my-seccomp.json (16200B)
1 { 2 "defaultAction": "SCMP_ACT_ERRNO", 3 "defaultErrnoRet": 38, 4 "defaultErrno": "ENOSYS", 5 "archMap": [ 6 { 7 "architecture": "SCMP_ARCH_X86_64", 8 "subArchitectures": [ 9 "SCMP_ARCH_X86", 10 "SCMP_ARCH_X32" 11 ] 12 }, 13 { 14 "architecture": "SCMP_ARCH_AARCH64", 15 "subArchitectures": [ 16 "SCMP_ARCH_ARM" 17 ] 18 }, 19 { 20 "architecture": "SCMP_ARCH_MIPS64", 21 "subArchitectures": [ 22 "SCMP_ARCH_MIPS", 23 "SCMP_ARCH_MIPS64N32" 24 ] 25 }, 26 { 27 "architecture": "SCMP_ARCH_MIPS64N32", 28 "subArchitectures": [ 29 "SCMP_ARCH_MIPS", 30 "SCMP_ARCH_MIPS64" 31 ] 32 }, 33 { 34 "architecture": "SCMP_ARCH_MIPSEL64", 35 "subArchitectures": [ 36 "SCMP_ARCH_MIPSEL", 37 "SCMP_ARCH_MIPSEL64N32" 38 ] 39 }, 40 { 41 "architecture": "SCMP_ARCH_MIPSEL64N32", 42 "subArchitectures": [ 43 "SCMP_ARCH_MIPSEL", 44 "SCMP_ARCH_MIPSEL64" 45 ] 46 }, 47 { 48 "architecture": "SCMP_ARCH_S390X", 49 "subArchitectures": [ 50 "SCMP_ARCH_S390" 51 ] 52 } 53 ], 54 "syscalls": [ 55 { 56 "names": [ 57 "bdflush", 58 "io_pgetevents", 59 "kexec_file_load", 60 "kexec_load", 61 "migrate_pages", 62 "move_pages", 63 "nfsservctl", 64 "nice", 65 "oldfstat", 66 "oldlstat", 67 "oldolduname", 68 "oldstat", 69 "olduname", 70 "pciconfig_iobase", 71 "pciconfig_read", 72 "pciconfig_write", 73 "sgetmask", 74 "ssetmask", 75 "swapcontext", 76 "swapoff", 77 "swapon", 78 "sysfs", 79 "uselib", 80 "userfaultfd", 81 "ustat", 82 "vm86", 83 "vm86old", 84 "vmsplice" 85 ], 86 "action": "SCMP_ACT_ERRNO", 87 "args": [], 88 "comment": "", 89 "includes": {}, 90 "excludes": {}, 91 "errnoRet": 1, 92 "errno": "EPERM" 93 }, 94 { 95 "names": [ 96 "_llseek", 97 "_newselect", 98 "accept", 99 "accept4", 100 "access", 101 "adjtimex", 102 "alarm", 103 "bind", 104 "brk", 105 "capget", 106 "capset", 107 "chdir", 108 "chmod", 109 "chown", 110 "chown32", 111 "clock_adjtime", 112 "clock_adjtime64", 113 "clock_getres", 114 "clock_getres_time64", 115 "clock_gettime", 116 "clock_gettime64", 117 "clock_nanosleep", 118 "clock_nanosleep_time64", 119 "clone", 120 "clone3", 121 "close", 122 "close_range", 123 "connect", 124 "copy_file_range", 125 "creat", 126 "dup", 127 "dup2", 128 "dup3", 129 "epoll_create", 130 "epoll_create1", 131 "epoll_ctl", 132 "epoll_ctl_old", 133 "epoll_pwait", 134 "epoll_pwait2", 135 "epoll_wait", 136 "epoll_wait_old", 137 "eventfd", 138 "eventfd2", 139 "execve", 140 "execveat", 141 "exit", 142 "exit_group", 143 "faccessat", 144 "faccessat2", 145 "fadvise64", 146 "fadvise64_64", 147 "fallocate", 148 "fanotify_mark", 149 "fchdir", 150 "fchmod", 151 "fchmodat", 152 "fchown", 153 "fchown32", 154 "fchownat", 155 "fcntl", 156 "fcntl64", 157 "fdatasync", 158 "fgetxattr", 159 "flistxattr", 160 "flock", 161 "fork", 162 "fremovexattr", 163 "fsconfig", 164 "fsetxattr", 165 "fsmount", 166 "fsopen", 167 "fspick", 168 "fstat", 169 "fstat64", 170 "fstatat64", 171 "fstatfs", 172 "fstatfs64", 173 "fsync", 174 "ftruncate", 175 "ftruncate64", 176 "futex", 177 "futex_time64", 178 "futimesat", 179 "get_robust_list", 180 "get_thread_area", 181 "getcpu", 182 "getcwd", 183 "getdents", 184 "getdents64", 185 "getegid", 186 "getegid32", 187 "geteuid", 188 "geteuid32", 189 "getgid", 190 "getgid32", 191 "getgroups", 192 "getgroups32", 193 "getitimer", 194 "get_mempolicy", 195 "getpeername", 196 "getpgid", 197 "getpgrp", 198 "getpid", 199 "getppid", 200 "getpriority", 201 "getrandom", 202 "getresgid", 203 "getresgid32", 204 "getresuid", 205 "getresuid32", 206 "getrlimit", 207 "getrusage", 208 "getsid", 209 "getsockname", 210 "getsockopt", 211 "gettid", 212 "gettimeofday", 213 "getuid", 214 "getuid32", 215 "getxattr", 216 "inotify_add_watch", 217 "inotify_init", 218 "inotify_init1", 219 "inotify_rm_watch", 220 "io_cancel", 221 "io_destroy", 222 "io_getevents", 223 "io_setup", 224 "io_submit", 225 "ioctl", 226 "ioprio_get", 227 "ioprio_set", 228 "ipc", 229 "keyctl", 230 "kill", 231 "lchown", 232 "lchown32", 233 "lgetxattr", 234 "link", 235 "linkat", 236 "listen", 237 "listxattr", 238 "llistxattr", 239 "lremovexattr", 240 "lseek", 241 "lsetxattr", 242 "lstat", 243 "lstat64", 244 "madvise", 245 "mbind", 246 "memfd_create", 247 "memfd_secret", 248 "mincore", 249 "mkdir", 250 "mkdirat", 251 "mknod", 252 "mknodat", 253 "mlock", 254 "mlock2", 255 "mlockall", 256 "mmap", 257 "mmap2", 258 "mount", 259 "move_mount", 260 "mprotect", 261 "mq_getsetattr", 262 "mq_notify", 263 "mq_open", 264 "mq_timedreceive", 265 "mq_timedreceive_time64", 266 "mq_timedsend", 267 "mq_timedsend_time64", 268 "mq_unlink", 269 "mremap", 270 "msgctl", 271 "msgget", 272 "msgrcv", 273 "msgsnd", 274 "msync", 275 "munlock", 276 "munlockall", 277 "munmap", 278 "name_to_handle_at", 279 "nanosleep", 280 "newfstatat", 281 "open", 282 "openat", 283 "openat2", 284 "open_tree", 285 "pause", 286 "pidfd_getfd", 287 "pidfd_open", 288 "pidfd_send_signal", 289 "pipe", 290 "pipe2", 291 "pivot_root", 292 "pkey_alloc", 293 "pkey_free", 294 "pkey_mprotect", 295 "poll", 296 "ppoll", 297 "ppoll_time64", 298 "prctl", 299 "pread64", 300 "preadv", 301 "preadv2", 302 "prlimit64", 303 "pselect6", 304 "pselect6_time64", 305 "pwrite64", 306 "pwritev", 307 "pwritev2", 308 "read", 309 "readahead", 310 "readdir", 311 "readlink", 312 "readlinkat", 313 "readv", 314 "reboot", 315 "recv", 316 "recvfrom", 317 "recvmmsg", 318 "recvmmsg_time64", 319 "recvmsg", 320 "remap_file_pages", 321 "removexattr", 322 "rename", 323 "renameat", 324 "renameat2", 325 "restart_syscall", 326 "rmdir", 327 "rseq", 328 "rt_sigaction", 329 "rt_sigpending", 330 "rt_sigprocmask", 331 "rt_sigqueueinfo", 332 "rt_sigreturn", 333 "rt_sigsuspend", 334 "rt_sigtimedwait", 335 "rt_sigtimedwait_time64", 336 "rt_tgsigqueueinfo", 337 "sched_get_priority_max", 338 "sched_get_priority_min", 339 "sched_getaffinity", 340 "sched_getattr", 341 "sched_getparam", 342 "sched_getscheduler", 343 "sched_rr_get_interval", 344 "sched_rr_get_interval_time64", 345 "sched_setaffinity", 346 "sched_setattr", 347 "sched_setparam", 348 "sched_setscheduler", 349 "sched_yield", 350 "seccomp", 351 "select", 352 "semctl", 353 "semget", 354 "semop", 355 "semtimedop", 356 "semtimedop_time64", 357 "send", 358 "sendfile", 359 "sendfile64", 360 "sendmmsg", 361 "sendmsg", 362 "sendto", 363 "setns", 364 "set_mempolicy", 365 "set_robust_list", 366 "set_thread_area", 367 "set_tid_address", 368 "setfsgid", 369 "setfsgid32", 370 "setfsuid", 371 "setfsuid32", 372 "setgid", 373 "setgid32", 374 "setgroups", 375 "setgroups32", 376 "setitimer", 377 "setpgid", 378 "setpriority", 379 "setregid", 380 "setregid32", 381 "setresgid", 382 "setresgid32", 383 "setresuid", 384 "setresuid32", 385 "setreuid", 386 "setreuid32", 387 "setrlimit", 388 "setsid", 389 "setsockopt", 390 "setuid", 391 "setuid32", 392 "setxattr", 393 "shmat", 394 "shmctl", 395 "shmdt", 396 "shmget", 397 "shutdown", 398 "sigaltstack", 399 "signalfd", 400 "signalfd4", 401 "sigreturn", 402 "socketcall", 403 "socketpair", 404 "splice", 405 "stat", 406 "stat64", 407 "statfs", 408 "statfs64", 409 "statx", 410 "symlink", 411 "symlinkat", 412 "sync", 413 "sync_file_range", 414 "syncfs", 415 "sysinfo", 416 "syslog", 417 "tee", 418 "tgkill", 419 "time", 420 "timer_create", 421 "timer_delete", 422 "timer_getoverrun", 423 "timer_gettime", 424 "timer_gettime64", 425 "timer_settime", 426 "timer_settime64", 427 "timerfd_create", 428 "timerfd_gettime", 429 "timerfd_gettime64", 430 "timerfd_settime", 431 "timerfd_settime64", 432 "times", 433 "tkill", 434 "truncate", 435 "truncate64", 436 "ugetrlimit", 437 "umask", 438 "umount", 439 "umount2", 440 "uname", 441 "unlink", 442 "unlinkat", 443 "unshare", 444 "utime", 445 "utimensat", 446 "utimensat_time64", 447 "utimes", 448 "vfork", 449 "wait4", 450 "waitid", 451 "waitpid", 452 "write", 453 "writev" 454 ], 455 "action": "SCMP_ACT_ALLOW", 456 "args": [], 457 "comment": "", 458 "includes": {}, 459 "excludes": {} 460 }, 461 { 462 "names": [ 463 "personality" 464 ], 465 "action": "SCMP_ACT_ALLOW", 466 "args": [ 467 { 468 "index": 0, 469 "value": 0, 470 "valueTwo": 0, 471 "op": "SCMP_CMP_EQ" 472 } 473 ], 474 "comment": "", 475 "includes": {}, 476 "excludes": {} 477 }, 478 { 479 "names": [ 480 "personality" 481 ], 482 "action": "SCMP_ACT_ALLOW", 483 "args": [ 484 { 485 "index": 0, 486 "value": 8, 487 "valueTwo": 0, 488 "op": "SCMP_CMP_EQ" 489 } 490 ], 491 "comment": "", 492 "includes": {}, 493 "excludes": {} 494 }, 495 { 496 "names": [ 497 "personality" 498 ], 499 "action": "SCMP_ACT_ALLOW", 500 "args": [ 501 { 502 "index": 0, 503 "value": 131072, 504 "valueTwo": 0, 505 "op": "SCMP_CMP_EQ" 506 } 507 ], 508 "comment": "", 509 "includes": {}, 510 "excludes": {} 511 }, 512 { 513 "names": [ 514 "personality" 515 ], 516 "action": "SCMP_ACT_ALLOW", 517 "args": [ 518 { 519 "index": 0, 520 "value": 131080, 521 "valueTwo": 0, 522 "op": "SCMP_CMP_EQ" 523 } 524 ], 525 "comment": "", 526 "includes": {}, 527 "excludes": {} 528 }, 529 { 530 "names": [ 531 "personality" 532 ], 533 "action": "SCMP_ACT_ALLOW", 534 "args": [ 535 { 536 "index": 0, 537 "value": 4294967295, 538 "valueTwo": 0, 539 "op": "SCMP_CMP_EQ" 540 } 541 ], 542 "comment": "", 543 "includes": {}, 544 "excludes": {} 545 }, 546 { 547 "names": [ 548 "sync_file_range2" 549 ], 550 "action": "SCMP_ACT_ALLOW", 551 "args": [], 552 "comment": "", 553 "includes": { 554 "arches": [ 555 "ppc64le" 556 ] 557 }, 558 "excludes": {} 559 }, 560 { 561 "names": [ 562 "arm_fadvise64_64", 563 "arm_sync_file_range", 564 "sync_file_range2", 565 "breakpoint", 566 "cacheflush", 567 "set_tls" 568 ], 569 "action": "SCMP_ACT_ALLOW", 570 "args": [], 571 "comment": "", 572 "includes": { 573 "arches": [ 574 "arm", 575 "arm64" 576 ] 577 }, 578 "excludes": {} 579 }, 580 { 581 "names": [ 582 "arch_prctl" 583 ], 584 "action": "SCMP_ACT_ALLOW", 585 "args": [], 586 "comment": "", 587 "includes": { 588 "arches": [ 589 "amd64", 590 "x32" 591 ] 592 }, 593 "excludes": {} 594 }, 595 { 596 "names": [ 597 "modify_ldt" 598 ], 599 "action": "SCMP_ACT_ALLOW", 600 "args": [], 601 "comment": "", 602 "includes": { 603 "arches": [ 604 "amd64", 605 "x32", 606 "x86" 607 ] 608 }, 609 "excludes": {} 610 }, 611 { 612 "names": [ 613 "s390_pci_mmio_read", 614 "s390_pci_mmio_write", 615 "s390_runtime_instr" 616 ], 617 "action": "SCMP_ACT_ALLOW", 618 "args": [], 619 "comment": "", 620 "includes": { 621 "arches": [ 622 "s390", 623 "s390x" 624 ] 625 }, 626 "excludes": {} 627 }, 628 { 629 "names": [ 630 "open_by_handle_at" 631 ], 632 "action": "SCMP_ACT_ALLOW", 633 "args": [], 634 "comment": "", 635 "includes": { 636 "caps": [ 637 "CAP_DAC_READ_SEARCH" 638 ] 639 }, 640 "excludes": {} 641 }, 642 { 643 "names": [ 644 "open_by_handle_at" 645 ], 646 "action": "SCMP_ACT_ERRNO", 647 "args": [], 648 "comment": "", 649 "includes": {}, 650 "excludes": { 651 "caps": [ 652 "CAP_DAC_READ_SEARCH" 653 ] 654 }, 655 "errnoRet": 1, 656 "errno": "EPERM" 657 }, 658 { 659 "names": [ 660 "bpf", 661 "fanotify_init", 662 "lookup_dcookie", 663 "perf_event_open", 664 "quotactl", 665 "setdomainname", 666 "sethostname", 667 "setns" 668 ], 669 "action": "SCMP_ACT_ALLOW", 670 "args": [], 671 "comment": "", 672 "includes": { 673 "caps": [ 674 "CAP_SYS_ADMIN" 675 ] 676 }, 677 "excludes": {} 678 }, 679 { 680 "names": [ 681 "bpf", 682 "fanotify_init", 683 "lookup_dcookie", 684 "perf_event_open", 685 "quotactl", 686 "setdomainname", 687 "sethostname", 688 "setns" 689 ], 690 "action": "SCMP_ACT_ERRNO", 691 "args": [], 692 "comment": "", 693 "includes": {}, 694 "excludes": { 695 "caps": [ 696 "CAP_SYS_ADMIN" 697 ] 698 }, 699 "errnoRet": 1, 700 "errno": "EPERM" 701 }, 702 { 703 "names": [ 704 "chroot" 705 ], 706 "action": "SCMP_ACT_ALLOW", 707 "args": [], 708 "comment": "", 709 "includes": { 710 "caps": [ 711 "CAP_SYS_CHROOT" 712 ] 713 }, 714 "excludes": {} 715 }, 716 { 717 "names": [ 718 "chroot" 719 ], 720 "action": "SCMP_ACT_ERRNO", 721 "args": [], 722 "comment": "", 723 "includes": {}, 724 "excludes": { 725 "caps": [ 726 "CAP_SYS_CHROOT" 727 ] 728 }, 729 "errnoRet": 1, 730 "errno": "EPERM" 731 }, 732 { 733 "names": [ 734 "delete_module", 735 "init_module", 736 "finit_module", 737 "query_module" 738 ], 739 "action": "SCMP_ACT_ALLOW", 740 "args": [], 741 "comment": "", 742 "includes": { 743 "caps": [ 744 "CAP_SYS_MODULE" 745 ] 746 }, 747 "excludes": {} 748 }, 749 { 750 "names": [ 751 "delete_module", 752 "init_module", 753 "finit_module", 754 "query_module" 755 ], 756 "action": "SCMP_ACT_ERRNO", 757 "args": [], 758 "comment": "", 759 "includes": {}, 760 "excludes": { 761 "caps": [ 762 "CAP_SYS_MODULE" 763 ] 764 }, 765 "errnoRet": 1, 766 "errno": "EPERM" 767 }, 768 { 769 "names": [ 770 "acct" 771 ], 772 "action": "SCMP_ACT_ALLOW", 773 "args": [], 774 "comment": "", 775 "includes": { 776 "caps": [ 777 "CAP_SYS_PACCT" 778 ] 779 }, 780 "excludes": {} 781 }, 782 { 783 "names": [ 784 "acct" 785 ], 786 "action": "SCMP_ACT_ERRNO", 787 "args": [], 788 "comment": "", 789 "includes": {}, 790 "excludes": { 791 "caps": [ 792 "CAP_SYS_PACCT" 793 ] 794 }, 795 "errnoRet": 1, 796 "errno": "EPERM" 797 }, 798 { 799 "names": [ 800 "kcmp", 801 "process_madvise", 802 "process_vm_readv", 803 "process_vm_writev", 804 "ptrace" 805 ], 806 "action": "SCMP_ACT_ALLOW", 807 "args": [], 808 "comment": "", 809 "includes": { 810 "caps": [ 811 "CAP_SYS_PTRACE" 812 ] 813 }, 814 "excludes": {} 815 }, 816 { 817 "names": [ 818 "kcmp", 819 "process_madvise", 820 "process_vm_readv", 821 "process_vm_writev", 822 "ptrace" 823 ], 824 "action": "SCMP_ACT_ERRNO", 825 "args": [], 826 "comment": "", 827 "includes": {}, 828 "excludes": { 829 "caps": [ 830 "CAP_SYS_PTRACE" 831 ] 832 }, 833 "errnoRet": 1, 834 "errno": "EPERM" 835 }, 836 { 837 "names": [ 838 "iopl", 839 "ioperm" 840 ], 841 "action": "SCMP_ACT_ALLOW", 842 "args": [], 843 "comment": "", 844 "includes": { 845 "caps": [ 846 "CAP_SYS_RAWIO" 847 ] 848 }, 849 "excludes": {} 850 }, 851 { 852 "names": [ 853 "iopl", 854 "ioperm" 855 ], 856 "action": "SCMP_ACT_ERRNO", 857 "args": [], 858 "comment": "", 859 "includes": {}, 860 "excludes": { 861 "caps": [ 862 "CAP_SYS_RAWIO" 863 ] 864 }, 865 "errnoRet": 1, 866 "errno": "EPERM" 867 }, 868 { 869 "names": [ 870 "settimeofday", 871 "stime", 872 "clock_settime", 873 "clock_settime64" 874 ], 875 "action": "SCMP_ACT_ALLOW", 876 "args": [], 877 "comment": "", 878 "includes": { 879 "caps": [ 880 "CAP_SYS_TIME" 881 ] 882 }, 883 "excludes": {} 884 }, 885 { 886 "names": [ 887 "settimeofday", 888 "stime", 889 "clock_settime", 890 "clock_settime64" 891 ], 892 "action": "SCMP_ACT_ERRNO", 893 "args": [], 894 "comment": "", 895 "includes": {}, 896 "excludes": { 897 "caps": [ 898 "CAP_SYS_TIME" 899 ] 900 }, 901 "errnoRet": 1, 902 "errno": "EPERM" 903 }, 904 { 905 "names": [ 906 "vhangup" 907 ], 908 "action": "SCMP_ACT_ALLOW", 909 "args": [], 910 "comment": "", 911 "includes": { 912 "caps": [ 913 "CAP_SYS_TTY_CONFIG" 914 ] 915 }, 916 "excludes": {} 917 }, 918 { 919 "names": [ 920 "vhangup" 921 ], 922 "action": "SCMP_ACT_ERRNO", 923 "args": [], 924 "comment": "", 925 "includes": {}, 926 "excludes": { 927 "caps": [ 928 "CAP_SYS_TTY_CONFIG" 929 ] 930 }, 931 "errnoRet": 1, 932 "errno": "EPERM" 933 }, 934 { 935 "names": [ 936 "socket" 937 ], 938 "action": "SCMP_ACT_ERRNO", 939 "args": [ 940 { 941 "index": 0, 942 "value": 16, 943 "valueTwo": 0, 944 "op": "SCMP_CMP_EQ" 945 }, 946 { 947 "index": 2, 948 "value": 9, 949 "valueTwo": 0, 950 "op": "SCMP_CMP_EQ" 951 } 952 ], 953 "comment": "", 954 "includes": {}, 955 "excludes": { 956 "caps": [ 957 "CAP_AUDIT_WRITE" 958 ] 959 }, 960 "errnoRet": 22, 961 "errno": "EINVAL" 962 }, 963 { 964 "names": [ 965 "socket" 966 ], 967 "action": "SCMP_ACT_ALLOW", 968 "args": [ 969 { 970 "index": 2, 971 "value": 9, 972 "valueTwo": 0, 973 "op": "SCMP_CMP_NE" 974 } 975 ], 976 "comment": "", 977 "includes": {}, 978 "excludes": { 979 "caps": [ 980 "CAP_AUDIT_WRITE" 981 ] 982 } 983 }, 984 { 985 "names": [ 986 "socket" 987 ], 988 "action": "SCMP_ACT_ALLOW", 989 "args": [ 990 { 991 "index": 0, 992 "value": 16, 993 "valueTwo": 0, 994 "op": "SCMP_CMP_NE" 995 } 996 ], 997 "comment": "", 998 "includes": {}, 999 "excludes": { 1000 "caps": [ 1001 "CAP_AUDIT_WRITE" 1002 ] 1003 } 1004 }, 1005 { 1006 "names": [ 1007 "socket" 1008 ], 1009 "action": "SCMP_ACT_ALLOW", 1010 "args": [ 1011 { 1012 "index": 2, 1013 "value": 9, 1014 "valueTwo": 0, 1015 "op": "SCMP_CMP_NE" 1016 } 1017 ], 1018 "comment": "", 1019 "includes": {}, 1020 "excludes": { 1021 "caps": [ 1022 "CAP_AUDIT_WRITE" 1023 ] 1024 } 1025 }, 1026 { 1027 "names": [ 1028 "socket" 1029 ], 1030 "action": "SCMP_ACT_ALLOW", 1031 "args": null, 1032 "comment": "", 1033 "includes": { 1034 "caps": [ 1035 "CAP_AUDIT_WRITE" 1036 ] 1037 }, 1038 "excludes": {} 1039 } 1040 ] 1041 }