// +build linux,seccomp

package seccomp // import "github.com/demonoid81/moby/profiles/seccomp"

import (
	"github.com/demonoid81/moby/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture table of the default profile: each entry
// pairs a primary architecture with the sub-architectures grouped under it
// (for example 32-bit x86 and x32 under x86_64, ARM under AARCH64).
func arches() []types.Architecture {
	// subs keeps each table row on a single line.
	subs := func(a ...types.Arch) []types.Arch { return a }

	return []types.Architecture{
		{Arch: types.ArchX86_64, SubArches: subs(types.ArchX86, types.ArchX32)},
		{Arch: types.ArchAARCH64, SubArches: subs(types.ArchARM)},
		{Arch: types.ArchMIPS64, SubArches: subs(types.ArchMIPS, types.ArchMIPS64N32)},
		{Arch: types.ArchMIPS64N32, SubArches: subs(types.ArchMIPS, types.ArchMIPS64)},
		{Arch: types.ArchMIPSEL64, SubArches: subs(types.ArchMIPSEL, types.ArchMIPSEL64N32)},
		{Arch: types.ArchMIPSEL64N32, SubArches: subs(types.ArchMIPSEL, types.ArchMIPSEL64)},
		{Arch: types.ArchS390X, SubArches: subs(types.ArchS390)},
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
// Every syscall not matched by a rule is refused with an errno (the
// DefaultAction); the conditional rules are gated on architecture, minimum
// kernel version or a Linux capability granted to the container.
func DefaultProfile() *types.Seccomp {
	// Build the rule list first; the profile returned at the bottom wraps it
	// together with the architecture map and the catch-all ActErrno default.
	syscalls := []*types.Syscall{
		// Syscalls allowed on every architecture, for every container,
		// without any argument filtering.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				// NOTE(review): the io_uring_* family is allowed here without
				// any capability gate; later upstream default profiles dropped
				// these entries — confirm whether this build wants them.
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// ptrace is allowed unconditionally only on kernels >= 4.8.
		// NOTE(review): presumably because from 4.8 the seccomp filter is
		// evaluated before the ptrace hook, so a tracer can no longer be used
		// to sidestep the filter on older kernels — confirm against upstream.
		// On older kernels ptrace is still reachable via the CAP_SYS_PTRACE
		// rule further down.
		{
			Names:  []string{"ptrace"},
			Action: types.ActAllow,
			Includes: types.Filter{
				MinKernel: "4.8",
			},
		},
		// personality is allowed only for an exact set of arg-0 values; every
		// other persona (e.g. BSD/SVR4 emulation) falls through to ActErrno.
		// The values appear to correspond to <linux/personality.h>:
		// 0x0 PER_LINUX, 0x0008 PER_LINUX32, 0x20000 UNAME26,
		// 0x20008 PER_LINUX32|UNAME26, and 0xffffffff, which queries the
		// current persona without changing it.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, gated via Includes.Arches.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule below is only added when the
		// container has been granted the capability named in Includes.Caps.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// CLONE_NEW* namespace flags are set in the flags argument (arg 0):
		// OpMaskedEqual with ValueTwo 0 means (arg & mask) == 0. The rule is
		// skipped when CAP_SYS_ADMIN is granted (the unrestricted clone rule
		// above applies instead) and on s390/s390x, which the next rule covers.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same namespace-flag mask as above, but on s390 the flags live in
		// arg 1 rather than arg 0.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// ptrace here is only relevant on kernels older than 4.8; on newer
		// kernels the MinKernel rule above already allows it.
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// syslog is also allowed under CAP_SYS_ADMIN above; this rule covers
		// containers that hold only CAP_SYSLOG.
		{
			Names: []string{
				"syslog",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Anything not matched by a rule above is refused with an errno rather
	// than killing the process.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}