github.com/lacework-dev/go-moby@v20.10.12+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "close_range", 78 "connect", 79 "copy_file_range", 80 "creat", 81 "dup", 82 "dup2", 83 "dup3", 84 "epoll_create", 85 "epoll_create1", 86 "epoll_ctl", 87 "epoll_ctl_old", 88 "epoll_pwait", 89 "epoll_pwait2", 90 "epoll_wait", 91 "epoll_wait_old", 92 "eventfd", 93 "eventfd2", 94 "execve", 95 "execveat", 96 "exit", 97 "exit_group", 98 "faccessat", 99 "faccessat2", 100 "fadvise64", 101 "fadvise64_64", 102 "fallocate", 103 "fanotify_mark", 104 "fchdir", 105 "fchmod", 106 "fchmodat", 107 "fchown", 108 "fchown32", 109 "fchownat", 110 "fcntl", 111 "fcntl64", 112 "fdatasync", 113 "fgetxattr", 114 "flistxattr", 115 "flock", 116 "fork", 117 "fremovexattr", 118 "fsetxattr", 119 "fstat", 120 "fstat64", 121 "fstatat64", 122 "fstatfs", 123 "fstatfs64", 124 "fsync", 125 "ftruncate", 126 "ftruncate64", 127 "futex", 128 "futex_time64", 129 "futimesat", 130 "getcpu", 131 "getcwd", 132 "getdents", 133 "getdents64", 134 "getegid", 135 "getegid32", 136 "geteuid", 137 "geteuid32", 138 "getgid", 139 "getgid32", 140 "getgroups", 141 "getgroups32", 142 "getitimer", 143 "getpeername", 144 "getpgid", 145 "getpgrp", 146 "getpid", 147 "getppid", 148 "getpriority", 149 "getrandom", 150 "getresgid", 151 "getresgid32", 152 "getresuid", 153 "getresuid32", 154 "getrlimit", 155 "get_robust_list", 156 "getrusage", 157 "getsid", 158 "getsockname", 159 "getsockopt", 160 "get_thread_area", 161 "gettid", 162 "gettimeofday", 163 "getuid", 164 "getuid32", 165 "getxattr", 166 "inotify_add_watch", 167 "inotify_init", 168 "inotify_init1", 169 "inotify_rm_watch", 170 "io_cancel", 171 "ioctl", 172 "io_destroy", 173 "io_getevents", 174 "io_pgetevents", 175 "io_pgetevents_time64", 176 "ioprio_get", 177 "ioprio_set", 178 "io_setup", 179 "io_submit", 180 "io_uring_enter", 181 "io_uring_register", 182 "io_uring_setup", 183 "ipc", 184 "kill", 185 "lchown", 186 "lchown32", 187 "lgetxattr", 188 "link", 189 "linkat", 190 "listen", 191 "listxattr", 192 "llistxattr", 193 "_llseek", 194 "lremovexattr", 195 "lseek", 196 "lsetxattr", 197 "lstat", 198 "lstat64", 199 "madvise", 200 "membarrier", 201 "memfd_create", 202 "mincore", 203 "mkdir", 204 "mkdirat", 205 "mknod", 206 "mknodat", 207 "mlock", 208 "mlock2", 209 "mlockall", 210 "mmap", 211 "mmap2", 212 "mprotect", 213 "mq_getsetattr", 214 "mq_notify", 215 "mq_open", 216 "mq_timedreceive", 217 "mq_timedreceive_time64", 218 "mq_timedsend", 219 "mq_timedsend_time64", 220 "mq_unlink", 221 "mremap", 222 "msgctl", 223 "msgget", 224 "msgrcv", 225 "msgsnd", 226 "msync", 227 "munlock", 228 "munlockall", 229 "munmap", 230 "nanosleep", 231 "newfstatat", 232 "_newselect", 233 "open", 234 "openat", 235 "openat2", 236 "pause", 237 "pidfd_open", 238 "pidfd_send_signal", 239 "pipe", 240 "pipe2", 241 "poll", 242 "ppoll", 243 "ppoll_time64", 244 "prctl", 245 "pread64", 246 "preadv", 247 "preadv2", 248 "prlimit64", 249 "pselect6", 250 "pselect6_time64", 251 "pwrite64", 252 "pwritev", 253 "pwritev2", 254 "read", 255 "readahead", 256 "readlink", 257 "readlinkat", 258 "readv", 259 "recv", 260 "recvfrom", 261 "recvmmsg", 262 "recvmmsg_time64", 263 "recvmsg", 264 "remap_file_pages", 265 "removexattr", 266 "rename", 267 "renameat", 268 "renameat2", 269 "restart_syscall", 270 "rmdir", 271 "rseq", 272 "rt_sigaction", 273 "rt_sigpending", 274 "rt_sigprocmask", 275 "rt_sigqueueinfo", 276 "rt_sigreturn", 277 "rt_sigsuspend", 278 "rt_sigtimedwait", 279 "rt_sigtimedwait_time64", 280 "rt_tgsigqueueinfo", 281 "sched_getaffinity", 282 "sched_getattr", 283 "sched_getparam", 284 "sched_get_priority_max", 285 "sched_get_priority_min", 286 "sched_getscheduler", 287 "sched_rr_get_interval", 288 "sched_rr_get_interval_time64", 289 "sched_setaffinity", 290 "sched_setattr", 291 "sched_setparam", 292 "sched_setscheduler", 293 "sched_yield", 294 "seccomp", 295 "select", 296 "semctl", 297 "semget", 298 "semop", 299 "semtimedop", 300 "semtimedop_time64", 301 "send", 302 "sendfile", 303 "sendfile64", 304 "sendmmsg", 305 "sendmsg", 306 "sendto", 307 "setfsgid", 308 "setfsgid32", 309 "setfsuid", 310 "setfsuid32", 311 "setgid", 312 "setgid32", 313 "setgroups", 314 "setgroups32", 315 "setitimer", 316 "setpgid", 317 "setpriority", 318 "setregid", 319 "setregid32", 320 "setresgid", 321 "setresgid32", 322 "setresuid", 323 "setresuid32", 324 "setreuid", 325 "setreuid32", 326 "setrlimit", 327 "set_robust_list", 328 "setsid", 329 "setsockopt", 330 "set_thread_area", 331 "set_tid_address", 332 "setuid", 333 "setuid32", 334 "setxattr", 335 "shmat", 336 "shmctl", 337 "shmdt", 338 "shmget", 339 "shutdown", 340 "sigaltstack", 341 "signalfd", 342 "signalfd4", 343 "sigprocmask", 344 "sigreturn", 345 "socket", 346 "socketcall", 347 "socketpair", 348 "splice", 349 "stat", 350 "stat64", 351 "statfs", 352 "statfs64", 353 "statx", 354 "symlink", 355 "symlinkat", 356 "sync", 357 "sync_file_range", 358 "syncfs", 359 "sysinfo", 360 "tee", 361 "tgkill", 362 "time", 363 "timer_create", 364 "timer_delete", 365 "timer_getoverrun", 366 "timer_gettime", 367 "timer_gettime64", 368 "timer_settime", 369 "timer_settime64", 370 "timerfd_create", 371 "timerfd_gettime", 372 "timerfd_gettime64", 373 "timerfd_settime", 374 "timerfd_settime64", 375 "times", 376 "tkill", 377 "truncate", 378 "truncate64", 379 "ugetrlimit", 380 "umask", 381 "uname", 382 "unlink", 383 "unlinkat", 384 "utime", 385 "utimensat", 386 "utimensat_time64", 387 "utimes", 388 "vfork", 389 "vmsplice", 390 "wait4", 391 "waitid", 392 "waitpid", 393 "write", 394 "writev" 395 ], 396 "action": "SCMP_ACT_ALLOW", 397 "args": [], 398 "comment": "", 399 "includes": {}, 400 "excludes": {} 401 }, 402 { 403 "names": [ 404 "ptrace" 405 ], 406 "action": "SCMP_ACT_ALLOW", 407 "args": null, 408 "comment": "", 409 "includes": { 410 "minKernel": "4.8" 411 }, 412 "excludes": {} 413 }, 414 { 415 "names": [ 416 "personality" 417 ], 418 "action": "SCMP_ACT_ALLOW", 419 "args": [ 420 { 421 "index": 0, 422 "value": 0, 423 "op": "SCMP_CMP_EQ" 424 } 425 ], 426 "comment": "", 427 "includes": {}, 428 "excludes": {} 429 }, 430 { 431 "names": [ 432 "personality" 433 ], 434 "action": "SCMP_ACT_ALLOW", 435 "args": [ 436 { 437 "index": 0, 438 "value": 8, 439 "op": "SCMP_CMP_EQ" 440 } 441 ], 442 "comment": "", 443 "includes": {}, 444 "excludes": {} 445 }, 446 { 447 "names": [ 448 "personality" 449 ], 450 "action": "SCMP_ACT_ALLOW", 451 "args": [ 452 { 453 "index": 0, 454 "value": 131072, 455 "op": "SCMP_CMP_EQ" 456 } 457 ], 458 "comment": "", 459 "includes": {}, 460 "excludes": {} 461 }, 462 { 463 "names": [ 464 "personality" 465 ], 466 "action": "SCMP_ACT_ALLOW", 467 "args": [ 468 { 469 "index": 0, 470 "value": 131080, 471 "op": "SCMP_CMP_EQ" 472 } 473 ], 474 "comment": "", 475 "includes": {}, 476 "excludes": {} 477 }, 478 { 479 "names": [ 480 "personality" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [ 484 { 485 "index": 0, 486 "value": 4294967295, 487 "op": "SCMP_CMP_EQ" 488 } 489 ], 490 "comment": "", 491 "includes": {}, 492 "excludes": {} 493 }, 494 { 495 "names": [ 496 "sync_file_range2" 497 ], 498 "action": "SCMP_ACT_ALLOW", 499 "args": [], 500 "comment": "", 501 "includes": { 502 "arches": [ 503 "ppc64le" 504 ] 505 }, 506 "excludes": {} 507 }, 508 { 509 "names": [ 510 "arm_fadvise64_64", 511 "arm_sync_file_range", 512 "sync_file_range2", 513 "breakpoint", 514 "cacheflush", 515 "set_tls" 516 ], 517 "action": "SCMP_ACT_ALLOW", 518 "args": [], 519 "comment": "", 520 "includes": { 521 "arches": [ 522 "arm", 523 "arm64" 524 ] 525 }, 526 "excludes": {} 527 }, 528 { 529 "names": [ 530 "arch_prctl" 531 ], 532 "action": "SCMP_ACT_ALLOW", 533 "args": [], 534 "comment": "", 535 "includes": { 536 "arches": [ 537 "amd64", 538 "x32" 539 ] 540 }, 541 "excludes": {} 542 }, 543 { 544 "names": [ 545 "modify_ldt" 546 ], 547 "action": "SCMP_ACT_ALLOW", 548 "args": [], 549 "comment": "", 550 "includes": { 551 "arches": [ 552 "amd64", 553 "x32", 554 "x86" 555 ] 556 }, 557 "excludes": {} 558 }, 559 { 560 "names": [ 561 "s390_pci_mmio_read", 562 "s390_pci_mmio_write", 563 "s390_runtime_instr" 564 ], 565 "action": "SCMP_ACT_ALLOW", 566 "args": [], 567 "comment": "", 568 "includes": { 569 "arches": [ 570 "s390", 571 "s390x" 572 ] 573 }, 574 "excludes": {} 575 }, 576 { 577 "names": [ 578 "open_by_handle_at" 579 ], 580 "action": "SCMP_ACT_ALLOW", 581 "args": [], 582 "comment": "", 583 "includes": { 584 "caps": [ 585 "CAP_DAC_READ_SEARCH" 586 ] 587 }, 588 "excludes": {} 589 }, 590 { 591 "names": [ 592 "bpf", 593 "clone", 594 "clone3", 595 "fanotify_init", 596 "fsconfig", 597 "fsmount", 598 "fsopen", 599 "fspick", 600 "lookup_dcookie", 601 "mount", 602 "move_mount", 603 "name_to_handle_at", 604 "open_tree", 605 "perf_event_open", 606 "quotactl", 607 "setdomainname", 608 "sethostname", 609 "setns", 610 "syslog", 611 "umount", 612 "umount2", 613 "unshare" 614 ], 615 "action": "SCMP_ACT_ALLOW", 616 "args": [], 617 "comment": "", 618 "includes": { 619 "caps": [ 620 "CAP_SYS_ADMIN" 621 ] 622 }, 623 "excludes": {} 624 }, 625 { 626 "names": [ 627 "clone" 628 ], 629 "action": "SCMP_ACT_ALLOW", 630 "args": [ 631 { 632 "index": 0, 633 "value": 2114060288, 634 "op": "SCMP_CMP_MASKED_EQ" 635 } 636 ], 637 "comment": "", 638 "includes": {}, 639 "excludes": { 640 "caps": [ 641 "CAP_SYS_ADMIN" 642 ], 643 "arches": [ 644 "s390", 645 "s390x" 646 ] 647 } 648 }, 649 { 650 "names": [ 651 "clone" 652 ], 653 "action": "SCMP_ACT_ALLOW", 654 "args": [ 655 { 656 "index": 1, 657 "value": 2114060288, 658 "op": "SCMP_CMP_MASKED_EQ" 659 } 660 ], 661 "comment": "s390 parameter ordering for clone is different", 662 "includes": { 663 "arches": [ 664 "s390", 665 "s390x" 666 ] 667 }, 668 "excludes": { 669 "caps": [ 670 "CAP_SYS_ADMIN" 671 ] 672 } 673 }, 674 { 675 "names": [ 676 "clone3" 677 ], 678 "action": "SCMP_ACT_ERRNO", 679 "errnoRet": 38, 680 "args": [], 681 "comment": "", 682 "includes": {}, 683 "excludes": { 684 "caps": [ 685 "CAP_SYS_ADMIN" 686 ] 687 } 688 }, 689 { 690 "names": [ 691 "reboot" 692 ], 693 "action": "SCMP_ACT_ALLOW", 694 "args": [], 695 "comment": "", 696 "includes": { 697 "caps": [ 698 "CAP_SYS_BOOT" 699 ] 700 }, 701 "excludes": {} 702 }, 703 { 704 "names": [ 705 "chroot" 706 ], 707 "action": "SCMP_ACT_ALLOW", 708 "args": [], 709 "comment": "", 710 "includes": { 711 "caps": [ 712 "CAP_SYS_CHROOT" 713 ] 714 }, 715 "excludes": {} 716 }, 717 { 718 "names": [ 719 "delete_module", 720 "init_module", 721 "finit_module" 722 ], 723 "action": "SCMP_ACT_ALLOW", 724 "args": [], 725 "comment": "", 726 "includes": { 727 "caps": [ 728 "CAP_SYS_MODULE" 729 ] 730 }, 731 "excludes": {} 732 }, 733 { 734 "names": [ 735 "acct" 736 ], 737 "action": "SCMP_ACT_ALLOW", 738 "args": [], 739 "comment": "", 740 "includes": { 741 "caps": [ 742 "CAP_SYS_PACCT" 743 ] 744 }, 745 "excludes": {} 746 }, 747 { 748 "names": [ 749 "kcmp", 750 "pidfd_getfd", 751 "process_madvise", 752 "process_vm_readv", 753 "process_vm_writev", 754 "ptrace" 755 ], 756 "action": "SCMP_ACT_ALLOW", 757 "args": [], 758 "comment": "", 759 "includes": { 760 "caps": [ 761 "CAP_SYS_PTRACE" 762 ] 763 }, 764 "excludes": {} 765 }, 766 { 767 "names": [ 768 "iopl", 769 "ioperm" 770 ], 771 "action": "SCMP_ACT_ALLOW", 772 "args": [], 773 "comment": "", 774 "includes": { 775 "caps": [ 776 "CAP_SYS_RAWIO" 777 ] 778 }, 779 "excludes": {} 780 }, 781 { 782 "names": [ 783 "settimeofday", 784 "stime", 785 "clock_settime" 786 ], 787 "action": "SCMP_ACT_ALLOW", 788 "args": [], 789 "comment": "", 790 "includes": { 791 "caps": [ 792 "CAP_SYS_TIME" 793 ] 794 }, 795 "excludes": {} 796 }, 797 { 798 "names": [ 799 "vhangup" 800 ], 801 "action": "SCMP_ACT_ALLOW", 802 "args": [], 803 "comment": "", 804 "includes": { 805 "caps": [ 806 "CAP_SYS_TTY_CONFIG" 807 ] 808 }, 809 "excludes": {} 810 }, 811 { 812 "names": [ 813 "get_mempolicy", 814 "mbind", 815 "set_mempolicy" 816 ], 817 "action": "SCMP_ACT_ALLOW", 818 "args": [], 819 "comment": "", 820 "includes": { 821 "caps": [ 822 "CAP_SYS_NICE" 823 ] 824 }, 825 "excludes": {} 826 }, 827 { 828 "names": [ 829 "syslog" 830 ], 831 "action": "SCMP_ACT_ALLOW", 832 "args": [], 833 "comment": "", 834 "includes": { 835 "caps": [ 836 "CAP_SYSLOG" 837 ] 838 }, 839 "excludes": {} 840 } 841 ] 842 }