github.com/freiheit-com/kuberpult@v1.24.2-0.20240328135542-315d5630abe6/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_TRACE", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "close_range", 78 "connect", 79 "copy_file_range", 80 "creat", 81 "dup", 82 "dup2", 83 "dup3", 84 "epoll_create", 85 "epoll_create1", 86 "epoll_ctl", 87 "epoll_ctl_old", 88 "epoll_pwait", 89 "epoll_pwait2", 90 "epoll_wait", 91 "epoll_wait_old", 92 "eventfd", 93 "eventfd2", 94 "execve", 95 "execveat", 96 "exit", 97 "exit_group", 98 "faccessat", 99 "faccessat2", 100 "fadvise64", 101 "fadvise64_64", 102 "fallocate", 103 "fanotify_mark", 104 "fchdir", 105 "fchmod", 106 "fchmodat", 107 "fchown", 108 "fchown32", 109 "fchownat", 110 "fcntl", 111 "fcntl64", 112 "fdatasync", 113 "fgetxattr", 114 "flistxattr", 115 "flock", 116 "fork", 117 "fremovexattr", 118 "fsetxattr", 119 "fstat", 120 "fstat64", 121 "fstatat64", 122 "fstatfs", 123 "fstatfs64", 124 "fsync", 125 "ftruncate", 126 "ftruncate64", 127 "futex", 128 "futex_time64", 129 "futimesat", 130 "getcpu", 131 "getcwd", 132 "getdents", 133 "getdents64", 134 "getegid", 135 "getegid32", 136 "geteuid", 137 "geteuid32", 138 "getgid", 139 "getgid32", 140 "getgroups", 141 "getgroups32", 142 "getitimer", 143 "getpeername", 144 "getpgid", 145 "getpgrp", 146 "getpid", 147 "getppid", 148 "getpriority", 149 "getrandom", 150 "getresgid", 151 "getresgid32", 152 "getresuid", 153 "getresuid32", 154 "getrlimit", 155 "get_robust_list", 156 "getrusage", 157 "getsid", 158 "getsockname", 159 "getsockopt", 160 "get_thread_area", 161 "gettid", 162 "gettimeofday", 163 "getuid", 164 "getuid32", 165 "getxattr", 166 "inotify_add_watch", 167 "inotify_init", 168 "inotify_init1", 169 "inotify_rm_watch", 170 "io_cancel", 171 "ioctl", 172 "io_destroy", 173 "io_getevents", 174 "io_pgetevents", 175 "io_pgetevents_time64", 176 "ioprio_get", 177 "ioprio_set", 178 "io_setup", 179 "io_submit", 180 "io_uring_enter", 181 "io_uring_register", 182 "io_uring_setup", 183 "ipc", 184 "kill", 185 "lchown", 186 "lchown32", 187 "lgetxattr", 188 "link", 189 "linkat", 190 "listen", 191 "listxattr", 192 "llistxattr", 193 "_llseek", 194 "lremovexattr", 195 "lseek", 196 "lsetxattr", 197 "lstat", 198 "lstat64", 199 "madvise", 200 "membarrier", 201 "memfd_create", 202 "mincore", 203 "mkdir", 204 "mkdirat", 205 "mknod", 206 "mknodat", 207 "mlock", 208 "mlock2", 209 "mlockall", 210 "mmap", 211 "mmap2", 212 "mprotect", 213 "mq_getsetattr", 214 "mq_notify", 215 "mq_open", 216 "mq_timedreceive", 217 "mq_timedreceive_time64", 218 "mq_timedsend", 219 "mq_timedsend_time64", 220 "mq_unlink", 221 "mremap", 222 "msgctl", 223 "msgget", 224 "msgrcv", 225 "msgsnd", 226 "msync", 227 "munlock", 228 "munlockall", 229 "munmap", 230 "nanosleep", 231 "newfstatat", 232 "_newselect", 233 "open", 234 "openat", 235 "openat2", 236 "pause", 237 "pidfd_open", 238 "pidfd_send_signal", 239 "pipe", 240 "pipe2", 241 "poll", 242 "ppoll", 243 "ppoll_time64", 244 "prctl", 245 "pread64", 246 "preadv", 247 "preadv2", 248 "prlimit64", 249 "pselect6", 250 "pselect6_time64", 251 "pwrite64", 252 "pwritev", 253 "pwritev2", 254 "read", 255 "readahead", 256 "readlink", 257 "readlinkat", 258 "readv", 259 "recv", 260 "recvfrom", 261 "recvmmsg", 262 "recvmmsg_time64", 263 "recvmsg", 264 "remap_file_pages", 265 "removexattr", 266 "rename", 267 "renameat", 268 "renameat2", 269 "restart_syscall", 270 "rmdir", 271 "rseq", 272 "rt_sigaction", 273 "rt_sigpending", 274 "rt_sigprocmask", 275 "rt_sigqueueinfo", 276 "rt_sigreturn", 277 "rt_sigsuspend", 278 "rt_sigtimedwait", 279 "rt_sigtimedwait_time64", 280 "rt_tgsigqueueinfo", 281 "sched_getaffinity", 282 "sched_getattr", 283 "sched_getparam", 284 "sched_get_priority_max", 285 "sched_get_priority_min", 286 "sched_getscheduler", 287 "sched_rr_get_interval", 288 "sched_rr_get_interval_time64", 289 "sched_setaffinity", 290 "sched_setattr", 291 "sched_setparam", 292 "sched_setscheduler", 293 "sched_yield", 294 "seccomp", 295 "select", 296 "semctl", 297 "semget", 298 "semop", 299 "semtimedop", 300 "semtimedop_time64", 301 "send", 302 "sendfile", 303 "sendfile64", 304 "sendmmsg", 305 "sendmsg", 306 "sendto", 307 "setfsgid", 308 "setfsgid32", 309 "setfsuid", 310 "setfsuid32", 311 "setgid", 312 "setgid32", 313 "setgroups", 314 "setgroups32", 315 "setitimer", 316 "setpgid", 317 "setpriority", 318 "setregid", 319 "setregid32", 320 "setresgid", 321 "setresgid32", 322 "setresuid", 323 "setresuid32", 324 "setreuid", 325 "setreuid32", 326 "setrlimit", 327 "set_robust_list", 328 "setsid", 329 "setsockopt", 330 "set_thread_area", 331 "set_tid_address", 332 "setuid", 333 "setuid32", 334 "setxattr", 335 "shmat", 336 "shmctl", 337 "shmdt", 338 "shmget", 339 "shutdown", 340 "sigaltstack", 341 "signalfd", 342 "signalfd4", 343 "sigprocmask", 344 "sigreturn", 345 "socket", 346 "socketcall", 347 "socketpair", 348 "splice", 349 "stat", 350 "stat64", 351 "statfs", 352 "statfs64", 353 "statx", 354 "symlink", 355 "symlinkat", 356 "sync", 357 "sync_file_range", 358 "syncfs", 359 "sysinfo", 360 "tee", 361 "tgkill", 362 "time", 363 "timer_create", 364 "timer_delete", 365 "timer_getoverrun", 366 "timer_gettime", 367 "timer_gettime64", 368 "timer_settime", 369 "timer_settime64", 370 "timerfd_create", 371 "timerfd_gettime", 372 "timerfd_gettime64", 373 "timerfd_settime", 374 "timerfd_settime64", 375 "times", 376 "tkill", 377 "truncate", 378 "truncate64", 379 "ugetrlimit", 380 "umask", 381 "uname", 382 "unlink", 383 "unlinkat", 384 "utime", 385 "utimensat", 386 "utimensat_time64", 387 "utimes", 388 "vfork", 389 "vmsplice", 390 "wait4", 391 "waitid", 392 "waitpid", 393 "write", 394 "writev" 395 ], 396 "action": "SCMP_ACT_ALLOW", 397 "args": [], 398 "comment": "", 399 "includes": {}, 400 "excludes": {} 401 }, 402 { 403 "names": [ 404 "process_vm_readv", 405 "process_vm_writev", 406 "ptrace" 407 ], 408 "action": "SCMP_ACT_ALLOW", 409 "args": null, 410 "comment": "", 411 "includes": { 412 "minKernel": "4.8" 413 }, 414 "excludes": {} 415 }, 416 { 417 "names": [ 418 "personality" 419 ], 420 "action": "SCMP_ACT_ALLOW", 421 "args": [ 422 { 423 "index": 0, 424 "value": 0, 425 "op": "SCMP_CMP_EQ" 426 } 427 ], 428 "comment": "", 429 "includes": {}, 430 "excludes": {} 431 }, 432 { 433 "names": [ 434 "personality" 435 ], 436 "action": "SCMP_ACT_ALLOW", 437 "args": [ 438 { 439 "index": 0, 440 "value": 8, 441 "op": "SCMP_CMP_EQ" 442 } 443 ], 444 "comment": "", 445 "includes": {}, 446 "excludes": {} 447 }, 448 { 449 "names": [ 450 "personality" 451 ], 452 "action": "SCMP_ACT_ALLOW", 453 "args": [ 454 { 455 "index": 0, 456 "value": 131072, 457 "op": "SCMP_CMP_EQ" 458 } 459 ], 460 "comment": "", 461 "includes": {}, 462 "excludes": {} 463 }, 464 { 465 "names": [ 466 "personality" 467 ], 468 "action": "SCMP_ACT_ALLOW", 469 "args": [ 470 { 471 "index": 0, 472 "value": 131080, 473 "op": "SCMP_CMP_EQ" 474 } 475 ], 476 "comment": "", 477 "includes": {}, 478 "excludes": {} 479 }, 480 { 481 "names": [ 482 "personality" 483 ], 484 "action": "SCMP_ACT_ALLOW", 485 "args": [ 486 { 487 "index": 0, 488 "value": 4294967295, 489 "op": "SCMP_CMP_EQ" 490 } 491 ], 492 "comment": "", 493 "includes": {}, 494 "excludes": {} 495 }, 496 { 497 "names": [ 498 "sync_file_range2" 499 ], 500 "action": "SCMP_ACT_ALLOW", 501 "args": [], 502 "comment": "", 503 "includes": { 504 "arches": [ 505 "ppc64le" 506 ] 507 }, 508 "excludes": {} 509 }, 510 { 511 "names": [ 512 "arm_fadvise64_64", 513 "arm_sync_file_range", 514 "sync_file_range2", 515 "breakpoint", 516 "cacheflush", 517 "set_tls" 518 ], 519 "action": "SCMP_ACT_ALLOW", 520 "args": [], 521 "comment": "", 522 "includes": { 523 "arches": [ 524 "arm", 525 "arm64" 526 ] 527 }, 528 "excludes": {} 529 }, 530 { 531 "names": [ 532 "arch_prctl" 533 ], 534 "action": "SCMP_ACT_ALLOW", 535 "args": [], 536 "comment": "", 537 "includes": { 538 "arches": [ 539 "amd64", 540 "x32" 541 ] 542 }, 543 "excludes": {} 544 }, 545 { 546 "names": [ 547 "modify_ldt" 548 ], 549 "action": "SCMP_ACT_ALLOW", 550 "args": [], 551 "comment": "", 552 "includes": { 553 "arches": [ 554 "amd64", 555 "x32", 556 "x86" 557 ] 558 }, 559 "excludes": {} 560 }, 561 { 562 "names": [ 563 "s390_pci_mmio_read", 564 "s390_pci_mmio_write", 565 "s390_runtime_instr" 566 ], 567 "action": "SCMP_ACT_ALLOW", 568 "args": [], 569 "comment": "", 570 "includes": { 571 "arches": [ 572 "s390", 573 "s390x" 574 ] 575 }, 576 "excludes": {} 577 }, 578 { 579 "names": [ 580 "open_by_handle_at" 581 ], 582 "action": "SCMP_ACT_ALLOW", 583 "args": [], 584 "comment": "", 585 "includes": { 586 "caps": [ 587 "CAP_DAC_READ_SEARCH" 588 ] 589 }, 590 "excludes": {} 591 }, 592 { 593 "names": [ 594 "bpf", 595 "clone", 596 "fanotify_init", 597 "fsconfig", 598 "fsmount", 599 "fsopen", 600 "fspick", 601 "lookup_dcookie", 602 "mount", 603 "move_mount", 604 "name_to_handle_at", 605 "open_tree", 606 "perf_event_open", 607 "quotactl", 608 "setdomainname", 609 "sethostname", 610 "setns", 611 "syslog", 612 "umount", 613 "umount2", 614 "unshare" 615 ], 616 "action": "SCMP_ACT_ALLOW", 617 "args": [], 618 "comment": "", 619 "includes": { 620 "caps": [ 621 "CAP_SYS_ADMIN" 622 ] 623 }, 624 "excludes": {} 625 }, 626 { 627 "names": [ 628 "clone" 629 ], 630 "action": "SCMP_ACT_ALLOW", 631 "args": [ 632 { 633 "index": 0, 634 "value": 2114060288, 635 "op": "SCMP_CMP_MASKED_EQ" 636 } 637 ], 638 "comment": "", 639 "includes": {}, 640 "excludes": { 641 "caps": [ 642 "CAP_SYS_ADMIN" 643 ], 644 "arches": [ 645 "s390", 646 "s390x" 647 ] 648 } 649 }, 650 { 651 "names": [ 652 "clone" 653 ], 654 "action": "SCMP_ACT_ALLOW", 655 "args": [ 656 { 657 "index": 1, 658 "value": 2114060288, 659 "op": "SCMP_CMP_MASKED_EQ" 660 } 661 ], 662 "comment": "s390 parameter ordering for clone is different", 663 "includes": { 664 "arches": [ 665 "s390", 666 "s390x" 667 ] 668 }, 669 "excludes": { 670 "caps": [ 671 "CAP_SYS_ADMIN" 672 ] 673 } 674 }, 675 { 676 "names": [ 677 "reboot" 678 ], 679 "action": "SCMP_ACT_ALLOW", 680 "args": [], 681 "comment": "", 682 "includes": { 683 "caps": [ 684 "CAP_SYS_BOOT" 685 ] 686 }, 687 "excludes": {} 688 }, 689 { 690 "names": [ 691 "chroot" 692 ], 693 "action": "SCMP_ACT_ALLOW", 694 "args": [], 695 "comment": "", 696 "includes": { 697 "caps": [ 698 "CAP_SYS_CHROOT" 699 ] 700 }, 701 "excludes": {} 702 }, 703 { 704 "names": [ 705 "delete_module", 706 "init_module", 707 "finit_module" 708 ], 709 "action": "SCMP_ACT_ALLOW", 710 "args": [], 711 "comment": "", 712 "includes": { 713 "caps": [ 714 "CAP_SYS_MODULE" 715 ] 716 }, 717 "excludes": {} 718 }, 719 { 720 "names": [ 721 "acct" 722 ], 723 "action": "SCMP_ACT_ALLOW", 724 "args": [], 725 "comment": "", 726 "includes": { 727 "caps": [ 728 "CAP_SYS_PACCT" 729 ] 730 }, 731 "excludes": {} 732 }, 733 { 734 "names": [ 735 "kcmp", 736 "pidfd_getfd", 737 "process_madvise", 738 "process_vm_readv", 739 "process_vm_writev", 740 "ptrace" 741 ], 742 "action": "SCMP_ACT_ALLOW", 743 "args": [], 744 "comment": "", 745 "includes": { 746 "caps": [ 747 "CAP_SYS_PTRACE" 748 ] 749 }, 750 "excludes": {} 751 }, 752 { 753 "names": [ 754 "iopl", 755 "ioperm" 756 ], 757 "action": "SCMP_ACT_ALLOW", 758 "args": [], 759 "comment": "", 760 "includes": { 761 "caps": [ 762 "CAP_SYS_RAWIO" 763 ] 764 }, 765 "excludes": {} 766 }, 767 { 768 "names": [ 769 "settimeofday", 770 "stime", 771 "clock_settime" 772 ], 773 "action": "SCMP_ACT_ALLOW", 774 "args": [], 775 "comment": "", 776 "includes": { 777 "caps": [ 778 "CAP_SYS_TIME" 779 ] 780 }, 781 "excludes": {} 782 }, 783 { 784 "names": [ 785 "vhangup" 786 ], 787 "action": "SCMP_ACT_ALLOW", 788 "args": [], 789 "comment": "", 790 "includes": { 791 "caps": [ 792 "CAP_SYS_TTY_CONFIG" 793 ] 794 }, 795 "excludes": {} 796 }, 797 { 798 "names": [ 799 "get_mempolicy", 800 "mbind", 801 "set_mempolicy" 802 ], 803 "action": "SCMP_ACT_ALLOW", 804 "args": [], 805 "comment": "", 806 "includes": { 807 "caps": [ 808 "CAP_SYS_NICE" 809 ] 810 }, 811 "excludes": {} 812 }, 813 { 814 "names": [ 815 "syslog" 816 ], 817 "action": "SCMP_ACT_ALLOW", 818 "args": [], 819 "comment": "", 820 "includes": { 821 "caps": [ 822 "CAP_SYSLOG" 823 ] 824 }, 825 "excludes": {} 826 } 827 ] 828 }