github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/moby/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_adjtime", 69 "clock_adjtime64", 70 "clock_getres", 71 "clock_getres_time64", 72 "clock_gettime", 73 "clock_gettime64", 74 "clock_nanosleep", 75 "clock_nanosleep_time64", 76 "close", 77 "connect", 78 "copy_file_range", 79 "creat", 80 "dup", 81 "dup2", 82 "dup3", 83 "epoll_create", 84 "epoll_create1", 85 "epoll_ctl", 86 "epoll_ctl_old", 87 "epoll_pwait", 88 "epoll_wait", 89 "epoll_wait_old", 90 "eventfd", 91 "eventfd2", 92 "execve", 93 "execveat", 94 "exit", 95 "exit_group", 96 "faccessat", 97 "faccessat2", 98 "fadvise64", 99 "fadvise64_64", 100 "fallocate", 101 "fanotify_mark", 102 "fchdir", 103 "fchmod", 104 "fchmodat", 105 "fchown", 106 "fchown32", 107 "fchownat", 108 "fcntl", 109 "fcntl64", 110 "fdatasync", 111 "fgetxattr", 112 "flistxattr", 113 "flock", 114 "fork", 115 "fremovexattr", 116 "fsetxattr", 117 "fstat", 118 "fstat64", 119 "fstatat64", 120 "fstatfs", 121 "fstatfs64", 122 "fsync", 123 "ftruncate", 124 "ftruncate64", 125 "futex", 126 "futex_time64", 127 "futimesat", 128 "getcpu", 129 "getcwd", 130 "getdents", 131 "getdents64", 132 "getegid", 133 "getegid32", 134 "geteuid", 135 "geteuid32", 136 "getgid", 137 "getgid32", 138 "getgroups", 139 "getgroups32", 140 "getitimer", 141 "getpeername", 142 "getpgid", 143 "getpgrp", 144 "getpid", 145 "getppid", 146 "getpriority", 147 "getrandom", 148 "getresgid", 149 "getresgid32", 150 "getresuid", 151 "getresuid32", 152 "getrlimit", 153 "get_robust_list", 154 "getrusage", 155 "getsid", 156 "getsockname", 157 "getsockopt", 158 "get_thread_area", 159 "gettid", 160 "gettimeofday", 161 "getuid", 162 "getuid32", 163 "getxattr", 164 "inotify_add_watch", 165 "inotify_init", 166 "inotify_init1", 167 "inotify_rm_watch", 168 "io_cancel", 169 "ioctl", 170 "io_destroy", 171 "io_getevents", 172 "io_pgetevents", 173 "io_pgetevents_time64", 174 "ioprio_get", 175 "ioprio_set", 176 "io_setup", 177 "io_submit", 178 "io_uring_enter", 179 "io_uring_register", 180 "io_uring_setup", 181 "ipc", 182 "kill", 183 "lchown", 184 "lchown32", 185 "lgetxattr", 186 "link", 187 "linkat", 188 "listen", 189 "listxattr", 190 "llistxattr", 191 "_llseek", 192 "lremovexattr", 193 "lseek", 194 "lsetxattr", 195 "lstat", 196 "lstat64", 197 "madvise", 198 "membarrier", 199 "memfd_create", 200 "mincore", 201 "mkdir", 202 "mkdirat", 203 "mknod", 204 "mknodat", 205 "mlock", 206 "mlock2", 207 "mlockall", 208 "mmap", 209 "mmap2", 210 "mprotect", 211 "mq_getsetattr", 212 "mq_notify", 213 "mq_open", 214 "mq_timedreceive", 215 "mq_timedreceive_time64", 216 "mq_timedsend", 217 "mq_timedsend_time64", 218 "mq_unlink", 219 "mremap", 220 "msgctl", 221 "msgget", 222 "msgrcv", 223 "msgsnd", 224 "msync", 225 "munlock", 226 "munlockall", 227 "munmap", 228 "nanosleep", 229 "newfstatat", 230 "_newselect", 231 "open", 232 "openat", 233 "openat2", 234 "pause", 235 "pidfd_open", 236 "pidfd_send_signal", 237 "pipe", 238 "pipe2", 239 "poll", 240 "ppoll", 241 "ppoll_time64", 242 "prctl", 243 "pread64", 244 "preadv", 245 "preadv2", 246 "prlimit64", 247 "pselect6", 248 "pselect6_time64", 249 "pwrite64", 250 "pwritev", 251 "pwritev2", 252 "read", 253 "readahead", 254 "readlink", 255 "readlinkat", 256 "readv", 257 "recv", 258 "recvfrom", 259 "recvmmsg", 260 "recvmmsg_time64", 261 "recvmsg", 262 "remap_file_pages", 263 "removexattr", 264 "rename", 265 "renameat", 266 "renameat2", 267 "restart_syscall", 268 "rmdir", 269 "rseq", 270 "rt_sigaction", 271 "rt_sigpending", 272 "rt_sigprocmask", 273 "rt_sigqueueinfo", 274 "rt_sigreturn", 275 "rt_sigsuspend", 276 "rt_sigtimedwait", 277 "rt_sigtimedwait_time64", 278 "rt_tgsigqueueinfo", 279 "sched_getaffinity", 280 "sched_getattr", 281 "sched_getparam", 282 "sched_get_priority_max", 283 "sched_get_priority_min", 284 "sched_getscheduler", 285 "sched_rr_get_interval", 286 "sched_rr_get_interval_time64", 287 "sched_setaffinity", 288 "sched_setattr", 289 "sched_setparam", 290 "sched_setscheduler", 291 "sched_yield", 292 "seccomp", 293 "select", 294 "semctl", 295 "semget", 296 "semop", 297 "semtimedop", 298 "semtimedop_time64", 299 "send", 300 "sendfile", 301 "sendfile64", 302 "sendmmsg", 303 "sendmsg", 304 "sendto", 305 "setfsgid", 306 "setfsgid32", 307 "setfsuid", 308 "setfsuid32", 309 "setgid", 310 "setgid32", 311 "setgroups", 312 "setgroups32", 313 "setitimer", 314 "setpgid", 315 "setpriority", 316 "setregid", 317 "setregid32", 318 "setresgid", 319 "setresgid32", 320 "setresuid", 321 "setresuid32", 322 "setreuid", 323 "setreuid32", 324 "setrlimit", 325 "set_robust_list", 326 "setsid", 327 "setsockopt", 328 "set_thread_area", 329 "set_tid_address", 330 "setuid", 331 "setuid32", 332 "setxattr", 333 "shmat", 334 "shmctl", 335 "shmdt", 336 "shmget", 337 "shutdown", 338 "sigaltstack", 339 "signalfd", 340 "signalfd4", 341 "sigprocmask", 342 "sigreturn", 343 "socket", 344 "socketcall", 345 "socketpair", 346 "splice", 347 "stat", 348 "stat64", 349 "statfs", 350 "statfs64", 351 "statx", 352 "symlink", 353 "symlinkat", 354 "sync", 355 "sync_file_range", 356 "syncfs", 357 "sysinfo", 358 "tee", 359 "tgkill", 360 "time", 361 "timer_create", 362 "timer_delete", 363 "timer_getoverrun", 364 "timer_gettime", 365 "timer_gettime64", 366 "timer_settime", 367 "timer_settime64", 368 "timerfd_create", 369 "timerfd_gettime", 370 "timerfd_gettime64", 371 "timerfd_settime", 372 "timerfd_settime64", 373 "times", 374 "tkill", 375 "truncate", 376 "truncate64", 377 "ugetrlimit", 378 "umask", 379 "uname", 380 "unlink", 381 "unlinkat", 382 "utime", 383 "utimensat", 384 "utimensat_time64", 385 "utimes", 386 "vfork", 387 "vmsplice", 388 "wait4", 389 "waitid", 390 "waitpid", 391 "write", 392 "writev" 393 ], 394 "action": "SCMP_ACT_ALLOW", 395 "args": [], 396 "comment": "", 397 "includes": {}, 398 "excludes": {} 399 }, 400 { 401 "names": [ 402 "ptrace" 403 ], 404 "action": "SCMP_ACT_ALLOW", 405 "args": null, 406 "comment": "", 407 "includes": { 408 "minKernel": "4.8" 409 }, 410 "excludes": {} 411 }, 412 { 413 "names": [ 414 "personality" 415 ], 416 "action": "SCMP_ACT_ALLOW", 417 "args": [ 418 { 419 "index": 0, 420 "value": 0, 421 "op": "SCMP_CMP_EQ" 422 } 423 ], 424 "comment": "", 425 "includes": {}, 426 "excludes": {} 427 }, 428 { 429 "names": [ 430 "personality" 431 ], 432 "action": "SCMP_ACT_ALLOW", 433 "args": [ 434 { 435 "index": 0, 436 "value": 8, 437 "op": "SCMP_CMP_EQ" 438 } 439 ], 440 "comment": "", 441 "includes": {}, 442 "excludes": {} 443 }, 444 { 445 "names": [ 446 "personality" 447 ], 448 "action": "SCMP_ACT_ALLOW", 449 "args": [ 450 { 451 "index": 0, 452 "value": 131072, 453 "op": "SCMP_CMP_EQ" 454 } 455 ], 456 "comment": "", 457 "includes": {}, 458 "excludes": {} 459 }, 460 { 461 "names": [ 462 "personality" 463 ], 464 "action": "SCMP_ACT_ALLOW", 465 "args": [ 466 { 467 "index": 0, 468 "value": 131080, 469 "op": "SCMP_CMP_EQ" 470 } 471 ], 472 "comment": "", 473 "includes": {}, 474 "excludes": {} 475 }, 476 { 477 "names": [ 478 "personality" 479 ], 480 "action": "SCMP_ACT_ALLOW", 481 "args": [ 482 { 483 "index": 0, 484 "value": 4294967295, 485 "op": "SCMP_CMP_EQ" 486 } 487 ], 488 "comment": "", 489 "includes": {}, 490 "excludes": {} 491 }, 492 { 493 "names": [ 494 "sync_file_range2" 495 ], 496 "action": "SCMP_ACT_ALLOW", 497 "args": [], 498 "comment": "", 499 "includes": { 500 "arches": [ 501 "ppc64le" 502 ] 503 }, 504 "excludes": {} 505 }, 506 { 507 "names": [ 508 "arm_fadvise64_64", 509 "arm_sync_file_range", 510 "sync_file_range2", 511 "breakpoint", 512 "cacheflush", 513 "set_tls" 514 ], 515 "action": "SCMP_ACT_ALLOW", 516 "args": [], 517 "comment": "", 518 "includes": { 519 "arches": [ 520 "arm", 521 "arm64" 522 ] 523 }, 524 "excludes": {} 525 }, 526 { 527 "names": [ 528 "arch_prctl" 529 ], 530 "action": "SCMP_ACT_ALLOW", 531 "args": [], 532 "comment": "", 533 "includes": { 534 "arches": [ 535 "amd64", 536 "x32" 537 ] 538 }, 539 "excludes": {} 540 }, 541 { 542 "names": [ 543 "modify_ldt" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "args": [], 547 "comment": "", 548 "includes": { 549 "arches": [ 550 "amd64", 551 "x32", 552 "x86" 553 ] 554 }, 555 "excludes": {} 556 }, 557 { 558 "names": [ 559 "s390_pci_mmio_read", 560 "s390_pci_mmio_write", 561 "s390_runtime_instr" 562 ], 563 "action": "SCMP_ACT_ALLOW", 564 "args": [], 565 "comment": "", 566 "includes": { 567 "arches": [ 568 "s390", 569 "s390x" 570 ] 571 }, 572 "excludes": {} 573 }, 574 { 575 "names": [ 576 "open_by_handle_at" 577 ], 578 "action": "SCMP_ACT_ALLOW", 579 "args": [], 580 "comment": "", 581 "includes": { 582 "caps": [ 583 "CAP_DAC_READ_SEARCH" 584 ] 585 }, 586 "excludes": {} 587 }, 588 { 589 "names": [ 590 "bpf", 591 "clone", 592 "fanotify_init", 593 "lookup_dcookie", 594 "mount", 595 "name_to_handle_at", 596 "perf_event_open", 597 "quotactl", 598 "setdomainname", 599 "sethostname", 600 "setns", 601 "syslog", 602 "umount", 603 "umount2", 604 "unshare" 605 ], 606 "action": "SCMP_ACT_ALLOW", 607 "args": [], 608 "comment": "", 609 "includes": { 610 "caps": [ 611 "CAP_SYS_ADMIN" 612 ] 613 }, 614 "excludes": {} 615 }, 616 { 617 "names": [ 618 "clone" 619 ], 620 "action": "SCMP_ACT_ALLOW", 621 "args": [ 622 { 623 "index": 0, 624 "value": 2114060288, 625 "op": "SCMP_CMP_MASKED_EQ" 626 } 627 ], 628 "comment": "", 629 "includes": {}, 630 "excludes": { 631 "caps": [ 632 "CAP_SYS_ADMIN" 633 ], 634 "arches": [ 635 "s390", 636 "s390x" 637 ] 638 } 639 }, 640 { 641 "names": [ 642 "clone" 643 ], 644 "action": "SCMP_ACT_ALLOW", 645 "args": [ 646 { 647 "index": 1, 648 "value": 2114060288, 649 "op": "SCMP_CMP_MASKED_EQ" 650 } 651 ], 652 "comment": "s390 parameter ordering for clone is different", 653 "includes": { 654 "arches": [ 655 "s390", 656 "s390x" 657 ] 658 }, 659 "excludes": { 660 "caps": [ 661 "CAP_SYS_ADMIN" 662 ] 663 } 664 }, 665 { 666 "names": [ 667 "reboot" 668 ], 669 "action": "SCMP_ACT_ALLOW", 670 "args": [], 671 "comment": "", 672 "includes": { 673 "caps": [ 674 "CAP_SYS_BOOT" 675 ] 676 }, 677 "excludes": {} 678 }, 679 { 680 "names": [ 681 "chroot" 682 ], 683 "action": "SCMP_ACT_ALLOW", 684 "args": [], 685 "comment": "", 686 "includes": { 687 "caps": [ 688 "CAP_SYS_CHROOT" 689 ] 690 }, 691 "excludes": {} 692 }, 693 { 694 "names": [ 695 "delete_module", 696 "init_module", 697 "finit_module" 698 ], 699 "action": "SCMP_ACT_ALLOW", 700 "args": [], 701 "comment": "", 702 "includes": { 703 "caps": [ 704 "CAP_SYS_MODULE" 705 ] 706 }, 707 "excludes": {} 708 }, 709 { 710 "names": [ 711 "acct" 712 ], 713 "action": "SCMP_ACT_ALLOW", 714 "args": [], 715 "comment": "", 716 "includes": { 717 "caps": [ 718 "CAP_SYS_PACCT" 719 ] 720 }, 721 "excludes": {} 722 }, 723 { 724 "names": [ 725 "kcmp", 726 "pidfd_getfd", 727 "process_vm_readv", 728 "process_vm_writev", 729 "ptrace" 730 ], 731 "action": "SCMP_ACT_ALLOW", 732 "args": [], 733 "comment": "", 734 "includes": { 735 "caps": [ 736 "CAP_SYS_PTRACE" 737 ] 738 }, 739 "excludes": {} 740 }, 741 { 742 "names": [ 743 "iopl", 744 "ioperm" 745 ], 746 "action": "SCMP_ACT_ALLOW", 747 "args": [], 748 "comment": "", 749 "includes": { 750 "caps": [ 751 "CAP_SYS_RAWIO" 752 ] 753 }, 754 "excludes": {} 755 }, 756 { 757 "names": [ 758 "settimeofday", 759 "stime", 760 "clock_settime" 761 ], 762 "action": "SCMP_ACT_ALLOW", 763 "args": [], 764 "comment": "", 765 "includes": { 766 "caps": [ 767 "CAP_SYS_TIME" 768 ] 769 }, 770 "excludes": {} 771 }, 772 { 773 "names": [ 774 "vhangup" 775 ], 776 "action": "SCMP_ACT_ALLOW", 777 "args": [], 778 "comment": "", 779 "includes": { 780 "caps": [ 781 "CAP_SYS_TTY_CONFIG" 782 ] 783 }, 784 "excludes": {} 785 }, 786 { 787 "names": [ 788 "get_mempolicy", 789 "mbind", 790 "set_mempolicy" 791 ], 792 "action": "SCMP_ACT_ALLOW", 793 "args": [], 794 "comment": "", 795 "includes": { 796 "caps": [ 797 "CAP_SYS_NICE" 798 ] 799 }, 800 "excludes": {} 801 }, 802 { 803 "names": [ 804 "syslog" 805 ], 806 "action": "SCMP_ACT_ALLOW", 807 "args": [], 808 "comment": "", 809 "includes": { 810 "caps": [ 811 "CAP_SYSLOG" 812 ] 813 }, 814 "excludes": {} 815 } 816 ] 817 }