package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map embedded in the default profile: for
// each native architecture, the compatibility (sub-)architectures whose
// syscall tables the filter must also cover (e.g. 32-bit x86 and x32 binaries
// running on an x86_64 kernel). riscv64 has no sub-architecture and ppc64le
// has no entry here at all — presumably the code that applies the map falls
// back to the native architecture in that case; confirm in the consumer.
func arches() []Architecture {
	// entry builds one map entry. When called with no sub-architectures the
	// variadic slice is nil, which is exactly what the riscv64 entry needs.
	entry := func(native specs.Arch, subs ...specs.Arch) Architecture {
		return Architecture{Arch: native, SubArches: subs}
	}
	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
		entry(specs.ArchRISCV64),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile() *Seccomp {
	// Errno handed back by the CAP_SYS_ADMIN-less clone3 rule below. It is
	// ENOSYS rather than EPERM so a caller can treat the syscall as
	// unavailable and presumably fall back to clone() — verify against the
	// libc behaviour you rely on.
	nosys := uint(unix.ENOSYS)
	syscalls := []*Syscall{
		// Baseline allowlist: no capability, kernel-version or architecture
		// condition. Anything not named by some rule in this slice hits the
		// DefaultAction (EPERM) set at the bottom of this function.
		//
		// NOTE(review): io_uring_enter/io_uring_register/io_uring_setup are
		// allowed unconditionally here; consider gating or dropping them in
		// hardened deployments.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"accept",
					"accept4",
					"access",
					"adjtimex",
					"alarm",
					"bind",
					"brk",
					"capget",
					"capset",
					"chdir",
					"chmod",
					"chown",
					"chown32",
					"clock_adjtime",
					"clock_adjtime64",
					"clock_getres",
					"clock_getres_time64",
					"clock_gettime",
					"clock_gettime64",
					"clock_nanosleep",
					"clock_nanosleep_time64",
					"close",
					"close_range",
					"connect",
					"copy_file_range",
					"creat",
					"dup",
					"dup2",
					"dup3",
					"epoll_create",
					"epoll_create1",
					"epoll_ctl",
					"epoll_ctl_old",
					"epoll_pwait",
					"epoll_pwait2",
					"epoll_wait",
					"epoll_wait_old",
					"eventfd",
					"eventfd2",
					"execve",
					"execveat",
					"exit",
					"exit_group",
					"faccessat",
					"faccessat2",
					"fadvise64",
					"fadvise64_64",
					"fallocate",
					"fanotify_mark",
					"fchdir",
					"fchmod",
					"fchmodat",
					"fchown",
					"fchown32",
					"fchownat",
					"fcntl",
					"fcntl64",
					"fdatasync",
					"fgetxattr",
					"flistxattr",
					"flock",
					"fork",
					"fremovexattr",
					"fsetxattr",
					"fstat",
					"fstat64",
					"fstatat64",
					"fstatfs",
					"fstatfs64",
					"fsync",
					"ftruncate",
					"ftruncate64",
					"futex",
					"futex_time64",
					"futex_waitv",
					"futimesat",
					"getcpu",
					"getcwd",
					"getdents",
					"getdents64",
					"getegid",
					"getegid32",
					"geteuid",
					"geteuid32",
					"getgid",
					"getgid32",
					"getgroups",
					"getgroups32",
					"getitimer",
					"getpeername",
					"getpgid",
					"getpgrp",
					"getpid",
					"getppid",
					"getpriority",
					"getrandom",
					"getresgid",
					"getresgid32",
					"getresuid",
					"getresuid32",
					"getrlimit",
					"get_robust_list",
					"getrusage",
					"getsid",
					"getsockname",
					"getsockopt",
					"get_thread_area",
					"gettid",
					"gettimeofday",
					"getuid",
					"getuid32",
					"getxattr",
					"inotify_add_watch",
					"inotify_init",
					"inotify_init1",
					"inotify_rm_watch",
					"io_cancel",
					"ioctl",
					"io_destroy",
					"io_getevents",
					"io_pgetevents",
					"io_pgetevents_time64",
					"ioprio_get",
					"ioprio_set",
					"io_setup",
					"io_submit",
					"io_uring_enter",
					"io_uring_register",
					"io_uring_setup",
					"ipc",
					"kill",
					"landlock_add_rule",
					"landlock_create_ruleset",
					"landlock_restrict_self",
					"lchown",
					"lchown32",
					"lgetxattr",
					"link",
					"linkat",
					"listen",
					"listxattr",
					"llistxattr",
					"_llseek",
					"lremovexattr",
					"lseek",
					"lsetxattr",
					"lstat",
					"lstat64",
					"madvise",
					"membarrier",
					"memfd_create",
					"memfd_secret",
					"mincore",
					"mkdir",
					"mkdirat",
					"mknod",
					"mknodat",
					"mlock",
					"mlock2",
					"mlockall",
					"mmap",
					"mmap2",
					"mprotect",
					"mq_getsetattr",
					"mq_notify",
					"mq_open",
					"mq_timedreceive",
					"mq_timedreceive_time64",
					"mq_timedsend",
					"mq_timedsend_time64",
					"mq_unlink",
					"mremap",
					"msgctl",
					"msgget",
					"msgrcv",
					"msgsnd",
					"msync",
					"munlock",
					"munlockall",
					"munmap",
					"nanosleep",
					"newfstatat",
					"_newselect",
					"open",
					"openat",
					"openat2",
					"pause",
					"pidfd_open",
					"pidfd_send_signal",
					"pipe",
					"pipe2",
					"pkey_alloc",
					"pkey_free",
					"pkey_mprotect",
					"poll",
					"ppoll",
					"ppoll_time64",
					"prctl",
					"pread64",
					"preadv",
					"preadv2",
					"prlimit64",
					"process_mrelease",
					"pselect6",
					"pselect6_time64",
					"pwrite64",
					"pwritev",
					"pwritev2",
					"read",
					"readahead",
					"readlink",
					"readlinkat",
					"readv",
					"recv",
					"recvfrom",
					"recvmmsg",
					"recvmmsg_time64",
					"recvmsg",
					"remap_file_pages",
					"removexattr",
					"rename",
					"renameat",
					"renameat2",
					"restart_syscall",
					"rmdir",
					"rseq",
					"rt_sigaction",
					"rt_sigpending",
					"rt_sigprocmask",
					"rt_sigqueueinfo",
					"rt_sigreturn",
					"rt_sigsuspend",
					"rt_sigtimedwait",
					"rt_sigtimedwait_time64",
					"rt_tgsigqueueinfo",
					"sched_getaffinity",
					"sched_getattr",
					"sched_getparam",
					"sched_get_priority_max",
					"sched_get_priority_min",
					"sched_getscheduler",
					"sched_rr_get_interval",
					"sched_rr_get_interval_time64",
					"sched_setaffinity",
					"sched_setattr",
					"sched_setparam",
					"sched_setscheduler",
					"sched_yield",
					"seccomp",
					"select",
					"semctl",
					"semget",
					"semop",
					"semtimedop",
					"semtimedop_time64",
					"send",
					"sendfile",
					"sendfile64",
					"sendmmsg",
					"sendmsg",
					"sendto",
					"setfsgid",
					"setfsgid32",
					"setfsuid",
					"setfsuid32",
					"setgid",
					"setgid32",
					"setgroups",
					"setgroups32",
					"setitimer",
					"setpgid",
					"setpriority",
					"setregid",
					"setregid32",
					"setresgid",
					"setresgid32",
					"setresuid",
					"setresuid32",
					"setreuid",
					"setreuid32",
					"setrlimit",
					"set_robust_list",
					"setsid",
					"setsockopt",
					"set_thread_area",
					"set_tid_address",
					"setuid",
					"setuid32",
					"setxattr",
					"shmat",
					"shmctl",
					"shmdt",
					"shmget",
					"shutdown",
					"sigaltstack",
					"signalfd",
					"signalfd4",
					"sigprocmask",
					"sigreturn",
					"socket",
					"socketcall",
					"socketpair",
					"splice",
					"stat",
					"stat64",
					"statfs",
					"statfs64",
					"statx",
					"symlink",
					"symlinkat",
					"sync",
					"sync_file_range",
					"syncfs",
					"sysinfo",
					"tee",
					"tgkill",
					"time",
					"timer_create",
					"timer_delete",
					"timer_getoverrun",
					"timer_gettime",
					"timer_gettime64",
					"timer_settime",
					"timer_settime64",
					"timerfd_create",
					"timerfd_gettime",
					"timerfd_gettime64",
					"timerfd_settime",
					"timerfd_settime64",
					"times",
					"tkill",
					"truncate",
					"truncate64",
					"ugetrlimit",
					"umask",
					"uname",
					"unlink",
					"unlinkat",
					"utime",
					"utimensat",
					"utimensat_time64",
					"utimes",
					"vfork",
					"vmsplice",
					"wait4",
					"waitid",
					"waitpid",
					"write",
					"writev",
				},
				Action: specs.ActAllow,
			},
		},
		// Tracing/cross-process memory access without any capability, but only
		// when the Filter's MinKernel gate (4.8) is satisfied — presumably
		// because older kernels allow ptrace to bypass seccomp. On older
		// kernels the same names are reachable only via the CAP_SYS_PTRACE
		// rule further down.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality(2): only a fixed set of arg-0 values is permitted, one
		// rule per value because each condition is an exact match (OpEqualTo).
		// The values presumably correspond to PER_LINUX (0x0), PER_LINUX32
		// (0x0008), UNAME26 (0x20000), PER_LINUX32|UNAME26 (0x20008) and the
		// "query current personality" sentinel 0xffffffff — confirm against
		// <linux/personality.h> before adding or changing a value.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names:  []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names:  []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names:  []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20000,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names:  []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names:  []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0xffffffff,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// Architecture-specific syscalls. Note that Filter.Arches holds plain
		// strings ("ppc64le", "arm64", "amd64", ...) rather than the specs.Arch
		// constants used by arches(); the mapping between the two lives in the
		// code that evaluates Filter.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"sync_file_range2",
					"swapcontext",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arm_fadvise64_64",
					"arm_sync_file_range",
					"sync_file_range2",
					"breakpoint",
					"cacheflush",
					"set_tls",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arch_prctl",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"modify_ldt",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"s390_pci_mmio_read",
					"s390_pci_mmio_write",
					"s390_runtime_instr",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"riscv_flush_icache",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"riscv64"},
			},
		},
		// Capability-gated syscalls. Filter.Caps presumably means "apply this
		// rule only when the container holds the named capability" — check the
		// Filter evaluation code before relying on that. open_by_handle_at is
		// kept behind CAP_DAC_READ_SEARCH; presumably because it can open
		// arbitrary host files by handle and is a known escape primitive.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"open_by_handle_at",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// Mount, namespace, bpf, perf, quota and hostname administration only
		// with CAP_SYS_ADMIN. "clone", "clone3", "bpf", "perf_event_open" and
		// "syslog" also appear in narrower rules below; this is the
		// unrestricted variant.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"bpf",
					"clone",
					"clone3",
					"fanotify_init",
					"fsconfig",
					"fsmount",
					"fsopen",
					"fspick",
					"lookup_dcookie",
					"mount",
					"mount_setattr",
					"move_mount",
					"name_to_handle_at",
					"open_tree",
					"perf_event_open",
					"quotactl",
					"quotactl_fd",
					"setdomainname",
					"sethostname",
					"setns",
					"syslog",
					"umount",
					"umount2",
					"unshare",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when the flags argument
		// (arg 0) has none of the namespace-creating CLONE_NEW* bits set:
		// OpMaskedEqual with Value as the mask and ValueTwo == 0 checks
		// (arg & mask) == 0. s390/s390x are excluded from this rule because the
		// flags argument sits in a different position there (next rule); the
		// Excludes filter presumably drops the rule when either the cap or the
		// arch matches.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    0,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Excludes: &Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// s390/s390x variant of the rule above: identical mask check, but on
		// arg 1, where clone takes its flags on that ABI.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    1,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone3 is rejected outright with ENOSYS (see
		// nosys above) rather than EPERM: no argument filter is applied here,
		// presumably because clone3 passes its flags in a user-space struct
		// that a seccomp filter cannot inspect, so the masked check used for
		// clone is not possible.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone3",
				},
				Action:   specs.ActErrno,
				ErrnoRet: &nosys,
			},
			Excludes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// One capability per privileged operation: reboot, chroot, module
		// loading/unloading, and process accounting.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"reboot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"chroot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"delete_module",
					"init_module",
					"finit_module",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"acct",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// Process introspection and manipulation with CAP_SYS_PTRACE. This is
		// the only route for kcmp, pidfd_getfd and process_madvise, and the
		// only route for ptrace/process_vm_* when the MinKernel 4.8 rule above
		// does not apply.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"kcmp",
					"pidfd_getfd",
					"process_madvise",
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		// Raw I/O port access, system clock changes, TTY hangup, NUMA memory
		// policy, kernel log access, bpf and perf: each behind its own
		// capability.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"iopl",
					"ioperm",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"settimeofday",
					"stime",
					"clock_settime",
					"clock_settime64",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"vhangup",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"get_mempolicy",
					"mbind",
					"set_mempolicy",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"syslog",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"bpf",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_BPF"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"perf_event_open",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_PERFMON"},
			},
		},
	}

	// Everything not matched by a rule above is denied with EPERM
	// (ActErrno + DefaultErrnoRet), so an unexpected syscall fails inside
	// the container instead of killing the process. Architectures come from
	// arches() via ArchMap.
	errnoRet := uint(unix.EPERM)
	return &Seccomp{
		LinuxSeccomp: specs.LinuxSeccomp{
			DefaultAction:   specs.ActErrno,
			DefaultErrnoRet: &errnoRet,
		},
		ArchMap:  arches(),
		Syscalls: syscalls,
	}
}