From cd5323d56151932c548fd9519eda138ef77f45af Mon Sep 17 00:00:00 2001
From: Paul Pan
Date: Tue, 30 Jan 2024 11:40:28 +0800
Subject: [PATCH] feat: initial support for python

---
 rules/lang_c_cpp.c | 1 -
 rules/lang_go.c | 1 -
 rules/lang_python.c | 34 ++++++++++++++++++++++++++++++++++
 rules/rules.c | 3 ++-
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 rules/lang_python.c

diff --git a/rules/lang_c_cpp.c b/rules/lang_c_cpp.c
index d1a4e08..5e7d3e1 100644
--- a/rules/lang_c_cpp.c
+++ b/rules/lang_c_cpp.c
@@ -6,7 +6,6 @@ void setup_lang_c_cpp(scmp_filter_ctx ctx) {
   // some more syscall(s) that glibc uses
   int white[] = {
       SCMP_SYS(clone), // 56
-      SCMP_SYS(arch_prctl), // 158
       SCMP_SYS(futex), // 202
       SCMP_SYS(set_tid_address), // 218
       SCMP_SYS(exit_group), // 231
diff --git a/rules/lang_go.c b/rules/lang_go.c
index 1b64a35..94492c6 100644
--- a/rules/lang_go.c
+++ b/rules/lang_go.c
@@ -9,7 +9,6 @@ void setup_lang_go(scmp_filter_ctx ctx) {
       SCMP_SYS(madvise), // 28
       SCMP_SYS(clone), // 56
       SCMP_SYS(sigaltstack), // 131
-      SCMP_SYS(arch_prctl), // 158
       SCMP_SYS(gettid), // 186
       SCMP_SYS(sched_getaffinity), // 204
       SCMP_SYS(exit_group), // 231
diff --git a/rules/lang_python.c b/rules/lang_python.c
new file mode 100644
index 0000000..3e38546
--- /dev/null
+++ b/rules/lang_python.c
@@ -0,0 +1,34 @@
+#include "rules.h"
+
+#include
+
+void setup_lang_python(scmp_filter_ctx ctx) {
+  int white[] = {
+      SCMP_SYS(rt_sigaction), // 13
+      SCMP_SYS(rt_sigprocmask), // 14
+      SCMP_SYS(ioctl), // 16
+      SCMP_SYS(fcntl), // 72
+      SCMP_SYS(getcwd), // 79
+      SCMP_SYS(readlink), // 89
+      SCMP_SYS(sysinfo), // 99
+      SCMP_SYS(getuid), // 102
+      SCMP_SYS(getgid), // 104
+      SCMP_SYS(geteuid), // 107
+      SCMP_SYS(getegid), // 108
+      SCMP_SYS(gettid), // 186
+      SCMP_SYS(futex), // 202
+      SCMP_SYS(getdents64), // 217
+      SCMP_SYS(set_tid_address), // 218
+      SCMP_SYS(pselect6), // 270
+      SCMP_SYS(set_robust_list), // 273
+      SCMP_SYS(rseq), // 334
+  };
+  ADD_RULE_LIST(white, SCMP_ACT_ALLOW);
+}
+
+struct rule lang_python_rule = {
+    .name = "python3",
+    .setup = setup_lang_python,
+};
+
+void __attribute__((constructor(101))) register_lang_python(void) { register_rule(&lang_python_rule); }
diff --git a/rules/rules.c b/rules/rules.c
index d39a525..0262458 100644
--- a/rules/rules.c
+++ b/rules/rules.c
@@ -14,7 +14,7 @@ void setup_common(scmp_filter_ctx ctx, const char *exe_path) {
   // allow to execute self
   add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1,
                      &SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)exe_path));
-  // allow to read files - do not allow write, readwrite, append, create
+  // allow to read files - do not allow "write", "readwrite", "append", "create"
   add_syscall_nr_arg(SCMP_SYS(open), ctx, SCMP_ACT_ALLOW, 1,
                      &SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0));
   add_syscall_nr_arg(SCMP_SYS(openat), ctx, SCMP_ACT_ALLOW, 1,
@@ -39,6 +39,7 @@ void setup_common(scmp_filter_ctx ctx, const char *exe_path) {
       SCMP_SYS(access), // 21
       SCMP_SYS(nanosleep), // 35
       SCMP_SYS(getpid), // 39
+      SCMP_SYS(arch_prctl), // 158
       SCMP_SYS(clock_gettime), // 228
       SCMP_SYS(clock_getres), // 229
       SCMP_SYS(clock_nanosleep), // 230
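Review bot: `SCMP_SYS(ioctl)` and `SCMP_SYS(fcntl)` enter the whitelist in setup_lang_python with no argument filter, whereas `setup_common` in rules.c constrains `open`/`openat` by flag mask; an unfiltered ioctl lets the sandboxed interpreter issue any request on any descriptor it holds, which makes it the broadest entry in this list. If it is only needed for the terminal queries behind `isatty()`, consider narrowing it in the same `add_syscall_nr_arg(SCMP_SYS(ioctl), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A1(SCMP_CMP_EQ, TCGETS))` style the common rules use for open, or record in a comment why the whole syscall is required. The trailing numbers are x86_64 syscall numbers and the list carries no header saying what it covers; a comment such as `// syscalls CPython 3 + glibc need at interpreter startup (numbers are x86_64)` above `int white[]` would help the next maintainer decide what may be removed. The third `#include` line shows no header name in this rendering of the patch, so the actual include target cannot be checked here.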
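Review bot: `SCMP_SYS(arch_prctl)` is now allowed for every language with no argument check, while, as far as I know, glibc only needs it at startup for `ARCH_SET_FS` (TLS base); the remaining subcommands are not needed by any of the runtimes here and could be excluded with `add_syscall_nr_arg(SCMP_SYS(arch_prctl), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A0(SCMP_CMP_EQ, ARCH_SET_FS));` placed with the other argument-filtered calls in `setup_common` rather than in this unconditional list. A short comment on the new line, e.g. `// 158: moved here from the C/C++ and Go lists, glibc TLS setup`, would explain why a previously per-language syscall became common. `setup_common` starts and ends outside this hunk. Separately, the first rules.c hunk's context shows the open/openat mask without `O_TRUNC`; on Linux `O_RDONLY|O_TRUNC` still truncates a writable regular file, so the read-only intent stated in the reworded comment may not fully hold and is worth confirming.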