github.com/skanehira/moby@v17.12.1-ce-rc2+incompatible/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "preadv2", 227 "prlimit64", 228 "pselect6", 229 "pwrite64", 230 "pwritev", 231 "pwritev2", 232 "read", 233 "readahead", 234 "readlink", 235 "readlinkat", 236 "readv", 237 "recv", 238 "recvfrom", 239 "recvmmsg", 240 "recvmsg", 241 "remap_file_pages", 242 "removexattr", 243 "rename", 244 "renameat", 245 "renameat2", 246 "restart_syscall", 247 "rmdir", 248 "rt_sigaction", 249 "rt_sigpending", 250 "rt_sigprocmask", 251 "rt_sigqueueinfo", 252 "rt_sigreturn", 253 "rt_sigsuspend", 254 "rt_sigtimedwait", 255 "rt_tgsigqueueinfo", 256 "sched_getaffinity", 257 "sched_getattr", 258 "sched_getparam", 259 "sched_get_priority_max", 260 "sched_get_priority_min", 261 "sched_getscheduler", 262 "sched_rr_get_interval", 263 "sched_setaffinity", 264 "sched_setattr", 265 "sched_setparam", 266 "sched_setscheduler", 267 "sched_yield", 268 "seccomp", 269 "select", 270 "semctl", 271 "semget", 272 "semop", 273 "semtimedop", 274 "send", 275 "sendfile", 276 "sendfile64", 277 "sendmmsg", 278 "sendmsg", 279 "sendto", 280 "setfsgid", 281 "setfsgid32", 282 "setfsuid", 283 "setfsuid32", 284 "setgid", 285 "setgid32", 286 "setgroups", 287 "setgroups32", 288 "setitimer", 289 "setpgid", 290 "setpriority", 291 "setregid", 292 "setregid32", 293 "setresgid", 294 "setresgid32", 295 "setresuid", 296 "setresuid32", 297 "setreuid", 298 "setreuid32", 299 "setrlimit", 300 "set_robust_list", 301 "setsid", 302 "setsockopt", 303 "set_thread_area", 304 "set_tid_address", 305 "setuid", 306 "setuid32", 307 "setxattr", 308 "shmat", 309 "shmctl", 310 "shmdt", 311 "shmget", 312 "shutdown", 313 "sigaltstack", 314 "signalfd", 315 "signalfd4", 316 "sigreturn", 317 "socket", 318 "socketcall", 319 "socketpair", 320 "splice", 321 "stat", 322 "stat64", 323 "statfs", 324 "statfs64", 325 "symlink", 326 "symlinkat", 327 "sync", 328 "sync_file_range", 329 "syncfs", 330 "sysinfo", 331 "syslog", 332 "tee", 333 "tgkill", 334 "time", 335 "timer_create", 336 "timer_delete", 337 "timerfd_create", 338 "timerfd_gettime", 339 "timerfd_settime", 340 "timer_getoverrun", 341 "timer_gettime", 342 "timer_settime", 343 "times", 344 "tkill", 345 "truncate", 346 "truncate64", 347 "ugetrlimit", 348 "umask", 349 "uname", 350 "unlink", 351 "unlinkat", 352 "utime", 353 "utimensat", 354 "utimes", 355 "vfork", 356 "vmsplice", 357 "wait4", 358 "waitid", 359 "waitpid", 360 "write", 361 "writev" 362 ], 363 "action": "SCMP_ACT_ALLOW", 364 "args": [], 365 "comment": "", 366 "includes": {}, 367 "excludes": {} 368 }, 369 { 370 "names": [ 371 "personality" 372 ], 373 "action": "SCMP_ACT_ALLOW", 374 "args": [ 375 { 376 "index": 0, 377 "value": 0, 378 "valueTwo": 0, 379 "op": "SCMP_CMP_EQ" 380 } 381 ], 382 "comment": "", 383 "includes": {}, 384 "excludes": {} 385 }, 386 { 387 "names": [ 388 "personality" 389 ], 390 "action": "SCMP_ACT_ALLOW", 391 "args": [ 392 { 393 "index": 0, 394 "value": 8, 395 "valueTwo": 0, 396 "op": "SCMP_CMP_EQ" 397 } 398 ], 399 "comment": "", 400 "includes": {}, 401 "excludes": {} 402 }, 403 { 404 "names": [ 405 "personality" 406 ], 407 "action": "SCMP_ACT_ALLOW", 408 "args": [ 409 { 410 "index": 0, 411 "value": 131072, 412 "valueTwo": 0, 413 "op": "SCMP_CMP_EQ" 414 } 415 ], 416 "comment": "", 417 "includes": {}, 418 "excludes": {} 419 }, 420 { 421 "names": [ 422 "personality" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [ 426 { 427 "index": 0, 428 "value": 131080, 429 "valueTwo": 0, 430 "op": "SCMP_CMP_EQ" 431 } 432 ], 433 "comment": "", 434 "includes": {}, 435 "excludes": {} 436 }, 437 { 438 "names": [ 439 "personality" 440 ], 441 "action": "SCMP_ACT_ALLOW", 442 "args": [ 443 { 444 "index": 0, 445 "value": 4294967295, 446 "valueTwo": 0, 447 "op": "SCMP_CMP_EQ" 448 } 449 ], 450 "comment": "", 451 "includes": {}, 452 "excludes": {} 453 }, 454 { 455 "names": [ 456 "sync_file_range2" 457 ], 458 "action": "SCMP_ACT_ALLOW", 459 "args": [], 460 "comment": "", 461 "includes": { 462 "arches": [ 463 "ppc64le" 464 ] 465 }, 466 "excludes": {} 467 }, 468 { 469 "names": [ 470 "arm_fadvise64_64", 471 "arm_sync_file_range", 472 "sync_file_range2", 473 "breakpoint", 474 "cacheflush", 475 "set_tls" 476 ], 477 "action": "SCMP_ACT_ALLOW", 478 "args": [], 479 "comment": "", 480 "includes": { 481 "arches": [ 482 "arm", 483 "arm64" 484 ] 485 }, 486 "excludes": {} 487 }, 488 { 489 "names": [ 490 "arch_prctl" 491 ], 492 "action": "SCMP_ACT_ALLOW", 493 "args": [], 494 "comment": "", 495 "includes": { 496 "arches": [ 497 "amd64", 498 "x32" 499 ] 500 }, 501 "excludes": {} 502 }, 503 { 504 "names": [ 505 "modify_ldt" 506 ], 507 "action": "SCMP_ACT_ALLOW", 508 "args": [], 509 "comment": "", 510 "includes": { 511 "arches": [ 512 "amd64", 513 "x32", 514 "x86" 515 ] 516 }, 517 "excludes": {} 518 }, 519 { 520 "names": [ 521 "s390_pci_mmio_read", 522 "s390_pci_mmio_write", 523 "s390_runtime_instr" 524 ], 525 "action": "SCMP_ACT_ALLOW", 526 "args": [], 527 "comment": "", 528 "includes": { 529 "arches": [ 530 "s390", 531 "s390x" 532 ] 533 }, 534 "excludes": {} 535 }, 536 { 537 "names": [ 538 "open_by_handle_at" 539 ], 540 "action": "SCMP_ACT_ALLOW", 541 "args": [], 542 "comment": "", 543 "includes": { 544 "caps": [ 545 "CAP_DAC_READ_SEARCH" 546 ] 547 }, 548 "excludes": {} 549 }, 550 { 551 "names": [ 552 "bpf", 553 "clone", 554 "fanotify_init", 555 "lookup_dcookie", 556 "mount", 557 "name_to_handle_at", 558 "perf_event_open", 559 "quotactl", 560 "setdomainname", 561 "sethostname", 562 "setns", 563 "umount", 564 "umount2", 565 "unshare" 566 ], 567 "action": "SCMP_ACT_ALLOW", 568 "args": [], 569 "comment": "", 570 "includes": { 571 "caps": [ 572 "CAP_SYS_ADMIN" 573 ] 574 }, 575 "excludes": {} 576 }, 577 { 578 "names": [ 579 "clone" 580 ], 581 "action": "SCMP_ACT_ALLOW", 582 "args": [ 583 { 584 "index": 0, 585 "value": 2080505856, 586 "valueTwo": 0, 587 "op": "SCMP_CMP_MASKED_EQ" 588 } 589 ], 590 "comment": "", 591 "includes": {}, 592 "excludes": { 593 "caps": [ 594 "CAP_SYS_ADMIN" 595 ], 596 "arches": [ 597 "s390", 598 "s390x" 599 ] 600 } 601 }, 602 { 603 "names": [ 604 "clone" 605 ], 606 "action": "SCMP_ACT_ALLOW", 607 "args": [ 608 { 609 "index": 1, 610 "value": 2080505856, 611 "valueTwo": 0, 612 "op": "SCMP_CMP_MASKED_EQ" 613 } 614 ], 615 "comment": "s390 parameter ordering for clone is different", 616 "includes": { 617 "arches": [ 618 "s390", 619 "s390x" 620 ] 621 }, 622 "excludes": { 623 "caps": [ 624 "CAP_SYS_ADMIN" 625 ] 626 } 627 }, 628 { 629 "names": [ 630 "reboot" 631 ], 632 "action": "SCMP_ACT_ALLOW", 633 "args": [], 634 "comment": "", 635 "includes": { 636 "caps": [ 637 "CAP_SYS_BOOT" 638 ] 639 }, 640 "excludes": {} 641 }, 642 { 643 "names": [ 644 "chroot" 645 ], 646 "action": "SCMP_ACT_ALLOW", 647 "args": [], 648 "comment": "", 649 "includes": { 650 "caps": [ 651 "CAP_SYS_CHROOT" 652 ] 653 }, 654 "excludes": {} 655 }, 656 { 657 "names": [ 658 "delete_module", 659 "init_module", 660 "finit_module", 661 "query_module" 662 ], 663 "action": "SCMP_ACT_ALLOW", 664 "args": [], 665 "comment": "", 666 "includes": { 667 "caps": [ 668 "CAP_SYS_MODULE" 669 ] 670 }, 671 "excludes": {} 672 }, 673 { 674 "names": [ 675 "acct" 676 ], 677 "action": "SCMP_ACT_ALLOW", 678 "args": [], 679 "comment": "", 680 "includes": { 681 "caps": [ 682 "CAP_SYS_PACCT" 683 ] 684 }, 685 "excludes": {} 686 }, 687 { 688 "names": [ 689 "kcmp", 690 "process_vm_readv", 691 "process_vm_writev", 692 "ptrace" 693 ], 694 "action": "SCMP_ACT_ALLOW", 695 "args": [], 696 "comment": "", 697 "includes": { 698 "caps": [ 699 "CAP_SYS_PTRACE" 700 ] 701 }, 702 "excludes": {} 703 }, 704 { 705 "names": [ 706 "iopl", 707 "ioperm" 708 ], 709 "action": "SCMP_ACT_ALLOW", 710 "args": [], 711 "comment": "", 712 "includes": { 713 "caps": [ 714 "CAP_SYS_RAWIO" 715 ] 716 }, 717 "excludes": {} 718 }, 719 { 720 "names": [ 721 "settimeofday", 722 "stime", 723 "clock_settime" 724 ], 725 "action": "SCMP_ACT_ALLOW", 726 "args": [], 727 "comment": "", 728 "includes": { 729 "caps": [ 730 "CAP_SYS_TIME" 731 ] 732 }, 733 "excludes": {} 734 }, 735 { 736 "names": [ 737 "vhangup" 738 ], 739 "action": "SCMP_ACT_ALLOW", 740 "args": [], 741 "comment": "", 742 "includes": { 743 "caps": [ 744 "CAP_SYS_TTY_CONFIG" 745 ] 746 }, 747 "excludes": {} 748 } 749 ] 750 }