github.com/afbjorklund/moby@v20.10.5+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "close_range", 78 "connect", 79 "copy_file_range", 80 "creat", 81 "dup", 82 "dup2", 83 "dup3", 84 "epoll_create", 85 "epoll_create1", 86 "epoll_ctl", 87 "epoll_ctl_old", 88 "epoll_pwait", 89 "epoll_pwait2", 90 "epoll_wait", 91 "epoll_wait_old", 92 "eventfd", 93 "eventfd2", 94 "execve", 95 "execveat", 96 "exit", 97 "exit_group", 98 "faccessat", 99 "faccessat2", 100 "fadvise64", 101 "fadvise64_64", 102 "fallocate", 103 "fanotify_mark", 104 "fchdir", 105 "fchmod", 106 "fchmodat", 107 "fchown", 108 "fchown32", 109 "fchownat", 110 "fcntl", 111 "fcntl64", 112 "fdatasync", 113 "fgetxattr", 114 "flistxattr", 115 "flock", 116 "fork", 117 "fremovexattr", 118 "fsetxattr", 119 "fstat", 120 "fstat64", 121 "fstatat64", 122 "fstatfs", 123 "fstatfs64", 124 "fsync", 125 "ftruncate", 126 "ftruncate64", 127 "futex", 128 "futex_time64", 129 "futimesat", 130 "getcpu", 131 "getcwd", 132 "getdents", 133 "getdents64", 134 "getegid", 135 "getegid32", 136 "geteuid", 137 "geteuid32", 138 "getgid", 139 "getgid32", 140 "getgroups", 141 "getgroups32", 142 "getitimer", 143 "getpeername", 144 "getpgid", 145 "getpgrp", 146 "getpid", 147 "getppid", 148 "getpriority", 149 "getrandom", 150 "getresgid", 151 "getresgid32", 152 "getresuid", 153 "getresuid32", 154 "getrlimit", 155 "get_robust_list", 156 "getrusage", 157 "getsid", 158 "getsockname", 159 "getsockopt", 160 "get_thread_area", 161 "gettid", 162 "gettimeofday", 163 "getuid", 164 "getuid32", 165 "getxattr", 166 "inotify_add_watch", 167 "inotify_init", 168 "inotify_init1", 169 "inotify_rm_watch", 170 "io_cancel", 171 "ioctl", 172 "io_destroy", 173 "io_getevents", 174 "io_pgetevents", 175 "io_pgetevents_time64", 176 "ioprio_get", 177 "ioprio_set", 178 "io_setup", 179 "io_submit", 180 "io_uring_enter", 181 "io_uring_register", 182 "io_uring_setup", 183 "ipc", 184 "kill", 185 "lchown", 186 "lchown32", 187 "lgetxattr", 188 "link", 189 "linkat", 190 "listen", 191 "listxattr", 192 "llistxattr", 193 "_llseek", 194 "lremovexattr", 195 "lseek", 196 "lsetxattr", 197 "lstat", 198 "lstat64", 199 "madvise", 200 "membarrier", 201 "memfd_create", 202 "mincore", 203 "mkdir", 204 "mkdirat", 205 "mknod", 206 "mknodat", 207 "mlock", 208 "mlock2", 209 "mlockall", 210 "mmap", 211 "mmap2", 212 "mprotect", 213 "mq_getsetattr", 214 "mq_notify", 215 "mq_open", 216 "mq_timedreceive", 217 "mq_timedreceive_time64", 218 "mq_timedsend", 219 "mq_timedsend_time64", 220 "mq_unlink", 221 "mremap", 222 "msgctl", 223 "msgget", 224 "msgrcv", 225 "msgsnd", 226 "msync", 227 "munlock", 228 "munlockall", 229 "munmap", 230 "nanosleep", 231 "newfstatat", 232 "_newselect", 233 "open", 234 "openat", 235 "openat2", 236 "pause", 237 "pidfd_open", 238 "pidfd_send_signal", 239 "pipe", 240 "pipe2", 241 "poll", 242 "ppoll", 243 "ppoll_time64", 244 "prctl", 245 "pread64", 246 "preadv", 247 "preadv2", 248 "prlimit64", 249 "pselect6", 250 "pselect6_time64", 251 "pwrite64", 252 "pwritev", 253 "pwritev2", 254 "read", 255 "readahead", 256 "readlink", 257 "readlinkat", 258 "readv", 259 "recv", 260 "recvfrom", 261 "recvmmsg", 262 "recvmmsg_time64", 263 "recvmsg", 264 "remap_file_pages", 265 "removexattr", 266 "rename", 267 "renameat", 268 "renameat2", 269 "restart_syscall", 270 "rmdir", 271 "rseq", 272 "rt_sigaction", 273 "rt_sigpending", 274 "rt_sigprocmask", 275 "rt_sigqueueinfo", 276 "rt_sigreturn", 277 "rt_sigsuspend", 278 "rt_sigtimedwait", 279 "rt_sigtimedwait_time64", 280 "rt_tgsigqueueinfo", 281 "sched_getaffinity", 282 "sched_getattr", 283 "sched_getparam", 284 "sched_get_priority_max", 285 "sched_get_priority_min", 286 "sched_getscheduler", 287 "sched_rr_get_interval", 288 "sched_rr_get_interval_time64", 289 "sched_setaffinity", 290 "sched_setattr", 291 "sched_setparam", 292 "sched_setscheduler", 293 "sched_yield", 294 "seccomp", 295 "select", 296 "semctl", 297 "semget", 298 "semop", 299 "semtimedop", 300 "semtimedop_time64", 301 "send", 302 "sendfile", 303 "sendfile64", 304 "sendmmsg", 305 "sendmsg", 306 "sendto", 307 "setfsgid", 308 "setfsgid32", 309 "setfsuid", 310 "setfsuid32", 311 "setgid", 312 "setgid32", 313 "setgroups", 314 "setgroups32", 315 "setitimer", 316 "setpgid", 317 "setpriority", 318 "setregid", 319 "setregid32", 320 "setresgid", 321 "setresgid32", 322 "setresuid", 323 "setresuid32", 324 "setreuid", 325 "setreuid32", 326 "setrlimit", 327 "set_robust_list", 328 "setsid", 329 "setsockopt", 330 "set_thread_area", 331 "set_tid_address", 332 "setuid", 333 "setuid32", 334 "setxattr", 335 "shmat", 336 "shmctl", 337 "shmdt", 338 "shmget", 339 "shutdown", 340 "sigaltstack", 341 "signalfd", 342 "signalfd4", 343 "sigprocmask", 344 "sigreturn", 345 "socket", 346 "socketcall", 347 "socketpair", 348 "splice", 349 "stat", 350 "stat64", 351 "statfs", 352 "statfs64", 353 "statx", 354 "symlink", 355 "symlinkat", 356 "sync", 357 "sync_file_range", 358 "syncfs", 359 "sysinfo", 360 "tee", 361 "tgkill", 362 "time", 363 "timer_create", 364 "timer_delete", 365 "timer_getoverrun", 366 "timer_gettime", 367 "timer_gettime64", 368 "timer_settime", 369 "timer_settime64", 370 "timerfd_create", 371 "timerfd_gettime", 372 "timerfd_gettime64", 373 "timerfd_settime", 374 "timerfd_settime64", 375 "times", 376 "tkill", 377 "truncate", 378 "truncate64", 379 "ugetrlimit", 380 "umask", 381 "uname", 382 "unlink", 383 "unlinkat", 384 "utime", 385 "utimensat", 386 "utimensat_time64", 387 "utimes", 388 "vfork", 389 "vmsplice", 390 "wait4", 391 "waitid", 392 "waitpid", 393 "write", 394 "writev" 395 ], 396 "action": "SCMP_ACT_ALLOW", 397 "args": [], 398 "comment": "", 399 "includes": {}, 400 "excludes": {} 401 }, 402 { 403 "names": [ 404 "ptrace" 405 ], 406 "action": "SCMP_ACT_ALLOW", 407 "args": null, 408 "comment": "", 409 "includes": { 410 "minKernel": "4.8" 411 }, 412 "excludes": {} 413 }, 414 { 415 "names": [ 416 "personality" 417 ], 418 "action": "SCMP_ACT_ALLOW", 419 "args": [ 420 { 421 "index": 0, 422 "value": 0, 423 "op": "SCMP_CMP_EQ" 424 } 425 ], 426 "comment": "", 427 "includes": {}, 428 "excludes": {} 429 }, 430 { 431 "names": [ 432 "personality" 433 ], 434 "action": "SCMP_ACT_ALLOW", 435 "args": [ 436 { 437 "index": 0, 438 "value": 8, 439 "op": "SCMP_CMP_EQ" 440 } 441 ], 442 "comment": "", 443 "includes": {}, 444 "excludes": {} 445 }, 446 { 447 "names": [ 448 "personality" 449 ], 450 "action": "SCMP_ACT_ALLOW", 451 "args": [ 452 { 453 "index": 0, 454 "value": 131072, 455 "op": "SCMP_CMP_EQ" 456 } 457 ], 458 "comment": "", 459 "includes": {}, 460 "excludes": {} 461 }, 462 { 463 "names": [ 464 "personality" 465 ], 466 "action": "SCMP_ACT_ALLOW", 467 "args": [ 468 { 469 "index": 0, 470 "value": 131080, 471 "op": "SCMP_CMP_EQ" 472 } 473 ], 474 "comment": "", 475 "includes": {}, 476 "excludes": {} 477 }, 478 { 479 "names": [ 480 "personality" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [ 484 { 485 "index": 0, 486 "value": 4294967295, 487 "op": "SCMP_CMP_EQ" 488 } 489 ], 490 "comment": "", 491 "includes": {}, 492 "excludes": {} 493 }, 494 { 495 "names": [ 496 "sync_file_range2" 497 ], 498 "action": "SCMP_ACT_ALLOW", 499 "args": [], 500 "comment": "", 501 "includes": { 502 "arches": [ 503 "ppc64le" 504 ] 505 }, 506 "excludes": {} 507 }, 508 { 509 "names": [ 510 "arm_fadvise64_64", 511 "arm_sync_file_range", 512 "sync_file_range2", 513 "breakpoint", 514 "cacheflush", 515 "set_tls" 516 ], 517 "action": "SCMP_ACT_ALLOW", 518 "args": [], 519 "comment": "", 520 "includes": { 521 "arches": [ 522 "arm", 523 "arm64" 524 ] 525 }, 526 "excludes": {} 527 }, 528 { 529 "names": [ 530 "arch_prctl" 531 ], 532 "action": "SCMP_ACT_ALLOW", 533 "args": [], 534 "comment": "", 535 "includes": { 536 "arches": [ 537 "amd64", 538 "x32" 539 ] 540 }, 541 "excludes": {} 542 }, 543 { 544 "names": [ 545 "modify_ldt" 546 ], 547 "action": "SCMP_ACT_ALLOW", 548 "args": [], 549 "comment": "", 550 "includes": { 551 "arches": [ 552 "amd64", 553 "x32", 554 "x86" 555 ] 556 }, 557 "excludes": {} 558 }, 559 { 560 "names": [ 561 "s390_pci_mmio_read", 562 "s390_pci_mmio_write", 563 "s390_runtime_instr" 564 ], 565 "action": "SCMP_ACT_ALLOW", 566 "args": [], 567 "comment": "", 568 "includes": { 569 "arches": [ 570 "s390", 571 "s390x" 572 ] 573 }, 574 "excludes": {} 575 }, 576 { 577 "names": [ 578 "open_by_handle_at" 579 ], 580 "action": "SCMP_ACT_ALLOW", 581 "args": [], 582 "comment": "", 583 "includes": { 584 "caps": [ 585 "CAP_DAC_READ_SEARCH" 586 ] 587 }, 588 "excludes": {} 589 }, 590 { 591 "names": [ 592 "bpf", 593 "clone", 594 "fanotify_init", 595 "fsconfig", 596 "fsmount", 597 "fsopen", 598 "fspick", 599 "lookup_dcookie", 600 "mount", 601 "move_mount", 602 "name_to_handle_at", 603 "open_tree", 604 "perf_event_open", 605 "quotactl", 606 "setdomainname", 607 "sethostname", 608 "setns", 609 "syslog", 610 "umount", 611 "umount2", 612 "unshare" 613 ], 614 "action": "SCMP_ACT_ALLOW", 615 "args": [], 616 "comment": "", 617 "includes": { 618 "caps": [ 619 "CAP_SYS_ADMIN" 620 ] 621 }, 622 "excludes": {} 623 }, 624 { 625 "names": [ 626 "clone" 627 ], 628 "action": "SCMP_ACT_ALLOW", 629 "args": [ 630 { 631 "index": 0, 632 "value": 2114060288, 633 "op": "SCMP_CMP_MASKED_EQ" 634 } 635 ], 636 "comment": "", 637 "includes": {}, 638 "excludes": { 639 "caps": [ 640 "CAP_SYS_ADMIN" 641 ], 642 "arches": [ 643 "s390", 644 "s390x" 645 ] 646 } 647 }, 648 { 649 "names": [ 650 "clone" 651 ], 652 "action": "SCMP_ACT_ALLOW", 653 "args": [ 654 { 655 "index": 1, 656 "value": 2114060288, 657 "op": "SCMP_CMP_MASKED_EQ" 658 } 659 ], 660 "comment": "s390 parameter ordering for clone is different", 661 "includes": { 662 "arches": [ 663 "s390", 664 "s390x" 665 ] 666 }, 667 "excludes": { 668 "caps": [ 669 "CAP_SYS_ADMIN" 670 ] 671 } 672 }, 673 { 674 "names": [ 675 "reboot" 676 ], 677 "action": "SCMP_ACT_ALLOW", 678 "args": [], 679 "comment": "", 680 "includes": { 681 "caps": [ 682 "CAP_SYS_BOOT" 683 ] 684 }, 685 "excludes": {} 686 }, 687 { 688 "names": [ 689 "chroot" 690 ], 691 "action": "SCMP_ACT_ALLOW", 692 "args": [], 693 "comment": "", 694 "includes": { 695 "caps": [ 696 "CAP_SYS_CHROOT" 697 ] 698 }, 699 "excludes": {} 700 }, 701 { 702 "names": [ 703 "delete_module", 704 "init_module", 705 "finit_module" 706 ], 707 "action": "SCMP_ACT_ALLOW", 708 "args": [], 709 "comment": "", 710 "includes": { 711 "caps": [ 712 "CAP_SYS_MODULE" 713 ] 714 }, 715 "excludes": {} 716 }, 717 { 718 "names": [ 719 "acct" 720 ], 721 "action": "SCMP_ACT_ALLOW", 722 "args": [], 723 "comment": "", 724 "includes": { 725 "caps": [ 726 "CAP_SYS_PACCT" 727 ] 728 }, 729 "excludes": {} 730 }, 731 { 732 "names": [ 733 "kcmp", 734 "pidfd_getfd", 735 "process_madvise", 736 "process_vm_readv", 737 "process_vm_writev", 738 "ptrace" 739 ], 740 "action": "SCMP_ACT_ALLOW", 741 "args": [], 742 "comment": "", 743 "includes": { 744 "caps": [ 745 "CAP_SYS_PTRACE" 746 ] 747 }, 748 "excludes": {} 749 }, 750 { 751 "names": [ 752 "iopl", 753 "ioperm" 754 ], 755 "action": "SCMP_ACT_ALLOW", 756 "args": [], 757 "comment": "", 758 "includes": { 759 "caps": [ 760 "CAP_SYS_RAWIO" 761 ] 762 }, 763 "excludes": {} 764 }, 765 { 766 "names": [ 767 "settimeofday", 768 "stime", 769 "clock_settime" 770 ], 771 "action": "SCMP_ACT_ALLOW", 772 "args": [], 773 "comment": "", 774 "includes": { 775 "caps": [ 776 "CAP_SYS_TIME" 777 ] 778 }, 779 "excludes": {} 780 }, 781 { 782 "names": [ 783 "vhangup" 784 ], 785 "action": "SCMP_ACT_ALLOW", 786 "args": [], 787 "comment": "", 788 "includes": { 789 "caps": [ 790 "CAP_SYS_TTY_CONFIG" 791 ] 792 }, 793 "excludes": {} 794 }, 795 { 796 "names": [ 797 "get_mempolicy", 798 "mbind", 799 "set_mempolicy" 800 ], 801 "action": "SCMP_ACT_ALLOW", 802 "args": [], 803 "comment": "", 804 "includes": { 805 "caps": [ 806 "CAP_SYS_NICE" 807 ] 808 }, 809 "excludes": {} 810 }, 811 { 812 "names": [ 813 "syslog" 814 ], 815 "action": "SCMP_ACT_ALLOW", 816 "args": [], 817 "comment": "", 818 "includes": { 819 "caps": [ 820 "CAP_SYSLOG" 821 ] 822 }, 823 "excludes": {} 824 } 825 ] 826 }