github.com/kim0/docker@v0.6.2-0.20161130212042-4addda3f07e7/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "alarm", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 
"futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "prlimit64", 227 "pselect6", 228 "pwrite64", 229 "pwritev", 230 "read", 231 "readahead", 232 "readlink", 233 "readlinkat", 234 "readv", 235 "recv", 236 "recvfrom", 237 "recvmmsg", 238 "recvmsg", 239 "remap_file_pages", 240 "removexattr", 241 "rename", 242 "renameat", 243 
"renameat2", 244 "restart_syscall", 245 "rmdir", 246 "rt_sigaction", 247 "rt_sigpending", 248 "rt_sigprocmask", 249 "rt_sigqueueinfo", 250 "rt_sigreturn", 251 "rt_sigsuspend", 252 "rt_sigtimedwait", 253 "rt_tgsigqueueinfo", 254 "sched_getaffinity", 255 "sched_getattr", 256 "sched_getparam", 257 "sched_get_priority_max", 258 "sched_get_priority_min", 259 "sched_getscheduler", 260 "sched_rr_get_interval", 261 "sched_setaffinity", 262 "sched_setattr", 263 "sched_setparam", 264 "sched_setscheduler", 265 "sched_yield", 266 "seccomp", 267 "select", 268 "semctl", 269 "semget", 270 "semop", 271 "semtimedop", 272 "send", 273 "sendfile", 274 "sendfile64", 275 "sendmmsg", 276 "sendmsg", 277 "sendto", 278 "setfsgid", 279 "setfsgid32", 280 "setfsuid", 281 "setfsuid32", 282 "setgid", 283 "setgid32", 284 "setgroups", 285 "setgroups32", 286 "setitimer", 287 "setpgid", 288 "setpriority", 289 "setregid", 290 "setregid32", 291 "setresgid", 292 "setresgid32", 293 "setresuid", 294 "setresuid32", 295 "setreuid", 296 "setreuid32", 297 "setrlimit", 298 "set_robust_list", 299 "setsid", 300 "setsockopt", 301 "set_thread_area", 302 "set_tid_address", 303 "setuid", 304 "setuid32", 305 "setxattr", 306 "shmat", 307 "shmctl", 308 "shmdt", 309 "shmget", 310 "shutdown", 311 "sigaltstack", 312 "signalfd", 313 "signalfd4", 314 "sigreturn", 315 "socket", 316 "socketcall", 317 "socketpair", 318 "splice", 319 "stat", 320 "stat64", 321 "statfs", 322 "statfs64", 323 "symlink", 324 "symlinkat", 325 "sync", 326 "sync_file_range", 327 "syncfs", 328 "sysinfo", 329 "syslog", 330 "tee", 331 "tgkill", 332 "time", 333 "timer_create", 334 "timer_delete", 335 "timerfd_create", 336 "timerfd_gettime", 337 "timerfd_settime", 338 "timer_getoverrun", 339 "timer_gettime", 340 "timer_settime", 341 "times", 342 "tkill", 343 "truncate", 344 "truncate64", 345 "ugetrlimit", 346 "umask", 347 "uname", 348 "unlink", 349 "unlinkat", 350 "utime", 351 "utimensat", 352 "utimes", 353 "vfork", 354 "vmsplice", 355 "wait4", 356 
"waitid", 357 "waitpid", 358 "write", 359 "writev" 360 ], 361 "action": "SCMP_ACT_ALLOW", 362 "args": [], 363 "comment": "Unconditional baseline allowlist: no includes/excludes and no argument filters. Any syscall not matched by some rule falls through to defaultAction SCMP_ACT_ERRNO, so it fails with an errno instead of killing the process. Note that alarm appears twice in this list (redundant duplicate, should be dropped), and syslog is allowed here unconditionally, subject only to the kernel's own CAP_SYSLOG/dmesg_restrict checks.", 364 "includes": {}, 365 "excludes": {} 366 }, 367 { 368 "names": [ 369 "personality" 370 ], 371 "action": "SCMP_ACT_ALLOW", 372 "args": [ 373 { 374 "index": 0, 375 "value": 0, 376 "valueTwo": 0, 377 "op": "SCMP_CMP_EQ" 378 } 379 ], 380 "comment": "personality(0): PER_LINUX, the default persona", 381 "includes": {}, 382 "excludes": {} 383 }, 384 { 385 "names": [ 386 "personality" 387 ], 388 "action": "SCMP_ACT_ALLOW", 389 "args": [ 390 { 391 "index": 0, 392 "value": 8, 393 "valueTwo": 0, 394 "op": "SCMP_CMP_EQ" 395 } 396 ], 397 "comment": "personality(8): PER_LINUX32, the 32-bit compatibility persona", 398 "includes": {}, 399 "excludes": {} 400 }, 401 { 402 "names": [ 403 "personality" 404 ], 405 "action": "SCMP_ACT_ALLOW", 406 "args": [ 407 { 408 "index": 0, 409 "value": 4294967295, 410 "valueTwo": 0, 411 "op": "SCMP_CMP_EQ" 412 } 413 ], 414 "comment": "personality(0xffffffff): queries the current persona without changing it", 415 "includes": {}, 416 "excludes": {} 417 }, 418 { 419 "names": [ 420 "breakpoint", 421 "cacheflush", 422 "set_tls" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [], 426 "comment": "ARM-specific private syscalls; the rule has no effect on other architectures", 427 "includes": { 428 "arches": [ 429 "arm", 430 "arm64" 431 ] 432 }, 433 "excludes": {} 434 }, 435 { 436 "names": [ 437 "arch_prctl" 438 ], 439 "action": "SCMP_ACT_ALLOW", 440 "args": [], 441 "comment": "x86-64/x32 only: sets the FS/GS segment bases used for thread-local storage", 442 "includes": { 443 "arches": [ 444 "amd64", 445 "x32" 446 ] 447 }, 448 "excludes": {} 449 }, 450 { 451 "names": [ 452 "modify_ldt" 453 ], 454 "action": "SCMP_ACT_ALLOW", 455 "args": [], 456 "comment": "x86 family only: local descriptor table manipulation, used by some 32-bit runtimes", 457 "includes": { 458 "arches": [ 459 "amd64", 460 "x32", 461 "x86" 462 ] 463 }, 464 "excludes": {} 465 }, 466 { 467 "names": [ 468 "s390_pci_mmio_read", 469 "s390_pci_mmio_write", 470 "s390_runtime_instr" 471 ], 472 "action": "SCMP_ACT_ALLOW", 473 "args": [], 474 "comment": "s390-specific syscalls", 475 "includes": { 476 "arches": [ 477 "s390", 478 "s390x" 479 ] 480 }, 481 "excludes": {} 482 }, 483 { 484 "names": [ 485 "open_by_handle_at" 486 ], 487 "action": "SCMP_ACT_ALLOW", 488 "args": [], 489 "comment": "open_by_handle_at opens a file from a raw file handle, bypassing path-based access restrictions, and has historically been used for container escapes; only allowed when the container has CAP_DAC_READ_SEARCH, which the kernel itself requires for this call", 490
"includes": { 491 "caps": [ 492 "CAP_DAC_READ_SEARCH" 493 ] 494 }, 495 "excludes": {} 496 }, 497 { 498 "names": [ 499 "bpf", 500 "clone", 501 "fanotify_init", 502 "lookup_dcookie", 503 "mount", 504 "name_to_handle_at", 505 "perf_event_open", 506 "setdomainname", 507 "sethostname", 508 "setns", 509 "umount", 510 "umount2", 511 "unshare" 512 ], 513 "action": "SCMP_ACT_ALLOW", 514 "args": [], 515 "comment": "Namespace, mount, BPF, perf and hostname syscalls: only allowed when the container has CAP_SYS_ADMIN. clone is unfiltered here; the argument-filtered clone rules below apply only when CAP_SYS_ADMIN is absent", 516 "includes": { 517 "caps": [ 518 "CAP_SYS_ADMIN" 519 ] 520 }, 521 "excludes": {} 522 }, 523 { 524 "names": [ 525 "clone" 526 ], 527 "action": "SCMP_ACT_ALLOW", 528 "args": [ 529 { 530 "index": 0, 531 "value": 2080505856, 532 "valueTwo": 0, 533 "op": "SCMP_CMP_MASKED_EQ" 534 } 535 ], 536 "comment": "Without CAP_SYS_ADMIN, allow clone only when no namespace-creating flags are set: SCMP_CMP_MASKED_EQ masks the flags argument with 2080505856 (0x7C020000 = CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET) and requires the result to equal valueTwo (0). Excluded on s390/s390x, where the flags are not argument 0", 537 "includes": {}, 538 "excludes": { 539 "caps": [ 540 "CAP_SYS_ADMIN" 541 ], 542 "arches": [ 543 "s390", 544 "s390x" 545 ] 546 } 547 }, 548 { 549 "names": [ 550 "clone" 551 ], 552 "action": "SCMP_ACT_ALLOW", 553 "args": [ 554 { 555 "index": 1, 556 "value": 2080505856, 557 "valueTwo": 0, 558 "op": "SCMP_CMP_MASKED_EQ" 559 } 560 ], 561 "comment": "s390 parameter ordering for clone is different: the flags word is argument 1, not argument 0, so the same namespace-flag mask is applied to index 1", 562 "includes": { 563 "arches": [ 564 "s390", 565 "s390x" 566 ] 567 }, 568 "excludes": { 569 "caps": [ 570 "CAP_SYS_ADMIN" 571 ] 572 } 573 }, 574 { 575 "names": [ 576 "reboot" 577 ], 578 "action": "SCMP_ACT_ALLOW", 579 "args": [], 580 "comment": "Host reboot; only allowed with CAP_SYS_BOOT", 581 "includes": { 582 "caps": [ 583 "CAP_SYS_BOOT" 584 ] 585 }, 586 "excludes": {} 587 }, 588 { 589 "names": [ 590 "chroot" 591 ], 592 "action": "SCMP_ACT_ALLOW", 593 "args": [], 594 "comment": "chroot; only allowed with CAP_SYS_CHROOT", 595 "includes": { 596 "caps": [ 597 "CAP_SYS_CHROOT" 598 ] 599 }, 600 "excludes": {} 601 }, 602 { 603 "names": [ 604 "delete_module", 605 "init_module", 606 "finit_module", 607 "query_module" 608 ], 609 "action": "SCMP_ACT_ALLOW", 610 "args": [], 611 "comment": "Kernel module loading and unloading affects the whole host; only allowed with CAP_SYS_MODULE", 612 "includes": { 613 "caps": [ 614 "CAP_SYS_MODULE" 615 ] 616 }, 617 "excludes": {} 618 }, 619 { 620 "names": [ 621 "acct" 622 ], 623 "action": "SCMP_ACT_ALLOW", 624
"args": [], 625 "comment": "Process accounting; only allowed with CAP_SYS_PACCT", 626 "includes": { 627 "caps": [ 628 "CAP_SYS_PACCT" 629 ] 630 }, 631 "excludes": {} 632 }, 633 { 634 "names": [ 635 "kcmp", 636 "process_vm_readv", 637 "process_vm_writev", 638 "ptrace" 639 ], 640 "action": "SCMP_ACT_ALLOW", 641 "args": [], 642 "comment": "ptrace, process_vm_readv/writev and kcmp allow inspecting and modifying other processes; only allowed with CAP_SYS_PTRACE. On kernels before 4.8, ptrace could also be used to bypass seccomp filters", 643 "includes": { 644 "caps": [ 645 "CAP_SYS_PTRACE" 646 ] 647 }, 648 "excludes": {} 649 }, 650 { 651 "names": [ 652 "iopl", 653 "ioperm" 654 ], 655 "action": "SCMP_ACT_ALLOW", 656 "args": [], 657 "comment": "Raw I/O port access; only allowed with CAP_SYS_RAWIO", 658 "includes": { 659 "caps": [ 660 "CAP_SYS_RAWIO" 661 ] 662 }, 663 "excludes": {} 664 }, 665 { 666 "names": [ 667 "settimeofday", 668 "stime", 669 "adjtimex" 670 ], 671 "action": "SCMP_ACT_ALLOW", 672 "args": [], 673 "comment": "Setting the system clock is host-wide; only allowed with CAP_SYS_TIME", 674 "includes": { 675 "caps": [ 676 "CAP_SYS_TIME" 677 ] 678 }, 679 "excludes": {} 680 }, 681 { 682 "names": [ 683 "vhangup" 684 ], 685 "action": "SCMP_ACT_ALLOW", 686 "args": [], 687 "comment": "Virtual hangup of the controlling terminal; only allowed with CAP_SYS_TTY_CONFIG", 688 "includes": { 689 "caps": [ 690 "CAP_SYS_TTY_CONFIG" 691 ] 692 }, 693 "excludes": {} 694 } 695 ] 696 }