github.com/yogeshlonkar/moby@v1.13.2-0.20201203103638-c0b64beaea94/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "alarm", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "prlimit64", 227 "pselect6", 228 "pwrite64", 229 "pwritev", 230 "read", 231 "readahead", 232 "readlink", 233 "readlinkat", 234 "readv", 235 "recv", 236 "recvfrom", 237 "recvmmsg", 238 "recvmsg", 239 "remap_file_pages", 240 "removexattr", 241 "rename", 242 "renameat", 243 "renameat2", 244 "restart_syscall", 245 "rmdir", 246 "rt_sigaction", 247 "rt_sigpending", 248 "rt_sigprocmask", 249 "rt_sigqueueinfo", 250 "rt_sigreturn", 251 "rt_sigsuspend", 252 "rt_sigtimedwait", 253 "rt_tgsigqueueinfo", 254 "sched_getaffinity", 255 "sched_getattr", 256 "sched_getparam", 257 "sched_get_priority_max", 258 "sched_get_priority_min", 259 "sched_getscheduler", 260 "sched_rr_get_interval", 261 "sched_setaffinity", 262 "sched_setattr", 263 "sched_setparam", 264 "sched_setscheduler", 265 "sched_yield", 266 "seccomp", 267 "select", 268 "semctl", 269 "semget", 270 "semop", 271 "semtimedop", 272 "send", 273 "sendfile", 274 "sendfile64", 275 "sendmmsg", 276 "sendmsg", 277 "sendto", 278 "setfsgid", 279 "setfsgid32", 280 "setfsuid", 281 "setfsuid32", 282 "setgid", 283 "setgid32", 284 "setgroups", 285 "setgroups32", 286 "setitimer", 287 "setpgid", 288 "setpriority", 289 "setregid", 290 "setregid32", 291 "setresgid", 292 "setresgid32", 293 "setresuid", 294 "setresuid32", 295 "setreuid", 296 "setreuid32", 297 "setrlimit", 298 "set_robust_list", 299 "setsid", 300 "setsockopt", 301 "set_thread_area", 302 "set_tid_address", 303 "setuid", 304 "setuid32", 305 "setxattr", 306 "shmat", 307 "shmctl", 308 "shmdt", 309 "shmget", 310 "shutdown", 311 "sigaltstack", 312 "signalfd", 313 "signalfd4", 314 "sigreturn", 315 "socketpair", 316 "splice", 317 "stat", 318 "stat64", 319 "statfs", 320 "statfs64", 321 "symlink", 322 "symlinkat", 323 "sync", 324 "sync_file_range", 325 "syncfs", 326 "sysinfo", 327 "syslog", 328 "tee", 329 "tgkill", 330 "time", 331 "timer_create", 332 "timer_delete", 333 "timerfd_create", 334 "timerfd_gettime", 335 "timerfd_settime", 336 "timer_getoverrun", 337 "timer_gettime", 338 "timer_settime", 339 "times", 340 "tkill", 341 "truncate", 342 "truncate64", 343 "ugetrlimit", 344 "umask", 345 "uname", 346 "unlink", 347 "unlinkat", 348 "utime", 349 "utimensat", 350 "utimes", 351 "vfork", 352 "vmsplice", 353 "wait4", 354 "waitid", 355 "waitpid", 356 "write", 357 "writev" 358 ], 359 "action": "SCMP_ACT_ALLOW", 360 "args": [], 361 "comment": "", 362 "includes": {}, 363 "excludes": {} 364 }, 365 { 366 "names": [ 367 "personality" 368 ], 369 "action": "SCMP_ACT_ALLOW", 370 "args": [ 371 { 372 "index": 0, 373 "value": 0, 374 "valueTwo": 0, 375 "op": "SCMP_CMP_EQ" 376 } 377 ], 378 "comment": "", 379 "includes": {}, 380 "excludes": {} 381 }, 382 { 383 "names": [ 384 "personality" 385 ], 386 "action": "SCMP_ACT_ALLOW", 387 "args": [ 388 { 389 "index": 0, 390 "value": 8, 391 "valueTwo": 0, 392 "op": "SCMP_CMP_EQ" 393 } 394 ], 395 "comment": "", 396 "includes": {}, 397 "excludes": {} 398 }, 399 { 400 "names": [ 401 "personality" 402 ], 403 "action": "SCMP_ACT_ALLOW", 404 "args": [ 405 { 406 "index": 0, 407 "value": 4294967295, 408 "valueTwo": 0, 409 "op": "SCMP_CMP_EQ" 410 } 411 ], 412 "comment": "", 413 "includes": {}, 414 "excludes": {} 415 }, 416 { 417 "names": [ 418 "socket" 419 ], 420 "action": "SCMP_ACT_ALLOW", 421 "args": [ 422 { 423 "index": 0, 424 "value": 1, 425 "valueTwo": 0, 426 "op": "SCMP_CMP_EQ" 427 } 428 ], 429 "comment": "", 430 "includes": {}, 431 "excludes": {} 432 }, 433 { 434 "names": [ 435 "socket" 436 ], 437 "action": "SCMP_ACT_ALLOW", 438 "args": [ 439 { 440 "index": 0, 441 "value": 2, 442 "valueTwo": 0, 443 "op": "SCMP_CMP_EQ" 444 } 445 ], 446 "comment": "", 447 "includes": {}, 448 "excludes": {} 449 }, 450 { 451 "names": [ 452 "socket" 453 ], 454 "action": "SCMP_ACT_ALLOW", 455 "args": [ 456 { 457 "index": 0, 458 "value": 10, 459 "valueTwo": 0, 460 "op": "SCMP_CMP_EQ" 461 } 462 ], 463 "comment": "", 464 "includes": {}, 465 "excludes": {} 466 }, 467 { 468 "names": [ 469 "socket" 470 ], 471 "action": "SCMP_ACT_ALLOW", 472 "args": [ 473 { 474 "index": 0, 475 "value": 16, 476 "valueTwo": 0, 477 "op": "SCMP_CMP_EQ" 478 } 479 ], 480 "comment": "", 481 "includes": {}, 482 "excludes": {} 483 }, 484 { 485 "names": [ 486 "socket" 487 ], 488 "action": "SCMP_ACT_ALLOW", 489 "args": [ 490 { 491 "index": 0, 492 "value": 17, 493 "valueTwo": 0, 494 "op": "SCMP_CMP_EQ" 495 } 496 ], 497 "comment": "", 498 "includes": {}, 499 "excludes": {} 500 }, 501 { 502 "names": [ 503 "socketcall" 504 ], 505 "action": "SCMP_ACT_ALLOW", 506 "args": [ 507 { 508 "index": 0, 509 "value": 1, 510 "valueTwo": 0, 511 "op": "SCMP_CMP_GT" 512 } 513 ], 514 "comment": "", 515 "includes": {}, 516 "excludes": {} 517 }, 518 { 519 "names": [ 520 "socketcall" 521 ], 522 "action": "SCMP_ACT_ALLOW", 523 "args": [ 524 { 525 "index": 0, 526 "value": 1, 527 "valueTwo": 0, 528 "op": "SCMP_CMP_EQ" 529 }, 530 { 531 "index": 1, 532 "value": 1, 533 "valueTwo": 0, 534 "op": "SCMP_CMP_EQ" 535 } 536 ], 537 "comment": "", 538 "includes": {}, 539 "excludes": {} 540 }, 541 { 542 "names": [ 543 "socketcall" 544 ], 545 "action": "SCMP_ACT_ALLOW", 546 "args": [ 547 { 548 "index": 0, 549 "value": 1, 550 "valueTwo": 0, 551 "op": "SCMP_CMP_EQ" 552 }, 553 { 554 "index": 1, 555 "value": 2, 556 "valueTwo": 0, 557 "op": "SCMP_CMP_EQ" 558 } 559 ], 560 "comment": "", 561 "includes": {}, 562 "excludes": {} 563 }, 564 { 565 "names": [ 566 "socketcall" 567 ], 568 "action": "SCMP_ACT_ALLOW", 569 "args": [ 570 { 571 "index": 0, 572 "value": 1, 573 "valueTwo": 0, 574 "op": "SCMP_CMP_EQ" 575 }, 576 { 577 "index": 1, 578 "value": 10, 579 "valueTwo": 0, 580 "op": "SCMP_CMP_EQ" 581 } 582 ], 583 "comment": "", 584 "includes": {}, 585 "excludes": {} 586 }, 587 { 588 "names": [ 589 "socketcall" 590 ], 591 "action": "SCMP_ACT_ALLOW", 592 "args": [ 593 { 594 "index": 0, 595 "value": 1, 596 "valueTwo": 0, 597 "op": "SCMP_CMP_EQ" 598 }, 599 { 600 "index": 1, 601 "value": 16, 602 "valueTwo": 0, 603 "op": "SCMP_CMP_EQ" 604 } 605 ], 606 "comment": "", 607 "includes": {}, 608 "excludes": {} 609 }, 610 { 611 "names": [ 612 "socketcall" 613 ], 614 "action": "SCMP_ACT_ALLOW", 615 "args": [ 616 { 617 "index": 0, 618 "value": 1, 619 "valueTwo": 0, 620 "op": "SCMP_CMP_EQ" 621 }, 622 { 623 "index": 1, 624 "value": 17, 625 "valueTwo": 0, 626 "op": "SCMP_CMP_EQ" 627 } 628 ], 629 "comment": "", 630 "includes": {}, 631 "excludes": {} 632 }, 633 { 634 "names": [ 635 "sync_file_range2" 636 ], 637 "action": "SCMP_ACT_ALLOW", 638 "args": [], 639 "comment": "", 640 "includes": { 641 "arches": [ 642 "ppc64le" 643 ] 644 }, 645 "excludes": {} 646 }, 647 { 648 "names": [ 649 "arm_fadvise64_64", 650 "arm_sync_file_range", 651 "sync_file_range2", 652 "breakpoint", 653 "cacheflush", 654 "set_tls" 655 ], 656 "action": "SCMP_ACT_ALLOW", 657 "args": [], 658 "comment": "", 659 "includes": { 660 "arches": [ 661 "arm", 662 "arm64" 663 ] 664 }, 665 "excludes": {} 666 }, 667 { 668 "names": [ 669 "arch_prctl" 670 ], 671 "action": "SCMP_ACT_ALLOW", 672 "args": [], 673 "comment": "", 674 "includes": { 675 "arches": [ 676 "amd64", 677 "x32" 678 ] 679 }, 680 "excludes": {} 681 }, 682 { 683 "names": [ 684 "modify_ldt" 685 ], 686 "action": "SCMP_ACT_ALLOW", 687 "args": [], 688 "comment": "", 689 "includes": { 690 "arches": [ 691 "amd64", 692 "x32", 693 "x86" 694 ] 695 }, 696 "excludes": {} 697 }, 698 { 699 "names": [ 700 "s390_pci_mmio_read", 701 "s390_pci_mmio_write", 702 "s390_runtime_instr" 703 ], 704 "action": "SCMP_ACT_ALLOW", 705 "args": [], 706 "comment": "", 707 "includes": { 708 "arches": [ 709 "s390", 710 "s390x" 711 ] 712 }, 713 "excludes": {} 714 }, 715 { 716 "names": [ 717 "open_by_handle_at" 718 ], 719 "action": "SCMP_ACT_ALLOW", 720 "args": [], 721 "comment": "", 722 "includes": { 723 "caps": [ 724 "CAP_DAC_READ_SEARCH" 725 ] 726 }, 727 "excludes": {} 728 }, 729 { 730 "names": [ 731 "bpf", 732 "clone", 733 "fanotify_init", 734 "lookup_dcookie", 735 "mount", 736 "name_to_handle_at", 737 "perf_event_open", 738 "setdomainname", 739 "sethostname", 740 "setns", 741 "umount", 742 "umount2", 743 "unshare" 744 ], 745 "action": "SCMP_ACT_ALLOW", 746 "args": [], 747 "comment": "", 748 "includes": { 749 "caps": [ 750 "CAP_SYS_ADMIN" 751 ] 752 }, 753 "excludes": {} 754 }, 755 { 756 "names": [ 757 "clone" 758 ], 759 "action": "SCMP_ACT_ALLOW", 760 "args": [ 761 { 762 "index": 0, 763 "value": 2080505856, 764 "valueTwo": 0, 765 "op": "SCMP_CMP_MASKED_EQ" 766 } 767 ], 768 "comment": "", 769 "includes": {}, 770 "excludes": { 771 "caps": [ 772 "CAP_SYS_ADMIN" 773 ], 774 "arches": [ 775 "s390", 776 "s390x" 777 ] 778 } 779 }, 780 { 781 "names": [ 782 "clone" 783 ], 784 "action": "SCMP_ACT_ALLOW", 785 "args": [ 786 { 787 "index": 1, 788 "value": 2080505856, 789 "valueTwo": 0, 790 "op": "SCMP_CMP_MASKED_EQ" 791 } 792 ], 793 "comment": "s390 parameter ordering for clone is different", 794 "includes": { 795 "arches": [ 796 "s390", 797 "s390x" 798 ] 799 }, 800 "excludes": { 801 "caps": [ 802 "CAP_SYS_ADMIN" 803 ] 804 } 805 }, 806 { 807 "names": [ 808 "reboot" 809 ], 810 "action": "SCMP_ACT_ALLOW", 811 "args": [], 812 "comment": "", 813 "includes": { 814 "caps": [ 815 "CAP_SYS_BOOT" 816 ] 817 }, 818 "excludes": {} 819 }, 820 { 821 "names": [ 822 "chroot" 823 ], 824 "action": "SCMP_ACT_ALLOW", 825 "args": [], 826 "comment": "", 827 "includes": { 828 "caps": [ 829 "CAP_SYS_CHROOT" 830 ] 831 }, 832 "excludes": {} 833 }, 834 { 835 "names": [ 836 "delete_module", 837 "init_module", 838 "finit_module", 839 "query_module" 840 ], 841 "action": "SCMP_ACT_ALLOW", 842 "args": [], 843 "comment": "", 844 "includes": { 845 "caps": [ 846 "CAP_SYS_MODULE" 847 ] 848 }, 849 "excludes": {} 850 }, 851 { 852 "names": [ 853 "acct" 854 ], 855 "action": "SCMP_ACT_ALLOW", 856 "args": [], 857 "comment": "", 858 "includes": { 859 "caps": [ 860 "CAP_SYS_PACCT" 861 ] 862 }, 863 "excludes": {} 864 }, 865 { 866 "names": [ 867 "kcmp", 868 "process_vm_readv", 869 "process_vm_writev", 870 "ptrace" 871 ], 872 "action": "SCMP_ACT_ALLOW", 873 "args": [], 874 "comment": "", 875 "includes": { 876 "caps": [ 877 "CAP_SYS_PTRACE" 878 ] 879 }, 880 "excludes": {} 881 }, 882 { 883 "names": [ 884 "iopl", 885 "ioperm" 886 ], 887 "action": "SCMP_ACT_ALLOW", 888 "args": [], 889 "comment": "", 890 "includes": { 891 "caps": [ 892 "CAP_SYS_RAWIO" 893 ] 894 }, 895 "excludes": {} 896 }, 897 { 898 "names": [ 899 "settimeofday", 900 "stime", 901 "adjtimex", 902 "clock_settime" 903 ], 904 "action": "SCMP_ACT_ALLOW", 905 "args": [], 906 "comment": "", 907 "includes": { 908 "caps": [ 909 "CAP_SYS_TIME" 910 ] 911 }, 912 "excludes": {} 913 }, 914 { 915 "names": [ 916 "vhangup" 917 ], 918 "action": "SCMP_ACT_ALLOW", 919 "args": [], 920 "comment": "", 921 "includes": { 922 "caps": [ 923 "CAP_SYS_TTY_CONFIG" 924 ] 925 }, 926 "excludes": {} 927 } 928 ] 929 }