github.com/damirazo/docker@v1.9.0/contrib/mkseccomp.sample (about) 1 /* This sample file is an example for mkseccomp.pl to produce a seccomp file 2 * which restricts syscalls that are only useful for an admin but allows the 3 * vast majority of normal userspace programs to run normally. 4 * 5 * The format of this file is one line per syscall. This is then processed 6 * and passed to 'cpp' to convert the names to numbers using whatever is 7 * correct for your platform. As such C-style comments are permitted. Note 8 * this also means that C preprocessor macros are also allowed. So it is 9 * possible to create groups surrounded by #ifdef/#endif and control their 10 * inclusion via #define (not #include). 11 * 12 * Syscalls that don't exist on your architecture are silently filtered out. 13 * Syscalls marked with (*) are required for a container to spawn a bash 14 * shell successfully (not necessarily full featured). Listing the same 15 * syscall multiple times is no problem. 16 * 17 * If you want to make a list specifically for one application the easiest 18 * way is to run the application under strace, like so: 19 * 20 * $ strace -f -q -c -o strace.out application args... 21 * 22 * Once you have a reasonable sample of the execution of the program, exit 23 * it. The file strace.out will have a summary of the syscalls used. Copy 24 * that list into this file, comment out everything else except the starred 25 * syscalls (which you need for the container to start) and you're done. 26 * 27 * To get the list of syscalls from the strace output this works well for 28 * me 29 * 30 * $ cut -c52 < strace.out 31 * 32 * This sample list was compiled as a combination of all the syscalls 33 * available on i386 and amd64 on Ubuntu Precise, as such it may not contain 34 * everything and not everything may be relevant for your system. This 35 * shouldn't be a problem. 36 */ 37 38 // Filesystem/File descriptor related 39 access // (*) 40 chdir // (*) 41 chmod 42 chown 43 chown32 44 close // (*) 45 creat 46 dup // (*) 47 dup2 // (*) 48 dup3 49 epoll_create 50 epoll_create1 51 epoll_ctl 52 epoll_ctl_old 53 epoll_pwait 54 epoll_wait 55 epoll_wait_old 56 eventfd 57 eventfd2 58 faccessat // (*) 59 fadvise64 60 fadvise64_64 61 fallocate 62 fanotify_init 63 fanotify_mark 64 ioctl // (*) 65 fchdir 66 fchmod 67 fchmodat 68 fchown 69 fchown32 70 fchownat 71 fcntl // (*) 72 fcntl64 73 fdatasync 74 fgetxattr 75 flistxattr 76 flock 77 fremovexattr 78 fsetxattr 79 fstat // (*) 80 fstat64 81 fstatat64 82 fstatfs 83 fstatfs64 84 fsync 85 ftruncate 86 ftruncate64 87 getcwd // (*) 88 getdents // (*) 89 getdents64 90 getxattr 91 inotify_add_watch 92 inotify_init 93 inotify_init1 94 inotify_rm_watch 95 io_cancel 96 io_destroy 97 io_getevents 98 io_setup 99 io_submit 100 lchown 101 lchown32 102 lgetxattr 103 link 104 linkat 105 listxattr 106 llistxattr 107 llseek 108 _llseek 109 lremovexattr 110 lseek // (*) 111 lsetxattr 112 lstat 113 lstat64 114 mkdir 115 mkdirat 116 mknod 117 mknodat 118 newfstatat 119 _newselect 120 oldfstat 121 oldlstat 122 oldolduname 123 oldstat 124 olduname 125 oldwait4 126 open // (*) 127 openat // (*) 128 pipe // (*) 129 pipe2 130 poll 131 ppoll 132 pread64 133 preadv 134 futimesat 135 pselect6 136 pwrite64 137 pwritev 138 read // (*) 139 readahead 140 readdir 141 readlink 142 readlinkat 143 readv 144 removexattr 145 rename 146 renameat 147 rmdir 148 select 149 sendfile 150 sendfile64 151 setxattr 152 splice 153 stat // (*) 154 stat64 155 statfs // (*) 156 statfs64 157 symlink 158 symlinkat 159 sync 160 sync_file_range 161 sync_file_range2 162 syncfs 163 tee 164 truncate 165 truncate64 166 umask 167 unlink 168 unlinkat 169 ustat 170 utime 171 utimensat 172 utimes 173 write // (*) 174 writev 175 176 // Network related 177 accept 178 accept4 179 bind // (*) 180 connect // (*) 181 getpeername 182 getsockname // (*) 183 getsockopt 184 listen 185 recv 186 recvfrom // (*) 187 recvmmsg 188 recvmsg 189 send 190 sendmmsg 191 sendmsg 192 sendto // (*) 193 setsockopt 194 shutdown 195 socket // (*) 196 socketcall 197 socketpair 198 sethostname // (*) 199 200 // Signal related 201 pause 202 rt_sigaction // (*) 203 rt_sigpending 204 rt_sigprocmask // (*) 205 rt_sigqueueinfo 206 rt_sigreturn // (*) 207 rt_sigsuspend 208 rt_sigtimedwait 209 rt_tgsigqueueinfo 210 sigaction 211 sigaltstack // (*) 212 signal 213 signalfd 214 signalfd4 215 sigpending 216 sigprocmask 217 sigreturn 218 sigsuspend 219 220 // Other needed POSIX 221 alarm 222 brk // (*) 223 clock_adjtime 224 clock_getres 225 clock_gettime 226 clock_nanosleep 227 //clock_settime 228 gettimeofday 229 nanosleep 230 nice 231 sysinfo 232 syslog 233 time 234 timer_create 235 timer_delete 236 timerfd_create 237 timerfd_gettime 238 timerfd_settime 239 timer_getoverrun 240 timer_gettime 241 timer_settime 242 times 243 uname // (*) 244 245 // Memory control 246 madvise 247 mbind 248 mincore 249 mlock 250 mlockall 251 mmap // (*) 252 mmap2 253 mprotect // (*) 254 mremap 255 msync 256 munlock 257 munlockall 258 munmap // (*) 259 remap_file_pages 260 set_mempolicy 261 vmsplice 262 263 // Process control 264 capget 265 capset // (*) 266 clone // (*) 267 execve // (*) 268 exit // (*) 269 exit_group // (*) 270 fork 271 getcpu 272 getpgid 273 getpgrp // (*) 274 getpid // (*) 275 getppid // (*) 276 getpriority 277 getresgid 278 getresgid32 279 getresuid 280 getresuid32 281 getrlimit // (*) 282 getrusage 283 getsid 284 getuid // (*) 285 getuid32 286 getegid // (*) 287 getegid32 288 geteuid // (*) 289 geteuid32 290 getgid // (*) 291 getgid32 292 getgroups 293 getgroups32 294 getitimer 295 get_mempolicy 296 kill 297 //personality 298 prctl 299 prlimit64 300 sched_getaffinity 301 sched_getparam 302 sched_get_priority_max 303 sched_get_priority_min 304 sched_getscheduler 305 sched_rr_get_interval 306 //sched_setaffinity 307 //sched_setparam 308 //sched_setscheduler 309 sched_yield 310 setfsgid 311 setfsgid32 312 setfsuid 313 setfsuid32 314 setgid 315 setgid32 316 setgroups 317 setgroups32 318 setitimer 319 setpgid // (*) 320 setpriority 321 setregid 322 setregid32 323 setresgid 324 setresgid32 325 setresuid 326 setresuid32 327 setreuid 328 setreuid32 329 setrlimit 330 setsid 331 setuid 332 setuid32 333 ugetrlimit 334 vfork 335 wait4 // (*) 336 waitid 337 waitpid 338 339 // IPC 340 ipc 341 mq_getsetattr 342 mq_notify 343 mq_open 344 mq_timedreceive 345 mq_timedsend 346 mq_unlink 347 msgctl 348 msgget 349 msgrcv 350 msgsnd 351 semctl 352 semget 353 semop 354 semtimedop 355 shmat 356 shmctl 357 shmdt 358 shmget 359 360 // Linux specific, mostly needed for thread-related stuff 361 arch_prctl // (*) 362 get_robust_list 363 get_thread_area 364 gettid 365 futex // (*) 366 restart_syscall // (*) 367 set_robust_list // (*) 368 set_thread_area 369 set_tid_address // (*) 370 tgkill 371 tkill 372 373 // Admin syscalls, these are blocked 374 //acct 375 //adjtimex 376 //bdflush 377 //chroot 378 //create_module 379 //delete_module 380 //get_kernel_syms // Obsolete 381 //idle // Obsolete 382 //init_module 383 //ioperm 384 //iopl 385 //ioprio_get 386 //ioprio_set 387 //kexec_load 388 //lookup_dcookie // oprofile only? 389 //migrate_pages // NUMA 390 //modify_ldt 391 //mount 392 //move_pages // NUMA 393 //name_to_handle_at // NFS server 394 //nfsservctl // NFS server 395 //open_by_handle_at // NFS server 396 //perf_event_open 397 //pivot_root 398 //process_vm_readv // For debugger 399 //process_vm_writev // For debugger 400 //ptrace // For debugger 401 //query_module 402 //quotactl 403 //reboot 404 //setdomainname 405 //setns 406 //settimeofday 407 //sgetmask // Obsolete 408 //ssetmask // Obsolete 409 //stime 410 //swapoff 411 //swapon 412 //_sysctl 413 //sysfs 414 //sys_setaltroot 415 //umount 416 //umount2 417 //unshare 418 //uselib 419 //vhangup 420 //vm86 421 //vm86old 422 423 // Kernel key management 424 //add_key 425 //keyctl 426 //request_key 427 428 // Unimplemented 429 //afs_syscall 430 //break 431 //ftime 432 //getpmsg 433 //gtty 434 //lock 435 //madvise1 436 //mpx 437 //prof 438 //profil 439 //putpmsg 440 //security 441 //stty 442 //tuxcall 443 //ulimit 444 //vserver