github.com/jwhonce/docker@v0.6.7-0.20190327063223-da823cf3a5a3/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "io_pgetevents", 166 "ioprio_get", 167 "ioprio_set", 168 "io_setup", 169 "io_submit", 170 "ipc", 171 "kill", 172 "lchown", 173 "lchown32", 174 "lgetxattr", 175 "link", 176 "linkat", 177 "listen", 178 "listxattr", 179 "llistxattr", 180 "_llseek", 181 "lremovexattr", 182 "lseek", 183 "lsetxattr", 184 "lstat", 185 "lstat64", 186 "madvise", 187 "memfd_create", 188 "mincore", 189 "mkdir", 190 "mkdirat", 191 "mknod", 192 "mknodat", 193 "mlock", 194 "mlock2", 195 "mlockall", 196 "mmap", 197 "mmap2", 198 "mprotect", 199 "mq_getsetattr", 200 "mq_notify", 201 "mq_open", 202 "mq_timedreceive", 203 "mq_timedsend", 204 "mq_unlink", 205 "mremap", 206 "msgctl", 207 "msgget", 208 "msgrcv", 209 "msgsnd", 210 "msync", 211 "munlock", 212 "munlockall", 213 "munmap", 214 "nanosleep", 215 "newfstatat", 216 "_newselect", 217 "open", 218 "openat", 219 "pause", 220 "pipe", 221 "pipe2", 222 "poll", 223 "ppoll", 224 "prctl", 225 "pread64", 226 "preadv", 227 "preadv2", 228 "prlimit64", 229 "pselect6", 230 "pwrite64", 231 "pwritev", 232 "pwritev2", 233 "read", 234 "readahead", 235 "readlink", 236 "readlinkat", 237 "readv", 238 "recv", 239 "recvfrom", 240 "recvmmsg", 241 "recvmsg", 242 "remap_file_pages", 243 "removexattr", 244 "rename", 245 "renameat", 246 "renameat2", 247 "restart_syscall", 248 "rmdir", 249 "rt_sigaction", 250 "rt_sigpending", 251 "rt_sigprocmask", 252 "rt_sigqueueinfo", 253 "rt_sigreturn", 254 "rt_sigsuspend", 255 "rt_sigtimedwait", 256 "rt_tgsigqueueinfo", 257 "sched_getaffinity", 258 "sched_getattr", 259 "sched_getparam", 260 "sched_get_priority_max", 261 "sched_get_priority_min", 262 "sched_getscheduler", 263 "sched_rr_get_interval", 264 "sched_setaffinity", 265 "sched_setattr", 266 "sched_setparam", 267 "sched_setscheduler", 268 "sched_yield", 269 "seccomp", 270 "select", 271 "semctl", 272 "semget", 273 "semop", 274 "semtimedop", 275 "send", 276 "sendfile", 277 "sendfile64", 278 "sendmmsg", 279 "sendmsg", 280 "sendto", 281 "setfsgid", 282 "setfsgid32", 283 "setfsuid", 284 "setfsuid32", 285 "setgid", 286 "setgid32", 287 "setgroups", 288 "setgroups32", 289 "setitimer", 290 "setpgid", 291 "setpriority", 292 "setregid", 293 "setregid32", 294 "setresgid", 295 "setresgid32", 296 "setresuid", 297 "setresuid32", 298 "setreuid", 299 "setreuid32", 300 "setrlimit", 301 "set_robust_list", 302 "setsid", 303 "setsockopt", 304 "set_thread_area", 305 "set_tid_address", 306 "setuid", 307 "setuid32", 308 "setxattr", 309 "shmat", 310 "shmctl", 311 "shmdt", 312 "shmget", 313 "shutdown", 314 "sigaltstack", 315 "signalfd", 316 "signalfd4", 317 "sigreturn", 318 "socket", 319 "socketcall", 320 "socketpair", 321 "splice", 322 "stat", 323 "stat64", 324 "statfs", 325 "statfs64", 326 "statx", 327 "symlink", 328 "symlinkat", 329 "sync", 330 "sync_file_range", 331 "syncfs", 332 "sysinfo", 333 "tee", 334 "tgkill", 335 "time", 336 "timer_create", 337 "timer_delete", 338 "timerfd_create", 339 "timerfd_gettime", 340 "timerfd_settime", 341 "timer_getoverrun", 342 "timer_gettime", 343 "timer_settime", 344 "times", 345 "tkill", 346 "truncate", 347 "truncate64", 348 "ugetrlimit", 349 "umask", 350 "uname", 351 "unlink", 352 "unlinkat", 353 "utime", 354 "utimensat", 355 "utimes", 356 "vfork", 357 "vmsplice", 358 "wait4", 359 "waitid", 360 "waitpid", 361 "write", 362 "writev" 363 ], 364 "action": "SCMP_ACT_ALLOW", 365 "args": [], 366 "comment": "", 367 "includes": {}, 368 "excludes": {} 369 }, 370 { 371 "names": [ 372 "ptrace" 373 ], 374 "action": "SCMP_ACT_ALLOW", 375 "args": null, 376 "comment": "", 377 "includes": { 378 "minKernel": "4.8" 379 }, 380 "excludes": {} 381 }, 382 { 383 "names": [ 384 "personality" 385 ], 386 "action": "SCMP_ACT_ALLOW", 387 "args": [ 388 { 389 "index": 0, 390 "value": 0, 391 "valueTwo": 0, 392 "op": "SCMP_CMP_EQ" 393 } 394 ], 395 "comment": "", 396 "includes": {}, 397 "excludes": {} 398 }, 399 { 400 "names": [ 401 "personality" 402 ], 403 "action": "SCMP_ACT_ALLOW", 404 "args": [ 405 { 406 "index": 0, 407 "value": 8, 408 "valueTwo": 0, 409 "op": "SCMP_CMP_EQ" 410 } 411 ], 412 "comment": "", 413 "includes": {}, 414 "excludes": {} 415 }, 416 { 417 "names": [ 418 "personality" 419 ], 420 "action": "SCMP_ACT_ALLOW", 421 "args": [ 422 { 423 "index": 0, 424 "value": 131072, 425 "valueTwo": 0, 426 "op": "SCMP_CMP_EQ" 427 } 428 ], 429 "comment": "", 430 "includes": {}, 431 "excludes": {} 432 }, 433 { 434 "names": [ 435 "personality" 436 ], 437 "action": "SCMP_ACT_ALLOW", 438 "args": [ 439 { 440 "index": 0, 441 "value": 131080, 442 "valueTwo": 0, 443 "op": "SCMP_CMP_EQ" 444 } 445 ], 446 "comment": "", 447 "includes": {}, 448 "excludes": {} 449 }, 450 { 451 "names": [ 452 "personality" 453 ], 454 "action": "SCMP_ACT_ALLOW", 455 "args": [ 456 { 457 "index": 0, 458 "value": 4294967295, 459 "valueTwo": 0, 460 "op": "SCMP_CMP_EQ" 461 } 462 ], 463 "comment": "", 464 "includes": {}, 465 "excludes": {} 466 }, 467 { 468 "names": [ 469 "sync_file_range2" 470 ], 471 "action": "SCMP_ACT_ALLOW", 472 "args": [], 473 "comment": "", 474 "includes": { 475 "arches": [ 476 "ppc64le" 477 ] 478 }, 479 "excludes": {} 480 }, 481 { 482 "names": [ 483 "arm_fadvise64_64", 484 "arm_sync_file_range", 485 "sync_file_range2", 486 "breakpoint", 487 "cacheflush", 488 "set_tls" 489 ], 490 "action": "SCMP_ACT_ALLOW", 491 "args": [], 492 "comment": "", 493 "includes": { 494 "arches": [ 495 "arm", 496 "arm64" 497 ] 498 }, 499 "excludes": {} 500 }, 501 { 502 "names": [ 503 "arch_prctl" 504 ], 505 "action": "SCMP_ACT_ALLOW", 506 "args": [], 507 "comment": "", 508 "includes": { 509 "arches": [ 510 "amd64", 511 "x32" 512 ] 513 }, 514 "excludes": {} 515 }, 516 { 517 "names": [ 518 "modify_ldt" 519 ], 520 "action": "SCMP_ACT_ALLOW", 521 "args": [], 522 "comment": "", 523 "includes": { 524 "arches": [ 525 "amd64", 526 "x32", 527 "x86" 528 ] 529 }, 530 "excludes": {} 531 }, 532 { 533 "names": [ 534 "s390_pci_mmio_read", 535 "s390_pci_mmio_write", 536 "s390_runtime_instr" 537 ], 538 "action": "SCMP_ACT_ALLOW", 539 "args": [], 540 "comment": "", 541 "includes": { 542 "arches": [ 543 "s390", 544 "s390x" 545 ] 546 }, 547 "excludes": {} 548 }, 549 { 550 "names": [ 551 "open_by_handle_at" 552 ], 553 "action": "SCMP_ACT_ALLOW", 554 "args": [], 555 "comment": "", 556 "includes": { 557 "caps": [ 558 "CAP_DAC_READ_SEARCH" 559 ] 560 }, 561 "excludes": {} 562 }, 563 { 564 "names": [ 565 "bpf", 566 "clone", 567 "fanotify_init", 568 "lookup_dcookie", 569 "mount", 570 "name_to_handle_at", 571 "perf_event_open", 572 "quotactl", 573 "setdomainname", 574 "sethostname", 575 "setns", 576 "syslog", 577 "umount", 578 "umount2", 579 "unshare" 580 ], 581 "action": "SCMP_ACT_ALLOW", 582 "args": [], 583 "comment": "", 584 "includes": { 585 "caps": [ 586 "CAP_SYS_ADMIN" 587 ] 588 }, 589 "excludes": {} 590 }, 591 { 592 "names": [ 593 "clone" 594 ], 595 "action": "SCMP_ACT_ALLOW", 596 "args": [ 597 { 598 "index": 0, 599 "value": 2080505856, 600 "valueTwo": 0, 601 "op": "SCMP_CMP_MASKED_EQ" 602 } 603 ], 604 "comment": "", 605 "includes": {}, 606 "excludes": { 607 "caps": [ 608 "CAP_SYS_ADMIN" 609 ], 610 "arches": [ 611 "s390", 612 "s390x" 613 ] 614 } 615 }, 616 { 617 "names": [ 618 "clone" 619 ], 620 "action": "SCMP_ACT_ALLOW", 621 "args": [ 622 { 623 "index": 1, 624 "value": 2080505856, 625 "valueTwo": 0, 626 "op": "SCMP_CMP_MASKED_EQ" 627 } 628 ], 629 "comment": "s390 parameter ordering for clone is different", 630 "includes": { 631 "arches": [ 632 "s390", 633 "s390x" 634 ] 635 }, 636 "excludes": { 637 "caps": [ 638 "CAP_SYS_ADMIN" 639 ] 640 } 641 }, 642 { 643 "names": [ 644 "reboot" 645 ], 646 "action": "SCMP_ACT_ALLOW", 647 "args": [], 648 "comment": "", 649 "includes": { 650 "caps": [ 651 "CAP_SYS_BOOT" 652 ] 653 }, 654 "excludes": {} 655 }, 656 { 657 "names": [ 658 "chroot" 659 ], 660 "action": "SCMP_ACT_ALLOW", 661 "args": [], 662 "comment": "", 663 "includes": { 664 "caps": [ 665 "CAP_SYS_CHROOT" 666 ] 667 }, 668 "excludes": {} 669 }, 670 { 671 "names": [ 672 "delete_module", 673 "init_module", 674 "finit_module", 675 "query_module" 676 ], 677 "action": "SCMP_ACT_ALLOW", 678 "args": [], 679 "comment": "", 680 "includes": { 681 "caps": [ 682 "CAP_SYS_MODULE" 683 ] 684 }, 685 "excludes": {} 686 }, 687 { 688 "names": [ 689 "acct" 690 ], 691 "action": "SCMP_ACT_ALLOW", 692 "args": [], 693 "comment": "", 694 "includes": { 695 "caps": [ 696 "CAP_SYS_PACCT" 697 ] 698 }, 699 "excludes": {} 700 }, 701 { 702 "names": [ 703 "kcmp", 704 "process_vm_readv", 705 "process_vm_writev", 706 "ptrace" 707 ], 708 "action": "SCMP_ACT_ALLOW", 709 "args": [], 710 "comment": "", 711 "includes": { 712 "caps": [ 713 "CAP_SYS_PTRACE" 714 ] 715 }, 716 "excludes": {} 717 }, 718 { 719 "names": [ 720 "iopl", 721 "ioperm" 722 ], 723 "action": "SCMP_ACT_ALLOW", 724 "args": [], 725 "comment": "", 726 "includes": { 727 "caps": [ 728 "CAP_SYS_RAWIO" 729 ] 730 }, 731 "excludes": {} 732 }, 733 { 734 "names": [ 735 "settimeofday", 736 "stime", 737 "clock_settime" 738 ], 739 "action": "SCMP_ACT_ALLOW", 740 "args": [], 741 "comment": "", 742 "includes": { 743 "caps": [ 744 "CAP_SYS_TIME" 745 ] 746 }, 747 "excludes": {} 748 }, 749 { 750 "names": [ 751 "vhangup" 752 ], 753 "action": "SCMP_ACT_ALLOW", 754 "args": [], 755 "comment": "", 756 "includes": { 757 "caps": [ 758 "CAP_SYS_TTY_CONFIG" 759 ] 760 }, 761 "excludes": {} 762 }, 763 { 764 "names": [ 765 "get_mempolicy", 766 "mbind", 767 "set_mempolicy" 768 ], 769 "action": "SCMP_ACT_ALLOW", 770 "args": [], 771 "comment": "", 772 "includes": { 773 "caps": [ 774 "CAP_SYS_NICE" 775 ] 776 }, 777 "excludes": {} 778 }, 779 { 780 "names": [ 781 "syslog" 782 ], 783 "action": "SCMP_ACT_ALLOW", 784 "args": [], 785 "comment": "", 786 "includes": { 787 "caps": [ 788 "CAP_SYSLOG" 789 ] 790 }, 791 "excludes": {} 792 } 793 ] 794 }