github.com/moby/docker@v26.1.3+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 1, 4 "archMap": [ 5 { 6 "architecture": "SCMP_ARCH_X86_64", 7 "subArchitectures": [ 8 "SCMP_ARCH_X86", 9 "SCMP_ARCH_X32" 10 ] 11 }, 12 { 13 "architecture": "SCMP_ARCH_AARCH64", 14 "subArchitectures": [ 15 "SCMP_ARCH_ARM" 16 ] 17 }, 18 { 19 "architecture": "SCMP_ARCH_MIPS64", 20 "subArchitectures": [ 21 "SCMP_ARCH_MIPS", 22 "SCMP_ARCH_MIPS64N32" 23 ] 24 }, 25 { 26 "architecture": "SCMP_ARCH_MIPS64N32", 27 "subArchitectures": [ 28 "SCMP_ARCH_MIPS", 29 "SCMP_ARCH_MIPS64" 30 ] 31 }, 32 { 33 "architecture": "SCMP_ARCH_MIPSEL64", 34 "subArchitectures": [ 35 "SCMP_ARCH_MIPSEL", 36 "SCMP_ARCH_MIPSEL64N32" 37 ] 38 }, 39 { 40 "architecture": "SCMP_ARCH_MIPSEL64N32", 41 "subArchitectures": [ 42 "SCMP_ARCH_MIPSEL", 43 "SCMP_ARCH_MIPSEL64" 44 ] 45 }, 46 { 47 "architecture": "SCMP_ARCH_S390X", 48 "subArchitectures": [ 49 "SCMP_ARCH_S390" 50 ] 51 }, 52 { 53 "architecture": "SCMP_ARCH_RISCV64", 54 "subArchitectures": null 55 } 56 ], 57 "syscalls": [ 58 { 59 "names": [ 60 "accept", 61 "accept4", 62 "access", 63 "adjtimex", 64 "alarm", 65 "bind", 66 "brk", 67 "cachestat", 68 "capget", 69 "capset", 70 "chdir", 71 "chmod", 72 "chown", 73 "chown32", 74 "clock_adjtime", 75 "clock_adjtime64", 76 "clock_getres", 77 "clock_getres_time64", 78 "clock_gettime", 79 "clock_gettime64", 80 "clock_nanosleep", 81 "clock_nanosleep_time64", 82 "close", 83 "close_range", 84 "connect", 85 "copy_file_range", 86 "creat", 87 "dup", 88 "dup2", 89 "dup3", 90 "epoll_create", 91 "epoll_create1", 92 "epoll_ctl", 93 "epoll_ctl_old", 94 "epoll_pwait", 95 "epoll_pwait2", 96 "epoll_wait", 97 "epoll_wait_old", 98 "eventfd", 99 "eventfd2", 100 "execve", 101 "execveat", 102 "exit", 103 "exit_group", 104 "faccessat", 105 "faccessat2", 106 "fadvise64", 107 "fadvise64_64", 108 "fallocate", 109 "fanotify_mark", 110 "fchdir", 111 "fchmod", 112 "fchmodat", 113 "fchmodat2", 114 "fchown", 115 "fchown32", 116 "fchownat", 117 "fcntl", 118 "fcntl64", 119 "fdatasync", 120 "fgetxattr", 121 "flistxattr", 122 "flock", 123 "fork", 124 "fremovexattr", 125 "fsetxattr", 126 "fstat", 127 "fstat64", 128 "fstatat64", 129 "fstatfs", 130 "fstatfs64", 131 "fsync", 132 "ftruncate", 133 "ftruncate64", 134 "futex", 135 "futex_requeue", 136 "futex_time64", 137 "futex_wait", 138 "futex_waitv", 139 "futex_wake", 140 "futimesat", 141 "getcpu", 142 "getcwd", 143 "getdents", 144 "getdents64", 145 "getegid", 146 "getegid32", 147 "geteuid", 148 "geteuid32", 149 "getgid", 150 "getgid32", 151 "getgroups", 152 "getgroups32", 153 "getitimer", 154 "getpeername", 155 "getpgid", 156 "getpgrp", 157 "getpid", 158 "getppid", 159 "getpriority", 160 "getrandom", 161 "getresgid", 162 "getresgid32", 163 "getresuid", 164 "getresuid32", 165 "getrlimit", 166 "get_robust_list", 167 "getrusage", 168 "getsid", 169 "getsockname", 170 "getsockopt", 171 "get_thread_area", 172 "gettid", 173 "gettimeofday", 174 "getuid", 175 "getuid32", 176 "getxattr", 177 "inotify_add_watch", 178 "inotify_init", 179 "inotify_init1", 180 "inotify_rm_watch", 181 "io_cancel", 182 "ioctl", 183 "io_destroy", 184 "io_getevents", 185 "io_pgetevents", 186 "io_pgetevents_time64", 187 "ioprio_get", 188 "ioprio_set", 189 "io_setup", 190 "io_submit", 191 "ipc", 192 "kill", 193 "landlock_add_rule", 194 "landlock_create_ruleset", 195 "landlock_restrict_self", 196 "lchown", 197 "lchown32", 198 "lgetxattr", 199 "link", 200 "linkat", 201 "listen", 202 "listxattr", 203 "llistxattr", 204 "_llseek", 205 "lremovexattr", 206 "lseek", 207 "lsetxattr", 208 "lstat", 209 "lstat64", 210 "madvise", 211 "map_shadow_stack", 212 "membarrier", 213 "memfd_create", 214 "memfd_secret", 215 "mincore", 216 "mkdir", 217 "mkdirat", 218 "mknod", 219 "mknodat", 220 "mlock", 221 "mlock2", 222 "mlockall", 223 "mmap", 224 "mmap2", 225 "mprotect", 226 "mq_getsetattr", 227 "mq_notify", 228 "mq_open", 229 "mq_timedreceive", 230 "mq_timedreceive_time64", 231 "mq_timedsend", 232 "mq_timedsend_time64", 233 "mq_unlink", 234 "mremap", 235 "msgctl", 236 "msgget", 237 "msgrcv", 238 "msgsnd", 239 "msync", 240 "munlock", 241 "munlockall", 242 "munmap", 243 "name_to_handle_at", 244 "nanosleep", 245 "newfstatat", 246 "_newselect", 247 "open", 248 "openat", 249 "openat2", 250 "pause", 251 "pidfd_open", 252 "pidfd_send_signal", 253 "pipe", 254 "pipe2", 255 "pkey_alloc", 256 "pkey_free", 257 "pkey_mprotect", 258 "poll", 259 "ppoll", 260 "ppoll_time64", 261 "prctl", 262 "pread64", 263 "preadv", 264 "preadv2", 265 "prlimit64", 266 "process_mrelease", 267 "pselect6", 268 "pselect6_time64", 269 "pwrite64", 270 "pwritev", 271 "pwritev2", 272 "read", 273 "readahead", 274 "readlink", 275 "readlinkat", 276 "readv", 277 "recv", 278 "recvfrom", 279 "recvmmsg", 280 "recvmmsg_time64", 281 "recvmsg", 282 "remap_file_pages", 283 "removexattr", 284 "rename", 285 "renameat", 286 "renameat2", 287 "restart_syscall", 288 "rmdir", 289 "rseq", 290 "rt_sigaction", 291 "rt_sigpending", 292 "rt_sigprocmask", 293 "rt_sigqueueinfo", 294 "rt_sigreturn", 295 "rt_sigsuspend", 296 "rt_sigtimedwait", 297 "rt_sigtimedwait_time64", 298 "rt_tgsigqueueinfo", 299 "sched_getaffinity", 300 "sched_getattr", 301 "sched_getparam", 302 "sched_get_priority_max", 303 "sched_get_priority_min", 304 "sched_getscheduler", 305 "sched_rr_get_interval", 306 "sched_rr_get_interval_time64", 307 "sched_setaffinity", 308 "sched_setattr", 309 "sched_setparam", 310 "sched_setscheduler", 311 "sched_yield", 312 "seccomp", 313 "select", 314 "semctl", 315 "semget", 316 "semop", 317 "semtimedop", 318 "semtimedop_time64", 319 "send", 320 "sendfile", 321 "sendfile64", 322 "sendmmsg", 323 "sendmsg", 324 "sendto", 325 "setfsgid", 326 "setfsgid32", 327 "setfsuid", 328 "setfsuid32", 329 "setgid", 330 "setgid32", 331 "setgroups", 332 "setgroups32", 333 "setitimer", 334 "setpgid", 335 "setpriority", 336 "setregid", 337 "setregid32", 338 "setresgid", 339 "setresgid32", 340 "setresuid", 341 "setresuid32", 342 "setreuid", 343 "setreuid32", 344 "setrlimit", 345 "set_robust_list", 346 "setsid", 347 "setsockopt", 348 "set_thread_area", 349 "set_tid_address", 350 "setuid", 351 "setuid32", 352 "setxattr", 353 "shmat", 354 "shmctl", 355 "shmdt", 356 "shmget", 357 "shutdown", 358 "sigaltstack", 359 "signalfd", 360 "signalfd4", 361 "sigprocmask", 362 "sigreturn", 363 "socketcall", 364 "socketpair", 365 "splice", 366 "stat", 367 "stat64", 368 "statfs", 369 "statfs64", 370 "statx", 371 "symlink", 372 "symlinkat", 373 "sync", 374 "sync_file_range", 375 "syncfs", 376 "sysinfo", 377 "tee", 378 "tgkill", 379 "time", 380 "timer_create", 381 "timer_delete", 382 "timer_getoverrun", 383 "timer_gettime", 384 "timer_gettime64", 385 "timer_settime", 386 "timer_settime64", 387 "timerfd_create", 388 "timerfd_gettime", 389 "timerfd_gettime64", 390 "timerfd_settime", 391 "timerfd_settime64", 392 "times", 393 "tkill", 394 "truncate", 395 "truncate64", 396 "ugetrlimit", 397 "umask", 398 "uname", 399 "unlink", 400 "unlinkat", 401 "utime", 402 "utimensat", 403 "utimensat_time64", 404 "utimes", 405 "vfork", 406 "vmsplice", 407 "wait4", 408 "waitid", 409 "waitpid", 410 "write", 411 "writev" 412 ], 413 "action": "SCMP_ACT_ALLOW" 414 }, 415 { 416 "names": [ 417 "process_vm_readv", 418 "process_vm_writev", 419 "ptrace" 420 ], 421 "action": "SCMP_ACT_ALLOW", 422 "includes": { 423 "minKernel": "4.8" 424 } 425 }, 426 { 427 "names": [ 428 "socket" 429 ], 430 "action": "SCMP_ACT_ALLOW", 431 "args": [ 432 { 433 "index": 0, 434 "value": 40, 435 "op": "SCMP_CMP_NE" 436 } 437 ] 438 }, 439 { 440 "names": [ 441 "personality" 442 ], 443 "action": "SCMP_ACT_ALLOW", 444 "args": [ 445 { 446 "index": 0, 447 "value": 0, 448 "op": "SCMP_CMP_EQ" 449 } 450 ] 451 }, 452 { 453 "names": [ 454 "personality" 455 ], 456 "action": "SCMP_ACT_ALLOW", 457 "args": [ 458 { 459 "index": 0, 460 "value": 8, 461 "op": "SCMP_CMP_EQ" 462 } 463 ] 464 }, 465 { 466 "names": [ 467 "personality" 468 ], 469 "action": "SCMP_ACT_ALLOW", 470 "args": [ 471 { 472 "index": 0, 473 "value": 131072, 474 "op": "SCMP_CMP_EQ" 475 } 476 ] 477 }, 478 { 479 "names": [ 480 "personality" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [ 484 { 485 "index": 0, 486 "value": 131080, 487 "op": "SCMP_CMP_EQ" 488 } 489 ] 490 }, 491 { 492 "names": [ 493 "personality" 494 ], 495 "action": "SCMP_ACT_ALLOW", 496 "args": [ 497 { 498 "index": 0, 499 "value": 4294967295, 500 "op": "SCMP_CMP_EQ" 501 } 502 ] 503 }, 504 { 505 "names": [ 506 "sync_file_range2", 507 "swapcontext" 508 ], 509 "action": "SCMP_ACT_ALLOW", 510 "includes": { 511 "arches": [ 512 "ppc64le" 513 ] 514 } 515 }, 516 { 517 "names": [ 518 "arm_fadvise64_64", 519 "arm_sync_file_range", 520 "sync_file_range2", 521 "breakpoint", 522 "cacheflush", 523 "set_tls" 524 ], 525 "action": "SCMP_ACT_ALLOW", 526 "includes": { 527 "arches": [ 528 "arm", 529 "arm64" 530 ] 531 } 532 }, 533 { 534 "names": [ 535 "arch_prctl" 536 ], 537 "action": "SCMP_ACT_ALLOW", 538 "includes": { 539 "arches": [ 540 "amd64", 541 "x32" 542 ] 543 } 544 }, 545 { 546 "names": [ 547 "modify_ldt" 548 ], 549 "action": "SCMP_ACT_ALLOW", 550 "includes": { 551 "arches": [ 552 "amd64", 553 "x32", 554 "x86" 555 ] 556 } 557 }, 558 { 559 "names": [ 560 "s390_pci_mmio_read", 561 "s390_pci_mmio_write", 562 "s390_runtime_instr" 563 ], 564 "action": "SCMP_ACT_ALLOW", 565 "includes": { 566 "arches": [ 567 "s390", 568 "s390x" 569 ] 570 } 571 }, 572 { 573 "names": [ 574 "riscv_flush_icache" 575 ], 576 "action": "SCMP_ACT_ALLOW", 577 "includes": { 578 "arches": [ 579 "riscv64" 580 ] 581 } 582 }, 583 { 584 "names": [ 585 "open_by_handle_at" 586 ], 587 "action": "SCMP_ACT_ALLOW", 588 "includes": { 589 "caps": [ 590 "CAP_DAC_READ_SEARCH" 591 ] 592 } 593 }, 594 { 595 "names": [ 596 "bpf", 597 "clone", 598 "clone3", 599 "fanotify_init", 600 "fsconfig", 601 "fsmount", 602 "fsopen", 603 "fspick", 604 "lookup_dcookie", 605 "mount", 606 "mount_setattr", 607 "move_mount", 608 "open_tree", 609 "perf_event_open", 610 "quotactl", 611 "quotactl_fd", 612 "setdomainname", 613 "sethostname", 614 "setns", 615 "syslog", 616 "umount", 617 "umount2", 618 "unshare" 619 ], 620 "action": "SCMP_ACT_ALLOW", 621 "includes": { 622 "caps": [ 623 "CAP_SYS_ADMIN" 624 ] 625 } 626 }, 627 { 628 "names": [ 629 "clone" 630 ], 631 "action": "SCMP_ACT_ALLOW", 632 "args": [ 633 { 634 "index": 0, 635 "value": 2114060288, 636 "op": "SCMP_CMP_MASKED_EQ" 637 } 638 ], 639 "excludes": { 640 "caps": [ 641 "CAP_SYS_ADMIN" 642 ], 643 "arches": [ 644 "s390", 645 "s390x" 646 ] 647 } 648 }, 649 { 650 "names": [ 651 "clone" 652 ], 653 "action": "SCMP_ACT_ALLOW", 654 "args": [ 655 { 656 "index": 1, 657 "value": 2114060288, 658 "op": "SCMP_CMP_MASKED_EQ" 659 } 660 ], 661 "comment": "s390 parameter ordering for clone is different", 662 "includes": { 663 "arches": [ 664 "s390", 665 "s390x" 666 ] 667 }, 668 "excludes": { 669 "caps": [ 670 "CAP_SYS_ADMIN" 671 ] 672 } 673 }, 674 { 675 "names": [ 676 "clone3" 677 ], 678 "action": "SCMP_ACT_ERRNO", 679 "errnoRet": 38, 680 "excludes": { 681 "caps": [ 682 "CAP_SYS_ADMIN" 683 ] 684 } 685 }, 686 { 687 "names": [ 688 "reboot" 689 ], 690 "action": "SCMP_ACT_ALLOW", 691 "includes": { 692 "caps": [ 693 "CAP_SYS_BOOT" 694 ] 695 } 696 }, 697 { 698 "names": [ 699 "chroot" 700 ], 701 "action": "SCMP_ACT_ALLOW", 702 "includes": { 703 "caps": [ 704 "CAP_SYS_CHROOT" 705 ] 706 } 707 }, 708 { 709 "names": [ 710 "delete_module", 711 "init_module", 712 "finit_module" 713 ], 714 "action": "SCMP_ACT_ALLOW", 715 "includes": { 716 "caps": [ 717 "CAP_SYS_MODULE" 718 ] 719 } 720 }, 721 { 722 "names": [ 723 "acct" 724 ], 725 "action": "SCMP_ACT_ALLOW", 726 "includes": { 727 "caps": [ 728 "CAP_SYS_PACCT" 729 ] 730 } 731 }, 732 { 733 "names": [ 734 "kcmp", 735 "pidfd_getfd", 736 "process_madvise", 737 "process_vm_readv", 738 "process_vm_writev", 739 "ptrace" 740 ], 741 "action": "SCMP_ACT_ALLOW", 742 "includes": { 743 "caps": [ 744 "CAP_SYS_PTRACE" 745 ] 746 } 747 }, 748 { 749 "names": [ 750 "iopl", 751 "ioperm" 752 ], 753 "action": "SCMP_ACT_ALLOW", 754 "includes": { 755 "caps": [ 756 "CAP_SYS_RAWIO" 757 ] 758 } 759 }, 760 { 761 "names": [ 762 "settimeofday", 763 "stime", 764 "clock_settime", 765 "clock_settime64" 766 ], 767 "action": "SCMP_ACT_ALLOW", 768 "includes": { 769 "caps": [ 770 "CAP_SYS_TIME" 771 ] 772 } 773 }, 774 { 775 "names": [ 776 "vhangup" 777 ], 778 "action": "SCMP_ACT_ALLOW", 779 "includes": { 780 "caps": [ 781 "CAP_SYS_TTY_CONFIG" 782 ] 783 } 784 }, 785 { 786 "names": [ 787 "get_mempolicy", 788 "mbind", 789 "set_mempolicy", 790 "set_mempolicy_home_node" 791 ], 792 "action": "SCMP_ACT_ALLOW", 793 "includes": { 794 "caps": [ 795 "CAP_SYS_NICE" 796 ] 797 } 798 }, 799 { 800 "names": [ 801 "syslog" 802 ], 803 "action": "SCMP_ACT_ALLOW", 804 "includes": { 805 "caps": [ 806 "CAP_SYSLOG" 807 ] 808 } 809 }, 810 { 811 "names": [ 812 "bpf" 813 ], 814 "action": "SCMP_ACT_ALLOW", 815 "includes": { 816 "caps": [ 817 "CAP_BPF" 818 ] 819 } 820 }, 821 { 822 "names": [ 823 "perf_event_open" 824 ], 825 "action": "SCMP_ACT_ALLOW", 826 "includes": { 827 "caps": [ 828 "CAP_PERFMON" 829 ] 830 } 831 } 832 ] 833 }