github.com/jfrazelle/docker@v1.1.2-0.20210712172922-bf78e25fe508/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "close_range", 78 "connect", 79 "copy_file_range", 80 "creat", 81 "dup", 82 "dup2", 83 "dup3", 84 "epoll_create", 85 "epoll_create1", 86 "epoll_ctl", 87 "epoll_ctl_old", 88 "epoll_pwait", 89 "epoll_pwait2", 90 "epoll_wait", 91 "epoll_wait_old", 92 "eventfd", 93 "eventfd2", 94 "execve", 95 "execveat", 96 "exit", 97 "exit_group", 98 "faccessat", 99 "faccessat2", 100 "fadvise64", 101 "fadvise64_64", 102 "fallocate", 103 "fanotify_mark", 104 "fchdir", 105 "fchmod", 106 "fchmodat", 107 "fchown", 108 "fchown32", 109 "fchownat", 110 "fcntl", 111 "fcntl64", 112 "fdatasync", 113 "fgetxattr", 114 "flistxattr", 115 "flock", 116 "fork", 117 "fremovexattr", 118 "fsetxattr", 119 "fstat", 120 "fstat64", 121 "fstatat64", 122 "fstatfs", 123 "fstatfs64", 124 "fsync", 125 "ftruncate", 126 "ftruncate64", 127 "futex", 128 "futex_time64", 129 "futimesat", 130 "getcpu", 131 "getcwd", 132 "getdents", 133 "getdents64", 134 "getegid", 135 "getegid32", 136 "geteuid", 137 "geteuid32", 138 "getgid", 139 "getgid32", 140 "getgroups", 141 "getgroups32", 142 "getitimer", 143 "getpeername", 144 "getpgid", 145 "getpgrp", 146 "getpid", 147 "getppid", 148 "getpriority", 149 "getrandom", 150 "getresgid", 151 "getresgid32", 152 "getresuid", 153 "getresuid32", 154 "getrlimit", 155 "get_robust_list", 156 "getrusage", 157 "getsid", 158 "getsockname", 159 "getsockopt", 160 "get_thread_area", 161 "gettid", 162 "gettimeofday", 163 "getuid", 164 "getuid32", 165 "getxattr", 166 "inotify_add_watch", 167 "inotify_init", 168 "inotify_init1", 169 "inotify_rm_watch", 170 "io_cancel", 171 "ioctl", 172 "io_destroy", 173 "io_getevents", 174 "io_pgetevents", 175 "io_pgetevents_time64", 176 "ioprio_get", 177 "ioprio_set", 178 "io_setup", 179 "io_submit", 180 "io_uring_enter", 181 "io_uring_register", 182 "io_uring_setup", 183 "ipc", 184 "kill", 185 "lchown", 186 "lchown32", 187 "lgetxattr", 188 "link", 189 "linkat", 190 "listen", 191 "listxattr", 192 "llistxattr", 193 "_llseek", 194 "lremovexattr", 195 "lseek", 196 "lsetxattr", 197 "lstat", 198 "lstat64", 199 "madvise", 200 "membarrier", 201 "memfd_create", 202 "mincore", 203 "mkdir", 204 "mkdirat", 205 "mknod", 206 "mknodat", 207 "mlock", 208 "mlock2", 209 "mlockall", 210 "mmap", 211 "mmap2", 212 "mprotect", 213 "mq_getsetattr", 214 "mq_notify", 215 "mq_open", 216 "mq_timedreceive", 217 "mq_timedreceive_time64", 218 "mq_timedsend", 219 "mq_timedsend_time64", 220 "mq_unlink", 221 "mremap", 222 "msgctl", 223 "msgget", 224 "msgrcv", 225 "msgsnd", 226 "msync", 227 "munlock", 228 "munlockall", 229 "munmap", 230 "nanosleep", 231 "newfstatat", 232 "_newselect", 233 "open", 234 "openat", 235 "openat2", 236 "pause", 237 "pidfd_open", 238 "pidfd_send_signal", 239 "pipe", 240 "pipe2", 241 "poll", 242 "ppoll", 243 "ppoll_time64", 244 "prctl", 245 "pread64", 246 "preadv", 247 "preadv2", 248 "prlimit64", 249 "pselect6", 250 "pselect6_time64", 251 "pwrite64", 252 "pwritev", 253 "pwritev2", 254 "read", 255 "readahead", 256 "readlink", 257 "readlinkat", 258 "readv", 259 "recv", 260 "recvfrom", 261 "recvmmsg", 262 "recvmmsg_time64", 263 "recvmsg", 264 "remap_file_pages", 265 "removexattr", 266 "rename", 267 "renameat", 268 "renameat2", 269 "restart_syscall", 270 "rmdir", 271 "rseq", 272 "rt_sigaction", 273 "rt_sigpending", 274 "rt_sigprocmask", 275 "rt_sigqueueinfo", 276 "rt_sigreturn", 277 "rt_sigsuspend", 278 "rt_sigtimedwait", 279 "rt_sigtimedwait_time64", 280 "rt_tgsigqueueinfo", 281 "sched_getaffinity", 282 "sched_getattr", 283 "sched_getparam", 284 "sched_get_priority_max", 285 "sched_get_priority_min", 286 "sched_getscheduler", 287 "sched_rr_get_interval", 288 "sched_rr_get_interval_time64", 289 "sched_setaffinity", 290 "sched_setattr", 291 "sched_setparam", 292 "sched_setscheduler", 293 "sched_yield", 294 "seccomp", 295 "select", 296 "semctl", 297 "semget", 298 "semop", 299 "semtimedop", 300 "semtimedop_time64", 301 "send", 302 "sendfile", 303 "sendfile64", 304 "sendmmsg", 305 "sendmsg", 306 "sendto", 307 "setfsgid", 308 "setfsgid32", 309 "setfsuid", 310 "setfsuid32", 311 "setgid", 312 "setgid32", 313 "setgroups", 314 "setgroups32", 315 "setitimer", 316 "setpgid", 317 "setpriority", 318 "setregid", 319 "setregid32", 320 "setresgid", 321 "setresgid32", 322 "setresuid", 323 "setresuid32", 324 "setreuid", 325 "setreuid32", 326 "setrlimit", 327 "set_robust_list", 328 "setsid", 329 "setsockopt", 330 "set_thread_area", 331 "set_tid_address", 332 "setuid", 333 "setuid32", 334 "setxattr", 335 "shmat", 336 "shmctl", 337 "shmdt", 338 "shmget", 339 "shutdown", 340 "sigaltstack", 341 "signalfd", 342 "signalfd4", 343 "sigprocmask", 344 "sigreturn", 345 "socket", 346 "socketcall", 347 "socketpair", 348 "splice", 349 "stat", 350 "stat64", 351 "statfs", 352 "statfs64", 353 "statx", 354 "symlink", 355 "symlinkat", 356 "sync", 357 "sync_file_range", 358 "syncfs", 359 "sysinfo", 360 "tee", 361 "tgkill", 362 "time", 363 "timer_create", 364 "timer_delete", 365 "timer_getoverrun", 366 "timer_gettime", 367 "timer_gettime64", 368 "timer_settime", 369 "timer_settime64", 370 "timerfd_create", 371 "timerfd_gettime", 372 "timerfd_gettime64", 373 "timerfd_settime", 374 "timerfd_settime64", 375 "times", 376 "tkill", 377 "truncate", 378 "truncate64", 379 "ugetrlimit", 380 "umask", 381 "uname", 382 "unlink", 383 "unlinkat", 384 "utime", 385 "utimensat", 386 "utimensat_time64", 387 "utimes", 388 "vfork", 389 "vmsplice", 390 "wait4", 391 "waitid", 392 "waitpid", 393 "write", 394 "writev" 395 ], 396 "action": "SCMP_ACT_ALLOW" 397 }, 398 { 399 "names": [ 400 "process_vm_readv", 401 "process_vm_writev", 402 "ptrace" 403 ], 404 "action": "SCMP_ACT_ALLOW", 405 "includes": { 406 "minKernel": "4.8" 407 } 408 }, 409 { 410 "names": [ 411 "personality" 412 ], 413 "action": "SCMP_ACT_ALLOW", 414 "args": [ 415 { 416 "index": 0, 417 "value": 0, 418 "op": "SCMP_CMP_EQ" 419 } 420 ] 421 }, 422 { 423 "names": [ 424 "personality" 425 ], 426 "action": "SCMP_ACT_ALLOW", 427 "args": [ 428 { 429 "index": 0, 430 "value": 8, 431 "op": "SCMP_CMP_EQ" 432 } 433 ] 434 }, 435 { 436 "names": [ 437 "personality" 438 ], 439 "action": "SCMP_ACT_ALLOW", 440 "args": [ 441 { 442 "index": 0, 443 "value": 131072, 444 "op": "SCMP_CMP_EQ" 445 } 446 ] 447 }, 448 { 449 "names": [ 450 "personality" 451 ], 452 "action": "SCMP_ACT_ALLOW", 453 "args": [ 454 { 455 "index": 0, 456 "value": 131080, 457 "op": "SCMP_CMP_EQ" 458 } 459 ] 460 }, 461 { 462 "names": [ 463 "personality" 464 ], 465 "action": "SCMP_ACT_ALLOW", 466 "args": [ 467 { 468 "index": 0, 469 "value": 4294967295, 470 "op": "SCMP_CMP_EQ" 471 } 472 ] 473 }, 474 { 475 "names": [ 476 "sync_file_range2" 477 ], 478 "action": "SCMP_ACT_ALLOW", 479 "includes": { 480 "arches": [ 481 "ppc64le" 482 ] 483 } 484 }, 485 { 486 "names": [ 487 "arm_fadvise64_64", 488 "arm_sync_file_range", 489 "sync_file_range2", 490 "breakpoint", 491 "cacheflush", 492 "set_tls" 493 ], 494 "action": "SCMP_ACT_ALLOW", 495 "includes": { 496 "arches": [ 497 "arm", 498 "arm64" 499 ] 500 } 501 }, 502 { 503 "names": [ 504 "arch_prctl" 505 ], 506 "action": "SCMP_ACT_ALLOW", 507 "includes": { 508 "arches": [ 509 "amd64", 510 "x32" 511 ] 512 } 513 }, 514 { 515 "names": [ 516 "modify_ldt" 517 ], 518 "action": "SCMP_ACT_ALLOW", 519 "includes": { 520 "arches": [ 521 "amd64", 522 "x32", 523 "x86" 524 ] 525 } 526 }, 527 { 528 "names": [ 529 "s390_pci_mmio_read", 530 "s390_pci_mmio_write", 531 "s390_runtime_instr" 532 ], 533 "action": "SCMP_ACT_ALLOW", 534 "includes": { 535 "arches": [ 536 "s390", 537 "s390x" 538 ] 539 } 540 }, 541 { 542 "names": [ 543 "open_by_handle_at" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "includes": { 547 "caps": [ 548 "CAP_DAC_READ_SEARCH" 549 ] 550 } 551 }, 552 { 553 "names": [ 554 "bpf", 555 "clone", 556 "fanotify_init", 557 "fsconfig", 558 "fsmount", 559 "fsopen", 560 "fspick", 561 "lookup_dcookie", 562 "mount", 563 "move_mount", 564 "name_to_handle_at", 565 "open_tree", 566 "perf_event_open", 567 "quotactl", 568 "setdomainname", 569 "sethostname", 570 "setns", 571 "syslog", 572 "umount", 573 "umount2", 574 "unshare" 575 ], 576 "action": "SCMP_ACT_ALLOW", 577 "includes": { 578 "caps": [ 579 "CAP_SYS_ADMIN" 580 ] 581 } 582 }, 583 { 584 "names": [ 585 "clone" 586 ], 587 "action": "SCMP_ACT_ALLOW", 588 "args": [ 589 { 590 "index": 0, 591 "value": 2114060288, 592 "op": "SCMP_CMP_MASKED_EQ" 593 } 594 ], 595 "excludes": { 596 "caps": [ 597 "CAP_SYS_ADMIN" 598 ], 599 "arches": [ 600 "s390", 601 "s390x" 602 ] 603 } 604 }, 605 { 606 "names": [ 607 "clone" 608 ], 609 "action": "SCMP_ACT_ALLOW", 610 "args": [ 611 { 612 "index": 1, 613 "value": 2114060288, 614 "op": "SCMP_CMP_MASKED_EQ" 615 } 616 ], 617 "comment": "s390 parameter ordering for clone is different", 618 "includes": { 619 "arches": [ 620 "s390", 621 "s390x" 622 ] 623 }, 624 "excludes": { 625 "caps": [ 626 "CAP_SYS_ADMIN" 627 ] 628 } 629 }, 630 { 631 "names": [ 632 "reboot" 633 ], 634 "action": "SCMP_ACT_ALLOW", 635 "includes": { 636 "caps": [ 637 "CAP_SYS_BOOT" 638 ] 639 } 640 }, 641 { 642 "names": [ 643 "chroot" 644 ], 645 "action": "SCMP_ACT_ALLOW", 646 "includes": { 647 "caps": [ 648 "CAP_SYS_CHROOT" 649 ] 650 } 651 }, 652 { 653 "names": [ 654 "delete_module", 655 "init_module", 656 "finit_module" 657 ], 658 "action": "SCMP_ACT_ALLOW", 659 "includes": { 660 "caps": [ 661 "CAP_SYS_MODULE" 662 ] 663 } 664 }, 665 { 666 "names": [ 667 "acct" 668 ], 669 "action": "SCMP_ACT_ALLOW", 670 "includes": { 671 "caps": [ 672 "CAP_SYS_PACCT" 673 ] 674 } 675 }, 676 { 677 "names": [ 678 "kcmp", 679 "pidfd_getfd", 680 "process_madvise", 681 "process_vm_readv", 682 "process_vm_writev", 683 "ptrace" 684 ], 685 "action": "SCMP_ACT_ALLOW", 686 "includes": { 687 "caps": [ 688 "CAP_SYS_PTRACE" 689 ] 690 } 691 }, 692 { 693 "names": [ 694 "iopl", 695 "ioperm" 696 ], 697 "action": "SCMP_ACT_ALLOW", 698 "includes": { 699 "caps": [ 700 "CAP_SYS_RAWIO" 701 ] 702 } 703 }, 704 { 705 "names": [ 706 "settimeofday", 707 "stime", 708 "clock_settime" 709 ], 710 "action": "SCMP_ACT_ALLOW", 711 "includes": { 712 "caps": [ 713 "CAP_SYS_TIME" 714 ] 715 } 716 }, 717 { 718 "names": [ 719 "vhangup" 720 ], 721 "action": "SCMP_ACT_ALLOW", 722 "includes": { 723 "caps": [ 724 "CAP_SYS_TTY_CONFIG" 725 ] 726 } 727 }, 728 { 729 "names": [ 730 "get_mempolicy", 731 "mbind", 732 "set_mempolicy" 733 ], 734 "action": "SCMP_ACT_ALLOW", 735 "includes": { 736 "caps": [ 737 "CAP_SYS_NICE" 738 ] 739 } 740 }, 741 { 742 "names": [ 743 "syslog" 744 ], 745 "action": "SCMP_ACT_ALLOW", 746 "includes": { 747 "caps": [ 748 "CAP_SYSLOG" 749 ] 750 } 751 } 752 ] 753 }