github.com/hms58/moby@v1.13.1/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "alarm", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 120 "futimesat", 121 
"getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "prlimit64", 227 "pselect6", 228 "pwrite64", 229 "pwritev", 230 "read", 231 "readahead", 232 "readlink", 233 "readlinkat", 234 "readv", 235 "recv", 236 "recvfrom", 237 "recvmmsg", 238 "recvmsg", 239 "remap_file_pages", 240 "removexattr", 241 "rename", 242 "renameat", 243 "renameat2", 244 "restart_syscall", 245 
"rmdir", 246 "rt_sigaction", 247 "rt_sigpending", 248 "rt_sigprocmask", 249 "rt_sigqueueinfo", 250 "rt_sigreturn", 251 "rt_sigsuspend", 252 "rt_sigtimedwait", 253 "rt_tgsigqueueinfo", 254 "sched_getaffinity", 255 "sched_getattr", 256 "sched_getparam", 257 "sched_get_priority_max", 258 "sched_get_priority_min", 259 "sched_getscheduler", 260 "sched_rr_get_interval", 261 "sched_setaffinity", 262 "sched_setattr", 263 "sched_setparam", 264 "sched_setscheduler", 265 "sched_yield", 266 "seccomp", 267 "select", 268 "semctl", 269 "semget", 270 "semop", 271 "semtimedop", 272 "send", 273 "sendfile", 274 "sendfile64", 275 "sendmmsg", 276 "sendmsg", 277 "sendto", 278 "setfsgid", 279 "setfsgid32", 280 "setfsuid", 281 "setfsuid32", 282 "setgid", 283 "setgid32", 284 "setgroups", 285 "setgroups32", 286 "setitimer", 287 "setpgid", 288 "setpriority", 289 "setregid", 290 "setregid32", 291 "setresgid", 292 "setresgid32", 293 "setresuid", 294 "setresuid32", 295 "setreuid", 296 "setreuid32", 297 "setrlimit", 298 "set_robust_list", 299 "setsid", 300 "setsockopt", 301 "set_thread_area", 302 "set_tid_address", 303 "setuid", 304 "setuid32", 305 "setxattr", 306 "shmat", 307 "shmctl", 308 "shmdt", 309 "shmget", 310 "shutdown", 311 "sigaltstack", 312 "signalfd", 313 "signalfd4", 314 "sigreturn", 315 "socket", 316 "socketcall", 317 "socketpair", 318 "splice", 319 "stat", 320 "stat64", 321 "statfs", 322 "statfs64", 323 "symlink", 324 "symlinkat", 325 "sync", 326 "sync_file_range", 327 "syncfs", 328 "sysinfo", 329 "syslog", 330 "tee", 331 "tgkill", 332 "time", 333 "timer_create", 334 "timer_delete", 335 "timerfd_create", 336 "timerfd_gettime", 337 "timerfd_settime", 338 "timer_getoverrun", 339 "timer_gettime", 340 "timer_settime", 341 "times", 342 "tkill", 343 "truncate", 344 "truncate64", 345 "ugetrlimit", 346 "umask", 347 "uname", 348 "unlink", 349 "unlinkat", 350 "utime", 351 "utimensat", 352 "utimes", 353 "vfork", 354 "vmsplice", 355 "wait4", 356 "waitid", 357 "waitpid", 358 "write", 359 
"writev" 360 ], 361 "action": "SCMP_ACT_ALLOW", 362 "args": [], 363 "comment": "", 364 "includes": {}, 365 "excludes": {} 366 }, 367 { 368 "names": [ 369 "personality" 370 ], 371 "action": "SCMP_ACT_ALLOW", 372 "args": [ 373 { 374 "index": 0, 375 "value": 0, 376 "valueTwo": 0, 377 "op": "SCMP_CMP_EQ" 378 } 379 ], 380 "comment": "", 381 "includes": {}, 382 "excludes": {} 383 }, 384 { 385 "names": [ 386 "personality" 387 ], 388 "action": "SCMP_ACT_ALLOW", 389 "args": [ 390 { 391 "index": 0, 392 "value": 8, 393 "valueTwo": 0, 394 "op": "SCMP_CMP_EQ" 395 } 396 ], 397 "comment": "", 398 "includes": {}, 399 "excludes": {} 400 }, 401 { 402 "names": [ 403 "personality" 404 ], 405 "action": "SCMP_ACT_ALLOW", 406 "args": [ 407 { 408 "index": 0, 409 "value": 4294967295, 410 "valueTwo": 0, 411 "op": "SCMP_CMP_EQ" 412 } 413 ], 414 "comment": "", 415 "includes": {}, 416 "excludes": {} 417 }, 418 { 419 "names": [ 420 "arm_fadvise64_64", 421 "arm_sync_file_range", 422 "breakpoint", 423 "cacheflush", 424 "set_tls" 425 ], 426 "action": "SCMP_ACT_ALLOW", 427 "args": [], 428 "comment": "", 429 "includes": { 430 "arches": [ 431 "arm", 432 "arm64" 433 ] 434 }, 435 "excludes": {} 436 }, 437 { 438 "names": [ 439 "arch_prctl" 440 ], 441 "action": "SCMP_ACT_ALLOW", 442 "args": [], 443 "comment": "", 444 "includes": { 445 "arches": [ 446 "amd64", 447 "x32" 448 ] 449 }, 450 "excludes": {} 451 }, 452 { 453 "names": [ 454 "modify_ldt" 455 ], 456 "action": "SCMP_ACT_ALLOW", 457 "args": [], 458 "comment": "", 459 "includes": { 460 "arches": [ 461 "amd64", 462 "x32", 463 "x86" 464 ] 465 }, 466 "excludes": {} 467 }, 468 { 469 "names": [ 470 "s390_pci_mmio_read", 471 "s390_pci_mmio_write", 472 "s390_runtime_instr" 473 ], 474 "action": "SCMP_ACT_ALLOW", 475 "args": [], 476 "comment": "", 477 "includes": { 478 "arches": [ 479 "s390", 480 "s390x" 481 ] 482 }, 483 "excludes": {} 484 }, 485 { 486 "names": [ 487 "open_by_handle_at" 488 ], 489 "action": "SCMP_ACT_ALLOW", 490 "args": [], 491 "comment": "", 
492 "includes": { 493 "caps": [ 494 "CAP_DAC_READ_SEARCH" 495 ] 496 }, 497 "excludes": {} 498 }, 499 { 500 "names": [ 501 "bpf", 502 "clone", 503 "fanotify_init", 504 "lookup_dcookie", 505 "mount", 506 "name_to_handle_at", 507 "perf_event_open", 508 "setdomainname", 509 "sethostname", 510 "setns", 511 "umount", 512 "umount2", 513 "unshare" 514 ], 515 "action": "SCMP_ACT_ALLOW", 516 "args": [], 517 "comment": "", 518 "includes": { 519 "caps": [ 520 "CAP_SYS_ADMIN" 521 ] 522 }, 523 "excludes": {} 524 }, 525 { 526 "names": [ 527 "clone" 528 ], 529 "action": "SCMP_ACT_ALLOW", 530 "args": [ 531 { 532 "index": 0, 533 "value": 2080505856, 534 "valueTwo": 0, 535 "op": "SCMP_CMP_MASKED_EQ" 536 } 537 ], 538 "comment": "", 539 "includes": {}, 540 "excludes": { 541 "caps": [ 542 "CAP_SYS_ADMIN" 543 ], 544 "arches": [ 545 "s390", 546 "s390x" 547 ] 548 } 549 }, 550 { 551 "names": [ 552 "clone" 553 ], 554 "action": "SCMP_ACT_ALLOW", 555 "args": [ 556 { 557 "index": 1, 558 "value": 2080505856, 559 "valueTwo": 0, 560 "op": "SCMP_CMP_MASKED_EQ" 561 } 562 ], 563 "comment": "s390 parameter ordering for clone is different: flags are the second argument, so the mask is compared against index 1 instead of index 0", 564 "includes": { 565 "arches": [ 566 "s390", 567 "s390x" 568 ] 569 }, 570 "excludes": { 571 "caps": [ 572 "CAP_SYS_ADMIN" 573 ] 574 } 575 }, 576 { 577 "names": [ 578 "reboot" 579 ], 580 "action": "SCMP_ACT_ALLOW", 581 "args": [], 582 "comment": "", 583 "includes": { 584 "caps": [ 585 "CAP_SYS_BOOT" 586 ] 587 }, 588 "excludes": {} 589 }, 590 { 591 "names": [ 592 "chroot" 593 ], 594 "action": "SCMP_ACT_ALLOW", 595 "args": [], 596 "comment": "", 597 "includes": { 598 "caps": [ 599 "CAP_SYS_CHROOT" 600 ] 601 }, 602 "excludes": {} 603 }, 604 { 605 "names": [ 606 "delete_module", 607 "init_module", 608 "finit_module", 609 "query_module" 610 ], 611 "action": "SCMP_ACT_ALLOW", 612 "args": [], 613 "comment": "", 614 "includes": { 615 "caps": [ 616 "CAP_SYS_MODULE" 617 ] 618 }, 619 "excludes": {} 620 }, 621 { 622 "names": [ 623 "acct" 624 ], 625 "action": "SCMP_ACT_ALLOW", 
626 "args": [], 627 "comment": "", 628 "includes": { 629 "caps": [ 630 "CAP_SYS_PACCT" 631 ] 632 }, 633 "excludes": {} 634 }, 635 { 636 "names": [ 637 "kcmp", 638 "process_vm_readv", 639 "process_vm_writev", 640 "ptrace" 641 ], 642 "action": "SCMP_ACT_ALLOW", 643 "args": [], 644 "comment": "", 645 "includes": { 646 "caps": [ 647 "CAP_SYS_PTRACE" 648 ] 649 }, 650 "excludes": {} 651 }, 652 { 653 "names": [ 654 "iopl", 655 "ioperm" 656 ], 657 "action": "SCMP_ACT_ALLOW", 658 "args": [], 659 "comment": "", 660 "includes": { 661 "caps": [ 662 "CAP_SYS_RAWIO" 663 ] 664 }, 665 "excludes": {} 666 }, 667 { 668 "names": [ 669 "settimeofday", 670 "stime", 671 "adjtimex" 672 ], 673 "action": "SCMP_ACT_ALLOW", 674 "args": [], 675 "comment": "", 676 "includes": { 677 "caps": [ 678 "CAP_SYS_TIME" 679 ] 680 }, 681 "excludes": {} 682 }, 683 { 684 "names": [ 685 "vhangup" 686 ], 687 "action": "SCMP_ACT_ALLOW", 688 "args": [], 689 "comment": "", 690 "includes": { 691 "caps": [ 692 "CAP_SYS_TTY_CONFIG" 693 ] 694 }, 695 "excludes": {} 696 } 697 ] 698 }