seccomp.json (15207B)
1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "archMap": [ 4 { 5 "architecture": "SCMP_ARCH_X86_64", 6 "subArchitectures": [ 7 "SCMP_ARCH_X86", 8 "SCMP_ARCH_X32" 9 ] 10 }, 11 { 12 "architecture": "SCMP_ARCH_AARCH64", 13 "subArchitectures": [ 14 "SCMP_ARCH_ARM" 15 ] 16 }, 17 { 18 "architecture": "SCMP_ARCH_MIPS64", 19 "subArchitectures": [ 20 "SCMP_ARCH_MIPS", 21 "SCMP_ARCH_MIPS64N32" 22 ] 23 }, 24 { 25 "architecture": "SCMP_ARCH_MIPS64N32", 26 "subArchitectures": [ 27 "SCMP_ARCH_MIPS", 28 "SCMP_ARCH_MIPS64" 29 ] 30 }, 31 { 32 "architecture": "SCMP_ARCH_MIPSEL64", 33 "subArchitectures": [ 34 "SCMP_ARCH_MIPSEL", 35 "SCMP_ARCH_MIPSEL64N32" 36 ] 37 }, 38 { 39 "architecture": "SCMP_ARCH_MIPSEL64N32", 40 "subArchitectures": [ 41 "SCMP_ARCH_MIPSEL", 42 "SCMP_ARCH_MIPSEL64" 43 ] 44 }, 45 { 46 "architecture": "SCMP_ARCH_S390X", 47 "subArchitectures": [ 48 "SCMP_ARCH_S390" 49 ] 50 } 51 ], 52 "syscalls": [ 53 { 54 "names": [ 55 "accept", 56 "accept4", 57 "access", 58 "adjtimex", 59 "alarm", 60 "bind", 61 "brk", 62 "capget", 63 "capset", 64 "chdir", 65 "chmod", 66 "chown", 67 "chown32", 68 "clock_getres", 69 "clock_gettime", 70 "clock_nanosleep", 71 "clone", 72 "close", 73 "connect", 74 "copy_file_range", 75 "creat", 76 "dup", 77 "dup2", 78 "dup3", 79 "epoll_create", 80 "epoll_create1", 81 "epoll_ctl", 82 "epoll_ctl_old", 83 "epoll_pwait", 84 "epoll_wait", 85 "epoll_wait_old", 86 "eventfd", 87 "eventfd2", 88 "execve", 89 "execveat", 90 "exit", 91 "exit_group", 92 "faccessat", 93 "fadvise64", 94 "fadvise64_64", 95 "fallocate", 96 "fanotify_mark", 97 "fchdir", 98 "fchmod", 99 "fchmodat", 100 "fchown", 101 "fchown32", 102 "fchownat", 103 "fcntl", 104 "fcntl64", 105 "fdatasync", 106 "fgetxattr", 107 "flistxattr", 108 "flock", 109 "fork", 110 "fremovexattr", 111 "fsetxattr", 112 "fstat", 113 "fstat64", 114 "fstatat64", 115 "fstatfs", 116 "fstatfs64", 117 "fsync", 118 "ftruncate", 119 "ftruncate64", 120 "futex", 121 "futimesat", 122 "getcpu", 123 "getcwd", 124 "getdents", 125 "getdents64", 126 "getegid", 127 "getegid32", 128 "geteuid", 129 "geteuid32", 130 "getgid", 131 "getgid32", 132 "getgroups", 133 "getgroups32", 134 "getitimer", 135 "getpeername", 136 "getpgid", 137 "getpgrp", 138 "getpid", 139 "getppid", 140 "getpriority", 141 "getrandom", 142 "getresgid", 143 "getresgid32", 144 "getresuid", 145 "getresuid32", 146 "getrlimit", 147 "get_robust_list", 148 "getrusage", 149 "getsid", 150 "getsockname", 151 "getsockopt", 152 "get_thread_area", 153 "gettid", 154 "gettimeofday", 155 "getuid", 156 "getuid32", 157 "getxattr", 158 "inotify_add_watch", 159 "inotify_init", 160 "inotify_init1", 161 "inotify_rm_watch", 162 "io_cancel", 163 "ioctl", 164 "io_destroy", 165 "io_getevents", 166 "io_pgetevents", 167 "ioprio_get", 168 "ioprio_set", 169 "io_setup", 170 "io_submit", 171 "io_uring_enter", 172 "io_uring_register", 173 "io_uring_setup", 174 "ipc", 175 "kill", 176 "lchown", 177 "lchown32", 178 "lgetxattr", 179 "link", 180 "linkat", 181 "listen", 182 "listxattr", 183 "llistxattr", 184 "_llseek", 185 "lremovexattr", 186 "lseek", 187 "lsetxattr", 188 "lstat", 189 "lstat64", 190 "madvise", 191 "memfd_create", 192 "mincore", 193 "mkdir", 194 "mkdirat", 195 "mknod", 196 "mknodat", 197 "mlock", 198 "mlock2", 199 "mlockall", 200 "mmap", 201 "mmap2", 202 "mprotect", 203 "mq_getsetattr", 204 "mq_notify", 205 "mq_open", 206 "mq_timedreceive", 207 "mq_timedsend", 208 "mq_unlink", 209 "mremap", 210 "msgctl", 211 "msgget", 212 "msgrcv", 213 "msgsnd", 214 "msync", 215 "munlock", 216 "munlockall", 217 "munmap", 218 "nanosleep", 219 "newfstatat", 220 "_newselect", 221 "open", 222 "openat", 223 "pause", 224 "pipe", 225 "pipe2", 226 "poll", 227 "ppoll", 228 "prctl", 229 "pread64", 230 "preadv", 231 "preadv2", 232 "prlimit64", 233 "pselect6", 234 "pwrite64", 235 "pwritev", 236 "pwritev2", 237 "read", 238 "readahead", 239 "readlink", 240 "readlinkat", 241 "readv", 242 "recv", 243 "recvfrom", 244 "recvmmsg", 245 "recvmsg", 246 "remap_file_pages", 247 "removexattr", 248 "rename", 249 "renameat", 250 "renameat2", 251 "restart_syscall", 252 "rmdir", 253 "rt_sigaction", 254 "rt_sigpending", 255 "rt_sigprocmask", 256 "rt_sigqueueinfo", 257 "rt_sigreturn", 258 "rt_sigsuspend", 259 "rt_sigtimedwait", 260 "rt_tgsigqueueinfo", 261 "sched_getaffinity", 262 "sched_getattr", 263 "sched_getparam", 264 "sched_get_priority_max", 265 "sched_get_priority_min", 266 "sched_getscheduler", 267 "sched_rr_get_interval", 268 "sched_setaffinity", 269 "sched_setattr", 270 "sched_setparam", 271 "sched_setscheduler", 272 "sched_yield", 273 "seccomp", 274 "select", 275 "semctl", 276 "semget", 277 "semop", 278 "semtimedop", 279 "send", 280 "sendfile", 281 "sendfile64", 282 "sendmmsg", 283 "sendmsg", 284 "sendto", 285 "setfsgid", 286 "setfsgid32", 287 "setfsuid", 288 "setfsuid32", 289 "setgid", 290 "setgid32", 291 "setgroups", 292 "setgroups32", 293 "setitimer", 294 "setpgid", 295 "setpriority", 296 "setregid", 297 "setregid32", 298 "setresgid", 299 "setresgid32", 300 "setresuid", 301 "setresuid32", 302 "setreuid", 303 "setreuid32", 304 "setrlimit", 305 "set_robust_list", 306 "setsid", 307 "setsockopt", 308 "set_thread_area", 309 "set_tid_address", 310 "setuid", 311 "setuid32", 312 "setxattr", 313 "shmat", 314 "shmctl", 315 "shmdt", 316 "shmget", 317 "shutdown", 318 "sigaltstack", 319 "signalfd", 320 "signalfd4", 321 "sigprocmask", 322 "sigreturn", 323 "socket", 324 "socketcall", 325 "socketpair", 326 "splice", 327 "stat", 328 "stat64", 329 "statfs", 330 "statfs64", 331 "statx", 332 "symlink", 333 "symlinkat", 334 "sync", 335 "sync_file_range", 336 "syncfs", 337 "sysinfo", 338 "tee", 339 "tgkill", 340 "time", 341 "timer_create", 342 "timer_delete", 343 "timerfd_create", 344 "timerfd_gettime", 345 "timerfd_settime", 346 "timer_getoverrun", 347 "timer_gettime", 348 "timer_settime", 349 "times", 350 "tkill", 351 "truncate", 352 "truncate64", 353 "ugetrlimit", 354 "umask", 355 "uname", 356 "unlink", 357 "unlinkat", 358 "unshare", 359 "utime", 360 "utimensat", 361 "utimes", 362 "vfork", 363 "vmsplice", 364 "wait4", 365 "waitid", 366 "waitpid", 367 "write", 368 "writev" 369 ], 370 "action": "SCMP_ACT_ALLOW", 371 "args": [], 372 "comment": "", 373 "includes": null, 374 "excludes": null 375 }, 376 { 377 "names": [ 378 "ptrace" 379 ], 380 "action": "SCMP_ACT_ALLOW", 381 "args": null, 382 "comment": "", 383 "includes": { 384 "minKernel": "4.8" 385 }, 386 "excludes": null 387 }, 388 { 389 "names": [ 390 "personality" 391 ], 392 "action": "SCMP_ACT_ALLOW", 393 "args": [ 394 { 395 "index": 0, 396 "value": 0, 397 "valueTwo": 0, 398 "op": "SCMP_CMP_EQ" 399 } 400 ], 401 "comment": "", 402 "includes": null, 403 "excludes": null 404 }, 405 { 406 "names": [ 407 "personality" 408 ], 409 "action": "SCMP_ACT_ALLOW", 410 "args": [ 411 { 412 "index": 0, 413 "value": 8, 414 "valueTwo": 0, 415 "op": "SCMP_CMP_EQ" 416 } 417 ], 418 "comment": "", 419 "includes": null, 420 "excludes": null 421 }, 422 { 423 "names": [ 424 "personality" 425 ], 426 "action": "SCMP_ACT_ALLOW", 427 "args": [ 428 { 429 "index": 0, 430 "value": 131072, 431 "valueTwo": 0, 432 "op": "SCMP_CMP_EQ" 433 } 434 ], 435 "comment": "", 436 "includes": null, 437 "excludes": null 438 }, 439 { 440 "names": [ 441 "personality" 442 ], 443 "action": "SCMP_ACT_ALLOW", 444 "args": [ 445 { 446 "index": 0, 447 "value": 131080, 448 "valueTwo": 0, 449 "op": "SCMP_CMP_EQ" 450 } 451 ], 452 "comment": "", 453 "includes": null, 454 "excludes": null 455 }, 456 { 457 "names": [ 458 "personality" 459 ], 460 "action": "SCMP_ACT_ALLOW", 461 "args": [ 462 { 463 "index": 0, 464 "value": 4294967295, 465 "valueTwo": 0, 466 "op": "SCMP_CMP_EQ" 467 } 468 ], 469 "comment": "", 470 "includes": null, 471 "excludes": null 472 }, 473 { 474 "names": [ 475 "sync_file_range2" 476 ], 477 "action": "SCMP_ACT_ALLOW", 478 "args": [], 479 "comment": "", 480 "includes": { 481 "arches": [ 482 "ppc64le" 483 ] 484 }, 485 "excludes": null 486 }, 487 { 488 "names": [ 489 "arm_fadvise64_64", 490 "arm_sync_file_range", 491 "sync_file_range2", 492 "breakpoint", 493 "cacheflush", 494 "set_tls" 495 ], 496 "action": "SCMP_ACT_ALLOW", 497 "args": [], 498 "comment": "", 499 "includes": { 500 "arches": [ 501 "arm", 502 "arm64" 503 ] 504 }, 505 "excludes": null 506 }, 507 { 508 "names": [ 509 "arch_prctl" 510 ], 511 "action": "SCMP_ACT_ALLOW", 512 "args": [], 513 "comment": "", 514 "includes": { 515 "arches": [ 516 "amd64", 517 "x32" 518 ] 519 }, 520 "excludes": null 521 }, 522 { 523 "names": [ 524 "modify_ldt" 525 ], 526 "action": "SCMP_ACT_ALLOW", 527 "args": [], 528 "comment": "", 529 "includes": { 530 "arches": [ 531 "amd64", 532 "x32", 533 "x86" 534 ] 535 }, 536 "excludes": null 537 }, 538 { 539 "names": [ 540 "s390_pci_mmio_read", 541 "s390_pci_mmio_write", 542 "s390_runtime_instr" 543 ], 544 "action": "SCMP_ACT_ALLOW", 545 "args": [], 546 "comment": "", 547 "includes": { 548 "arches": [ 549 "s390", 550 "s390x" 551 ] 552 }, 553 "excludes": null 554 }, 555 { 556 "names": [ 557 "open_by_handle_at" 558 ], 559 "action": "SCMP_ACT_ALLOW", 560 "args": [], 561 "comment": "", 562 "includes": { 563 "caps": [ 564 "CAP_DAC_READ_SEARCH" 565 ] 566 }, 567 "excludes": null 568 }, 569 { 570 "names": [ 571 "bpf", 572 "fanotify_init", 573 "lookup_dcookie", 574 "mount", 575 "name_to_handle_at", 576 "perf_event_open", 577 "quotactl", 578 "setdomainname", 579 "sethostname", 580 "setns", 581 "syslog", 582 "umount", 583 "umount2" 584 ], 585 "action": "SCMP_ACT_ALLOW", 586 "args": [], 587 "comment": "", 588 "includes": { 589 "caps": [ 590 "CAP_SYS_ADMIN" 591 ] 592 }, 593 "excludes": null 594 }, 595 { 596 "names": [ 597 "clone" 598 ], 599 "action": "SCMP_ACT_ALLOW", 600 "args": [ 601 { 602 "index": 0, 603 "value": 2114060288, 604 "valueTwo": 0, 605 "op": "SCMP_CMP_MASKED_EQ" 606 } 607 ], 608 "comment": "", 609 "includes": null, 610 "excludes": { 611 "caps": [ 612 "CAP_SYS_ADMIN" 613 ], 614 "arches": [ 615 "s390", 616 "s390x" 617 ] 618 } 619 }, 620 { 621 "names": [ 622 "clone" 623 ], 624 "action": "SCMP_ACT_ALLOW", 625 "args": [ 626 { 627 "index": 1, 628 "value": 2114060288, 629 "valueTwo": 0, 630 "op": "SCMP_CMP_MASKED_EQ" 631 } 632 ], 633 "comment": "s390 parameter ordering for clone is different", 634 "includes": { 635 "arches": [ 636 "s390", 637 "s390x" 638 ] 639 }, 640 "excludes": { 641 "caps": [ 642 "CAP_SYS_ADMIN" 643 ] 644 } 645 }, 646 { 647 "names": [ 648 "reboot" 649 ], 650 "action": "SCMP_ACT_ALLOW", 651 "args": [], 652 "comment": "", 653 "includes": { 654 "caps": [ 655 "CAP_SYS_BOOT" 656 ] 657 }, 658 "excludes": null 659 }, 660 { 661 "names": [ 662 "chroot" 663 ], 664 "action": "SCMP_ACT_ALLOW", 665 "args": [], 666 "comment": "", 667 "includes": { 668 "caps": [ 669 "CAP_SYS_CHROOT" 670 ] 671 }, 672 "excludes": null 673 }, 674 { 675 "names": [ 676 "delete_module", 677 "init_module", 678 "finit_module", 679 "query_module" 680 ], 681 "action": "SCMP_ACT_ALLOW", 682 "args": [], 683 "comment": "", 684 "includes": { 685 "caps": [ 686 "CAP_SYS_MODULE" 687 ] 688 }, 689 "excludes": null 690 }, 691 { 692 "names": [ 693 "acct" 694 ], 695 "action": "SCMP_ACT_ALLOW", 696 "args": [], 697 "comment": "", 698 "includes": { 699 "caps": [ 700 "CAP_SYS_PACCT" 701 ] 702 }, 703 "excludes": null 704 }, 705 { 706 "names": [ 707 "kcmp", 708 "process_vm_readv", 709 "process_vm_writev", 710 "ptrace" 711 ], 712 "action": "SCMP_ACT_ALLOW", 713 "args": [], 714 "comment": "", 715 "includes": { 716 "caps": [ 717 "CAP_SYS_PTRACE" 718 ] 719 }, 720 "excludes": null 721 }, 722 { 723 "names": [ 724 "iopl", 725 "ioperm" 726 ], 727 "action": "SCMP_ACT_ALLOW", 728 "args": [], 729 "comment": "", 730 "includes": { 731 "caps": [ 732 "CAP_SYS_RAWIO" 733 ] 734 }, 735 "excludes": null 736 }, 737 { 738 "names": [ 739 "settimeofday", 740 "stime", 741 "clock_settime" 742 ], 743 "action": "SCMP_ACT_ALLOW", 744 "args": [], 745 "comment": "", 746 "includes": { 747 "caps": [ 748 "CAP_SYS_TIME" 749 ] 750 }, 751 "excludes": null 752 }, 753 { 754 "names": [ 755 "vhangup" 756 ], 757 "action": "SCMP_ACT_ALLOW", 758 "args": [], 759 "comment": "", 760 "includes": { 761 "caps": [ 762 "CAP_SYS_TTY_CONFIG" 763 ] 764 }, 765 "excludes": null 766 }, 767 { 768 "names": [ 769 "get_mempolicy", 770 "mbind", 771 "set_mempolicy" 772 ], 773 "action": "SCMP_ACT_ALLOW", 774 "args": [], 775 "comment": "", 776 "includes": { 777 "caps": [ 778 "CAP_SYS_NICE" 779 ] 780 }, 781 "excludes": null 782 }, 783 { 784 "names": [ 785 "syslog" 786 ], 787 "action": "SCMP_ACT_ALLOW", 788 "args": [], 789 "comment": "", 790 "includes": { 791 "caps": [ 792 "CAP_SYSLOG" 793 ] 794 }, 795 "excludes": null 796 } 797 ] 798 }