package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// archEntry pairs a primary architecture with the sub-architectures that the
// profile lists alongside it. With no subs the SubArches field stays nil.
func archEntry(primary specs.Arch, subs ...specs.Arch) Architecture {
	return Architecture{Arch: primary, SubArches: subs}
}

// arches returns the ArchMap of the default profile: each primary
// architecture together with the related ABIs grouped under it (x86 and x32
// under x86_64, arm under aarch64, and so on). How SubArches is consumed is
// decided elsewhere in this package.
func arches() []Architecture {
	return []Architecture{
		archEntry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		archEntry(specs.ArchAARCH64, specs.ArchARM),
		archEntry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		archEntry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		archEntry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		archEntry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		archEntry(specs.ArchS390X, specs.ArchS390),
		archEntry(specs.ArchRISCV64),
	}
}

// allow builds a rule that permits every syscall in names with no argument
// filter and no Includes/Excludes filter.
func allow(names ...string) *Syscall {
	return &Syscall{
		LinuxSyscall: specs.LinuxSyscall{
			Names:  names,
			Action: specs.ActAllow,
		},
	}
}

// allowWhen is allow with an Includes filter attached (capability,
// architecture or minimum kernel); the filter itself is evaluated elsewhere
// in this package when the profile is materialised.
func allowWhen(only *Filter, names ...string) *Syscall {
	rule := allow(names...)
	rule.Includes = only
	return rule
}

// allowArg permits a single syscall only when the given argument comparison
// holds.
func allowArg(name string, arg specs.LinuxSeccompArg) *Syscall {
	rule := allow(name)
	rule.LinuxSyscall.Args = []specs.LinuxSeccompArg{arg}
	return rule
}

// withCaps builds a filter keyed on container capabilities.
func withCaps(caps ...string) *Filter {
	return &Filter{Caps: caps}
}

// onArches builds a filter keyed on target architecture names.
func onArches(names ...string) *Filter {
	return &Filter{Arches: names}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
//
// The profile is deny-by-default: DefaultAction is ActErrno with EPERM, so a
// syscall not matched by any rule fails with EPERM instead of killing the
// process. Rules come in four groups, in this order: an unconditional
// allow-list, argument-filtered rules (socket, personality, clone), per
// architecture allow-lists, and syscalls that are only permitted when the
// container holds a specific capability. Rule order is kept identical to the
// original table because the Includes/Excludes filters are resolved elsewhere
// in this package.
func DefaultProfile() *Seccomp {
	// Returned for clone3 when CAP_SYS_ADMIN is absent (see below). ENOSYS
	// rather than EPERM presumably lets libc fall back to clone(), whose
	// flags the masked-equal rules can inspect — clone3 passes its flags in a
	// struct that seccomp cannot look into. Confirm against the package docs.
	nosys := uint(unix.ENOSYS)

	// Namespace-creating clone flags. Combined with OpMaskedEqual and
	// ValueTwo == 0 the filter matches only when (flags & nsFlags) == 0, i.e.
	// when the caller does not ask for any new namespace.
	const nsFlags = unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP

	// personality(2) values allowed for every container. Names per
	// linux/personality.h; 0xffffffff queries the current personality
	// without changing it.
	personalities := []uint64{
		0x0,        // PER_LINUX
		0x0008,     // PER_LINUX32
		0x20000,    // UNAME26
		0x20008,    // PER_LINUX32 | UNAME26
		0xffffffff, // query only
	}

	// Group 1: syscalls allowed regardless of capabilities or architecture.
	rules := []*Syscall{
		allow(
			"accept",
			"accept4",
			"access",
			"adjtimex",
			"alarm",
			"bind",
			"brk",
			"cachestat", // kernel v6.5, libseccomp v2.5.5
			"capget",
			"capset",
			"chdir",
			"chmod",
			"chown",
			"chown32",
			"clock_adjtime",
			"clock_adjtime64",
			"clock_getres",
			"clock_getres_time64",
			"clock_gettime",
			"clock_gettime64",
			"clock_nanosleep",
			"clock_nanosleep_time64",
			"close",
			"close_range",
			"connect",
			"copy_file_range",
			"creat",
			"dup",
			"dup2",
			"dup3",
			"epoll_create",
			"epoll_create1",
			"epoll_ctl",
			"epoll_ctl_old",
			"epoll_pwait",
			"epoll_pwait2",
			"epoll_wait",
			"epoll_wait_old",
			"eventfd",
			"eventfd2",
			"execve",
			"execveat",
			"exit",
			"exit_group",
			"faccessat",
			"faccessat2",
			"fadvise64",
			"fadvise64_64",
			"fallocate",
			"fanotify_mark",
			"fchdir",
			"fchmod",
			"fchmodat",
			"fchmodat2", // kernel v6.6, libseccomp v2.5.5
			"fchown",
			"fchown32",
			"fchownat",
			"fcntl",
			"fcntl64",
			"fdatasync",
			"fgetxattr",
			"flistxattr",
			"flock",
			"fork",
			"fremovexattr",
			"fsetxattr",
			"fstat",
			"fstat64",
			"fstatat64",
			"fstatfs",
			"fstatfs64",
			"fsync",
			"ftruncate",
			"ftruncate64",
			"futex",
			"futex_requeue", // kernel v6.7, libseccomp v2.5.5
			"futex_time64",
			"futex_wait", // kernel v6.7, libseccomp v2.5.5
			"futex_waitv",
			"futex_wake", // kernel v6.7, libseccomp v2.5.5
			"futimesat",
			"getcpu",
			"getcwd",
			"getdents",
			"getdents64",
			"getegid",
			"getegid32",
			"geteuid",
			"geteuid32",
			"getgid",
			"getgid32",
			"getgroups",
			"getgroups32",
			"getitimer",
			"getpeername",
			"getpgid",
			"getpgrp",
			"getpid",
			"getppid",
			"getpriority",
			"getrandom",
			"getresgid",
			"getresgid32",
			"getresuid",
			"getresuid32",
			"getrlimit",
			"get_robust_list",
			"getrusage",
			"getsid",
			"getsockname",
			"getsockopt",
			"get_thread_area",
			"gettid",
			"gettimeofday",
			"getuid",
			"getuid32",
			"getxattr",
			"inotify_add_watch",
			"inotify_init",
			"inotify_init1",
			"inotify_rm_watch",
			"io_cancel",
			"ioctl",
			"io_destroy",
			"io_getevents",
			"io_pgetevents",
			"io_pgetevents_time64",
			"ioprio_get",
			"ioprio_set",
			"io_setup",
			"io_submit",
			"ipc",
			"kill",
			"landlock_add_rule",
			"landlock_create_ruleset",
			"landlock_restrict_self",
			"lchown",
			"lchown32",
			"lgetxattr",
			"link",
			"linkat",
			"listen",
			"listxattr",
			"llistxattr",
			"_llseek",
			"lremovexattr",
			"lseek",
			"lsetxattr",
			"lstat",
			"lstat64",
			"madvise",
			"map_shadow_stack", // kernel v6.6, libseccomp v2.5.5
			"membarrier",
			"memfd_create",
			"memfd_secret",
			"mincore",
			"mkdir",
			"mkdirat",
			"mknod",
			"mknodat",
			"mlock",
			"mlock2",
			"mlockall",
			"mmap",
			"mmap2",
			"mprotect",
			"mq_getsetattr",
			"mq_notify",
			"mq_open",
			"mq_timedreceive",
			"mq_timedreceive_time64",
			"mq_timedsend",
			"mq_timedsend_time64",
			"mq_unlink",
			"mremap",
			"msgctl",
			"msgget",
			"msgrcv",
			"msgsnd",
			"msync",
			"munlock",
			"munlockall",
			"munmap",
			"name_to_handle_at",
			"nanosleep",
			"newfstatat",
			"_newselect",
			"open",
			"openat",
			"openat2",
			"pause",
			"pidfd_open",
			"pidfd_send_signal",
			"pipe",
			"pipe2",
			"pkey_alloc",
			"pkey_free",
			"pkey_mprotect",
			"poll",
			"ppoll",
			"ppoll_time64",
			"prctl",
			"pread64",
			"preadv",
			"preadv2",
			"prlimit64",
			"process_mrelease",
			"pselect6",
			"pselect6_time64",
			"pwrite64",
			"pwritev",
			"pwritev2",
			"read",
			"readahead",
			"readlink",
			"readlinkat",
			"readv",
			"recv",
			"recvfrom",
			"recvmmsg",
			"recvmmsg_time64",
			"recvmsg",
			"remap_file_pages",
			"removexattr",
			"rename",
			"renameat",
			"renameat2",
			"restart_syscall",
			"rmdir",
			"rseq",
			"rt_sigaction",
			"rt_sigpending",
			"rt_sigprocmask",
			"rt_sigqueueinfo",
			"rt_sigreturn",
			"rt_sigsuspend",
			"rt_sigtimedwait",
			"rt_sigtimedwait_time64",
			"rt_tgsigqueueinfo",
			"sched_getaffinity",
			"sched_getattr",
			"sched_getparam",
			"sched_get_priority_max",
			"sched_get_priority_min",
			"sched_getscheduler",
			"sched_rr_get_interval",
			"sched_rr_get_interval_time64",
			"sched_setaffinity",
			"sched_setattr",
			"sched_setparam",
			"sched_setscheduler",
			"sched_yield",
			"seccomp",
			"select",
			"semctl",
			"semget",
			"semop",
			"semtimedop",
			"semtimedop_time64",
			"send",
			"sendfile",
			"sendfile64",
			"sendmmsg",
			"sendmsg",
			"sendto",
			"setfsgid",
			"setfsgid32",
			"setfsuid",
			"setfsuid32",
			"setgid",
			"setgid32",
			"setgroups",
			"setgroups32",
			"setitimer",
			"setpgid",
			"setpriority",
			"setregid",
			"setregid32",
			"setresgid",
			"setresgid32",
			"setresuid",
			"setresuid32",
			"setreuid",
			"setreuid32",
			"setrlimit",
			"set_robust_list",
			"setsid",
			"setsockopt",
			"set_thread_area",
			"set_tid_address",
			"setuid",
			"setuid32",
			"setxattr",
			"shmat",
			"shmctl",
			"shmdt",
			"shmget",
			"shutdown",
			"sigaltstack",
			"signalfd",
			"signalfd4",
			"sigprocmask",
			"sigreturn",
			"socketcall",
			"socketpair",
			"splice",
			"stat",
			"stat64",
			"statfs",
			"statfs64",
			"statx",
			"symlink",
			"symlinkat",
			"sync",
			"sync_file_range",
			"syncfs",
			"sysinfo",
			"tee",
			"tgkill",
			"time",
			"timer_create",
			"timer_delete",
			"timer_getoverrun",
			"timer_gettime",
			"timer_gettime64",
			"timer_settime",
			"timer_settime64",
			"timerfd_create",
			"timerfd_gettime",
			"timerfd_gettime64",
			"timerfd_settime",
			"timerfd_settime64",
			"times",
			"tkill",
			"truncate",
			"truncate64",
			"ugetrlimit",
			"umask",
			"uname",
			"unlink",
			"unlinkat",
			"utime",
			"utimensat",
			"utimensat_time64",
			"utimes",
			"vfork",
			"vmsplice",
			"wait4",
			"waitid",
			"waitpid",
			"write",
			"writev",
		),
		// The ptrace family is allowed without a capability only on kernels
		// at or above 4.8 (MinKernel filter); on older kernels the same calls
		// are reachable solely through the CAP_SYS_PTRACE rule in group 4.
		allowWhen(&Filter{MinKernel: &KernelVersion{4, 8}},
			"process_vm_readv",
			"process_vm_writev",
			"ptrace",
		),
	}

	// Group 2: argument-filtered rules. socket(2) is allowed for every
	// domain except AF_VSOCK (host/guest sockets); personality(2) only for
	// the values listed above.
	rules = append(rules, allowArg("socket", specs.LinuxSeccompArg{
		Index: 0,
		Value: unix.AF_VSOCK,
		Op:    specs.OpNotEqual,
	}))
	for _, persona := range personalities {
		rules = append(rules, allowArg("personality", specs.LinuxSeccompArg{
			Index: 0,
			Value: persona,
			Op:    specs.OpEqualTo,
		}))
	}

	// Group 3: architecture-specific syscalls.
	rules = append(rules,
		allowWhen(onArches("ppc64le"),
			"sync_file_range2",
			"swapcontext",
		),
		allowWhen(onArches("arm", "arm64"),
			"arm_fadvise64_64",
			"arm_sync_file_range",
			"sync_file_range2",
			"breakpoint",
			"cacheflush",
			"set_tls",
		),
		allowWhen(onArches("amd64", "x32"), "arch_prctl"),
		allowWhen(onArches("amd64", "x32", "x86"), "modify_ldt"),
		allowWhen(onArches("s390", "s390x"),
			"s390_pci_mmio_read",
			"s390_pci_mmio_write",
			"s390_runtime_instr",
		),
		allowWhen(onArches("riscv64"), "riscv_flush_icache"),
	)

	// Group 4: capability-gated syscalls. Each rule is emitted only when the
	// container has the named capability; clone/clone3 get special handling.
	rules = append(rules,
		allowWhen(withCaps("CAP_DAC_READ_SEARCH"), "open_by_handle_at"),
		allowWhen(withCaps("CAP_SYS_ADMIN"),
			"bpf",
			"clone",
			"clone3",
			"fanotify_init",
			"fsconfig",
			"fsmount",
			"fsopen",
			"fspick",
			"lookup_dcookie",
			"mount",
			"mount_setattr",
			"move_mount",
			"open_tree",
			"perf_event_open",
			"quotactl",
			"quotactl_fd",
			"setdomainname",
			"sethostname",
			"setns",
			"syslog",
			"umount",
			"umount2",
			"unshare",
		),
	)

	// Without CAP_SYS_ADMIN, clone is allowed only when no namespace flag is
	// set. The flags argument is arg 0 on every architecture except s390,
	// where it is arg 1, hence two rules with mirrored Includes/Excludes.
	cloneNoNS := allowArg("clone", specs.LinuxSeccompArg{
		Index:    0,
		Value:    nsFlags,
		ValueTwo: 0,
		Op:       specs.OpMaskedEqual,
	})
	cloneNoNS.Excludes = &Filter{
		Caps:   []string{"CAP_SYS_ADMIN"},
		Arches: []string{"s390", "s390x"},
	}

	cloneNoNSs390 := allowArg("clone", specs.LinuxSeccompArg{
		Index:    1,
		Value:    nsFlags,
		ValueTwo: 0,
		Op:       specs.OpMaskedEqual,
	})
	cloneNoNSs390.Comment = "s390 parameter ordering for clone is different"
	cloneNoNSs390.Includes = onArches("s390", "s390x")
	cloneNoNSs390.Excludes = withCaps("CAP_SYS_ADMIN")

	// clone3 cannot be argument-filtered, so unprivileged containers get
	// ENOSYS instead of an allow rule (see nosys above).
	clone3NoSys := &Syscall{
		LinuxSyscall: specs.LinuxSyscall{
			Names:    []string{"clone3"},
			Action:   specs.ActErrno,
			ErrnoRet: &nosys,
		},
		Excludes: withCaps("CAP_SYS_ADMIN"),
	}

	rules = append(rules,
		cloneNoNS,
		cloneNoNSs390,
		clone3NoSys,
		allowWhen(withCaps("CAP_SYS_BOOT"), "reboot"),
		allowWhen(withCaps("CAP_SYS_CHROOT"), "chroot"),
		allowWhen(withCaps("CAP_SYS_MODULE"),
			"delete_module",
			"init_module",
			"finit_module",
		),
		allowWhen(withCaps("CAP_SYS_PACCT"), "acct"),
		allowWhen(withCaps("CAP_SYS_PTRACE"),
			"kcmp",
			"pidfd_getfd",
			"process_madvise",
			"process_vm_readv",
			"process_vm_writev",
			"ptrace",
		),
		allowWhen(withCaps("CAP_SYS_RAWIO"),
			"iopl",
			"ioperm",
		),
		allowWhen(withCaps("CAP_SYS_TIME"),
			"settimeofday",
			"stime",
			"clock_settime",
			"clock_settime64",
		),
		allowWhen(withCaps("CAP_SYS_TTY_CONFIG"), "vhangup"),
		allowWhen(withCaps("CAP_SYS_NICE"),
			"get_mempolicy",
			"mbind",
			"set_mempolicy",
			"set_mempolicy_home_node", // kernel v5.17, libseccomp v2.5.4
		),
		allowWhen(withCaps("CAP_SYSLOG"), "syslog"),
		allowWhen(withCaps("CAP_BPF"), "bpf"),
		allowWhen(withCaps("CAP_PERFMON"), "perf_event_open"),
	)

	// Anything not matched above fails with EPERM; the process keeps running.
	eperm := uint(unix.EPERM)
	return &Seccomp{
		LinuxSeccomp: specs.LinuxSeccomp{
			DefaultAction:   specs.ActErrno,
			DefaultErrnoRet: &eperm,
		},
		ArchMap:  arches(),
		Syscalls: rules,
	}
}