package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map of the default profile. Each entry
// pairs a primary architecture with the compatibility sub-architectures
// (32-bit / x32 / n32 ABIs) that belong to it; the loader elsewhere in this
// package is what consumes this map, presumably to install the filter for
// every ABI a process on that host could use to enter the kernel. A
// sub-architecture missing from its primary's list would therefore leave
// that ABI unfiltered, so keep the pairs complete when adding a new arch.
func arches() []Architecture {
	// pair builds one entry; calling it without sub-architectures leaves
	// SubArches nil (riscv64 has no compat ABI).
	pair := func(primary specs.Arch, subs ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: subs}
	}
	return []Architecture{
		pair(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		pair(specs.ArchAARCH64, specs.ArchARM),
		pair(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		pair(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		pair(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		pair(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		pair(specs.ArchS390X, specs.ArchS390),
		pair(specs.ArchRISCV64),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
// It is an allow-list: every syscall not matched by one of its rules fails
// with EPERM, and the rules that do widen it are conditioned on the
// container's capabilities (CAP_SYS_ADMIN, CAP_SYS_PTRACE, ...), the host
// kernel version, the architecture, or specific argument values. Granting a
// capability (e.g. --cap-add SYS_ADMIN) therefore also unlocks the syscalls
// gated on it here.
func DefaultProfile() *Seccomp {
	// Errno returned for clone3 when the caller lacks CAP_SYS_ADMIN (see the
	// clone3 rule below). It is ENOSYS rather than the profile-wide EPERM so
	// that a libc probing for clone3 treats it as unimplemented and falls back
	// to clone, whose flags argument this profile can actually inspect.
	nosys := uint(unix.ENOSYS)
	syscalls := []*Syscall{
		// Unconditionally allowed syscalls: no capability, kernel-version or
		// argument condition. Anything not matched by some rule in this slice
		// falls through to the DefaultAction (EPERM) set at the bottom of this
		// function, so adding a name here widens the profile for every container.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"accept",
					"accept4",
					"access",
					"adjtimex",
					"alarm",
					"bind",
					"brk",
					"capget",
					"capset",
					"chdir",
					"chmod",
					"chown",
					"chown32",
					"clock_adjtime",
					"clock_adjtime64",
					"clock_getres",
					"clock_getres_time64",
					"clock_gettime",
					"clock_gettime64",
					"clock_nanosleep",
					"clock_nanosleep_time64",
					"close",
					"close_range",
					"connect",
					"copy_file_range",
					"creat",
					"dup",
					"dup2",
					"dup3",
					"epoll_create",
					"epoll_create1",
					"epoll_ctl",
					"epoll_ctl_old",
					"epoll_pwait",
					"epoll_pwait2",
					"epoll_wait",
					"epoll_wait_old",
					"eventfd",
					"eventfd2",
					"execve",
					"execveat",
					"exit",
					"exit_group",
					"faccessat",
					"faccessat2",
					"fadvise64",
					"fadvise64_64",
					"fallocate",
					"fanotify_mark",
					"fchdir",
					"fchmod",
					"fchmodat",
					"fchown",
					"fchown32",
					"fchownat",
					"fcntl",
					"fcntl64",
					"fdatasync",
					"fgetxattr",
					"flistxattr",
					"flock",
					"fork",
					"fremovexattr",
					"fsetxattr",
					"fstat",
					"fstat64",
					"fstatat64",
					"fstatfs",
					"fstatfs64",
					"fsync",
					"ftruncate",
					"ftruncate64",
					"futex",
					"futex_time64",
					"futex_waitv",
					"futimesat",
					"getcpu",
					"getcwd",
					"getdents",
					"getdents64",
					"getegid",
					"getegid32",
					"geteuid",
					"geteuid32",
					"getgid",
					"getgid32",
					"getgroups",
					"getgroups32",
					"getitimer",
					"getpeername",
					"getpgid",
					"getpgrp",
					"getpid",
					"getppid",
					"getpriority",
					"getrandom",
					"getresgid",
					"getresgid32",
					"getresuid",
					"getresuid32",
					"getrlimit",
					"get_robust_list",
					"getrusage",
					"getsid",
					"getsockname",
					"getsockopt",
					"get_thread_area",
					"gettid",
					"gettimeofday",
					"getuid",
					"getuid32",
					"getxattr",
					"inotify_add_watch",
					"inotify_init",
					"inotify_init1",
					"inotify_rm_watch",
					"io_cancel",
					"ioctl",
					"io_destroy",
					"io_getevents",
					"io_pgetevents",
					"io_pgetevents_time64",
					"ioprio_get",
					"ioprio_set",
					"io_setup",
					"io_submit",
					"io_uring_enter",
					"io_uring_register",
					"io_uring_setup",
					"ipc",
					"kill",
					"landlock_add_rule",
					"landlock_create_ruleset",
					"landlock_restrict_self",
					"lchown",
					"lchown32",
					"lgetxattr",
					"link",
					"linkat",
					"listen",
					"listxattr",
					"llistxattr",
					"_llseek",
					"lremovexattr",
					"lseek",
					"lsetxattr",
					"lstat",
					"lstat64",
					"madvise",
					"membarrier",
					"memfd_create",
					"memfd_secret",
					"mincore",
					"mkdir",
					"mkdirat",
					"mknod",
					"mknodat",
					"mlock",
					"mlock2",
					"mlockall",
					"mmap",
					"mmap2",
					"mprotect",
					"mq_getsetattr",
					"mq_notify",
					"mq_open",
					"mq_timedreceive",
					"mq_timedreceive_time64",
					"mq_timedsend",
					"mq_timedsend_time64",
					"mq_unlink",
					"mremap",
					"msgctl",
					"msgget",
					"msgrcv",
					"msgsnd",
					"msync",
					"munlock",
					"munlockall",
					"munmap",
					"nanosleep",
					"newfstatat",
					"_newselect",
					"open",
					"openat",
					"openat2",
					"pause",
					"pidfd_open",
					"pidfd_send_signal",
					"pipe",
					"pipe2",
					"pkey_alloc",
					"pkey_free",
					"pkey_mprotect",
					"poll",
					"ppoll",
					"ppoll_time64",
					"prctl",
					"pread64",
					"preadv",
					"preadv2",
					"prlimit64",
					"process_mrelease",
					"pselect6",
					"pselect6_time64",
					"pwrite64",
					"pwritev",
					"pwritev2",
					"read",
					"readahead",
					"readlink",
					"readlinkat",
					"readv",
					"recv",
					"recvfrom",
					"recvmmsg",
					"recvmmsg_time64",
					"recvmsg",
					"remap_file_pages",
					"removexattr",
					"rename",
					"renameat",
					"renameat2",
					"restart_syscall",
					"rmdir",
					"rseq",
					"rt_sigaction",
					"rt_sigpending",
					"rt_sigprocmask",
					"rt_sigqueueinfo",
					"rt_sigreturn",
					"rt_sigsuspend",
					"rt_sigtimedwait",
					"rt_sigtimedwait_time64",
					"rt_tgsigqueueinfo",
					"sched_getaffinity",
					"sched_getattr",
					"sched_getparam",
					"sched_get_priority_max",
					"sched_get_priority_min",
					"sched_getscheduler",
					"sched_rr_get_interval",
					"sched_rr_get_interval_time64",
					"sched_setaffinity",
					"sched_setattr",
					"sched_setparam",
					"sched_setscheduler",
					"sched_yield",
					"seccomp",
					"select",
					"semctl",
					"semget",
					"semop",
					"semtimedop",
					"semtimedop_time64",
					"send",
					"sendfile",
					"sendfile64",
					"sendmmsg",
					"sendmsg",
					"sendto",
					"setfsgid",
					"setfsgid32",
					"setfsuid",
					"setfsuid32",
					"setgid",
					"setgid32",
					"setgroups",
					"setgroups32",
					"setitimer",
					"setpgid",
					"setpriority",
					"setregid",
					"setregid32",
					"setresgid",
					"setresgid32",
					"setresuid",
					"setresuid32",
					"setreuid",
					"setreuid32",
					"setrlimit",
					"set_robust_list",
					"setsid",
					"setsockopt",
					"set_thread_area",
					"set_tid_address",
					"setuid",
					"setuid32",
					"setxattr",
					"shmat",
					"shmctl",
					"shmdt",
					"shmget",
					"shutdown",
					"sigaltstack",
					"signalfd",
					"signalfd4",
					"sigprocmask",
					"sigreturn",
					"socketcall",
					"socketpair",
					"splice",
					"stat",
					"stat64",
					"statfs",
					"statfs64",
					"statx",
					"symlink",
					"symlinkat",
					"sync",
					"sync_file_range",
					"syncfs",
					"sysinfo",
					"tee",
					"tgkill",
					"time",
					"timer_create",
					"timer_delete",
					"timer_getoverrun",
					"timer_gettime",
					"timer_gettime64",
					"timer_settime",
					"timer_settime64",
					"timerfd_create",
					"timerfd_gettime",
					"timerfd_gettime64",
					"timerfd_settime",
					"timerfd_settime64",
					"times",
					"tkill",
					"truncate",
					"truncate64",
					"ugetrlimit",
					"umask",
					"uname",
					"unlink",
					"unlinkat",
					"utime",
					"utimensat",
					"utimensat_time64",
					"utimes",
					"vfork",
					"vmsplice",
					"wait4",
					"waitid",
					"waitpid",
					"write",
					"writev",
				},
				Action: specs.ActAllow,
			},
		},
		// Tracing and cross-process memory access are allowed without
		// CAP_SYS_PTRACE only on kernels >= 4.8. Before 4.8 a tracer could
		// rewrite a syscall after the seccomp filter had already approved it,
		// turning ptrace into a filter bypass; from 4.8 on seccomp runs first.
		// Whether the host satisfies MinKernel is evaluated by the loader, not
		// here. The same names are allowed under CAP_SYS_PTRACE further down.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// socket(2) is allowed for every address family except AF_VSOCK:
		// arg 0 (domain) is compared against AF_VSOCK with OpNotEqual. Only
		// the family is checked; type and protocol are unconstrained.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"socket"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: unix.AF_VSOCK,
						Op:    specs.OpNotEqual,
					},
				},
			},
		},
		// personality(2) is restricted to a handful of persona values (each
		// rule below matches one exact arg-0 value; libseccomp OR's rules for
		// the same syscall). Any other persona, including the ones that
		// disable ASLR or make mappings executable, is denied with EPERM.
		//
		// 0x0: PER_LINUX, the default persona.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x0008: PER_LINUX32 (report a 32-bit machine in uname).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x0008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x20000: UNAME26 (report a 2.6.x kernel version in uname).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20000,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0x20008: PER_LINUX32 | UNAME26.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0x20008,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// 0xffffffff: query the current persona without changing it.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{"personality"},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index: 0,
						Value: 0xffffffff,
						Op:    specs.OpEqualTo,
					},
				},
			},
		},
		// Architecture-specific syscalls, each enabled only on the arches
		// named in its Includes filter (the loader matches the host arch).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"sync_file_range2",
					"swapcontext",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arm_fadvise64_64",
					"arm_sync_file_range",
					"sync_file_range2",
					"breakpoint",
					"cacheflush",
					"set_tls",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"arch_prctl",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"modify_ldt",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"s390_pci_mmio_read",
					"s390_pci_mmio_write",
					"s390_runtime_instr",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"riscv_flush_icache",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Arches: []string{"riscv64"},
			},
		},
		// Capability-gated syscalls. Each Includes.Caps rule is active only
		// when the container is granted that capability; the kernel itself
		// also checks the capability at call time, so these rules mainly
		// stop an unprivileged container from even reaching that check.
		//
		// open_by_handle_at opens an inode from a raw file handle and so
		// bypasses path-based confinement (the classic "shocker" escape);
		// the kernel requires CAP_DAC_READ_SEARCH for it as well.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"open_by_handle_at",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// Namespace, mount, bpf, perf, quota, hostname and kernel-log
		// syscalls only with CAP_SYS_ADMIN. With this capability clone and
		// clone3 are allowed unconditionally here, which is why the two
		// masked clone rules and the clone3 ENOSYS rule below all exclude
		// CAP_SYS_ADMIN. bpf, perf_event_open and syslog additionally have
		// narrower rules (CAP_BPF, CAP_PERFMON, CAP_SYSLOG) further down.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"bpf",
					"clone",
					"clone3",
					"fanotify_init",
					"fsconfig",
					"fsmount",
					"fsopen",
					"fspick",
					"lookup_dcookie",
					"mount",
					"mount_setattr",
					"move_mount",
					"name_to_handle_at",
					"open_tree",
					"perf_event_open",
					"quotactl",
					"quotactl_fd",
					"setdomainname",
					"sethostname",
					"setns",
					"syslog",
					"umount",
					"umount2",
					"unshare",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// CLONE_NEW* namespace bits are set in its flags argument:
		// OpMaskedEqual with ValueTwo 0 means (flags & mask) == 0. On every
		// arch except s390 the flags are arg 0. This rule is excluded both
		// for CAP_SYS_ADMIN (covered above) and for s390/s390x (covered by
		// the next rule); how Caps and Arches combine within a single
		// Excludes filter is decided by the loader, not visible here.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    0,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Excludes: &Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same namespace-flag mask as above, but s390 passes the flags in
		// arg 1 (Index 1), so a separate rule is needed for that arch.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone",
				},
				Action: specs.ActAllow,
				Args: []specs.LinuxSeccompArg{
					{
						Index:    1,
						Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
						ValueTwo: 0,
						Op:       specs.OpMaskedEqual,
					},
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: &Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// clone3 takes its flags inside a struct passed by pointer, which a
		// seccomp filter cannot dereference, so the namespace mask used for
		// clone cannot be applied to it. Without CAP_SYS_ADMIN it is
		// therefore rejected with ENOSYS (see nosys above) rather than
		// EPERM, so that a libc falls back to the filterable clone(2).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"clone3",
				},
				Action:   specs.ActErrno,
				ErrnoRet: &nosys,
			},
			Excludes: &Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// reboot only with CAP_SYS_BOOT.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"reboot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		// chroot only with CAP_SYS_CHROOT.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"chroot",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		// Kernel module loading/unloading only with CAP_SYS_MODULE.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"delete_module",
					"init_module",
					"finit_module",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		// Process accounting only with CAP_SYS_PACCT.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"acct",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// Cross-process inspection and control with CAP_SYS_PTRACE,
		// independent of kernel version (ptrace and process_vm_* are also
		// allowed on kernels >= 4.8 without the capability, see above).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"kcmp",
					"pidfd_getfd",
					"process_madvise",
					"process_vm_readv",
					"process_vm_writev",
					"ptrace",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		// Raw I/O port access only with CAP_SYS_RAWIO.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"iopl",
					"ioperm",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		// Setting the system clock only with CAP_SYS_TIME.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"settimeofday",
					"stime",
					"clock_settime",
					"clock_settime64",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		// vhangup only with CAP_SYS_TTY_CONFIG.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"vhangup",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		// NUMA memory-policy syscalls only with CAP_SYS_NICE.
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"get_mempolicy",
					"mbind",
					"set_mempolicy",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		// Kernel log access with CAP_SYSLOG (also allowed under CAP_SYS_ADMIN
		// above).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"syslog",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
		// bpf with CAP_BPF (also allowed under CAP_SYS_ADMIN above).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"bpf",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_BPF"},
			},
		},
		// perf_event_open with CAP_PERFMON (also allowed under CAP_SYS_ADMIN
		// above).
		{
			LinuxSyscall: specs.LinuxSyscall{
				Names: []string{
					"perf_event_open",
				},
				Action: specs.ActAllow,
			},
			Includes: &Filter{
				Caps: []string{"CAP_PERFMON"},
			},
		},
	}

	// Anything not matched by a rule above fails with EPERM (not SIGKILL), so
	// a program making an unexpected syscall sees a permission error instead
	// of being killed. ArchMap is the primary/sub-architecture table from
	// arches().
	errnoRet := uint(unix.EPERM)
	return &Seccomp{
		LinuxSeccomp: specs.LinuxSeccomp{
			DefaultAction:   specs.ActErrno,
			DefaultErrnoRet: &errnoRet,
		},
		ArchMap:  arches(),
		Syscalls: syscalls,
	}
}