github.com/jiasir/docker@v1.3.3-0.20170609024000-252e610103e7/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "alarm", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 
"futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "preadv2", 227 "prlimit64", 228 "pselect6", 229 "pwrite64", 230 "pwritev", 231 "pwritev2", 232 "read", 233 "readahead", 234 "readlink", 235 "readlinkat", 236 "readv", 237 "recv", 238 "recvfrom", 239 "recvmmsg", 240 "recvmsg", 241 "remap_file_pages", 242 "removexattr", 243 
"rename", 244 "renameat", 245 "renameat2", 246 "restart_syscall", 247 "rmdir", 248 "rt_sigaction", 249 "rt_sigpending", 250 "rt_sigprocmask", 251 "rt_sigqueueinfo", 252 "rt_sigreturn", 253 "rt_sigsuspend", 254 "rt_sigtimedwait", 255 "rt_tgsigqueueinfo", 256 "sched_getaffinity", 257 "sched_getattr", 258 "sched_getparam", 259 "sched_get_priority_max", 260 "sched_get_priority_min", 261 "sched_getscheduler", 262 "sched_rr_get_interval", 263 "sched_setaffinity", 264 "sched_setattr", 265 "sched_setparam", 266 "sched_setscheduler", 267 "sched_yield", 268 "seccomp", 269 "select", 270 "semctl", 271 "semget", 272 "semop", 273 "semtimedop", 274 "send", 275 "sendfile", 276 "sendfile64", 277 "sendmmsg", 278 "sendmsg", 279 "sendto", 280 "setfsgid", 281 "setfsgid32", 282 "setfsuid", 283 "setfsuid32", 284 "setgid", 285 "setgid32", 286 "setgroups", 287 "setgroups32", 288 "setitimer", 289 "setpgid", 290 "setpriority", 291 "setregid", 292 "setregid32", 293 "setresgid", 294 "setresgid32", 295 "setresuid", 296 "setresuid32", 297 "setreuid", 298 "setreuid32", 299 "setrlimit", 300 "set_robust_list", 301 "setsid", 302 "setsockopt", 303 "set_thread_area", 304 "set_tid_address", 305 "setuid", 306 "setuid32", 307 "setxattr", 308 "shmat", 309 "shmctl", 310 "shmdt", 311 "shmget", 312 "shutdown", 313 "sigaltstack", 314 "signalfd", 315 "signalfd4", 316 "sigreturn", 317 "socket", 318 "socketcall", 319 "socketpair", 320 "splice", 321 "stat", 322 "stat64", 323 "statfs", 324 "statfs64", 325 "symlink", 326 "symlinkat", 327 "sync", 328 "sync_file_range", 329 "syncfs", 330 "sysinfo", 331 "syslog", 332 "tee", 333 "tgkill", 334 "time", 335 "timer_create", 336 "timer_delete", 337 "timerfd_create", 338 "timerfd_gettime", 339 "timerfd_settime", 340 "timer_getoverrun", 341 "timer_gettime", 342 "timer_settime", 343 "times", 344 "tkill", 345 "truncate", 346 "truncate64", 347 "ugetrlimit", 348 "umask", 349 "uname", 350 "unlink", 351 "unlinkat", 352 "utime", 353 "utimensat", 354 "utimes", 355 "vfork", 356 
"vmsplice", 357 "wait4", 358 "waitid", 359 "waitpid", 360 "write", 361 "writev" 362 ], 363 "action": "SCMP_ACT_ALLOW", 364 "args": [], 365 "comment": "", 366 "includes": {}, 367 "excludes": {} 368 }, 369 { 370 "names": [ 371 "personality" 372 ], 373 "action": "SCMP_ACT_ALLOW", 374 "args": [ 375 { 376 "index": 0, 377 "value": 0, 378 "valueTwo": 0, 379 "op": "SCMP_CMP_EQ" 380 } 381 ], 382 "comment": "personality(PER_LINUX): 0 is the default persona in <linux/personality.h>; any other persona value is rejected by the default SCMP_ACT_ERRNO", 383 "includes": {}, 384 "excludes": {} 385 }, 386 { 387 "names": [ 388 "personality" 389 ], 390 "action": "SCMP_ACT_ALLOW", 391 "args": [ 392 { 393 "index": 0, 394 "value": 8, 395 "valueTwo": 0, 396 "op": "SCMP_CMP_EQ" 397 } 398 ], 399 "comment": "personality(PER_LINUX32): 8 == 0x0008 in <linux/personality.h>, used to run 32-bit userland on a 64-bit kernel", 400 "includes": {}, 401 "excludes": {} 402 }, 403 { 404 "names": [ 405 "personality" 406 ], 407 "action": "SCMP_ACT_ALLOW", 408 "args": [ 409 { 410 "index": 0, 411 "value": 131072, 412 "valueTwo": 0, 413 "op": "SCMP_CMP_EQ" 414 } 415 ], 416 "comment": "personality(UNAME26): 131072 == 0x0020000 in <linux/personality.h>, makes uname(2) report a 2.6.x kernel version for legacy software", 417 "includes": {}, 418 "excludes": {} 419 }, 420 { 421 "names": [ 422 "personality" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [ 426 { 427 "index": 0, 428 "value": 131080, 429 "valueTwo": 0, 430 "op": "SCMP_CMP_EQ" 431 } 432 ], 433 "comment": "personality(PER_LINUX32 | UNAME26): 131080 == 0x0020008, the combination of the two values allowed above", 434 "includes": {}, 435 "excludes": {} 436 }, 437 { 438 "names": [ 439 "personality" 440 ], 441 "action": "SCMP_ACT_ALLOW", 442 "args": [ 443 { 444 "index": 0, 445 "value": 4294967295, 446 "valueTwo": 0, 447 "op": "SCMP_CMP_EQ" 448 } 449 ], 450 "comment": "personality(0xffffffff): 4294967295 queries the current persona without changing it", 451 "includes": {}, 452 "excludes": {} 453 }, 454 { 455 "names": [ 456 "sync_file_range2" 457 ], 458 "action": "SCMP_ACT_ALLOW", 459 "args": [], 460 "comment": "", 461 "includes": { 462 "arches": [ 463 "ppc64le" 464 ] 465 }, 466 "excludes": {} 467 }, 468 { 469 "names": [ 470 "arm_fadvise64_64", 471 "arm_sync_file_range", 472 "sync_file_range2", 473 "breakpoint", 474 "cacheflush", 475 "set_tls" 476 ], 477 "action": "SCMP_ACT_ALLOW", 478 "args": [], 479 "comment": "", 480 "includes": { 481 "arches": [ 482 "arm", 483 "arm64" 484 ] 485 }, 486 "excludes": {} 487 }, 488 
{ 489 "names": [ 490 "arch_prctl" 491 ], 492 "action": "SCMP_ACT_ALLOW", 493 "args": [], 494 "comment": "", 495 "includes": { 496 "arches": [ 497 "amd64", 498 "x32" 499 ] 500 }, 501 "excludes": {} 502 }, 503 { 504 "names": [ 505 "modify_ldt" 506 ], 507 "action": "SCMP_ACT_ALLOW", 508 "args": [], 509 "comment": "", 510 "includes": { 511 "arches": [ 512 "amd64", 513 "x32", 514 "x86" 515 ] 516 }, 517 "excludes": {} 518 }, 519 { 520 "names": [ 521 "s390_pci_mmio_read", 522 "s390_pci_mmio_write", 523 "s390_runtime_instr" 524 ], 525 "action": "SCMP_ACT_ALLOW", 526 "args": [], 527 "comment": "", 528 "includes": { 529 "arches": [ 530 "s390", 531 "s390x" 532 ] 533 }, 534 "excludes": {} 535 }, 536 { 537 "names": [ 538 "open_by_handle_at" 539 ], 540 "action": "SCMP_ACT_ALLOW", 541 "args": [], 542 "comment": "open_by_handle_at opens a file from a raw handle, bypassing path lookup; it is only reachable when the container already holds CAP_DAC_READ_SEARCH, which the kernel itself requires for this call", 543 "includes": { 544 "caps": [ 545 "CAP_DAC_READ_SEARCH" 546 ] 547 }, 548 "excludes": {} 549 }, 550 { 551 "names": [ 552 "bpf", 553 "clone", 554 "fanotify_init", 555 "lookup_dcookie", 556 "mount", 557 "name_to_handle_at", 558 "perf_event_open", 559 "setdomainname", 560 "sethostname", 561 "setns", 562 "umount", 563 "umount2", 564 "unshare" 565 ], 566 "action": "SCMP_ACT_ALLOW", 567 "args": [], 568 "comment": "unrestricted clone (including namespace-creating flags) is only granted together with CAP_SYS_ADMIN; without it the argument-filtered clone rules below apply", 569 "includes": { 570 "caps": [ 571 "CAP_SYS_ADMIN" 572 ] 573 }, 574 "excludes": {} 575 }, 576 { 577 "names": [ 578 "clone" 579 ], 580 "action": "SCMP_ACT_ALLOW", 581 "args": [ 582 { 583 "index": 0, 584 "value": 2080505856, 585 "valueTwo": 0, 586 "op": "SCMP_CMP_MASKED_EQ" 587 } 588 ], 589 "comment": "2080505856 == 0x7C020000, the mask CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET; SCMP_CMP_MASKED_EQ with valueTwo 0 allows clone only when (flags & mask) == 0, i.e. no new namespace is created. flags is arg index 0 on every arch except s390/s390x, which have their own rule", 590 "includes": {}, 591 "excludes": { 592 "caps": [ 593 "CAP_SYS_ADMIN" 594 ], 595 "arches": [ 596 "s390", 597 "s390x" 598 ] 599 } 600 }, 601 { 602 "names": [ 603 "clone" 604 ], 605 "action": "SCMP_ACT_ALLOW", 606 "args": [ 607 { 608 "index": 1, 609 "value": 2080505856, 610 "valueTwo": 0, 611 "op": "SCMP_CMP_MASKED_EQ" 612 } 613 ], 614 "comment": "same namespace-flag mask (0x7C020000) as the generic clone rule, but checked on arg index 1: on s390/s390x the clone flags are the second syscall parameter, not the first", 615 "includes": { 616 "arches": [ 617 "s390", 618 "s390x" 619 ] 
620 }, 621 "excludes": { 622 "caps": [ 623 "CAP_SYS_ADMIN" 624 ] 625 } 626 }, 627 { 628 "names": [ 629 "reboot" 630 ], 631 "action": "SCMP_ACT_ALLOW", 632 "args": [], 633 "comment": "", 634 "includes": { 635 "caps": [ 636 "CAP_SYS_BOOT" 637 ] 638 }, 639 "excludes": {} 640 }, 641 { 642 "names": [ 643 "chroot" 644 ], 645 "action": "SCMP_ACT_ALLOW", 646 "args": [], 647 "comment": "", 648 "includes": { 649 "caps": [ 650 "CAP_SYS_CHROOT" 651 ] 652 }, 653 "excludes": {} 654 }, 655 { 656 "names": [ 657 "delete_module", 658 "init_module", 659 "finit_module", 660 "query_module" 661 ], 662 "action": "SCMP_ACT_ALLOW", 663 "args": [], 664 "comment": "", 665 "includes": { 666 "caps": [ 667 "CAP_SYS_MODULE" 668 ] 669 }, 670 "excludes": {} 671 }, 672 { 673 "names": [ 674 "acct" 675 ], 676 "action": "SCMP_ACT_ALLOW", 677 "args": [], 678 "comment": "", 679 "includes": { 680 "caps": [ 681 "CAP_SYS_PACCT" 682 ] 683 }, 684 "excludes": {} 685 }, 686 { 687 "names": [ 688 "kcmp", 689 "process_vm_readv", 690 "process_vm_writev", 691 "ptrace" 692 ], 693 "action": "SCMP_ACT_ALLOW", 694 "args": [], 695 "comment": "", 696 "includes": { 697 "caps": [ 698 "CAP_SYS_PTRACE" 699 ] 700 }, 701 "excludes": {} 702 }, 703 { 704 "names": [ 705 "iopl", 706 "ioperm" 707 ], 708 "action": "SCMP_ACT_ALLOW", 709 "args": [], 710 "comment": "", 711 "includes": { 712 "caps": [ 713 "CAP_SYS_RAWIO" 714 ] 715 }, 716 "excludes": {} 717 }, 718 { 719 "names": [ 720 "settimeofday", 721 "stime", 722 "adjtimex", 723 "clock_settime" 724 ], 725 "action": "SCMP_ACT_ALLOW", 726 "args": [], 727 "comment": "", 728 "includes": { 729 "caps": [ 730 "CAP_SYS_TIME" 731 ] 732 }, 733 "excludes": {} 734 }, 735 { 736 "names": [ 737 "vhangup" 738 ], 739 "action": "SCMP_ACT_ALLOW", 740 "args": [], 741 "comment": "", 742 "includes": { 743 "caps": [ 744 "CAP_SYS_TTY_CONFIG" 745 ] 746 }, 747 "excludes": {} 748 } 749 ] 750 }