github.com/containers/libpod@v1.9.4-0.20220419124438-4284fd425507/seccomp.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 
120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "preadv2", 227 "prlimit64", 228 "pselect6", 229 "pwrite64", 230 "pwritev", 231 "pwritev2", 232 "read", 233 "readahead", 234 "readlink", 235 "readlinkat", 236 "readv", 237 "recv", 238 "recvfrom", 239 "recvmmsg", 240 "recvmsg", 241 "remap_file_pages", 242 "removexattr", 243 "rename", 244 
"renameat", 245 "renameat2", 246 "restart_syscall", 247 "rmdir", 248 "rt_sigaction", 249 "rt_sigpending", 250 "rt_sigprocmask", 251 "rt_sigqueueinfo", 252 "rt_sigreturn", 253 "rt_sigsuspend", 254 "rt_sigtimedwait", 255 "rt_tgsigqueueinfo", 256 "sched_getaffinity", 257 "sched_getattr", 258 "sched_getparam", 259 "sched_get_priority_max", 260 "sched_get_priority_min", 261 "sched_getscheduler", 262 "sched_rr_get_interval", 263 "sched_setaffinity", 264 "sched_setattr", 265 "sched_setparam", 266 "sched_setscheduler", 267 "sched_yield", 268 "seccomp", 269 "select", 270 "semctl", 271 "semget", 272 "semop", 273 "semtimedop", 274 "send", 275 "sendfile", 276 "sendfile64", 277 "sendmmsg", 278 "sendmsg", 279 "sendto", 280 "setfsgid", 281 "setfsgid32", 282 "setfsuid", 283 "setfsuid32", 284 "setgid", 285 "setgid32", 286 "setgroups", 287 "setgroups32", 288 "setitimer", 289 "setpgid", 290 "setpriority", 291 "setregid", 292 "setregid32", 293 "setresgid", 294 "setresgid32", 295 "setresuid", 296 "setresuid32", 297 "setreuid", 298 "setreuid32", 299 "setrlimit", 300 "set_robust_list", 301 "setsid", 302 "setsockopt", 303 "set_thread_area", 304 "set_tid_address", 305 "setuid", 306 "setuid32", 307 "setxattr", 308 "shmat", 309 "shmctl", 310 "shmdt", 311 "shmget", 312 "shutdown", 313 "sigaltstack", 314 "signalfd", 315 "signalfd4", 316 "sigreturn", 317 "socket", 318 "socketcall", 319 "socketpair", 320 "splice", 321 "stat", 322 "stat64", 323 "statfs", 324 "statfs64", 325 "statx", 326 "symlink", 327 "symlinkat", 328 "sync", 329 "sync_file_range", 330 "syncfs", 331 "sysinfo", 332 "tee", 333 "tgkill", 334 "time", 335 "timer_create", 336 "timer_delete", 337 "timerfd_create", 338 "timerfd_gettime", 339 "timerfd_settime", 340 "timer_getoverrun", 341 "timer_gettime", 342 "timer_settime", 343 "times", 344 "tkill", 345 "truncate", 346 "truncate64", 347 "ugetrlimit", 348 "umask", 349 "uname", 350 "unlink", 351 "unlinkat", 352 "utime", 353 "utimensat", 354 "utimes", 355 "vfork", 356 "vmsplice", 357 
"wait4", 358 "waitid", 359 "waitpid", 360 "write", 361 "writev", 362 "mount", 363 "umount2", 364 "reboot", 365 "name_to_handle_at", 366 "unshare" 367 ], 368 "action": "SCMP_ACT_ALLOW", 369 "args": [], 370 "comment": "NOTE(review): mount, umount2, reboot, name_to_handle_at and unshare are appended to this unconditional allow list, so the CAP_SYS_ADMIN / CAP_SYS_BOOT-gated rules for the same syscalls later in this profile never take effect. seccomp only filters the syscall (the kernel's own capability checks still apply), but the default profile's defense in depth for these syscalls (e.g. presumably keeping unprivileged containers from calling unshare) is lost. Confirm this is intended for this build, otherwise drop them from this list and rely on the capability-gated rules.", 371 "includes": {}, 372 "excludes": {} 373 }, 374 { 375 "names": [ 376 "personality" 377 ], 378 "action": "SCMP_ACT_ALLOW", 379 "args": [ 380 { 381 "index": 0, 382 "value": 0, 383 "valueTwo": 0, 384 "op": "SCMP_CMP_EQ" 385 } 386 ], 387 "comment": "", 388 "includes": {}, 389 "excludes": {} 390 }, 391 { 392 "names": [ 393 "personality" 394 ], 395 "action": "SCMP_ACT_ALLOW", 396 "args": [ 397 { 398 "index": 0, 399 "value": 8, 400 "valueTwo": 0, 401 "op": "SCMP_CMP_EQ" 402 } 403 ], 404 "comment": "", 405 "includes": {}, 406 "excludes": {} 407 }, 408 { 409 "names": [ 410 "personality" 411 ], 412 "action": "SCMP_ACT_ALLOW", 413 "args": [ 414 { 415 "index": 0, 416 "value": 131072, 417 "valueTwo": 0, 418 "op": "SCMP_CMP_EQ" 419 } 420 ], 421 "comment": "", 422 "includes": {}, 423 "excludes": {} 424 }, 425 { 426 "names": [ 427 "personality" 428 ], 429 "action": "SCMP_ACT_ALLOW", 430 "args": [ 431 { 432 "index": 0, 433 "value": 131080, 434 "valueTwo": 0, 435 "op": "SCMP_CMP_EQ" 436 } 437 ], 438 "comment": "", 439 "includes": {}, 440 "excludes": {} 441 }, 442 { 443 "names": [ 444 "personality" 445 ], 446 "action": "SCMP_ACT_ALLOW", 447 "args": [ 448 { 449 "index": 0, 450 "value": 4294967295, 451 "valueTwo": 0, 452 "op": "SCMP_CMP_EQ" 453 } 454 ], 455 "comment": "", 456 "includes": {}, 457 "excludes": {} 458 }, 459 { 460 "names": [ 461 "sync_file_range2" 462 ], 463 "action": "SCMP_ACT_ALLOW", 464 "args": [], 465 "comment": "", 466 "includes": { 467 "arches": [ 468 "ppc64le" 469 ] 470 }, 471 "excludes": {} 472 }, 473 { 474 "names": [ 475 "arm_fadvise64_64", 476 "arm_sync_file_range", 477 "sync_file_range2", 478 "breakpoint", 479 "cacheflush", 480 "set_tls" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [], 484 "comment": "", 485 "includes": { 486 "arches": [
487 "arm", 488 "arm64" 489 ] 490 }, 491 "excludes": {} 492 }, 493 { 494 "names": [ 495 "arch_prctl" 496 ], 497 "action": "SCMP_ACT_ALLOW", 498 "args": [], 499 "comment": "", 500 "includes": { 501 "arches": [ 502 "amd64", 503 "x32" 504 ] 505 }, 506 "excludes": {} 507 }, 508 { 509 "names": [ 510 "modify_ldt" 511 ], 512 "action": "SCMP_ACT_ALLOW", 513 "args": [], 514 "comment": "", 515 "includes": { 516 "arches": [ 517 "amd64", 518 "x32", 519 "x86" 520 ] 521 }, 522 "excludes": {} 523 }, 524 { 525 "names": [ 526 "s390_pci_mmio_read", 527 "s390_pci_mmio_write", 528 "s390_runtime_instr" 529 ], 530 "action": "SCMP_ACT_ALLOW", 531 "args": [], 532 "comment": "", 533 "includes": { 534 "arches": [ 535 "s390", 536 "s390x" 537 ] 538 }, 539 "excludes": {} 540 }, 541 { 542 "names": [ 543 "open_by_handle_at" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "args": [], 547 "comment": "", 548 "includes": { 549 "caps": [ 550 "CAP_DAC_READ_SEARCH" 551 ] 552 }, 553 "excludes": {} 554 }, 555 { 556 "names": [ 557 "bpf", 558 "clone", 559 "fanotify_init", 560 "lookup_dcookie", 561 "mount", 562 "name_to_handle_at", 563 "perf_event_open", 564 "quotactl", 565 "setdomainname", 566 "sethostname", 567 "setns", 568 "syslog", 569 "umount", 570 "umount2", 571 "unshare" 572 ], 573 "action": "SCMP_ACT_ALLOW", 574 "args": [], 575 "comment": "", 576 "includes": { 577 "caps": [ 578 "CAP_SYS_ADMIN" 579 ] 580 }, 581 "excludes": {} 582 }, 583 { 584 "names": [ 585 "clone" 586 ], 587 "action": "SCMP_ACT_ALLOW", 588 "args": [ 589 { 590 "index": 0, 591 "value": 2080505856, 592 "valueTwo": 0, 593 "op": "SCMP_CMP_MASKED_EQ" 594 } 595 ], 596 "comment": "", 597 "includes": {}, 598 "excludes": { 599 "caps": [ 600 "CAP_SYS_ADMIN" 601 ], 602 "arches": [ 603 "s390", 604 "s390x" 605 ] 606 } 607 }, 608 { 609 "names": [ 610 "clone" 611 ], 612 "action": "SCMP_ACT_ALLOW", 613 "args": [ 614 { 615 "index": 1, 616 "value": 2080505856, 617 "valueTwo": 0, 618 "op": "SCMP_CMP_MASKED_EQ" 619 } 620 ], 621 "comment": "s390 parameter 
ordering for clone is different", 622 "includes": { 623 "arches": [ 624 "s390", 625 "s390x" 626 ] 627 }, 628 "excludes": { 629 "caps": [ 630 "CAP_SYS_ADMIN" 631 ] 632 } 633 }, 634 { 635 "names": [ 636 "reboot" 637 ], 638 "action": "SCMP_ACT_ALLOW", 639 "args": [], 640 "comment": "", 641 "includes": { 642 "caps": [ 643 "CAP_SYS_BOOT" 644 ] 645 }, 646 "excludes": {} 647 }, 648 { 649 "names": [ 650 "chroot" 651 ], 652 "action": "SCMP_ACT_ALLOW", 653 "args": [], 654 "comment": "", 655 "includes": { 656 "caps": [ 657 "CAP_SYS_CHROOT" 658 ] 659 }, 660 "excludes": {} 661 }, 662 { 663 "names": [ 664 "delete_module", 665 "init_module", 666 "finit_module", 667 "query_module" 668 ], 669 "action": "SCMP_ACT_ALLOW", 670 "args": [], 671 "comment": "", 672 "includes": { 673 "caps": [ 674 "CAP_SYS_MODULE" 675 ] 676 }, 677 "excludes": {} 678 }, 679 { 680 "names": [ 681 "acct" 682 ], 683 "action": "SCMP_ACT_ALLOW", 684 "args": [], 685 "comment": "", 686 "includes": { 687 "caps": [ 688 "CAP_SYS_PACCT" 689 ] 690 }, 691 "excludes": {} 692 }, 693 { 694 "names": [ 695 "kcmp", 696 "process_vm_readv", 697 "process_vm_writev", 698 "ptrace" 699 ], 700 "action": "SCMP_ACT_ALLOW", 701 "args": [], 702 "comment": "", 703 "includes": { 704 "caps": [ 705 "CAP_SYS_PTRACE" 706 ] 707 }, 708 "excludes": {} 709 }, 710 { 711 "names": [ 712 "iopl", 713 "ioperm" 714 ], 715 "action": "SCMP_ACT_ALLOW", 716 "args": [], 717 "comment": "", 718 "includes": { 719 "caps": [ 720 "CAP_SYS_RAWIO" 721 ] 722 }, 723 "excludes": {} 724 }, 725 { 726 "names": [ 727 "settimeofday", 728 "stime", 729 "clock_settime" 730 ], 731 "action": "SCMP_ACT_ALLOW", 732 "args": [], 733 "comment": "", 734 "includes": { 735 "caps": [ 736 "CAP_SYS_TIME" 737 ] 738 }, 739 "excludes": {} 740 }, 741 { 742 "names": [ 743 "vhangup" 744 ], 745 "action": "SCMP_ACT_ALLOW", 746 "args": [], 747 "comment": "", 748 "includes": { 749 "caps": [ 750 "CAP_SYS_TTY_CONFIG" 751 ] 752 }, 753 "excludes": {} 754 }, 755 { 756 "names": [ 757 "get_mempolicy", 758 
"mbind", 759 "set_mempolicy" 760 ], 761 "action": "SCMP_ACT_ALLOW", 762 "args": [], 763 "comment": "", 764 "includes": { 765 "caps": [ 766 "CAP_SYS_NICE" 767 ] 768 }, 769 "excludes": {} 770 }, 771 { 772 "names": [ 773 "syslog" 774 ], 775 "action": "SCMP_ACT_ALLOW", 776 "args": [], 777 "comment": "", 778 "includes": { 779 "caps": [ 780 "CAP_SYSLOG" 781 ] 782 }, 783 "excludes": {} 784 } 785 ] 786 }