338 lines
8.4 KiB
JSON
338 lines
8.4 KiB
JSON
{
|
|
"_comment": "Minimal seccomp profile for a typical web server container (HTTP/HTTPS, TCP, file I/O). Default action: DENY everything not explicitly listed. Start here and add syscalls as your app requires them. Use 'strace -c <cmd>' or 'sysdig' to discover which syscalls your app actually makes in production.",
|
|
"_usage": {
|
|
"docker_run": "docker run --security-opt seccomp=seccomp-profile-template.json myapp:latest",
|
|
"docker_compose": "security_opt:\n - seccomp:./references/seccomp-profile-template.json",
|
|
"kubernetes": "securityContext:\n seccompProfile:\n type: Localhost\n localhostProfile: profiles/seccomp-profile-template.json"
|
|
},
|
|
"_discover_syscalls": {
|
|
"with_strace": "strace -c -f -p <PID> # Attach to running process",
|
|
"with_docker": "docker run --security-opt seccomp=unconfined --name audit myapp:latest",
|
|
"with_sysdig": "sysdig -p '%syscall.type' container.name=audit | sort -u"
|
|
},
|
|
"defaultAction": "SCMP_ACT_ERRNO",
|
|
"architectures": [
|
|
"SCMP_ARCH_X86_64",
|
|
"SCMP_ARCH_X86",
|
|
"SCMP_ARCH_X32",
|
|
"SCMP_ARCH_AARCH64"
|
|
],
|
|
"syscalls": [
|
|
{
|
|
"_group": "Process lifecycle",
|
|
"names": [
|
|
"execve",
|
|
"execveat",
|
|
"exit",
|
|
"exit_group",
|
|
"clone",
|
|
"clone3",
|
|
"fork",
|
|
"vfork",
|
|
"wait4",
|
|
"waitid",
|
|
"getpid",
|
|
"getppid",
|
|
"gettid",
|
|
"tgkill",
|
|
"kill",
|
|
"tkill",
|
|
"sched_yield",
|
|
"sched_getaffinity",
|
|
"sched_setaffinity",
|
|
"prctl",
|
|
"arch_prctl",
|
|
"seccomp",
|
|
"nanosleep",
|
|
"clock_nanosleep",
|
|
"pause"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "File I/O",
|
|
"names": [
|
|
"open",
|
|
"openat",
|
|
"openat2",
|
|
"close",
|
|
"close_range",
|
|
"read",
|
|
"readv",
|
|
"pread64",
|
|
"write",
|
|
"writev",
|
|
"pwrite64",
|
|
"lseek",
|
|
"fstat",
|
|
"fstat64",
|
|
"stat",
|
|
"stat64",
|
|
"lstat",
|
|
"lstat64",
|
|
"statx",
|
|
"newfstatat",
|
|
"access",
|
|
"faccessat",
|
|
"faccessat2",
|
|
"readlink",
|
|
"readlinkat",
|
|
"getcwd",
|
|
"getdents",
|
|
"getdents64",
|
|
"dup",
|
|
"dup2",
|
|
"dup3",
|
|
"sendfile",
|
|
"sendfile64",
|
|
"splice",
|
|
"copy_file_range",
|
|
"truncate",
|
|
"ftruncate",
|
|
"fsync",
|
|
"fdatasync",
|
|
"sync_file_range",
|
|
"fallocate",
|
|
"fadvise64",
|
|
"mknod",
|
|
"mknodat",
|
|
"mkdir",
|
|
"mkdirat",
|
|
"rmdir",
|
|
"unlink",
|
|
"unlinkat",
|
|
"rename",
|
|
"renameat",
|
|
"renameat2",
|
|
"chmod",
|
|
"fchmod",
|
|
"fchmodat",
|
|
"chown",
|
|
"fchown",
|
|
"lchown",
|
|
"fchownat",
|
|
"utimes",
|
|
"utimensat",
|
|
"futimesat",
|
|
"inotify_init",
|
|
"inotify_init1",
|
|
"inotify_add_watch",
|
|
"inotify_rm_watch"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Memory management",
|
|
"names": [
|
|
"brk",
|
|
"mmap",
|
|
"mmap2",
|
|
"munmap",
|
|
"mremap",
|
|
"mprotect",
|
|
"madvise",
|
|
"mlock",
|
|
"munlock",
|
|
"mlockall",
|
|
"munlockall",
|
|
"mincore",
|
|
"msync",
|
|
"memfd_create",
|
|
"remap_file_pages"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Networking (TCP/UDP server)",
|
|
"names": [
|
|
"socket",
|
|
"socketpair",
|
|
"bind",
|
|
"listen",
|
|
"accept",
|
|
"accept4",
|
|
"connect",
|
|
"getsockname",
|
|
"getpeername",
|
|
"setsockopt",
|
|
"getsockopt",
|
|
"sendto",
|
|
"sendmsg",
|
|
"sendmmsg",
|
|
"recvfrom",
|
|
"recvmsg",
|
|
"recvmmsg",
|
|
"shutdown",
|
|
"poll",
|
|
"ppoll",
|
|
"select",
|
|
"pselect6",
|
|
"epoll_create",
|
|
"epoll_create1",
|
|
"epoll_ctl",
|
|
"epoll_wait",
|
|
"epoll_pwait",
|
|
"epoll_pwait2",
|
|
"pipe",
|
|
"pipe2",
|
|
"eventfd",
|
|
"eventfd2"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Signals",
|
|
"names": [
|
|
"rt_sigaction",
|
|
"rt_sigprocmask",
|
|
"rt_sigreturn",
|
|
"rt_sigsuspend",
|
|
"rt_sigpending",
|
|
"rt_sigtimedwait",
|
|
"rt_sigqueueinfo",
|
|
"rt_tgsigqueueinfo",
|
|
"sigaltstack",
|
|
"signalfd",
|
|
"signalfd4",
|
|
"sigreturn",
|
|
"setitimer",
|
|
"getitimer",
|
|
"timer_create",
|
|
"timer_settime",
|
|
"timer_gettime",
|
|
"timer_getoverrun",
|
|
"timer_delete",
|
|
"timerfd_create",
|
|
"timerfd_settime",
|
|
"timerfd_gettime"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Identity / user management (read-only)",
|
|
"names": [
|
|
"getuid",
|
|
"getuid32",
|
|
"getgid",
|
|
"getgid32",
|
|
"geteuid",
|
|
"geteuid32",
|
|
"getegid",
|
|
"getegid32",
|
|
"getresuid",
|
|
"getresuid32",
|
|
"getresgid",
|
|
"getresgid32",
|
|
"getgroups",
|
|
"getgroups32",
|
|
"capget"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "System info / time",
|
|
"names": [
|
|
"uname",
|
|
"sysinfo",
|
|
"getrlimit",
|
|
"setrlimit",
|
|
"prlimit64",
|
|
"getrusage",
|
|
"clock_gettime",
|
|
"clock_gettime64",
|
|
"clock_getres",
|
|
"clock_adjtime",
|
|
"gettimeofday",
|
|
"time"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "I/O multiplexing / async I/O",
|
|
"names": [
|
|
"io_setup",
|
|
"io_submit",
|
|
"io_getevents",
|
|
"io_cancel",
|
|
"io_destroy",
|
|
"io_uring_setup",
|
|
"io_uring_enter",
|
|
"io_uring_register"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "File descriptor management",
|
|
"names": [
|
|
"fcntl",
|
|
"fcntl64",
|
|
"ioctl",
|
|
"flock",
|
|
"sync"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Futex (thread synchronization)",
|
|
"names": [
|
|
"futex",
|
|
"futex_time64",
|
|
"futex_waitv",
|
|
"set_robust_list",
|
|
"get_robust_list",
|
|
"set_tid_address"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "Miscellaneous safe syscalls",
|
|
"names": [
|
|
"getrandom",
|
|
"umask",
|
|
"chdir",
|
|
"fchdir",
|
|
"symlink",
|
|
"symlinkat",
|
|
"link",
|
|
"linkat"
|
|
],
|
|
"action": "SCMP_ACT_ALLOW"
|
|
},
|
|
{
|
|
"_group": "EXPLICITLY BLOCKED — comment out only with documented justification",
|
|
"_blocked_reason": "These syscalls are dangerous and should never be needed by a web server. Do not uncomment without a security review.",
|
|
"names": [],
|
|
"action": "SCMP_ACT_ERRNO",
|
|
"_examples_that_should_stay_blocked": [
|
|
"ptrace -- debug/trace processes; allows container escape",
|
|
"kexec_load -- load a new kernel; always block",
|
|
"kexec_file_load-- load a new kernel; always block",
|
|
"mount -- mount filesystems; always block in containers",
|
|
"umount -- unmount filesystems",
|
|
"umount2 -- unmount filesystems",
|
|
"swapon -- manage swap",
|
|
"swapoff -- manage swap",
|
|
"reboot -- reboot/halt system",
|
|
"syslog -- read/clear kernel message ring buffer",
|
|
"bpf -- load eBPF programs; high privilege",
|
|
"perf_event_open-- access hardware perf counters",
|
|
"init_module -- load kernel modules",
|
|
"finit_module -- load kernel modules",
|
|
"delete_module -- unload kernel modules",
|
|
"create_module -- create loadable modules",
|
|
"query_module -- query module info",
|
|
"get_kernel_syms-- deprecated kernel symbol query",
|
|
"nfsservctl -- NFS server control",
|
|
"pivot_root -- change root filesystem",
|
|
"settimeofday -- set system clock (use capabilities instead)",
|
|
"adjtimex -- tune kernel clock",
|
|
"acct -- enable/disable process accounting",
|
|
"setdomainname -- set domain name",
|
|
"sethostname -- set hostname",
|
|
"setns -- join a namespace (container escape risk)",
|
|
"unshare -- disassociate namespace (container escape risk)"
|
|
]
|
|
}
|
|
]
|
|
}
|