1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 1, 4 "archMap": [ 5 { 6 "architecture": "SCMP_ARCH_X86_64", 7 "subArchitectures": [ 8 "SCMP_ARCH_X86", 9 "SCMP_ARCH_X32" 10 ] 11 }, 12 { 13 "architecture": "SCMP_ARCH_AARCH64", 14 "subArchitectures": [ 15 "SCMP_ARCH_ARM" 16 ] 17 }, 18 { 19 "architecture": "SCMP_ARCH_MIPS64", 20 "subArchitectures": [ 21 "SCMP_ARCH_MIPS", 22 "SCMP_ARCH_MIPS64N32" 23 ] 24 }, 25 { 26 "architecture": "SCMP_ARCH_MIPS64N32", 27 "subArchitectures": [ 28 "SCMP_ARCH_MIPS", 29 "SCMP_ARCH_MIPS64" 30 ] 31 }, 32 { 33 "architecture": "SCMP_ARCH_MIPSEL64", 34 "subArchitectures": [ 35 "SCMP_ARCH_MIPSEL", 36 "SCMP_ARCH_MIPSEL64N32" 37 ] 38 }, 39 { 40 "architecture": "SCMP_ARCH_MIPSEL64N32", 41 "subArchitectures": [ 42 "SCMP_ARCH_MIPSEL", 43 "SCMP_ARCH_MIPSEL64" 44 ] 45 }, 46 { 47 "architecture": "SCMP_ARCH_S390X", 48 "subArchitectures": [ 49 "SCMP_ARCH_S390" 50 ] 51 }, 52 { 53 "architecture": "SCMP_ARCH_RISCV64", 54 "subArchitectures": null 55 } 56 ], 57 "syscalls": [ 58 { 59 "names": [ 60 "accept", 61 "accept4", 62 "access", 63 "adjtimex", 64 "alarm", 65 "bind", 66 "brk", 67 "capget", 68 "capset", 69 "chdir", 70 "chmod", 71 "chown", 72 "chown32", 73 "clock_adjtime", 74 "clock_adjtime64", 75 "clock_getres", 76 "clock_getres_time64", 77 "clock_gettime", 78 "clock_gettime64", 79 "clock_nanosleep", 80 "clock_nanosleep_time64", 81 "close", 82 "close_range", 83 "connect", 84 "copy_file_range", 85 "creat", 86 "dup", 87 "dup2", 88 "dup3", 89 "epoll_create", 90 "epoll_create1", 91 "epoll_ctl", 92 "epoll_ctl_old", 93 "epoll_pwait", 94 "epoll_pwait2", 95 "epoll_wait", 96 "epoll_wait_old", 97 "eventfd", 98 "eventfd2", 99 "execve", 100 "execveat", 101 "exit", 102 "exit_group", 103 "faccessat", 104 "faccessat2", 105 "fadvise64", 106 "fadvise64_64", 107 "fallocate", 108 "fanotify_mark", 109 "fchdir", 110 "fchmod", 111 "fchmodat", 112 "fchown", 113 "fchown32", 114 
"fchownat", 115 "fcntl", 116 "fcntl64", 117 "fdatasync", 118 "fgetxattr", 119 "flistxattr", 120 "flock", 121 "fork", 122 "fremovexattr", 123 "fsetxattr", 124 "fstat", 125 "fstat64", 126 "fstatat64", 127 "fstatfs", 128 "fstatfs64", 129 "fsync", 130 "ftruncate", 131 "ftruncate64", 132 "futex", 133 "futex_time64", 134 "futex_waitv", 135 "futimesat", 136 "getcpu", 137 "getcwd", 138 "getdents", 139 "getdents64", 140 "getegid", 141 "getegid32", 142 "geteuid", 143 "geteuid32", 144 "getgid", 145 "getgid32", 146 "getgroups", 147 "getgroups32", 148 "getitimer", 149 "getpeername", 150 "getpgid", 151 "getpgrp", 152 "getpid", 153 "getppid", 154 "getpriority", 155 "getrandom", 156 "getresgid", 157 "getresgid32", 158 "getresuid", 159 "getresuid32", 160 "getrlimit", 161 "get_robust_list", 162 "getrusage", 163 "getsid", 164 "getsockname", 165 "getsockopt", 166 "get_thread_area", 167 "gettid", 168 "gettimeofday", 169 "getuid", 170 "getuid32", 171 "getxattr", 172 "inotify_add_watch", 173 "inotify_init", 174 "inotify_init1", 175 "inotify_rm_watch", 176 "io_cancel", 177 "ioctl", 178 "io_destroy", 179 "io_getevents", 180 "io_pgetevents", 181 "io_pgetevents_time64", 182 "ioprio_get", 183 "ioprio_set", 184 "io_setup", 185 "io_submit", 186 "ipc", 187 "kill", 188 "landlock_add_rule", 189 "landlock_create_ruleset", 190 "landlock_restrict_self", 191 "lchown", 192 "lchown32", 193 "lgetxattr", 194 "link", 195 "linkat", 196 "listen", 197 "listxattr", 198 "llistxattr", 199 "_llseek", 200 "lremovexattr", 201 "lseek", 202 "lsetxattr", 203 "lstat", 204 "lstat64", 205 "madvise", 206 "membarrier", 207 "memfd_create", 208 "memfd_secret", 209 "mincore", 210 "mkdir", 211 "mkdirat", 212 "mknod", 213 "mknodat", 214 "mlock", 215 "mlock2", 216 "mlockall", 217 "mmap", 218 "mmap2", 219 "mprotect", 220 "mq_getsetattr", 221 "mq_notify", 222 "mq_open", 223 "mq_timedreceive", 224 "mq_timedreceive_time64", 225 "mq_timedsend", 226 "mq_timedsend_time64", 227 "mq_unlink", 228 "mremap", 229 "msgctl", 230 "msgget", 231 
"msgrcv", 232 "msgsnd", 233 "msync", 234 "munlock", 235 "munlockall", 236 "munmap", 237 "name_to_handle_at", 238 "nanosleep", 239 "newfstatat", 240 "_newselect", 241 "open", 242 "openat", 243 "openat2", 244 "pause", 245 "pidfd_open", 246 "pidfd_send_signal", 247 "pipe", 248 "pipe2", 249 "pkey_alloc", 250 "pkey_free", 251 "pkey_mprotect", 252 "poll", 253 "ppoll", 254 "ppoll_time64", 255 "prctl", 256 "pread64", 257 "preadv", 258 "preadv2", 259 "prlimit64", 260 "process_mrelease", 261 "pselect6", 262 "pselect6_time64", 263 "pwrite64", 264 "pwritev", 265 "pwritev2", 266 "read", 267 "readahead", 268 "readlink", 269 "readlinkat", 270 "readv", 271 "recv", 272 "recvfrom", 273 "recvmmsg", 274 "recvmmsg_time64", 275 "recvmsg", 276 "remap_file_pages", 277 "removexattr", 278 "rename", 279 "renameat", 280 "renameat2", 281 "restart_syscall", 282 "rmdir", 283 "rseq", 284 "rt_sigaction", 285 "rt_sigpending", 286 "rt_sigprocmask", 287 "rt_sigqueueinfo", 288 "rt_sigreturn", 289 "rt_sigsuspend", 290 "rt_sigtimedwait", 291 "rt_sigtimedwait_time64", 292 "rt_tgsigqueueinfo", 293 "sched_getaffinity", 294 "sched_getattr", 295 "sched_getparam", 296 "sched_get_priority_max", 297 "sched_get_priority_min", 298 "sched_getscheduler", 299 "sched_rr_get_interval", 300 "sched_rr_get_interval_time64", 301 "sched_setaffinity", 302 "sched_setattr", 303 "sched_setparam", 304 "sched_setscheduler", 305 "sched_yield", 306 "seccomp", 307 "select", 308 "semctl", 309 "semget", 310 "semop", 311 "semtimedop", 312 "semtimedop_time64", 313 "send", 314 "sendfile", 315 "sendfile64", 316 "sendmmsg", 317 "sendmsg", 318 "sendto", 319 "setfsgid", 320 "setfsgid32", 321 "setfsuid", 322 "setfsuid32", 323 "setgid", 324 "setgid32", 325 "setgroups", 326 "setgroups32", 327 "setitimer", 328 "setpgid", 329 "setpriority", 330 "setregid", 331 "setregid32", 332 "setresgid", 333 "setresgid32", 334 "setresuid", 335 "setresuid32", 336 "setreuid", 337 "setreuid32", 338 "setrlimit", 339 "set_robust_list", 340 "setsid", 341 
"setsockopt", 342 "set_thread_area", 343 "set_tid_address", 344 "setuid", 345 "setuid32", 346 "setxattr", 347 "shmat", 348 "shmctl", 349 "shmdt", 350 "shmget", 351 "shutdown", 352 "sigaltstack", 353 "signalfd", 354 "signalfd4", 355 "sigprocmask", 356 "sigreturn", 357 "socketcall", 358 "socketpair", 359 "splice", 360 "stat", 361 "stat64", 362 "statfs", 363 "statfs64", 364 "statx", 365 "symlink", 366 "symlinkat", 367 "sync", 368 "sync_file_range", 369 "syncfs", 370 "sysinfo", 371 "tee", 372 "tgkill", 373 "time", 374 "timer_create", 375 "timer_delete", 376 "timer_getoverrun", 377 "timer_gettime", 378 "timer_gettime64", 379 "timer_settime", 380 "timer_settime64", 381 "timerfd_create", 382 "timerfd_gettime", 383 "timerfd_gettime64", 384 "timerfd_settime", 385 "timerfd_settime64", 386 "times", 387 "tkill", 388 "truncate", 389 "truncate64", 390 "ugetrlimit", 391 "umask", 392 "uname", 393 "unlink", 394 "unlinkat", 395 "utime", 396 "utimensat", 397 "utimensat_time64", 398 "utimes", 399 "vfork", 400 "vmsplice", 401 "wait4", 402 "waitid", 403 "waitpid", 404 "write", 405 "writev" 406 ], 407 "action": "SCMP_ACT_ALLOW" 408 }, 409 { 410 "names": [ 411 "process_vm_readv", 412 "process_vm_writev", 413 "ptrace" 414 ], 415 "action": "SCMP_ACT_ALLOW", 416 "includes": { 417 "minKernel": "4.8" 418 } 419 }, 420 { 421 "names": [ 422 "socket" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [ 426 { 427 "index": 0, 428 "value": 40, 429 "op": "SCMP_CMP_NE" 430 } 431 ] 432 }, 433 { 434 "names": [ 435 "personality" 436 ], 437 "action": "SCMP_ACT_ALLOW", 438 "args": [ 439 { 440 "index": 0, 441 "value": 0, 442 "op": "SCMP_CMP_EQ" 443 } 444 ] 445 }, 446 { 447 "names": [ 448 "personality" 449 ], 450 "action": "SCMP_ACT_ALLOW", 451 "args": [ 452 { 453 "index": 0, 454 "value": 8, 455 "op": "SCMP_CMP_EQ" 456 } 457 ] 458 }, 459 { 460 "names": [ 461 "personality" 462 ], 463 "action": "SCMP_ACT_ALLOW", 464 "args": [ 465 { 466 "index": 0, 467 "value": 131072, 468 "op": "SCMP_CMP_EQ" 469 } 470 ] 471 }, 
472 { 473 "names": [ 474 "personality" 475 ], 476 "action": "SCMP_ACT_ALLOW", 477 "args": [ 478 { 479 "index": 0, 480 "value": 131080, 481 "op": "SCMP_CMP_EQ" 482 } 483 ] 484 }, 485 { 486 "names": [ 487 "personality" 488 ], 489 "action": "SCMP_ACT_ALLOW", 490 "args": [ 491 { 492 "index": 0, 493 "value": 4294967295, 494 "op": "SCMP_CMP_EQ" 495 } 496 ] 497 }, 498 { 499 "names": [ 500 "sync_file_range2", 501 "swapcontext" 502 ], 503 "action": "SCMP_ACT_ALLOW", 504 "includes": { 505 "arches": [ 506 "ppc64le" 507 ] 508 } 509 }, 510 { 511 "names": [ 512 "arm_fadvise64_64", 513 "arm_sync_file_range", 514 "sync_file_range2", 515 "breakpoint", 516 "cacheflush", 517 "set_tls" 518 ], 519 "action": "SCMP_ACT_ALLOW", 520 "includes": { 521 "arches": [ 522 "arm", 523 "arm64" 524 ] 525 } 526 }, 527 { 528 "names": [ 529 "arch_prctl" 530 ], 531 "action": "SCMP_ACT_ALLOW", 532 "includes": { 533 "arches": [ 534 "amd64", 535 "x32" 536 ] 537 } 538 }, 539 { 540 "names": [ 541 "modify_ldt" 542 ], 543 "action": "SCMP_ACT_ALLOW", 544 "includes": { 545 "arches": [ 546 "amd64", 547 "x32", 548 "x86" 549 ] 550 } 551 }, 552 { 553 "names": [ 554 "s390_pci_mmio_read", 555 "s390_pci_mmio_write", 556 "s390_runtime_instr" 557 ], 558 "action": "SCMP_ACT_ALLOW", 559 "includes": { 560 "arches": [ 561 "s390", 562 "s390x" 563 ] 564 } 565 }, 566 { 567 "names": [ 568 "riscv_flush_icache" 569 ], 570 "action": "SCMP_ACT_ALLOW", 571 "includes": { 572 "arches": [ 573 "riscv64" 574 ] 575 } 576 }, 577 { 578 "names": [ 579 "open_by_handle_at" 580 ], 581 "action": "SCMP_ACT_ALLOW", 582 "includes": { 583 "caps": [ 584 "CAP_DAC_READ_SEARCH" 585 ] 586 } 587 }, 588 { 589 "names": [ 590 "bpf", 591 "clone", 592 "clone3", 593 "fanotify_init", 594 "fsconfig", 595 "fsmount", 596 "fsopen", 597 "fspick", 598 "lookup_dcookie", 599 "mount", 600 "mount_setattr", 601 "move_mount", 602 "open_tree", 603 "perf_event_open", 604 "quotactl", 605 "quotactl_fd", 606 "setdomainname", 607 "sethostname", 608 "setns", 609 "syslog", 610 
"umount", 611 "umount2", 612 "unshare" 613 ], 614 "action": "SCMP_ACT_ALLOW", 615 "includes": { 616 "caps": [ 617 "CAP_SYS_ADMIN" 618 ] 619 } 620 }, 621 { 622 "names": [ 623 "clone" 624 ], 625 "action": "SCMP_ACT_ALLOW", 626 "args": [ 627 { 628 "index": 0, 629 "value": 2114060288, 630 "op": "SCMP_CMP_MASKED_EQ" 631 } 632 ], 633 "excludes": { 634 "caps": [ 635 "CAP_SYS_ADMIN" 636 ], 637 "arches": [ 638 "s390", 639 "s390x" 640 ] 641 } 642 }, 643 { 644 "names": [ 645 "clone" 646 ], 647 "action": "SCMP_ACT_ALLOW", 648 "args": [ 649 { 650 "index": 1, 651 "value": 2114060288, 652 "op": "SCMP_CMP_MASKED_EQ" 653 } 654 ], 655 "comment": "s390 parameter ordering for clone is different", 656 "includes": { 657 "arches": [ 658 "s390", 659 "s390x" 660 ] 661 }, 662 "excludes": { 663 "caps": [ 664 "CAP_SYS_ADMIN" 665 ] 666 } 667 }, 668 { 669 "names": [ 670 "clone3" 671 ], 672 "action": "SCMP_ACT_ERRNO", 673 "errnoRet": 38, 674 "excludes": { 675 "caps": [ 676 "CAP_SYS_ADMIN" 677 ] 678 } 679 }, 680 { 681 "names": [ 682 "reboot" 683 ], 684 "action": "SCMP_ACT_ALLOW", 685 "includes": { 686 "caps": [ 687 "CAP_SYS_BOOT" 688 ] 689 } 690 }, 691 { 692 "names": [ 693 "chroot" 694 ], 695 "action": "SCMP_ACT_ALLOW", 696 "includes": { 697 "caps": [ 698 "CAP_SYS_CHROOT" 699 ] 700 } 701 }, 702 { 703 "names": [ 704 "delete_module", 705 "init_module", 706 "finit_module" 707 ], 708 "action": "SCMP_ACT_ALLOW", 709 "includes": { 710 "caps": [ 711 "CAP_SYS_MODULE" 712 ] 713 } 714 }, 715 { 716 "names": [ 717 "acct" 718 ], 719 "action": "SCMP_ACT_ALLOW", 720 "includes": { 721 "caps": [ 722 "CAP_SYS_PACCT" 723 ] 724 } 725 }, 726 { 727 "names": [ 728 "kcmp", 729 "pidfd_getfd", 730 "process_madvise", 731 "process_vm_readv", 732 "process_vm_writev", 733 "ptrace" 734 ], 735 "action": "SCMP_ACT_ALLOW", 736 "includes": { 737 "caps": [ 738 "CAP_SYS_PTRACE" 739 ] 740 } 741 }, 742 { 743 "names": [ 744 "iopl", 745 "ioperm" 746 ], 747 "action": "SCMP_ACT_ALLOW", 748 "includes": { 749 "caps": [ 750 "CAP_SYS_RAWIO" 
751 ] 752 } 753 }, 754 { 755 "names": [ 756 "settimeofday", 757 "stime", 758 "clock_settime", 759 "clock_settime64" 760 ], 761 "action": "SCMP_ACT_ALLOW", 762 "includes": { 763 "caps": [ 764 "CAP_SYS_TIME" 765 ] 766 } 767 }, 768 { 769 "names": [ 770 "vhangup" 771 ], 772 "action": "SCMP_ACT_ALLOW", 773 "includes": { 774 "caps": [ 775 "CAP_SYS_TTY_CONFIG" 776 ] 777 } 778 }, 779 { 780 "names": [ 781 "get_mempolicy", 782 "mbind", 783 "set_mempolicy" 784 ], 785 "action": "SCMP_ACT_ALLOW", 786 "includes": { 787 "caps": [ 788 "CAP_SYS_NICE" 789 ] 790 } 791 }, 792 { 793 "names": [ 794 "syslog" 795 ], 796 "action": "SCMP_ACT_ALLOW", 797 "includes": { 798 "caps": [ 799 "CAP_SYSLOG" 800 ] 801 } 802 }, 803 { 804 "names": [ 805 "bpf" 806 ], 807 "action": "SCMP_ACT_ALLOW", 808 "includes": { 809 "caps": [ 810 "CAP_BPF" 811 ] 812 } 813 }, 814 { 815 "names": [ 816 "perf_event_open" 817 ], 818 "action": "SCMP_ACT_ALLOW", 819 "includes": { 820 "caps": [ 821 "CAP_PERFMON" 822 ] 823 } 824 } 825 ] 826 }