github.com/apptainer/singularity@v3.1.1+incompatible/etc/seccomp-profiles/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 
"futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "preadv2", 227 "prlimit64", 228 "pselect6", 229 "pwrite64", 230 "pwritev", 231 "pwritev2", 232 "read", 233 "readahead", 234 "readlink", 235 "readlinkat", 236 "readv", 237 "recv", 238 "recvfrom", 239 "recvmmsg", 240 "recvmsg", 241 "remap_file_pages", 242 "removexattr", 243 
"rename", 244 "renameat", 245 "renameat2", 246 "restart_syscall", 247 "rmdir", 248 "rt_sigaction", 249 "rt_sigpending", 250 "rt_sigprocmask", 251 "rt_sigqueueinfo", 252 "rt_sigreturn", 253 "rt_sigsuspend", 254 "rt_sigtimedwait", 255 "rt_tgsigqueueinfo", 256 "sched_getaffinity", 257 "sched_getattr", 258 "sched_getparam", 259 "sched_get_priority_max", 260 "sched_get_priority_min", 261 "sched_getscheduler", 262 "sched_rr_get_interval", 263 "sched_setaffinity", 264 "sched_setattr", 265 "sched_setparam", 266 "sched_setscheduler", 267 "sched_yield", 268 "seccomp", 269 "select", 270 "semctl", 271 "semget", 272 "semop", 273 "semtimedop", 274 "send", 275 "sendfile", 276 "sendfile64", 277 "sendmmsg", 278 "sendmsg", 279 "sendto", 280 "setfsgid", 281 "setfsgid32", 282 "setfsuid", 283 "setfsuid32", 284 "setgid", 285 "setgid32", 286 "setgroups", 287 "setgroups32", 288 "setitimer", 289 "setpgid", 290 "setpriority", 291 "setregid", 292 "setregid32", 293 "setresgid", 294 "setresgid32", 295 "setresuid", 296 "setresuid32", 297 "setreuid", 298 "setreuid32", 299 "setrlimit", 300 "set_robust_list", 301 "setsid", 302 "setsockopt", 303 "set_thread_area", 304 "set_tid_address", 305 "setuid", 306 "setuid32", 307 "setxattr", 308 "shmat", 309 "shmctl", 310 "shmdt", 311 "shmget", 312 "shutdown", 313 "sigaltstack", 314 "signalfd", 315 "signalfd4", 316 "sigreturn", 317 "socket", 318 "socketcall", 319 "socketpair", 320 "splice", 321 "stat", 322 "stat64", 323 "statfs", 324 "statfs64", 325 "symlink", 326 "symlinkat", 327 "sync", 328 "sync_file_range", 329 "syncfs", 330 "sysinfo", 331 "syslog", 332 "tee", 333 "tgkill", 334 "time", 335 "timer_create", 336 "timer_delete", 337 "timerfd_create", 338 "timerfd_gettime", 339 "timerfd_settime", 340 "timer_getoverrun", 341 "timer_gettime", 342 "timer_settime", 343 "times", 344 "tkill", 345 "truncate", 346 "truncate64", 347 "ugetrlimit", 348 "umask", 349 "uname", 350 "unlink", 351 "unlinkat", 352 "utime", 353 "utimensat", 354 "utimes", 355 "vfork", 356 
"vmsplice", 357 "wait4", 358 "waitid", 359 "waitpid", 360 "write", 361 "writev", 362 "mount", 363 "umount2", 364 "reboot", 365 "name_to_handle_at", 366 "unshare" 367 ], 368 "action": "SCMP_ACT_ALLOW", 369 "args": [], 370 "comment": "Unconditional allow-list. mount, umount2, reboot, name_to_handle_at and unshare are listed here with empty includes/excludes, so seccomp allows them regardless of capabilities; the CAP_SYS_ADMIN and CAP_SYS_BOOT rules further down that name the same calls add nothing for them. Only the kernel's own permission checks remain for these calls.", 371 "includes": {}, 372 "excludes": {} 373 }, 374 { 375 "names": [ 376 "personality" 377 ], 378 "action": "SCMP_ACT_ALLOW", 379 "args": [ 380 { 381 "index": 0, 382 "value": 0, 383 "valueTwo": 0, 384 "op": "SCMP_CMP_EQ" 385 } 386 ], 387 "comment": "PER_LINUX (0x0)", 388 "includes": {}, 389 "excludes": {} 390 }, 391 { 392 "names": [ 393 "personality" 394 ], 395 "action": "SCMP_ACT_ALLOW", 396 "args": [ 397 { 398 "index": 0, 399 "value": 8, 400 "valueTwo": 0, 401 "op": "SCMP_CMP_EQ" 402 } 403 ], 404 "comment": "PER_LINUX32 (0x0008)", 405 "includes": {}, 406 "excludes": {} 407 }, 408 { 409 "names": [ 410 "personality" 411 ], 412 "action": "SCMP_ACT_ALLOW", 413 "args": [ 414 { 415 "index": 0, 416 "value": 131072, 417 "valueTwo": 0, 418 "op": "SCMP_CMP_EQ" 419 } 420 ], 421 "comment": "UNAME26 (0x0020000)", 422 "includes": {}, 423 "excludes": {} 424 }, 425 { 426 "names": [ 427 "personality" 428 ], 429 "action": "SCMP_ACT_ALLOW", 430 "args": [ 431 { 432 "index": 0, 433 "value": 131080, 434 "valueTwo": 0, 435 "op": "SCMP_CMP_EQ" 436 } 437 ], 438 "comment": "PER_LINUX32 | UNAME26 (0x0020008)", 439 "includes": {}, 440 "excludes": {} 441 }, 442 { 443 "names": [ 444 "personality" 445 ], 446 "action": "SCMP_ACT_ALLOW", 447 "args": [ 448 { 449 "index": 0, 450 "value": 4294967295, 451 "valueTwo": 0, 452 "op": "SCMP_CMP_EQ" 453 } 454 ], 455 "comment": "0xffffffff: query the current personality without changing it", 456 "includes": {}, 457 "excludes": {} 458 }, 459 { 460 "names": [ 461 "sync_file_range2" 462 ], 463 "action": "SCMP_ACT_ALLOW", 464 "args": [], 465 "comment": "", 466 "includes": { 467 "arches": [ 468 "ppc64le" 469 ] 470 }, 471 "excludes": {} 472 }, 473 { 474 "names": [ 475 "arm_fadvise64_64", 476 "arm_sync_file_range", 477 "sync_file_range2", 478 "breakpoint", 479 "cacheflush", 480 "set_tls" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [], 484 "comment": "", 485 "includes": { 
486 "arches": [ 487 "arm", 488 "arm64" 489 ] 490 }, 491 "excludes": {} 492 }, 493 { 494 "names": [ 495 "arch_prctl" 496 ], 497 "action": "SCMP_ACT_ALLOW", 498 "args": [], 499 "comment": "", 500 "includes": { 501 "arches": [ 502 "amd64", 503 "x32" 504 ] 505 }, 506 "excludes": {} 507 }, 508 { 509 "names": [ 510 "modify_ldt" 511 ], 512 "action": "SCMP_ACT_ALLOW", 513 "args": [], 514 "comment": "", 515 "includes": { 516 "arches": [ 517 "amd64", 518 "x32", 519 "x86" 520 ] 521 }, 522 "excludes": {} 523 }, 524 { 525 "names": [ 526 "s390_pci_mmio_read", 527 "s390_pci_mmio_write", 528 "s390_runtime_instr" 529 ], 530 "action": "SCMP_ACT_ALLOW", 531 "args": [], 532 "comment": "", 533 "includes": { 534 "arches": [ 535 "s390", 536 "s390x" 537 ] 538 }, 539 "excludes": {} 540 }, 541 { 542 "names": [ 543 "open_by_handle_at" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "args": [], 547 "comment": "", 548 "includes": { 549 "caps": [ 550 "CAP_DAC_READ_SEARCH" 551 ] 552 }, 553 "excludes": {} 554 }, 555 { 556 "names": [ 557 "bpf", 558 "clone", 559 "fanotify_init", 560 "lookup_dcookie", 561 "mount", 562 "name_to_handle_at", 563 "perf_event_open", 564 "quotactl", 565 "setdomainname", 566 "sethostname", 567 "setns", 568 "umount", 569 "umount2", 570 "unshare" 571 ], 572 "action": "SCMP_ACT_ALLOW", 573 "args": [], 574 "comment": "", 575 "includes": { 576 "caps": [ 577 "CAP_SYS_ADMIN" 578 ] 579 }, 580 "excludes": {} 581 }, 582 { 583 "names": [ 584 "clone" 585 ], 586 "action": "SCMP_ACT_ALLOW", 587 "args": [ 588 { 589 "index": 0, 590 "value": 2080505856, 591 "valueTwo": 0, 592 "op": "SCMP_CMP_MASKED_EQ" 593 } 594 ], 595 "comment": "value is the mask 0x7C020000 (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET): without CAP_SYS_ADMIN, clone is allowed only when none of these flags is set. CLONE_NEWCGROUP (0x02000000) is not part of the mask.", 596 "includes": {}, 597 "excludes": { 598 "caps": [ 599 "CAP_SYS_ADMIN" 600 ], 601 "arches": [ 602 "s390", 603 "s390x" 604 ] 605 } 606 }, 607 { 608 "names": [ 609 "clone" 610 ], 611 "action": "SCMP_ACT_ALLOW", 612 "args": [ 613 { 614 "index": 1, 615 "value": 2080505856, 616 "valueTwo": 0, 617 "op": "SCMP_CMP_MASKED_EQ" 618 } 619 ], 620 "comment": "s390 parameter 
ordering for clone is different", 621 "includes": { 622 "arches": [ 623 "s390", 624 "s390x" 625 ] 626 }, 627 "excludes": { 628 "caps": [ 629 "CAP_SYS_ADMIN" 630 ] 631 } 632 }, 633 { 634 "names": [ 635 "reboot" 636 ], 637 "action": "SCMP_ACT_ALLOW", 638 "args": [], 639 "comment": "", 640 "includes": { 641 "caps": [ 642 "CAP_SYS_BOOT" 643 ] 644 }, 645 "excludes": {} 646 }, 647 { 648 "names": [ 649 "chroot" 650 ], 651 "action": "SCMP_ACT_ALLOW", 652 "args": [], 653 "comment": "", 654 "includes": { 655 "caps": [ 656 "CAP_SYS_CHROOT" 657 ] 658 }, 659 "excludes": {} 660 }, 661 { 662 "names": [ 663 "delete_module", 664 "init_module", 665 "finit_module", 666 "query_module" 667 ], 668 "action": "SCMP_ACT_ALLOW", 669 "args": [], 670 "comment": "", 671 "includes": { 672 "caps": [ 673 "CAP_SYS_MODULE" 674 ] 675 }, 676 "excludes": {} 677 }, 678 { 679 "names": [ 680 "acct" 681 ], 682 "action": "SCMP_ACT_ALLOW", 683 "args": [], 684 "comment": "", 685 "includes": { 686 "caps": [ 687 "CAP_SYS_PACCT" 688 ] 689 }, 690 "excludes": {} 691 }, 692 { 693 "names": [ 694 "kcmp", 695 "process_vm_readv", 696 "process_vm_writev", 697 "ptrace" 698 ], 699 "action": "SCMP_ACT_ALLOW", 700 "args": [], 701 "comment": "", 702 "includes": { 703 "caps": [ 704 "CAP_SYS_PTRACE" 705 ] 706 }, 707 "excludes": {} 708 }, 709 { 710 "names": [ 711 "iopl", 712 "ioperm" 713 ], 714 "action": "SCMP_ACT_ALLOW", 715 "args": [], 716 "comment": "", 717 "includes": { 718 "caps": [ 719 "CAP_SYS_RAWIO" 720 ] 721 }, 722 "excludes": {} 723 }, 724 { 725 "names": [ 726 "settimeofday", 727 "stime", 728 "clock_settime" 729 ], 730 "action": "SCMP_ACT_ALLOW", 731 "args": [], 732 "comment": "", 733 "includes": { 734 "caps": [ 735 "CAP_SYS_TIME" 736 ] 737 }, 738 "excludes": {} 739 }, 740 { 741 "names": [ 742 "vhangup" 743 ], 744 "action": "SCMP_ACT_ALLOW", 745 "args": [], 746 "comment": "", 747 "includes": { 748 "caps": [ 749 "CAP_SYS_TTY_CONFIG" 750 ] 751 }, 752 "excludes": {} 753 } 754 ] 755 }