// +build linux,seccomp

package seccomp

import (
	"syscall"

	"github.com/docker/docker/api/types"
)

// arches returns the architecture map used by the default profile: each
// primary architecture paired with the secondary architectures listed
// under it as SubArches.
func arches() []types.Architecture {
	// arch builds a single map entry; subs is stored as SubArches as-is.
	arch := func(primary types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: primary, SubArches: subs}
	}

	return []types.Architecture{
		arch(types.ArchX86_64, types.ArchX86, types.ArchX32),
		arch(types.ArchAARCH64, types.ArchARM),
		arch(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		arch(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		arch(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		arch(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		arch(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the allowlist for the default seccomp profile.
// Every syscall that is not listed falls through to DefaultAction
// (ActErrno); some entries are additionally gated on a capability, on an
// architecture, or on the value of specific arguments.
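func DefaultProfile() *types.Seccomp {
	// allow builds an unconditional allow rule with no argument filter.
	// Args is deliberately an empty, non-nil slice so that every rule in
	// the profile has the same shape.
	allow := func(names ...string) *types.Syscall {
		return &types.Syscall{
			Names:  names,
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		}
	}

	// allowWithCap builds an allow rule that is only included when the
	// container holds capName.
	allowWithCap := func(capName string, names ...string) *types.Syscall {
		rule := allow(names...)
		rule.Includes = types.Filter{Caps: []string{capName}}
		return rule
	}

	// allowOnArches builds an allow rule that is only included on the
	// given architectures.
	allowOnArches := func(archNames []string, names ...string) *types.Syscall {
		rule := allow(names...)
		rule.Includes = types.Filter{Arches: archNames}
		return rule
	}

	// allowArg0 builds an allow rule that matches only when the first
	// syscall argument is exactly value.
	allowArg0 := func(name string, value uint64) *types.Syscall {
		return &types.Syscall{
			Names:  []string{name},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 0, Value: value, Op: types.OpEqualTo},
			},
		}
	}

	// Address families a container may create sockets for. Any other
	// family is not matched by a socket/socketcall rule and so falls
	// through to DefaultAction.
	socketFamilies := []uint64{
		syscall.AF_UNIX,
		syscall.AF_INET,
		syscall.AF_INET6,
		syscall.AF_NETLINK,
		syscall.AF_PACKET,
	}

	// Namespace-creating clone flags. clone(2) without CAP_SYS_ADMIN is
	// only allowed when none of these bits is set (OpMaskedEqual against
	// zero), so an unprivileged container cannot create new namespaces.
	namespaceFlags := uint64(syscall.CLONE_NEWNS |
		syscall.CLONE_NEWUTS |
		syscall.CLONE_NEWIPC |
		syscall.CLONE_NEWUSER |
		syscall.CLONE_NEWPID |
		syscall.CLONE_NEWNET)

	syscalls := []*types.Syscall{
		// Unconditionally allowed syscalls. Each name appears once; the
		// list previously contained "alarm" twice.
		allow(
			"accept",
			"accept4",
			"access",
			"alarm",
			"bind",
			"brk",
			"capget",
			"capset",
			"chdir",
			"chmod",
			"chown",
			"chown32",
			"clock_getres",
			"clock_gettime",
			"clock_nanosleep",
			"close",
			"connect",
			"copy_file_range",
			"creat",
			"dup",
			"dup2",
			"dup3",
			"epoll_create",
			"epoll_create1",
			"epoll_ctl",
			"epoll_ctl_old",
			"epoll_pwait",
			"epoll_wait",
			"epoll_wait_old",
			"eventfd",
			"eventfd2",
			"execve",
			"execveat",
			"exit",
			"exit_group",
			"faccessat",
			"fadvise64",
			"fadvise64_64",
			"fallocate",
			"fanotify_mark",
			"fchdir",
			"fchmod",
			"fchmodat",
			"fchown",
			"fchown32",
			"fchownat",
			"fcntl",
			"fcntl64",
			"fdatasync",
			"fgetxattr",
			"flistxattr",
			"flock",
			"fork",
			"fremovexattr",
			"fsetxattr",
			"fstat",
			"fstat64",
			"fstatat64",
			"fstatfs",
			"fstatfs64",
			"fsync",
			"ftruncate",
			"ftruncate64",
			"futex",
			"futimesat",
			"getcpu",
			"getcwd",
			"getdents",
			"getdents64",
			"getegid",
			"getegid32",
			"geteuid",
			"geteuid32",
			"getgid",
			"getgid32",
			"getgroups",
			"getgroups32",
			"getitimer",
			"getpeername",
			"getpgid",
			"getpgrp",
			"getpid",
			"getppid",
			"getpriority",
			"getrandom",
			"getresgid",
			"getresgid32",
			"getresuid",
			"getresuid32",
			"getrlimit",
			"get_robust_list",
			"getrusage",
			"getsid",
			"getsockname",
			"getsockopt",
			"get_thread_area",
			"gettid",
			"gettimeofday",
			"getuid",
			"getuid32",
			"getxattr",
			"inotify_add_watch",
			"inotify_init",
			"inotify_init1",
			"inotify_rm_watch",
			"io_cancel",
			"ioctl",
			"io_destroy",
			"io_getevents",
			"ioprio_get",
			"ioprio_set",
			"io_setup",
			"io_submit",
			"ipc",
			"kill",
			"lchown",
			"lchown32",
			"lgetxattr",
			"link",
			"linkat",
			"listen",
			"listxattr",
			"llistxattr",
			"_llseek",
			"lremovexattr",
			"lseek",
			"lsetxattr",
			"lstat",
			"lstat64",
			"madvise",
			"memfd_create",
			"mincore",
			"mkdir",
			"mkdirat",
			"mknod",
			"mknodat",
			"mlock",
			"mlock2",
			"mlockall",
			"mmap",
			"mmap2",
			"mprotect",
			"mq_getsetattr",
			"mq_notify",
			"mq_open",
			"mq_timedreceive",
			"mq_timedsend",
			"mq_unlink",
			"mremap",
			"msgctl",
			"msgget",
			"msgrcv",
			"msgsnd",
			"msync",
			"munlock",
			"munlockall",
			"munmap",
			"nanosleep",
			"newfstatat",
			"_newselect",
			"open",
			"openat",
			"pause",
			"pipe",
			"pipe2",
			"poll",
			"ppoll",
			"prctl",
			"pread64",
			"preadv",
			"prlimit64",
			"pselect6",
			"pwrite64",
			"pwritev",
			"read",
			"readahead",
			"readlink",
			"readlinkat",
			"readv",
			"recv",
			"recvfrom",
			"recvmmsg",
			"recvmsg",
			"remap_file_pages",
			"removexattr",
			"rename",
			"renameat",
			"renameat2",
			"restart_syscall",
			"rmdir",
			"rt_sigaction",
			"rt_sigpending",
			"rt_sigprocmask",
			"rt_sigqueueinfo",
			"rt_sigreturn",
			"rt_sigsuspend",
			"rt_sigtimedwait",
			"rt_tgsigqueueinfo",
			"sched_getaffinity",
			"sched_getattr",
			"sched_getparam",
			"sched_get_priority_max",
			"sched_get_priority_min",
			"sched_getscheduler",
			"sched_rr_get_interval",
			"sched_setaffinity",
			"sched_setattr",
			"sched_setparam",
			"sched_setscheduler",
			"sched_yield",
			"seccomp",
			"select",
			"semctl",
			"semget",
			"semop",
			"semtimedop",
			"send",
			"sendfile",
			"sendfile64",
			"sendmmsg",
			"sendmsg",
			"sendto",
			"setfsgid",
			"setfsgid32",
			"setfsuid",
			"setfsuid32",
			"setgid",
			"setgid32",
			"setgroups",
			"setgroups32",
			"setitimer",
			"setpgid",
			"setpriority",
			"setregid",
			"setregid32",
			"setresgid",
			"setresgid32",
			"setresuid",
			"setresuid32",
			"setreuid",
			"setreuid32",
			"setrlimit",
			"set_robust_list",
			"setsid",
			"setsockopt",
			"set_thread_area",
			"set_tid_address",
			"setuid",
			"setuid32",
			"setxattr",
			"shmat",
			"shmctl",
			"shmdt",
			"shmget",
			"shutdown",
			"sigaltstack",
			"signalfd",
			"signalfd4",
			"sigreturn",
			"socketpair",
			"splice",
			"stat",
			"stat64",
			"statfs",
			"statfs64",
			"symlink",
			"symlinkat",
			"sync",
			"sync_file_range",
			"syncfs",
			"sysinfo",
			"syslog",
			"tee",
			"tgkill",
			"time",
			"timer_create",
			"timer_delete",
			"timerfd_create",
			"timerfd_gettime",
			"timerfd_settime",
			"timer_getoverrun",
			"timer_gettime",
			"timer_settime",
			"times",
			"tkill",
			"truncate",
			"truncate64",
			"ugetrlimit",
			"umask",
			"uname",
			"unlink",
			"unlinkat",
			"utime",
			"utimensat",
			"utimes",
			"vfork",
			"vmsplice",
			"wait4",
			"waitid",
			"waitpid",
			"write",
			"writev",
		),
		// personality(2) is restricted to PER_LINUX (0x0), PER_LINUX32
		// (0x0008) and 0xffffffff, the value that queries the current
		// persona without changing it. Other personas are denied.
		allowArg0("personality", 0x0),
		allowArg0("personality", 0x0008),
		allowArg0("personality", 0xffffffff),
	}

	for _, family := range socketFamilies {
		syscalls = append(syscalls, allowArg0("socket", family))
	}

	// socketcall(1, ...) is equivalent to socket(...) on some architectures eg i386
	// Every multiplexed call with a number above 1 is allowed outright;
	// call 1 is only allowed for the same families as socket(2) above.
	syscalls = append(syscalls, &types.Syscall{
		Names:  []string{"socketcall"},
		Action: types.ActAllow,
		Args: []*types.Arg{
			{Index: 0, Value: 1, Op: types.OpGreaterThan},
		},
	})
	for _, family := range socketFamilies {
		syscalls = append(syscalls, &types.Syscall{
			Names:  []string{"socketcall"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 0, Value: 1, Op: types.OpEqualTo},
				{Index: 1, Value: family, Op: types.OpEqualTo},
			},
		})
	}

	syscalls = append(syscalls,
		// Architecture-specific syscalls.
		allowOnArches([]string{"ppc64le"},
			"sync_file_range2",
		),
		allowOnArches([]string{"arm", "arm64"},
			"arm_fadvise64_64",
			"arm_sync_file_range",
			"sync_file_range2",
			"breakpoint",
			"cacheflush",
			"set_tls",
		),
		allowOnArches([]string{"amd64", "x32"},
			"arch_prctl",
		),
		allowOnArches([]string{"amd64", "x32", "x86"},
			"modify_ldt",
		),
		allowOnArches([]string{"s390", "s390x"},
			"s390_pci_mmio_read",
			"s390_pci_mmio_write",
			"s390_runtime_instr",
		),

		// Capability-gated syscalls.
		allowWithCap("CAP_DAC_READ_SEARCH",
			"open_by_handle_at",
		),
		allowWithCap("CAP_SYS_ADMIN",
			"bpf",
			"clone",
			"fanotify_init",
			"lookup_dcookie",
			"mount",
			"name_to_handle_at",
			"perf_event_open",
			"setdomainname",
			"sethostname",
			"setns",
			"umount",
			"umount2",
			"unshare",
		),

		// clone(2) without CAP_SYS_ADMIN: the flags argument (index 0)
		// must have no namespace bits set. Excluded when the container has
		// CAP_SYS_ADMIN (covered by the unconditional rule above) and on
		// s390/s390x, which get their own rule next.
		&types.Syscall{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 0, Value: namespaceFlags, ValueTwo: 0, Op: types.OpMaskedEqual},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same check on s390/s390x, where the flags are argument index 1.
		&types.Syscall{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 1, Value: namespaceFlags, ValueTwo: 0, Op: types.OpMaskedEqual},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},

		allowWithCap("CAP_SYS_BOOT",
			"reboot",
		),
		allowWithCap("CAP_SYS_CHROOT",
			"chroot",
		),
		allowWithCap("CAP_SYS_MODULE",
			"delete_module",
			"init_module",
			"finit_module",
			"query_module",
		),
		allowWithCap("CAP_SYS_PACCT",
			"acct",
		),
		allowWithCap("CAP_SYS_PTRACE",
			"kcmp",
			"process_vm_readv",
			"process_vm_writev",
			"ptrace",
		),
		allowWithCap("CAP_SYS_RAWIO",
			"iopl",
			"ioperm",
		),
		allowWithCap("CAP_SYS_TIME",
			"settimeofday",
			"stime",
			"adjtimex",
			"clock_settime",
		),
		allowWithCap("CAP_SYS_TTY_CONFIG",
			"vhangup",
		),
	)

	// Deny-by-default: anything not matched above returns an errno.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}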