// +build linux,seccomp

package seccomp

import (
	"syscall"

	"github.com/docker/docker/api/types"
)

// arches returns the architecture table that DefaultProfile puts into
// Seccomp.ArchMap. Each row names one native architecture and the
// sub-architectures listed with it; presumably these are the compatibility
// ABIs (e.g. 32-bit x86 and x32 on an x86_64 kernel) whose syscall tables
// the filter must cover too — the consumer of ArchMap lives outside this
// file, so verify there before relying on that reading.
func arches() []types.Architecture {
	// row builds a single table entry; keeping the rows one per line makes
	// it easy to audit which compat ABIs are filtered alongside each arch.
	row := func(native types.Arch, sub ...types.Arch) types.Architecture {
		return types.Architecture{Arch: native, SubArches: sub}
	}
	return []types.Architecture{
		row(types.ArchX86_64, types.ArchX86, types.ArchX32),
		row(types.ArchAARCH64, types.ArchARM),
		row(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		row(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		row(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		row(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		row(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
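// DefaultProfile defines the whitelist for the default seccomp profile.
//
// The profile is deny-by-default: DefaultAction is types.ActErrno, so any
// syscall not matched by a rule below fails with an error instead of being
// executed. The rules are organised as follows:
//
//   - a large unconditional allow-list of syscalls that ordinary container
//     workloads need;
//   - personality(2) restricted to three argument values;
//   - architecture-specific syscalls, enabled only via Includes.Arches;
//   - privileged syscalls, enabled only when the container is granted the
//     capability named in Includes.Caps;
//   - clone(2) with namespace-creation flags masked off when CAP_SYS_ADMIN is
//     absent (with a separate rule for the s390 argument order).
//
// The function is pure: it builds a fresh *types.Seccomp on every call and
// has no side effects.
func DefaultProfile() *types.Seccomp {
	syscalls := []*types.Syscall{
		{
			// Unconditional allow-list. Note that several entries (ipc,
			// socketcall, *32, *64 variants) only exist on some of the
			// sub-architectures listed in arches(); a name unknown to the
			// running architecture is simply never matched.
			Names: []string{
				"accept",
				"accept4",
				"access",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_gettime",
				"clock_nanosleep",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"prctl",
				"pread64",
				"preadv",
				"prlimit64",
				"pselect6",
				"pwrite64",
				"pwritev",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"syslog",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_settime",
				"timer_getoverrun",
				"timer_gettime",
				"timer_settime",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// personality(2) is only allowed for three exact values of its
		// first argument; every other persona / flag combination is denied.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0, // PER_LINUX
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008, // PER_LINUX32
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff, // query-only: returns the current persona unchanged
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, enabled only on the listed arches.
		{
			Names: []string{
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule is active only when the
		// container has been granted the capability in Includes.Caps, so
		// dropping the capability also removes the syscall from the filter.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"setdomainname",
				"sethostname",
				"setns",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone(2) is allowed only when none of the
		// CLONE_NEW* namespace flags are set: OpMaskedEqual checks
		// (flags & Value) == ValueTwo, and ValueTwo is 0. Containers that do
		// hold CAP_SYS_ADMIN are covered by the unconditional rule above.
		// s390 is excluded here because it passes the flags in a different
		// argument; the next rule handles it.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1, // flags are the second argument on s390
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"adjtimex",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
	}

	return &types.Seccomp{
		// Anything not explicitly allowed above fails with an errno.
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}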