github.com/Heebron/moby@v0.0.0-20221111184709-6eab4f55faf7/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 1, 4 "archMap": [ 5 { 6 "architecture": "SCMP_ARCH_X86_64", 7 "subArchitectures": [ 8 "SCMP_ARCH_X86", 9 "SCMP_ARCH_X32" 10 ] 11 }, 12 { 13 "architecture": "SCMP_ARCH_AARCH64", 14 "subArchitectures": [ 15 "SCMP_ARCH_ARM" 16 ] 17 }, 18 { 19 "architecture": "SCMP_ARCH_MIPS64", 20 "subArchitectures": [ 21 "SCMP_ARCH_MIPS", 22 "SCMP_ARCH_MIPS64N32" 23 ] 24 }, 25 { 26 "architecture": "SCMP_ARCH_MIPS64N32", 27 "subArchitectures": [ 28 "SCMP_ARCH_MIPS", 29 "SCMP_ARCH_MIPS64" 30 ] 31 }, 32 { 33 "architecture": "SCMP_ARCH_MIPSEL64", 34 "subArchitectures": [ 35 "SCMP_ARCH_MIPSEL", 36 "SCMP_ARCH_MIPSEL64N32" 37 ] 38 }, 39 { 40 "architecture": "SCMP_ARCH_MIPSEL64N32", 41 "subArchitectures": [ 42 "SCMP_ARCH_MIPSEL", 43 "SCMP_ARCH_MIPSEL64" 44 ] 45 }, 46 { 47 "architecture": "SCMP_ARCH_S390X", 48 "subArchitectures": [ 49 "SCMP_ARCH_S390" 50 ] 51 }, 52 { 53 "architecture": "SCMP_ARCH_RISCV64", 54 "subArchitectures": null 55 } 56 ], 57 "syscalls": [ 58 { 59 "names": [ 60 "accept", 61 "accept4", 62 "access", 63 "adjtimex", 64 "alarm", 65 "bind", 66 "brk", 67 "capget", 68 "capset", 69 "chdir", 70 "chmod", 71 "chown", 72 "chown32", 73 "clock_adjtime", 74 "clock_adjtime64", 75 "clock_getres", 76 "clock_getres_time64", 77 "clock_gettime", 78 "clock_gettime64", 79 "clock_nanosleep", 80 "clock_nanosleep_time64", 81 "close", 82 "close_range", 83 "connect", 84 "copy_file_range", 85 "creat", 86 "dup", 87 "dup2", 88 "dup3", 89 "epoll_create", 90 "epoll_create1", 91 "epoll_ctl", 92 "epoll_ctl_old", 93 "epoll_pwait", 94 "epoll_pwait2", 95 "epoll_wait", 96 "epoll_wait_old", 97 "eventfd", 98 "eventfd2", 99 "execve", 100 "execveat", 101 "exit", 102 "exit_group", 103 "faccessat", 104 "faccessat2", 105 "fadvise64", 106 "fadvise64_64", 107 "fallocate", 108 "fanotify_mark", 109 "fchdir", 110 "fchmod", 111 "fchmodat", 112 "fchown", 113 "fchown32", 114 "fchownat", 115 "fcntl", 116 "fcntl64", 117 "fdatasync", 118 "fgetxattr", 119 "flistxattr", 120 "flock", 121 "fork", 122 "fremovexattr", 123 "fsetxattr", 124 "fstat", 125 "fstat64", 126 "fstatat64", 127 "fstatfs", 128 "fstatfs64", 129 "fsync", 130 "ftruncate", 131 "ftruncate64", 132 "futex", 133 "futex_time64", 134 "futex_waitv", 135 "futimesat", 136 "getcpu", 137 "getcwd", 138 "getdents", 139 "getdents64", 140 "getegid", 141 "getegid32", 142 "geteuid", 143 "geteuid32", 144 "getgid", 145 "getgid32", 146 "getgroups", 147 "getgroups32", 148 "getitimer", 149 "getpeername", 150 "getpgid", 151 "getpgrp", 152 "getpid", 153 "getppid", 154 "getpriority", 155 "getrandom", 156 "getresgid", 157 "getresgid32", 158 "getresuid", 159 "getresuid32", 160 "getrlimit", 161 "get_robust_list", 162 "getrusage", 163 "getsid", 164 "getsockname", 165 "getsockopt", 166 "get_thread_area", 167 "gettid", 168 "gettimeofday", 169 "getuid", 170 "getuid32", 171 "getxattr", 172 "inotify_add_watch", 173 "inotify_init", 174 "inotify_init1", 175 "inotify_rm_watch", 176 "io_cancel", 177 "ioctl", 178 "io_destroy", 179 "io_getevents", 180 "io_pgetevents", 181 "io_pgetevents_time64", 182 "ioprio_get", 183 "ioprio_set", 184 "io_setup", 185 "io_submit", 186 "io_uring_enter", 187 "io_uring_register", 188 "io_uring_setup", 189 "ipc", 190 "kill", 191 "landlock_add_rule", 192 "landlock_create_ruleset", 193 "landlock_restrict_self", 194 "lchown", 195 "lchown32", 196 "lgetxattr", 197 "link", 198 "linkat", 199 "listen", 200 "listxattr", 201 "llistxattr", 202 "_llseek", 203 "lremovexattr", 204 "lseek", 205 "lsetxattr", 206 "lstat", 207 "lstat64", 208 "madvise", 209 "membarrier", 210 "memfd_create", 211 "memfd_secret", 212 "mincore", 213 "mkdir", 214 "mkdirat", 215 "mknod", 216 "mknodat", 217 "mlock", 218 "mlock2", 219 "mlockall", 220 "mmap", 221 "mmap2", 222 "mprotect", 223 "mq_getsetattr", 224 "mq_notify", 225 "mq_open", 226 "mq_timedreceive", 227 "mq_timedreceive_time64", 228 "mq_timedsend", 229 "mq_timedsend_time64", 230 "mq_unlink", 231 "mremap", 232 "msgctl", 233 "msgget", 234 "msgrcv", 235 "msgsnd", 236 "msync", 237 "munlock", 238 "munlockall", 239 "munmap", 240 "nanosleep", 241 "newfstatat", 242 "_newselect", 243 "open", 244 "openat", 245 "openat2", 246 "pause", 247 "pidfd_open", 248 "pidfd_send_signal", 249 "pipe", 250 "pipe2", 251 "pkey_alloc", 252 "pkey_free", 253 "pkey_mprotect", 254 "poll", 255 "ppoll", 256 "ppoll_time64", 257 "prctl", 258 "pread64", 259 "preadv", 260 "preadv2", 261 "prlimit64", 262 "process_mrelease", 263 "pselect6", 264 "pselect6_time64", 265 "pwrite64", 266 "pwritev", 267 "pwritev2", 268 "read", 269 "readahead", 270 "readlink", 271 "readlinkat", 272 "readv", 273 "recv", 274 "recvfrom", 275 "recvmmsg", 276 "recvmmsg_time64", 277 "recvmsg", 278 "remap_file_pages", 279 "removexattr", 280 "rename", 281 "renameat", 282 "renameat2", 283 "restart_syscall", 284 "rmdir", 285 "rseq", 286 "rt_sigaction", 287 "rt_sigpending", 288 "rt_sigprocmask", 289 "rt_sigqueueinfo", 290 "rt_sigreturn", 291 "rt_sigsuspend", 292 "rt_sigtimedwait", 293 "rt_sigtimedwait_time64", 294 "rt_tgsigqueueinfo", 295 "sched_getaffinity", 296 "sched_getattr", 297 "sched_getparam", 298 "sched_get_priority_max", 299 "sched_get_priority_min", 300 "sched_getscheduler", 301 "sched_rr_get_interval", 302 "sched_rr_get_interval_time64", 303 "sched_setaffinity", 304 "sched_setattr", 305 "sched_setparam", 306 "sched_setscheduler", 307 "sched_yield", 308 "seccomp", 309 "select", 310 "semctl", 311 "semget", 312 "semop", 313 "semtimedop", 314 "semtimedop_time64", 315 "send", 316 "sendfile", 317 "sendfile64", 318 "sendmmsg", 319 "sendmsg", 320 "sendto", 321 "setfsgid", 322 "setfsgid32", 323 "setfsuid", 324 "setfsuid32", 325 "setgid", 326 "setgid32", 327 "setgroups", 328 "setgroups32", 329 "setitimer", 330 "setpgid", 331 "setpriority", 332 "setregid", 333 "setregid32", 334 "setresgid", 335 "setresgid32", 336 "setresuid", 337 "setresuid32", 338 "setreuid", 339 "setreuid32", 340 "setrlimit", 341 "set_robust_list", 342 "setsid", 343 "setsockopt", 344 "set_thread_area", 345 "set_tid_address", 346 "setuid", 347 "setuid32", 348 "setxattr", 349 "shmat", 350 "shmctl", 351 "shmdt", 352 "shmget", 353 "shutdown", 354 "sigaltstack", 355 "signalfd", 356 "signalfd4", 357 "sigprocmask", 358 "sigreturn", 359 "socket", 360 "socketcall", 361 "socketpair", 362 "splice", 363 "stat", 364 "stat64", 365 "statfs", 366 "statfs64", 367 "statx", 368 "symlink", 369 "symlinkat", 370 "sync", 371 "sync_file_range", 372 "syncfs", 373 "sysinfo", 374 "tee", 375 "tgkill", 376 "time", 377 "timer_create", 378 "timer_delete", 379 "timer_getoverrun", 380 "timer_gettime", 381 "timer_gettime64", 382 "timer_settime", 383 "timer_settime64", 384 "timerfd_create", 385 "timerfd_gettime", 386 "timerfd_gettime64", 387 "timerfd_settime", 388 "timerfd_settime64", 389 "times", 390 "tkill", 391 "truncate", 392 "truncate64", 393 "ugetrlimit", 394 "umask", 395 "uname", 396 "unlink", 397 "unlinkat", 398 "utime", 399 "utimensat", 400 "utimensat_time64", 401 "utimes", 402 "vfork", 403 "vmsplice", 404 "wait4", 405 "waitid", 406 "waitpid", 407 "write", 408 "writev" 409 ], 410 "action": "SCMP_ACT_ALLOW" 411 }, 412 { 413 "names": [ 414 "process_vm_readv", 415 "process_vm_writev", 416 "ptrace" 417 ], 418 "action": "SCMP_ACT_ALLOW", 419 "includes": { 420 "minKernel": "4.8" 421 } 422 }, 423 { 424 "names": [ 425 "personality" 426 ], 427 "action": "SCMP_ACT_ALLOW", 428 "args": [ 429 { 430 "index": 0, 431 "value": 0, 432 "op": "SCMP_CMP_EQ" 433 } 434 ] 435 }, 436 { 437 "names": [ 438 "personality" 439 ], 440 "action": "SCMP_ACT_ALLOW", 441 "args": [ 442 { 443 "index": 0, 444 "value": 8, 445 "op": "SCMP_CMP_EQ" 446 } 447 ] 448 }, 449 { 450 "names": [ 451 "personality" 452 ], 453 "action": "SCMP_ACT_ALLOW", 454 "args": [ 455 { 456 "index": 0, 457 "value": 131072, 458 "op": "SCMP_CMP_EQ" 459 } 460 ] 461 }, 462 { 463 "names": [ 464 "personality" 465 ], 466 "action": "SCMP_ACT_ALLOW", 467 "args": [ 468 { 469 "index": 0, 470 "value": 131080, 471 "op": "SCMP_CMP_EQ" 472 } 473 ] 474 }, 475 { 476 "names": [ 477 "personality" 478 ], 479 "action": "SCMP_ACT_ALLOW", 480 "args": [ 481 { 482 "index": 0, 483 "value": 4294967295, 484 "op": "SCMP_CMP_EQ" 485 } 486 ] 487 }, 488 { 489 "names": [ 490 "sync_file_range2", 491 "swapcontext" 492 ], 493 "action": "SCMP_ACT_ALLOW", 494 "includes": { 495 "arches": [ 496 "ppc64le" 497 ] 498 } 499 }, 500 { 501 "names": [ 502 "arm_fadvise64_64", 503 "arm_sync_file_range", 504 "sync_file_range2", 505 "breakpoint", 506 "cacheflush", 507 "set_tls" 508 ], 509 "action": "SCMP_ACT_ALLOW", 510 "includes": { 511 "arches": [ 512 "arm", 513 "arm64" 514 ] 515 } 516 }, 517 { 518 "names": [ 519 "arch_prctl" 520 ], 521 "action": "SCMP_ACT_ALLOW", 522 "includes": { 523 "arches": [ 524 "amd64", 525 "x32" 526 ] 527 } 528 }, 529 { 530 "names": [ 531 "modify_ldt" 532 ], 533 "action": "SCMP_ACT_ALLOW", 534 "includes": { 535 "arches": [ 536 "amd64", 537 "x32", 538 "x86" 539 ] 540 } 541 }, 542 { 543 "names": [ 544 "s390_pci_mmio_read", 545 "s390_pci_mmio_write", 546 "s390_runtime_instr" 547 ], 548 "action": "SCMP_ACT_ALLOW", 549 "includes": { 550 "arches": [ 551 "s390", 552 "s390x" 553 ] 554 } 555 }, 556 { 557 "names": [ 558 "riscv_flush_icache" 559 ], 560 "action": "SCMP_ACT_ALLOW", 561 "includes": { 562 "arches": [ 563 "riscv64" 564 ] 565 } 566 }, 567 { 568 "names": [ 569 "open_by_handle_at" 570 ], 571 "action": "SCMP_ACT_ALLOW", 572 "includes": { 573 "caps": [ 574 "CAP_DAC_READ_SEARCH" 575 ] 576 } 577 }, 578 { 579 "names": [ 580 "bpf", 581 "clone", 582 "clone3", 583 "fanotify_init", 584 "fsconfig", 585 "fsmount", 586 "fsopen", 587 "fspick", 588 "lookup_dcookie", 589 "mount", 590 "mount_setattr", 591 "move_mount", 592 "name_to_handle_at", 593 "open_tree", 594 "perf_event_open", 595 "quotactl", 596 "quotactl_fd", 597 "setdomainname", 598 "sethostname", 599 "setns", 600 "syslog", 601 "umount", 602 "umount2", 603 "unshare" 604 ], 605 "action": "SCMP_ACT_ALLOW", 606 "includes": { 607 "caps": [ 608 "CAP_SYS_ADMIN" 609 ] 610 } 611 }, 612 { 613 "names": [ 614 "clone" 615 ], 616 "action": "SCMP_ACT_ALLOW", 617 "args": [ 618 { 619 "index": 0, 620 "value": 2114060288, 621 "op": "SCMP_CMP_MASKED_EQ" 622 } 623 ], 624 "excludes": { 625 "caps": [ 626 "CAP_SYS_ADMIN" 627 ], 628 "arches": [ 629 "s390", 630 "s390x" 631 ] 632 } 633 }, 634 { 635 "names": [ 636 "clone" 637 ], 638 "action": "SCMP_ACT_ALLOW", 639 "args": [ 640 { 641 "index": 1, 642 "value": 2114060288, 643 "op": "SCMP_CMP_MASKED_EQ" 644 } 645 ], 646 "comment": "s390 parameter ordering for clone is different", 647 "includes": { 648 "arches": [ 649 "s390", 650 "s390x" 651 ] 652 }, 653 "excludes": { 654 "caps": [ 655 "CAP_SYS_ADMIN" 656 ] 657 } 658 }, 659 { 660 "names": [ 661 "clone3" 662 ], 663 "action": "SCMP_ACT_ERRNO", 664 "errnoRet": 38, 665 "excludes": { 666 "caps": [ 667 "CAP_SYS_ADMIN" 668 ] 669 } 670 }, 671 { 672 "names": [ 673 "reboot" 674 ], 675 "action": "SCMP_ACT_ALLOW", 676 "includes": { 677 "caps": [ 678 "CAP_SYS_BOOT" 679 ] 680 } 681 }, 682 { 683 "names": [ 684 "chroot" 685 ], 686 "action": "SCMP_ACT_ALLOW", 687 "includes": { 688 "caps": [ 689 "CAP_SYS_CHROOT" 690 ] 691 } 692 }, 693 { 694 "names": [ 695 "delete_module", 696 "init_module", 697 "finit_module" 698 ], 699 "action": "SCMP_ACT_ALLOW", 700 "includes": { 701 "caps": [ 702 "CAP_SYS_MODULE" 703 ] 704 } 705 }, 706 { 707 "names": [ 708 "acct" 709 ], 710 "action": "SCMP_ACT_ALLOW", 711 "includes": { 712 "caps": [ 713 "CAP_SYS_PACCT" 714 ] 715 } 716 }, 717 { 718 "names": [ 719 "kcmp", 720 "pidfd_getfd", 721 "process_madvise", 722 "process_vm_readv", 723 "process_vm_writev", 724 "ptrace" 725 ], 726 "action": "SCMP_ACT_ALLOW", 727 "includes": { 728 "caps": [ 729 "CAP_SYS_PTRACE" 730 ] 731 } 732 }, 733 { 734 "names": [ 735 "iopl", 736 "ioperm" 737 ], 738 "action": "SCMP_ACT_ALLOW", 739 "includes": { 740 "caps": [ 741 "CAP_SYS_RAWIO" 742 ] 743 } 744 }, 745 { 746 "names": [ 747 "settimeofday", 748 "stime", 749 "clock_settime", 750 "clock_settime64" 751 ], 752 "action": "SCMP_ACT_ALLOW", 753 "includes": { 754 "caps": [ 755 "CAP_SYS_TIME" 756 ] 757 } 758 }, 759 { 760 "names": [ 761 "vhangup" 762 ], 763 "action": "SCMP_ACT_ALLOW", 764 "includes": { 765 "caps": [ 766 "CAP_SYS_TTY_CONFIG" 767 ] 768 } 769 }, 770 { 771 "names": [ 772 "get_mempolicy", 773 "mbind", 774 "set_mempolicy" 775 ], 776 "action": "SCMP_ACT_ALLOW", 777 "includes": { 778 "caps": [ 779 "CAP_SYS_NICE" 780 ] 781 } 782 }, 783 { 784 "names": [ 785 "syslog" 786 ], 787 "action": "SCMP_ACT_ALLOW", 788 "includes": { 789 "caps": [ 790 "CAP_SYSLOG" 791 ] 792 } 793 }, 794 { 795 "names": [ 796 "bpf" 797 ], 798 "action": "SCMP_ACT_ALLOW", 799 "includes": { 800 "caps": [ 801 "CAP_BPF" 802 ] 803 } 804 }, 805 { 806 "names": [ 807 "perf_event_open" 808 ], 809 "action": "SCMP_ACT_ALLOW", 810 "includes": { 811 "caps": [ 812 "CAP_PERFMON" 813 ] 814 } 815 } 816 ] 817 }