// +build linux,seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map the default profile is installed for.
//
// Each entry pairs a primary architecture with the sub-architectures that are
// registered alongside it (for example 32-bit x86 and x32 next to x86_64).
// Listing the sub-arches is what makes the filter also apply to the compat
// ABIs a kernel of the primary arch can run; presumably this is so a binary
// cannot switch ABI to reach syscalls the primary-arch rules would block
// (the loader's exact treatment of SubArches is not visible here).
func arches() []types.Architecture {
	// entry builds one Architecture from a primary arch and its sub-arches.
	entry := func(primary types.Arch, subs ...types.Arch) types.Architecture {
		return types.Architecture{Arch: primary, SubArches: subs}
	}
	return []types.Architecture{
		entry(types.ArchX86_64, types.ArchX86, types.ArchX32),
		entry(types.ArchAARCH64, types.ArchARM),
		entry(types.ArchMIPS64, types.ArchMIPS, types.ArchMIPS64N32),
		entry(types.ArchMIPS64N32, types.ArchMIPS, types.ArchMIPS64),
		entry(types.ArchMIPSEL64, types.ArchMIPSEL, types.ArchMIPSEL64N32),
		entry(types.ArchMIPSEL64N32, types.ArchMIPSEL, types.ArchMIPSEL64),
		entry(types.ArchS390X, types.ArchS390),
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.
//
// The profile is deny-by-default: every syscall not matched by a rule falls
// through to DefaultAction (ActErrno). Rules that carry an Includes filter
// with Caps are meant to apply only when the container holds that capability,
// so granting a capability (e.g. CAP_SYS_ADMIN) also widens the syscall
// surface; rules with Arches filters apply only on those architectures.
func DefaultProfile() *types.Seccomp {
	// allow builds an unconditional ALLOW rule for the named syscalls.
	// Args is an empty, non-nil slice, exactly as in the rules it replaces,
	// so the serialised shape of the profile is unchanged.
	allow := func(names ...string) *types.Syscall {
		return &types.Syscall{
			Names:  names,
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		}
	}
	// allowIf is allow() restricted by an Includes filter (capabilities
	// and/or architectures).
	allowIf := func(filter types.Filter, names ...string) *types.Syscall {
		rule := allow(names...)
		rule.Includes = filter
		return rule
	}
	withCaps := func(caps ...string) types.Filter { return types.Filter{Caps: caps} }
	onArchs := func(archs ...string) types.Filter { return types.Filter{Arches: archs} }

	// personalityEq allows personality(2) only when its first argument is
	// exactly value; any other persona is refused by DefaultAction.
	personalityEq := func(value uint64) *types.Syscall {
		return &types.Syscall{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 0, Value: value, Op: types.OpEqualTo},
			},
		}
	}

	// nsFlags is the set of clone(2) flags that create a new namespace.
	// Unprivileged containers may clone only when none of these bits is set
	// (see the masked-equal rules below); with CAP_SYS_ADMIN, clone is
	// allowed unconditionally through the capability-gated rule instead.
	const nsFlags = unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC |
		unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET

	// The baseline is allowed on every arch and needs no capability. Names are
	// kept in the original order (alphabetical, ignoring leading underscores);
	// keep that order when adding entries so the generated rule order stays
	// stable. Note that ioctl, prctl, socket and friends are allowed here with
	// no argument filtering at all.
	baseline := allow(
		"accept", "accept4", "access", "adjtimex", "alarm",
		"bind", "brk", "capget", "capset", "chdir",
		"chmod", "chown", "chown32", "clock_getres", "clock_gettime",
		"clock_nanosleep", "close", "connect", "copy_file_range", "creat",
		"dup", "dup2", "dup3", "epoll_create", "epoll_create1",
		"epoll_ctl", "epoll_ctl_old", "epoll_pwait", "epoll_wait", "epoll_wait_old",
		"eventfd", "eventfd2", "execve", "execveat", "exit",
		"exit_group", "faccessat", "fadvise64", "fadvise64_64", "fallocate",
		"fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown",
		"fchown32", "fchownat", "fcntl", "fcntl64", "fdatasync",
		"fgetxattr", "flistxattr", "flock", "fork", "fremovexattr",
		"fsetxattr", "fstat", "fstat64", "fstatat64", "fstatfs",
		"fstatfs64", "fsync", "ftruncate", "ftruncate64", "futex",
		"futimesat", "getcpu", "getcwd", "getdents", "getdents64",
		"getegid", "getegid32", "geteuid", "geteuid32", "getgid",
		"getgid32", "getgroups", "getgroups32", "getitimer", "getpeername",
		"getpgid", "getpgrp", "getpid", "getppid", "getpriority",
		"getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32",
		"getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname",
		"getsockopt", "get_thread_area", "gettid", "gettimeofday", "getuid",
		"getuid32", "getxattr", "inotify_add_watch", "inotify_init", "inotify_init1",
		"inotify_rm_watch", "io_cancel", "ioctl", "io_destroy", "io_getevents",
		"ioprio_get", "ioprio_set", "io_setup", "io_submit", "ipc",
		"kill", "lchown", "lchown32", "lgetxattr", "link",
		"linkat", "listen", "listxattr", "llistxattr", "_llseek",
		"lremovexattr", "lseek", "lsetxattr", "lstat", "lstat64",
		"madvise", "memfd_create", "mincore", "mkdir", "mkdirat",
		"mknod", "mknodat", "mlock", "mlock2", "mlockall",
		"mmap", "mmap2", "mprotect", "mq_getsetattr", "mq_notify",
		"mq_open", "mq_timedreceive", "mq_timedsend", "mq_unlink", "mremap",
		"msgctl", "msgget", "msgrcv", "msgsnd", "msync",
		"munlock", "munlockall", "munmap", "nanosleep", "newfstatat",
		"_newselect", "open", "openat", "pause", "pipe",
		"pipe2", "poll", "ppoll", "prctl", "pread64",
		"preadv", "preadv2", "prlimit64", "pselect6", "pwrite64",
		"pwritev", "pwritev2", "read", "readahead", "readlink",
		"readlinkat", "readv", "recv", "recvfrom", "recvmmsg",
		"recvmsg", "remap_file_pages", "removexattr", "rename", "renameat",
		"renameat2", "restart_syscall", "rmdir", "rt_sigaction", "rt_sigpending",
		"rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait",
		"rt_tgsigqueueinfo", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_get_priority_max",
		"sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval", "sched_setaffinity", "sched_setattr",
		"sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "select",
		"semctl", "semget", "semop", "semtimedop", "send",
		"sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto",
		"setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid",
		"setgid32", "setgroups", "setgroups32", "setitimer", "setpgid",
		"setpriority", "setregid", "setregid32", "setresgid", "setresgid32",
		"setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit",
		"set_robust_list", "setsid", "setsockopt", "set_thread_area", "set_tid_address",
		"setuid", "setuid32", "setxattr", "shmat", "shmctl",
		"shmdt", "shmget", "shutdown", "sigaltstack", "signalfd",
		"signalfd4", "sigreturn", "socket", "socketcall", "socketpair",
		"splice", "stat", "stat64", "statfs", "statfs64",
		"statx", "symlink", "symlinkat", "sync", "sync_file_range",
		"syncfs", "sysinfo", "tee", "tgkill", "time",
		"timer_create", "timer_delete", "timerfd_create", "timerfd_gettime", "timerfd_settime",
		"timer_getoverrun", "timer_gettime", "timer_settime", "times", "tkill",
		"truncate", "truncate64", "ugetrlimit", "umask", "uname",
		"unlink", "unlinkat", "utime", "utimensat", "utimes",
		"vfork", "vmsplice", "wait4", "waitid", "waitpid",
		"write", "writev",
	)

	syscalls := []*types.Syscall{
		baseline,

		// personality(2) is restricted to a fixed set of personas. The
		// constants are those of <linux/personality.h>.
		personalityEq(0x0),        // PER_LINUX
		personalityEq(0x0008),     // PER_LINUX32
		personalityEq(0x20000),    // UNAME26
		personalityEq(0x20008),    // UNAME26 | PER_LINUX32
		personalityEq(0xffffffff), // query the current persona without changing it

		// Architecture-specific syscalls.
		allowIf(onArchs("ppc64le"), "sync_file_range2"),
		allowIf(onArchs("arm", "arm64"),
			"arm_fadvise64_64", "arm_sync_file_range", "sync_file_range2",
			"breakpoint", "cacheflush", "set_tls",
		),
		allowIf(onArchs("amd64", "x32"), "arch_prctl"),
		allowIf(onArchs("amd64", "x32", "x86"), "modify_ldt"),
		allowIf(onArchs("s390", "s390x"),
			"s390_pci_mmio_read", "s390_pci_mmio_write", "s390_runtime_instr",
		),

		// Capability-gated syscalls: each rule is only meant to apply when the
		// container is granted the named capability.
		allowIf(withCaps("CAP_DAC_READ_SEARCH"), "open_by_handle_at"),
		allowIf(withCaps("CAP_SYS_ADMIN"),
			"bpf", "clone", "fanotify_init", "lookup_dcookie", "mount",
			"name_to_handle_at", "perf_event_open", "quotactl", "setdomainname",
			"sethostname", "setns", "syslog", "umount", "umount2", "unshare",
		),

		// clone without CAP_SYS_ADMIN: allowed only when none of the
		// namespace-creating flags is set, i.e. (flags & nsFlags) == 0.
		// The flags argument is arg 0 on every arch except s390, so this rule
		// is excluded there and the next one covers it.
		{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 0, Value: nsFlags, ValueTwo: 0, Op: types.OpMaskedEqual},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same masked check for s390/s390x, where the flags live in arg 1.
		{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{Index: 1, Value: nsFlags, ValueTwo: 0, Op: types.OpMaskedEqual},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},

		allowIf(withCaps("CAP_SYS_BOOT"), "reboot"),
		allowIf(withCaps("CAP_SYS_CHROOT"), "chroot"),
		allowIf(withCaps("CAP_SYS_MODULE"),
			"delete_module", "init_module", "finit_module", "query_module",
		),
		allowIf(withCaps("CAP_SYS_PACCT"), "acct"),
		allowIf(withCaps("CAP_SYS_PTRACE"),
			"kcmp", "process_vm_readv", "process_vm_writev", "ptrace",
		),
		allowIf(withCaps("CAP_SYS_RAWIO"), "iopl", "ioperm"),
		allowIf(withCaps("CAP_SYS_TIME"), "settimeofday", "stime", "clock_settime"),
		allowIf(withCaps("CAP_SYS_TTY_CONFIG"), "vhangup"),
		allowIf(withCaps("CAP_SYS_NICE"), "get_mempolicy", "mbind", "set_mempolicy"),
		// syslog is also in the CAP_SYS_ADMIN rule above; either capability
		// is enough to enable it.
		allowIf(withCaps("CAP_SYSLOG"), "syslog"),
	}

	// Anything not matched above fails with an errno. No errno value is
	// specified here, so the exact value the container sees is whatever the
	// runtime applies for ActErrno (runc has historically used EPERM — verify
	// for the runtime in use); this struct cannot express ENOSYS for
	// unknown/newer syscalls.
	return &types.Seccomp{
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}