{ "_comment": "Minimal seccomp profile for a typical web server container (HTTP/HTTPS, TCP, file I/O). Default action: any syscall not explicitly listed fails with EPERM (SCMP_ACT_ERRNO). Start here, add syscalls as your app requires them, and prune entries it does not need (e.g. mknod/mknodat, io_uring_*, clock_adjtime): a shorter allow list is the point. Use 'strace -c -f' or 'sysdig' against a staging copy under realistic load to discover which syscalls your app actually makes, or temporarily set defaultAction to SCMP_ACT_LOG (kernel 4.14+) so unlisted syscalls are logged instead of denied. Note that an EPERM from a denied syscall often surfaces as a confusing application error rather than an obvious seccomp failure, so finish the allow list before rolling this out.", "_usage": { "docker_run": "docker run --security-opt seccomp=seccomp-profile-template.json myapp:latest", "docker_compose": "security_opt:\n - seccomp:./references/seccomp-profile-template.json", "kubernetes": "# localhostProfile is relative to the kubelet seccomp root (default /var/lib/kubelet/seccomp/) and the file must exist on every node\nsecurityContext:\n seccompProfile:\n type: Localhost\n localhostProfile: profiles/seccomp-profile-template.json" }, "_discover_syscalls": { "with_strace": "strace -c -f -p <PID> # attach to the running process; -f follows forked worker processes", "with_docker": "docker run --security-opt seccomp=unconfined --name audit myapp:latest # discovery run only, in an isolated environment; never ship unconfined", "with_sysdig": "sysdig -p '%syscall.type' container.name=audit | sort -u" }, "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64" ], "syscalls": [ { "_group": "Process lifecycle", "names": [ "execve", "execveat", "exit", "exit_group", "clone", "clone3", "fork", "vfork", "wait4", "waitid", "getpid", "getppid", "gettid", "tgkill", "kill", "tkill", "sched_yield", "sched_getaffinity", "sched_setaffinity", "prctl", "arch_prctl", "seccomp", "nanosleep", "clock_nanosleep", "pause" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "File I/O", "names": [ "open", "openat", "openat2", "close", "close_range", "read", "readv", "pread64", "write", "writev", "pwrite64", "lseek", "fstat", "fstat64", "stat", "stat64", "lstat", "lstat64", "statx", "newfstatat", "access", "faccessat", "faccessat2", "readlink", "readlinkat", "getcwd", "getdents", "getdents64", "dup", "dup2", "dup3", "sendfile", "sendfile64", "splice", "copy_file_range", "truncate", "ftruncate", "fsync", "fdatasync", "sync_file_range", "fallocate", "fadvise64", "mknod", "mknodat", "mkdir", "mkdirat", "rmdir", "unlink", "unlinkat", "rename", "renameat", 
"renameat2", "chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown", "fchownat", "utimes", "utimensat", "futimesat", "inotify_init", "inotify_init1", "inotify_add_watch", "inotify_rm_watch" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Memory management", "names": [ "brk", "mmap", "mmap2", "munmap", "mremap", "mprotect", "madvise", "mlock", "munlock", "mlockall", "munlockall", "mincore", "msync", "memfd_create", "remap_file_pages" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Networking (TCP/UDP server)", "names": [ "socket", "socketpair", "bind", "listen", "accept", "accept4", "connect", "getsockname", "getpeername", "setsockopt", "getsockopt", "sendto", "sendmsg", "sendmmsg", "recvfrom", "recvmsg", "recvmmsg", "shutdown", "poll", "ppoll", "select", "pselect6", "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait", "epoll_pwait2", "pipe", "pipe2", "eventfd", "eventfd2" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Signals", "names": [ "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "rt_sigsuspend", "rt_sigpending", "rt_sigtimedwait", "rt_sigqueueinfo", "rt_tgsigqueueinfo", "sigaltstack", "signalfd", "signalfd4", "sigreturn", "setitimer", "getitimer", "timer_create", "timer_settime", "timer_gettime", "timer_getoverrun", "timer_delete", "timerfd_create", "timerfd_settime", "timerfd_gettime" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Identity / user management (read-only)", "names": [ "getuid", "getuid32", "getgid", "getgid32", "geteuid", "geteuid32", "getegid", "getegid32", "getresuid", "getresuid32", "getresgid", "getresgid32", "getgroups", "getgroups32", "capget" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "System info / time (NOTE: clock_adjtime can set the clock just like the deliberately blocked adjtimex/settimeofday; the kernel also demands CAP_SYS_TIME, but remove it here unless the app genuinely needs it)", "names": [ "uname", "sysinfo", "getrlimit", "setrlimit", "prlimit64", "getrusage", "clock_gettime", "clock_gettime64", "clock_getres", "clock_adjtime", "gettimeofday", "time" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "I/O multiplexing / async I/O (NOTE: drop the io_uring_* entries unless the app actually uses io_uring; it has a long kernel CVE history and recent Docker/containerd default profiles no longer allow it)", "names": [ "io_setup", "io_submit", "io_getevents", 
"io_cancel", "io_destroy", "io_uring_setup", "io_uring_enter", "io_uring_register" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "File descriptor management", "names": [ "fcntl", "fcntl64", "ioctl", "flock", "sync" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Futex (thread synchronization)", "names": [ "futex", "futex_time64", "futex_waitv", "set_robust_list", "get_robust_list", "set_tid_address" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "Miscellaneous safe syscalls", "names": [ "getrandom", "umask", "chdir", "fchdir", "symlink", "symlinkat", "link", "linkat" ], "action": "SCMP_ACT_ALLOW" }, { "_group": "NEVER ALLOW — already denied by defaultAction; do not add any of these to an allow rule without documented justification", "_blocked_reason": "These syscalls are dangerous and should never be needed by a web server. They are denied simply because they appear in no allow rule above; the empty 'names' list in this entry is documentation, not an extra rule (if your runtime rejects a rule with no names, delete this entry — nothing is lost). Do not move any of them into an allow rule without a security review.", "names": [], "action": "SCMP_ACT_ERRNO", "_examples_that_should_stay_blocked": [ "ptrace -- debug/trace processes; can read and alter another process's memory and, on kernels before 4.8, bypass seccomp filtering entirely (Docker's default profile gates it on the kernel version)", "kexec_load -- load a new kernel; always block", "kexec_file_load -- load a new kernel; always block", "mount -- mount filesystems; always block in containers", "umount -- unmount filesystems", "umount2 -- unmount filesystems", "swapon -- manage swap", "swapoff -- manage swap", "reboot -- reboot/halt system", "syslog -- read/clear kernel message ring buffer", "bpf -- load eBPF programs; requires CAP_BPF/CAP_SYS_ADMIN and exposes a large kernel attack surface", "perf_event_open -- access hardware perf counters; side-channel and kernel-bug exposure", "init_module -- load kernel modules", "finit_module -- load kernel modules", "delete_module -- unload kernel modules", "create_module -- create loadable modules (obsolete)", "query_module -- query module info (obsolete)", "get_kernel_syms -- deprecated kernel symbol query", "nfsservctl -- NFS server control", "pivot_root -- change root filesystem", "settimeofday -- set system clock; also needs CAP_SYS_TIME, which containers should never be granted", "adjtimex -- tune kernel clock", "acct -- enable/disable process accounting", "setdomainname -- set domain name", "sethostname -- set hostname",
"setns -- join a namespace (container escape risk)", "unshare -- disassociate namespace (container escape risk)" ] } ] }