
     1  //go:build seccomp
     2  // +build seccomp
     3  
     4  package seccomp // import "github.com/docker/docker/profiles/seccomp"
     5  
     6  import (
     7  	"github.com/opencontainers/runtime-spec/specs-go"
     8  	"golang.org/x/sys/unix"
     9  )
    10  
// arches returns the architecture map used by DefaultProfile: each entry
// names a primary architecture together with the sub-architectures listed
// for it (e.g. 32-bit x86 and x32 alongside x86_64). A fresh slice is built
// on every call.
func arches() []Architecture {
	// entry builds one Architecture; the variadic parameter yields a fresh
	// slice per call, exactly as the literal form would.
	entry := func(primary specs.Arch, compatible ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: compatible}
	}
	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
	}
}
    43  
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
//
// The profile is deny-by-default: DefaultAction is ActErrno, so a syscall
// that matches none of the rules below fails with an errno instead of
// running. The table starts with one broad allow list of unprivileged
// syscalls and continues with narrower rules whose Includes/Excludes Filter
// limits them by capability, architecture or minimum kernel version, plus
// argument-level checks for personality(2) and clone(2).
//
// Treat this function as policy data rather than code: keep the rule order
// and the distinction between a nil Args and an empty Args slice as written,
// since both may affect the generated profile. A fresh *Seccomp (with fresh
// slices) is returned on every call, so callers may modify the result.
func DefaultProfile() *Seccomp {
	// Errno returned by the clone3 rule further down; ErrnoRet takes a pointer.
	nosys := uint(unix.ENOSYS)
	syscalls := []*Syscall{
		// Baseline: syscalls allowed unconditionally, with no argument checks.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"close_range",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_pwait2",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futex_waitv",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"landlock_add_rule",
				"landlock_create_ruleset",
				"landlock_restrict_self",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"memfd_secret",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_open",
				"pidfd_send_signal",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"process_mrelease",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rseq",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
		},
		// ptrace is allowed only on kernels >= 4.8 (no capability required).
		// Presumably because earlier kernels let a tracer alter syscall
		// arguments after the seccomp filter had already run -- confirm
		// against the upstream profile's rationale. ptrace appears again
		// below, gated on CAP_SYS_PTRACE instead.
		{
			Names:  []string{"ptrace"},
			Action: specs.ActAllow,
			Includes: Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality(2) is restricted to a fixed set of persona values.
		// OpEqualTo compares a single argument against one value, so each
		// accepted value needs its own rule. Values follow
		// linux/personality.h: 0x0 = PER_LINUX.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x0008 = PER_LINUX32.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x20000 = UNAME26 (report a 2.6.x kernel version).
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0x20008 = PER_LINUX32 | UNAME26.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// 0xffffffff queries the current persona without changing it.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, each enabled only for the
		// architectures named in its Includes filter.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated rules: each is included only for containers that
		// hold the capability named in its Includes filter.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// Mount, namespace, BPF, perf and similar host-affecting syscalls
		// require CAP_SYS_ADMIN. clone and clone3 are listed here without
		// argument checks; the rules that apply WITHOUT the capability
		// follow below. syslog is also enabled separately under CAP_SYSLOG.
		{
			Names: []string{
				"bpf",
				"clone",
				"clone3",
				"fanotify_init",
				"fsconfig",
				"fsmount",
				"fsopen",
				"fspick",
				"lookup_dcookie",
				"mount",
				"mount_setattr",
				"move_mount",
				"name_to_handle_at",
				"open_tree",
				"perf_event_open",
				"quotactl",
				"quotactl_fd",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when its flags (arg 0)
		// contain none of the namespace-creating CLONE_NEW* bits:
		// OpMaskedEqual requires (arg & Value) == ValueTwo, i.e. == 0.
		// Excluded on s390/s390x, which are handled by the next rule.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Excludes: Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same check as above for s390/s390x, where the flags are arg 1.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// clone3 passes its flags in a user-space struct that a seccomp
		// filter cannot inspect, so the namespace check above cannot be
		// applied to it. Without CAP_SYS_ADMIN it is rejected with ENOSYS
		// rather than denied outright -- presumably so that libc falls back
		// to clone, which IS checked; confirm against the upstream profile.
		{
			Names: []string{
				"clone3",
			},
			Action:   specs.ActErrno,
			ErrnoRet: &nosys,
			Args:     []*specs.LinuxSeccompArg{},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// CAP_SYS_BOOT.
		{
			Names: []string{
				"reboot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		// CAP_SYS_CHROOT.
		{
			Names: []string{
				"chroot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		// CAP_SYS_MODULE: kernel module loading and unloading.
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		// CAP_SYS_PACCT: process accounting.
		{
			Names: []string{
				"acct",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// CAP_SYS_PTRACE: cross-process inspection. ptrace here is
		// independent of the kernel-version rule earlier in the table.
		{
			Names: []string{
				"kcmp",
				"pidfd_getfd",
				"process_madvise",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		// CAP_SYS_RAWIO: raw I/O port access.
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		// CAP_SYS_TIME: setting the system clock.
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		// CAP_SYS_TTY_CONFIG.
		{
			Names: []string{
				"vhangup",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		// CAP_SYS_NICE: NUMA memory policy.
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// CAP_SYSLOG: syslog is also enabled by the CAP_SYS_ADMIN group
		// above; either capability is sufficient.
		{
			Names: []string{
				"syslog",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// DefaultAction ActErrno makes the table deny-by-default; ArchMap lists
	// the architectures (and sub-architectures) the profile is built for.
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}