github.com/rumpl/bof@v23.0.0-rc.2+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 1, 4 "archMap": [ 5 { 6 "architecture": "SCMP_ARCH_X86_64", 7 "subArchitectures": [ 8 "SCMP_ARCH_X86", 9 "SCMP_ARCH_X32" 10 ] 11 }, 12 { 13 "architecture": "SCMP_ARCH_AARCH64", 14 "subArchitectures": [ 15 "SCMP_ARCH_ARM" 16 ] 17 }, 18 { 19 "architecture": "SCMP_ARCH_MIPS64", 20 "subArchitectures": [ 21 "SCMP_ARCH_MIPS", 22 "SCMP_ARCH_MIPS64N32" 23 ] 24 }, 25 { 26 "architecture": "SCMP_ARCH_MIPS64N32", 27 "subArchitectures": [ 28 "SCMP_ARCH_MIPS", 29 "SCMP_ARCH_MIPS64" 30 ] 31 }, 32 { 33 "architecture": "SCMP_ARCH_MIPSEL64", 34 "subArchitectures": [ 35 "SCMP_ARCH_MIPSEL", 36 "SCMP_ARCH_MIPSEL64N32" 37 ] 38 }, 39 { 40 "architecture": "SCMP_ARCH_MIPSEL64N32", 41 "subArchitectures": [ 42 "SCMP_ARCH_MIPSEL", 43 "SCMP_ARCH_MIPSEL64" 44 ] 45 }, 46 { 47 "architecture": "SCMP_ARCH_S390X", 48 "subArchitectures": [ 49 "SCMP_ARCH_S390" 50 ] 51 }, 52 { 53 "architecture": "SCMP_ARCH_RISCV64", 54 "subArchitectures": null 55 } 56 ], 57 "syscalls": [ 58 { 59 "names": [ 60 "accept", 61 "accept4", 62 "access", 63 "adjtimex", 64 "alarm", 65 "bind", 66 "brk", 67 "capget", 68 "capset", 69 "chdir", 70 "chmod", 71 "chown", 72 "chown32", 73 "clock_adjtime", 74 "clock_adjtime64", 75 "clock_getres", 76 "clock_getres_time64", 77 "clock_gettime", 78 "clock_gettime64", 79 "clock_nanosleep", 80 "clock_nanosleep_time64", 81 "close", 82 "close_range", 83 "connect", 84 "copy_file_range", 85 "creat", 86 "dup", 87 "dup2", 88 "dup3", 89 "epoll_create", 90 "epoll_create1", 91 "epoll_ctl", 92 "epoll_ctl_old", 93 "epoll_pwait", 94 "epoll_pwait2", 95 "epoll_wait", 96 "epoll_wait_old", 97 "eventfd", 98 "eventfd2", 99 "execve", 100 "execveat", 101 "exit", 102 "exit_group", 103 "faccessat", 104 "faccessat2", 105 "fadvise64", 106 "fadvise64_64", 107 "fallocate", 108 "fanotify_mark", 109 "fchdir", 110 "fchmod", 111 "fchmodat", 112 "fchown", 113 "fchown32", 114 "fchownat", 115 "fcntl", 116 "fcntl64", 117 "fdatasync", 118 "fgetxattr", 119 "flistxattr", 120 "flock", 121 "fork", 122 "fremovexattr", 123 "fsetxattr", 124 "fstat", 125 "fstat64", 126 "fstatat64", 127 "fstatfs", 128 "fstatfs64", 129 "fsync", 130 "ftruncate", 131 "ftruncate64", 132 "futex", 133 "futex_time64", 134 "futex_waitv", 135 "futimesat", 136 "getcpu", 137 "getcwd", 138 "getdents", 139 "getdents64", 140 "getegid", 141 "getegid32", 142 "geteuid", 143 "geteuid32", 144 "getgid", 145 "getgid32", 146 "getgroups", 147 "getgroups32", 148 "getitimer", 149 "getpeername", 150 "getpgid", 151 "getpgrp", 152 "getpid", 153 "getppid", 154 "getpriority", 155 "getrandom", 156 "getresgid", 157 "getresgid32", 158 "getresuid", 159 "getresuid32", 160 "getrlimit", 161 "get_robust_list", 162 "getrusage", 163 "getsid", 164 "getsockname", 165 "getsockopt", 166 "get_thread_area", 167 "gettid", 168 "gettimeofday", 169 "getuid", 170 "getuid32", 171 "getxattr", 172 "inotify_add_watch", 173 "inotify_init", 174 "inotify_init1", 175 "inotify_rm_watch", 176 "io_cancel", 177 "ioctl", 178 "io_destroy", 179 "io_getevents", 180 "io_pgetevents", 181 "io_pgetevents_time64", 182 "ioprio_get", 183 "ioprio_set", 184 "io_setup", 185 "io_submit", 186 "io_uring_enter", 187 "io_uring_register", 188 "io_uring_setup", 189 "ipc", 190 "kill", 191 "landlock_add_rule", 192 "landlock_create_ruleset", 193 "landlock_restrict_self", 194 "lchown", 195 "lchown32", 196 "lgetxattr", 197 "link", 198 "linkat", 199 "listen", 200 "listxattr", 201 "llistxattr", 202 "_llseek", 203 "lremovexattr", 204 "lseek", 205 "lsetxattr", 206 "lstat", 207 "lstat64", 208 "madvise", 209 "membarrier", 210 "memfd_create", 211 "memfd_secret", 212 "mincore", 213 "mkdir", 214 "mkdirat", 215 "mknod", 216 "mknodat", 217 "mlock", 218 "mlock2", 219 "mlockall", 220 "mmap", 221 "mmap2", 222 "mprotect", 223 "mq_getsetattr", 224 "mq_notify", 225 "mq_open", 226 "mq_timedreceive", 227 "mq_timedreceive_time64", 228 "mq_timedsend", 229 "mq_timedsend_time64", 230 "mq_unlink", 231 "mremap", 232 "msgctl", 233 "msgget", 234 "msgrcv", 235 "msgsnd", 236 "msync", 237 "munlock", 238 "munlockall", 239 "munmap", 240 "nanosleep", 241 "newfstatat", 242 "_newselect", 243 "open", 244 "openat", 245 "openat2", 246 "pause", 247 "pidfd_open", 248 "pidfd_send_signal", 249 "pipe", 250 "pipe2", 251 "pkey_alloc", 252 "pkey_free", 253 "pkey_mprotect", 254 "poll", 255 "ppoll", 256 "ppoll_time64", 257 "prctl", 258 "pread64", 259 "preadv", 260 "preadv2", 261 "prlimit64", 262 "process_mrelease", 263 "pselect6", 264 "pselect6_time64", 265 "pwrite64", 266 "pwritev", 267 "pwritev2", 268 "read", 269 "readahead", 270 "readlink", 271 "readlinkat", 272 "readv", 273 "recv", 274 "recvfrom", 275 "recvmmsg", 276 "recvmmsg_time64", 277 "recvmsg", 278 "remap_file_pages", 279 "removexattr", 280 "rename", 281 "renameat", 282 "renameat2", 283 "restart_syscall", 284 "rmdir", 285 "rseq", 286 "rt_sigaction", 287 "rt_sigpending", 288 "rt_sigprocmask", 289 "rt_sigqueueinfo", 290 "rt_sigreturn", 291 "rt_sigsuspend", 292 "rt_sigtimedwait", 293 "rt_sigtimedwait_time64", 294 "rt_tgsigqueueinfo", 295 "sched_getaffinity", 296 "sched_getattr", 297 "sched_getparam", 298 "sched_get_priority_max", 299 "sched_get_priority_min", 300 "sched_getscheduler", 301 "sched_rr_get_interval", 302 "sched_rr_get_interval_time64", 303 "sched_setaffinity", 304 "sched_setattr", 305 "sched_setparam", 306 "sched_setscheduler", 307 "sched_yield", 308 "seccomp", 309 "select", 310 "semctl", 311 "semget", 312 "semop", 313 "semtimedop", 314 "semtimedop_time64", 315 "send", 316 "sendfile", 317 "sendfile64", 318 "sendmmsg", 319 "sendmsg", 320 "sendto", 321 "setfsgid", 322 "setfsgid32", 323 "setfsuid", 324 "setfsuid32", 325 "setgid", 326 "setgid32", 327 "setgroups", 328 "setgroups32", 329 "setitimer", 330 "setpgid", 331 "setpriority", 332 "setregid", 333 "setregid32", 334 "setresgid", 335 "setresgid32", 336 "setresuid", 337 "setresuid32", 338 "setreuid", 339 "setreuid32", 340 "setrlimit", 341 "set_robust_list", 342 "setsid", 343 "setsockopt", 344 "set_thread_area", 345 "set_tid_address", 346 "setuid", 347 "setuid32", 348 "setxattr", 349 "shmat", 350 "shmctl", 351 "shmdt", 352 "shmget", 353 "shutdown", 354 "sigaltstack", 355 "signalfd", 356 "signalfd4", 357 "sigprocmask", 358 "sigreturn", 359 "socketcall", 360 "socketpair", 361 "splice", 362 "stat", 363 "stat64", 364 "statfs", 365 "statfs64", 366 "statx", 367 "symlink", 368 "symlinkat", 369 "sync", 370 "sync_file_range", 371 "syncfs", 372 "sysinfo", 373 "tee", 374 "tgkill", 375 "time", 376 "timer_create", 377 "timer_delete", 378 "timer_getoverrun", 379 "timer_gettime", 380 "timer_gettime64", 381 "timer_settime", 382 "timer_settime64", 383 "timerfd_create", 384 "timerfd_gettime", 385 "timerfd_gettime64", 386 "timerfd_settime", 387 "timerfd_settime64", 388 "times", 389 "tkill", 390 "truncate", 391 "truncate64", 392 "ugetrlimit", 393 "umask", 394 "uname", 395 "unlink", 396 "unlinkat", 397 "utime", 398 "utimensat", 399 "utimensat_time64", 400 "utimes", 401 "vfork", 402 "vmsplice", 403 "wait4", 404 "waitid", 405 "waitpid", 406 "write", 407 "writev" 408 ], 409 "action": "SCMP_ACT_ALLOW" 410 }, 411 { 412 "names": [ 413 "process_vm_readv", 414 "process_vm_writev", 415 "ptrace" 416 ], 417 "action": "SCMP_ACT_ALLOW", 418 "includes": { 419 "minKernel": "4.8" 420 } 421 }, 422 { 423 "names": [ 424 "socket" 425 ], 426 "action": "SCMP_ACT_ALLOW", 427 "args": [ 428 { 429 "index": 0, 430 "value": 40, 431 "op": "SCMP_CMP_NE" 432 } 433 ] 434 }, 435 { 436 "names": [ 437 "personality" 438 ], 439 "action": "SCMP_ACT_ALLOW", 440 "args": [ 441 { 442 "index": 0, 443 "value": 0, 444 "op": "SCMP_CMP_EQ" 445 } 446 ] 447 }, 448 { 449 "names": [ 450 "personality" 451 ], 452 "action": "SCMP_ACT_ALLOW", 453 "args": [ 454 { 455 "index": 0, 456 "value": 8, 457 "op": "SCMP_CMP_EQ" 458 } 459 ] 460 }, 461 { 462 "names": [ 463 "personality" 464 ], 465 "action": "SCMP_ACT_ALLOW", 466 "args": [ 467 { 468 "index": 0, 469 "value": 131072, 470 "op": "SCMP_CMP_EQ" 471 } 472 ] 473 }, 474 { 475 "names": [ 476 "personality" 477 ], 478 "action": "SCMP_ACT_ALLOW", 479 "args": [ 480 { 481 "index": 0, 482 "value": 131080, 483 "op": "SCMP_CMP_EQ" 484 } 485 ] 486 }, 487 { 488 "names": [ 489 "personality" 490 ], 491 "action": "SCMP_ACT_ALLOW", 492 "args": [ 493 { 494 "index": 0, 495 "value": 4294967295, 496 "op": "SCMP_CMP_EQ" 497 } 498 ] 499 }, 500 { 501 "names": [ 502 "sync_file_range2", 503 "swapcontext" 504 ], 505 "action": "SCMP_ACT_ALLOW", 506 "includes": { 507 "arches": [ 508 "ppc64le" 509 ] 510 } 511 }, 512 { 513 "names": [ 514 "arm_fadvise64_64", 515 "arm_sync_file_range", 516 "sync_file_range2", 517 "breakpoint", 518 "cacheflush", 519 "set_tls" 520 ], 521 "action": "SCMP_ACT_ALLOW", 522 "includes": { 523 "arches": [ 524 "arm", 525 "arm64" 526 ] 527 } 528 }, 529 { 530 "names": [ 531 "arch_prctl" 532 ], 533 "action": "SCMP_ACT_ALLOW", 534 "includes": { 535 "arches": [ 536 "amd64", 537 "x32" 538 ] 539 } 540 }, 541 { 542 "names": [ 543 "modify_ldt" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "includes": { 547 "arches": [ 548 "amd64", 549 "x32", 550 "x86" 551 ] 552 } 553 }, 554 { 555 "names": [ 556 "s390_pci_mmio_read", 557 "s390_pci_mmio_write", 558 "s390_runtime_instr" 559 ], 560 "action": "SCMP_ACT_ALLOW", 561 "includes": { 562 "arches": [ 563 "s390", 564 "s390x" 565 ] 566 } 567 }, 568 { 569 "names": [ 570 "riscv_flush_icache" 571 ], 572 "action": "SCMP_ACT_ALLOW", 573 "includes": { 574 "arches": [ 575 "riscv64" 576 ] 577 } 578 }, 579 { 580 "names": [ 581 "open_by_handle_at" 582 ], 583 "action": "SCMP_ACT_ALLOW", 584 "includes": { 585 "caps": [ 586 "CAP_DAC_READ_SEARCH" 587 ] 588 } 589 }, 590 { 591 "names": [ 592 "bpf", 593 "clone", 594 "clone3", 595 "fanotify_init", 596 "fsconfig", 597 "fsmount", 598 "fsopen", 599 "fspick", 600 "lookup_dcookie", 601 "mount", 602 "mount_setattr", 603 "move_mount", 604 "name_to_handle_at", 605 "open_tree", 606 "perf_event_open", 607 "quotactl", 608 "quotactl_fd", 609 "setdomainname", 610 "sethostname", 611 "setns", 612 "syslog", 613 "umount", 614 "umount2", 615 "unshare" 616 ], 617 "action": "SCMP_ACT_ALLOW", 618 "includes": { 619 "caps": [ 620 "CAP_SYS_ADMIN" 621 ] 622 } 623 }, 624 { 625 "names": [ 626 "clone" 627 ], 628 "action": "SCMP_ACT_ALLOW", 629 "args": [ 630 { 631 "index": 0, 632 "value": 2114060288, 633 "op": "SCMP_CMP_MASKED_EQ" 634 } 635 ], 636 "excludes": { 637 "caps": [ 638 "CAP_SYS_ADMIN" 639 ], 640 "arches": [ 641 "s390", 642 "s390x" 643 ] 644 } 645 }, 646 { 647 "names": [ 648 "clone" 649 ], 650 "action": "SCMP_ACT_ALLOW", 651 "args": [ 652 { 653 "index": 1, 654 "value": 2114060288, 655 "op": "SCMP_CMP_MASKED_EQ" 656 } 657 ], 658 "comment": "s390 parameter ordering for clone is different", 659 "includes": { 660 "arches": [ 661 "s390", 662 "s390x" 663 ] 664 }, 665 "excludes": { 666 "caps": [ 667 "CAP_SYS_ADMIN" 668 ] 669 } 670 }, 671 { 672 "names": [ 673 "clone3" 674 ], 675 "action": "SCMP_ACT_ERRNO", 676 "errnoRet": 38, 677 "excludes": { 678 "caps": [ 679 "CAP_SYS_ADMIN" 680 ] 681 } 682 }, 683 { 684 "names": [ 685 "reboot" 686 ], 687 "action": "SCMP_ACT_ALLOW", 688 "includes": { 689 "caps": [ 690 "CAP_SYS_BOOT" 691 ] 692 } 693 }, 694 { 695 "names": [ 696 "chroot" 697 ], 698 "action": "SCMP_ACT_ALLOW", 699 "includes": { 700 "caps": [ 701 "CAP_SYS_CHROOT" 702 ] 703 } 704 }, 705 { 706 "names": [ 707 "delete_module", 708 "init_module", 709 "finit_module" 710 ], 711 "action": "SCMP_ACT_ALLOW", 712 "includes": { 713 "caps": [ 714 "CAP_SYS_MODULE" 715 ] 716 } 717 }, 718 { 719 "names": [ 720 "acct" 721 ], 722 "action": "SCMP_ACT_ALLOW", 723 "includes": { 724 "caps": [ 725 "CAP_SYS_PACCT" 726 ] 727 } 728 }, 729 { 730 "names": [ 731 "kcmp", 732 "pidfd_getfd", 733 "process_madvise", 734 "process_vm_readv", 735 "process_vm_writev", 736 "ptrace" 737 ], 738 "action": "SCMP_ACT_ALLOW", 739 "includes": { 740 "caps": [ 741 "CAP_SYS_PTRACE" 742 ] 743 } 744 }, 745 { 746 "names": [ 747 "iopl", 748 "ioperm" 749 ], 750 "action": "SCMP_ACT_ALLOW", 751 "includes": { 752 "caps": [ 753 "CAP_SYS_RAWIO" 754 ] 755 } 756 }, 757 { 758 "names": [ 759 "settimeofday", 760 "stime", 761 "clock_settime", 762 "clock_settime64" 763 ], 764 "action": "SCMP_ACT_ALLOW", 765 "includes": { 766 "caps": [ 767 "CAP_SYS_TIME" 768 ] 769 } 770 }, 771 { 772 "names": [ 773 "vhangup" 774 ], 775 "action": "SCMP_ACT_ALLOW", 776 "includes": { 777 "caps": [ 778 "CAP_SYS_TTY_CONFIG" 779 ] 780 } 781 }, 782 { 783 "names": [ 784 "get_mempolicy", 785 "mbind", 786 "set_mempolicy" 787 ], 788 "action": "SCMP_ACT_ALLOW", 789 "includes": { 790 "caps": [ 791 "CAP_SYS_NICE" 792 ] 793 } 794 }, 795 { 796 "names": [ 797 "syslog" 798 ], 799 "action": "SCMP_ACT_ALLOW", 800 "includes": { 801 "caps": [ 802 "CAP_SYSLOG" 803 ] 804 } 805 }, 806 { 807 "names": [ 808 "bpf" 809 ], 810 "action": "SCMP_ACT_ALLOW", 811 "includes": { 812 "caps": [ 813 "CAP_BPF" 814 ] 815 } 816 }, 817 { 818 "names": [ 819 "perf_event_open" 820 ], 821 "action": "SCMP_ACT_ALLOW", 822 "includes": { 823 "caps": [ 824 "CAP_PERFMON" 825 ] 826 } 827 } 828 ] 829 }