moby--moby/contrib/mkseccomp.sample

/* This sample file is an example for mkseccomp.pl to produce a seccomp file
 * which restricts syscalls that are only useful for an admin but allows the
 * vast majority of normal userspace programs to run normally.
 *
 * The format of this file is one line per syscall.  This is then processed
 * and passed to 'cpp' to convert the names to numbers using whatever is
 * correct for your platform.  As such C-style comments are permitted.  Note
 * this also means that C preprocessor macros are also allowed.  So it is
 * possible to create groups surrounded by #ifdef/#endif and control their
 * inclusion via #define (not #include).
 *
 * Syscalls that don't exist on your architecture are silently filtered out.
 * Syscalls marked with (*) are required for a container to spawn a bash
 * shell successfully (not necessarily full featured).  Listing the same
 * syscall multiple times is no problem.
 *
 * If you want to make a list specifically for one application the easiest
 * way is to run the application under strace, like so:
 *
 * $ strace -f -q -c -o strace.out application args...
 *
 * Once you have a reasonable sample of the execution of the program, exit
 * it.  The file strace.out will have a summary of the syscalls used.  Copy
 * that list into this file, comment out everything else except the starred
 * syscalls (which you need for the container to start) and you're done.
 *
 * To get the list of syscalls from the strace output this works well for
 * me
 *
 * $ cut -c52 < strace.out
 *
 * This sample list was compiled as a combination of all the syscalls
 * available on i386 and amd64 on Ubuntu Precise, as such it may not contain
 * everything and not everything may be relevent for your system.  This
 * shouldn't be a problem.
 */

// Filesystem/File descriptor related
access                 // (*)
chdir                  // (*)
chmod
chown
chown32
close                  // (*)
creat
dup                    // (*)
dup2                   // (*)
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
faccessat              // (*)
fadvise64
fadvise64_64
fallocate
fanotify_init
fanotify_mark
ioctl                  // (*)
fchdir
fchmod
fchmodat
fchown
fchown32
fchownat
fcntl                  // (*)
fcntl64
fdatasync
fgetxattr
flistxattr
flock
fremovexattr
fsetxattr
fstat                  // (*)
fstat64
fstatat64
fstatfs
fstatfs64
fsync
ftruncate
ftruncate64
getcwd                 // (*)
getdents               // (*)
getdents64
getxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
io_destroy
io_getevents
io_setup
io_submit
lchown
lchown32
lgetxattr
link
linkat
listxattr
llistxattr
llseek
_llseek
lremovexattr
lseek                  // (*)
lsetxattr
lstat
lstat64
mkdir
mkdirat
mknod
mknodat
newfstatat
_newselect
oldfstat
oldlstat
oldolduname
oldstat
olduname
oldwait4
open                   // (*)
openat                 // (*)
pipe                   // (*)
pipe2
poll
ppoll
pread64
preadv
futimesat
pselect6
pwrite64
pwritev
read                   // (*)
readahead
readdir
readlink
readlinkat
readv
removexattr
rename
renameat
rmdir
select
sendfile
sendfile64
setxattr
splice
stat                   // (*)
stat64
statfs                 // (*)
statfs64
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
tee
truncate
truncate64
umask
unlink
unlinkat
ustat
utime
utimensat
utimes
write                  // (*)
writev

// Network related
accept
accept4
bind                   // (*)
connect                // (*)
getpeername
getsockname            // (*)
getsockopt
listen
recv
recvfrom               // (*)
recvmmsg
recvmsg
send
sendmmsg
sendmsg
sendto                 // (*)
setsockopt
shutdown
socket                 // (*)
socketcall
socketpair

// Signal related
pause
rt_sigaction           // (*)
rt_sigpending
rt_sigprocmask         // (*)
rt_sigqueueinfo
rt_sigreturn           // (*)
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sigaction
sigaltstack            // (*)
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend

// Other needed POSIX
alarm
brk                    // (*)
clock_adjtime
clock_getres
clock_gettime
clock_nanosleep
//clock_settime
gettimeofday
nanosleep
nice
sysinfo
syslog
time
timer_create
timer_delete
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
uname                  // (*)

// Memory control
madvise
mbind
mincore
mlock
mlockall
mmap                   // (*)
mmap2
mprotect               // (*)
mremap
msync
munlock
munlockall
munmap                 // (*)
remap_file_pages
set_mempolicy
vmsplice

// Process control
capget
//capset
clone                  // (*)
execve                 // (*)
exit                   // (*)
exit_group             // (*)
fork
getcpu
getpgid
getpgrp                // (*)
getpid                 // (*)
getppid                // (*)
getpriority
getresgid
getresgid32
getresuid
getresuid32
getrlimit              // (*)
getrusage
getsid
getuid                 // (*)
getuid32
getegid                // (*)
getegid32
geteuid                // (*)
geteuid32
getgid                 // (*)
getgid32
getgroups
getgroups32
getitimer
get_mempolicy
kill
//personality
prctl
prlimit64
sched_getaffinity
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
//sched_setaffinity
//sched_setparam
//sched_setscheduler
sched_yield
setfsgid
setfsgid32
setfsuid
setfsuid32
setgid
setgid32
setgroups
setgroups32
setitimer
setpgid                // (*)
setpriority
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
setsid
setuid
setuid32
ugetrlimit
vfork
wait4                  // (*)
waitid
waitpid

// IPC
ipc
mq_getsetattr
mq_notify
mq_open
mq_timedreceive
mq_timedsend
mq_unlink
msgctl
msgget
msgrcv
msgsnd
semctl
semget
semop
semtimedop
shmat
shmctl
shmdt
shmget

// Linux specific, mostly needed for thread-related stuff
arch_prctl             // (*)
get_robust_list
get_thread_area
gettid
futex                  // (*)
restart_syscall        // (*)
set_robust_list        // (*)
set_thread_area
set_tid_address        // (*)
tgkill
tkill

// Admin syscalls, these are blocked
//acct
//adjtimex
//bdflush
//chroot
//create_module
//delete_module
//get_kernel_syms      // Obsolete
//idle                 // Obsolete
//init_module
//ioperm
//iopl
//ioprio_get
//ioprio_set
//kexec_load
//lookup_dcookie       // oprofile only?
//migrate_pages        // NUMA
//modify_ldt
//mount
//move_pages           // NUMA
//name_to_handle_at    // NFS server
//nfsservctl           // NFS server
//open_by_handle_at    // NFS server
//perf_event_open
//pivot_root
//process_vm_readv     // For debugger
//process_vm_writev    // For debugger
//ptrace               // For debugger
//query_module
//quotactl
//reboot
//setdomainname
//sethostname
//setns
//settimeofday
//sgetmask             // Obsolete
//ssetmask             // Obsolete
//stime
//swapoff
//swapon
//_sysctl
//sysfs
//sys_setaltroot
//umount
//umount2
//unshare
//uselib
//vhangup
//vm86
//vm86old

// Kernel key management
//add_key
//keyctl
//request_key

// Unimplemented
//afs_syscall
//break
//ftime
//getpmsg
//gtty
//lock
//madvise1
//mpx
//prof
//profil
//putpmsg
//security
//stty
//tuxcall
//ulimit
//vserver
Add mkseccomp.pl, helper script to make seccomp profiles. 2013-11-26 10:03:36 -05:00			`/* This sample file is an example for mkseccomp.pl to produce a seccomp file`
			`* which restricts syscalls that are only useful for an admin but allows the`
			`* vast majority of normal userspace programs to run normally.`
			`*`
			`* The format of this file is one line per syscall. This is then processed`
			`* and passed to 'cpp' to convert the names to numbers using whatever is`
			`* correct for your platform. As such C-style comments are permitted. Note`
			`* this also means that C preprocessor macros are also allowed. So it is`
			`* possible to create groups surrounded by #ifdef/#endif and control their`
			`* inclusion via #define (not #include).`
			`*`
			`* Syscalls that don't exist on your architecture are silently filtered out.`
			`* Syscalls marked with (*) are required for a container to spawn a bash`
			`* shell successfully (not necessarily full featured). Listing the same`
			`* syscall multiple times is no problem.`
			`*`
			`* If you want to make a list specifically for one application the easiest`
			`* way is to run the application under strace, like so:`
			`*`
			`* $ strace -f -q -c -o strace.out application args...`
			`*`
			`* Once you have a reasonable sample of the execution of the program, exit`
			`* it. The file strace.out will have a summary of the syscalls used. Copy`
			`* that list into this file, comment out everything else except the starred`
			`* syscalls (which you need for the container to start) and you're done.`
			`*`
			`* To get the list of syscalls from the strace output this works well for`
			`* me`
			`*`
			`* $ cut -c52 < strace.out`
			`*`
			`* This sample list was compiled as a combination of all the syscalls`
			`* available on i386 and amd64 on Ubuntu Precise, as such it may not contain`
			`* everything and not everything may be relevent for your system. This`
			`* shouldn't be a problem.`
			`*/`

			`// Filesystem/File descriptor related`
			`access // (*)`
			`chdir // (*)`
			`chmod`
			`chown`
			`chown32`
			`close // (*)`
			`creat`
			`dup // (*)`
			`dup2 // (*)`
			`dup3`
			`epoll_create`
			`epoll_create1`
			`epoll_ctl`
			`epoll_ctl_old`
			`epoll_pwait`
			`epoll_wait`
			`epoll_wait_old`
			`eventfd`
			`eventfd2`
			`faccessat // (*)`
			`fadvise64`
			`fadvise64_64`
			`fallocate`
			`fanotify_init`
			`fanotify_mark`
			`ioctl // (*)`
			`fchdir`
			`fchmod`
			`fchmodat`
			`fchown`
			`fchown32`
			`fchownat`
			`fcntl // (*)`
			`fcntl64`
			`fdatasync`
			`fgetxattr`
			`flistxattr`
			`flock`
			`fremovexattr`
			`fsetxattr`
			`fstat // (*)`
			`fstat64`
			`fstatat64`
			`fstatfs`
			`fstatfs64`
			`fsync`
			`ftruncate`
			`ftruncate64`
			`getcwd // (*)`
			`getdents // (*)`
			`getdents64`
			`getxattr`
			`inotify_add_watch`
			`inotify_init`
			`inotify_init1`
			`inotify_rm_watch`
			`io_cancel`
			`io_destroy`
			`io_getevents`
			`io_setup`
			`io_submit`
			`lchown`
			`lchown32`
			`lgetxattr`
			`link`
			`linkat`
			`listxattr`
			`llistxattr`
			`llseek`
			`_llseek`
			`lremovexattr`
			`lseek // (*)`
			`lsetxattr`
			`lstat`
			`lstat64`
			`mkdir`
			`mkdirat`
			`mknod`
			`mknodat`
			`newfstatat`
			`_newselect`
			`oldfstat`
			`oldlstat`
			`oldolduname`
			`oldstat`
			`olduname`
			`oldwait4`
			`open // (*)`
			`openat // (*)`
			`pipe // (*)`
			`pipe2`
			`poll`
			`ppoll`
			`pread64`
			`preadv`
			`futimesat`
			`pselect6`
			`pwrite64`
			`pwritev`
			`read // (*)`
			`readahead`
			`readdir`
			`readlink`
			`readlinkat`
			`readv`
			`removexattr`
			`rename`
			`renameat`
			`rmdir`
			`select`
			`sendfile`
			`sendfile64`
			`setxattr`
			`splice`
			`stat // (*)`
			`stat64`
			`statfs // (*)`
			`statfs64`
			`symlink`
			`symlinkat`
			`sync`
			`sync_file_range`
			`sync_file_range2`
			`syncfs`
			`tee`
			`truncate`
			`truncate64`
			`umask`
			`unlink`
			`unlinkat`
			`ustat`
			`utime`
			`utimensat`
			`utimes`
			`write // (*)`
			`writev`

			`// Network related`
			`accept`
			`accept4`
			`bind // (*)`
			`connect // (*)`
			`getpeername`
			`getsockname // (*)`
			`getsockopt`
			`listen`
			`recv`
			`recvfrom // (*)`
			`recvmmsg`
			`recvmsg`
			`send`
			`sendmmsg`
			`sendmsg`
			`sendto // (*)`
			`setsockopt`
			`shutdown`
			`socket // (*)`
			`socketcall`
			`socketpair`

			`// Signal related`
			`pause`
			`rt_sigaction // (*)`
			`rt_sigpending`
			`rt_sigprocmask // (*)`
			`rt_sigqueueinfo`
			`rt_sigreturn // (*)`
			`rt_sigsuspend`
			`rt_sigtimedwait`
			`rt_tgsigqueueinfo`
			`sigaction`
			`sigaltstack // (*)`
			`signal`
			`signalfd`
			`signalfd4`
			`sigpending`
			`sigprocmask`
			`sigreturn`
			`sigsuspend`

			`// Other needed POSIX`
			`alarm`
			`brk // (*)`
			`clock_adjtime`
			`clock_getres`
			`clock_gettime`
			`clock_nanosleep`
			`//clock_settime`
			`gettimeofday`
			`nanosleep`
			`nice`
			`sysinfo`
			`syslog`
			`time`
			`timer_create`
			`timer_delete`
			`timerfd_create`
			`timerfd_gettime`
			`timerfd_settime`
			`timer_getoverrun`
			`timer_gettime`
			`timer_settime`
			`times`
			`uname // (*)`

			`// Memory control`
			`madvise`
			`mbind`
			`mincore`
			`mlock`
			`mlockall`
			`mmap // (*)`
			`mmap2`
			`mprotect // (*)`
			`mremap`
			`msync`
			`munlock`
			`munlockall`
			`munmap // (*)`
			`remap_file_pages`
			`set_mempolicy`
			`vmsplice`

			`// Process control`
			`capget`
			`//capset`
			`clone // (*)`
			`execve // (*)`
			`exit // (*)`
			`exit_group // (*)`
			`fork`
			`getcpu`
			`getpgid`
			`getpgrp // (*)`
			`getpid // (*)`
			`getppid // (*)`
			`getpriority`
			`getresgid`
			`getresgid32`
			`getresuid`
			`getresuid32`
			`getrlimit // (*)`
			`getrusage`
			`getsid`
			`getuid // (*)`
			`getuid32`
			`getegid // (*)`
			`getegid32`
			`geteuid // (*)`
			`geteuid32`
			`getgid // (*)`
			`getgid32`
			`getgroups`
			`getgroups32`
			`getitimer`
			`get_mempolicy`
			`kill`
			`//personality`
			`prctl`
			`prlimit64`
			`sched_getaffinity`
			`sched_getparam`
			`sched_get_priority_max`
			`sched_get_priority_min`
			`sched_getscheduler`
			`sched_rr_get_interval`
			`//sched_setaffinity`
			`//sched_setparam`
			`//sched_setscheduler`
			`sched_yield`
			`setfsgid`
			`setfsgid32`
			`setfsuid`
			`setfsuid32`
			`setgid`
			`setgid32`
			`setgroups`
			`setgroups32`
			`setitimer`
			`setpgid // (*)`
			`setpriority`
			`setregid`
			`setregid32`
			`setresgid`
			`setresgid32`
			`setresuid`
			`setresuid32`
			`setreuid`
			`setreuid32`
			`setrlimit`
			`setsid`
			`setuid`
			`setuid32`
			`ugetrlimit`
			`vfork`
			`wait4 // (*)`
			`waitid`
			`waitpid`

			`// IPC`
			`ipc`
			`mq_getsetattr`
			`mq_notify`
			`mq_open`
			`mq_timedreceive`
			`mq_timedsend`
			`mq_unlink`
			`msgctl`
			`msgget`
			`msgrcv`
			`msgsnd`
			`semctl`
			`semget`
			`semop`
			`semtimedop`
			`shmat`
			`shmctl`
			`shmdt`
			`shmget`

			`// Linux specific, mostly needed for thread-related stuff`
			`arch_prctl // (*)`
			`get_robust_list`
			`get_thread_area`
			`gettid`
			`futex // (*)`
			`restart_syscall // (*)`
			`set_robust_list // (*)`
			`set_thread_area`
			`set_tid_address // (*)`
			`tgkill`
			`tkill`

			`// Admin syscalls, these are blocked`
			`//acct`
			`//adjtimex`
			`//bdflush`
			`//chroot`
			`//create_module`
			`//delete_module`
			`//get_kernel_syms // Obsolete`
			`//idle // Obsolete`
			`//init_module`
			`//ioperm`
			`//iopl`
			`//ioprio_get`
			`//ioprio_set`
			`//kexec_load`
			`//lookup_dcookie // oprofile only?`
			`//migrate_pages // NUMA`
			`//modify_ldt`
			`//mount`
			`//move_pages // NUMA`
			`//name_to_handle_at // NFS server`
			`//nfsservctl // NFS server`
			`//open_by_handle_at // NFS server`
			`//perf_event_open`
			`//pivot_root`
			`//process_vm_readv // For debugger`
			`//process_vm_writev // For debugger`
			`//ptrace // For debugger`
			`//query_module`
			`//quotactl`
			`//reboot`
			`//setdomainname`
			`//sethostname`
			`//setns`
			`//settimeofday`
			`//sgetmask // Obsolete`
			`//ssetmask // Obsolete`
			`//stime`
			`//swapoff`
			`//swapon`
			`//_sysctl`
			`//sysfs`
			`//sys_setaltroot`
			`//umount`
			`//umount2`
			`//unshare`
			`//uselib`
			`//vhangup`
			`//vm86`
			`//vm86old`

			`// Kernel key management`
			`//add_key`
			`//keyctl`
			`//request_key`

			`// Unimplemented`
			`//afs_syscall`
			`//break`
			`//ftime`
			`//getpmsg`
			`//gtty`
			`//lock`
			`//madvise1`
			`//mpx`
			`//prof`
			`//profil`
			`//putpmsg`
			`//security`
			`//stty`
			`//tuxcall`
			`//ulimit`
			`//vserver`