github.com/Prakhar-Agarwal-byte/moby@v0.0.0-20231027092010-a14e3e8ab87e/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 1, 4 "archMap": [ 5 { 6 "architecture": "SCMP_ARCH_X86_64", 7 "subArchitectures": [ 8 "SCMP_ARCH_X86", 9 "SCMP_ARCH_X32" 10 ] 11 }, 12 { 13 "architecture": "SCMP_ARCH_AARCH64", 14 "subArchitectures": [ 15 "SCMP_ARCH_ARM" 16 ] 17 }, 18 { 19 "architecture": "SCMP_ARCH_MIPS64", 20 "subArchitectures": [ 21 "SCMP_ARCH_MIPS", 22 "SCMP_ARCH_MIPS64N32" 23 ] 24 }, 25 { 26 "architecture": "SCMP_ARCH_MIPS64N32", 27 "subArchitectures": [ 28 "SCMP_ARCH_MIPS", 29 "SCMP_ARCH_MIPS64" 30 ] 31 }, 32 { 33 "architecture": "SCMP_ARCH_MIPSEL64", 34 "subArchitectures": [ 35 "SCMP_ARCH_MIPSEL", 36 "SCMP_ARCH_MIPSEL64N32" 37 ] 38 }, 39 { 40 "architecture": "SCMP_ARCH_MIPSEL64N32", 41 "subArchitectures": [ 42 "SCMP_ARCH_MIPSEL", 43 "SCMP_ARCH_MIPSEL64" 44 ] 45 }, 46 { 47 "architecture": "SCMP_ARCH_S390X", 48 "subArchitectures": [ 49 "SCMP_ARCH_S390" 50 ] 51 }, 52 { 53 "architecture": "SCMP_ARCH_RISCV64", 54 "subArchitectures": null 55 } 56 ], 57 "syscalls": [ 58 { 59 "names": [ 60 "accept", 61 "accept4", 62 "access", 63 "adjtimex", 64 "alarm", 65 "bind", 66 "brk", 67 "capget", 68 "capset", 69 "chdir", 70 "chmod", 71 "chown", 72 "chown32", 73 "clock_adjtime", 74 "clock_adjtime64", 75 "clock_getres", 76 "clock_getres_time64", 77 "clock_gettime", 78 "clock_gettime64", 79 "clock_nanosleep", 80 "clock_nanosleep_time64", 81 "close", 82 "close_range", 83 "connect", 84 "copy_file_range", 85 "creat", 86 "dup", 87 "dup2", 88 "dup3", 89 "epoll_create", 90 "epoll_create1", 91 "epoll_ctl", 92 "epoll_ctl_old", 93 "epoll_pwait", 94 "epoll_pwait2", 95 "epoll_wait", 96 "epoll_wait_old", 97 "eventfd", 98 "eventfd2", 99 "execve", 100 "execveat", 101 "exit", 102 "exit_group", 103 "faccessat", 104 "faccessat2", 105 "fadvise64", 106 "fadvise64_64", 107 "fallocate", 108 "fanotify_mark", 109 "fchdir", 110 "fchmod", 111 "fchmodat", 112 "fchown", 113 "fchown32", 114 "fchownat", 115 "fcntl", 116 "fcntl64", 117 "fdatasync", 118 "fgetxattr", 119 "flistxattr", 120 "flock", 121 "fork", 122 "fremovexattr", 123 "fsetxattr", 124 "fstat", 125 "fstat64", 126 "fstatat64", 127 "fstatfs", 128 "fstatfs64", 129 "fsync", 130 "ftruncate", 131 "ftruncate64", 132 "futex", 133 "futex_time64", 134 "futex_waitv", 135 "futimesat", 136 "getcpu", 137 "getcwd", 138 "getdents", 139 "getdents64", 140 "getegid", 141 "getegid32", 142 "geteuid", 143 "geteuid32", 144 "getgid", 145 "getgid32", 146 "getgroups", 147 "getgroups32", 148 "getitimer", 149 "getpeername", 150 "getpgid", 151 "getpgrp", 152 "getpid", 153 "getppid", 154 "getpriority", 155 "getrandom", 156 "getresgid", 157 "getresgid32", 158 "getresuid", 159 "getresuid32", 160 "getrlimit", 161 "get_robust_list", 162 "getrusage", 163 "getsid", 164 "getsockname", 165 "getsockopt", 166 "get_thread_area", 167 "gettid", 168 "gettimeofday", 169 "getuid", 170 "getuid32", 171 "getxattr", 172 "inotify_add_watch", 173 "inotify_init", 174 "inotify_init1", 175 "inotify_rm_watch", 176 "io_cancel", 177 "ioctl", 178 "io_destroy", 179 "io_getevents", 180 "io_pgetevents", 181 "io_pgetevents_time64", 182 "ioprio_get", 183 "ioprio_set", 184 "io_setup", 185 "io_submit", 186 "io_uring_enter", 187 "io_uring_register", 188 "io_uring_setup", 189 "ipc", 190 "kill", 191 "landlock_add_rule", 192 "landlock_create_ruleset", 193 "landlock_restrict_self", 194 "lchown", 195 "lchown32", 196 "lgetxattr", 197 "link", 198 "linkat", 199 "listen", 200 "listxattr", 201 "llistxattr", 202 "_llseek", 203 "lremovexattr", 204 "lseek", 205 "lsetxattr", 206 "lstat", 207 "lstat64", 208 "madvise", 209 "membarrier", 210 "memfd_create", 211 "memfd_secret", 212 "mincore", 213 "mkdir", 214 "mkdirat", 215 "mknod", 216 "mknodat", 217 "mlock", 218 "mlock2", 219 "mlockall", 220 "mmap", 221 "mmap2", 222 "mprotect", 223 "mq_getsetattr", 224 "mq_notify", 225 "mq_open", 226 "mq_timedreceive", 227 "mq_timedreceive_time64", 228 "mq_timedsend", 229 "mq_timedsend_time64", 230 "mq_unlink", 231 "mremap", 232 "msgctl", 233 "msgget", 234 "msgrcv", 235 "msgsnd", 236 "msync", 237 "munlock", 238 "munlockall", 239 "munmap", 240 "name_to_handle_at", 241 "nanosleep", 242 "newfstatat", 243 "_newselect", 244 "open", 245 "openat", 246 "openat2", 247 "pause", 248 "pidfd_open", 249 "pidfd_send_signal", 250 "pipe", 251 "pipe2", 252 "pkey_alloc", 253 "pkey_free", 254 "pkey_mprotect", 255 "poll", 256 "ppoll", 257 "ppoll_time64", 258 "prctl", 259 "pread64", 260 "preadv", 261 "preadv2", 262 "prlimit64", 263 "process_mrelease", 264 "pselect6", 265 "pselect6_time64", 266 "pwrite64", 267 "pwritev", 268 "pwritev2", 269 "read", 270 "readahead", 271 "readlink", 272 "readlinkat", 273 "readv", 274 "recv", 275 "recvfrom", 276 "recvmmsg", 277 "recvmmsg_time64", 278 "recvmsg", 279 "remap_file_pages", 280 "removexattr", 281 "rename", 282 "renameat", 283 "renameat2", 284 "restart_syscall", 285 "rmdir", 286 "rseq", 287 "rt_sigaction", 288 "rt_sigpending", 289 "rt_sigprocmask", 290 "rt_sigqueueinfo", 291 "rt_sigreturn", 292 "rt_sigsuspend", 293 "rt_sigtimedwait", 294 "rt_sigtimedwait_time64", 295 "rt_tgsigqueueinfo", 296 "sched_getaffinity", 297 "sched_getattr", 298 "sched_getparam", 299 "sched_get_priority_max", 300 "sched_get_priority_min", 301 "sched_getscheduler", 302 "sched_rr_get_interval", 303 "sched_rr_get_interval_time64", 304 "sched_setaffinity", 305 "sched_setattr", 306 "sched_setparam", 307 "sched_setscheduler", 308 "sched_yield", 309 "seccomp", 310 "select", 311 "semctl", 312 "semget", 313 "semop", 314 "semtimedop", 315 "semtimedop_time64", 316 "send", 317 "sendfile", 318 "sendfile64", 319 "sendmmsg", 320 "sendmsg", 321 "sendto", 322 "setfsgid", 323 "setfsgid32", 324 "setfsuid", 325 "setfsuid32", 326 "setgid", 327 "setgid32", 328 "setgroups", 329 "setgroups32", 330 "setitimer", 331 "setpgid", 332 "setpriority", 333 "setregid", 334 "setregid32", 335 "setresgid", 336 "setresgid32", 337 "setresuid", 338 "setresuid32", 339 "setreuid", 340 "setreuid32", 341 "setrlimit", 342 "set_robust_list", 343 "setsid", 344 "setsockopt", 345 "set_thread_area", 346 "set_tid_address", 347 "setuid", 348 "setuid32", 349 "setxattr", 350 "shmat", 351 "shmctl", 352 "shmdt", 353 "shmget", 354 "shutdown", 355 "sigaltstack", 356 "signalfd", 357 "signalfd4", 358 "sigprocmask", 359 "sigreturn", 360 "socketcall", 361 "socketpair", 362 "splice", 363 "stat", 364 "stat64", 365 "statfs", 366 "statfs64", 367 "statx", 368 "symlink", 369 "symlinkat", 370 "sync", 371 "sync_file_range", 372 "syncfs", 373 "sysinfo", 374 "tee", 375 "tgkill", 376 "time", 377 "timer_create", 378 "timer_delete", 379 "timer_getoverrun", 380 "timer_gettime", 381 "timer_gettime64", 382 "timer_settime", 383 "timer_settime64", 384 "timerfd_create", 385 "timerfd_gettime", 386 "timerfd_gettime64", 387 "timerfd_settime", 388 "timerfd_settime64", 389 "times", 390 "tkill", 391 "truncate", 392 "truncate64", 393 "ugetrlimit", 394 "umask", 395 "uname", 396 "unlink", 397 "unlinkat", 398 "utime", 399 "utimensat", 400 "utimensat_time64", 401 "utimes", 402 "vfork", 403 "vmsplice", 404 "wait4", 405 "waitid", 406 "waitpid", 407 "write", 408 "writev" 409 ], 410 "action": "SCMP_ACT_ALLOW" 411 }, 412 { 413 "names": [ 414 "process_vm_readv", 415 "process_vm_writev", 416 "ptrace" 417 ], 418 "action": "SCMP_ACT_ALLOW", 419 "includes": { 420 "minKernel": "4.8" 421 } 422 }, 423 { 424 "names": [ 425 "socket" 426 ], 427 "action": "SCMP_ACT_ALLOW", 428 "args": [ 429 { 430 "index": 0, 431 "value": 40, 432 "op": "SCMP_CMP_NE" 433 } 434 ] 435 }, 436 { 437 "names": [ 438 "personality" 439 ], 440 "action": "SCMP_ACT_ALLOW", 441 "args": [ 442 { 443 "index": 0, 444 "value": 0, 445 "op": "SCMP_CMP_EQ" 446 } 447 ] 448 }, 449 { 450 "names": [ 451 "personality" 452 ], 453 "action": "SCMP_ACT_ALLOW", 454 "args": [ 455 { 456 "index": 0, 457 "value": 8, 458 "op": "SCMP_CMP_EQ" 459 } 460 ] 461 }, 462 { 463 "names": [ 464 "personality" 465 ], 466 "action": "SCMP_ACT_ALLOW", 467 "args": [ 468 { 469 "index": 0, 470 "value": 131072, 471 "op": "SCMP_CMP_EQ" 472 } 473 ] 474 }, 475 { 476 "names": [ 477 "personality" 478 ], 479 "action": "SCMP_ACT_ALLOW", 480 "args": [ 481 { 482 "index": 0, 483 "value": 131080, 484 "op": "SCMP_CMP_EQ" 485 } 486 ] 487 }, 488 { 489 "names": [ 490 "personality" 491 ], 492 "action": "SCMP_ACT_ALLOW", 493 "args": [ 494 { 495 "index": 0, 496 "value": 4294967295, 497 "op": "SCMP_CMP_EQ" 498 } 499 ] 500 }, 501 { 502 "names": [ 503 "sync_file_range2", 504 "swapcontext" 505 ], 506 "action": "SCMP_ACT_ALLOW", 507 "includes": { 508 "arches": [ 509 "ppc64le" 510 ] 511 } 512 }, 513 { 514 "names": [ 515 "arm_fadvise64_64", 516 "arm_sync_file_range", 517 "sync_file_range2", 518 "breakpoint", 519 "cacheflush", 520 "set_tls" 521 ], 522 "action": "SCMP_ACT_ALLOW", 523 "includes": { 524 "arches": [ 525 "arm", 526 "arm64" 527 ] 528 } 529 }, 530 { 531 "names": [ 532 "arch_prctl" 533 ], 534 "action": "SCMP_ACT_ALLOW", 535 "includes": { 536 "arches": [ 537 "amd64", 538 "x32" 539 ] 540 } 541 }, 542 { 543 "names": [ 544 "modify_ldt" 545 ], 546 "action": "SCMP_ACT_ALLOW", 547 "includes": { 548 "arches": [ 549 "amd64", 550 "x32", 551 "x86" 552 ] 553 } 554 }, 555 { 556 "names": [ 557 "s390_pci_mmio_read", 558 "s390_pci_mmio_write", 559 "s390_runtime_instr" 560 ], 561 "action": "SCMP_ACT_ALLOW", 562 "includes": { 563 "arches": [ 564 "s390", 565 "s390x" 566 ] 567 } 568 }, 569 { 570 "names": [ 571 "riscv_flush_icache" 572 ], 573 "action": "SCMP_ACT_ALLOW", 574 "includes": { 575 "arches": [ 576 "riscv64" 577 ] 578 } 579 }, 580 { 581 "names": [ 582 "open_by_handle_at" 583 ], 584 "action": "SCMP_ACT_ALLOW", 585 "includes": { 586 "caps": [ 587 "CAP_DAC_READ_SEARCH" 588 ] 589 } 590 }, 591 { 592 "names": [ 593 "bpf", 594 "clone", 595 "clone3", 596 "fanotify_init", 597 "fsconfig", 598 "fsmount", 599 "fsopen", 600 "fspick", 601 "lookup_dcookie", 602 "mount", 603 "mount_setattr", 604 "move_mount", 605 "open_tree", 606 "perf_event_open", 607 "quotactl", 608 "quotactl_fd", 609 "setdomainname", 610 "sethostname", 611 "setns", 612 "syslog", 613 "umount", 614 "umount2", 615 "unshare" 616 ], 617 "action": "SCMP_ACT_ALLOW", 618 "includes": { 619 "caps": [ 620 "CAP_SYS_ADMIN" 621 ] 622 } 623 }, 624 { 625 "names": [ 626 "clone" 627 ], 628 "action": "SCMP_ACT_ALLOW", 629 "args": [ 630 { 631 "index": 0, 632 "value": 2114060288, 633 "op": "SCMP_CMP_MASKED_EQ" 634 } 635 ], 636 "excludes": { 637 "caps": [ 638 "CAP_SYS_ADMIN" 639 ], 640 "arches": [ 641 "s390", 642 "s390x" 643 ] 644 } 645 }, 646 { 647 "names": [ 648 "clone" 649 ], 650 "action": "SCMP_ACT_ALLOW", 651 "args": [ 652 { 653 "index": 1, 654 "value": 2114060288, 655 "op": "SCMP_CMP_MASKED_EQ" 656 } 657 ], 658 "comment": "s390 parameter ordering for clone is different", 659 "includes": { 660 "arches": [ 661 "s390", 662 "s390x" 663 ] 664 }, 665 "excludes": { 666 "caps": [ 667 "CAP_SYS_ADMIN" 668 ] 669 } 670 }, 671 { 672 "names": [ 673 "clone3" 674 ], 675 "action": "SCMP_ACT_ERRNO", 676 "errnoRet": 38, 677 "excludes": { 678 "caps": [ 679 "CAP_SYS_ADMIN" 680 ] 681 } 682 }, 683 { 684 "names": [ 685 "reboot" 686 ], 687 "action": "SCMP_ACT_ALLOW", 688 "includes": { 689 "caps": [ 690 "CAP_SYS_BOOT" 691 ] 692 } 693 }, 694 { 695 "names": [ 696 "chroot" 697 ], 698 "action": "SCMP_ACT_ALLOW", 699 "includes": { 700 "caps": [ 701 "CAP_SYS_CHROOT" 702 ] 703 } 704 }, 705 { 706 "names": [ 707 "delete_module", 708 "init_module", 709 "finit_module" 710 ], 711 "action": "SCMP_ACT_ALLOW", 712 "includes": { 713 "caps": [ 714 "CAP_SYS_MODULE" 715 ] 716 } 717 }, 718 { 719 "names": [ 720 "acct" 721 ], 722 "action": "SCMP_ACT_ALLOW", 723 "includes": { 724 "caps": [ 725 "CAP_SYS_PACCT" 726 ] 727 } 728 }, 729 { 730 "names": [ 731 "kcmp", 732 "pidfd_getfd", 733 "process_madvise", 734 "process_vm_readv", 735 "process_vm_writev", 736 "ptrace" 737 ], 738 "action": "SCMP_ACT_ALLOW", 739 "includes": { 740 "caps": [ 741 "CAP_SYS_PTRACE" 742 ] 743 } 744 }, 745 { 746 "names": [ 747 "iopl", 748 "ioperm" 749 ], 750 "action": "SCMP_ACT_ALLOW", 751 "includes": { 752 "caps": [ 753 "CAP_SYS_RAWIO" 754 ] 755 } 756 }, 757 { 758 "names": [ 759 "settimeofday", 760 "stime", 761 "clock_settime", 762 "clock_settime64" 763 ], 764 "action": "SCMP_ACT_ALLOW", 765 "includes": { 766 "caps": [ 767 "CAP_SYS_TIME" 768 ] 769 } 770 }, 771 { 772 "names": [ 773 "vhangup" 774 ], 775 "action": "SCMP_ACT_ALLOW", 776 "includes": { 777 "caps": [ 778 "CAP_SYS_TTY_CONFIG" 779 ] 780 } 781 }, 782 { 783 "names": [ 784 "get_mempolicy", 785 "mbind", 786 "set_mempolicy" 787 ], 788 "action": "SCMP_ACT_ALLOW", 789 "includes": { 790 "caps": [ 791 "CAP_SYS_NICE" 792 ] 793 } 794 }, 795 { 796 "names": [ 797 "syslog" 798 ], 799 "action": "SCMP_ACT_ALLOW", 800 "includes": { 801 "caps": [ 802 "CAP_SYSLOG" 803 ] 804 } 805 }, 806 { 807 "names": [ 808 "bpf" 809 ], 810 "action": "SCMP_ACT_ALLOW", 811 "includes": { 812 "caps": [ 813 "CAP_BPF" 814 ] 815 } 816 }, 817 { 818 "names": [ 819 "perf_event_open" 820 ], 821 "action": "SCMP_ACT_ALLOW", 822 "includes": { 823 "caps": [ 824 "CAP_PERFMON" 825 ] 826 } 827 } 828 ] 829 }