// +build linux,seccomp

package seccomp

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile: one
// entry per primary architecture, each paired with the sub-architectures
// it is grouped with. How the map is consumed lives outside this file.
func arches() []types.Architecture {
	// entry builds one Architecture; the variadic slice has len == cap ==
	// number of sub-arches, exactly like a hand-written []types.Arch{...}.
	entry := func(primary types.Arch, sub ...types.Arch) types.Architecture {
		return types.Architecture{Arch: primary, SubArches: sub}
	}
	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
// Every syscall not matched by one of its rules falls through to the
// profile's DefaultAction (ActErrno).
func DefaultProfile() *types.Seccomp {
	// Each rule lists syscall names, the action taken when one of them is
	// invoked, optional per-argument constraints, and Includes/Excludes
	// filters keyed on architecture or container capability. The code that
	// evaluates those filters against a container's config (and whether
	// Caps and Arches inside one filter combine as AND or OR) lives outside
	// this file; the comments below describe only what the rule data says.
	syscalls := []*types.Syscall{
		// Baseline: allowed on every arch regardless of capabilities, with no
		// argument inspection. Args is an explicit empty literal rather than
		// nil, so a serialised rule reads as [] instead of null.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_getres",
				"clock_gettime",
				"clock_nanosleep",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedsend",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"pause",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"syslog",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_settime",
				"timer_getoverrun",
				"timer_gettime",
				"timer_settime",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		},
		// personality(2) is not in the baseline list; it is allowed only for
		// a fixed set of values of its first argument, one rule per value,
		// each an exact match on arg 0. Any other personality is denied by
		// the profile's DefaultAction. The values presumably correspond to
		// the kernel's PER_LINUX (0x0), PER_LINUX32 (0x0008), UNAME26
		// (0x20000), UNAME26|PER_LINUX32 (0x20008) and the "query current
		// personality" sentinel (0xffffffff) — confirm against
		// <linux/personality.h> before changing this set.
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    types.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    types.OpEqualTo,
				},
			},
		},
		// Architecture-specific additions: each of the following rules is
		// included only on the listed arches.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated rules: each of the following is included only when
		// the container holds the named capability, so dropping the
		// capability also removes the syscall from the whitelist.
		//
		// open_by_handle_at opens a file from an opaque handle rather than a
		// path walk, bypassing directory permission checks; it is gated on
		// CAP_DAC_READ_SEARCH, which the kernel itself also requires for it.
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// Namespace, mount, tracing and host-naming syscalls, allowed without
		// argument restrictions only with CAP_SYS_ADMIN. Note that clone
		// appears here unrestricted and again below with a flag mask for the
		// no-CAP_SYS_ADMIN case; setns and unshare have no such fallback, so
		// without CAP_SYS_ADMIN they are denied outright.
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"umount",
				"umount2",
				"unshare",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creating CLONE_NEW* flags in Value are set: OpMaskedEqual
		// with ValueTwo 0 presumably means (arg0 & Value) == 0 — confirm
		// against the seccomp backend's handling of OpMaskedEqual. This keeps
		// ordinary thread/process creation working while blocking new
		// user/mount/pid/net/ipc/uts namespaces. s390/s390x are excluded here
		// because the flags live in a different argument on that arch (see
		// the next rule).
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same mask as the rule above, but on arg 1 for s390/s390x. Keep the
		// two flag masks in sync when editing either.
		{
			Names: []string{
				"clone",
			},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		// Kernel module loading/unloading is only reachable with
		// CAP_SYS_MODULE.
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
				"query_module",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// Cross-process inspection and memory access (ptrace and friends) are
		// gated on CAP_SYS_PTRACE.
		{
			Names: []string{
				"kcmp",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		// Raw I/O port access requires CAP_SYS_RAWIO.
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		// Setting the system clock requires CAP_SYS_TIME; reading it is in
		// the baseline list.
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: types.ActAllow,
			Args:   []*types.Arg{},
			Includes: types.Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
	}

	// Anything not matched above is rejected with an errno returned to the
	// caller (ActErrno) rather than by killing the process, and the arch map
	// from arches() tells the backend which sub-architectures to cover.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}