github.com/demonoid81/moby@v0.0.0-20200517203328-62dd8e17c460/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "connect", 78 "copy_file_range", 79 "creat", 80 "dup", 81 "dup2", 82 "dup3", 83 "epoll_create", 84 "epoll_create1", 85 "epoll_ctl", 86 "epoll_ctl_old", 87 "epoll_pwait", 88 "epoll_wait", 89 "epoll_wait_old", 90 "eventfd", 91 "eventfd2", 92 "execve", 93 "execveat", 94 "exit", 95 "exit_group", 96 "faccessat", 97 "fadvise64", 98 "fadvise64_64", 99 "fallocate", 100 "fanotify_mark", 101 "fchdir", 102 "fchmod", 103 "fchmodat", 104 "fchown", 105 "fchown32", 106 "fchownat", 107 "fcntl", 108 "fcntl64", 109 "fdatasync", 110 "fgetxattr", 111 "flistxattr", 112 "flock", 113 "fork", 114 "fremovexattr", 115 "fsetxattr", 116 "fstat", 117 "fstat64", 118 "fstatat64", 119 "fstatfs", 120 "fstatfs64", 121 "fsync", 122 "ftruncate", 123 "ftruncate64", 124 "futex", 125 "futex_time64", 126 "futimesat", 127 "getcpu", 128 "getcwd", 129 "getdents", 130 "getdents64", 131 "getegid", 132 "getegid32", 133 "geteuid", 134 "geteuid32", 135 "getgid", 136 "getgid32", 137 "getgroups", 138 "getgroups32", 139 "getitimer", 140 "getpeername", 141 "getpgid", 142 "getpgrp", 143 "getpid", 144 "getppid", 145 "getpriority", 146 "getrandom", 147 "getresgid", 148 "getresgid32", 149 "getresuid", 150 "getresuid32", 151 "getrlimit", 152 "get_robust_list", 153 "getrusage", 154 "getsid", 155 "getsockname", 156 "getsockopt", 157 "get_thread_area", 158 "gettid", 159 "gettimeofday", 160 "getuid", 161 "getuid32", 162 "getxattr", 163 "inotify_add_watch", 164 "inotify_init", 165 "inotify_init1", 166 "inotify_rm_watch", 167 "io_cancel", 168 "ioctl", 169 "io_destroy", 170 "io_getevents", 171 "io_pgetevents", 172 "io_pgetevents_time64", 173 "ioprio_get", 174 "ioprio_set", 175 "io_setup", 176 "io_submit", 177 "io_uring_enter", 178 "io_uring_register", 179 "io_uring_setup", 180 "ipc", 181 "kill", 182 "lchown", 183 "lchown32", 184 "lgetxattr", 185 "link", 186 "linkat", 187 "listen", 188 "listxattr", 189 "llistxattr", 190 "_llseek", 191 "lremovexattr", 192 "lseek", 193 "lsetxattr", 194 "lstat", 195 "lstat64", 196 "madvise", 197 "memfd_create", 198 "mincore", 199 "mkdir", 200 "mkdirat", 201 "mknod", 202 "mknodat", 203 "mlock", 204 "mlock2", 205 "mlockall", 206 "mmap", 207 "mmap2", 208 "mprotect", 209 "mq_getsetattr", 210 "mq_notify", 211 "mq_open", 212 "mq_timedreceive", 213 "mq_timedreceive_time64", 214 "mq_timedsend", 215 "mq_timedsend_time64", 216 "mq_unlink", 217 "mremap", 218 "msgctl", 219 "msgget", 220 "msgrcv", 221 "msgsnd", 222 "msync", 223 "munlock", 224 "munlockall", 225 "munmap", 226 "nanosleep", 227 "newfstatat", 228 "_newselect", 229 "open", 230 "openat", 231 "pause", 232 "pipe", 233 "pipe2", 234 "poll", 235 "ppoll", 236 "ppoll_time64", 237 "prctl", 238 "pread64", 239 "preadv", 240 "preadv2", 241 "prlimit64", 242 "pselect6", 243 "pselect6_time64", 244 "pwrite64", 245 "pwritev", 246 "pwritev2", 247 "read", 248 "readahead", 249 "readlink", 250 "readlinkat", 251 "readv", 252 "recv", 253 "recvfrom", 254 "recvmmsg", 255 "recvmmsg_time64", 256 "recvmsg", 257 "remap_file_pages", 258 "removexattr", 259 "rename", 260 "renameat", 261 "renameat2", 262 "restart_syscall", 263 "rmdir", 264 "rt_sigaction", 265 "rt_sigpending", 266 "rt_sigprocmask", 267 "rt_sigqueueinfo", 268 "rt_sigreturn", 269 "rt_sigsuspend", 270 "rt_sigtimedwait", 271 "rt_sigtimedwait_time64", 272 "rt_tgsigqueueinfo", 273 "sched_getaffinity", 274 "sched_getattr", 275 "sched_getparam", 276 "sched_get_priority_max", 277 "sched_get_priority_min", 278 "sched_getscheduler", 279 "sched_rr_get_interval", 280 "sched_rr_get_interval_time64", 281 "sched_setaffinity", 282 "sched_setattr", 283 "sched_setparam", 284 "sched_setscheduler", 285 "sched_yield", 286 "seccomp", 287 "select", 288 "semctl", 289 "semget", 290 "semop", 291 "semtimedop", 292 "semtimedop_time64", 293 "send", 294 "sendfile", 295 "sendfile64", 296 "sendmmsg", 297 "sendmsg", 298 "sendto", 299 "setfsgid", 300 "setfsgid32", 301 "setfsuid", 302 "setfsuid32", 303 "setgid", 304 "setgid32", 305 "setgroups", 306 "setgroups32", 307 "setitimer", 308 "setpgid", 309 "setpriority", 310 "setregid", 311 "setregid32", 312 "setresgid", 313 "setresgid32", 314 "setresuid", 315 "setresuid32", 316 "setreuid", 317 "setreuid32", 318 "setrlimit", 319 "set_robust_list", 320 "setsid", 321 "setsockopt", 322 "set_thread_area", 323 "set_tid_address", 324 "setuid", 325 "setuid32", 326 "setxattr", 327 "shmat", 328 "shmctl", 329 "shmdt", 330 "shmget", 331 "shutdown", 332 "sigaltstack", 333 "signalfd", 334 "signalfd4", 335 "sigprocmask", 336 "sigreturn", 337 "socket", 338 "socketcall", 339 "socketpair", 340 "splice", 341 "stat", 342 "stat64", 343 "statfs", 344 "statfs64", 345 "statx", 346 "symlink", 347 "symlinkat", 348 "sync", 349 "sync_file_range", 350 "syncfs", 351 "sysinfo", 352 "tee", 353 "tgkill", 354 "time", 355 "timer_create", 356 "timer_delete", 357 "timer_getoverrun", 358 "timer_gettime", 359 "timer_gettime64", 360 "timer_settime", 361 "timer_settime64", 362 "timerfd_create", 363 "timerfd_gettime", 364 "timerfd_gettime64", 365 "timerfd_settime", 366 "timerfd_settime64", 367 "times", 368 "tkill", 369 "truncate", 370 "truncate64", 371 "ugetrlimit", 372 "umask", 373 "uname", 374 "unlink", 375 "unlinkat", 376 "utime", 377 "utimensat", 378 "utimensat_time64", 379 "utimes", 380 "vfork", 381 "vmsplice", 382 "wait4", 383 "waitid", 384 "waitpid", 385 "write", 386 "writev" 387 ], 388 "action": "SCMP_ACT_ALLOW", 389 "args": [], 390 "comment": "", 391 "includes": {}, 392 "excludes": {} 393 }, 394 { 395 "names": [ 396 "ptrace" 397 ], 398 "action": "SCMP_ACT_ALLOW", 399 "args": null, 400 "comment": "", 401 "includes": { 402 "minKernel": "4.8" 403 }, 404 "excludes": {} 405 }, 406 { 407 "names": [ 408 "personality" 409 ], 410 "action": "SCMP_ACT_ALLOW", 411 "args": [ 412 { 413 "index": 0, 414 "value": 0, 415 "valueTwo": 0, 416 "op": "SCMP_CMP_EQ" 417 } 418 ], 419 "comment": "", 420 "includes": {}, 421 "excludes": {} 422 }, 423 { 424 "names": [ 425 "personality" 426 ], 427 "action": "SCMP_ACT_ALLOW", 428 "args": [ 429 { 430 "index": 0, 431 "value": 8, 432 "valueTwo": 0, 433 "op": "SCMP_CMP_EQ" 434 } 435 ], 436 "comment": "", 437 "includes": {}, 438 "excludes": {} 439 }, 440 { 441 "names": [ 442 "personality" 443 ], 444 "action": "SCMP_ACT_ALLOW", 445 "args": [ 446 { 447 "index": 0, 448 "value": 131072, 449 "valueTwo": 0, 450 "op": "SCMP_CMP_EQ" 451 } 452 ], 453 "comment": "", 454 "includes": {}, 455 "excludes": {} 456 }, 457 { 458 "names": [ 459 "personality" 460 ], 461 "action": "SCMP_ACT_ALLOW", 462 "args": [ 463 { 464 "index": 0, 465 "value": 131080, 466 "valueTwo": 0, 467 "op": "SCMP_CMP_EQ" 468 } 469 ], 470 "comment": "", 471 "includes": {}, 472 "excludes": {} 473 }, 474 { 475 "names": [ 476 "personality" 477 ], 478 "action": "SCMP_ACT_ALLOW", 479 "args": [ 480 { 481 "index": 0, 482 "value": 4294967295, 483 "valueTwo": 0, 484 "op": "SCMP_CMP_EQ" 485 } 486 ], 487 "comment": "", 488 "includes": {}, 489 "excludes": {} 490 }, 491 { 492 "names": [ 493 "sync_file_range2" 494 ], 495 "action": "SCMP_ACT_ALLOW", 496 "args": [], 497 "comment": "", 498 "includes": { 499 "arches": [ 500 "ppc64le" 501 ] 502 }, 503 "excludes": {} 504 }, 505 { 506 "names": [ 507 "arm_fadvise64_64", 508 "arm_sync_file_range", 509 "sync_file_range2", 510 "breakpoint", 511 "cacheflush", 512 "set_tls" 513 ], 514 "action": "SCMP_ACT_ALLOW", 515 "args": [], 516 "comment": "", 517 "includes": { 518 "arches": [ 519 "arm", 520 "arm64" 521 ] 522 }, 523 "excludes": {} 524 }, 525 { 526 "names": [ 527 "arch_prctl" 528 ], 529 "action": "SCMP_ACT_ALLOW", 530 "args": [], 531 "comment": "", 532 "includes": { 533 "arches": [ 534 "amd64", 535 "x32" 536 ] 537 }, 538 "excludes": {} 539 }, 540 { 541 "names": [ 542 "modify_ldt" 543 ], 544 "action": "SCMP_ACT_ALLOW", 545 "args": [], 546 "comment": "", 547 "includes": { 548 "arches": [ 549 "amd64", 550 "x32", 551 "x86" 552 ] 553 }, 554 "excludes": {} 555 }, 556 { 557 "names": [ 558 "s390_pci_mmio_read", 559 "s390_pci_mmio_write", 560 "s390_runtime_instr" 561 ], 562 "action": "SCMP_ACT_ALLOW", 563 "args": [], 564 "comment": "", 565 "includes": { 566 "arches": [ 567 "s390", 568 "s390x" 569 ] 570 }, 571 "excludes": {} 572 }, 573 { 574 "names": [ 575 "open_by_handle_at" 576 ], 577 "action": "SCMP_ACT_ALLOW", 578 "args": [], 579 "comment": "", 580 "includes": { 581 "caps": [ 582 "CAP_DAC_READ_SEARCH" 583 ] 584 }, 585 "excludes": {} 586 }, 587 { 588 "names": [ 589 "bpf", 590 "clone", 591 "fanotify_init", 592 "lookup_dcookie", 593 "mount", 594 "name_to_handle_at", 595 "perf_event_open", 596 "quotactl", 597 "setdomainname", 598 "sethostname", 599 "setns", 600 "syslog", 601 "umount", 602 "umount2", 603 "unshare" 604 ], 605 "action": "SCMP_ACT_ALLOW", 606 "args": [], 607 "comment": "", 608 "includes": { 609 "caps": [ 610 "CAP_SYS_ADMIN" 611 ] 612 }, 613 "excludes": {} 614 }, 615 { 616 "names": [ 617 "clone" 618 ], 619 "action": "SCMP_ACT_ALLOW", 620 "args": [ 621 { 622 "index": 0, 623 "value": 2114060288, 624 "valueTwo": 0, 625 "op": "SCMP_CMP_MASKED_EQ" 626 } 627 ], 628 "comment": "", 629 "includes": {}, 630 "excludes": { 631 "caps": [ 632 "CAP_SYS_ADMIN" 633 ], 634 "arches": [ 635 "s390", 636 "s390x" 637 ] 638 } 639 }, 640 { 641 "names": [ 642 "clone" 643 ], 644 "action": "SCMP_ACT_ALLOW", 645 "args": [ 646 { 647 "index": 1, 648 "value": 2114060288, 649 "valueTwo": 0, 650 "op": "SCMP_CMP_MASKED_EQ" 651 } 652 ], 653 "comment": "s390 parameter ordering for clone is different", 654 "includes": { 655 "arches": [ 656 "s390", 657 "s390x" 658 ] 659 }, 660 "excludes": { 661 "caps": [ 662 "CAP_SYS_ADMIN" 663 ] 664 } 665 }, 666 { 667 "names": [ 668 "reboot" 669 ], 670 "action": "SCMP_ACT_ALLOW", 671 "args": [], 672 "comment": "", 673 "includes": { 674 "caps": [ 675 "CAP_SYS_BOOT" 676 ] 677 }, 678 "excludes": {} 679 }, 680 { 681 "names": [ 682 "chroot" 683 ], 684 "action": "SCMP_ACT_ALLOW", 685 "args": [], 686 "comment": "", 687 "includes": { 688 "caps": [ 689 "CAP_SYS_CHROOT" 690 ] 691 }, 692 "excludes": {} 693 }, 694 { 695 "names": [ 696 "delete_module", 697 "init_module", 698 "finit_module", 699 "query_module" 700 ], 701 "action": "SCMP_ACT_ALLOW", 702 "args": [], 703 "comment": "", 704 "includes": { 705 "caps": [ 706 "CAP_SYS_MODULE" 707 ] 708 }, 709 "excludes": {} 710 }, 711 { 712 "names": [ 713 "acct" 714 ], 715 "action": "SCMP_ACT_ALLOW", 716 "args": [], 717 "comment": "", 718 "includes": { 719 "caps": [ 720 "CAP_SYS_PACCT" 721 ] 722 }, 723 "excludes": {} 724 }, 725 { 726 "names": [ 727 "kcmp", 728 "process_vm_readv", 729 "process_vm_writev", 730 "ptrace" 731 ], 732 "action": "SCMP_ACT_ALLOW", 733 "args": [], 734 "comment": "", 735 "includes": { 736 "caps": [ 737 "CAP_SYS_PTRACE" 738 ] 739 }, 740 "excludes": {} 741 }, 742 { 743 "names": [ 744 "iopl", 745 "ioperm" 746 ], 747 "action": "SCMP_ACT_ALLOW", 748 "args": [], 749 "comment": "", 750 "includes": { 751 "caps": [ 752 "CAP_SYS_RAWIO" 753 ] 754 }, 755 "excludes": {} 756 }, 757 { 758 "names": [ 759 "settimeofday", 760 "stime", 761 "clock_settime" 762 ], 763 "action": "SCMP_ACT_ALLOW", 764 "args": [], 765 "comment": "", 766 "includes": { 767 "caps": [ 768 "CAP_SYS_TIME" 769 ] 770 }, 771 "excludes": {} 772 }, 773 { 774 "names": [ 775 "vhangup" 776 ], 777 "action": "SCMP_ACT_ALLOW", 778 "args": [], 779 "comment": "", 780 "includes": { 781 "caps": [ 782 "CAP_SYS_TTY_CONFIG" 783 ] 784 }, 785 "excludes": {} 786 }, 787 { 788 "names": [ 789 "get_mempolicy", 790 "mbind", 791 "set_mempolicy" 792 ], 793 "action": "SCMP_ACT_ALLOW", 794 "args": [], 795 "comment": "", 796 "includes": { 797 "caps": [ 798 "CAP_SYS_NICE" 799 ] 800 }, 801 "excludes": {} 802 }, 803 { 804 "names": [ 805 "syslog" 806 ], 807 "action": "SCMP_ACT_ALLOW", 808 "args": [], 809 "comment": "", 810 "includes": { 811 "caps": [ 812 "CAP_SYSLOG" 813 ] 814 }, 815 "excludes": {} 816 } 817 ] 818 }