// +build linux,seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile. Each entry
// names a native architecture and the additional (sub-)architectures that are
// grouped with it; presumably the profile is then applied to all of them on
// such a host — confirm against the consumer of ArchMap.
func arches() []types.Architecture {
	// entry keeps each mapping on a single line; subs becomes SubArches as-is.
	entry := func(native types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: native, SubArches: subs}
	}
	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile returns the default seccomp profile: an allowlist of syscalls
// (unconditional, capability-gated, architecture-gated or argument-filtered),
// with every syscall not matched by a rule rejected with an errno.
func DefaultProfile() *types.Seccomp {
	// Rules are evaluated by the consumer of this profile; each rule is gated
	// by its Includes/Excludes filter (capabilities, arches, min kernel) and,
	// where Args is non-empty, by argument comparisons.
	syscalls := []*types.Syscall{
		// Unconditional allowlist: permitted regardless of capabilities or
		// architecture. Args is an explicit empty slice (not nil) here and in
		// the rules below — kept as-is; presumably the distinction matters for
		// the serialised (JSON) form of the profile, verify before changing.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// ptrace is allowed without any capability only from kernel 4.8 on.
		// NOTE(review): presumably because earlier kernels let a tracer alter a
		// syscall after the seccomp check had passed — confirm with upstream
		// history before relaxing. ptrace also appears below under
		// CAP_SYS_PTRACE, which covers older kernels.
		{
			Names:  []string{"ptrace"},
			Action: types.ActAllow,
			Includes: types.Filter{
				MinKernel: "4.8",
			},
		},
		// personality is only allowed for a fixed set of arg0 values; any
		// other persona is rejected by DefaultAction. The values below match
		// <linux/personality.h>: 0x0 is PER_LINUX.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		// 0x0008 is PER_LINUX32.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		// 0x20000 is UNAME26 (report a 2.6.x kernel version).
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		// 0x20008 is UNAME26 | PER_LINUX32.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		// 0xffffffff queries the current persona without changing it.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, gated on Includes.Arches.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule applies only when the
		// container is granted the capability named in Includes.Caps.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creating flags are set in the flags argument:
		// OpMaskedEqual checks (arg & Value) == ValueTwo, i.e. (flags & mask) == 0.
		// Excluded on s390 because the flags argument sits at a different
		// index there (see the next rule).
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same mask as above, applied to arg1 for s390/s390x.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// syslog is also listed under CAP_SYS_ADMIN above; either capability
		// is sufficient.
		{
			Names: []string{
				"syslog",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Anything not matched by a rule above fails with an errno (ActErrno)
	// rather than killing the calling process.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}