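// +build linux,seccomp

package seccomp

import (
	"syscall"

	"github.com/docker/docker/api/types"
)

// arches returns the architecture map embedded in the default profile.
// Each entry names a primary seccomp architecture and the sub-architectures
// (compat ABIs) whose syscall tables are also filtered when the profile is
// loaded on that host, so that e.g. 32-bit binaries running under an x86_64
// kernel are not able to bypass the filter by using the i386 or x32 ABI.
func arches() []types.Architecture {
	return []types.Architecture{
		{
			Arch:      types.ArchX86_64,
			SubArches: []types.Arch{types.ArchX86, types.ArchX32},
		},
		{
			Arch:      types.ArchAARCH64,
			SubArches: []types.Arch{types.ArchARM},
		},
		{
			Arch:      types.ArchMIPS64,
			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
		},
		{
			Arch:      types.ArchMIPS64N32,
			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
		},
		{
			Arch:      types.ArchMIPSEL64,
			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
		},
		{
			Arch:      types.ArchMIPSEL64N32,
			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
		},
		{
			Arch:      types.ArchS390X,
			SubArches: []types.Arch{types.ArchS390},
		},
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
//
// The profile is deny-by-default: DefaultAction is ActErrno, so any syscall
// not matched by a rule below fails with an errno instead of killing the
// process (the exact errno is chosen by the runtime that loads the profile;
// NOTE(review): verify it is EPERM if callers rely on that).
//
// Rules are grouped as:
//   - an unconditional whitelist of "safe" syscalls,
//   - argument-restricted rules (personality, clone),
//   - architecture-specific syscalls (Includes.Arches),
//   - privileged syscalls that are only whitelisted when the container is
//     granted the corresponding capability (Includes.Caps / Excludes.Caps).
//
// The Includes/Excludes filters are not kernel concepts: they are resolved
// by the loader in this package against the container's capability set and
// the host architecture when the profile is applied, and the resulting rule
// set is what the kernel enforces. Dropping or adding a capability after the
// filter is installed does not change the installed filter.
func DefaultProfile() *types.Seccomp {
	syscalls := []*types.Syscall{
		{
			// Unconditionally allowed syscalls. Anything here is reachable by
			// every container using the default profile, regardless of
			// capabilities, so additions should be reviewed carefully.
			Names: []string{
				"accept",
				"accept4",
				"access",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_gettime",
				"clock_nanosleep",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				// ipc and socketcall are multiplexers on 32-bit ABIs; allowing
				// them is equivalent to allowing the SysV IPC / socket calls
				// that are already whitelisted individually below.
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				// seccomp(2) is allowed so that workloads can install their own,
				// stricter filters on top of this one; filters only stack, they
				// cannot loosen the profile installed by the runtime.
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				// NOTE(review): syslog(2) is whitelisted unconditionally here,
				// so reading the kernel log ring from a container is left to the
				// kernel's dmesg_restrict / CAP_SYSLOG checks alone. Consider
				// moving it behind a CAP_SYSLOG-gated rule like the other
				// privileged syscalls below.
				"syslog",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_settime",
				"timer_getoverrun",
				"timer_gettime",
				"timer_settime",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// personality(2) is only allowed for a fixed set of persona values
		// (see <linux/personality.h>): PER_LINUX (0x0), PER_LINUX32 (0x0008),
		// UNAME26 (0x20000), UNAME26|PER_LINUX32 (0x20008) and the 0xffffffff
		// "query current persona" value. Every other persona, in particular the
		// ADDR_* flags that alter address-space layout, is rejected.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls. Includes.Arches values are runtime
		// architecture names (GOARCH style), distinct from the seccomp
		// architecture constants used in arches() above.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls. Each rule below is only emitted when the
		// container's capability set contains the listed capability; a default
		// (non-privileged, no --cap-add) container therefore gets none of them.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"setdomainname",
				"sethostname",
				"setns",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is still allowed for ordinary thread and
		// process creation, but only when none of the CLONE_NEW* namespace
		// flags are set: the flags argument is masked with the namespace bits
		// (including CLONE_NEWUSER) and must compare equal to 0. This is what
		// keeps an unprivileged container from creating new user namespaces.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					// The flags argument is the second parameter on s390, so the
					// same namespace mask is applied to index 1 there.
					Index:    1,
					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"adjtimex",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
	}

	return &types.Seccomp{
		// Deny by default: unmatched syscalls fail with an errno rather than
		// terminating the process (ActKill would be noisier but also breaks
		// software that probes for optional syscalls).
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}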