// +build seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile. Each
// entry pairs a primary architecture with the sub-architectures that are
// listed next to it (for example x86_64 with the x86 and x32 ABIs).
// NOTE(review): the consumer of ArchMap is not in this file; the pairing
// presumably makes the filter cover the compat ABIs of the host as well —
// confirm against where ArchMap is read.
func arches() []Architecture {
	// entry builds a single Architecture; the variadic keeps the table
	// readable as one line per primary architecture.
	entry := func(primary specs.Arch, subs ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: subs}
	}
	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile() *Seccomp {
	// The profile is an allowlist: every entry below is ActAllow, and the
	// DefaultAction returned at the bottom (ActErrno) denies anything that
	// matches no entry. Entries with Includes/Excludes are only installed
	// when the container's capabilities, architecture or kernel version
	// satisfy the filter; how those filters are evaluated lives outside
	// this file.
	syscalls := []*Syscall{
		// Unconditional allowlist: no argument filtering and no capability,
		// architecture or kernel condition. Args is an empty, non-nil slice
		// here (it encodes as [] rather than null in the JSON form of the
		// profile), which is why it is spelled out rather than omitted.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"close_range",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_pwait2",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_open",
				"pidfd_send_signal",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rseq",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
		},
		// ptrace without any capability, but only on kernels >= 4.8
		// (MinKernel). Note this entry has no Args field at all (nil),
		// unlike the unconditional entry above. The version gate is
		// presumably because 4.8 started running seccomp before the
		// ptrace syscall-entry hook, so a tracer can no longer rewrite a
		// syscall after the filter has accepted it — confirm against the
		// kernel history if the threshold is ever changed.
		{
			Names:  []string{"ptrace"},
			Action: specs.ActAllow,
			Includes: Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality is allowed only for an exact set of argument values;
		// each accepted value gets its own OpEqualTo entry. Any other value
		// falls through to DefaultAction.
		// 0x0 is PER_LINUX.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x0008 is PER_LINUX32.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x20000 is UNAME26 (report a 2.6.x kernel version).
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x20008 is UNAME26 | PER_LINUX32.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0xffffffff queries the current personality without changing it.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, gated by Includes.Arches. The
		// architecture names here are the runtime's own strings, not the
		// specs.Arch constants used by arches().
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls (Includes.Caps): each group is only
		// allowed when the container holds the named capability. Denying
		// them otherwise is defence in depth on top of the capability check
		// the kernel already performs.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// With CAP_SYS_ADMIN, clone (and the namespace/mount syscalls below)
		// are allowed with no argument filtering; the two masked clone
		// entries that follow only apply in the non-CAP_SYS_ADMIN case.
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"fsconfig",
				"fsmount",
				"fsopen",
				"fspick",
				"lookup_dcookie",
				"mount",
				"move_mount",
				"name_to_handle_at",
				"open_tree",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creating flags are set: OpMaskedEqual checks
		// (arg & Value) == ValueTwo, i.e. (flags & <CLONE_NEW* mask>) == 0.
		// Index 0 is the flags argument on every architecture except s390,
		// which is excluded here and handled by the next entry.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Excludes: Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same namespace-flag mask as above, but for s390/s390x, where the
		// flags are the second clone argument (Index 1). Keep the two masks
		// in sync if either is changed.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// ptrace appears here a second time: with CAP_SYS_PTRACE it is
		// allowed regardless of kernel version, together with the other
		// cross-process inspection syscalls.
		{
			Names: []string{
				"kcmp",
				"pidfd_getfd",
				"process_madvise",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// syslog is also listed in the CAP_SYS_ADMIN group above; either
		// capability is sufficient.
		{
			Names: []string{
				"syslog",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Anything not matched above is rejected with an errno (ActErrno)
	// rather than killing the process.
	// NOTE(review): clone3 is not in any entry, so it is denied by
	// DefaultAction. A libc that probes clone3 and only falls back to clone
	// on ENOSYS will fail under this profile if the errno returned is not
	// ENOSYS; which errno ActErrno yields is decided outside this file —
	// confirm before relying on the fallback.
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}