// +build linux,seccomp

package seccomp

import (
	"syscall"

	"github.com/docker/engine-api/types"
	"github.com/opencontainers/specs/specs-go"
	libseccomp "github.com/seccomp/libseccomp-golang"
)

// arches returns the seccomp architectures the default profile is declared
// for, derived from the native architecture libseccomp reports. Each known
// native architecture maps to a fixed set that also names its compat ABIs
// (for example amd64 yields x86_64, x86 and x32). An unrecognised native
// architecture, or a failure to query it, yields an empty list.
func arches() []types.Arch {
	native, err := libseccomp.GetNativeArch()
	if err != nil {
		return []types.Arch{}
	}
	switch native.String() {
	case "amd64":
		return []types.Arch{types.ArchX86_64, types.ArchX86, types.ArchX32}
	case "arm64":
		return []types.Arch{types.ArchARM, types.ArchAARCH64}
	case "mips64", "mips64n32":
		return []types.Arch{types.ArchMIPS, types.ArchMIPS64, types.ArchMIPS64N32}
	case "mipsel64", "mipsel64n32":
		return []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64, types.ArchMIPSEL64N32}
	case "s390x":
		return []types.Arch{types.ArchS390, types.ArchS390X}
	}
	// Anything else (including the 32-bit natives "arm", "x86", "mips",
	// "s390") is not mapped and gets no architecture list.
	return []types.Arch{}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
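// The profile is an allow-list: any syscall not matched by a rule falls to
// DefaultAction (ActErrno). Rules are appended in four groups, in this order:
// the unconditional base set, a few calls specific to the native architecture
// libseccomp reports, calls unlocked by the capabilities listed in
// rs.Process.Capabilities, and finally a restricted clone(2) rule that is
// only added when CAP_SYS_ADMIN is absent. A nil rs is treated as a spec
// that grants no capabilities.
func DefaultProfile(rs *specs.Spec) *types.Seccomp {
	// Base set, allowed regardless of architecture or capabilities.
	syscalls := allowSyscalls(
		"accept",
		"accept4",
		"access",
		"alarm",
		"bind",
		"brk",
		"capget",
		"capset",
		"chdir",
		"chmod",
		"chown",
		"chown32",
		"clock_getres",
		"clock_gettime",
		"clock_nanosleep",
		"close",
		"connect",
		"copy_file_range",
		"creat",
		"dup",
		"dup2",
		"dup3",
		"epoll_create",
		"epoll_create1",
		"epoll_ctl",
		"epoll_ctl_old",
		"epoll_pwait",
		"epoll_wait",
		"epoll_wait_old",
		"eventfd",
		"eventfd2",
		"execve",
		"execveat",
		"exit",
		"exit_group",
		"faccessat",
		"fadvise64",
		"fadvise64_64",
		"fallocate",
		"fanotify_mark",
		"fchdir",
		"fchmod",
		"fchmodat",
		"fchown",
		"fchown32",
		"fchownat",
		"fcntl",
		"fcntl64",
		"fdatasync",
		"fgetxattr",
		"flistxattr",
		"flock",
		"fork",
		"fremovexattr",
		"fsetxattr",
		"fstat",
		"fstat64",
		"fstatat64",
		"fstatfs",
		"fstatfs64",
		"fsync",
		"ftruncate",
		"ftruncate64",
		"futex",
		"futimesat",
		"getcpu",
		"getcwd",
		"getdents",
		"getdents64",
		"getegid",
		"getegid32",
		"geteuid",
		"geteuid32",
		"getgid",
		"getgid32",
		"getgroups",
		"getgroups32",
		"getitimer",
		"getpeername",
		"getpgid",
		"getpgrp",
		"getpid",
		"getppid",
		"getpriority",
		"getrandom",
		"getresgid",
		"getresgid32",
		"getresuid",
		"getresuid32",
		"getrlimit",
		"get_robust_list",
		"getrusage",
		"getsid",
		"getsockname",
		"getsockopt",
		"get_thread_area",
		"gettid",
		"gettimeofday",
		"getuid",
		"getuid32",
		"getxattr",
		"inotify_add_watch",
		"inotify_init",
		"inotify_init1",
		"inotify_rm_watch",
		"io_cancel",
		"ioctl",
		"io_destroy",
		"io_getevents",
		"ioprio_get",
		"ioprio_set",
		"io_setup",
		"io_submit",
		"ipc",
		"kill",
		"lchown",
		"lchown32",
		"lgetxattr",
		"link",
		"linkat",
		"listen",
		"listxattr",
		"llistxattr",
		"_llseek",
		"lremovexattr",
		"lseek",
		"lsetxattr",
		"lstat",
		"lstat64",
		"madvise",
		"memfd_create",
		"mincore",
		"mkdir",
		"mkdirat",
		"mknod",
		"mknodat",
		"mlock",
		"mlock2",
		"mlockall",
		"mmap",
		"mmap2",
		"mprotect",
		"mq_getsetattr",
		"mq_notify",
		"mq_open",
		"mq_timedreceive",
		"mq_timedsend",
		"mq_unlink",
		"mremap",
		"msgctl",
		"msgget",
		"msgrcv",
		"msgsnd",
		"msync",
		"munlock",
		"munlockall",
		"munmap",
		"nanosleep",
		"newfstatat",
		"_newselect",
		"open",
		"openat",
		"pause",
	)

	// personality(2) is not allowed unconditionally: only three first-argument
	// values pass. 0x0 and 0x0008 are PER_LINUX and PER_LINUX32 from
	// <linux/personality.h>; 0xffffffff is the query value that leaves the
	// current personality unchanged.
	syscalls = append(syscalls,
		allowPersonality(0x0),
		allowPersonality(0x0008),
		allowPersonality(0xffffffff),
	)

	syscalls = append(syscalls, allowSyscalls(
		"pipe",
		"pipe2",
		"poll",
		"ppoll",
		"prctl",
		"pread64",
		"preadv",
		"prlimit64",
		"pselect6",
		"pwrite64",
		"pwritev",
		"read",
		"readahead",
		"readlink",
		"readlinkat",
		"readv",
		"recv",
		"recvfrom",
		"recvmmsg",
		"recvmsg",
		"remap_file_pages",
		"removexattr",
		"rename",
		"renameat",
		"renameat2",
		"restart_syscall",
		"rmdir",
		"rt_sigaction",
		"rt_sigpending",
		"rt_sigprocmask",
		"rt_sigqueueinfo",
		"rt_sigreturn",
		"rt_sigsuspend",
		"rt_sigtimedwait",
		"rt_tgsigqueueinfo",
		"sched_getaffinity",
		"sched_getattr",
		"sched_getparam",
		"sched_get_priority_max",
		"sched_get_priority_min",
		"sched_getscheduler",
		"sched_rr_get_interval",
		"sched_setaffinity",
		"sched_setattr",
		"sched_setparam",
		"sched_setscheduler",
		"sched_yield",
		"seccomp",
		"select",
		"semctl",
		"semget",
		"semop",
		"semtimedop",
		"send",
		"sendfile",
		"sendfile64",
		"sendmmsg",
		"sendmsg",
		"sendto",
		"setfsgid",
		"setfsgid32",
		"setfsuid",
		"setfsuid32",
		"setgid",
		"setgid32",
		"setgroups",
		"setgroups32",
		"setitimer",
		"setpgid",
		"setpriority",
		"setregid",
		"setregid32",
		"setresgid",
		"setresgid32",
		"setresuid",
		"setresuid32",
		"setreuid",
		"setreuid32",
		"setrlimit",
		"set_robust_list",
		"setsid",
		"setsockopt",
		"set_thread_area",
		"set_tid_address",
		"setuid",
		"setuid32",
		"setxattr",
		"shmat",
		"shmctl",
		"shmdt",
		"shmget",
		"shutdown",
		"sigaltstack",
		"signalfd",
		"signalfd4",
		"sigreturn",
		"socket",
		"socketcall",
		"socketpair",
		"splice",
		"stat",
		"stat64",
		"statfs",
		"statfs64",
		"symlink",
		"symlinkat",
		"sync",
		"sync_file_range",
		"syncfs",
		"sysinfo",
		"syslog",
		"tee",
		"tgkill",
		"time",
		"timer_create",
		"timer_delete",
		"timerfd_create",
		"timerfd_gettime",
		"timerfd_settime",
		"timer_getoverrun",
		"timer_gettime",
		"timer_settime",
		"times",
		"tkill",
		"truncate",
		"truncate64",
		"ugetrlimit",
		"umask",
		"uname",
		"unlink",
		"unlinkat",
		"utime",
		"utimensat",
		"utimes",
		"vfork",
		"vmsplice",
		"wait4",
		"waitid",
		"waitpid",
		"write",
		"writev",
	)...)

	// Architecture-specific additions. If the native architecture cannot be
	// determined, arch stays "" and none of the cases match.
	// NOTE(review): this switch handles the 32-bit natives "arm", "x86" and
	// "s390", for which arches() returns an empty architecture list; confirm
	// that asymmetry is intended.
	var sysCloneFlagsIndex uint
	var arch string
	if native, err := libseccomp.GetNativeArch(); err == nil {
		arch = native.String()
	}
	switch arch {
	case "arm", "arm64":
		syscalls = append(syscalls, allowSyscalls("breakpoint", "cacheflush", "set_tls")...)
	case "amd64", "x32":
		syscalls = append(syscalls, allowSyscalls("arch_prctl")...)
		fallthrough
	case "x86":
		syscalls = append(syscalls, allowSyscalls("modify_ldt")...)
	case "s390", "s390x":
		syscalls = append(syscalls, allowSyscalls("s390_pci_mmio_read", "s390_pci_mmio_write", "s390_runtime_instr")...)
		// The flags parameter of clone(2) is the second argument on s390.
		sysCloneFlagsIndex = 1
	}

	// Capability-gated additions: a syscall is only allowed when the spec
	// grants the capability the kernel would demand for it anyway.
	capSysAdmin := false
	if rs != nil {
		for _, c := range rs.Process.Capabilities {
			if c == "CAP_SYS_ADMIN" {
				capSysAdmin = true
			}
			syscalls = append(syscalls, capabilityRules(c)...)
		}
	}

	if !capSysAdmin {
		// Without CAP_SYS_ADMIN, clone(2) is allowed only when its flags
		// argument has none of the namespace-creating CLONE_NEW* bits set.
		// OpMaskedEqual tests (flags & Value) == ValueTwo, and ValueTwo is 0.
		syscalls = append(syscalls, &types.Syscall{
			Name:   "clone",
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    sysCloneFlagsIndex,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
		})
	}

	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		Architectures: arches(),
		Syscalls:      syscalls,
	}
}

// allowSyscalls builds one unconditional allow rule (no argument filters)
// per syscall name, preserving the order given.
func allowSyscalls(names ...string) []*types.Syscall {
	rules := make([]*types.Syscall, 0, len(names))
	for _, name := range names {
		rules = append(rules, &types.Syscall{
			Name:   name,
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		})
	}
	return rules
}

// allowPersonality builds an allow rule for personality(2) that matches only
// when the first argument equals value.
func allowPersonality(value uint64) *types.Syscall {
	return &types.Syscall{
		Name:   "personality",
		Action: types.ActAllow,
		Args: []*types.Arg{
			{
				Index: 0,
				Value: value,
				Op:    types.OpEqualTo,
			},
		},
	}
}

// capabilityRules returns the allow rules unlocked by a single capability
// name, or nil for a capability that unlocks nothing extra.
func capabilityRules(capName string) []*types.Syscall {
	switch capName {
	case "CAP_DAC_READ_SEARCH":
		return allowSyscalls("name_to_handle_at", "open_by_handle_at")
	case "CAP_SYS_ADMIN":
		return allowSyscalls(
			"bpf",
			"clone",
			"fanotify_init",
			"lookup_dcookie",
			"mount",
			"perf_event_open",
			"setdomainname",
			"sethostname",
			"setns",
			"umount",
			"umount2",
			"unshare",
		)
	case "CAP_SYS_BOOT":
		return allowSyscalls("reboot")
	case "CAP_SYS_CHROOT":
		return allowSyscalls("chroot")
	case "CAP_SYS_MODULE":
		return allowSyscalls("delete_module", "init_module", "finit_module", "query_module")
	case "CAP_SYS_PACCT":
		return allowSyscalls("acct")
	case "CAP_SYS_PTRACE":
		return allowSyscalls("kcmp", "process_vm_readv", "process_vm_writev", "ptrace")
	case "CAP_SYS_RAWIO":
		return allowSyscalls("iopl", "ioperm")
	case "CAP_SYS_TIME":
		return allowSyscalls("settimeofday", "stime", "adjtimex")
	case "CAP_SYS_TTY_CONFIG":
		return allowSyscalls("vhangup")
	}
	return nil
}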