// +build seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile: each
// entry names a primary architecture together with the compatibility
// sub-architectures that are admitted alongside it. The order of the
// entries is preserved from the original table.
func arches() []Architecture {
	withSub := func(primary specs.Arch, sub ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: sub}
	}
	return []Architecture{
		withSub(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		withSub(specs.ArchAARCH64, specs.ArchARM),
		withSub(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		withSub(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		withSub(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		withSub(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		withSub(specs.ArchS390X, specs.ArchS390),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
// Everything not matched by one of its rules is rejected with an errno; the
// rules below are grouped into an unconditional allow list, kernel-version,
// architecture and capability gated entries, and argument-filtered entries.
func DefaultProfile() *Seccomp {
	// ENOSYS is used as the errno for the clone3 rule below; every other
	// rejected syscall falls back to the profile's default errno action.
	nosys := uint(unix.ENOSYS)
	syscalls := []*Syscall{
		// Syscalls allowed unconditionally: no arch, capability, kernel or
		// argument filter is attached to this entry.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"close_range",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_pwait2",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_open",
				"pidfd_send_signal",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rseq",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
		},
		// ptrace gated on the running kernel version only; a second ptrace
		// entry further down admits it under CAP_SYS_PTRACE regardless of
		// kernel. Both entries are part of the profile and are not merged here.
		{
			Names:  []string{"ptrace"},
			Action: specs.ActAllow,
			Includes: Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality is only admitted for a fixed set of argument values,
		// one entry per accepted value (OpEqualTo on argument 0). NOTE(review):
		// the constants look like PER_LINUX, PER_LINUX32, UNAME26,
		// UNAME26|PER_LINUX32 and the 0xffffffff "query" value — confirm
		// against <linux/personality.h> before relying on that reading.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls, each admitted only on the listed
		// arches. sync_file_range2 appears twice (ppc64le here, arm/arm64
		// below); the entries are independent.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls: each entry is admitted only when the
		// container holds the capability named in Includes.Caps. Several
		// names recur across entries (clone, syslog, ptrace) under different
		// gates; the matching semantics live in Filter, not in this table.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			Names: []string{
				"bpf",
				"clone",
				"clone3",
				"fanotify_init",
				"fsconfig",
				"fsmount",
				"fsopen",
				"fspick",
				"lookup_dcookie",
				"mount",
				"move_mount",
				"name_to_handle_at",
				"open_tree",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creation flags are set: OpMaskedEqual with Value as the
		// mask and ValueTwo == 0 matches (arg & mask) == 0. This entry tests
		// argument 0 and is excluded on s390/s390x, whose flag argument
		// position differs (see the next entry).
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Excludes: Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same namespace-flag mask as above, applied to argument 1 on s390.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone3 is rejected with ENOSYS instead of
		// the profile's default errno; the flags of clone3 cannot be
		// inspected by seccomp, so it is refused outright. NOTE(review):
		// ENOSYS is presumably chosen so callers that probe for clone3 fall
		// back to clone, where the mask rule above applies — confirm.
		{
			Names: []string{
				"clone3",
			},
			Action:   specs.ActErrno,
			ErrnoRet: &nosys,
			Args:     []*specs.LinuxSeccompArg{},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			Names: []string{
				"kcmp",
				"pidfd_getfd",
				"process_madvise",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		{
			Names: []string{
				"syslog",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Default-deny: any syscall not matched above is refused with an errno
	// (no DefaultErrnoRet is set here, so the runtime's default errno
	// applies). The arch map comes from arches().
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}