// +build linux,seccomp

package seccomp

import (
	"syscall"

	"github.com/docker/docker/api/types"
)

// arches returns the architecture map used by the default profile: each
// primary architecture is paired with the sub-architectures the same filter
// must also cover, so a rule written once applies to all of them.
func arches() []types.Architecture {
	// arch builds one map entry; the variadic tail becomes SubArches.
	arch := func(primary types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: primary, SubArches: subs}
	}
	return []types.Architecture{
		arch(types.ArchX86_64, types.ArchX86, types.ArchX32),
		arch(types.ArchAARCH64, types.ArchARM),
		arch(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		arch(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		arch(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		arch(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		arch(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
// Only the syscalls listed in its rules are permitted; anything else falls
// through to the profile's DefaultAction (ActErrno), so an unlisted syscall
// fails with an error instead of terminating the process. Several rules are
// gated on a capability (Includes/Excludes.Caps) or on an architecture, so the
// effective whitelist depends on the capabilities the container is started
// with.
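func DefaultProfile() *types.Seccomp {
	// The rules below are a whitelist: a syscall is permitted only if some
	// rule names it (and that rule's Includes/Excludes filters match). The
	// returned profile uses ActErrno as DefaultAction, so everything that is
	// not matched fails with an error rather than killing the process.
	//
	// Args is kept as an empty, non-nil slice on unconditional rules so the
	// rule carries an explicit empty argument list (NOTE(review): presumably
	// consumers serialise this as [] rather than null — confirm before
	// changing it to nil).
	syscalls := []*types.Syscall{
		// Syscalls allowed unconditionally, on every architecture and with
		// no capability requirement.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_gettime",
				"clock_nanosleep",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"prctl",
				"pread64",
				"preadv",
				"prlimit64",
				"pselect6",
				"pwrite64",
				"pwritev",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"syslog",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_settime",
				"timer_getoverrun",
				"timer_gettime",
				"timer_settime",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// personality is only allowed for three exact values of its first
		// argument (0x0, 0x0008 and 0xffffffff — PER_LINUX, PER_LINUX32 and
		// the "query current personality" value per personality(2)); any
		// other persona request falls through to the default action.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, restricted via Includes.Arches so
		// they are only whitelisted where they exist.
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule below is whitelisted only when
		// the container holds the capability named in Includes.Caps, so
		// dropping a capability also removes the matching syscalls.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"setdomainname",
				"sethostname",
				"setns",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when its flags argument
		// has none of the namespace-creation bits set: the masked-equal
		// compare against the CLONE_NEW* mask must yield 0. With
		// CAP_SYS_ADMIN the unrestricted clone rule above applies instead,
		// which is why that capability is excluded here. s390/s390x are
		// excluded because the flags live in a different argument there
		// (handled by the next rule).
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same namespace-flag restriction as above, but checking argument 1,
		// because the clone parameter order differs on s390.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"adjtimex",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
	}

	// ActErrno makes every unlisted syscall return an error to the caller;
	// ArchMap decides which sub-architectures each rule is also applied to.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}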