package seccomp // import "github.com/Prakhar-Agarwal-byte/moby/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture table of the default profile: each native
// architecture paired with the sub-architectures whose syscall ABI the same
// filter has to admit as well (x86 and x32 binaries on x86_64, 32-bit ARM on
// aarch64, the n32/o32 MIPS ABIs on the 64-bit MIPS variants, s390 on s390x).
func arches() []Architecture {
	return []Architecture{
		{Arch: specs.ArchX86_64, SubArches: []specs.Arch{specs.ArchX86, specs.ArchX32}},
		{Arch: specs.ArchAARCH64, SubArches: []specs.Arch{specs.ArchARM}},
		{Arch: specs.ArchMIPS64, SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64N32}},
		{Arch: specs.ArchMIPS64N32, SubArches: []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64}},
		{Arch: specs.ArchMIPSEL64, SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64N32}},
		{Arch: specs.ArchMIPSEL64N32, SubArches: []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64}},
		{Arch: specs.ArchS390X, SubArches: []specs.Arch{specs.ArchS390}},
		// No sub-architectures are listed for riscv64. Keep this nil rather
		// than an empty slice: the two encode differently (null vs []).
		{Arch: specs.ArchRISCV64, SubArches: nil},
	}
}

// DefaultProfile returns the seccomp profile applied to containers that do not
// supply their own: an allow-list of syscalls, several of them conditional on
// architecture, capability or kernel version, with every syscall not matched by
// a rule failing with EPERM.
func DefaultProfile() *Seccomp {
	// ENOSYS is returned for clone3 (see below) instead of the profile-wide
	// EPERM; it lives in a variable because ErrnoRet takes a pointer.
	nosys := uint(unix.ENOSYS)

	var syscalls []*Syscall
	// add appends rules in call order; the order below is the order of the
	// resulting Syscalls slice.
	add := func(rules ...*Syscall) { syscalls = append(syscalls, rules...) }

	// allow builds an allow rule for names with no Includes/Excludes filter.
	allow := func(names ...string) *Syscall {
		return &Syscall{LinuxSyscall: specs.LinuxSyscall{Names: names, Action: specs.ActAllow}}
	}
	// allowIf is allow restricted by an Includes filter (arch, caps or kernel).
	allowIf := func(f *Filter, names ...string) *Syscall {
		r := allow(names...)
		r.Includes = f
		return r
	}
	// withCaps and onArch build the two filter shapes used by most rules.
	withCaps := func(c ...string) *Filter { return &Filter{Caps: c} }
	onArch := func(a ...string) *Filter { return &Filter{Arches: a} }
	// allowArg allows a single syscall only when the given argument test holds.
	allowArg := func(name string, arg specs.LinuxSeccompArg) *Syscall {
		return &Syscall{LinuxSyscall: specs.LinuxSyscall{
			Names:  []string{name},
			Action: specs.ActAllow,
			Args:   []specs.LinuxSeccompArg{arg},
		}}
	}

	// Syscalls allowed for every container, whatever its capabilities.
	add(allow(
		"accept", "accept4", "access", "adjtimex", "alarm",
		"bind", "brk",
		"capget", "capset", "chdir", "chmod", "chown", "chown32",
		"clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64",
		"clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64",
		"close", "close_range", "connect", "copy_file_range", "creat",
		"dup", "dup2", "dup3",
		"epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old",
		"epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old",
		"eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group",
		"faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate",
		"fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown", "fchown32",
		"fchownat", "fcntl", "fcntl64", "fdatasync", "fgetxattr", "flistxattr",
		"flock", "fork", "fremovexattr", "fsetxattr",
		"fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync",
		"ftruncate", "ftruncate64", "futex", "futex_time64", "futex_waitv", "futimesat",
		"getcpu", "getcwd", "getdents", "getdents64",
		"getegid", "getegid32", "geteuid", "geteuid32", "getgid", "getgid32",
		"getgroups", "getgroups32", "getitimer", "getpeername",
		"getpgid", "getpgrp", "getpid", "getppid", "getpriority", "getrandom",
		"getresgid", "getresgid32", "getresuid", "getresuid32",
		"getrlimit", "get_robust_list", "getrusage", "getsid",
		"getsockname", "getsockopt", "get_thread_area", "gettid", "gettimeofday",
		"getuid", "getuid32", "getxattr",
		"inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch",
		"io_cancel", "ioctl", "io_destroy", "io_getevents",
		"io_pgetevents", "io_pgetevents_time64", "ioprio_get", "ioprio_set",
		"io_setup", "io_submit", "io_uring_enter", "io_uring_register", "io_uring_setup",
		"ipc", "kill",
		"landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self",
		"lchown", "lchown32", "lgetxattr", "link", "linkat", "listen",
		"listxattr", "llistxattr", "_llseek", "lremovexattr", "lseek", "lsetxattr",
		"lstat", "lstat64",
		"madvise", "membarrier", "memfd_create", "memfd_secret", "mincore",
		"mkdir", "mkdirat", "mknod", "mknodat",
		"mlock", "mlock2", "mlockall", "mmap", "mmap2", "mprotect",
		"mq_getsetattr", "mq_notify", "mq_open",
		"mq_timedreceive", "mq_timedreceive_time64", "mq_timedsend", "mq_timedsend_time64",
		"mq_unlink", "mremap",
		"msgctl", "msgget", "msgrcv", "msgsnd", "msync",
		"munlock", "munlockall", "munmap",
		"name_to_handle_at", "nanosleep", "newfstatat", "_newselect",
		"open", "openat", "openat2", "pause",
		"pidfd_open", "pidfd_send_signal", "pipe", "pipe2",
		"pkey_alloc", "pkey_free", "pkey_mprotect",
		"poll", "ppoll", "ppoll_time64", "prctl",
		"pread64", "preadv", "preadv2", "prlimit64", "process_mrelease",
		"pselect6", "pselect6_time64", "pwrite64", "pwritev", "pwritev2",
		"read", "readahead", "readlink", "readlinkat", "readv",
		"recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg",
		"remap_file_pages", "removexattr", "rename", "renameat", "renameat2",
		"restart_syscall", "rmdir", "rseq",
		"rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo",
		"rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64",
		"rt_tgsigqueueinfo",
		"sched_getaffinity", "sched_getattr", "sched_getparam",
		"sched_get_priority_max", "sched_get_priority_min", "sched_getscheduler",
		"sched_rr_get_interval", "sched_rr_get_interval_time64",
		"sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler",
		"sched_yield", "seccomp", "select",
		"semctl", "semget", "semop", "semtimedop", "semtimedop_time64",
		"send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto",
		"setfsgid", "setfsgid32", "setfsuid", "setfsuid32",
		"setgid", "setgid32", "setgroups", "setgroups32",
		"setitimer", "setpgid", "setpriority",
		"setregid", "setregid32", "setresgid", "setresgid32",
		"setresuid", "setresuid32", "setreuid", "setreuid32",
		"setrlimit", "set_robust_list", "setsid", "setsockopt",
		"set_thread_area", "set_tid_address", "setuid", "setuid32", "setxattr",
		"shmat", "shmctl", "shmdt", "shmget", "shutdown",
		"sigaltstack", "signalfd", "signalfd4", "sigprocmask", "sigreturn",
		"socketcall", "socketpair", "splice",
		"stat", "stat64", "statfs", "statfs64", "statx",
		"symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo",
		"tee", "tgkill", "time",
		"timer_create", "timer_delete", "timer_getoverrun",
		"timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64",
		"timerfd_create", "timerfd_gettime", "timerfd_gettime64",
		"timerfd_settime", "timerfd_settime64",
		"times", "tkill", "truncate", "truncate64",
		"ugetrlimit", "umask", "uname",
		"unlink", "unlinkat", "utime", "utimensat", "utimensat_time64", "utimes",
		"vfork", "vmsplice",
		"wait4", "waitid", "waitpid", "write", "writev",
	))

	// ptrace and the process_vm_* calls are allowed without a capability only
	// from kernel 4.8 on (older kernels are covered by the CAP_SYS_PTRACE rule
	// further down). 4.8 is the usual floor because earlier kernels let a
	// tracer modify a syscall after seccomp had already inspected it.
	add(allowIf(&Filter{MinKernel: &KernelVersion{4, 8}},
		"process_vm_readv", "process_vm_writev", "ptrace",
	))

	// socket(2) is allowed for every family except AF_VSOCK; an AF_VSOCK
	// request matches no rule and therefore gets the default EPERM.
	add(allowArg("socket", specs.LinuxSeccompArg{Index: 0, Value: unix.AF_VSOCK, Op: specs.OpNotEqual}))

	// personality(2) is only allowed for a fixed set of values: 0 (PER_LINUX),
	// 0x0008 (PER_LINUX32), 0x20000 (UNAME26), their combination, and
	// 0xffffffff, which per personality(2) only queries the current value.
	for _, persona := range []uint64{0x0, 0x0008, 0x20000, 0x20008, 0xffffffff} {
		add(allowArg("personality", specs.LinuxSeccompArg{Index: 0, Value: persona, Op: specs.OpEqualTo}))
	}

	// Architecture-specific syscalls.
	add(
		allowIf(onArch("ppc64le"), "sync_file_range2", "swapcontext"),
		allowIf(onArch("arm", "arm64"),
			"arm_fadvise64_64", "arm_sync_file_range", "sync_file_range2",
			"breakpoint", "cacheflush", "set_tls",
		),
		allowIf(onArch("amd64", "x32"), "arch_prctl"),
		allowIf(onArch("amd64", "x32", "x86"), "modify_ldt"),
		allowIf(onArch("s390", "s390x"), "s390_pci_mmio_read", "s390_pci_mmio_write", "s390_runtime_instr"),
		allowIf(onArch("riscv64"), "riscv_flush_icache"),
	)

	// Capability-gated syscalls. Each rule is only emitted when the container
	// holds the named capability, so dropping the capability also removes the
	// syscall from the filter.
	add(
		allowIf(withCaps("CAP_DAC_READ_SEARCH"), "open_by_handle_at"),
		allowIf(withCaps("CAP_SYS_ADMIN"),
			"bpf", "clone", "clone3", "fanotify_init",
			"fsconfig", "fsmount", "fsopen", "fspick",
			"lookup_dcookie", "mount", "mount_setattr", "move_mount", "open_tree",
			"perf_event_open", "quotactl", "quotactl_fd",
			"setdomainname", "sethostname", "setns", "syslog",
			"umount", "umount2", "unshare",
		),
	)

	// Without CAP_SYS_ADMIN, clone is allowed only if none of the
	// namespace-creating CLONE_NEW* bits are set in its flags argument
	// (OpMaskedEqual: flags & nsFlags must equal 0). The flags argument is at
	// index 0 everywhere except s390/s390x, where it is at index 1, hence two
	// rules with complementary arch filters.
	nsFlags := uint64(unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP)
	noNewNamespace := func(index uint) specs.LinuxSeccompArg {
		return specs.LinuxSeccompArg{Index: index, Value: nsFlags, ValueTwo: 0, Op: specs.OpMaskedEqual}
	}

	cloneGeneric := allowArg("clone", noNewNamespace(0))
	cloneGeneric.Excludes = &Filter{
		Caps:   []string{"CAP_SYS_ADMIN"},
		Arches: []string{"s390", "s390x"},
	}

	cloneS390 := allowArg("clone", noNewNamespace(1))
	cloneS390.Comment = "s390 parameter ordering for clone is different"
	cloneS390.Includes = onArch("s390", "s390x")
	cloneS390.Excludes = withCaps("CAP_SYS_ADMIN")

	// clone3 takes its flags through a struct that seccomp cannot inspect, so
	// without CAP_SYS_ADMIN it is refused with ENOSYS rather than EPERM;
	// presumably so that libc falls back to clone, which the rules above can
	// filter.
	clone3Denied := &Syscall{
		LinuxSyscall: specs.LinuxSyscall{
			Names:    []string{"clone3"},
			Action:   specs.ActErrno,
			ErrnoRet: &nosys,
		},
		Excludes: withCaps("CAP_SYS_ADMIN"),
	}
	add(cloneGeneric, cloneS390, clone3Denied)

	// Remaining capability-gated groups. Note that syslog, bpf, perf_event_open
	// and ptrace also appear under CAP_SYS_ADMIN above; either capability
	// admits them.
	add(
		allowIf(withCaps("CAP_SYS_BOOT"), "reboot"),
		allowIf(withCaps("CAP_SYS_CHROOT"), "chroot"),
		allowIf(withCaps("CAP_SYS_MODULE"), "delete_module", "init_module", "finit_module"),
		allowIf(withCaps("CAP_SYS_PACCT"), "acct"),
		allowIf(withCaps("CAP_SYS_PTRACE"),
			"kcmp", "pidfd_getfd", "process_madvise",
			"process_vm_readv", "process_vm_writev", "ptrace",
		),
		allowIf(withCaps("CAP_SYS_RAWIO"), "iopl", "ioperm"),
		allowIf(withCaps("CAP_SYS_TIME"), "settimeofday", "stime", "clock_settime", "clock_settime64"),
		allowIf(withCaps("CAP_SYS_TTY_CONFIG"), "vhangup"),
		allowIf(withCaps("CAP_SYS_NICE"), "get_mempolicy", "mbind", "set_mempolicy"),
		allowIf(withCaps("CAP_SYSLOG"), "syslog"),
		allowIf(withCaps("CAP_BPF"), "bpf"),
		allowIf(withCaps("CAP_PERFMON"), "perf_event_open"),
	)

	// Anything not matched above fails with EPERM.
	errnoRet := uint(unix.EPERM)
	return &Seccomp{
		LinuxSeccomp: specs.LinuxSeccomp{
			DefaultAction:   specs.ActErrno,
			DefaultErrnoRet: &errnoRet,
		},
		ArchMap:  arches(),
		Syscalls: syscalls,
	}
}