ulixee
GitHub Repository: ulixee/secret-agent
Path: blob/main/tools/docker/seccomp_profile.json
1
{
2
"defaultAction": "SCMP_ACT_ERRNO",
3
"archMap": [
4
{
5
"architecture": "SCMP_ARCH_X86_64",
6
"subArchitectures": [
7
"SCMP_ARCH_X86",
8
"SCMP_ARCH_X32"
9
]
10
},
11
{
12
"architecture": "SCMP_ARCH_AARCH64",
13
"subArchitectures": [
14
"SCMP_ARCH_ARM"
15
]
16
},
17
{
18
"architecture": "SCMP_ARCH_MIPS64",
19
"subArchitectures": [
20
"SCMP_ARCH_MIPS",
21
"SCMP_ARCH_MIPS64N32"
22
]
23
},
24
{
25
"architecture": "SCMP_ARCH_MIPS64N32",
26
"subArchitectures": [
27
"SCMP_ARCH_MIPS",
28
"SCMP_ARCH_MIPS64"
29
]
30
},
31
{
32
"architecture": "SCMP_ARCH_MIPSEL64",
33
"subArchitectures": [
34
"SCMP_ARCH_MIPSEL",
35
"SCMP_ARCH_MIPSEL64N32"
36
]
37
},
38
{
39
"architecture": "SCMP_ARCH_MIPSEL64N32",
40
"subArchitectures": [
41
"SCMP_ARCH_MIPSEL",
42
"SCMP_ARCH_MIPSEL64"
43
]
44
},
45
{
46
"architecture": "SCMP_ARCH_S390X",
47
"subArchitectures": [
48
"SCMP_ARCH_S390"
49
]
50
}
51
],
52
"syscalls": [
53
{
54
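"comment": "Allow creating user namespaces. clone, setns and unshare are allowed here with no argument filter and no capability condition, so the CAP_SYS_ADMIN-gated and flag-masked entries for these calls later in this profile do not restrict them",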
55
"names": [
56
"clone",
57
"setns",
58
"unshare"
59
],
60
"action": "SCMP_ACT_ALLOW",
61
"args": [],
62
"includes": {},
63
"excludes": {}
64
},
65
{
66
"names": [
67
"accept",
68
"accept4",
69
"access",
70
"adjtimex",
71
"alarm",
72
"bind",
73
"brk",
74
"capget",
75
"capset",
76
"chdir",
77
"chmod",
78
"chown",
79
"chown32",
80
"clock_adjtime",
81
"clock_adjtime64",
82
"clock_getres",
83
"clock_getres_time64",
84
"clock_gettime",
85
"clock_gettime64",
86
"clock_nanosleep",
87
"clock_nanosleep_time64",
88
"close",
89
"close_range",
90
"connect",
91
"copy_file_range",
92
"creat",
93
"dup",
94
"dup2",
95
"dup3",
96
"epoll_create",
97
"epoll_create1",
98
"epoll_ctl",
99
"epoll_ctl_old",
100
"epoll_pwait",
101
"epoll_pwait2",
102
"epoll_wait",
103
"epoll_wait_old",
104
"eventfd",
105
"eventfd2",
106
"execve",
107
"execveat",
108
"exit",
109
"exit_group",
110
"faccessat",
111
"faccessat2",
112
"fadvise64",
113
"fadvise64_64",
114
"fallocate",
115
"fanotify_mark",
116
"fchdir",
117
"fchmod",
118
"fchmodat",
119
"fchown",
120
"fchown32",
121
"fchownat",
122
"fcntl",
123
"fcntl64",
124
"fdatasync",
125
"fgetxattr",
126
"flistxattr",
127
"flock",
128
"fork",
129
"fremovexattr",
130
"fsetxattr",
131
"fstat",
132
"fstat64",
133
"fstatat64",
134
"fstatfs",
135
"fstatfs64",
136
"fsync",
137
"ftruncate",
138
"ftruncate64",
139
"futex",
140
"futex_time64",
141
"futimesat",
142
"getcpu",
143
"getcwd",
144
"getdents",
145
"getdents64",
146
"getegid",
147
"getegid32",
148
"geteuid",
149
"geteuid32",
150
"getgid",
151
"getgid32",
152
"getgroups",
153
"getgroups32",
154
"getitimer",
155
"getpeername",
156
"getpgid",
157
"getpgrp",
158
"getpid",
159
"getppid",
160
"getpriority",
161
"getrandom",
162
"getresgid",
163
"getresgid32",
164
"getresuid",
165
"getresuid32",
166
"getrlimit",
167
"get_robust_list",
168
"getrusage",
169
"getsid",
170
"getsockname",
171
"getsockopt",
172
"get_thread_area",
173
"gettid",
174
"gettimeofday",
175
"getuid",
176
"getuid32",
177
"getxattr",
178
"inotify_add_watch",
179
"inotify_init",
180
"inotify_init1",
181
"inotify_rm_watch",
182
"io_cancel",
183
"ioctl",
184
"io_destroy",
185
"io_getevents",
186
"io_pgetevents",
187
"io_pgetevents_time64",
188
"ioprio_get",
189
"ioprio_set",
190
"io_setup",
191
"io_submit",
192
"io_uring_enter",
193
"io_uring_register",
194
"io_uring_setup",
195
"ipc",
196
"kill",
197
"lchown",
198
"lchown32",
199
"lgetxattr",
200
"link",
201
"linkat",
202
"listen",
203
"listxattr",
204
"llistxattr",
205
"_llseek",
206
"lremovexattr",
207
"lseek",
208
"lsetxattr",
209
"lstat",
210
"lstat64",
211
"madvise",
212
"membarrier",
213
"memfd_create",
214
"mincore",
215
"mkdir",
216
"mkdirat",
217
"mknod",
218
"mknodat",
219
"mlock",
220
"mlock2",
221
"mlockall",
222
"mmap",
223
"mmap2",
224
"mprotect",
225
"mq_getsetattr",
226
"mq_notify",
227
"mq_open",
228
"mq_timedreceive",
229
"mq_timedreceive_time64",
230
"mq_timedsend",
231
"mq_timedsend_time64",
232
"mq_unlink",
233
"mremap",
234
"msgctl",
235
"msgget",
236
"msgrcv",
237
"msgsnd",
238
"msync",
239
"munlock",
240
"munlockall",
241
"munmap",
242
"nanosleep",
243
"newfstatat",
244
"_newselect",
245
"open",
246
"openat",
247
"openat2",
248
"pause",
249
"pidfd_open",
250
"pidfd_send_signal",
251
"pipe",
252
"pipe2",
253
"poll",
254
"ppoll",
255
"ppoll_time64",
256
"prctl",
257
"pread64",
258
"preadv",
259
"preadv2",
260
"prlimit64",
261
"pselect6",
262
"pselect6_time64",
263
"pwrite64",
264
"pwritev",
265
"pwritev2",
266
"read",
267
"readahead",
268
"readlink",
269
"readlinkat",
270
"readv",
271
"recv",
272
"recvfrom",
273
"recvmmsg",
274
"recvmmsg_time64",
275
"recvmsg",
276
"remap_file_pages",
277
"removexattr",
278
"rename",
279
"renameat",
280
"renameat2",
281
"restart_syscall",
282
"rmdir",
283
"rseq",
284
"rt_sigaction",
285
"rt_sigpending",
286
"rt_sigprocmask",
287
"rt_sigqueueinfo",
288
"rt_sigreturn",
289
"rt_sigsuspend",
290
"rt_sigtimedwait",
291
"rt_sigtimedwait_time64",
292
"rt_tgsigqueueinfo",
293
"sched_getaffinity",
294
"sched_getattr",
295
"sched_getparam",
296
"sched_get_priority_max",
297
"sched_get_priority_min",
298
"sched_getscheduler",
299
"sched_rr_get_interval",
300
"sched_rr_get_interval_time64",
301
"sched_setaffinity",
302
"sched_setattr",
303
"sched_setparam",
304
"sched_setscheduler",
305
"sched_yield",
306
"seccomp",
307
"select",
308
"semctl",
309
"semget",
310
"semop",
311
"semtimedop",
312
"semtimedop_time64",
313
"send",
314
"sendfile",
315
"sendfile64",
316
"sendmmsg",
317
"sendmsg",
318
"sendto",
319
"setfsgid",
320
"setfsgid32",
321
"setfsuid",
322
"setfsuid32",
323
"setgid",
324
"setgid32",
325
"setgroups",
326
"setgroups32",
327
"setitimer",
328
"setpgid",
329
"setpriority",
330
"setregid",
331
"setregid32",
332
"setresgid",
333
"setresgid32",
334
"setresuid",
335
"setresuid32",
336
"setreuid",
337
"setreuid32",
338
"setrlimit",
339
"set_robust_list",
340
"setsid",
341
"setsockopt",
342
"set_thread_area",
343
"set_tid_address",
344
"setuid",
345
"setuid32",
346
"setxattr",
347
"shmat",
348
"shmctl",
349
"shmdt",
350
"shmget",
351
"shutdown",
352
"sigaltstack",
353
"signalfd",
354
"signalfd4",
355
"sigprocmask",
356
"sigreturn",
357
"socket",
358
"socketcall",
359
"socketpair",
360
"splice",
361
"stat",
362
"stat64",
363
"statfs",
364
"statfs64",
365
"statx",
366
"symlink",
367
"symlinkat",
368
"sync",
369
"sync_file_range",
370
"syncfs",
371
"sysinfo",
372
"tee",
373
"tgkill",
374
"time",
375
"timer_create",
376
"timer_delete",
377
"timer_getoverrun",
378
"timer_gettime",
379
"timer_gettime64",
380
"timer_settime",
381
"timer_settime64",
382
"timerfd_create",
383
"timerfd_gettime",
384
"timerfd_gettime64",
385
"timerfd_settime",
386
"timerfd_settime64",
387
"times",
388
"tkill",
389
"truncate",
390
"truncate64",
391
"ugetrlimit",
392
"umask",
393
"uname",
394
"unlink",
395
"unlinkat",
396
"utime",
397
"utimensat",
398
"utimensat_time64",
399
"utimes",
400
"vfork",
401
"vmsplice",
402
"wait4",
403
"waitid",
404
"waitpid",
405
"write",
406
"writev"
407
],
408
"action": "SCMP_ACT_ALLOW",
409
"args": [],
410
"comment": "",
411
"includes": {},
412
"excludes": {}
413
},
414
{
415
"names": [
416
"ptrace"
417
],
418
"action": "SCMP_ACT_ALLOW",
419
"args": null,
420
"comment": "",
421
"includes": {
422
"minKernel": "4.8"
423
},
424
"excludes": {}
425
},
426
{
427
"names": [
428
"personality"
429
],
430
"action": "SCMP_ACT_ALLOW",
431
"args": [
432
{
433
"index": 0,
434
"value": 0,
435
"op": "SCMP_CMP_EQ"
436
}
437
],
438
"comment": "",
439
"includes": {},
440
"excludes": {}
441
},
442
{
443
"names": [
444
"personality"
445
],
446
"action": "SCMP_ACT_ALLOW",
447
"args": [
448
{
449
"index": 0,
450
"value": 8,
451
"op": "SCMP_CMP_EQ"
452
}
453
],
454
"comment": "",
455
"includes": {},
456
"excludes": {}
457
},
458
{
459
"names": [
460
"personality"
461
],
462
"action": "SCMP_ACT_ALLOW",
463
"args": [
464
{
465
"index": 0,
466
"value": 131072,
467
"op": "SCMP_CMP_EQ"
468
}
469
],
470
"comment": "",
471
"includes": {},
472
"excludes": {}
473
},
474
{
475
"names": [
476
"personality"
477
],
478
"action": "SCMP_ACT_ALLOW",
479
"args": [
480
{
481
"index": 0,
482
"value": 131080,
483
"op": "SCMP_CMP_EQ"
484
}
485
],
486
"comment": "",
487
"includes": {},
488
"excludes": {}
489
},
490
{
491
"names": [
492
"personality"
493
],
494
"action": "SCMP_ACT_ALLOW",
495
"args": [
496
{
497
"index": 0,
498
"value": 4294967295,
499
"op": "SCMP_CMP_EQ"
500
}
501
],
502
"comment": "",
503
"includes": {},
504
"excludes": {}
505
},
506
{
507
"names": [
508
"sync_file_range2"
509
],
510
"action": "SCMP_ACT_ALLOW",
511
"args": [],
512
"comment": "",
513
"includes": {
514
"arches": [
515
"ppc64le"
516
]
517
},
518
"excludes": {}
519
},
520
{
521
"names": [
522
"arm_fadvise64_64",
523
"arm_sync_file_range",
524
"sync_file_range2",
525
"breakpoint",
526
"cacheflush",
527
"set_tls"
528
],
529
"action": "SCMP_ACT_ALLOW",
530
"args": [],
531
"comment": "",
532
"includes": {
533
"arches": [
534
"arm",
535
"arm64"
536
]
537
},
538
"excludes": {}
539
},
540
{
541
"names": [
542
"arch_prctl"
543
],
544
"action": "SCMP_ACT_ALLOW",
545
"args": [],
546
"comment": "",
547
"includes": {
548
"arches": [
549
"amd64",
550
"x32"
551
]
552
},
553
"excludes": {}
554
},
555
{
556
"names": [
557
"modify_ldt"
558
],
559
"action": "SCMP_ACT_ALLOW",
560
"args": [],
561
"comment": "",
562
"includes": {
563
"arches": [
564
"amd64",
565
"x32",
566
"x86"
567
]
568
},
569
"excludes": {}
570
},
571
{
572
"names": [
573
"s390_pci_mmio_read",
574
"s390_pci_mmio_write",
575
"s390_runtime_instr"
576
],
577
"action": "SCMP_ACT_ALLOW",
578
"args": [],
579
"comment": "",
580
"includes": {
581
"arches": [
582
"s390",
583
"s390x"
584
]
585
},
586
"excludes": {}
587
},
588
{
589
"names": [
590
"open_by_handle_at"
591
],
592
"action": "SCMP_ACT_ALLOW",
593
"args": [],
594
"comment": "",
595
"includes": {
596
"caps": [
597
"CAP_DAC_READ_SEARCH"
598
]
599
},
600
"excludes": {}
601
},
602
{
603
"names": [
604
"bpf",
605
"clone",
606
"fanotify_init",
607
"fsconfig",
608
"fsmount",
609
"fsopen",
610
"fspick",
611
"lookup_dcookie",
612
"mount",
613
"move_mount",
614
"name_to_handle_at",
615
"open_tree",
616
"perf_event_open",
617
"quotactl",
618
"setdomainname",
619
"sethostname",
620
"setns",
621
"syslog",
622
"umount",
623
"umount2",
624
"unshare"
625
],
626
"action": "SCMP_ACT_ALLOW",
627
"args": [],
628
"comment": "",
629
"includes": {
630
"caps": [
631
"CAP_SYS_ADMIN"
632
]
633
},
634
"excludes": {}
635
},
636
{
637
"names": [
638
"clone"
639
],
640
"action": "SCMP_ACT_ALLOW",
641
"args": [
642
{
643
"index": 0,
644
"value": 2114060288,
645
"op": "SCMP_CMP_MASKED_EQ"
646
}
647
],
648
"comment": "",
649
"includes": {},
650
"excludes": {
651
"caps": [
652
"CAP_SYS_ADMIN"
653
],
654
"arches": [
655
"s390",
656
"s390x"
657
]
658
}
659
},
660
{
661
"names": [
662
"clone"
663
],
664
"action": "SCMP_ACT_ALLOW",
665
"args": [
666
{
667
"index": 1,
668
"value": 2114060288,
669
"op": "SCMP_CMP_MASKED_EQ"
670
}
671
],
672
"comment": "s390 parameter ordering for clone is different",
673
"includes": {
674
"arches": [
675
"s390",
676
"s390x"
677
]
678
},
679
"excludes": {
680
"caps": [
681
"CAP_SYS_ADMIN"
682
]
683
}
684
},
685
{
686
"names": [
687
"reboot"
688
],
689
"action": "SCMP_ACT_ALLOW",
690
"args": [],
691
"comment": "",
692
"includes": {
693
"caps": [
694
"CAP_SYS_BOOT"
695
]
696
},
697
"excludes": {}
698
},
699
{
700
"names": [
701
"chroot"
702
],
703
"action": "SCMP_ACT_ALLOW",
704
"args": [],
705
"comment": "",
706
"includes": {
707
"caps": [
708
"CAP_SYS_CHROOT"
709
]
710
},
711
"excludes": {}
712
},
713
{
714
"names": [
715
"delete_module",
716
"init_module",
717
"finit_module"
718
],
719
"action": "SCMP_ACT_ALLOW",
720
"args": [],
721
"comment": "",
722
"includes": {
723
"caps": [
724
"CAP_SYS_MODULE"
725
]
726
},
727
"excludes": {}
728
},
729
{
730
"names": [
731
"acct"
732
],
733
"action": "SCMP_ACT_ALLOW",
734
"args": [],
735
"comment": "",
736
"includes": {
737
"caps": [
738
"CAP_SYS_PACCT"
739
]
740
},
741
"excludes": {}
742
},
743
{
744
"names": [
745
"kcmp",
746
"pidfd_getfd",
747
"process_madvise",
748
"process_vm_readv",
749
"process_vm_writev",
750
"ptrace"
751
],
752
"action": "SCMP_ACT_ALLOW",
753
"args": [],
754
"comment": "",
755
"includes": {
756
"caps": [
757
"CAP_SYS_PTRACE"
758
]
759
},
760
"excludes": {}
761
},
762
{
763
"names": [
764
"iopl",
765
"ioperm"
766
],
767
"action": "SCMP_ACT_ALLOW",
768
"args": [],
769
"comment": "",
770
"includes": {
771
"caps": [
772
"CAP_SYS_RAWIO"
773
]
774
},
775
"excludes": {}
776
},
777
{
778
"names": [
779
"settimeofday",
780
"stime",
781
"clock_settime"
782
],
783
"action": "SCMP_ACT_ALLOW",
784
"args": [],
785
"comment": "",
786
"includes": {
787
"caps": [
788
"CAP_SYS_TIME"
789
]
790
},
791
"excludes": {}
792
},
793
{
794
"names": [
795
"vhangup"
796
],
797
"action": "SCMP_ACT_ALLOW",
798
"args": [],
799
"comment": "",
800
"includes": {
801
"caps": [
802
"CAP_SYS_TTY_CONFIG"
803
]
804
},
805
"excludes": {}
806
},
807
{
808
"names": [
809
"get_mempolicy",
810
"mbind",
811
"set_mempolicy"
812
],
813
"action": "SCMP_ACT_ALLOW",
814
"args": [],
815
"comment": "",
816
"includes": {
817
"caps": [
818
"CAP_SYS_NICE"
819
]
820
},
821
"excludes": {}
822
},
823
{
824
"names": [
825
"syslog"
826
],
827
"action": "SCMP_ACT_ALLOW",
828
"args": [],
829
"comment": "",
830
"includes": {
831
"caps": [
832
"CAP_SYSLOG"
833
]
834
},
835
"excludes": {}
836
}
837
]
838
}
839