Seccomp security profiles for Docker

| Syscall | Description |
|---|---|
| `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_PACCT. |
| `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
| `bpf` | Deny loading potentially persistent BPF programs into the kernel; already gated by CAP_SYS_ADMIN. |
| `clock_adjtime` | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| `clock_settime` | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| `clone` | Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_NEWUSER. |
| `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by CAP_SYS_MODULE. |
| `delete_module` | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| `finit_module` | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| `get_kernel_syms` | Deny retrieval of exported kernel and module symbols. Obsolete. |
| `get_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| `init_module` | Deny manipulation and functions on kernel modules. Also gated by CAP_SYS_MODULE. |
| `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by CAP_SYS_RAWIO. |
| `kcmp` | Restrict process inspection capabilities; already blocked by dropping CAP_SYS_PTRACE. |
| `kexec_file_load` | Sister syscall of kexec_load that does the same thing with slightly different arguments. Also gated by CAP_SYS_BOOT. |
| `kexec_load` | Deny loading a new kernel for later execution. Also gated by CAP_SYS_BOOT. |
| `keyctl` | Prevent containers from using the kernel keyring, which is not namespaced. |
| `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by CAP_SYS_ADMIN. |
| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| `mount` | Deny mounting; already gated by CAP_SYS_ADMIN. |
| `move_pages` | Syscall that modifies kernel memory and NUMA settings. |
| `nfsservctl` | Deny interaction with the kernel NFS daemon. Obsolete since Linux 3.1. |
| `open_by_handle_at` | Cause of an old container breakout. Also gated by CAP_DAC_READ_SEARCH. |
| `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. |
| `personality` | Prevent containers from enabling BSD emulation. Not inherently dangerous, but poorly tested, with potential for a lot of kernel vulnerabilities. |
| `pivot_root` | Deny pivot_root, which should be a privileged operation. |
| `process_vm_readv` | Restrict process inspection capabilities; already blocked by dropping CAP_SYS_PTRACE. |
| `process_vm_writev` | Restrict process inspection capabilities; already blocked by dropping CAP_SYS_PTRACE. |
| `ptrace` | Tracing/profiling syscall. Blocked in Linux kernel versions before 4.8 to avoid seccomp bypass. Tracing/profiling arbitrary processes is already blocked by dropping CAP_SYS_PTRACE, because it could leak a lot of information on the host. |
| `query_module` | Deny manipulation and functions on kernel modules. Obsolete. |
| `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by CAP_SYS_ADMIN. |
| `reboot` | Don't let containers reboot the host. Also gated by CAP_SYS_BOOT. |
| `request_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
| `set_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by CAP_SYS_NICE. |
| `setns` | Deny associating a thread with a namespace. Also gated by CAP_SYS_ADMIN. |
| `settimeofday` | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| `stime` | Time/date is not namespaced. Also gated by CAP_SYS_TIME. |
| `swapon` | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| `swapoff` | Deny start/stop swapping to file/device. Also gated by CAP_SYS_ADMIN. |
| `sysfs` | Obsolete syscall. |
| `_sysctl` | Obsolete, replaced by /proc/sys. |
| `umount` | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| `umount2` | Should be a privileged operation. Also gated by CAP_SYS_ADMIN. |
| `unshare` | Deny cloning new namespaces for processes. Also gated by CAP_SYS_ADMIN, with the exception of unshare --user. |
| `uselib` | Older syscall related to shared libraries, unused for a long time. |
| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
| `ustat` | Obsolete syscall. |
| `vm86` | In-kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
| `vm86old` | In-kernel x86 real mode virtual machine. Also gated by CAP_SYS_ADMIN. |
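A custom profile passed with `--security-opt seccomp=` can silently re-enable entries from this table, so here is an added audit script (not Docker's own code and not part of the original page) that reads a profile in Docker's JSON format and reports which of the listed syscalls it would let through, including rules that are only conditionally allowed via `includes.caps` or argument filters. The `SAMPLE_PROFILE` is constructed for illustration; `audit_profile` is a hypothetical helper name.

```python
"""Audit a Docker seccomp profile (JSON) against the syscalls in the table above."""
import json

# Syscalls the table above says the default profile denies.
BLOCKED = {
    "acct", "add_key", "bpf", "clock_adjtime", "clock_settime", "clone",
    "create_module", "delete_module", "finit_module", "get_kernel_syms",
    "get_mempolicy", "init_module", "ioperm", "iopl", "kcmp", "kexec_file_load",
    "kexec_load", "keyctl", "lookup_dcookie", "mbind", "mount", "move_pages",
    "nfsservctl", "open_by_handle_at", "perf_event_open", "personality",
    "pivot_root", "process_vm_readv", "process_vm_writev", "ptrace",
    "query_module", "quotactl", "reboot", "request_key", "set_mempolicy",
    "setns", "settimeofday", "stime", "swapon", "swapoff", "sysfs", "_sysctl",
    "umount", "umount2", "unshare", "uselib", "userfaultfd", "ustat",
    "vm86", "vm86old",
}

def audit_profile(profile):
    """Return {syscall: verdict} for every BLOCKED syscall the profile allows.

    Rules in profile["syscalls"] carry "names" (legacy: "name") and an "action";
    "includes": {"caps": [...]} limits a rule to containers holding those
    capabilities, and "args" restricts it to particular argument values."""
    findings, mentioned = {}, set()
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        hits = [n for n in names if n in BLOCKED]
        mentioned.update(hits)
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        verdict = "allowed"
        caps = rule.get("includes", {}).get("caps", [])
        if caps:
            verdict += " only with " + "+".join(caps)
        if rule.get("args"):
            verdict += " (argument-filtered)"
        for n in hits:
            findings[n] = verdict
    # Syscalls no rule mentions fall through to defaultAction.
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        for n in BLOCKED - mentioned:
            findings[n] = "allowed by defaultAction"
    return findings

# Constructed sample: a deny-by-default profile that re-enables two table entries.
SAMPLE_PROFILE = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["reboot"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_BOOT"]}},
  {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW"}]}""")
```

Run it against a real profile with `audit_profile(json.load(open("profile.json")))`; an empty result means none of the table's syscalls are reachable, while a `defaultAction` of `SCMP_ACT_ALLOW` reports every entry the profile does not explicitly deny.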