// +build seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile: for each
// native architecture, the compatibility (sub-)architectures whose syscall
// tables the same filter must also cover, e.g. 32-bit x86 and x32 on x86_64.
func arches() []Architecture {
	// entry builds one Architecture from a native arch and its sub-arches.
	entry := func(native specs.Arch, subs ...specs.Arch) Architecture {
		return Architecture{Arch: native, SubArches: subs}
	}
	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile() *Seccomp {
	// The profile is an allow-list: every rule below carries ActAllow, and
	// anything that matches no rule falls through to the DefaultAction
	// (ActErrno) set in the returned Seccomp, i.e. the call fails with an
	// errno instead of being executed. Rules carry optional Includes/Excludes
	// filters (capabilities, architectures, minimum kernel version); how those
	// filters are evaluated against a container's configuration is not part of
	// this file.
	syscalls := []*Syscall{
		// Baseline: syscalls allowed for every container regardless of
		// capabilities, architecture or kernel version.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"accept",
					"accept4",
					"access",
					"adjtimex",
					"alarm",
					"bind",
					"brk",
					"capget",
					"capset",
					"chdir",
					"chmod",
					"chown",
					"chown32",
					"clock_adjtime",
					"clock_adjtime64",
					"clock_getres",
					"clock_getres_time64",
					"clock_gettime",
					"clock_gettime64",
					"clock_nanosleep",
					"clock_nanosleep_time64",
					"close",
					"close_range",
					"connect",
					"copy_file_range",
					"creat",
					"dup",
					"dup2",
					"dup3",
					"epoll_create",
					"epoll_create1",
					"epoll_ctl",
					"epoll_ctl_old",
					"epoll_pwait",
					"epoll_pwait2",
					"epoll_wait",
					"epoll_wait_old",
					"eventfd",
					"eventfd2",
					"execve",
					"execveat",
					"exit",
					"exit_group",
					"faccessat",
					"faccessat2",
					"fadvise64",
					"fadvise64_64",
					"fallocate",
					"fanotify_mark",
					"fchdir",
					"fchmod",
					"fchmodat",
					"fchown",
					"fchown32",
					"fchownat",
					"fcntl",
					"fcntl64",
					"fdatasync",
					"fgetxattr",
					"flistxattr",
					"flock",
					"fork",
					"fremovexattr",
					"fsetxattr",
					"fstat",
					"fstat64",
					"fstatat64",
					"fstatfs",
					"fstatfs64",
					"fsync",
					"ftruncate",
					"ftruncate64",
					"futex",
					"futex_time64",
					"futimesat",
					"getcpu",
					"getcwd",
					"getdents",
					"getdents64",
					"getegid",
					"getegid32",
					"geteuid",
					"geteuid32",
					"getgid",
					"getgid32",
					"getgroups",
					"getgroups32",
					"getitimer",
					"getpeername",
					"getpgid",
					"getpgrp",
					"getpid",
					"getppid",
					"getpriority",
					"getrandom",
					"getresgid",
					"getresgid32",
					"getresuid",
					"getresuid32",
					"getrlimit",
					"get_robust_list",
					"getrusage",
					"getsid",
					"getsockname",
					"getsockopt",
					"get_thread_area",
					"gettid",
					"gettimeofday",
					"getuid",
					"getuid32",
					"getxattr",
					"inotify_add_watch",
					"inotify_init",
					"inotify_init1",
					"inotify_rm_watch",
					"io_cancel",
					"ioctl",
					"io_destroy",
					"io_getevents",
					"io_pgetevents",
					"io_pgetevents_time64",
					"ioprio_get",
					"ioprio_set",
					"io_setup",
					"io_submit",
					"io_uring_enter",
					"io_uring_register",
					"io_uring_setup",
					"ipc",
					"kill",
					"lchown",
					"lchown32",
					"lgetxattr",
					"link",
					"linkat",
					"listen",
					"listxattr",
					"llistxattr",
					"_llseek",
					"lremovexattr",
					"lseek",
					"lsetxattr",
					"lstat",
					"lstat64",
					"madvise",
					"membarrier",
					"memfd_create",
					"mincore",
					"mkdir",
					"mkdirat",
					"mknod",
					"mknodat",
					"mlock",
					"mlock2",
					"mlockall",
					"mmap",
					"mmap2",
					"mprotect",
					"mq_getsetattr",
					"mq_notify",
					"mq_open",
					"mq_timedreceive",
					"mq_timedreceive_time64",
					"mq_timedsend",
					"mq_timedsend_time64",
					"mq_unlink",
					"mremap",
					"msgctl",
					"msgget",
					"msgrcv",
					"msgsnd",
					"msync",
					"munlock",
					"munlockall",
					"munmap",
					"nanosleep",
					"newfstatat",
					"_newselect",
					"open",
					"openat",
					"openat2",
					"pause",
					"pidfd_open",
					"pidfd_send_signal",
					"pipe",
					"pipe2",
					"poll",
					"ppoll",
					"ppoll_time64",
					"prctl",
					"pread64",
					"preadv",
					"preadv2",
					"prlimit64",
					"pselect6",
					"pselect6_time64",
					"pwrite64",
					"pwritev",
					"pwritev2",
					"read",
					"readahead",
					"readlink",
					"readlinkat",
					"readv",
					"recv",
					"recvfrom",
					"recvmmsg",
					"recvmmsg_time64",
					"recvmsg",
					"remap_file_pages",
					"removexattr",
					"rename",
					"renameat",
					"renameat2",
					"restart_syscall",
					"rmdir",
					"rseq",
					"rt_sigaction",
					"rt_sigpending",
					"rt_sigprocmask",
					"rt_sigqueueinfo",
					"rt_sigreturn",
					"rt_sigsuspend",
					"rt_sigtimedwait",
					"rt_sigtimedwait_time64",
					"rt_tgsigqueueinfo",
					"sched_getaffinity",
					"sched_getattr",
					"sched_getparam",
					"sched_get_priority_max",
					"sched_get_priority_min",
					"sched_getscheduler",
					"sched_rr_get_interval",
					"sched_rr_get_interval_time64",
					"sched_setaffinity",
					"sched_setattr",
					"sched_setparam",
					"sched_setscheduler",
					"sched_yield",
					"seccomp",
					"select",
					"semctl",
					"semget",
					"semop",
					"semtimedop",
					"semtimedop_time64",
					"send",
					"sendfile",
					"sendfile64",
					"sendmmsg",
					"sendmsg",
					"sendto",
					"setfsgid",
					"setfsgid32",
					"setfsuid",
					"setfsuid32",
					"setgid",
					"setgid32",
					"setgroups",
					"setgroups32",
					"setitimer",
					"setpgid",
					"setpriority",
					"setregid",
					"setregid32",
					"setresgid",
					"setresgid32",
					"setresuid",
					"setresuid32",
					"setreuid",
					"setreuid32",
					"setrlimit",
					"set_robust_list",
					"setsid",
					"setsockopt",
					"set_thread_area",
					"set_tid_address",
					"setuid",
					"setuid32",
					"setxattr",
					"shmat",
					"shmctl",
					"shmdt",
					"shmget",
					"shutdown",
					"sigaltstack",
					"signalfd",
					"signalfd4",
					"sigprocmask",
					"sigreturn",
					"socket",
					"socketcall",
					"socketpair",
					"splice",
					"stat",
					"stat64",
					"statfs",
					"statfs64",
					"statx",
					"symlink",
					"symlinkat",
					"sync",
					"sync_file_range",
					"syncfs",
					"sysinfo",
					"tee",
					"tgkill",
					"time",
					"timer_create",
					"timer_delete",
					"timer_getoverrun",
					"timer_gettime",
					"timer_gettime64",
					"timer_settime",
					"timer_settime64",
					"timerfd_create",
					"timerfd_gettime",
					"timerfd_gettime64",
					"timerfd_settime",
					"timerfd_settime64",
					"times",
					"tkill",
					"truncate",
					"truncate64",
					"ugetrlimit",
					"umask",
					"uname",
					"unlink",
					"unlinkat",
					"utime",
					"utimensat",
					"utimensat_time64",
					"utimes",
					"vfork",
					"vmsplice",
					"wait4",
					"waitid",
					"waitpid",
					"write",
					"writev",
				},
				Action: specs.ActAllow,
			},
		},
		// ptrace and the process_vm_* calls are allowed without any
		// capability only on kernels >= 4.8 (MinKernel); on older kernels they
		// are still reachable via the CAP_SYS_PTRACE rule further down.
		// NOTE(review): presumably gated on 4.8 because earlier kernels let a
		// tracer rewrite syscall arguments after the seccomp check — confirm
		// against the upstream rationale.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality(2) is only allowed for an explicit set of argument
		// values; any other persona (including ones that alter address-space
		// layout) is refused by DefaultAction. Per the kernel's
		// include/uapi/linux/personality.h: 0x0 is PER_LINUX.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x0008 is PER_LINUX32.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x20000 is UNAME26 (report a 2.6.x kernel version from uname).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20000,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x20008 is UNAME26 | PER_LINUX32.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0xffffffff queries the current persona without changing it.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0xffffffff,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// Architecture-specific syscalls, each limited by an Arches filter.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"sync_file_range2",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arm_fadvise64_64",
					"arm_sync_file_range",
					"sync_file_range2",
					"breakpoint",
					"cacheflush",
					"set_tls",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arch_prctl",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"modify_ldt",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"s390_pci_mmio_read",
					"s390_pci_mmio_write",
					"s390_runtime_instr",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each rule applies only when the
		// container is granted the listed capability (Caps filter), so
		// dropping a capability also removes the matching syscalls.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"open_by_handle_at",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// With CAP_SYS_ADMIN, clone is allowed with any flags (see the
		// masked clone rules below for the unprivileged case).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"bpf",
					"clone",
					"fanotify_init",
					"fsconfig",
					"fsmount",
					"fsopen",
					"fspick",
					"lookup_dcookie",
					"mount",
					"move_mount",
					"name_to_handle_at",
					"open_tree",
					"perf_event_open",
					"quotactl",
					"setdomainname",
					"sethostname",
					"setns",
					"syslog",
					"umount",
					"umount2",
					"unshare",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Unprivileged clone: OpMaskedEqual with ValueTwo 0 means the call is
		// allowed only when (flags & mask) == 0, i.e. none of the
		// namespace-creating CLONE_NEW* bits are set. CAP_SYS_ADMIN holders
		// are excluded because the rule above already covers them; s390 is
		// excluded because its flags live in a different argument (next rule).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    0,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Excludes: &Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same mask as above, but on s390/s390x the flags argument is at
		// index 1 rather than 0.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    1,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"reboot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"chroot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"delete_module",
					"init_module",
					"finit_module",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"acct",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// Tracing/introspection of other processes; ptrace and process_vm_*
		// also appear in the MinKernel 4.8 rule above, so this rule matters
		// for older kernels and for kcmp/pidfd_getfd/process_madvise.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"kcmp",
					"pidfd_getfd",
					"process_madvise",
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"iopl",
					"ioperm",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"settimeofday",
					"stime",
					"clock_settime",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"vhangup",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"get_mempolicy",
					"mbind",
					"set_mempolicy",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// syslog is reachable with either CAP_SYSLOG (here) or CAP_SYS_ADMIN
		// (above).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"syslog",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// ActErrno is the catch-all: unmatched syscalls fail with an errno rather
	// than killing the process, and ArchMap ties the rules to every
	// architecture (and sub-architecture) from arches().
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}