github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "connect", 78 "copy_file_range", 79 "creat", 80 "dup", 81 "dup2", 82 "dup3", 83 "epoll_create", 84 "epoll_create1", 85 "epoll_ctl", 86 "epoll_ctl_old", 87 "epoll_pwait", 88 "epoll_wait", 89 "epoll_wait_old", 90 "eventfd", 91 "eventfd2", 92 "execve", 93 "execveat", 94 "exit", 95 "exit_group", 96 "faccessat", 97 "fadvise64", 98 "fadvise64_64", 99 "fallocate", 100 "fanotify_mark", 101 "fchdir", 102 "fchmod", 103 "fchmodat", 104 "fchown", 105 "fchown32", 106 "fchownat", 107 "fcntl", 108 "fcntl64", 109 "fdatasync", 110 "fgetxattr", 111 "flistxattr", 112 "flock", 113 "fork", 114 "fremovexattr", 
115 "fsetxattr", 116 "fstat", 117 "fstat64", 118 "fstatat64", 119 "fstatfs", 120 "fstatfs64", 121 "fsync", 122 "ftruncate", 123 "ftruncate64", 124 "futex", 125 "futex_time64", 126 "futimesat", 127 "getcpu", 128 "getcwd", 129 "getdents", 130 "getdents64", 131 "getegid", 132 "getegid32", 133 "geteuid", 134 "geteuid32", 135 "getgid", 136 "getgid32", 137 "getgroups", 138 "getgroups32", 139 "getitimer", 140 "getpeername", 141 "getpgid", 142 "getpgrp", 143 "getpid", 144 "getppid", 145 "getpriority", 146 "getrandom", 147 "getresgid", 148 "getresgid32", 149 "getresuid", 150 "getresuid32", 151 "getrlimit", 152 "get_robust_list", 153 "getrusage", 154 "getsid", 155 "getsockname", 156 "getsockopt", 157 "get_thread_area", 158 "gettid", 159 "gettimeofday", 160 "getuid", 161 "getuid32", 162 "getxattr", 163 "inotify_add_watch", 164 "inotify_init", 165 "inotify_init1", 166 "inotify_rm_watch", 167 "io_cancel", 168 "ioctl", 169 "io_destroy", 170 "io_getevents", 171 "io_pgetevents", 172 "io_pgetevents_time64", 173 "ioprio_get", 174 "ioprio_set", 175 "io_setup", 176 "io_submit", 177 "io_uring_enter", 178 "io_uring_register", 179 "io_uring_setup", 180 "ipc", 181 "kill", 182 "lchown", 183 "lchown32", 184 "lgetxattr", 185 "link", 186 "linkat", 187 "listen", 188 "listxattr", 189 "llistxattr", 190 "_llseek", 191 "lremovexattr", 192 "lseek", 193 "lsetxattr", 194 "lstat", 195 "lstat64", 196 "madvise", 197 "membarrier", 198 "memfd_create", 199 "mincore", 200 "mkdir", 201 "mkdirat", 202 "mknod", 203 "mknodat", 204 "mlock", 205 "mlock2", 206 "mlockall", 207 "mmap", 208 "mmap2", 209 "mprotect", 210 "mq_getsetattr", 211 "mq_notify", 212 "mq_open", 213 "mq_timedreceive", 214 "mq_timedreceive_time64", 215 "mq_timedsend", 216 "mq_timedsend_time64", 217 "mq_unlink", 218 "mremap", 219 "msgctl", 220 "msgget", 221 "msgrcv", 222 "msgsnd", 223 "msync", 224 "munlock", 225 "munlockall", 226 "munmap", 227 "nanosleep", 228 "newfstatat", 229 "_newselect", 230 "open", 231 "openat", 232 "pause", 233 "pipe", 234 
"pipe2", 235 "poll", 236 "ppoll", 237 "ppoll_time64", 238 "prctl", 239 "pread64", 240 "preadv", 241 "preadv2", 242 "prlimit64", 243 "pselect6", 244 "pselect6_time64", 245 "pwrite64", 246 "pwritev", 247 "pwritev2", 248 "read", 249 "readahead", 250 "readlink", 251 "readlinkat", 252 "readv", 253 "recv", 254 "recvfrom", 255 "recvmmsg", 256 "recvmmsg_time64", 257 "recvmsg", 258 "remap_file_pages", 259 "removexattr", 260 "rename", 261 "renameat", 262 "renameat2", 263 "restart_syscall", 264 "rmdir", 265 "rt_sigaction", 266 "rt_sigpending", 267 "rt_sigprocmask", 268 "rt_sigqueueinfo", 269 "rt_sigreturn", 270 "rt_sigsuspend", 271 "rt_sigtimedwait", 272 "rt_sigtimedwait_time64", 273 "rt_tgsigqueueinfo", 274 "sched_getaffinity", 275 "sched_getattr", 276 "sched_getparam", 277 "sched_get_priority_max", 278 "sched_get_priority_min", 279 "sched_getscheduler", 280 "sched_rr_get_interval", 281 "sched_rr_get_interval_time64", 282 "sched_setaffinity", 283 "sched_setattr", 284 "sched_setparam", 285 "sched_setscheduler", 286 "sched_yield", 287 "seccomp", 288 "select", 289 "semctl", 290 "semget", 291 "semop", 292 "semtimedop", 293 "semtimedop_time64", 294 "send", 295 "sendfile", 296 "sendfile64", 297 "sendmmsg", 298 "sendmsg", 299 "sendto", 300 "setfsgid", 301 "setfsgid32", 302 "setfsuid", 303 "setfsuid32", 304 "setgid", 305 "setgid32", 306 "setgroups", 307 "setgroups32", 308 "setitimer", 309 "setpgid", 310 "setpriority", 311 "setregid", 312 "setregid32", 313 "setresgid", 314 "setresgid32", 315 "setresuid", 316 "setresuid32", 317 "setreuid", 318 "setreuid32", 319 "setrlimit", 320 "set_robust_list", 321 "setsid", 322 "setsockopt", 323 "set_thread_area", 324 "set_tid_address", 325 "setuid", 326 "setuid32", 327 "setxattr", 328 "shmat", 329 "shmctl", 330 "shmdt", 331 "shmget", 332 "shutdown", 333 "sigaltstack", 334 "signalfd", 335 "signalfd4", 336 "sigprocmask", 337 "sigreturn", 338 "socket", 339 "socketcall", 340 "socketpair", 341 "splice", 342 "stat", 343 "stat64", 344 "statfs", 345 
"statfs64", 346 "statx", 347 "symlink", 348 "symlinkat", 349 "sync", 350 "sync_file_range", 351 "syncfs", 352 "sysinfo", 353 "tee", 354 "tgkill", 355 "time", 356 "timer_create", 357 "timer_delete", 358 "timer_getoverrun", 359 "timer_gettime", 360 "timer_gettime64", 361 "timer_settime", 362 "timer_settime64", 363 "timerfd_create", 364 "timerfd_gettime", 365 "timerfd_gettime64", 366 "timerfd_settime", 367 "timerfd_settime64", 368 "times", 369 "tkill", 370 "truncate", 371 "truncate64", 372 "ugetrlimit", 373 "umask", 374 "uname", 375 "unlink", 376 "unlinkat", 377 "utime", 378 "utimensat", 379 "utimensat_time64", 380 "utimes", 381 "vfork", 382 "vmsplice", 383 "wait4", 384 "waitid", 385 "waitpid", 386 "write", 387 "writev" 388 ], 389 "action": "SCMP_ACT_ALLOW", 390 "args": [], 391 "comment": "", 392 "includes": {}, 393 "excludes": {} 394 }, 395 { 396 "names": [ 397 "ptrace" 398 ], 399 "action": "SCMP_ACT_ALLOW", 400 "args": null, 401 "comment": "", 402 "includes": { 403 "minKernel": "4.8" 404 }, 405 "excludes": {} 406 }, 407 { 408 "names": [ 409 "personality" 410 ], 411 "action": "SCMP_ACT_ALLOW", 412 "args": [ 413 { 414 "index": 0, 415 "value": 0, 416 "valueTwo": 0, 417 "op": "SCMP_CMP_EQ" 418 } 419 ], 420 "comment": "", 421 "includes": {}, 422 "excludes": {} 423 }, 424 { 425 "names": [ 426 "personality" 427 ], 428 "action": "SCMP_ACT_ALLOW", 429 "args": [ 430 { 431 "index": 0, 432 "value": 8, 433 "valueTwo": 0, 434 "op": "SCMP_CMP_EQ" 435 } 436 ], 437 "comment": "", 438 "includes": {}, 439 "excludes": {} 440 }, 441 { 442 "names": [ 443 "personality" 444 ], 445 "action": "SCMP_ACT_ALLOW", 446 "args": [ 447 { 448 "index": 0, 449 "value": 131072, 450 "valueTwo": 0, 451 "op": "SCMP_CMP_EQ" 452 } 453 ], 454 "comment": "", 455 "includes": {}, 456 "excludes": {} 457 }, 458 { 459 "names": [ 460 "personality" 461 ], 462 "action": "SCMP_ACT_ALLOW", 463 "args": [ 464 { 465 "index": 0, 466 "value": 131080, 467 "valueTwo": 0, 468 "op": "SCMP_CMP_EQ" 469 } 470 ], 471 "comment": "", 
472 "includes": {}, 473 "excludes": {} 474 }, 475 { 476 "names": [ 477 "personality" 478 ], 479 "action": "SCMP_ACT_ALLOW", 480 "args": [ 481 { 482 "index": 0, 483 "value": 4294967295, 484 "valueTwo": 0, 485 "op": "SCMP_CMP_EQ" 486 } 487 ], 488 "comment": "", 489 "includes": {}, 490 "excludes": {} 491 }, 492 { 493 "names": [ 494 "sync_file_range2" 495 ], 496 "action": "SCMP_ACT_ALLOW", 497 "args": [], 498 "comment": "", 499 "includes": { 500 "arches": [ 501 "ppc64le" 502 ] 503 }, 504 "excludes": {} 505 }, 506 { 507 "names": [ 508 "arm_fadvise64_64", 509 "arm_sync_file_range", 510 "sync_file_range2", 511 "breakpoint", 512 "cacheflush", 513 "set_tls" 514 ], 515 "action": "SCMP_ACT_ALLOW", 516 "args": [], 517 "comment": "", 518 "includes": { 519 "arches": [ 520 "arm", 521 "arm64" 522 ] 523 }, 524 "excludes": {} 525 }, 526 { 527 "names": [ 528 "arch_prctl" 529 ], 530 "action": "SCMP_ACT_ALLOW", 531 "args": [], 532 "comment": "", 533 "includes": { 534 "arches": [ 535 "amd64", 536 "x32" 537 ] 538 }, 539 "excludes": {} 540 }, 541 { 542 "names": [ 543 "modify_ldt" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "args": [], 547 "comment": "", 548 "includes": { 549 "arches": [ 550 "amd64", 551 "x32", 552 "x86" 553 ] 554 }, 555 "excludes": {} 556 }, 557 { 558 "names": [ 559 "s390_pci_mmio_read", 560 "s390_pci_mmio_write", 561 "s390_runtime_instr" 562 ], 563 "action": "SCMP_ACT_ALLOW", 564 "args": [], 565 "comment": "", 566 "includes": { 567 "arches": [ 568 "s390", 569 "s390x" 570 ] 571 }, 572 "excludes": {} 573 }, 574 { 575 "names": [ 576 "open_by_handle_at" 577 ], 578 "action": "SCMP_ACT_ALLOW", 579 "args": [], 580 "comment": "", 581 "includes": { 582 "caps": [ 583 "CAP_DAC_READ_SEARCH" 584 ] 585 }, 586 "excludes": {} 587 }, 588 { 589 "names": [ 590 "bpf", 591 "clone", 592 "fanotify_init", 593 "lookup_dcookie", 594 "mount", 595 "name_to_handle_at", 596 "perf_event_open", 597 "quotactl", 598 "setdomainname", 599 "sethostname", 600 "setns", 601 "syslog", 602 "umount", 603 
"umount2", 604 "unshare" 605 ], 606 "action": "SCMP_ACT_ALLOW", 607 "args": [], 608 "comment": "", 609 "includes": { 610 "caps": [ 611 "CAP_SYS_ADMIN" 612 ] 613 }, 614 "excludes": {} 615 }, 616 { 617 "names": [ 618 "clone" 619 ], 620 "action": "SCMP_ACT_ALLOW", 621 "args": [ 622 { 623 "index": 0, 624 "value": 2114060288, 625 "valueTwo": 0, 626 "op": "SCMP_CMP_MASKED_EQ" 627 } 628 ], 629 "comment": "", 630 "includes": {}, 631 "excludes": { 632 "caps": [ 633 "CAP_SYS_ADMIN" 634 ], 635 "arches": [ 636 "s390", 637 "s390x" 638 ] 639 } 640 }, 641 { 642 "names": [ 643 "clone" 644 ], 645 "action": "SCMP_ACT_ALLOW", 646 "args": [ 647 { 648 "index": 1, 649 "value": 2114060288, 650 "valueTwo": 0, 651 "op": "SCMP_CMP_MASKED_EQ" 652 } 653 ], 654 "comment": "s390/s390x pass clone's flags as the second argument (index 1) rather than the first, so the namespace-flag mask is checked at index 1 here", 655 "includes": { 656 "arches": [ 657 "s390", 658 "s390x" 659 ] 660 }, 661 "excludes": { 662 "caps": [ 663 "CAP_SYS_ADMIN" 664 ] 665 } 666 }, 667 { 668 "names": [ 669 "reboot" 670 ], 671 "action": "SCMP_ACT_ALLOW", 672 "args": [], 673 "comment": "", 674 "includes": { 675 "caps": [ 676 "CAP_SYS_BOOT" 677 ] 678 }, 679 "excludes": {} 680 }, 681 { 682 "names": [ 683 "chroot" 684 ], 685 "action": "SCMP_ACT_ALLOW", 686 "args": [], 687 "comment": "", 688 "includes": { 689 "caps": [ 690 "CAP_SYS_CHROOT" 691 ] 692 }, 693 "excludes": {} 694 }, 695 { 696 "names": [ 697 "delete_module", 698 "init_module", 699 "finit_module" 700 ], 701 "action": "SCMP_ACT_ALLOW", 702 "args": [], 703 "comment": "", 704 "includes": { 705 "caps": [ 706 "CAP_SYS_MODULE" 707 ] 708 }, 709 "excludes": {} 710 }, 711 { 712 "names": [ 713 "acct" 714 ], 715 "action": "SCMP_ACT_ALLOW", 716 "args": [], 717 "comment": "", 718 "includes": { 719 "caps": [ 720 "CAP_SYS_PACCT" 721 ] 722 }, 723 "excludes": {} 724 }, 725 { 726 "names": [ 727 "kcmp", 728 "process_vm_readv", 729 "process_vm_writev", 730 "ptrace" 731 ], 732 "action": "SCMP_ACT_ALLOW", 733 "args": [], 734 "comment": "", 735 "includes": { 736 "caps": [ 737 
"CAP_SYS_PTRACE" 738 ] 739 }, 740 "excludes": {} 741 }, 742 { 743 "names": [ 744 "iopl", 745 "ioperm" 746 ], 747 "action": "SCMP_ACT_ALLOW", 748 "args": [], 749 "comment": "", 750 "includes": { 751 "caps": [ 752 "CAP_SYS_RAWIO" 753 ] 754 }, 755 "excludes": {} 756 }, 757 { 758 "names": [ 759 "settimeofday", 760 "stime", 761 "clock_settime" 762 ], 763 "action": "SCMP_ACT_ALLOW", 764 "args": [], 765 "comment": "", 766 "includes": { 767 "caps": [ 768 "CAP_SYS_TIME" 769 ] 770 }, 771 "excludes": {} 772 }, 773 { 774 "names": [ 775 "vhangup" 776 ], 777 "action": "SCMP_ACT_ALLOW", 778 "args": [], 779 "comment": "", 780 "includes": { 781 "caps": [ 782 "CAP_SYS_TTY_CONFIG" 783 ] 784 }, 785 "excludes": {} 786 }, 787 { 788 "names": [ 789 "get_mempolicy", 790 "mbind", 791 "set_mempolicy" 792 ], 793 "action": "SCMP_ACT_ALLOW", 794 "args": [], 795 "comment": "", 796 "includes": { 797 "caps": [ 798 "CAP_SYS_NICE" 799 ] 800 }, 801 "excludes": {} 802 }, 803 { 804 "names": [ 805 "syslog" 806 ], 807 "action": "SCMP_ACT_ALLOW", 808 "args": [], 809 "comment": "", 810 "includes": { 811 "caps": [ 812 "CAP_SYSLOG" 813 ] 814 }, 815 "excludes": {} 816 } 817 ] 818 }