github.com/zhouyu0/docker-note@v0.0.0-20190722021225-b8d3825084db/profiles/seccomp/default.json (about) 1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "close", 72 "connect", 73 "copy_file_range", 74 "creat", 75 "dup", 76 "dup2", 77 "dup3", 78 "epoll_create", 79 "epoll_create1", 80 "epoll_ctl", 81 "epoll_ctl_old", 82 "epoll_pwait", 83 "epoll_wait", 84 "epoll_wait_old", 85 "eventfd", 86 "eventfd2", 87 "execve", 88 "execveat", 89 "exit", 90 "exit_group", 91 "faccessat", 92 "fadvise64", 93 "fadvise64_64", 94 "fallocate", 95 "fanotify_mark", 96 "fchdir", 97 "fchmod", 98 "fchmodat", 99 "fchown", 100 "fchown32", 101 "fchownat", 102 "fcntl", 103 "fcntl64", 104 "fdatasync", 105 "fgetxattr", 106 "flistxattr", 107 "flock", 108 "fork", 109 "fremovexattr", 110 "fsetxattr", 111 "fstat", 112 "fstat64", 113 "fstatat64", 114 "fstatfs", 115 "fstatfs64", 116 "fsync", 117 "ftruncate", 118 "ftruncate64", 119 "futex", 120 "futimesat", 121 "getcpu", 122 "getcwd", 123 "getdents", 124 "getdents64", 125 "getegid", 126 "getegid32", 127 "geteuid", 128 "geteuid32", 129 "getgid", 130 "getgid32", 131 "getgroups", 132 "getgroups32", 133 "getitimer", 134 "getpeername", 135 "getpgid", 136 "getpgrp", 137 "getpid", 138 "getppid", 139 "getpriority", 140 "getrandom", 141 "getresgid", 142 "getresgid32", 143 "getresuid", 144 "getresuid32", 145 "getrlimit", 146 "get_robust_list", 147 "getrusage", 148 "getsid", 149 "getsockname", 150 "getsockopt", 151 "get_thread_area", 152 "gettid", 153 "gettimeofday", 154 "getuid", 155 "getuid32", 156 "getxattr", 157 "inotify_add_watch", 158 "inotify_init", 159 "inotify_init1", 160 "inotify_rm_watch", 161 "io_cancel", 162 "ioctl", 163 "io_destroy", 164 "io_getevents", 165 "ioprio_get", 166 "ioprio_set", 167 "io_setup", 168 "io_submit", 169 "ipc", 170 "kill", 171 "lchown", 172 "lchown32", 173 "lgetxattr", 174 "link", 175 "linkat", 176 "listen", 177 "listxattr", 178 "llistxattr", 179 "_llseek", 180 "lremovexattr", 181 "lseek", 182 "lsetxattr", 183 "lstat", 184 "lstat64", 185 "madvise", 186 "memfd_create", 187 "mincore", 188 "mkdir", 189 "mkdirat", 190 "mknod", 191 "mknodat", 192 "mlock", 193 "mlock2", 194 "mlockall", 195 "mmap", 196 "mmap2", 197 "mprotect", 198 "mq_getsetattr", 199 "mq_notify", 200 "mq_open", 201 "mq_timedreceive", 202 "mq_timedsend", 203 "mq_unlink", 204 "mremap", 205 "msgctl", 206 "msgget", 207 "msgrcv", 208 "msgsnd", 209 "msync", 210 "munlock", 211 "munlockall", 212 "munmap", 213 "nanosleep", 214 "newfstatat", 215 "_newselect", 216 "open", 217 "openat", 218 "pause", 219 "pipe", 220 "pipe2", 221 "poll", 222 "ppoll", 223 "prctl", 224 "pread64", 225 "preadv", 226 "preadv2", 227 "prlimit64", 228 "pselect6", 229 "pwrite64", 230 "pwritev", 231 "pwritev2", 232 "read", 233 "readahead", 234 "readlink", 235 "readlinkat", 236 "readv", 237 "recv", 238 "recvfrom", 239 "recvmmsg", 240 "recvmsg", 241 "remap_file_pages", 242 "removexattr", 243 "rename", 244 "renameat", 245 "renameat2", 246 "restart_syscall", 247 "rmdir", 248 "rt_sigaction", 249 "rt_sigpending", 250 "rt_sigprocmask", 251 "rt_sigqueueinfo", 252 "rt_sigreturn", 253 "rt_sigsuspend", 254 "rt_sigtimedwait", 255 "rt_tgsigqueueinfo", 256 "sched_getaffinity", 257 "sched_getattr", 258 "sched_getparam", 259 "sched_get_priority_max", 260 "sched_get_priority_min", 261 "sched_getscheduler", 262 "sched_rr_get_interval", 263 "sched_setaffinity", 264 "sched_setattr", 265 "sched_setparam", 266 "sched_setscheduler", 267 "sched_yield", 268 "seccomp", 269 "select", 270 "semctl", 271 "semget", 272 "semop", 273 "semtimedop", 274 "send", 275 "sendfile", 276 "sendfile64", 277 "sendmmsg", 278 "sendmsg", 279 "sendto", 280 "setfsgid", 281 "setfsgid32", 282 "setfsuid", 283 "setfsuid32", 284 "setgid", 285 "setgid32", 286 "setgroups", 287 "setgroups32", 288 "setitimer", 289 "setpgid", 290 "setpriority", 291 "setregid", 292 "setregid32", 293 "setresgid", 294 "setresgid32", 295 "setresuid", 296 "setresuid32", 297 "setreuid", 298 "setreuid32", 299 "setrlimit", 300 "set_robust_list", 301 "setsid", 302 "setsockopt", 303 "set_thread_area", 304 "set_tid_address", 305 "setuid", 306 "setuid32", 307 "setxattr", 308 "shmat", 309 "shmctl", 310 "shmdt", 311 "shmget", 312 "shutdown", 313 "sigaltstack", 314 "signalfd", 315 "signalfd4", 316 "sigreturn", 317 "socket", 318 "socketcall", 319 "socketpair", 320 "splice", 321 "stat", 322 "stat64", 323 "statfs", 324 "statfs64", 325 "statx", 326 "symlink", 327 "symlinkat", 328 "sync", 329 "sync_file_range", 330 "syncfs", 331 "sysinfo", 332 "tee", 333 "tgkill", 334 "time", 335 "timer_create", 336 "timer_delete", 337 "timerfd_create", 338 "timerfd_gettime", 339 "timerfd_settime", 340 "timer_getoverrun", 341 "timer_gettime", 342 "timer_settime", 343 "times", 344 "tkill", 345 "truncate", 346 "truncate64", 347 "ugetrlimit", 348 "umask", 349 "uname", 350 "unlink", 351 "unlinkat", 352 "utime", 353 "utimensat", 354 "utimes", 355 "vfork", 356 "vmsplice", 357 "wait4", 358 "waitid", 359 "waitpid", 360 "write", 361 "writev" 362 ], 363 "action": "SCMP_ACT_ALLOW", 364 "args": [], 365 "comment": "", 366 "includes": {}, 367 "excludes": {} 368 }, 369 { 370 "names": [ 371 "personality" 372 ], 373 "action": "SCMP_ACT_ALLOW", 374 "args": [ 375 { 376 "index": 0, 377 "value": 0, 378 "valueTwo": 0, 379 "op": "SCMP_CMP_EQ" 380 } 381 ], 382 "comment": "", 383 "includes": {}, 384 "excludes": {} 385 }, 386 { 387 "names": [ 388 "personality" 389 ], 390 "action": "SCMP_ACT_ALLOW", 391 "args": [ 392 { 393 "index": 0, 394 "value": 8, 395 "valueTwo": 0, 396 "op": "SCMP_CMP_EQ" 397 } 398 ], 399 "comment": "", 400 "includes": {}, 401 "excludes": {} 402 }, 403 { 404 "names": [ 405 "personality" 406 ], 407 "action": "SCMP_ACT_ALLOW", 408 "args": [ 409 { 410 "index": 0, 411 "value": 131072, 412 "valueTwo": 0, 413 "op": "SCMP_CMP_EQ" 414 } 415 ], 416 "comment": "", 417 "includes": {}, 418 "excludes": {} 419 }, 420 { 421 "names": [ 422 "personality" 423 ], 424 "action": "SCMP_ACT_ALLOW", 425 "args": [ 426 { 427 "index": 0, 428 "value": 131080, 429 "valueTwo": 0, 430 "op": "SCMP_CMP_EQ" 431 } 432 ], 433 "comment": "", 434 "includes": {}, 435 "excludes": {} 436 }, 437 { 438 "names": [ 439 "personality" 440 ], 441 "action": "SCMP_ACT_ALLOW", 442 "args": [ 443 { 444 "index": 0, 445 "value": 4294967295, 446 "valueTwo": 0, 447 "op": "SCMP_CMP_EQ" 448 } 449 ], 450 "comment": "", 451 "includes": {}, 452 "excludes": {} 453 }, 454 { 455 "names": [ 456 "sync_file_range2" 457 ], 458 "action": "SCMP_ACT_ALLOW", 459 "args": [], 460 "comment": "", 461 "includes": { 462 "arches": [ 463 "ppc64le" 464 ] 465 }, 466 "excludes": {} 467 }, 468 { 469 "names": [ 470 "arm_fadvise64_64", 471 "arm_sync_file_range", 472 "sync_file_range2", 473 "breakpoint", 474 "cacheflush", 475 "set_tls" 476 ], 477 "action": "SCMP_ACT_ALLOW", 478 "args": [], 479 "comment": "", 480 "includes": { 481 "arches": [ 482 "arm", 483 "arm64" 484 ] 485 }, 486 "excludes": {} 487 }, 488 { 489 "names": [ 490 "arch_prctl" 491 ], 492 "action": "SCMP_ACT_ALLOW", 493 "args": [], 494 "comment": "", 495 "includes": { 496 "arches": [ 497 "amd64", 498 "x32" 499 ] 500 }, 501 "excludes": {} 502 }, 503 { 504 "names": [ 505 "modify_ldt" 506 ], 507 "action": "SCMP_ACT_ALLOW", 508 "args": [], 509 "comment": "", 510 "includes": { 511 "arches": [ 512 "amd64", 513 "x32", 514 "x86" 515 ] 516 }, 517 "excludes": {} 518 }, 519 { 520 "names": [ 521 "s390_pci_mmio_read", 522 "s390_pci_mmio_write", 523 "s390_runtime_instr" 524 ], 525 "action": "SCMP_ACT_ALLOW", 526 "args": [], 527 "comment": "", 528 "includes": { 529 "arches": [ 530 "s390", 531 "s390x" 532 ] 533 }, 534 "excludes": {} 535 }, 536 { 537 "names": [ 538 "open_by_handle_at" 539 ], 540 "action": "SCMP_ACT_ALLOW", 541 "args": [], 542 "comment": "", 543 "includes": { 544 "caps": [ 545 "CAP_DAC_READ_SEARCH" 546 ] 547 }, 548 "excludes": {} 549 }, 550 { 551 "names": [ 552 "bpf", 553 "clone", 554 "fanotify_init", 555 "lookup_dcookie", 556 "mount", 557 "name_to_handle_at", 558 "perf_event_open", 559 "quotactl", 560 "setdomainname", 561 "sethostname", 562 "setns", 563 "syslog", 564 "umount", 565 "umount2", 566 "unshare" 567 ], 568 "action": "SCMP_ACT_ALLOW", 569 "args": [], 570 "comment": "", 571 "includes": { 572 "caps": [ 573 "CAP_SYS_ADMIN" 574 ] 575 }, 576 "excludes": {} 577 }, 578 { 579 "names": [ 580 "clone" 581 ], 582 "action": "SCMP_ACT_ALLOW", 583 "args": [ 584 { 585 "index": 0, 586 "value": 2080505856, 587 "valueTwo": 0, 588 "op": "SCMP_CMP_MASKED_EQ" 589 } 590 ], 591 "comment": "", 592 "includes": {}, 593 "excludes": { 594 "caps": [ 595 "CAP_SYS_ADMIN" 596 ], 597 "arches": [ 598 "s390", 599 "s390x" 600 ] 601 } 602 }, 603 { 604 "names": [ 605 "clone" 606 ], 607 "action": "SCMP_ACT_ALLOW", 608 "args": [ 609 { 610 "index": 1, 611 "value": 2080505856, 612 "valueTwo": 0, 613 "op": "SCMP_CMP_MASKED_EQ" 614 } 615 ], 616 "comment": "s390 parameter ordering for clone is different", 617 "includes": { 618 "arches": [ 619 "s390", 620 "s390x" 621 ] 622 }, 623 "excludes": { 624 "caps": [ 625 "CAP_SYS_ADMIN" 626 ] 627 } 628 }, 629 { 630 "names": [ 631 "reboot" 632 ], 633 "action": "SCMP_ACT_ALLOW", 634 "args": [], 635 "comment": "", 636 "includes": { 637 "caps": [ 638 "CAP_SYS_BOOT" 639 ] 640 }, 641 "excludes": {} 642 }, 643 { 644 "names": [ 645 "chroot" 646 ], 647 "action": "SCMP_ACT_ALLOW", 648 "args": [], 649 "comment": "", 650 "includes": { 651 "caps": [ 652 "CAP_SYS_CHROOT" 653 ] 654 }, 655 "excludes": {} 656 }, 657 { 658 "names": [ 659 "delete_module", 660 "init_module", 661 "finit_module", 662 "query_module" 663 ], 664 "action": "SCMP_ACT_ALLOW", 665 "args": [], 666 "comment": "", 667 "includes": { 668 "caps": [ 669 "CAP_SYS_MODULE" 670 ] 671 }, 672 "excludes": {} 673 }, 674 { 675 "names": [ 676 "acct" 677 ], 678 "action": "SCMP_ACT_ALLOW", 679 "args": [], 680 "comment": "", 681 "includes": { 682 "caps": [ 683 "CAP_SYS_PACCT" 684 ] 685 }, 686 "excludes": {} 687 }, 688 { 689 "names": [ 690 "kcmp", 691 "process_vm_readv", 692 "process_vm_writev", 693 "ptrace" 694 ], 695 "action": "SCMP_ACT_ALLOW", 696 "args": [], 697 "comment": "", 698 "includes": { 699 "caps": [ 700 "CAP_SYS_PTRACE" 701 ] 702 }, 703 "excludes": {} 704 }, 705 { 706 "names": [ 707 "iopl", 708 "ioperm" 709 ], 710 "action": "SCMP_ACT_ALLOW", 711 "args": [], 712 "comment": "", 713 "includes": { 714 "caps": [ 715 "CAP_SYS_RAWIO" 716 ] 717 }, 718 "excludes": {} 719 }, 720 { 721 "names": [ 722 "settimeofday", 723 "stime", 724 "clock_settime" 725 ], 726 "action": "SCMP_ACT_ALLOW", 727 "args": [], 728 "comment": "", 729 "includes": { 730 "caps": [ 731 "CAP_SYS_TIME" 732 ] 733 }, 734 "excludes": {} 735 }, 736 { 737 "names": [ 738 "vhangup" 739 ], 740 "action": "SCMP_ACT_ALLOW", 741 "args": [], 742 "comment": "", 743 "includes": { 744 "caps": [ 745 "CAP_SYS_TTY_CONFIG" 746 ] 747 }, 748 "excludes": {} 749 }, 750 { 751 "names": [ 752 "get_mempolicy", 753 "mbind", 754 "set_mempolicy" 755 ], 756 "action": "SCMP_ACT_ALLOW", 757 "args": [], 758 "comment": "", 759 "includes": { 760 "caps": [ 761 "CAP_SYS_NICE" 762 ] 763 }, 764 "excludes": {} 765 }, 766 { 767 "names": [ 768 "syslog" 769 ], 770 "action": "SCMP_ACT_ALLOW", 771 "args": [], 772 "comment": "", 773 "includes": { 774 "caps": [ 775 "CAP_SYSLOG" 776 ] 777 }, 778 "excludes": {} 779 } 780 ] 781 }