
Merge pull request #18979 from jfrazelle/make-whitelist

Change seccomp blacklist to a whitelist
David Calavera 9 years ago
parent
commit
4b1872f1ef
1 changed files with 1402 additions and 200 deletions
  1. 1402 200
      daemon/execdriver/native/seccomp_default.go

+ 1402 - 200
daemon/execdriver/native/seccomp_default.go

@@ -2,364 +2,1566 @@
 
 
 package native
 package native
 
 
-import "github.com/opencontainers/runc/libcontainer/configs"
+import (
+	"syscall"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+func arches() []string {
+	var native, err = libseccomp.GetNativeArch()
+	if err != nil {
+		return []string{}
+	}
+	var a = native.String()
+	switch a {
+	case "amd64":
+		return []string{"amd64", "x86"}
+	case "arm64":
+		return []string{"arm64", "arm"}
+	case "mips64":
+		return []string{"mips64", "mips64n32", "mips"}
+	case "mips64n32":
+		return []string{"mips64", "mips64n32", "mips"}
+	case "mipsel64":
+		return []string{"mipsel64", "mipsel64n32", "mipsel"}
+	case "mipsel64n32":
+		return []string{"mipsel64", "mipsel64n32", "mipsel"}
+	default:
+		return []string{a}
+	}
+}
 
 
 var defaultSeccompProfile = &configs.Seccomp{
 var defaultSeccompProfile = &configs.Seccomp{
-	DefaultAction: configs.Allow,
+	DefaultAction: configs.Errno,
+	Architectures: arches(),
 	Syscalls: []*configs.Syscall{
 	Syscalls: []*configs.Syscall{
 		{
 		{
-			// Quota and Accounting syscalls which could let containers
-			// disable their own resource limits or process accounting
-			Name:   "acct",
-			Action: configs.Errno,
+			Name:   "accept",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "accept4",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "access",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "alarm",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "arch_prctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "bind",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "brk",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "capget",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "capset",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "chdir",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "chmod",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "chown",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent containers from using the kernel keyring,
-			// which is not namespaced
-			Name:   "add_key",
-			Action: configs.Errno,
+			Name:   "chown32",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Similar to clock_settime and settimeofday
-			// Time/Date is not namespaced
-			Name:   "adjtimex",
-			Action: configs.Errno,
+			Name:   "chroot",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny loading potentially persistent bpf programs into kernel
-			// already gated by CAP_SYS_ADMIN
-			Name:   "bpf",
-			Action: configs.Errno,
+			Name:   "clock_getres",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Time/Date is not namespaced
-			Name:   "clock_adjtime",
-			Action: configs.Errno,
+			Name:   "clock_gettime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Time/Date is not namespaced
-			Name:   "clock_settime",
-			Action: configs.Errno,
+			Name:   "clock_nanosleep",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny cloning new namespaces
 			Name:   "clone",
 			Name:   "clone",
-			Action: configs.Errno,
+			Action: configs.Allow,
 			Args: []*configs.Arg{
 			Args: []*configs.Arg{
 				{
 				{
-					// flags from sched.h
-					// CLONE_NEWUTS		0x04000000
-					// CLONE_NEWIPC		0x08000000
-					// CLONE_NEWUSER	0x10000000
-					// CLONE_NEWPID		0x20000000
-					// CLONE_NEWNET		0x40000000
-					Index: 0,
-					Value: uint64(0x04000000),
-					Op:    configs.GreaterThanOrEqualTo,
-				},
-				{
-					// flags from sched.h
-					// CLONE_NEWNS		0x00020000
-					Index: 0,
-					Value: uint64(0x00020000),
-					Op:    configs.EqualTo,
+					Index:    0,
+					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
+					ValueTwo: 0,
+					Op:       configs.MaskEqualTo,
 				},
 				},
 			},
 			},
 		},
 		},
 		{
 		{
-			// Deny manipulation and functions on kernel modules.
-			Name:   "create_module",
-			Action: configs.Errno,
+			Name:   "close",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "connect",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "creat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "dup",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "dup2",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "dup3",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_create",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_create1",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_ctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_ctl_old",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_pwait",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_wait",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "epoll_wait_old",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "eventfd",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "eventfd2",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "execve",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "execveat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "exit",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "exit_group",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "faccessat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fadvise64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fadvise64_64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fallocate",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fanotify_init",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fanotify_mark",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchdir",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchmod",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchmodat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchown",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchown32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fchownat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fcntl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fcntl64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fdatasync",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fgetxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "flistxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "flock",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fork",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fremovexattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fsetxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fstat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fstat64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fstatat64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fstatfs",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fstatfs64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "fsync",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ftruncate",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ftruncate64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "futex",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "futimesat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getcpu",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getcwd",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getdents",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getdents64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getegid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getegid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "geteuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "geteuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getgid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getgroups",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getgroups32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getitimer",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getpeername",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getpgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getpgrp",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getpid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getppid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getpriority",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getrandom",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getresgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getresgid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getresuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getresuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getrlimit",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "get_robust_list",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getrusage",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getsid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getsockname",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getsockopt",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "get_thread_area",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "gettid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "gettimeofday",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "getxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "inotify_add_watch",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "inotify_init",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "inotify_init1",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "inotify_rm_watch",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "io_cancel",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ioctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "io_destroy",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "io_getevents",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ioprio_get",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ioprio_set",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "io_setup",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "io_submit",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "kill",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lchown",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lchown32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lgetxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "link",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "linkat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "listen",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "listxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "llistxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "_llseek",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lremovexattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lseek",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lsetxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lstat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "lstat64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "madvise",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "memfd_create",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mincore",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mkdir",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mkdirat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mknod",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mknodat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mlock",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mlockall",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mmap",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mmap2",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mprotect",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_getsetattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_notify",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_open",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_timedreceive",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_timedsend",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mq_unlink",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "mremap",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "msgctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "msgget",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "msgrcv",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "msgsnd",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "msync",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "munlock",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "munlockall",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "munmap",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "nanosleep",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "newfstatat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "_newselect",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "open",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "openat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pause",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pipe",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pipe2",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "poll",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "ppoll",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "prctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pread64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "preadv",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "prlimit64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pselect6",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pwrite64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "pwritev",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "read",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "readahead",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "readlink",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "readlinkat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "readv",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "recvfrom",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "recvmmsg",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "recvmsg",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "remap_file_pages",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "removexattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rename",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "renameat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "renameat2",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rmdir",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigaction",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigpending",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigprocmask",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigqueueinfo",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigreturn",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigsuspend",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_sigtimedwait",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "rt_tgsigqueueinfo",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_getaffinity",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_getattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_getparam",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_get_priority_max",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_get_priority_min",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_getscheduler",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_rr_get_interval",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_setaffinity",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_setattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_setparam",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_setscheduler",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sched_yield",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "seccomp",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "select",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "semctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "semget",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "semop",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "semtimedop",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sendfile",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sendfile64",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sendmmsg",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sendmsg",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sendto",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setdomainname",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setfsgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setfsgid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setfsuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setfsuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setgid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setgroups",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setgroups32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sethostname",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setitimer",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setpgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setpriority",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setregid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setregid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setresgid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setresgid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setresuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setresuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setreuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setreuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setrlimit",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "set_robust_list",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setsid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setsockopt",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "set_thread_area",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "set_tid_address",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setuid",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setuid32",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "setxattr",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "shmat",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "shmctl",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "shmdt",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "shmget",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "shutdown",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sigaltstack",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "signalfd",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "signalfd4",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "sigreturn",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "socket",
+			Action: configs.Allow,
+			Args:   []*configs.Arg{},
+		},
+		{
+			Name:   "socketpair",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny manipulation and functions on kernel modules.
-			Name:   "delete_module",
-			Action: configs.Errno,
+			Name:   "splice",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny manipulation and functions on kernel modules.
-			Name:   "finit_module",
-			Action: configs.Errno,
+			Name:   "stat",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny retrieval of exported kernel and module symbols
-			Name:   "get_kernel_syms",
-			Action: configs.Errno,
+			Name:   "stat64",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Terrifying syscalls that modify kernel memory and NUMA settings.
-			// They're gated by CAP_SYS_NICE,
-			// which we do not retain by default in containers.
-			Name:   "get_mempolicy",
-			Action: configs.Errno,
+			Name:   "statfs",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny manipulation and functions on kernel modules.
-			Name:   "init_module",
-			Action: configs.Errno,
+			Name:   "statfs64",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent containers from modifying kernel I/O privilege levels.
-			// Already restricted as containers drop CAP_SYS_RAWIO by default.
-			Name:   "ioperm",
-			Action: configs.Errno,
+			Name:   "symlink",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent containers from modifying kernel I/O privilege levels.
-			// Already restricted as containers drop CAP_SYS_RAWIO by default.
-			Name:   "iopl",
-			Action: configs.Errno,
+			Name:   "symlinkat",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Restrict process inspection capabilities
-			// Already blocked by dropping CAP_PTRACE
-			Name:   "kcmp",
-			Action: configs.Errno,
+			Name:   "sync",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Sister syscall of kexec_load that does the same thing,
-			// slightly different arguments
-			Name:   "kexec_file_load",
-			Action: configs.Errno,
+			Name:   "sync_file_range",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny loading a new kernel for later execution
-			Name:   "kexec_load",
-			Action: configs.Errno,
+			Name:   "syncfs",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent containers from using the kernel keyring,
-			// which is not namespaced
-			Name:   "keyctl",
-			Action: configs.Errno,
+			Name:   "sysinfo",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Tracing/profiling syscalls,
-			// which could leak a lot of information on the host
-			Name:   "lookup_dcookie",
-			Action: configs.Errno,
+			Name:   "syslog",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Terrifying syscalls that modify kernel memory and NUMA settings.
-			// They're gated by CAP_SYS_NICE,
-			// which we do not retain by default in containers.
-			Name:   "mbind",
-			Action: configs.Errno,
+			Name:   "tee",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Terrifying syscalls that modify kernel memory and NUMA settings.
-			// They're gated by CAP_SYS_NICE,
-			// which we do not retain by default in containers.
-			Name:   "migrate_pages",
-			Action: configs.Errno,
+			Name:   "tgkill",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Old syscall only used in 16-bit code,
-			// and a potential information leak
-			Name:   "modify_ldt",
-			Action: configs.Errno,
+			Name:   "time",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny mount
-			Name:   "mount",
-			Action: configs.Errno,
+			Name:   "timer_create",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Terrifying syscalls that modify kernel memory and NUMA settings.
-			// They're gated by CAP_SYS_NICE,
-			// which we do not retain by default in containers.
-			Name:   "move_pages",
-			Action: configs.Errno,
+			Name:   "timer_delete",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny interaction with the kernel nfs daemon
-			Name:   "nfsservctl",
-			Action: configs.Errno,
+			Name:   "timerfd_create",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Cause of an old container breakout,
-			// might as well restrict it to be on the safe side
-			Name:   "open_by_handle_at",
-			Action: configs.Errno,
+			Name:   "timerfd_gettime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Tracing/profiling syscalls,
-			// which could leak a lot of information on the host
-			Name:   "perf_event_open",
-			Action: configs.Errno,
+			Name:   "timerfd_settime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent container from enabling BSD emulation.
-			// Not inherently dangerous, but poorly tested,
-			// potential for a lot of kernel vulns in this.
-			Name:   "personality",
-			Action: configs.Errno,
+			Name:   "timer_getoverrun",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny pivot_root
-			Name:   "pivot_root",
-			Action: configs.Errno,
+			Name:   "timer_gettime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Restrict process inspection capabilities
-			// Already blocked by dropping CAP_PTRACE
-			Name:   "process_vm_readv",
-			Action: configs.Errno,
+			Name:   "timer_settime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Restrict process modification capabilities
-			// Already blocked by dropping CAP_PTRACE
-			Name:   "process_vm_writev",
-			Action: configs.Errno,
+			Name:   "times",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Already blocked by dropping CAP_PTRACE
-			Name:   "ptrace",
-			Action: configs.Errno,
+			Name:   "tkill",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny manipulation and functions on kernel modules.
-			Name:   "query_module",
-			Action: configs.Errno,
+			Name:   "truncate",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Quota and Accounting syscalls which could let containers
-			// disable their own resource limits or process accounting
-			Name:   "quotactl",
-			Action: configs.Errno,
+			Name:   "truncate64",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Probably a bad idea to let containers reboot the host
-			Name:   "reboot",
-			Action: configs.Errno,
+			Name:   "ugetrlimit",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Probably a bad idea to let containers restart a syscall.
-			// Possible seccomp bypass, see: https://code.google.com/p/chromium/issues/detail?id=408827.
-			Name:   "restart_syscall",
-			Action: configs.Errno,
+			Name:   "umask",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Prevent containers from using the kernel keyring,
-			// which is not namespaced
-			Name:   "request_key",
-			Action: configs.Errno,
+			Name:   "uname",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Terrifying syscalls that modify kernel memory and NUMA settings.
-			// They're gated by CAP_SYS_NICE,
-			// which we do not retain by default in containers.
-			Name:   "set_mempolicy",
-			Action: configs.Errno,
+			Name:   "unlink",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// deny associating a thread with a namespace
-			Name:   "setns",
-			Action: configs.Errno,
+			Name:   "unlinkat",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Time/Date is not namespaced
-			Name:   "settimeofday",
-			Action: configs.Errno,
+			Name:   "utime",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Time/Date is not namespaced
-			Name:   "stime",
-			Action: configs.Errno,
+			Name:   "utimensat",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny start/stop swapping to file/device
-			Name:   "swapon",
-			Action: configs.Errno,
+			Name:   "utimes",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny start/stop swapping to file/device
-			Name:   "swapoff",
-			Action: configs.Errno,
+			Name:   "vfork",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny read/write system parameters
-			Name:   "_sysctl",
-			Action: configs.Errno,
+			Name:   "vhangup",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny umount
-			Name:   "umount",
-			Action: configs.Errno,
+			Name:   "vmsplice",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Deny umount
-			Name:   "umount2",
-			Action: configs.Errno,
+			Name:   "wait4",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Same as clone
-			Name:   "unshare",
-			Action: configs.Errno,
+			Name:   "waitid",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// Older syscall related to shared libraries, unused for a long time
-			Name:   "uselib",
-			Action: configs.Errno,
+			Name:   "waitpid",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// In kernel x86 real mode virtual machine
-			Name:   "vm86",
-			Action: configs.Errno,
+			Name:   "write",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 		{
 		{
-			// In kernel x86 real mode virtual machine
-			Name:   "vm86old",
-			Action: configs.Errno,
+			Name:   "writev",
+			Action: configs.Allow,
 			Args:   []*configs.Arg{},
 			Args:   []*configs.Arg{},
 		},
 		},
 	},
 	},