const match = image.match(/:([0-9]+)\.[0-9]+/) - // the rolling build does not follow our .. convention - const year = match ? match[1] : 'rolling' - - env.PATH = `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/texlive/${year}/bin/x86_64-linux/` - const options = { - Cmd: command, - Image: image, - WorkingDir: '/compile', - NetworkDisabled: true, - Memory: 1024 * 1024 * 1024 * 1024, // 1 Gb - User: Settings.clsi.docker.user, - Env: Object.entries(env).map(([key, value]) => `${key}=${value}`), - HostConfig: { - Binds: Object.entries(volumes).map( - ([hostVol, dockerVol]) => `${hostVol}:${dockerVol}` - ), - LogConfig: { Type: 'none', Config: {} }, - Ulimits: [ - { - Name: 'cpu', - Soft: timeoutInSeconds + 5, - Hard: timeoutInSeconds + 10, - }, - ], - CapDrop: ['ALL'], - SecurityOpt: ['no-new-privileges'], - }, - } - - if (Settings.clsi.docker.seccomp_profile != null) { - options.HostConfig.SecurityOpt.push( - `seccomp=${Settings.clsi.docker.seccomp_profile}` - ) - } - - if (Settings.clsi.docker.apparmor_profile != null) { - options.HostConfig.SecurityOpt.push( - `apparmor=${Settings.clsi.docker.apparmor_profile}` - ) - } - - if (Settings.clsi.docker.runtime) { - options.HostConfig.Runtime = Settings.clsi.docker.runtime - } - - if (Settings.clsi.docker.Readonly) { - options.HostConfig.ReadonlyRootfs = true - options.HostConfig.Tmpfs = { '/tmp': 'rw,noexec,nosuid,size=65536k' } - options.Volumes['/home/tex'] = {} - } - - // Allow per-compile group overriding of individual settings - if ( - Settings.clsi.docker.compileGroupConfig && - Settings.clsi.docker.compileGroupConfig[compileGroup] - ) { - const override = Settings.clsi.docker.compileGroupConfig[compileGroup] - for (const key in override) { - _.set(options, key, override[key]) - } - } - - return options - }, - - _fingerprintContainer(containerOptions) { - // Yay, Hashing! - const json = JSON.stringify(containerOptions) - return crypto.createHash('md5').update(json).digest('hex') - }, - - startContainer(options, volumes, attachStreamHandler, callback) { - LockManager.runWithLock( - options.name, - releaseLock => - DockerRunner._startContainer( - options, - volumes, - attachStreamHandler, - releaseLock - ), - callback - ) - }, - - // Check that volumes exist and are directories - _startContainer(options, volumes, attachStreamHandler, callback) { - callback = _.once(callback) - const { name } = options - - logger.debug({ containerName: name }, 'starting container') - const container = dockerode.getContainer(name) - - function createAndStartContainer() { - dockerode.createContainer(options, (error, container) => { - if (error != null) { - return callback(error) - } - startExistingContainer() - }) - } - - function startExistingContainer() { - DockerRunner.attachToContainer( - options.name, - attachStreamHandler, - error => { - if (error != null) { - return callback(error) - } - container.start(error => { - if (error != null && error.statusCode !== 304) { - callback(error) - } else { - // already running - callback() - } - }) - } - ) - } - - container.inspect((error, stats) => { - if (error != null && error.statusCode === 404) { - createAndStartContainer() - } else if (error != null) { - logger.err( - { containerName: name, error }, - 'unable to inspect container to start' - ) - callback(error) - } else { - startExistingContainer() - } - }) - }, - - attachToContainer(containerId, attachStreamHandler, attachStartCallback) { - const container = dockerode.getContainer(containerId) - container.attach({ stdout: 1, stderr: 1, stream: 1 }, (error, stream) => { - if (error != null) { - logger.error( - { err: error, containerId }, - 'error attaching to container' - ) - return attachStartCallback(error) - } else { - attachStartCallback() - } - - logger.debug({ containerId }, 'attached to container') - - const MAX_OUTPUT = 1024 * 1024 * 2 // limit output to 2MB - function createStringOutputStream(name) { - return { - data: '', - overflowed: false, - write(data) { - if (this.overflowed) { - return - } - if (this.data.length < MAX_OUTPUT) { - this.data += data - } else { - logger.info( - { - containerId, - length: this.data.length, - maxLen: MAX_OUTPUT, - }, - `${name} exceeds max size` - ) - this.data += `(...truncated at ${MAX_OUTPUT} chars...)` - this.overflowed = true - } - }, - // kill container if too much output - // docker.containers.kill(containerId, () ->) - } - } - - const stdout = createStringOutputStream('stdout') - const stderr = createStringOutputStream('stderr') - - container.modem.demuxStream(stream, stdout, stderr) - - stream.on('error', err => - logger.error( - { err, containerId }, - 'error reading from container stream' - ) - ) - - stream.on('end', () => - attachStreamHandler(null, { stdout: stdout.data, stderr: stderr.data }) - ) - }) - }, - - waitForContainer(containerId, timeout, options, _callback) { - const callback = _.once(_callback) - - const container = dockerode.getContainer(containerId) - - let timedOut = false - const timeoutId = setTimeout(() => { - timedOut = true - logger.debug({ containerId }, 'timeout reached, killing container') - container.kill(err => { - logger.warn({ err, containerId }, 'failed to kill container') - }) - }, timeout) - - logger.debug({ containerId }, 'waiting for docker container') - container.wait((error, res) => { - if (error?.statusCode === 404 && options.HostConfig.AutoRemove) { - logger.debug( - { containerId }, - 'auto-destroy container destroyed before starting to wait' - ) - clearTimeout(timeoutId) - return callback(null, 0) - } - if (error != null) { - clearTimeout(timeoutId) - logger.warn({ err: error, containerId }, 'error waiting for container') - return callback(error) - } - if (timedOut) { - logger.debug({ containerId }, 'docker container timed out') - error = new Error('container timed out') - error.timedout = true - callback(error) - } else { - clearTimeout(timeoutId) - logger.debug( - { containerId, exitCode: res.StatusCode }, - 'docker container returned' - ) - callback(null, res.StatusCode) - } - }) - }, - - destroyContainer(containerName, containerId, shouldForce, callback) { - // We want the containerName for the lock and, ideally, the - // containerId to delete. There is a bug in the docker.io module - // where if you delete by name and there is an error, it throws an - // async exception, but if you delete by id it just does a normal - // error callback. We fall back to deleting by name if no id is - // supplied. - LockManager.runWithLock( - containerName, - releaseLock => - DockerRunner._destroyContainer( - containerId || containerName, - shouldForce, - releaseLock - ), - callback - ) - }, - - _destroyContainer(containerId, shouldForce, callback) { - logger.debug({ containerId }, 'destroying docker container') - const container = dockerode.getContainer(containerId) - container.remove({ force: shouldForce === true, v: true }, error => { - if (error != null && error.statusCode === 404) { - logger.warn( - { err: error, containerId }, - 'container not found, continuing' - ) - error = null - } - if (error != null) { - logger.error({ err: error, containerId }, 'error destroying container') - } else { - logger.debug({ containerId }, 'destroyed container') - } - callback(error) - }) - }, - - // handle expiry of docker containers - - MAX_CONTAINER_AGE: Settings.clsi.docker.maxContainerAge || ONE_HOUR_IN_MS, - - examineOldContainer(container, callback) { - const name = container.Name || (container.Names && container.Names[0]) - const created = container.Created * 1000 // creation time is returned in seconds - const now = Date.now() - const age = now - created - const maxAge = DockerRunner.MAX_CONTAINER_AGE - const ttl = maxAge - age - logger.debug( - { containerName: name, created, now, age, maxAge, ttl }, - 'checking whether to destroy container' - ) - return { name, id: container.Id, ttl } - }, - - destroyOldContainers(callback) { - dockerode.listContainers({ all: true }, (error, containers) => { - if (error != null) { - return callback(error) - } - const jobs = [] - for (const container of containers) { - const { name, id, ttl } = DockerRunner.examineOldContainer(container) - if (name.slice(0, 9) === '/project-' && ttl <= 0) { - // strip the / prefix - // the LockManager uses the plain container name - const plainName = name.slice(1) - jobs.push(cb => - DockerRunner.destroyContainer(plainName, id, false, () => cb()) - ) - } - } - // Ignore errors because some containers get stuck but - // will be destroyed next time - async.series(jobs, callback) - }) - }, - - startContainerMonitor() { - logger.debug( - { maxAge: DockerRunner.MAX_CONTAINER_AGE }, - 'starting container expiry' - ) - - // guarantee only one monitor is running - DockerRunner.stopContainerMonitor() - - // randomise the start time - const randomDelay = Math.floor(Math.random() * 5 * 60 * 1000) - containerMonitorTimeout = setTimeout(() => { - containerMonitorInterval = setInterval( - () => - DockerRunner.destroyOldContainers(err => { - if (err) { - logger.error({ err }, 'failed to destroy old containers') - } - }), - ONE_HOUR_IN_MS - ) - }, randomDelay) - }, - - stopContainerMonitor() { - if (containerMonitorTimeout) { - clearTimeout(containerMonitorTimeout) - containerMonitorTimeout = undefined - } - if (containerMonitorInterval) { - clearInterval(containerMonitorInterval) - containerMonitorInterval = undefined - } - }, - - canRunSyncTeXInOutputDir() { - return Boolean(Settings.path.sandboxedCompilesHostDirOutput) - }, -} - -DockerRunner.startContainerMonitor() - -module.exports = DockerRunner -module.exports.promises = { - run: promisify(DockerRunner.run), - kill: promisify(DockerRunner.kill), -} diff --git a/services/clsi/seccomp/clsi-profile.json b/services/clsi/seccomp/clsi-profile.json deleted file mode 100644 index c78027b15e..0000000000 --- a/services/clsi/seccomp/clsi-profile.json +++ /dev/null @@ -1,856 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "architectures": [ - "SCMP_ARCH_X86_64", - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ], - "syscalls": [ - { - "name": "getrandom", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "access", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "arch_prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "brk", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_getres", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clone", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 2080505856, - "valueTwo": 0, - "op": "SCMP_CMP_MASKED_EQ" - } - ] - }, - { - "name": "clone3", - "action": "SCMP_ACT_ERRNO", - "errnoRet": 38 - }, - { - "name": "close", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "copy_file_range", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "creat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup3", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execve", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execveat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit_group", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "faccessat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64_64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fallocate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmodat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fdatasync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fork", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fsync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futex", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futimesat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcpu", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcwd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpgrp", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getppid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpriority", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrlimit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "get_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrusage", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "kill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "_llseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "madvise", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdirat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mprotect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mremap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "newfstatat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "open", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "openat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "openat2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pause", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pipe", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pipe2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pread64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "preadv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prlimit64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwrite64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwritev", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "read", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rename", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "restart_syscall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rmdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigaction", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigpending", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigprocmask", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigreturn", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigsuspend", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigtimedwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_tgsigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getaffinity", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getparam", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_get_priority_max", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_get_priority_min", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getscheduler", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_rr_get_interval", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_yield", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgroups", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgroups32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "set_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "set_tid_address", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sigaltstack", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "stat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "statx", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "stat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "statfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "statfs64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sync_file_range", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "syncfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sysinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "tgkill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_delete", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_getoverrun", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "timer_settime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "times", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "tkill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "truncate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "truncate64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "umask", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "uname", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "unlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "unlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utimensat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "utimes", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "vfork", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "vhangup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "wait4", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "waitid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "write", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "writev", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pread", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capset", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettimeofday", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, { - "name": "epoll_pwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - } - ] -}