github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/engine/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "close_range", 78 "connect", 79 "copy_file_range", 80 "creat", 81 "dup", 82 "dup2", 83 "dup3", 84 "epoll_create", 85 "epoll_create1", 86 "epoll_ctl", 87 "epoll_ctl_old", 88 "epoll_pwait", 89 "epoll_pwait2", 90 "epoll_wait", 91 "epoll_wait_old", 92 "eventfd", 93 "eventfd2", 94 "execve", 95 "execveat", 96 "exit", 97 "exit_group", 98 "faccessat", 99 "faccessat2", 100 "fadvise64", 101 "fadvise64_64", 102 "fallocate", 103 "fanotify_mark", 104 "fchdir", 105 "fchmod", 106 "fchmodat", 107 "fchown", 108 "fchown32", 109 "fchownat", 110 "fcntl", 111 "fcntl64", 112 "fdatasync", 113 "fgetxattr", 114 "flistxattr", 115 "flock", 116 "fork", 117 "fremovexattr", 118 "fsetxattr", 119 "fstat", 120 "fstat64", 121 "fstatat64", 122 "fstatfs", 123 "fstatfs64", 124 "fsync", 125 "ftruncate", 126 "ftruncate64", 127 "futex", 128 "futex_time64", 129 "futex_waitv", 130 "futimesat", 131 "getcpu", 132 "getcwd", 133 "getdents", 134 "getdents64", 135 "getegid", 136 "getegid32", 137 "geteuid", 138 "geteuid32", 139 "getgid", 140 "getgid32", 141 "getgroups", 142 "getgroups32", 143 "getitimer", 144 "getpeername", 145 "getpgid", 146 "getpgrp", 147 "getpid", 148 "getppid", 149 "getpriority", 150 "getrandom", 151 "getresgid", 152 "getresgid32", 153 "getresuid", 154 "getresuid32", 155 "getrlimit", 156 "get_robust_list", 157 "getrusage", 158 "getsid", 159 "getsockname", 160 "getsockopt", 161 "get_thread_area", 162 "gettid", 163 "gettimeofday", 164 "getuid", 165 "getuid32", 166 "getxattr", 167 "inotify_add_watch", 168 "inotify_init", 169 "inotify_init1", 170 "inotify_rm_watch", 171 "io_cancel", 172 "ioctl", 173 "io_destroy", 174 "io_getevents", 175 "io_pgetevents", 176 "io_pgetevents_time64", 177 "ioprio_get", 178 "ioprio_set", 179 "io_setup", 180 "io_submit", 181 "io_uring_enter", 182 "io_uring_register", 183 "io_uring_setup", 184 "ipc", 185 "kill", 186 "landlock_add_rule", 187 "landlock_create_ruleset", 188 "landlock_restrict_self", 189 "lchown", 190 "lchown32", 191 "lgetxattr", 192 "link", 193 "linkat", 194 "listen", 195 "listxattr", 196 "llistxattr", 197 "_llseek", 198 "lremovexattr", 199 "lseek", 200 "lsetxattr", 201 "lstat", 202 "lstat64", 203 "madvise", 204 "membarrier", 205 "memfd_create", 206 "memfd_secret", 207 "mincore", 208 "mkdir", 209 "mkdirat", 210 "mknod", 211 "mknodat", 212 "mlock", 213 "mlock2", 214 "mlockall", 215 "mmap", 216 "mmap2", 217 "mprotect", 218 "mq_getsetattr", 219 "mq_notify", 220 "mq_open", 221 "mq_timedreceive", 222 "mq_timedreceive_time64", 223 "mq_timedsend", 224 "mq_timedsend_time64", 225 "mq_unlink", 226 "mremap", 227 "msgctl", 228 "msgget", 229 "msgrcv", 230 "msgsnd", 231 "msync", 232 "munlock", 233 "munlockall", 234 "munmap", 235 "nanosleep", 236 "newfstatat", 237 "_newselect", 238 "open", 239 "openat", 240 "openat2", 241 "pause", 242 "pidfd_open", 243 "pidfd_send_signal", 244 "pipe", 245 "pipe2", 246 "poll", 247 "ppoll", 248 "ppoll_time64", 249 "prctl", 250 "pread64", 251 "preadv", 252 "preadv2", 253 "prlimit64", 254 "process_mrelease", 255 "pselect6", 256 "pselect6_time64", 257 "pwrite64", 258 "pwritev", 259 "pwritev2", 260 "read", 261 "readahead", 262 "readlink", 263 "readlinkat", 264 "readv", 265 "recv", 266 "recvfrom", 267 "recvmmsg", 268 "recvmmsg_time64", 269 "recvmsg", 270 "remap_file_pages", 271 "removexattr", 272 "rename", 273 "renameat", 274 "renameat2", 275 "restart_syscall", 276 "rmdir", 277 "rseq", 278 "rt_sigaction", 279 "rt_sigpending", 280 "rt_sigprocmask", 281 "rt_sigqueueinfo", 282 "rt_sigreturn", 283 "rt_sigsuspend", 284 "rt_sigtimedwait", 285 "rt_sigtimedwait_time64", 286 "rt_tgsigqueueinfo", 287 "sched_getaffinity", 288 "sched_getattr", 289 "sched_getparam", 290 "sched_get_priority_max", 291 "sched_get_priority_min", 292 "sched_getscheduler", 293 "sched_rr_get_interval", 294 "sched_rr_get_interval_time64", 295 "sched_setaffinity", 296 "sched_setattr", 297 "sched_setparam", 298 "sched_setscheduler", 299 "sched_yield", 300 "seccomp", 301 "select", 302 "semctl", 303 "semget", 304 "semop", 305 "semtimedop", 306 "semtimedop_time64", 307 "send", 308 "sendfile", 309 "sendfile64", 310 "sendmmsg", 311 "sendmsg", 312 "sendto", 313 "setfsgid", 314 "setfsgid32", 315 "setfsuid", 316 "setfsuid32", 317 "setgid", 318 "setgid32", 319 "setgroups", 320 "setgroups32", 321 "setitimer", 322 "setpgid", 323 "setpriority", 324 "setregid", 325 "setregid32", 326 "setresgid", 327 "setresgid32", 328 "setresuid", 329 "setresuid32", 330 "setreuid", 331 "setreuid32", 332 "setrlimit", 333 "set_robust_list", 334 "setsid", 335 "setsockopt", 336 "set_thread_area", 337 "set_tid_address", 338 "setuid", 339 "setuid32", 340 "setxattr", 341 "shmat", 342 "shmctl", 343 "shmdt", 344 "shmget", 345 "shutdown", 346 "sigaltstack", 347 "signalfd", 348 "signalfd4", 349 "sigprocmask", 350 "sigreturn", 351 "socket", 352 "socketcall", 353 "socketpair", 354 "splice", 355 "stat", 356 "stat64", 357 "statfs", 358 "statfs64", 359 "statx", 360 "symlink", 361 "symlinkat", 362 "sync", 363 "sync_file_range", 364 "syncfs", 365 "sysinfo", 366 "tee", 367 "tgkill", 368 "time", 369 "timer_create", 370 "timer_delete", 371 "timer_getoverrun", 372 "timer_gettime", 373 "timer_gettime64", 374 "timer_settime", 375 "timer_settime64", 376 "timerfd_create", 377 "timerfd_gettime", 378 "timerfd_gettime64", 379 "timerfd_settime", 380 "timerfd_settime64", 381 "times", 382 "tkill", 383 "truncate", 384 "truncate64", 385 "ugetrlimit", 386 "umask", 387 "uname", 388 "unlink", 389 "unlinkat", 390 "utime", 391 "utimensat", 392 "utimensat_time64", 393 "utimes", 394 "vfork", 395 "vmsplice", 396 "wait4", 397 "waitid", 398 "waitpid", 399 "write", 400 "writev" 401 ], 402 "action": "SCMP_ACT_ALLOW", 403 "args": [], 404 "comment": "", 405 "includes": {}, 406 "excludes": {} 407 }, 408 { 409 "names": [ 410 "ptrace" 411 ], 412 "action": "SCMP_ACT_ALLOW", 413 "args": null, 414 "comment": "", 415 "includes": { 416 "minKernel": "4.8" 417 }, 418 "excludes": {} 419 }, 420 { 421 "names": [ 422 "personality" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [ 426 { 427 "index": 0, 428 "value": 0, 429 "op": "SCMP_CMP_EQ" 430 } 431 ], 432 "comment": "", 433 "includes": {}, 434 "excludes": {} 435 }, 436 { 437 "names": [ 438 "personality" 439 ], 440 "action": "SCMP_ACT_ALLOW", 441 "args": [ 442 { 443 "index": 0, 444 "value": 8, 445 "op": "SCMP_CMP_EQ" 446 } 447 ], 448 "comment": "", 449 "includes": {}, 450 "excludes": {} 451 }, 452 { 453 "names": [ 454 "personality" 455 ], 456 "action": "SCMP_ACT_ALLOW", 457 "args": [ 458 { 459 "index": 0, 460 "value": 131072, 461 "op": "SCMP_CMP_EQ" 462 } 463 ], 464 "comment": "", 465 "includes": {}, 466 "excludes": {} 467 }, 468 { 469 "names": [ 470 "personality" 471 ], 472 "action": "SCMP_ACT_ALLOW", 473 "args": [ 474 { 475 "index": 0, 476 "value": 131080, 477 "op": "SCMP_CMP_EQ" 478 } 479 ], 480 "comment": "", 481 "includes": {}, 482 "excludes": {} 483 }, 484 { 485 "names": [ 486 "personality" 487 ], 488 "action": "SCMP_ACT_ALLOW", 489 "args": [ 490 { 491 "index": 0, 492 "value": 4294967295, 493 "op": "SCMP_CMP_EQ" 494 } 495 ], 496 "comment": "", 497 "includes": {}, 498 "excludes": {} 499 }, 500 { 501 "names": [ 502 "sync_file_range2" 503 ], 504 "action": "SCMP_ACT_ALLOW", 505 "args": [], 506 "comment": "", 507 "includes": { 508 "arches": [ 509 "ppc64le" 510 ] 511 }, 512 "excludes": {} 513 }, 514 { 515 "names": [ 516 "arm_fadvise64_64", 517 "arm_sync_file_range", 518 "sync_file_range2", 519 "breakpoint", 520 "cacheflush", 521 "set_tls" 522 ], 523 "action": "SCMP_ACT_ALLOW", 524 "args": [], 525 "comment": "", 526 "includes": { 527 "arches": [ 528 "arm", 529 "arm64" 530 ] 531 }, 532 "excludes": {} 533 }, 534 { 535 "names": [ 536 "arch_prctl" 537 ], 538 "action": "SCMP_ACT_ALLOW", 539 "args": [], 540 "comment": "", 541 "includes": { 542 "arches": [ 543 "amd64", 544 "x32" 545 ] 546 }, 547 "excludes": {} 548 }, 549 { 550 "names": [ 551 "modify_ldt" 552 ], 553 "action": "SCMP_ACT_ALLOW", 554 "args": [], 555 "comment": "", 556 "includes": { 557 "arches": [ 558 "amd64", 559 "x32", 560 "x86" 561 ] 562 }, 563 "excludes": {} 564 }, 565 { 566 "names": [ 567 "s390_pci_mmio_read", 568 "s390_pci_mmio_write", 569 "s390_runtime_instr" 570 ], 571 "action": "SCMP_ACT_ALLOW", 572 "args": [], 573 "comment": "", 574 "includes": { 575 "arches": [ 576 "s390", 577 "s390x" 578 ] 579 }, 580 "excludes": {} 581 }, 582 { 583 "names": [ 584 "open_by_handle_at" 585 ], 586 "action": "SCMP_ACT_ALLOW", 587 "args": [], 588 "comment": "", 589 "includes": { 590 "caps": [ 591 "CAP_DAC_READ_SEARCH" 592 ] 593 }, 594 "excludes": {} 595 }, 596 { 597 "names": [ 598 "bpf", 599 "clone", 600 "clone3", 601 "fanotify_init", 602 "fsconfig", 603 "fsmount", 604 "fsopen", 605 "fspick", 606 "lookup_dcookie", 607 "mount", 608 "mount_setattr", 609 "move_mount", 610 "name_to_handle_at", 611 "open_tree", 612 "perf_event_open", 613 "quotactl", 614 "quotactl_fd", 615 "setdomainname", 616 "sethostname", 617 "setns", 618 "syslog", 619 "umount", 620 "umount2", 621 "unshare" 622 ], 623 "action": "SCMP_ACT_ALLOW", 624 "args": [], 625 "comment": "", 626 "includes": { 627 "caps": [ 628 "CAP_SYS_ADMIN" 629 ] 630 }, 631 "excludes": {} 632 }, 633 { 634 "names": [ 635 "clone" 636 ], 637 "action": "SCMP_ACT_ALLOW", 638 "args": [ 639 { 640 "index": 0, 641 "value": 2114060288, 642 "op": "SCMP_CMP_MASKED_EQ" 643 } 644 ], 645 "comment": "", 646 "includes": {}, 647 "excludes": { 648 "caps": [ 649 "CAP_SYS_ADMIN" 650 ], 651 "arches": [ 652 "s390", 653 "s390x" 654 ] 655 } 656 }, 657 { 658 "names": [ 659 "clone" 660 ], 661 "action": "SCMP_ACT_ALLOW", 662 "args": [ 663 { 664 "index": 1, 665 "value": 2114060288, 666 "op": "SCMP_CMP_MASKED_EQ" 667 } 668 ], 669 "comment": "s390 parameter ordering for clone is different", 670 "includes": { 671 "arches": [ 672 "s390", 673 "s390x" 674 ] 675 }, 676 "excludes": { 677 "caps": [ 678 "CAP_SYS_ADMIN" 679 ] 680 } 681 }, 682 { 683 "names": [ 684 "clone3" 685 ], 686 "action": "SCMP_ACT_ERRNO", 687 "errnoRet": 38, 688 "args": [], 689 "comment": "", 690 "includes": {}, 691 "excludes": { 692 "caps": [ 693 "CAP_SYS_ADMIN" 694 ] 695 } 696 }, 697 { 698 "names": [ 699 "reboot" 700 ], 701 "action": "SCMP_ACT_ALLOW", 702 "args": [], 703 "comment": "", 704 "includes": { 705 "caps": [ 706 "CAP_SYS_BOOT" 707 ] 708 }, 709 "excludes": {} 710 }, 711 { 712 "names": [ 713 "chroot" 714 ], 715 "action": "SCMP_ACT_ALLOW", 716 "args": [], 717 "comment": "", 718 "includes": { 719 "caps": [ 720 "CAP_SYS_CHROOT" 721 ] 722 }, 723 "excludes": {} 724 }, 725 { 726 "names": [ 727 "delete_module", 728 "init_module", 729 "finit_module" 730 ], 731 "action": "SCMP_ACT_ALLOW", 732 "args": [], 733 "comment": "", 734 "includes": { 735 "caps": [ 736 "CAP_SYS_MODULE" 737 ] 738 }, 739 "excludes": {} 740 }, 741 { 742 "names": [ 743 "acct" 744 ], 745 "action": "SCMP_ACT_ALLOW", 746 "args": [], 747 "comment": "", 748 "includes": { 749 "caps": [ 750 "CAP_SYS_PACCT" 751 ] 752 }, 753 "excludes": {} 754 }, 755 { 756 "names": [ 757 "kcmp", 758 "pidfd_getfd", 759 "process_madvise", 760 "process_vm_readv", 761 "process_vm_writev", 762 "ptrace" 763 ], 764 "action": "SCMP_ACT_ALLOW", 765 "args": [], 766 "comment": "", 767 "includes": { 768 "caps": [ 769 "CAP_SYS_PTRACE" 770 ] 771 }, 772 "excludes": {} 773 }, 774 { 775 "names": [ 776 "iopl", 777 "ioperm" 778 ], 779 "action": "SCMP_ACT_ALLOW", 780 "args": [], 781 "comment": "", 782 "includes": { 783 "caps": [ 784 "CAP_SYS_RAWIO" 785 ] 786 }, 787 "excludes": {} 788 }, 789 { 790 "names": [ 791 "settimeofday", 792 "stime", 793 "clock_settime" 794 ], 795 "action": "SCMP_ACT_ALLOW", 796 "args": [], 797 "comment": "", 798 "includes": { 799 "caps": [ 800 "CAP_SYS_TIME" 801 ] 802 }, 803 "excludes": {} 804 }, 805 { 806 "names": [ 807 "vhangup" 808 ], 809 "action": "SCMP_ACT_ALLOW", 810 "args": [], 811 "comment": "", 812 "includes": { 813 "caps": [ 814 "CAP_SYS_TTY_CONFIG" 815 ] 816 }, 817 "excludes": {} 818 }, 819 { 820 "names": [ 821 "get_mempolicy", 822 "mbind", 823 "set_mempolicy" 824 ], 825 "action": "SCMP_ACT_ALLOW", 826 "args": [], 827 "comment": "", 828 "includes": { 829 "caps": [ 830 "CAP_SYS_NICE" 831 ] 832 }, 833 "excludes": {} 834 }, 835 { 836 "names": [ 837 "syslog" 838 ], 839 "action": "SCMP_ACT_ALLOW", 840 "args": [], 841 "comment": "", 842 "includes": { 843 "caps": [ 844 "CAP_SYSLOG" 845 ] 846 }, 847 "excludes": {} 848 } 849 ] 850 }