|
 |
be3dc7 |
{
|
|
|
be3dc7 |
"defaultAction": "SCMP_ACT_ERRNO",
|
|
|
be3dc7 |
"archMap": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_X86_64",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_X86",
|
|
|
be3dc7 |
"SCMP_ARCH_X32"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_AARCH64",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_ARM"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_MIPS64",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_MIPS",
|
|
|
be3dc7 |
"SCMP_ARCH_MIPS64N32"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_MIPS64N32",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_MIPS",
|
|
|
be3dc7 |
"SCMP_ARCH_MIPS64"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_MIPSEL64",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_MIPSEL",
|
|
|
be3dc7 |
"SCMP_ARCH_MIPSEL64N32"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_MIPSEL64N32",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_MIPSEL",
|
|
|
be3dc7 |
"SCMP_ARCH_MIPSEL64"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"architecture": "SCMP_ARCH_S390X",
|
|
|
be3dc7 |
"subArchitectures": [
|
|
|
be3dc7 |
"SCMP_ARCH_S390"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"syscalls": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"_llseek",
|
|
|
be3dc7 |
"_newselect",
|
|
|
be3dc7 |
"accept",
|
|
|
be3dc7 |
"accept4",
|
|
|
be3dc7 |
"access",
|
|
|
be3dc7 |
"adjtimex",
|
|
|
be3dc7 |
"alarm",
|
|
|
be3dc7 |
"bind",
|
|
|
be3dc7 |
"brk",
|
|
|
be3dc7 |
"capget",
|
|
|
be3dc7 |
"capset",
|
|
|
be3dc7 |
"chdir",
|
|
|
be3dc7 |
"chmod",
|
|
|
be3dc7 |
"chown",
|
|
|
be3dc7 |
"chown32",
|
|
|
be3dc7 |
"clock_adjtime",
|
|
|
be3dc7 |
"clock_adjtime64",
|
|
|
be3dc7 |
"clock_getres",
|
|
|
be3dc7 |
"clock_getres_time64",
|
|
|
be3dc7 |
"clock_gettime",
|
|
|
be3dc7 |
"clock_gettime64",
|
|
|
be3dc7 |
"clock_nanosleep",
|
|
|
be3dc7 |
"clock_nanosleep_time64",
|
|
|
be3dc7 |
"clone",
|
|
|
be3dc7 |
"close",
|
|
|
be3dc7 |
"close_range",
|
|
|
be3dc7 |
"connect",
|
|
|
be3dc7 |
"copy_file_range",
|
|
|
be3dc7 |
"creat",
|
|
|
be3dc7 |
"dup",
|
|
|
be3dc7 |
"dup2",
|
|
|
be3dc7 |
"dup3",
|
|
|
be3dc7 |
"epoll_create",
|
|
|
be3dc7 |
"epoll_create1",
|
|
|
be3dc7 |
"epoll_ctl",
|
|
|
be3dc7 |
"epoll_ctl_old",
|
|
|
be3dc7 |
"epoll_pwait",
|
|
|
be3dc7 |
"epoll_wait",
|
|
|
be3dc7 |
"epoll_wait_old",
|
|
|
be3dc7 |
"eventfd",
|
|
|
be3dc7 |
"eventfd2",
|
|
|
be3dc7 |
"execve",
|
|
|
be3dc7 |
"execveat",
|
|
|
be3dc7 |
"exit",
|
|
|
be3dc7 |
"exit_group",
|
|
|
be3dc7 |
"faccessat",
|
|
|
be3dc7 |
"faccessat2",
|
|
|
be3dc7 |
"fadvise64",
|
|
|
be3dc7 |
"fadvise64_64",
|
|
|
be3dc7 |
"fallocate",
|
|
|
be3dc7 |
"fanotify_mark",
|
|
|
be3dc7 |
"fchdir",
|
|
|
be3dc7 |
"fchmod",
|
|
|
be3dc7 |
"fchmodat",
|
|
|
be3dc7 |
"fchown",
|
|
|
be3dc7 |
"fchown32",
|
|
|
be3dc7 |
"fchownat",
|
|
|
be3dc7 |
"fcntl",
|
|
|
be3dc7 |
"fcntl64",
|
|
|
be3dc7 |
"fdatasync",
|
|
|
be3dc7 |
"fgetxattr",
|
|
|
be3dc7 |
"flistxattr",
|
|
|
be3dc7 |
"flock",
|
|
|
be3dc7 |
"fork",
|
|
|
be3dc7 |
"fremovexattr",
|
|
|
be3dc7 |
"fsetxattr",
|
|
|
be3dc7 |
"fstat",
|
|
|
be3dc7 |
"fstat64",
|
|
|
be3dc7 |
"fstatat64",
|
|
|
be3dc7 |
"fstatfs",
|
|
|
be3dc7 |
"fstatfs64",
|
|
|
be3dc7 |
"fsync",
|
|
|
be3dc7 |
"ftruncate",
|
|
|
be3dc7 |
"ftruncate64",
|
|
|
be3dc7 |
"futex",
|
|
|
be3dc7 |
"futimesat",
|
|
|
be3dc7 |
"get_robust_list",
|
|
|
be3dc7 |
"get_thread_area",
|
|
|
be3dc7 |
"getcpu",
|
|
|
be3dc7 |
"getcwd",
|
|
|
be3dc7 |
"getdents",
|
|
|
be3dc7 |
"getdents64",
|
|
|
be3dc7 |
"getegid",
|
|
|
be3dc7 |
"getegid32",
|
|
|
be3dc7 |
"geteuid",
|
|
|
be3dc7 |
"geteuid32",
|
|
|
be3dc7 |
"getgid",
|
|
|
be3dc7 |
"getgid32",
|
|
|
be3dc7 |
"getgroups",
|
|
|
be3dc7 |
"getgroups32",
|
|
|
be3dc7 |
"getitimer",
|
|
|
be3dc7 |
"getpeername",
|
|
|
be3dc7 |
"getpgid",
|
|
|
be3dc7 |
"getpgrp",
|
|
|
be3dc7 |
"getpid",
|
|
|
be3dc7 |
"getppid",
|
|
|
be3dc7 |
"getpriority",
|
|
|
be3dc7 |
"getrandom",
|
|
|
be3dc7 |
"getresgid",
|
|
|
be3dc7 |
"getresgid32",
|
|
|
be3dc7 |
"getresuid",
|
|
|
be3dc7 |
"getresuid32",
|
|
|
be3dc7 |
"getrlimit",
|
|
|
be3dc7 |
"getrusage",
|
|
|
be3dc7 |
"getsid",
|
|
|
be3dc7 |
"getsockname",
|
|
|
be3dc7 |
"getsockopt",
|
|
|
be3dc7 |
"gettid",
|
|
|
be3dc7 |
"gettimeofday",
|
|
|
be3dc7 |
"getuid",
|
|
|
be3dc7 |
"getuid32",
|
|
|
be3dc7 |
"getxattr",
|
|
|
be3dc7 |
"inotify_add_watch",
|
|
|
be3dc7 |
"inotify_init",
|
|
|
be3dc7 |
"inotify_init1",
|
|
|
be3dc7 |
"inotify_rm_watch",
|
|
|
be3dc7 |
"io_cancel",
|
|
|
be3dc7 |
"io_destroy",
|
|
|
be3dc7 |
"io_getevents",
|
|
|
be3dc7 |
"io_setup",
|
|
|
be3dc7 |
"io_submit",
|
|
|
be3dc7 |
"ioctl",
|
|
|
be3dc7 |
"ioprio_get",
|
|
|
be3dc7 |
"ioprio_set",
|
|
|
be3dc7 |
"ipc",
|
|
|
be3dc7 |
"keyctl",
|
|
|
be3dc7 |
"kill",
|
|
|
be3dc7 |
"lchown",
|
|
|
be3dc7 |
"lchown32",
|
|
|
be3dc7 |
"lgetxattr",
|
|
|
be3dc7 |
"link",
|
|
|
be3dc7 |
"linkat",
|
|
|
be3dc7 |
"listen",
|
|
|
be3dc7 |
"listxattr",
|
|
|
be3dc7 |
"llistxattr",
|
|
|
be3dc7 |
"lremovexattr",
|
|
|
be3dc7 |
"lseek",
|
|
|
be3dc7 |
"lsetxattr",
|
|
|
be3dc7 |
"lstat",
|
|
|
be3dc7 |
"lstat64",
|
|
|
be3dc7 |
"madvise",
|
|
|
be3dc7 |
"memfd_create",
|
|
|
be3dc7 |
"mincore",
|
|
|
be3dc7 |
"mkdir",
|
|
|
be3dc7 |
"mkdirat",
|
|
|
be3dc7 |
"mknod",
|
|
|
be3dc7 |
"mknodat",
|
|
|
be3dc7 |
"mlock",
|
|
|
be3dc7 |
"mlock2",
|
|
|
be3dc7 |
"mlockall",
|
|
|
be3dc7 |
"mmap",
|
|
|
be3dc7 |
"mmap2",
|
|
|
be3dc7 |
"mount",
|
|
|
be3dc7 |
"mprotect",
|
|
|
be3dc7 |
"mq_getsetattr",
|
|
|
be3dc7 |
"mq_notify",
|
|
|
be3dc7 |
"mq_open",
|
|
|
be3dc7 |
"mq_timedreceive",
|
|
|
be3dc7 |
"mq_timedsend",
|
|
|
be3dc7 |
"mq_unlink",
|
|
|
be3dc7 |
"mremap",
|
|
|
be3dc7 |
"msgctl",
|
|
|
be3dc7 |
"msgget",
|
|
|
be3dc7 |
"msgrcv",
|
|
|
be3dc7 |
"msgsnd",
|
|
|
be3dc7 |
"msync",
|
|
|
be3dc7 |
"munlock",
|
|
|
be3dc7 |
"munlockall",
|
|
|
be3dc7 |
"munmap",
|
|
|
be3dc7 |
"name_to_handle_at",
|
|
|
be3dc7 |
"nanosleep",
|
|
|
be3dc7 |
"newfstatat",
|
|
|
be3dc7 |
"open",
|
|
|
be3dc7 |
"openat",
|
|
|
be3dc7 |
"openat2",
|
|
|
be3dc7 |
"pause",
|
|
|
be3dc7 |
"pidfd_getfd",
|
|
|
be3dc7 |
"pidfd_open",
|
|
|
be3dc7 |
"pidfd_send_signal",
|
|
|
be3dc7 |
"pipe",
|
|
|
be3dc7 |
"pipe2",
|
|
|
be3dc7 |
"pivot_root",
|
|
|
be3dc7 |
"poll",
|
|
|
be3dc7 |
"ppoll",
|
|
|
be3dc7 |
"ppoll_time64",
|
|
|
be3dc7 |
"prctl",
|
|
|
be3dc7 |
"pread64",
|
|
|
be3dc7 |
"preadv",
|
|
|
be3dc7 |
"preadv2",
|
|
|
be3dc7 |
"prlimit64",
|
|
|
be3dc7 |
"pselect6",
|
|
|
be3dc7 |
"pselect6_time64",
|
|
|
be3dc7 |
"pwrite64",
|
|
|
be3dc7 |
"pwritev",
|
|
|
be3dc7 |
"pwritev2",
|
|
|
be3dc7 |
"read",
|
|
|
be3dc7 |
"readahead",
|
|
|
be3dc7 |
"readlink",
|
|
|
be3dc7 |
"readlinkat",
|
|
|
be3dc7 |
"readv",
|
|
|
be3dc7 |
"reboot",
|
|
|
be3dc7 |
"recv",
|
|
|
be3dc7 |
"recvfrom",
|
|
|
be3dc7 |
"recvmmsg",
|
|
|
be3dc7 |
"recvmsg",
|
|
|
be3dc7 |
"remap_file_pages",
|
|
|
be3dc7 |
"removexattr",
|
|
|
be3dc7 |
"rename",
|
|
|
be3dc7 |
"renameat",
|
|
|
be3dc7 |
"renameat2",
|
|
|
be3dc7 |
"restart_syscall",
|
|
|
be3dc7 |
"rmdir",
|
|
|
be3dc7 |
"rt_sigaction",
|
|
|
be3dc7 |
"rt_sigpending",
|
|
|
be3dc7 |
"rt_sigprocmask",
|
|
|
be3dc7 |
"rt_sigqueueinfo",
|
|
|
be3dc7 |
"rt_sigreturn",
|
|
|
be3dc7 |
"rt_sigsuspend",
|
|
|
be3dc7 |
"rt_sigtimedwait",
|
|
|
be3dc7 |
"rt_tgsigqueueinfo",
|
|
|
be3dc7 |
"sched_get_priority_max",
|
|
|
be3dc7 |
"sched_get_priority_min",
|
|
|
be3dc7 |
"sched_getaffinity",
|
|
|
be3dc7 |
"sched_getattr",
|
|
|
be3dc7 |
"sched_getparam",
|
|
|
be3dc7 |
"sched_getscheduler",
|
|
|
be3dc7 |
"sched_rr_get_interval",
|
|
|
be3dc7 |
"sched_setaffinity",
|
|
|
be3dc7 |
"sched_setattr",
|
|
|
be3dc7 |
"sched_setparam",
|
|
|
be3dc7 |
"sched_setscheduler",
|
|
|
be3dc7 |
"sched_yield",
|
|
|
be3dc7 |
"seccomp",
|
|
|
be3dc7 |
"select",
|
|
|
be3dc7 |
"semctl",
|
|
|
be3dc7 |
"semget",
|
|
|
be3dc7 |
"semop",
|
|
|
be3dc7 |
"semtimedop",
|
|
|
be3dc7 |
"send",
|
|
|
be3dc7 |
"sendfile",
|
|
|
be3dc7 |
"sendfile64",
|
|
|
be3dc7 |
"sendmmsg",
|
|
|
be3dc7 |
"sendmsg",
|
|
|
be3dc7 |
"sendto",
|
|
|
be3dc7 |
"set_robust_list",
|
|
|
be3dc7 |
"set_thread_area",
|
|
|
be3dc7 |
"set_tid_address",
|
|
|
be3dc7 |
"setfsgid",
|
|
|
be3dc7 |
"setfsgid32",
|
|
|
be3dc7 |
"setfsuid",
|
|
|
be3dc7 |
"setfsuid32",
|
|
|
be3dc7 |
"setgid",
|
|
|
be3dc7 |
"setgid32",
|
|
|
be3dc7 |
"setgroups",
|
|
|
be3dc7 |
"setgroups32",
|
|
|
be3dc7 |
"setitimer",
|
|
|
be3dc7 |
"setpgid",
|
|
|
be3dc7 |
"setpriority",
|
|
|
be3dc7 |
"setregid",
|
|
|
be3dc7 |
"setregid32",
|
|
|
be3dc7 |
"setresgid",
|
|
|
be3dc7 |
"setresgid32",
|
|
|
be3dc7 |
"setresuid",
|
|
|
be3dc7 |
"setresuid32",
|
|
|
be3dc7 |
"setreuid",
|
|
|
be3dc7 |
"setreuid32",
|
|
|
be3dc7 |
"setrlimit",
|
|
|
be3dc7 |
"setsid",
|
|
|
be3dc7 |
"setsockopt",
|
|
|
be3dc7 |
"setuid",
|
|
|
be3dc7 |
"setuid32",
|
|
|
be3dc7 |
"setxattr",
|
|
|
be3dc7 |
"shmat",
|
|
|
be3dc7 |
"shmctl",
|
|
|
be3dc7 |
"shmdt",
|
|
|
be3dc7 |
"shmget",
|
|
|
be3dc7 |
"shutdown",
|
|
|
be3dc7 |
"sigaltstack",
|
|
|
be3dc7 |
"signalfd",
|
|
|
be3dc7 |
"signalfd4",
|
|
|
be3dc7 |
"sigreturn",
|
|
|
be3dc7 |
"socket",
|
|
|
be3dc7 |
"socketcall",
|
|
|
be3dc7 |
"socketpair",
|
|
|
be3dc7 |
"splice",
|
|
|
be3dc7 |
"stat",
|
|
|
be3dc7 |
"stat64",
|
|
|
be3dc7 |
"statfs",
|
|
|
be3dc7 |
"statfs64",
|
|
|
be3dc7 |
"statx",
|
|
|
be3dc7 |
"symlink",
|
|
|
be3dc7 |
"symlinkat",
|
|
|
be3dc7 |
"sync",
|
|
|
be3dc7 |
"sync_file_range",
|
|
|
be3dc7 |
"syncfs",
|
|
|
be3dc7 |
"sysinfo",
|
|
|
be3dc7 |
"syslog",
|
|
|
be3dc7 |
"tee",
|
|
|
be3dc7 |
"tgkill",
|
|
|
be3dc7 |
"time",
|
|
|
be3dc7 |
"timer_create",
|
|
|
be3dc7 |
"timer_delete",
|
|
|
be3dc7 |
"timer_getoverrun",
|
|
|
be3dc7 |
"timer_gettime",
|
|
|
be3dc7 |
"timer_gettime64",
|
|
|
be3dc7 |
"timer_settime",
|
|
|
be3dc7 |
"timerfd_create",
|
|
|
be3dc7 |
"timerfd_gettime",
|
|
|
be3dc7 |
"timerfd_gettime64",
|
|
|
be3dc7 |
"timerfd_settime",
|
|
|
be3dc7 |
"timerfd_settime64",
|
|
|
be3dc7 |
"times",
|
|
|
be3dc7 |
"tkill",
|
|
|
be3dc7 |
"truncate",
|
|
|
be3dc7 |
"truncate64",
|
|
|
be3dc7 |
"ugetrlimit",
|
|
|
be3dc7 |
"umask",
|
|
|
be3dc7 |
"umount",
|
|
|
be3dc7 |
"umount2",
|
|
|
be3dc7 |
"uname",
|
|
|
be3dc7 |
"unlink",
|
|
|
be3dc7 |
"unlinkat",
|
|
|
be3dc7 |
"unshare",
|
|
|
be3dc7 |
"utime",
|
|
|
be3dc7 |
"utimensat",
|
|
|
be3dc7 |
"utimensat_time64",
|
|
|
be3dc7 |
"utimes",
|
|
|
be3dc7 |
"vfork",
|
|
|
be3dc7 |
"wait4",
|
|
|
be3dc7 |
"waitid",
|
|
|
be3dc7 |
"waitpid",
|
|
|
be3dc7 |
"write",
|
|
|
be3dc7 |
"writev"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"personality"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 0,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"personality"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 8,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"personality"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 131072,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"personality"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 131080,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"personality"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 4294967295,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"sync_file_range2"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"ppc64le"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"arm_fadvise64_64",
|
|
|
be3dc7 |
"arm_sync_file_range",
|
|
|
be3dc7 |
"sync_file_range2",
|
|
|
be3dc7 |
"breakpoint",
|
|
|
be3dc7 |
"cacheflush",
|
|
|
be3dc7 |
"set_tls"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"arm",
|
|
|
be3dc7 |
"arm64"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"arch_prctl"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"amd64",
|
|
|
be3dc7 |
"x32"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"modify_ldt"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"amd64",
|
|
|
be3dc7 |
"x32",
|
|
|
be3dc7 |
"x86"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"s390_pci_mmio_read",
|
|
|
be3dc7 |
"s390_pci_mmio_write",
|
|
|
be3dc7 |
"s390_runtime_instr"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"s390",
|
|
|
be3dc7 |
"s390x"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"open_by_handle_at"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_DAC_READ_SEARCH"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"bpf",
|
|
|
be3dc7 |
"clone",
|
|
|
be3dc7 |
"fanotify_init",
|
|
|
be3dc7 |
"lookup_dcookie",
|
|
|
be3dc7 |
"mount",
|
|
|
be3dc7 |
"name_to_handle_at",
|
|
|
be3dc7 |
"perf_event_open",
|
|
|
be3dc7 |
"quotactl",
|
|
|
be3dc7 |
"setdomainname",
|
|
|
be3dc7 |
"sethostname",
|
|
|
be3dc7 |
"setns",
|
|
|
be3dc7 |
"umount",
|
|
|
be3dc7 |
"umount2",
|
|
|
be3dc7 |
"unshare"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_ADMIN"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"clone"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 2080505856,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_MASKED_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_ADMIN"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"s390",
|
|
|
be3dc7 |
"s390x"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"clone"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 1,
|
|
|
be3dc7 |
"value": 2080505856,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_MASKED_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "s390 parameter ordering for clone is different",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"arches": [
|
|
|
be3dc7 |
"s390",
|
|
|
be3dc7 |
"s390x"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_ADMIN"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"reboot"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_BOOT"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"chroot"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_CHROOT"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"delete_module",
|
|
|
be3dc7 |
"init_module",
|
|
|
be3dc7 |
"finit_module",
|
|
|
be3dc7 |
"query_module"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_MODULE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"get_mempolicy",
|
|
|
be3dc7 |
"mbind",
|
|
|
be3dc7 |
"name_to_handle_at",
|
|
|
be3dc7 |
"set_mempolicy"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_NICE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"acct"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_PACCT"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"kcmp",
|
|
|
be3dc7 |
"process_vm_readv",
|
|
|
be3dc7 |
"process_vm_writev",
|
|
|
be3dc7 |
"ptrace"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_PTRACE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"iopl",
|
|
|
be3dc7 |
"ioperm"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_RAWIO"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"settimeofday",
|
|
|
be3dc7 |
"stime",
|
|
|
be3dc7 |
"clock_settime",
|
|
|
be3dc7 |
"clock_settime64"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_TIME"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"vhangup"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_SYS_TTY_CONFIG"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"socket"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ERRNO",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 16,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 2,
|
|
|
be3dc7 |
"value": 9,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_EQ"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_AUDIT_WRITE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"errnoRet": 22
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"socket"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 2,
|
|
|
be3dc7 |
"value": 9,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_NE"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_AUDIT_WRITE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"socket"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 0,
|
|
|
be3dc7 |
"value": 16,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_NE"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_AUDIT_WRITE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"socket"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": [
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"index": 2,
|
|
|
be3dc7 |
"value": 9,
|
|
|
be3dc7 |
"valueTwo": 0,
|
|
|
be3dc7 |
"op": "SCMP_CMP_NE"
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {},
|
|
|
be3dc7 |
"excludes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_AUDIT_WRITE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
{
|
|
|
be3dc7 |
"names": [
|
|
|
be3dc7 |
"socket"
|
|
|
be3dc7 |
],
|
|
|
be3dc7 |
"action": "SCMP_ACT_ALLOW",
|
|
|
be3dc7 |
"args": null,
|
|
|
be3dc7 |
"comment": "",
|
|
|
be3dc7 |
"includes": {
|
|
|
be3dc7 |
"caps": [
|
|
|
be3dc7 |
"CAP_AUDIT_WRITE"
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
},
|
|
|
be3dc7 |
"excludes": {}
|
|
|
be3dc7 |
}
|
|
|
be3dc7 |
]
|
|
|
be3dc7 |
}
|