// +build linux,seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile: each
// native architecture paired with the compat sub-architectures that are
// listed alongside it (e.g. 32-bit x86 and x32 under x86-64, arm under
// aarch64). The intent, as far as this file shows, is that the filter is
// installed for the native ABI and for every compat ABI named here, so a
// binary running under a compat syscall table is filtered too — keep the
// sub-arch lists complete when adding a new native arch.
func arches() []types.Architecture {
	// entry builds one row of the map; the variadic subs become SubArches.
	entry := func(native types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: native, SubArches: subs}
	}
	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
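func DefaultProfile() *types.Seccomp {
	// The profile is default-deny: DefaultAction (set at the bottom) is
	// ActErrno, so a syscall that matches no rule fails with an errno (the
	// runtime's default for ActErrno, conventionally EPERM) instead of
	// killing the process. Rules are therefore all ActAllow, optionally
	// narrowed by argument comparisons, kernel version, architecture or the
	// capabilities granted to the container (Includes/Excludes filters).
	syscalls := []*types.Syscall{
		// Unconditionally allowed for every container, on every arch, with
		// no argument inspection. Anything absent from this list and from the
		// conditional rules below (e.g. keyctl, add_key, userfaultfd,
		// kexec_load, mount without CAP_SYS_ADMIN) is denied.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_gettime",
				"clock_nanosleep",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_settime",
				"timer_getoverrun",
				"timer_gettime",
				"timer_settime",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// ptrace is allowed without any capability only on kernels >= 4.8.
		// Before 4.8 a tracer could rewrite a syscall after the seccomp
		// filter had already approved it, turning ptrace into a filter
		// bypass; 4.8 moved the filter after the ptrace syscall-entry stop.
		// On older kernels ptrace remains available through the
		// CAP_SYS_PTRACE rule further down.
		{
			Names:  []string{"ptrace"},
			Action: types.ActAllow,
			Includes: types.Filter{
				MinKernel: "4.8",
			},
		},
		// personality(2) is allowed only for a fixed set of argument values
		// (per linux/personality.h): 0x0 PER_LINUX, 0x0008 PER_LINUX32,
		// 0x20000 UNAME26, 0x20008 PER_LINUX32|UNAME26, and 0xffffffff which
		// queries the current personality without changing it. Other flags
		// (e.g. ADDR_NO_RANDOMIZE, which disables ASLR) are denied.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, only emitted when the container
		// runs on one of the listed arches.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls. Each rule is emitted only when the
		// container has been granted the named capability, so a default
		// (non-privileged) container never gets these.
		//
		// open_by_handle_at lets a caller open any file on a mounted
		// filesystem from a raw handle, bypassing path-based restrictions;
		// it needs CAP_DAC_READ_SEARCH in the kernel and is gated on it here.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// With CAP_SYS_ADMIN the namespace-, mount- and tracing-related
		// calls are allowed without argument restrictions; note this
		// includes clone with any flags, which is why the masked clone rules
		// below exclude CAP_SYS_ADMIN containers.
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creating flags are set: OpMaskedEqual checks
		// (flags & Value) == ValueTwo, and ValueTwo is 0. This is what keeps
		// an unprivileged container from creating new user/pid/net/... 
		// namespaces while still allowing ordinary thread and process
		// creation. CLONE_NEWCGROUP is part of the mask so cgroup namespaces
		// are covered like the other namespace types (the kernel also
		// requires CAP_SYS_ADMIN for it, so this only makes the seccomp rule
		// consistent with the unshare/setns gating above). Excluded on s390,
		// where the flags live in a different argument (next rule).
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same rule for s390/s390x, where clone takes the flags in the
		// second argument (Index 1) rather than the first.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		// Kernel module loading/unloading; only meaningful for containers
		// explicitly granted CAP_SYS_MODULE.
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// Process inspection/injection: allowed regardless of kernel version
		// when the container holds CAP_SYS_PTRACE (compare the kernel-gated
		// ptrace rule above).
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		// Raw I/O port access.
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		// Setting the system clock affects the whole host, hence CAP_SYS_TIME.
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		// NUMA memory policy calls.
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// syslog is also in the CAP_SYS_ADMIN list above, so either
		// capability is sufficient to read/control the kernel log buffer.
		{
			Names: []string{
				"syslog",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	return &types.Seccomp{
		// Default-deny with an errno; see the note at the top of the function.
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}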