github.com/damirazo/docker@v1.9.0/contrib/mkseccomp.sample (about)

     1  /* This sample file is an example for mkseccomp.pl to produce a seccomp file
     2   * which restricts syscalls that are only useful for an admin but allows the
     3   * vast majority of normal userspace programs to run normally.
     4   *
     5   * The format of this file is one line per syscall.  This is then processed
     6   * and passed to 'cpp' to convert the names to numbers using whatever is
     7   * correct for your platform.  As such C-style comments are permitted.  Note
     8   * this also means that C preprocessor macros are also allowed.  So it is
     9   * possible to create groups surrounded by #ifdef/#endif and control their
    10   * inclusion via #define (not #include).
    11   *
    12   * Syscalls that don't exist on your architecture are silently filtered out.
    13   * Syscalls marked with (*) are required for a container to spawn a bash
    14   * shell successfully (not necessarily full featured).  Listing the same
    15   * syscall multiple times is no problem.
    16   *
    17   * If you want to make a list specifically for one application the easiest
    18   * way is to run the application under strace, like so:
    19   *
    20   * $ strace -f -q -c -o strace.out application args...
    21   *
    22   * Once you have a reasonable sample of the execution of the program, exit
    23   * it.  The file strace.out will have a summary of the syscalls used.  Copy
    24   * that list into this file, comment out everything else except the starred
    25   * syscalls (which you need for the container to start) and you're done.
    26   *
    27   * To get the list of syscalls from the strace output this works well for
    28   * me
    29   *
    30   * $ cut -c52 < strace.out
    31   *
    32   * This sample list was compiled as a combination of all the syscalls
    33   * available on i386 and amd64 on Ubuntu Precise, as such it may not contain
    34   * everything and not everything may be relevant for your system.  This
    35   * shouldn't be a problem.
    36   */
    37  
    38  // Filesystem/File descriptor related
    39  access                 // (*)
    40  chdir                  // (*)
    41  chmod
    42  chown
    43  chown32
    44  close                  // (*)
    45  creat
    46  dup                    // (*)
    47  dup2                   // (*)
    48  dup3
    49  epoll_create
    50  epoll_create1
    51  epoll_ctl
    52  epoll_ctl_old
    53  epoll_pwait
    54  epoll_wait
    55  epoll_wait_old
    56  eventfd
    57  eventfd2
    58  faccessat              // (*)
    59  fadvise64
    60  fadvise64_64
    61  fallocate
    62  fanotify_init
    63  fanotify_mark
    64  ioctl                  // (*)
    65  fchdir
    66  fchmod
    67  fchmodat
    68  fchown
    69  fchown32
    70  fchownat
    71  fcntl                  // (*)
    72  fcntl64
    73  fdatasync
    74  fgetxattr
    75  flistxattr
    76  flock
    77  fremovexattr
    78  fsetxattr
    79  fstat                  // (*)
    80  fstat64
    81  fstatat64
    82  fstatfs
    83  fstatfs64
    84  fsync
    85  ftruncate
    86  ftruncate64
    87  getcwd                 // (*)
    88  getdents               // (*)
    89  getdents64
    90  getxattr
    91  inotify_add_watch
    92  inotify_init
    93  inotify_init1
    94  inotify_rm_watch
    95  io_cancel
    96  io_destroy
    97  io_getevents
    98  io_setup
    99  io_submit
   100  lchown
   101  lchown32
   102  lgetxattr
   103  link
   104  linkat
   105  listxattr
   106  llistxattr
   107  llseek
   108  _llseek
   109  lremovexattr
   110  lseek                  // (*)
   111  lsetxattr
   112  lstat
   113  lstat64
   114  mkdir
   115  mkdirat
   116  mknod
   117  mknodat
   118  newfstatat
   119  _newselect
   120  oldfstat
   121  oldlstat
   122  oldolduname
   123  oldstat
   124  olduname
   125  oldwait4
   126  open                   // (*)
   127  openat                 // (*)
   128  pipe                   // (*)
   129  pipe2
   130  poll
   131  ppoll
   132  pread64
   133  preadv
   134  futimesat
   135  pselect6
   136  pwrite64
   137  pwritev
   138  read                   // (*)
   139  readahead
   140  readdir
   141  readlink
   142  readlinkat
   143  readv
   144  removexattr
   145  rename
   146  renameat
   147  rmdir
   148  select
   149  sendfile
   150  sendfile64
   151  setxattr
   152  splice
   153  stat                   // (*)
   154  stat64
   155  statfs                 // (*)
   156  statfs64
   157  symlink
   158  symlinkat
   159  sync
   160  sync_file_range
   161  sync_file_range2
   162  syncfs
   163  tee
   164  truncate
   165  truncate64
   166  umask
   167  unlink
   168  unlinkat
   169  ustat
   170  utime
   171  utimensat
   172  utimes
   173  write                  // (*)
   174  writev
   175  
   176  // Network related
   177  accept
   178  accept4
   179  bind                   // (*)
   180  connect                // (*)
   181  getpeername
   182  getsockname            // (*)
   183  getsockopt
   184  listen
   185  recv
   186  recvfrom               // (*)
   187  recvmmsg
   188  recvmsg
   189  send
   190  sendmmsg
   191  sendmsg
   192  sendto                 // (*)
   193  setsockopt
   194  shutdown
   195  socket                 // (*)
   196  socketcall
   197  socketpair
   198  sethostname            // (*)
   199  
   200  // Signal related
   201  pause
   202  rt_sigaction           // (*)
   203  rt_sigpending
   204  rt_sigprocmask         // (*)
   205  rt_sigqueueinfo
   206  rt_sigreturn           // (*)
   207  rt_sigsuspend
   208  rt_sigtimedwait
   209  rt_tgsigqueueinfo
   210  sigaction
   211  sigaltstack            // (*)
   212  signal
   213  signalfd
   214  signalfd4
   215  sigpending
   216  sigprocmask
   217  sigreturn
   218  sigsuspend
   219  
   220  // Other needed POSIX
   221  alarm
   222  brk                    // (*)
   223  clock_adjtime
   224  clock_getres
   225  clock_gettime
   226  clock_nanosleep
   227  //clock_settime
   228  gettimeofday
   229  nanosleep
   230  nice
   231  sysinfo
   232  syslog
   233  time
   234  timer_create
   235  timer_delete
   236  timerfd_create
   237  timerfd_gettime
   238  timerfd_settime
   239  timer_getoverrun
   240  timer_gettime
   241  timer_settime
   242  times
   243  uname                  // (*)
   244  
   245  // Memory control
   246  madvise
   247  mbind
   248  mincore
   249  mlock
   250  mlockall
   251  mmap                   // (*)
   252  mmap2
   253  mprotect               // (*)
   254  mremap
   255  msync
   256  munlock
   257  munlockall
   258  munmap                 // (*)
   259  remap_file_pages
   260  set_mempolicy
   261  vmsplice
   262  
   263  // Process control
   264  capget
   265  capset                 // (*)
   266  clone                  // (*)
   267  execve                 // (*)
   268  exit                   // (*)
   269  exit_group             // (*)
   270  fork
   271  getcpu
   272  getpgid
   273  getpgrp                // (*)
   274  getpid                 // (*)
   275  getppid                // (*)
   276  getpriority
   277  getresgid
   278  getresgid32
   279  getresuid
   280  getresuid32
   281  getrlimit              // (*)
   282  getrusage
   283  getsid
   284  getuid                 // (*)
   285  getuid32
   286  getegid                // (*)
   287  getegid32
   288  geteuid                // (*)
   289  geteuid32
   290  getgid                 // (*)
   291  getgid32
   292  getgroups
   293  getgroups32
   294  getitimer
   295  get_mempolicy
   296  kill
   297  //personality
   298  prctl
   299  prlimit64
   300  sched_getaffinity
   301  sched_getparam
   302  sched_get_priority_max
   303  sched_get_priority_min
   304  sched_getscheduler
   305  sched_rr_get_interval
   306  //sched_setaffinity
   307  //sched_setparam
   308  //sched_setscheduler
   309  sched_yield
   310  setfsgid
   311  setfsgid32
   312  setfsuid
   313  setfsuid32
   314  setgid
   315  setgid32
   316  setgroups
   317  setgroups32
   318  setitimer
   319  setpgid                // (*)
   320  setpriority
   321  setregid
   322  setregid32
   323  setresgid
   324  setresgid32
   325  setresuid
   326  setresuid32
   327  setreuid
   328  setreuid32
   329  setrlimit
   330  setsid
   331  setuid
   332  setuid32
   333  ugetrlimit
   334  vfork
   335  wait4                  // (*)
   336  waitid
   337  waitpid
   338  
   339  // IPC
   340  ipc
   341  mq_getsetattr
   342  mq_notify
   343  mq_open
   344  mq_timedreceive
   345  mq_timedsend
   346  mq_unlink
   347  msgctl
   348  msgget
   349  msgrcv
   350  msgsnd
   351  semctl
   352  semget
   353  semop
   354  semtimedop
   355  shmat
   356  shmctl
   357  shmdt
   358  shmget
   359  
   360  // Linux specific, mostly needed for thread-related stuff
   361  arch_prctl             // (*)
   362  get_robust_list
   363  get_thread_area
   364  gettid
   365  futex                  // (*)
   366  restart_syscall        // (*)
   367  set_robust_list        // (*)
   368  set_thread_area
   369  set_tid_address        // (*)
   370  tgkill
   371  tkill
   372  
   373  // Admin syscalls, these are blocked
   374  //acct
   375  //adjtimex
   376  //bdflush
   377  //chroot
   378  //create_module
   379  //delete_module
   380  //get_kernel_syms      // Obsolete
   381  //idle                 // Obsolete
   382  //init_module
   383  //ioperm
   384  //iopl
   385  //ioprio_get
   386  //ioprio_set
   387  //kexec_load
   388  //lookup_dcookie       // oprofile only?
   389  //migrate_pages        // NUMA
   390  //modify_ldt
   391  //mount
   392  //move_pages           // NUMA
   393  //name_to_handle_at    // NFS server
   394  //nfsservctl           // NFS server
   395  //open_by_handle_at    // NFS server
   396  //perf_event_open
   397  //pivot_root
   398  //process_vm_readv     // For debugger
   399  //process_vm_writev    // For debugger
   400  //ptrace               // For debugger
   401  //query_module
   402  //quotactl
   403  //reboot
   404  //setdomainname
   405  //setns
   406  //settimeofday
   407  //sgetmask             // Obsolete
   408  //ssetmask             // Obsolete
   409  //stime
   410  //swapoff
   411  //swapon
   412  //_sysctl
   413  //sysfs
   414  //sys_setaltroot
   415  //umount
   416  //umount2
   417  //unshare
   418  //uselib
   419  //vhangup
   420  //vm86
   421  //vm86old
   422  
   423  // Kernel key management
   424  //add_key
   425  //keyctl
   426  //request_key
   427  
   428  // Unimplemented
   429  //afs_syscall
   430  //break
   431  //ftime
   432  //getpmsg
   433  //gtty
   434  //lock
   435  //madvise1
   436  //mpx
   437  //prof
   438  //profil
   439  //putpmsg
   440  //security
   441  //stty
   442  //tuxcall
   443  //ulimit
   444  //vserver