// +build linux,seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/docker/docker/api/types"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map attached to the default profile.
//
// Each entry pairs a native architecture with the compatibility ABIs the
// kernel can run alongside it (for example 32-bit x86 and x32 code on an
// x86_64 kernel). The pairing is security-relevant: the consumer of this
// map (not shown in this file) is expected to install the filter for the
// listed sub-architectures as well, so a process cannot sidestep the
// profile by issuing the same syscall through a compat entry point.
func arches() []types.Architecture {
	// native -> compat ABIs, kept in the order the profile has always used.
	table := []struct {
		native types.Arch
		compat []types.Arch
	}{
		{types.ArchX86_64, []types.Arch{types.ArchX86, types.ArchX32}},
		{types.ArchAARCH64, []types.Arch{types.ArchARM}},
		{types.ArchMIPS64, []types.Arch{types.ArchMIPS, types.ArchMIPS64N32}},
		{types.ArchMIPS64N32, []types.Arch{types.ArchMIPS, types.ArchMIPS64}},
		{types.ArchMIPSEL64, []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32}},
		{types.ArchMIPSEL64N32, []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64}},
		{types.ArchS390X, []types.Arch{types.ArchS390}},
	}

	out := make([]types.Architecture, 0, len(table))
	for _, row := range table {
		out = append(out, types.Architecture{
			Arch:      row.native,
			SubArches: row.compat,
		})
	}
	return out
}

// DefaultProfile builds the default seccomp profile.
//
// The profile is deny-by-default: DefaultAction is ActErrno, so a syscall
// that matches no rule fails with an errno instead of killing the process.
// On top of that it lists the syscalls allowed unconditionally, a few
// arch-specific entry points, and a set of privileged syscalls that are
// only allowed when the container holds the matching Linux capability.
func DefaultProfile() *types.Seccomp {
	// allow builds a rule permitting the named syscalls regardless of their
	// arguments. Args is a non-nil empty slice, as in every rule of this
	// profile, so the rule serialises as "args": [] rather than null.
	allow := func(names ...string) *types.Syscall {
		return &types.Syscall{
			Names:  names,
			Action: types.ActAllow,
			Args:   []*types.Arg{},
		}
	}

	// allowWithCap permits the named syscalls only when the container has
	// been granted the given capability; without it the default action
	// (errno) applies.
	allowWithCap := func(capability string, names ...string) *types.Syscall {
		rule := allow(names...)
		rule.Includes = types.Filter{Caps: []string{capability}}
		return rule
	}

	// allowOnArches permits the named syscalls only on the listed
	// architectures; these are arch-specific entry points.
	allowOnArches := func(archs []string, names ...string) *types.Syscall {
		rule := allow(names...)
		rule.Includes = types.Filter{Arches: archs}
		return rule
	}

	// personalityEq permits personality(2) only when its first argument is
	// exactly persona, so every accepted value gets a rule of its own.
	personalityEq := func(persona uint64) *types.Syscall {
		return &types.Syscall{
			Names:  []string{"personality"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index: 0,
					Value: persona,
					Op:    types.OpEqualTo,
				},
			},
		}
	}

	// Namespace-creating clone flags. With OpMaskedEqual, Value is the mask
	// and ValueTwo the expected result of (flags & mask); ValueTwo is 0, so
	// an unprivileged container may clone only when none of these bits is
	// set. A container with CAP_SYS_ADMIN is excluded from that rule and
	// instead matches the unconditional clone entry in the CAP_SYS_ADMIN
	// group below.
	const newNSFlags = unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC |
		unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET

	syscalls := []*types.Syscall{
		// Baseline: syscalls an unprivileged container may call on any arch.
		// NOTE(review): syslog(2) is in this list; whether reading the kernel
		// log from a container is acceptable depends on the host's
		// kernel.dmesg_restrict setting - confirm before relying on it.
		allow(
			"accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk", "capget",
			"capset", "chdir", "chmod", "chown", "chown32", "clock_getres", "clock_gettime", "clock_nanosleep",
			"close", "connect", "copy_file_range", "creat", "dup", "dup2", "dup3", "epoll_create",
			"epoll_create1", "epoll_ctl", "epoll_ctl_old", "epoll_pwait", "epoll_wait", "epoll_wait_old", "eventfd", "eventfd2",
			"execve", "execveat", "exit", "exit_group", "faccessat", "fadvise64", "fadvise64_64", "fallocate",
			"fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown", "fchown32", "fchownat", "fcntl",
			"fcntl64", "fdatasync", "fgetxattr", "flistxattr", "flock", "fork", "fremovexattr", "fsetxattr",
			"fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync", "ftruncate", "ftruncate64",
			"futex", "futimesat", "getcpu", "getcwd", "getdents", "getdents64", "getegid", "getegid32",
			"geteuid", "geteuid32", "getgid", "getgid32", "getgroups", "getgroups32", "getitimer", "getpeername",
			"getpgid", "getpgrp", "getpid", "getppid", "getpriority", "getrandom", "getresgid", "getresgid32",
			"getresuid", "getresuid32", "getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt",
			"get_thread_area", "gettid", "gettimeofday", "getuid", "getuid32", "getxattr", "inotify_add_watch", "inotify_init",
			"inotify_init1", "inotify_rm_watch", "io_cancel", "ioctl", "io_destroy", "io_getevents", "ioprio_get", "ioprio_set",
			"io_setup", "io_submit", "ipc", "kill", "lchown", "lchown32", "lgetxattr", "link",
			"linkat", "listen", "listxattr", "llistxattr", "_llseek", "lremovexattr", "lseek", "lsetxattr",
			"lstat", "lstat64", "madvise", "memfd_create", "mincore", "mkdir", "mkdirat", "mknod",
			"mknodat", "mlock", "mlock2", "mlockall", "mmap", "mmap2", "mprotect", "mq_getsetattr",
			"mq_notify", "mq_open", "mq_timedreceive", "mq_timedsend", "mq_unlink", "mremap", "msgctl", "msgget",
			"msgrcv", "msgsnd", "msync", "munlock", "munlockall", "munmap", "nanosleep", "newfstatat",
			"_newselect", "open", "openat", "pause", "pipe", "pipe2", "poll", "ppoll",
			"prctl", "pread64", "preadv", "preadv2", "prlimit64", "pselect6", "pwrite64", "pwritev",
			"pwritev2", "read", "readahead", "readlink", "readlinkat", "readv", "recv", "recvfrom",
			"recvmmsg", "recvmsg", "remap_file_pages", "removexattr", "rename", "renameat", "renameat2", "restart_syscall",
			"rmdir", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait",
			"rt_tgsigqueueinfo", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_get_priority_max", "sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval",
			"sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "select", "semctl",
			"semget", "semop", "semtimedop", "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg",
			"sendto", "setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid", "setgid32", "setgroups",
			"setgroups32", "setitimer", "setpgid", "setpriority", "setregid", "setregid32", "setresgid", "setresgid32",
			"setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit", "set_robust_list", "setsid", "setsockopt",
			"set_thread_area", "set_tid_address", "setuid", "setuid32", "setxattr", "shmat", "shmctl", "shmdt",
			"shmget", "shutdown", "sigaltstack", "signalfd", "signalfd4", "sigreturn", "socket", "socketcall",
			"socketpair", "splice", "stat", "stat64", "statfs", "statfs64", "statx", "symlink",
			"symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo", "syslog", "tee", "tgkill",
			"time", "timer_create", "timer_delete", "timerfd_create", "timerfd_gettime", "timerfd_settime", "timer_getoverrun", "timer_gettime",
			"timer_settime", "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask", "uname",
			"unlink", "unlinkat", "utime", "utimensat", "utimes", "vfork", "vmsplice", "wait4",
			"waitid", "waitpid", "write", "writev",
		),

		// personality(2) is restricted to a fixed set of persona values:
		// the Linux constants PER_LINUX (0x0), PER_LINUX32 (0x0008),
		// UNAME26 (0x20000), their combination (0x20008), and 0xffffffff,
		// which queries the current persona without changing it. Any other
		// value (e.g. ADDR_NO_RANDOMIZE) is denied.
		personalityEq(0x0),
		personalityEq(0x0008),
		personalityEq(0x20000),
		personalityEq(0x20008),
		personalityEq(0xffffffff),

		// Architecture-specific entry points.
		allowOnArches([]string{"ppc64le"}, "sync_file_range2"),
		allowOnArches([]string{"arm", "arm64"},
			"arm_fadvise64_64", "arm_sync_file_range", "sync_file_range2",
			"breakpoint", "cacheflush", "set_tls",
		),
		allowOnArches([]string{"amd64", "x32"}, "arch_prctl"),
		allowOnArches([]string{"amd64", "x32", "x86"}, "modify_ldt"),
		allowOnArches([]string{"s390", "s390x"},
			"s390_pci_mmio_read", "s390_pci_mmio_write", "s390_runtime_instr",
		),

		// Capability-gated syscalls. Each group is reachable only if the
		// container was started with the corresponding capability, so the
		// seccomp gate mirrors the kernel's own permission check.

		// open_by_handle_at resolves a raw file handle, bypassing path-based
		// lookup, which is why it is tied to CAP_DAC_READ_SEARCH.
		allowWithCap("CAP_DAC_READ_SEARCH", "open_by_handle_at"),
		allowWithCap("CAP_SYS_ADMIN",
			"bpf", "clone", "fanotify_init", "lookup_dcookie", "mount",
			"name_to_handle_at", "perf_event_open", "quotactl", "setdomainname",
			"sethostname", "setns", "umount", "umount2", "unshare",
		),

		// clone without CAP_SYS_ADMIN: flags (argument 0 on every arch but
		// s390) must not request a new namespace. s390 is excluded here and
		// handled by the next rule.
		{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    0,
					Value:    newNSFlags,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Excludes: types.Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same check for s390/s390x, where the clone flags travel in
		// argument 1 instead of argument 0.
		{
			Names:  []string{"clone"},
			Action: types.ActAllow,
			Args: []*types.Arg{
				{
					Index:    1,
					Value:    newNSFlags,
					ValueTwo: 0,
					Op:       types.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: types.Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: types.Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},

		allowWithCap("CAP_SYS_BOOT", "reboot"),
		allowWithCap("CAP_SYS_CHROOT", "chroot"),
		allowWithCap("CAP_SYS_MODULE",
			"delete_module", "init_module", "finit_module", "query_module",
		),
		allowWithCap("CAP_SYS_PACCT", "acct"),
		// Cross-process memory access and ptrace stay behind CAP_SYS_PTRACE.
		allowWithCap("CAP_SYS_PTRACE",
			"kcmp", "process_vm_readv", "process_vm_writev", "ptrace",
		),
		allowWithCap("CAP_SYS_RAWIO", "iopl", "ioperm"),
		allowWithCap("CAP_SYS_TIME", "settimeofday", "stime", "clock_settime"),
		allowWithCap("CAP_SYS_TTY_CONFIG", "vhangup"),
	}

	return &types.Seccomp{
		// Deny-by-default; a blocked syscall returns an errno rather than
		// delivering SIGSYS, so most programs degrade instead of crashing.
		DefaultAction: types.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}