
     1  // +build linux,seccomp
     2  
     3  package seccomp // import "github.com/demonoid81/moby/profiles/seccomp"
     4  
     5  import (
     6  	"github.com/demonoid81/moby/api/types"
     7  	"golang.org/x/sys/unix"
     8  )
     9  
// arches returns the architecture map attached to the default profile: each
// native architecture paired with the compatibility sub-architectures whose
// syscall tables the same filter has to cover (for example 32-bit x86 and
// x32 binaries on an x86_64 kernel). Keeping the compat ABIs in the map is
// what lets one filter apply to every ABI a process in the container could
// switch to — presumably how the loader uses SubArches; confirm there.
func arches() []types.Architecture {
	// entry builds one native/compat tuple; the variadic compat list is
	// stored as-is, so callers see exactly the slice they passed.
	entry := func(native types.Arch, compat ...types.Arch) types.Architecture {
		return types.Architecture{Arch: native, SubArches: compat}
	}

	// Order matters only for readability; the loader treats this as a set.
	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}
    42  
    43  // DefaultProfile defines the whitelist for the default seccomp profile.
    44  func DefaultProfile() *types.Seccomp {
    45  	syscalls := []*types.Syscall{
    46  		{
    47  			Names: []string{
    48  				"accept",
    49  				"accept4",
    50  				"access",
    51  				"adjtimex",
    52  				"alarm",
    53  				"bind",
    54  				"brk",
    55  				"capget",
    56  				"capset",
    57  				"chdir",
    58  				"chmod",
    59  				"chown",
    60  				"chown32",
    61  				"clock_adjtime",
    62  				"clock_adjtime64",
    63  				"clock_getres",
    64  				"clock_getres_time64",
    65  				"clock_gettime",
    66  				"clock_gettime64",
    67  				"clock_nanosleep",
    68  				"clock_nanosleep_time64",
    69  				"close",
    70  				"connect",
    71  				"copy_file_range",
    72  				"creat",
    73  				"dup",
    74  				"dup2",
    75  				"dup3",
    76  				"epoll_create",
    77  				"epoll_create1",
    78  				"epoll_ctl",
    79  				"epoll_ctl_old",
    80  				"epoll_pwait",
    81  				"epoll_wait",
    82  				"epoll_wait_old",
    83  				"eventfd",
    84  				"eventfd2",
    85  				"execve",
    86  				"execveat",
    87  				"exit",
    88  				"exit_group",
    89  				"faccessat",
    90  				"fadvise64",
    91  				"fadvise64_64",
    92  				"fallocate",
    93  				"fanotify_mark",
    94  				"fchdir",
    95  				"fchmod",
    96  				"fchmodat",
    97  				"fchown",
    98  				"fchown32",
    99  				"fchownat",
   100  				"fcntl",
   101  				"fcntl64",
   102  				"fdatasync",
   103  				"fgetxattr",
   104  				"flistxattr",
   105  				"flock",
   106  				"fork",
   107  				"fremovexattr",
   108  				"fsetxattr",
   109  				"fstat",
   110  				"fstat64",
   111  				"fstatat64",
   112  				"fstatfs",
   113  				"fstatfs64",
   114  				"fsync",
   115  				"ftruncate",
   116  				"ftruncate64",
   117  				"futex",
   118  				"futex_time64",
   119  				"futimesat",
   120  				"getcpu",
   121  				"getcwd",
   122  				"getdents",
   123  				"getdents64",
   124  				"getegid",
   125  				"getegid32",
   126  				"geteuid",
   127  				"geteuid32",
   128  				"getgid",
   129  				"getgid32",
   130  				"getgroups",
   131  				"getgroups32",
   132  				"getitimer",
   133  				"getpeername",
   134  				"getpgid",
   135  				"getpgrp",
   136  				"getpid",
   137  				"getppid",
   138  				"getpriority",
   139  				"getrandom",
   140  				"getresgid",
   141  				"getresgid32",
   142  				"getresuid",
   143  				"getresuid32",
   144  				"getrlimit",
   145  				"get_robust_list",
   146  				"getrusage",
   147  				"getsid",
   148  				"getsockname",
   149  				"getsockopt",
   150  				"get_thread_area",
   151  				"gettid",
   152  				"gettimeofday",
   153  				"getuid",
   154  				"getuid32",
   155  				"getxattr",
   156  				"inotify_add_watch",
   157  				"inotify_init",
   158  				"inotify_init1",
   159  				"inotify_rm_watch",
   160  				"io_cancel",
   161  				"ioctl",
   162  				"io_destroy",
   163  				"io_getevents",
   164  				"io_pgetevents",
   165  				"io_pgetevents_time64",
   166  				"ioprio_get",
   167  				"ioprio_set",
   168  				"io_setup",
   169  				"io_submit",
   170  				"io_uring_enter",
   171  				"io_uring_register",
   172  				"io_uring_setup",
   173  				"ipc",
   174  				"kill",
   175  				"lchown",
   176  				"lchown32",
   177  				"lgetxattr",
   178  				"link",
   179  				"linkat",
   180  				"listen",
   181  				"listxattr",
   182  				"llistxattr",
   183  				"_llseek",
   184  				"lremovexattr",
   185  				"lseek",
   186  				"lsetxattr",
   187  				"lstat",
   188  				"lstat64",
   189  				"madvise",
   190  				"memfd_create",
   191  				"mincore",
   192  				"mkdir",
   193  				"mkdirat",
   194  				"mknod",
   195  				"mknodat",
   196  				"mlock",
   197  				"mlock2",
   198  				"mlockall",
   199  				"mmap",
   200  				"mmap2",
   201  				"mprotect",
   202  				"mq_getsetattr",
   203  				"mq_notify",
   204  				"mq_open",
   205  				"mq_timedreceive",
   206  				"mq_timedreceive_time64",
   207  				"mq_timedsend",
   208  				"mq_timedsend_time64",
   209  				"mq_unlink",
   210  				"mremap",
   211  				"msgctl",
   212  				"msgget",
   213  				"msgrcv",
   214  				"msgsnd",
   215  				"msync",
   216  				"munlock",
   217  				"munlockall",
   218  				"munmap",
   219  				"nanosleep",
   220  				"newfstatat",
   221  				"_newselect",
   222  				"open",
   223  				"openat",
   224  				"pause",
   225  				"pipe",
   226  				"pipe2",
   227  				"poll",
   228  				"ppoll",
   229  				"ppoll_time64",
   230  				"prctl",
   231  				"pread64",
   232  				"preadv",
   233  				"preadv2",
   234  				"prlimit64",
   235  				"pselect6",
   236  				"pselect6_time64",
   237  				"pwrite64",
   238  				"pwritev",
   239  				"pwritev2",
   240  				"read",
   241  				"readahead",
   242  				"readlink",
   243  				"readlinkat",
   244  				"readv",
   245  				"recv",
   246  				"recvfrom",
   247  				"recvmmsg",
   248  				"recvmmsg_time64",
   249  				"recvmsg",
   250  				"remap_file_pages",
   251  				"removexattr",
   252  				"rename",
   253  				"renameat",
   254  				"renameat2",
   255  				"restart_syscall",
   256  				"rmdir",
   257  				"rt_sigaction",
   258  				"rt_sigpending",
   259  				"rt_sigprocmask",
   260  				"rt_sigqueueinfo",
   261  				"rt_sigreturn",
   262  				"rt_sigsuspend",
   263  				"rt_sigtimedwait",
   264  				"rt_sigtimedwait_time64",
   265  				"rt_tgsigqueueinfo",
   266  				"sched_getaffinity",
   267  				"sched_getattr",
   268  				"sched_getparam",
   269  				"sched_get_priority_max",
   270  				"sched_get_priority_min",
   271  				"sched_getscheduler",
   272  				"sched_rr_get_interval",
   273  				"sched_rr_get_interval_time64",
   274  				"sched_setaffinity",
   275  				"sched_setattr",
   276  				"sched_setparam",
   277  				"sched_setscheduler",
   278  				"sched_yield",
   279  				"seccomp",
   280  				"select",
   281  				"semctl",
   282  				"semget",
   283  				"semop",
   284  				"semtimedop",
   285  				"semtimedop_time64",
   286  				"send",
   287  				"sendfile",
   288  				"sendfile64",
   289  				"sendmmsg",
   290  				"sendmsg",
   291  				"sendto",
   292  				"setfsgid",
   293  				"setfsgid32",
   294  				"setfsuid",
   295  				"setfsuid32",
   296  				"setgid",
   297  				"setgid32",
   298  				"setgroups",
   299  				"setgroups32",
   300  				"setitimer",
   301  				"setpgid",
   302  				"setpriority",
   303  				"setregid",
   304  				"setregid32",
   305  				"setresgid",
   306  				"setresgid32",
   307  				"setresuid",
   308  				"setresuid32",
   309  				"setreuid",
   310  				"setreuid32",
   311  				"setrlimit",
   312  				"set_robust_list",
   313  				"setsid",
   314  				"setsockopt",
   315  				"set_thread_area",
   316  				"set_tid_address",
   317  				"setuid",
   318  				"setuid32",
   319  				"setxattr",
   320  				"shmat",
   321  				"shmctl",
   322  				"shmdt",
   323  				"shmget",
   324  				"shutdown",
   325  				"sigaltstack",
   326  				"signalfd",
   327  				"signalfd4",
   328  				"sigprocmask",
   329  				"sigreturn",
   330  				"socket",
   331  				"socketcall",
   332  				"socketpair",
   333  				"splice",
   334  				"stat",
   335  				"stat64",
   336  				"statfs",
   337  				"statfs64",
   338  				"statx",
   339  				"symlink",
   340  				"symlinkat",
   341  				"sync",
   342  				"sync_file_range",
   343  				"syncfs",
   344  				"sysinfo",
   345  				"tee",
   346  				"tgkill",
   347  				"time",
   348  				"timer_create",
   349  				"timer_delete",
   350  				"timer_getoverrun",
   351  				"timer_gettime",
   352  				"timer_gettime64",
   353  				"timer_settime",
   354  				"timer_settime64",
   355  				"timerfd_create",
   356  				"timerfd_gettime",
   357  				"timerfd_gettime64",
   358  				"timerfd_settime",
   359  				"timerfd_settime64",
   360  				"times",
   361  				"tkill",
   362  				"truncate",
   363  				"truncate64",
   364  				"ugetrlimit",
   365  				"umask",
   366  				"uname",
   367  				"unlink",
   368  				"unlinkat",
   369  				"utime",
   370  				"utimensat",
   371  				"utimensat_time64",
   372  				"utimes",
   373  				"vfork",
   374  				"vmsplice",
   375  				"wait4",
   376  				"waitid",
   377  				"waitpid",
   378  				"write",
   379  				"writev",
   380  			},
   381  			Action: types.ActAllow,
   382  			Args:   []*types.Arg{},
   383  		},
   384  		{
   385  			Names:  []string{"ptrace"},
   386  			Action: types.ActAllow,
   387  			Includes: types.Filter{
   388  				MinKernel: "4.8",
   389  			},
   390  		},
   391  		{
   392  			Names:  []string{"personality"},
   393  			Action: types.ActAllow,
   394  			Args: []*types.Arg{
   395  				{
   396  					Index: 0,
   397  					Value: 0x0,
   398  					Op:    types.OpEqualTo,
   399  				},
   400  			},
   401  		},
   402  		{
   403  			Names:  []string{"personality"},
   404  			Action: types.ActAllow,
   405  			Args: []*types.Arg{
   406  				{
   407  					Index: 0,
   408  					Value: 0x0008,
   409  					Op:    types.OpEqualTo,
   410  				},
   411  			},
   412  		},
   413  		{
   414  			Names:  []string{"personality"},
   415  			Action: types.ActAllow,
   416  			Args: []*types.Arg{
   417  				{
   418  					Index: 0,
   419  					Value: 0x20000,
   420  					Op:    types.OpEqualTo,
   421  				},
   422  			},
   423  		},
   424  		{
   425  			Names:  []string{"personality"},
   426  			Action: types.ActAllow,
   427  			Args: []*types.Arg{
   428  				{
   429  					Index: 0,
   430  					Value: 0x20008,
   431  					Op:    types.OpEqualTo,
   432  				},
   433  			},
   434  		},
   435  		{
   436  			Names:  []string{"personality"},
   437  			Action: types.ActAllow,
   438  			Args: []*types.Arg{
   439  				{
   440  					Index: 0,
   441  					Value: 0xffffffff,
   442  					Op:    types.OpEqualTo,
   443  				},
   444  			},
   445  		},
   446  		{
   447  			Names: []string{
   448  				"sync_file_range2",
   449  			},
   450  			Action: types.ActAllow,
   451  			Args:   []*types.Arg{},
   452  			Includes: types.Filter{
   453  				Arches: []string{"ppc64le"},
   454  			},
   455  		},
   456  		{
   457  			Names: []string{
   458  				"arm_fadvise64_64",
   459  				"arm_sync_file_range",
   460  				"sync_file_range2",
   461  				"breakpoint",
   462  				"cacheflush",
   463  				"set_tls",
   464  			},
   465  			Action: types.ActAllow,
   466  			Args:   []*types.Arg{},
   467  			Includes: types.Filter{
   468  				Arches: []string{"arm", "arm64"},
   469  			},
   470  		},
   471  		{
   472  			Names: []string{
   473  				"arch_prctl",
   474  			},
   475  			Action: types.ActAllow,
   476  			Args:   []*types.Arg{},
   477  			Includes: types.Filter{
   478  				Arches: []string{"amd64", "x32"},
   479  			},
   480  		},
   481  		{
   482  			Names: []string{
   483  				"modify_ldt",
   484  			},
   485  			Action: types.ActAllow,
   486  			Args:   []*types.Arg{},
   487  			Includes: types.Filter{
   488  				Arches: []string{"amd64", "x32", "x86"},
   489  			},
   490  		},
   491  		{
   492  			Names: []string{
   493  				"s390_pci_mmio_read",
   494  				"s390_pci_mmio_write",
   495  				"s390_runtime_instr",
   496  			},
   497  			Action: types.ActAllow,
   498  			Args:   []*types.Arg{},
   499  			Includes: types.Filter{
   500  				Arches: []string{"s390", "s390x"},
   501  			},
   502  		},
   503  		{
   504  			Names: []string{
   505  				"open_by_handle_at",
   506  			},
   507  			Action: types.ActAllow,
   508  			Args:   []*types.Arg{},
   509  			Includes: types.Filter{
   510  				Caps: []string{"CAP_DAC_READ_SEARCH"},
   511  			},
   512  		},
   513  		{
   514  			Names: []string{
   515  				"bpf",
   516  				"clone",
   517  				"fanotify_init",
   518  				"lookup_dcookie",
   519  				"mount",
   520  				"name_to_handle_at",
   521  				"perf_event_open",
   522  				"quotactl",
   523  				"setdomainname",
   524  				"sethostname",
   525  				"setns",
   526  				"syslog",
   527  				"umount",
   528  				"umount2",
   529  				"unshare",
   530  			},
   531  			Action: types.ActAllow,
   532  			Args:   []*types.Arg{},
   533  			Includes: types.Filter{
   534  				Caps: []string{"CAP_SYS_ADMIN"},
   535  			},
   536  		},
   537  		{
   538  			Names: []string{
   539  				"clone",
   540  			},
   541  			Action: types.ActAllow,
   542  			Args: []*types.Arg{
   543  				{
   544  					Index:    0,
   545  					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
   546  					ValueTwo: 0,
   547  					Op:       types.OpMaskedEqual,
   548  				},
   549  			},
   550  			Excludes: types.Filter{
   551  				Caps:   []string{"CAP_SYS_ADMIN"},
   552  				Arches: []string{"s390", "s390x"},
   553  			},
   554  		},
   555  		{
   556  			Names: []string{
   557  				"clone",
   558  			},
   559  			Action: types.ActAllow,
   560  			Args: []*types.Arg{
   561  				{
   562  					Index:    1,
   563  					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
   564  					ValueTwo: 0,
   565  					Op:       types.OpMaskedEqual,
   566  				},
   567  			},
   568  			Comment: "s390 parameter ordering for clone is different",
   569  			Includes: types.Filter{
   570  				Arches: []string{"s390", "s390x"},
   571  			},
   572  			Excludes: types.Filter{
   573  				Caps: []string{"CAP_SYS_ADMIN"},
   574  			},
   575  		},
   576  		{
   577  			Names: []string{
   578  				"reboot",
   579  			},
   580  			Action: types.ActAllow,
   581  			Args:   []*types.Arg{},
   582  			Includes: types.Filter{
   583  				Caps: []string{"CAP_SYS_BOOT"},
   584  			},
   585  		},
   586  		{
   587  			Names: []string{
   588  				"chroot",
   589  			},
   590  			Action: types.ActAllow,
   591  			Args:   []*types.Arg{},
   592  			Includes: types.Filter{
   593  				Caps: []string{"CAP_SYS_CHROOT"},
   594  			},
   595  		},
   596  		{
   597  			Names: []string{
   598  				"delete_module",
   599  				"init_module",
   600  				"finit_module",
   601  				"query_module",
   602  			},
   603  			Action: types.ActAllow,
   604  			Args:   []*types.Arg{},
   605  			Includes: types.Filter{
   606  				Caps: []string{"CAP_SYS_MODULE"},
   607  			},
   608  		},
   609  		{
   610  			Names: []string{
   611  				"acct",
   612  			},
   613  			Action: types.ActAllow,
   614  			Args:   []*types.Arg{},
   615  			Includes: types.Filter{
   616  				Caps: []string{"CAP_SYS_PACCT"},
   617  			},
   618  		},
   619  		{
   620  			Names: []string{
   621  				"kcmp",
   622  				"process_vm_readv",
   623  				"process_vm_writev",
   624  				"ptrace",
   625  			},
   626  			Action: types.ActAllow,
   627  			Args:   []*types.Arg{},
   628  			Includes: types.Filter{
   629  				Caps: []string{"CAP_SYS_PTRACE"},
   630  			},
   631  		},
   632  		{
   633  			Names: []string{
   634  				"iopl",
   635  				"ioperm",
   636  			},
   637  			Action: types.ActAllow,
   638  			Args:   []*types.Arg{},
   639  			Includes: types.Filter{
   640  				Caps: []string{"CAP_SYS_RAWIO"},
   641  			},
   642  		},
   643  		{
   644  			Names: []string{
   645  				"settimeofday",
   646  				"stime",
   647  				"clock_settime",
   648  			},
   649  			Action: types.ActAllow,
   650  			Args:   []*types.Arg{},
   651  			Includes: types.Filter{
   652  				Caps: []string{"CAP_SYS_TIME"},
   653  			},
   654  		},
   655  		{
   656  			Names: []string{
   657  				"vhangup",
   658  			},
   659  			Action: types.ActAllow,
   660  			Args:   []*types.Arg{},
   661  			Includes: types.Filter{
   662  				Caps: []string{"CAP_SYS_TTY_CONFIG"},
   663  			},
   664  		},
   665  		{
   666  			Names: []string{
   667  				"get_mempolicy",
   668  				"mbind",
   669  				"set_mempolicy",
   670  			},
   671  			Action: types.ActAllow,
   672  			Args:   []*types.Arg{},
   673  			Includes: types.Filter{
   674  				Caps: []string{"CAP_SYS_NICE"},
   675  			},
   676  		},
   677  		{
   678  			Names: []string{
   679  				"syslog",
   680  			},
   681  			Action: types.ActAllow,
   682  			Args:   []*types.Arg{},
   683  			Includes: types.Filter{
   684  				Caps: []string{"CAP_SYSLOG"},
   685  			},
   686  		},
   687  	}
   688  
   689  	return &types.Seccomp{
   690  		DefaultAction: types.ActErrno,
   691  		ArchMap:       arches(),
   692  		Syscalls:      syscalls,
   693  	}
   694  }