// +build linux,seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the ArchMap entries used by DefaultProfile: each native
// architecture paired with the sub-architectures it is grouped with, so
// that one filter covers every ABI a container on that host may run.
func arches() []types.Architecture {
	// entry builds one ArchMap row; SubArches is the variadic slice as given.
	entry := func(native types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: native, SubArches: subs}
	}

	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
func DefaultProfile() *types.Seccomp {
	// Rules are evaluated as an allowlist: anything not matched by a rule
	// below is handled by DefaultAction (ActErrno, see the return value),
	// i.e. the call fails with an errno instead of killing the process.
	syscalls := []*types.Syscall{
		{
			// Syscalls allowed unconditionally, on every architecture and
			// regardless of the container's capabilities.
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		{
			// ptrace is allowed without a capability only on kernels >= 4.8.
			// Before 4.8 the seccomp check ran ahead of the ptrace
			// syscall-entry stop, so a tracer could alter a call after the
			// filter had accepted it; on older kernels ptrace stays gated on
			// CAP_SYS_PTRACE by the rule further down.
			Names:  []string{"ptrace"},
			Action: types.ActAllow,
			Includes: types.Filter{
				MinKernel: "4.8",
			},
		},
		// personality(2) is only allowed with the fixed values below; any
		// other value (e.g. ADDR_NO_RANDOMIZE) falls through to DefaultAction.
		{
			// PER_LINUX
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			// PER_LINUX32
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			// UNAME26
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			// PER_LINUX32 | UNAME26
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			// 0xffffffff queries the current personality without changing it.
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls: each rule applies only on the
		// architectures listed in Includes.Arches.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule applies only when the
		// container's bounding set holds the capability in Includes.Caps,
		// so dropping the capability also removes the syscall.
		{
			// open_by_handle_at opens a file from an opaque handle rather
			// than a path, bypassing path-based checks and mount namespace
			// boundaries, hence the CAP_DAC_READ_SEARCH gate.
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			// With CAP_SYS_ADMIN, clone is allowed with any flags here; the
			// two masked clone rules below cover the non-privileged case.
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			// Without CAP_SYS_ADMIN, clone is allowed only when none of the
			// namespace-creating CLONE_NEW* bits are set in the flags
			// argument (arg 0): OpMaskedEqual checks (arg & Value) == ValueTwo,
			// and ValueTwo is 0. Not applied when CAP_SYS_ADMIN is held (the
			// rule above already allows it) nor on s390/s390x, where the
			// flags live in arg 1 (next rule).
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			// Same namespace-flag mask as above, but on s390 the clone flags
			// are passed in the second argument (Index 1).
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			// Kernel module loading/unloading is gated on CAP_SYS_MODULE.
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			// Cross-process memory and tracing access; this is also the path
			// that grants ptrace on kernels older than 4.8.
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			// Raw I/O port access is gated on CAP_SYS_RAWIO.
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			// Setting the system clock is gated on CAP_SYS_TIME.
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			// NUMA memory policy calls are gated on CAP_SYS_NICE.
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		{
			// syslog is reachable via CAP_SYSLOG as well as CAP_SYS_ADMIN
			// (listed above); either capability allows it.
			Names: []string{
				"syslog",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Deny-by-default with an errno so unmatched syscalls fail visibly in
	// the container instead of terminating the process.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}