
New seccomp format

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

Antonio Murdaca authored on 2016/07/13 22:41:30
Showing 8 changed files
... ...
@@ -32,7 +32,7 @@ func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
32 32
 		return nil
33 33
 	}
34 34
 	if c.SeccompProfile != "" {
35
-		profile, err = seccomp.LoadProfile(c.SeccompProfile)
35
+		profile, err = seccomp.LoadProfile(c.SeccompProfile, rs)
36 36
 		if err != nil {
37 37
 			return err
38 38
 		}
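Review bot: The new `seccomp.LoadProfile(c.SeccompProfile, rs)` call hands the spec to the loader, and the tests and docs in this commit show the new profile format carries `includes`/`excludes` keyed on arches and caps, so the rule set presumably now depends on rs already holding the final capability set and architecture when setSeccomp runs; a comment at the call site stating that ordering contract, e.g. `// rs must already carry the final process capabilities and arch: the profile's includes/excludes are resolved against it`, would stop a later reordering of spec population from silently widening the filter. The error from LoadProfile is also returned bare, so an operator whose user-supplied profile is rejected does not learn which file failed; `return fmt.Errorf("loading seccomp profile %q: %v", c.SeccompProfile, err)` would help, if fmt is in scope here. setSeccomp starts before the hunk.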
... ...
@@ -40,24 +40,65 @@ compatibility. The default Docker profile (found [here](https://github.com/docke
40 40
 ```json
41 41
 {
42 42
 	"defaultAction": "SCMP_ACT_ERRNO",
43
-	"architectures": [
44
-		"SCMP_ARCH_X86_64",
45
-		"SCMP_ARCH_X86",
46
-		"SCMP_ARCH_X32"
43
+	"archMap": [
44
+		{
45
+			"architecture": "SCMP_ARCH_X86_64",
46
+			"subArchitectures": [
47
+				"SCMP_ARCH_X86",
48
+				"SCMP_ARCH_X32"
49
+			]
50
+		},
51
+		...
47 52
 	],
48 53
 	"syscalls": [
49 54
 		{
50
-			"name": "accept",
55
+			"names": [
56
+				"accept",
57
+				"accept4",
58
+				"access",
59
+				"alarm",
60
+				"alarm",
61
+				"bind",
62
+				"brk",
63
+				...
64
+				"waitid",
65
+				"waitpid",
66
+				"write",
67
+				"writev"
68
+			],
51 69
 			"action": "SCMP_ACT_ALLOW",
52
-			"args": []
70
+			"args": [],
71
+			"comment": "",
72
+			"includes": {},
73
+			"excludes": {}
53 74
 		},
54 75
 		{
55
-			"name": "accept4",
76
+			"names": [
77
+				"clone"
78
+			],
56 79
 			"action": "SCMP_ACT_ALLOW",
57
-			"args": []
80
+			"args": [
81
+				{
82
+					"index": 1,
83
+					"value": 2080505856,
84
+					"valueTwo": 0,
85
+					"op": "SCMP_CMP_MASKED_EQ"
86
+				}
87
+			],
88
+			"comment": "s390 parameter ordering for clone is different",
89
+			"includes": {
90
+				"arches": [
91
+					"s390",
92
+					"s390x"
93
+				]
94
+			},
95
+			"excludes": {
96
+				"caps": [
97
+					"CAP_SYS_ADMIN"
98
+				]
99
+			}
58 100
 		},
59 101
 		...
60
-	]
61 102
 }
62 103
 ```
63 104
 
... ...
@@ -1166,7 +1166,7 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
1166 1166
 // make sure the default profile can be successfully parsed (using unshare as it is
1167 1167
 // something which we know is blocked in the default profile)
1168 1168
 func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
1169
-	testRequires(c, SameHostDaemon, seccompEnabled, NotArm, NotPpc64le, NotS390X)
1169
+	testRequires(c, SameHostDaemon, seccompEnabled)
1170 1170
 
1171 1171
 	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
1172 1172
 	c.Assert(err, checker.NotNil, check.Commentf(out))
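Review bot: Dropping NotPpc64le (with NotArm and NotS390X) from testRequires makes this test run on every architecture, but the default profile's new archMap in this commit lists X86_64, AARCH64, the MIPS variants and S390X with no PPC64/PPC64LE entry; unless LoadProfile adds the host's native architecture when it is absent from archMap, the profile would fail to load on ppc64le and the test would fail for the wrong reason (load error instead of the blocked unshare). Either confirm that fallback or keep NotPpc64le until ppc64le is in the map. The `c.Assert(err, checker.NotNil, ...)` on the last hunk line cannot distinguish the two outcomes; asserting that out contains the seccomp denial text would make the test meaningful on each arch. The test function continues outside the hunk.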
... ...
@@ -1259,3 +1259,94 @@ func (s *DockerSuite) TestRunUserDeviceAllowed(c *check.C) {
1259 1259
 	out, _ := dockerCmd(c, "run", "--device", "/dev/snd/timer:w", "busybox", "cat", file)
1260 1260
 	c.Assert(out, checker.Contains, fmt.Sprintf("c %d:%d w", stat.Rdev/256, stat.Rdev%256))
1261 1261
 }
1262
+
1263
+func (s *DockerDaemonSuite) TestRunSeccompJSONNewFormat(c *check.C) {
1264
+	testRequires(c, SameHostDaemon, seccompEnabled)
1265
+
1266
+	err := s.d.StartWithBusybox()
1267
+	c.Assert(err, check.IsNil)
1268
+
1269
+	jsonData := `{
1270
+	"defaultAction": "SCMP_ACT_ALLOW",
1271
+	"syscalls": [
1272
+		{
1273
+			"names": ["chmod", "fchmod", "fchmodat"],
1274
+			"action": "SCMP_ACT_ERRNO"
1275
+		}
1276
+	]
1277
+}`
1278
+	tmpFile, err := ioutil.TempFile("", "profile.json")
1279
+	c.Assert(err, check.IsNil)
1280
+	defer tmpFile.Close()
1281
+	_, err = tmpFile.Write([]byte(jsonData))
1282
+	c.Assert(err, check.IsNil)
1283
+
1284
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
1285
+	c.Assert(err, check.NotNil)
1286
+	c.Assert(out, checker.Contains, "Operation not permitted")
1287
+}
1288
+
1289
+func (s *DockerDaemonSuite) TestRunSeccompJSONNoNameAndNames(c *check.C) {
1290
+	testRequires(c, SameHostDaemon, seccompEnabled)
1291
+
1292
+	err := s.d.StartWithBusybox()
1293
+	c.Assert(err, check.IsNil)
1294
+
1295
+	jsonData := `{
1296
+	"defaultAction": "SCMP_ACT_ALLOW",
1297
+	"syscalls": [
1298
+		{
1299
+			"name": "chmod",
1300
+			"names": ["fchmod", "fchmodat"],
1301
+			"action": "SCMP_ACT_ERRNO"
1302
+		}
1303
+	]
1304
+}`
1305
+	tmpFile, err := ioutil.TempFile("", "profile.json")
1306
+	c.Assert(err, check.IsNil)
1307
+	defer tmpFile.Close()
1308
+	_, err = tmpFile.Write([]byte(jsonData))
1309
+	c.Assert(err, check.IsNil)
1310
+
1311
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
1312
+	c.Assert(err, check.NotNil)
1313
+	c.Assert(out, checker.Contains, "'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
1314
+}
1315
+
1316
+func (s *DockerDaemonSuite) TestRunSeccompJSONNoArchAndArchMap(c *check.C) {
1317
+	testRequires(c, SameHostDaemon, seccompEnabled)
1318
+
1319
+	err := s.d.StartWithBusybox()
1320
+	c.Assert(err, check.IsNil)
1321
+
1322
+	jsonData := `{
1323
+	"archMap": [
1324
+		{
1325
+			"architecture": "SCMP_ARCH_X86_64",
1326
+			"subArchitectures": [
1327
+				"SCMP_ARCH_X86",
1328
+				"SCMP_ARCH_X32"
1329
+			]
1330
+		}
1331
+	],
1332
+	"architectures": [
1333
+		"SCMP_ARCH_X32"
1334
+	],
1335
+	"defaultAction": "SCMP_ACT_ALLOW",
1336
+	"syscalls": [
1337
+		{
1338
+			"names": ["chmod", "fchmod", "fchmodat"],
1339
+			"action": "SCMP_ACT_ERRNO"
1340
+		}
1341
+	]
1342
+}`
1343
+	tmpFile, err := ioutil.TempFile("", "profile.json")
1344
+	c.Assert(err, check.IsNil)
1345
+	defer tmpFile.Close()
1346
+	_, err = tmpFile.Write([]byte(jsonData))
1347
+	c.Assert(err, check.IsNil)
1348
+
1349
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
1350
+	c.Assert(err, check.NotNil)
1351
+	c.Assert(out, checker.Contains, "'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
1352
+}
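Review bot: Each of the three new tests leaves its ioutil.TempFile behind: only `defer tmpFile.Close()` is deferred, so profile files accumulate in the temp directory across runs; `defer os.Remove(tmpFile.Name())` right after the TempFile error check fixes it in TestRunSeccompJSONNewFormat, TestRunSeccompJSONNoNameAndNames and TestRunSeccompJSONNoArchAndArchMap (assuming os is imported in this file). The three tests also repeat the same write-profile / run / assert sequence with only the JSON and the expected substring varying, which is the kind of duplication that drifts when one copy is later fixed; a small suite helper leaves each test as the daemon start plus one call. The helper below is an excerpt, not a drop-in file.
```go
// runWithSeccompProfile writes jsonData to a temporary profile, runs busybox chmod
// under it and asserts the run fails with want in its output.
func (s *DockerDaemonSuite) runWithSeccompProfile(c *check.C, jsonData, want string) {
	tmpFile, err := ioutil.TempFile("", "profile.json")
	c.Assert(err, check.IsNil)
	defer tmpFile.Close()
	defer os.Remove(tmpFile.Name())
	_, err = tmpFile.Write([]byte(jsonData))
	c.Assert(err, check.IsNil)

	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
	c.Assert(err, check.NotNil)
	c.Assert(out, checker.Contains, want)
}
```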
... ...
@@ -1,828 +1,373 @@
1 1
 {
2 2
 	"defaultAction": "SCMP_ACT_ERRNO",
3
-	"architectures": [
4
-		"SCMP_ARCH_X86_64",
5
-		"SCMP_ARCH_X86",
6
-		"SCMP_ARCH_X32"
7
-	],
8
-	"syscalls": [
9
-		{
10
-			"name": "accept",
11
-			"action": "SCMP_ACT_ALLOW",
12
-			"args": []
13
-		},
14
-		{
15
-			"name": "accept4",
16
-			"action": "SCMP_ACT_ALLOW",
17
-			"args": []
18
-		},
19
-		{
20
-			"name": "access",
21
-			"action": "SCMP_ACT_ALLOW",
22
-			"args": []
23
-		},
24
-		{
25
-			"name": "alarm",
26
-			"action": "SCMP_ACT_ALLOW",
27
-			"args": []
28
-		},
29
-		{
30
-			"name": "bind",
31
-			"action": "SCMP_ACT_ALLOW",
32
-			"args": []
33
-		},
34
-		{
35
-			"name": "brk",
36
-			"action": "SCMP_ACT_ALLOW",
37
-			"args": []
38
-		},
39
-		{
40
-			"name": "capget",
41
-			"action": "SCMP_ACT_ALLOW",
42
-			"args": []
43
-		},
44
-		{
45
-			"name": "capset",
46
-			"action": "SCMP_ACT_ALLOW",
47
-			"args": []
48
-		},
49
-		{
50
-			"name": "chdir",
51
-			"action": "SCMP_ACT_ALLOW",
52
-			"args": []
53
-		},
54
-		{
55
-			"name": "chmod",
56
-			"action": "SCMP_ACT_ALLOW",
57
-			"args": []
58
-		},
59
-		{
60
-			"name": "chown",
61
-			"action": "SCMP_ACT_ALLOW",
62
-			"args": []
63
-		},
64
-		{
65
-			"name": "chown32",
66
-			"action": "SCMP_ACT_ALLOW",
67
-			"args": []
68
-		},
69
-		{
70
-			"name": "clock_getres",
71
-			"action": "SCMP_ACT_ALLOW",
72
-			"args": []
73
-		},
74
-		{
75
-			"name": "clock_gettime",
76
-			"action": "SCMP_ACT_ALLOW",
77
-			"args": []
78
-		},
79
-		{
80
-			"name": "clock_nanosleep",
81
-			"action": "SCMP_ACT_ALLOW",
82
-			"args": []
83
-		},
84
-		{
85
-			"name": "close",
86
-			"action": "SCMP_ACT_ALLOW",
87
-			"args": []
88
-		},
89
-		{
90
-			"name": "connect",
91
-			"action": "SCMP_ACT_ALLOW",
92
-			"args": []
93
-		},
94
-		{
95
-			"name": "copy_file_range",
96
-			"action": "SCMP_ACT_ALLOW",
97
-			"args": []
98
-		},
99
-		{
100
-			"name": "creat",
101
-			"action": "SCMP_ACT_ALLOW",
102
-			"args": []
103
-		},
104
-		{
105
-			"name": "dup",
106
-			"action": "SCMP_ACT_ALLOW",
107
-			"args": []
108
-		},
109
-		{
110
-			"name": "dup2",
111
-			"action": "SCMP_ACT_ALLOW",
112
-			"args": []
113
-		},
114
-		{
115
-			"name": "dup3",
116
-			"action": "SCMP_ACT_ALLOW",
117
-			"args": []
118
-		},
119
-		{
120
-			"name": "epoll_create",
121
-			"action": "SCMP_ACT_ALLOW",
122
-			"args": []
123
-		},
124
-		{
125
-			"name": "epoll_create1",
126
-			"action": "SCMP_ACT_ALLOW",
127
-			"args": []
128
-		},
129
-		{
130
-			"name": "epoll_ctl",
131
-			"action": "SCMP_ACT_ALLOW",
132
-			"args": []
133
-		},
134
-		{
135
-			"name": "epoll_ctl_old",
136
-			"action": "SCMP_ACT_ALLOW",
137
-			"args": []
138
-		},
139
-		{
140
-			"name": "epoll_pwait",
141
-			"action": "SCMP_ACT_ALLOW",
142
-			"args": []
143
-		},
144
-		{
145
-			"name": "epoll_wait",
146
-			"action": "SCMP_ACT_ALLOW",
147
-			"args": []
148
-		},
149
-		{
150
-			"name": "epoll_wait_old",
151
-			"action": "SCMP_ACT_ALLOW",
152
-			"args": []
153
-		},
154
-		{
155
-			"name": "eventfd",
156
-			"action": "SCMP_ACT_ALLOW",
157
-			"args": []
158
-		},
159
-		{
160
-			"name": "eventfd2",
161
-			"action": "SCMP_ACT_ALLOW",
162
-			"args": []
163
-		},
164
-		{
165
-			"name": "execve",
166
-			"action": "SCMP_ACT_ALLOW",
167
-			"args": []
168
-		},
169
-		{
170
-			"name": "execveat",
171
-			"action": "SCMP_ACT_ALLOW",
172
-			"args": []
173
-		},
174
-		{
175
-			"name": "exit",
176
-			"action": "SCMP_ACT_ALLOW",
177
-			"args": []
178
-		},
179
-		{
180
-			"name": "exit_group",
181
-			"action": "SCMP_ACT_ALLOW",
182
-			"args": []
183
-		},
184
-		{
185
-			"name": "faccessat",
186
-			"action": "SCMP_ACT_ALLOW",
187
-			"args": []
188
-		},
189
-		{
190
-			"name": "fadvise64",
191
-			"action": "SCMP_ACT_ALLOW",
192
-			"args": []
193
-		},
194
-		{
195
-			"name": "fadvise64_64",
196
-			"action": "SCMP_ACT_ALLOW",
197
-			"args": []
198
-		},
199
-		{
200
-			"name": "fallocate",
201
-			"action": "SCMP_ACT_ALLOW",
202
-			"args": []
203
-		},
204
-		{
205
-			"name": "fanotify_mark",
206
-			"action": "SCMP_ACT_ALLOW",
207
-			"args": []
208
-		},
209
-		{
210
-			"name": "fchdir",
211
-			"action": "SCMP_ACT_ALLOW",
212
-			"args": []
213
-		},
214
-		{
215
-			"name": "fchmod",
216
-			"action": "SCMP_ACT_ALLOW",
217
-			"args": []
218
-		},
219
-		{
220
-			"name": "fchmodat",
221
-			"action": "SCMP_ACT_ALLOW",
222
-			"args": []
223
-		},
224
-		{
225
-			"name": "fchown",
226
-			"action": "SCMP_ACT_ALLOW",
227
-			"args": []
228
-		},
229
-		{
230
-			"name": "fchown32",
231
-			"action": "SCMP_ACT_ALLOW",
232
-			"args": []
233
-		},
234
-		{
235
-			"name": "fchownat",
236
-			"action": "SCMP_ACT_ALLOW",
237
-			"args": []
238
-		},
239
-		{
240
-			"name": "fcntl",
241
-			"action": "SCMP_ACT_ALLOW",
242
-			"args": []
243
-		},
244
-		{
245
-			"name": "fcntl64",
246
-			"action": "SCMP_ACT_ALLOW",
247
-			"args": []
248
-		},
249
-		{
250
-			"name": "fdatasync",
251
-			"action": "SCMP_ACT_ALLOW",
252
-			"args": []
253
-		},
254
-		{
255
-			"name": "fgetxattr",
256
-			"action": "SCMP_ACT_ALLOW",
257
-			"args": []
258
-		},
259
-		{
260
-			"name": "flistxattr",
261
-			"action": "SCMP_ACT_ALLOW",
262
-			"args": []
263
-		},
264
-		{
265
-			"name": "flock",
266
-			"action": "SCMP_ACT_ALLOW",
267
-			"args": []
268
-		},
269
-		{
270
-			"name": "fork",
271
-			"action": "SCMP_ACT_ALLOW",
272
-			"args": []
273
-		},
274
-		{
275
-			"name": "fremovexattr",
276
-			"action": "SCMP_ACT_ALLOW",
277
-			"args": []
278
-		},
279
-		{
280
-			"name": "fsetxattr",
281
-			"action": "SCMP_ACT_ALLOW",
282
-			"args": []
283
-		},
284
-		{
285
-			"name": "fstat",
286
-			"action": "SCMP_ACT_ALLOW",
287
-			"args": []
288
-		},
289
-		{
290
-			"name": "fstat64",
291
-			"action": "SCMP_ACT_ALLOW",
292
-			"args": []
293
-		},
294
-		{
295
-			"name": "fstatat64",
296
-			"action": "SCMP_ACT_ALLOW",
297
-			"args": []
298
-		},
299
-		{
300
-			"name": "fstatfs",
301
-			"action": "SCMP_ACT_ALLOW",
302
-			"args": []
303
-		},
304
-		{
305
-			"name": "fstatfs64",
306
-			"action": "SCMP_ACT_ALLOW",
307
-			"args": []
308
-		},
309
-		{
310
-			"name": "fsync",
311
-			"action": "SCMP_ACT_ALLOW",
312
-			"args": []
313
-		},
314
-		{
315
-			"name": "ftruncate",
316
-			"action": "SCMP_ACT_ALLOW",
317
-			"args": []
318
-		},
319
-		{
320
-			"name": "ftruncate64",
321
-			"action": "SCMP_ACT_ALLOW",
322
-			"args": []
323
-		},
324
-		{
325
-			"name": "futex",
326
-			"action": "SCMP_ACT_ALLOW",
327
-			"args": []
328
-		},
329
-		{
330
-			"name": "futimesat",
331
-			"action": "SCMP_ACT_ALLOW",
332
-			"args": []
333
-		},
334
-		{
335
-			"name": "getcpu",
336
-			"action": "SCMP_ACT_ALLOW",
337
-			"args": []
338
-		},
339
-		{
340
-			"name": "getcwd",
341
-			"action": "SCMP_ACT_ALLOW",
342
-			"args": []
343
-		},
344
-		{
345
-			"name": "getdents",
346
-			"action": "SCMP_ACT_ALLOW",
347
-			"args": []
348
-		},
349
-		{
350
-			"name": "getdents64",
351
-			"action": "SCMP_ACT_ALLOW",
352
-			"args": []
353
-		},
354
-		{
355
-			"name": "getegid",
356
-			"action": "SCMP_ACT_ALLOW",
357
-			"args": []
358
-		},
359
-		{
360
-			"name": "getegid32",
361
-			"action": "SCMP_ACT_ALLOW",
362
-			"args": []
363
-		},
364
-		{
365
-			"name": "geteuid",
366
-			"action": "SCMP_ACT_ALLOW",
367
-			"args": []
368
-		},
369
-		{
370
-			"name": "geteuid32",
371
-			"action": "SCMP_ACT_ALLOW",
372
-			"args": []
373
-		},
374
-		{
375
-			"name": "getgid",
376
-			"action": "SCMP_ACT_ALLOW",
377
-			"args": []
378
-		},
379
-		{
380
-			"name": "getgid32",
381
-			"action": "SCMP_ACT_ALLOW",
382
-			"args": []
383
-		},
384
-		{
385
-			"name": "getgroups",
386
-			"action": "SCMP_ACT_ALLOW",
387
-			"args": []
388
-		},
389
-		{
390
-			"name": "getgroups32",
391
-			"action": "SCMP_ACT_ALLOW",
392
-			"args": []
393
-		},
394
-		{
395
-			"name": "getitimer",
396
-			"action": "SCMP_ACT_ALLOW",
397
-			"args": []
398
-		},
399
-		{
400
-			"name": "getpeername",
401
-			"action": "SCMP_ACT_ALLOW",
402
-			"args": []
403
-		},
404
-		{
405
-			"name": "getpgid",
406
-			"action": "SCMP_ACT_ALLOW",
407
-			"args": []
408
-		},
409
-		{
410
-			"name": "getpgrp",
411
-			"action": "SCMP_ACT_ALLOW",
412
-			"args": []
413
-		},
414
-		{
415
-			"name": "getpid",
416
-			"action": "SCMP_ACT_ALLOW",
417
-			"args": []
418
-		},
419
-		{
420
-			"name": "getppid",
421
-			"action": "SCMP_ACT_ALLOW",
422
-			"args": []
423
-		},
424
-		{
425
-			"name": "getpriority",
426
-			"action": "SCMP_ACT_ALLOW",
427
-			"args": []
428
-		},
429
-		{
430
-			"name": "getrandom",
431
-			"action": "SCMP_ACT_ALLOW",
432
-			"args": []
433
-		},
434
-		{
435
-			"name": "getresgid",
436
-			"action": "SCMP_ACT_ALLOW",
437
-			"args": []
438
-		},
439
-		{
440
-			"name": "getresgid32",
441
-			"action": "SCMP_ACT_ALLOW",
442
-			"args": []
443
-		},
444
-		{
445
-			"name": "getresuid",
446
-			"action": "SCMP_ACT_ALLOW",
447
-			"args": []
448
-		},
449
-		{
450
-			"name": "getresuid32",
451
-			"action": "SCMP_ACT_ALLOW",
452
-			"args": []
453
-		},
454
-		{
455
-			"name": "getrlimit",
456
-			"action": "SCMP_ACT_ALLOW",
457
-			"args": []
458
-		},
459
-		{
460
-			"name": "get_robust_list",
461
-			"action": "SCMP_ACT_ALLOW",
462
-			"args": []
463
-		},
464
-		{
465
-			"name": "getrusage",
466
-			"action": "SCMP_ACT_ALLOW",
467
-			"args": []
468
-		},
469
-		{
470
-			"name": "getsid",
471
-			"action": "SCMP_ACT_ALLOW",
472
-			"args": []
473
-		},
474
-		{
475
-			"name": "getsockname",
476
-			"action": "SCMP_ACT_ALLOW",
477
-			"args": []
478
-		},
479
-		{
480
-			"name": "getsockopt",
481
-			"action": "SCMP_ACT_ALLOW",
482
-			"args": []
483
-		},
484
-		{
485
-			"name": "get_thread_area",
486
-			"action": "SCMP_ACT_ALLOW",
487
-			"args": []
488
-		},
489
-		{
490
-			"name": "gettid",
491
-			"action": "SCMP_ACT_ALLOW",
492
-			"args": []
493
-		},
494
-		{
495
-			"name": "gettimeofday",
496
-			"action": "SCMP_ACT_ALLOW",
497
-			"args": []
498
-		},
499
-		{
500
-			"name": "getuid",
501
-			"action": "SCMP_ACT_ALLOW",
502
-			"args": []
503
-		},
504
-		{
505
-			"name": "getuid32",
506
-			"action": "SCMP_ACT_ALLOW",
507
-			"args": []
508
-		},
509
-		{
510
-			"name": "getxattr",
511
-			"action": "SCMP_ACT_ALLOW",
512
-			"args": []
513
-		},
514
-		{
515
-			"name": "inotify_add_watch",
516
-			"action": "SCMP_ACT_ALLOW",
517
-			"args": []
518
-		},
519
-		{
520
-			"name": "inotify_init",
521
-			"action": "SCMP_ACT_ALLOW",
522
-			"args": []
523
-		},
524
-		{
525
-			"name": "inotify_init1",
526
-			"action": "SCMP_ACT_ALLOW",
527
-			"args": []
528
-		},
529
-		{
530
-			"name": "inotify_rm_watch",
531
-			"action": "SCMP_ACT_ALLOW",
532
-			"args": []
533
-		},
534
-		{
535
-			"name": "io_cancel",
536
-			"action": "SCMP_ACT_ALLOW",
537
-			"args": []
538
-		},
539
-		{
540
-			"name": "ioctl",
541
-			"action": "SCMP_ACT_ALLOW",
542
-			"args": []
543
-		},
544
-		{
545
-			"name": "io_destroy",
546
-			"action": "SCMP_ACT_ALLOW",
547
-			"args": []
548
-		},
549
-		{
550
-			"name": "io_getevents",
551
-			"action": "SCMP_ACT_ALLOW",
552
-			"args": []
553
-		},
554
-		{
555
-			"name": "ioprio_get",
556
-			"action": "SCMP_ACT_ALLOW",
557
-			"args": []
558
-		},
559
-		{
560
-			"name": "ioprio_set",
561
-			"action": "SCMP_ACT_ALLOW",
562
-			"args": []
563
-		},
564
-		{
565
-			"name": "io_setup",
566
-			"action": "SCMP_ACT_ALLOW",
567
-			"args": []
568
-		},
569
-		{
570
-			"name": "io_submit",
571
-			"action": "SCMP_ACT_ALLOW",
572
-			"args": []
573
-		},
574
-		{
575
-			"name": "ipc",
576
-			"action": "SCMP_ACT_ALLOW",
577
-			"args": []
578
-		},
579
-		{
580
-			"name": "kill",
581
-			"action": "SCMP_ACT_ALLOW",
582
-			"args": []
583
-		},
584
-		{
585
-			"name": "lchown",
586
-			"action": "SCMP_ACT_ALLOW",
587
-			"args": []
588
-		},
589
-		{
590
-			"name": "lchown32",
591
-			"action": "SCMP_ACT_ALLOW",
592
-			"args": []
593
-		},
594
-		{
595
-			"name": "lgetxattr",
596
-			"action": "SCMP_ACT_ALLOW",
597
-			"args": []
598
-		},
599
-		{
600
-			"name": "link",
601
-			"action": "SCMP_ACT_ALLOW",
602
-			"args": []
603
-		},
604
-		{
605
-			"name": "linkat",
606
-			"action": "SCMP_ACT_ALLOW",
607
-			"args": []
608
-		},
609
-		{
610
-			"name": "listen",
611
-			"action": "SCMP_ACT_ALLOW",
612
-			"args": []
613
-		},
614
-		{
615
-			"name": "listxattr",
616
-			"action": "SCMP_ACT_ALLOW",
617
-			"args": []
618
-		},
619
-		{
620
-			"name": "llistxattr",
621
-			"action": "SCMP_ACT_ALLOW",
622
-			"args": []
623
-		},
624
-		{
625
-			"name": "_llseek",
626
-			"action": "SCMP_ACT_ALLOW",
627
-			"args": []
628
-		},
629
-		{
630
-			"name": "lremovexattr",
631
-			"action": "SCMP_ACT_ALLOW",
632
-			"args": []
633
-		},
634
-		{
635
-			"name": "lseek",
636
-			"action": "SCMP_ACT_ALLOW",
637
-			"args": []
638
-		},
639
-		{
640
-			"name": "lsetxattr",
641
-			"action": "SCMP_ACT_ALLOW",
642
-			"args": []
643
-		},
644
-		{
645
-			"name": "lstat",
646
-			"action": "SCMP_ACT_ALLOW",
647
-			"args": []
648
-		},
649
-		{
650
-			"name": "lstat64",
651
-			"action": "SCMP_ACT_ALLOW",
652
-			"args": []
653
-		},
654
-		{
655
-			"name": "madvise",
656
-			"action": "SCMP_ACT_ALLOW",
657
-			"args": []
658
-		},
659
-		{
660
-			"name": "memfd_create",
661
-			"action": "SCMP_ACT_ALLOW",
662
-			"args": []
663
-		},
664
-		{
665
-			"name": "mincore",
666
-			"action": "SCMP_ACT_ALLOW",
667
-			"args": []
668
-		},
669
-		{
670
-			"name": "mkdir",
671
-			"action": "SCMP_ACT_ALLOW",
672
-			"args": []
673
-		},
674
-		{
675
-			"name": "mkdirat",
676
-			"action": "SCMP_ACT_ALLOW",
677
-			"args": []
678
-		},
679
-		{
680
-			"name": "mknod",
681
-			"action": "SCMP_ACT_ALLOW",
682
-			"args": []
683
-		},
684
-		{
685
-			"name": "mknodat",
686
-			"action": "SCMP_ACT_ALLOW",
687
-			"args": []
688
-		},
689
-		{
690
-			"name": "mlock",
691
-			"action": "SCMP_ACT_ALLOW",
692
-			"args": []
693
-		},
694
-		{
695
-			"name": "mlock2",
696
-			"action": "SCMP_ACT_ALLOW",
697
-			"args": []
698
-		},
699
-		{
700
-			"name": "mlockall",
701
-			"action": "SCMP_ACT_ALLOW",
702
-			"args": []
703
-		},
704
-		{
705
-			"name": "mmap",
706
-			"action": "SCMP_ACT_ALLOW",
707
-			"args": []
708
-		},
709
-		{
710
-			"name": "mmap2",
711
-			"action": "SCMP_ACT_ALLOW",
712
-			"args": []
713
-		},
714
-		{
715
-			"name": "mprotect",
716
-			"action": "SCMP_ACT_ALLOW",
717
-			"args": []
718
-		},
719
-		{
720
-			"name": "mq_getsetattr",
721
-			"action": "SCMP_ACT_ALLOW",
722
-			"args": []
723
-		},
724
-		{
725
-			"name": "mq_notify",
726
-			"action": "SCMP_ACT_ALLOW",
727
-			"args": []
728
-		},
729
-		{
730
-			"name": "mq_open",
731
-			"action": "SCMP_ACT_ALLOW",
732
-			"args": []
733
-		},
734
-		{
735
-			"name": "mq_timedreceive",
736
-			"action": "SCMP_ACT_ALLOW",
737
-			"args": []
738
-		},
739
-		{
740
-			"name": "mq_timedsend",
741
-			"action": "SCMP_ACT_ALLOW",
742
-			"args": []
743
-		},
744
-		{
745
-			"name": "mq_unlink",
746
-			"action": "SCMP_ACT_ALLOW",
747
-			"args": []
748
-		},
749
-		{
750
-			"name": "mremap",
751
-			"action": "SCMP_ACT_ALLOW",
752
-			"args": []
753
-		},
754
-		{
755
-			"name": "msgctl",
756
-			"action": "SCMP_ACT_ALLOW",
757
-			"args": []
758
-		},
759
-		{
760
-			"name": "msgget",
761
-			"action": "SCMP_ACT_ALLOW",
762
-			"args": []
763
-		},
764
-		{
765
-			"name": "msgrcv",
766
-			"action": "SCMP_ACT_ALLOW",
767
-			"args": []
768
-		},
769
-		{
770
-			"name": "msgsnd",
771
-			"action": "SCMP_ACT_ALLOW",
772
-			"args": []
773
-		},
774
-		{
775
-			"name": "msync",
776
-			"action": "SCMP_ACT_ALLOW",
777
-			"args": []
778
-		},
779
-		{
780
-			"name": "munlock",
781
-			"action": "SCMP_ACT_ALLOW",
782
-			"args": []
783
-		},
3
+	"archMap": [
784 4
 		{
785
-			"name": "munlockall",
786
-			"action": "SCMP_ACT_ALLOW",
787
-			"args": []
788
-		},
789
-		{
790
-			"name": "munmap",
791
-			"action": "SCMP_ACT_ALLOW",
792
-			"args": []
5
+			"architecture": "SCMP_ARCH_X86_64",
6
+			"subArchitectures": [
7
+				"SCMP_ARCH_X86",
8
+				"SCMP_ARCH_X32"
9
+			]
793 10
 		},
794 11
 		{
795
-			"name": "nanosleep",
796
-			"action": "SCMP_ACT_ALLOW",
797
-			"args": []
12
+			"architecture": "SCMP_ARCH_AARCH64",
13
+			"subArchitectures": [
14
+				"SCMP_ARCH_ARM"
15
+			]
798 16
 		},
799 17
 		{
800
-			"name": "newfstatat",
801
-			"action": "SCMP_ACT_ALLOW",
802
-			"args": []
18
+			"architecture": "SCMP_ARCH_MIPS64",
19
+			"subArchitectures": [
20
+				"SCMP_ARCH_MIPS",
21
+				"SCMP_ARCH_MIPS64N32"
22
+			]
803 23
 		},
804 24
 		{
805
-			"name": "_newselect",
806
-			"action": "SCMP_ACT_ALLOW",
807
-			"args": []
25
+			"architecture": "SCMP_ARCH_MIPS64N32",
26
+			"subArchitectures": [
27
+				"SCMP_ARCH_MIPS",
28
+				"SCMP_ARCH_MIPS64"
29
+			]
808 30
 		},
809 31
 		{
810
-			"name": "open",
811
-			"action": "SCMP_ACT_ALLOW",
812
-			"args": []
32
+			"architecture": "SCMP_ARCH_MIPSEL64",
33
+			"subArchitectures": [
34
+				"SCMP_ARCH_MIPSEL",
35
+				"SCMP_ARCH_MIPSEL64N32"
36
+			]
813 37
 		},
814 38
 		{
815
-			"name": "openat",
816
-			"action": "SCMP_ACT_ALLOW",
817
-			"args": []
39
+			"architecture": "SCMP_ARCH_MIPSEL64N32",
40
+			"subArchitectures": [
41
+				"SCMP_ARCH_MIPSEL",
42
+				"SCMP_ARCH_MIPSEL64"
43
+			]
818 44
 		},
819 45
 		{
820
-			"name": "pause",
821
-			"action": "SCMP_ACT_ALLOW",
822
-			"args": []
823
-		},
46
+			"architecture": "SCMP_ARCH_S390X",
47
+			"subArchitectures": [
48
+				"SCMP_ARCH_S390"
49
+			]
50
+		}
51
+	],
52
+	"syscalls": [
824 53
 		{
825
-			"name": "personality",
54
+			"names": [
55
+				"accept",
56
+				"accept4",
57
+				"access",
58
+				"alarm",
59
+				"alarm",
60
+				"bind",
61
+				"brk",
62
+				"capget",
63
+				"capset",
64
+				"chdir",
65
+				"chmod",
66
+				"chown",
67
+				"chown32",
68
+				"clock_getres",
69
+				"clock_gettime",
70
+				"clock_nanosleep",
71
+				"close",
72
+				"connect",
73
+				"copy_file_range",
74
+				"creat",
75
+				"dup",
76
+				"dup2",
77
+				"dup3",
78
+				"epoll_create",
79
+				"epoll_create1",
80
+				"epoll_ctl",
81
+				"epoll_ctl_old",
82
+				"epoll_pwait",
83
+				"epoll_wait",
84
+				"epoll_wait_old",
85
+				"eventfd",
86
+				"eventfd2",
87
+				"execve",
88
+				"execveat",
89
+				"exit",
90
+				"exit_group",
91
+				"faccessat",
92
+				"fadvise64",
93
+				"fadvise64_64",
94
+				"fallocate",
95
+				"fanotify_mark",
96
+				"fchdir",
97
+				"fchmod",
98
+				"fchmodat",
99
+				"fchown",
100
+				"fchown32",
101
+				"fchownat",
102
+				"fcntl",
103
+				"fcntl64",
104
+				"fdatasync",
105
+				"fgetxattr",
106
+				"flistxattr",
107
+				"flock",
108
+				"fork",
109
+				"fremovexattr",
110
+				"fsetxattr",
111
+				"fstat",
112
+				"fstat64",
113
+				"fstatat64",
114
+				"fstatfs",
115
+				"fstatfs64",
116
+				"fsync",
117
+				"ftruncate",
118
+				"ftruncate64",
119
+				"futex",
120
+				"futimesat",
121
+				"getcpu",
122
+				"getcwd",
123
+				"getdents",
124
+				"getdents64",
125
+				"getegid",
126
+				"getegid32",
127
+				"geteuid",
128
+				"geteuid32",
129
+				"getgid",
130
+				"getgid32",
131
+				"getgroups",
132
+				"getgroups32",
133
+				"getitimer",
134
+				"getpeername",
135
+				"getpgid",
136
+				"getpgrp",
137
+				"getpid",
138
+				"getppid",
139
+				"getpriority",
140
+				"getrandom",
141
+				"getresgid",
142
+				"getresgid32",
143
+				"getresuid",
144
+				"getresuid32",
145
+				"getrlimit",
146
+				"get_robust_list",
147
+				"getrusage",
148
+				"getsid",
149
+				"getsockname",
150
+				"getsockopt",
151
+				"get_thread_area",
152
+				"gettid",
153
+				"gettimeofday",
154
+				"getuid",
155
+				"getuid32",
156
+				"getxattr",
157
+				"inotify_add_watch",
158
+				"inotify_init",
159
+				"inotify_init1",
160
+				"inotify_rm_watch",
161
+				"io_cancel",
162
+				"ioctl",
163
+				"io_destroy",
164
+				"io_getevents",
165
+				"ioprio_get",
166
+				"ioprio_set",
167
+				"io_setup",
168
+				"io_submit",
169
+				"ipc",
170
+				"kill",
171
+				"lchown",
172
+				"lchown32",
173
+				"lgetxattr",
174
+				"link",
175
+				"linkat",
176
+				"listen",
177
+				"listxattr",
178
+				"llistxattr",
179
+				"_llseek",
180
+				"lremovexattr",
181
+				"lseek",
182
+				"lsetxattr",
183
+				"lstat",
184
+				"lstat64",
185
+				"madvise",
186
+				"memfd_create",
187
+				"mincore",
188
+				"mkdir",
189
+				"mkdirat",
190
+				"mknod",
191
+				"mknodat",
192
+				"mlock",
193
+				"mlock2",
194
+				"mlockall",
195
+				"mmap",
196
+				"mmap2",
197
+				"mprotect",
198
+				"mq_getsetattr",
199
+				"mq_notify",
200
+				"mq_open",
201
+				"mq_timedreceive",
202
+				"mq_timedsend",
203
+				"mq_unlink",
204
+				"mremap",
205
+				"msgctl",
206
+				"msgget",
207
+				"msgrcv",
208
+				"msgsnd",
209
+				"msync",
210
+				"munlock",
211
+				"munlockall",
212
+				"munmap",
213
+				"nanosleep",
214
+				"newfstatat",
215
+				"_newselect",
216
+				"open",
217
+				"openat",
218
+				"pause",
219
+				"pipe",
220
+				"pipe2",
221
+				"poll",
222
+				"ppoll",
223
+				"prctl",
224
+				"pread64",
225
+				"preadv",
226
+				"prlimit64",
227
+				"pselect6",
228
+				"pwrite64",
229
+				"pwritev",
230
+				"read",
231
+				"readahead",
232
+				"readlink",
233
+				"readlinkat",
234
+				"readv",
235
+				"recv",
236
+				"recvfrom",
237
+				"recvmmsg",
238
+				"recvmsg",
239
+				"remap_file_pages",
240
+				"removexattr",
241
+				"rename",
242
+				"renameat",
243
+				"renameat2",
244
+				"restart_syscall",
245
+				"rmdir",
246
+				"rt_sigaction",
247
+				"rt_sigpending",
248
+				"rt_sigprocmask",
249
+				"rt_sigqueueinfo",
250
+				"rt_sigreturn",
251
+				"rt_sigsuspend",
252
+				"rt_sigtimedwait",
253
+				"rt_tgsigqueueinfo",
254
+				"sched_getaffinity",
255
+				"sched_getattr",
256
+				"sched_getparam",
257
+				"sched_get_priority_max",
258
+				"sched_get_priority_min",
259
+				"sched_getscheduler",
260
+				"sched_rr_get_interval",
261
+				"sched_setaffinity",
262
+				"sched_setattr",
263
+				"sched_setparam",
264
+				"sched_setscheduler",
265
+				"sched_yield",
266
+				"seccomp",
267
+				"select",
268
+				"semctl",
269
+				"semget",
270
+				"semop",
271
+				"semtimedop",
272
+				"send",
273
+				"sendfile",
274
+				"sendfile64",
275
+				"sendmmsg",
276
+				"sendmsg",
277
+				"sendto",
278
+				"setfsgid",
279
+				"setfsgid32",
280
+				"setfsuid",
281
+				"setfsuid32",
282
+				"setgid",
283
+				"setgid32",
284
+				"setgroups",
285
+				"setgroups32",
286
+				"setitimer",
287
+				"setpgid",
288
+				"setpriority",
289
+				"setregid",
290
+				"setregid32",
291
+				"setresgid",
292
+				"setresgid32",
293
+				"setresuid",
294
+				"setresuid32",
295
+				"setreuid",
296
+				"setreuid32",
297
+				"setrlimit",
298
+				"set_robust_list",
299
+				"setsid",
300
+				"setsockopt",
301
+				"set_thread_area",
302
+				"set_tid_address",
303
+				"setuid",
304
+				"setuid32",
305
+				"setxattr",
306
+				"shmat",
307
+				"shmctl",
308
+				"shmdt",
309
+				"shmget",
310
+				"shutdown",
311
+				"sigaltstack",
312
+				"signalfd",
313
+				"signalfd4",
314
+				"sigreturn",
315
+				"socket",
316
+				"socketcall",
317
+				"socketpair",
318
+				"splice",
319
+				"stat",
320
+				"stat64",
321
+				"statfs",
322
+				"statfs64",
323
+				"symlink",
324
+				"symlinkat",
325
+				"sync",
326
+				"sync_file_range",
327
+				"syncfs",
328
+				"sysinfo",
329
+				"syslog",
330
+				"tee",
331
+				"tgkill",
332
+				"time",
333
+				"timer_create",
334
+				"timer_delete",
335
+				"timerfd_create",
336
+				"timerfd_gettime",
337
+				"timerfd_settime",
338
+				"timer_getoverrun",
339
+				"timer_gettime",
340
+				"timer_settime",
341
+				"times",
342
+				"tkill",
343
+				"truncate",
344
+				"truncate64",
345
+				"ugetrlimit",
346
+				"umask",
347
+				"uname",
348
+				"unlink",
349
+				"unlinkat",
350
+				"utime",
351
+				"utimensat",
352
+				"utimes",
353
+				"vfork",
354
+				"vmsplice",
355
+				"wait4",
356
+				"waitid",
357
+				"waitpid",
358
+				"write",
359
+				"writev"
360
+			],
361
+			"action": "SCMP_ACT_ALLOW",
362
+			"args": [],
363
+			"comment": "",
364
+			"includes": {},
365
+			"excludes": {}
366
+		},
367
+		{
368
+			"names": [
369
+				"personality"
370
+			],
826 371
 			"action": "SCMP_ACT_ALLOW",
827 372
 			"args": [
828 373
 				{
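Review bot: The merged allowlist's `names` array carries "alarm" twice (new-side lines 58 and 59 of this hunk), harmless for an allow rule but a sign the list was generated mechanically and not deduplicated; the docs example in this commit reproduces the same duplicate. Drop one entry and use the new `comment` field instead of the empty string, e.g. `"comment": "base allowlist: syscalls permitted on every architecture without a capability condition"`, so a reader can tell which rules are unconditional. The `"comment": ""`, `"includes": {}` and `"excludes": {}` triplets repeated on every rule here and in the two personality hunks at -831/+376 and -843/+393 are noise if the loader treats absent fields as empty, which the new-format test in this commit (a profile with neither key) suggests; confirm that and drop them so only rules that actually carry conditions stand out.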
... ...
@@ -831,10 +376,15 @@
831 831
 					"valueTwo": 0,
832 832
 					"op": "SCMP_CMP_EQ"
833 833
 				}
834
-			]
834
+			],
835
+			"comment": "",
836
+			"includes": {},
837
+			"excludes": {}
835 838
 		},
836 839
 		{
837
-			"name": "personality",
840
+			"names": [
841
+				"personality"
842
+			],
838 843
 			"action": "SCMP_ACT_ALLOW",
839 844
 			"args": [
840 845
 				{
... ...
@@ -843,10 +393,15 @@
843 843
 					"valueTwo": 0,
844 844
 					"op": "SCMP_CMP_EQ"
845 845
 				}
846
-			]
846
+			],
847
+			"comment": "",
848
+			"includes": {},
849
+			"excludes": {}
847 850
 		},
848 851
 		{
849
-			"name": "personality",
852
+			"names": [
853
+				"personality"
854
+			],
850 855
 			"action": "SCMP_ACT_ALLOW",
851 856
 			"args": [
852 857
 				{
... ...
@@ -855,730 +410,120 @@
855 855
 					"valueTwo": 0,
856 856
 					"op": "SCMP_CMP_EQ"
857 857
 				}
858
-			]
859
-		},
860
-		{
861
-			"name": "pipe",
862
-			"action": "SCMP_ACT_ALLOW",
863
-			"args": []
864
-		},
865
-		{
866
-			"name": "pipe2",
867
-			"action": "SCMP_ACT_ALLOW",
868
-			"args": []
869
-		},
870
-		{
871
-			"name": "poll",
872
-			"action": "SCMP_ACT_ALLOW",
873
-			"args": []
874
-		},
875
-		{
876
-			"name": "ppoll",
877
-			"action": "SCMP_ACT_ALLOW",
878
-			"args": []
879
-		},
880
-		{
881
-			"name": "prctl",
882
-			"action": "SCMP_ACT_ALLOW",
883
-			"args": []
884
-		},
885
-		{
886
-			"name": "pread64",
887
-			"action": "SCMP_ACT_ALLOW",
888
-			"args": []
889
-		},
890
-		{
891
-			"name": "preadv",
892
-			"action": "SCMP_ACT_ALLOW",
893
-			"args": []
894
-		},
895
-		{
896
-			"name": "prlimit64",
897
-			"action": "SCMP_ACT_ALLOW",
898
-			"args": []
899
-		},
900
-		{
901
-			"name": "pselect6",
902
-			"action": "SCMP_ACT_ALLOW",
903
-			"args": []
904
-		},
905
-		{
906
-			"name": "pwrite64",
907
-			"action": "SCMP_ACT_ALLOW",
908
-			"args": []
909
-		},
910
-		{
911
-			"name": "pwritev",
912
-			"action": "SCMP_ACT_ALLOW",
913
-			"args": []
914
-		},
915
-		{
916
-			"name": "read",
917
-			"action": "SCMP_ACT_ALLOW",
918
-			"args": []
919
-		},
920
-		{
921
-			"name": "readahead",
922
-			"action": "SCMP_ACT_ALLOW",
923
-			"args": []
924
-		},
925
-		{
926
-			"name": "readlink",
927
-			"action": "SCMP_ACT_ALLOW",
928
-			"args": []
929
-		},
930
-		{
931
-			"name": "readlinkat",
932
-			"action": "SCMP_ACT_ALLOW",
933
-			"args": []
934
-		},
935
-		{
936
-			"name": "readv",
937
-			"action": "SCMP_ACT_ALLOW",
938
-			"args": []
939
-		},
940
-		{
941
-			"name": "recv",
942
-			"action": "SCMP_ACT_ALLOW",
943
-			"args": []
944
-		},
945
-		{
946
-			"name": "recvfrom",
947
-			"action": "SCMP_ACT_ALLOW",
948
-			"args": []
949
-		},
950
-		{
951
-			"name": "recvmmsg",
952
-			"action": "SCMP_ACT_ALLOW",
953
-			"args": []
954
-		},
955
-		{
956
-			"name": "recvmsg",
957
-			"action": "SCMP_ACT_ALLOW",
958
-			"args": []
959
-		},
960
-		{
961
-			"name": "remap_file_pages",
962
-			"action": "SCMP_ACT_ALLOW",
963
-			"args": []
964
-		},
965
-		{
966
-			"name": "removexattr",
967
-			"action": "SCMP_ACT_ALLOW",
968
-			"args": []
969
-		},
970
-		{
971
-			"name": "rename",
972
-			"action": "SCMP_ACT_ALLOW",
973
-			"args": []
974
-		},
975
-		{
976
-			"name": "renameat",
977
-			"action": "SCMP_ACT_ALLOW",
978
-			"args": []
979
-		},
980
-		{
981
-			"name": "renameat2",
982
-			"action": "SCMP_ACT_ALLOW",
983
-			"args": []
984
-		},
985
-		{
986
-			"name": "restart_syscall",
987
-			"action": "SCMP_ACT_ALLOW",
988
-			"args": []
989
-		},
990
-		{
991
-			"name": "rmdir",
992
-			"action": "SCMP_ACT_ALLOW",
993
-			"args": []
994
-		},
995
-		{
996
-			"name": "rt_sigaction",
997
-			"action": "SCMP_ACT_ALLOW",
998
-			"args": []
999
-		},
1000
-		{
1001
-			"name": "rt_sigpending",
1002
-			"action": "SCMP_ACT_ALLOW",
1003
-			"args": []
1004
-		},
1005
-		{
1006
-			"name": "rt_sigprocmask",
1007
-			"action": "SCMP_ACT_ALLOW",
1008
-			"args": []
1009
-		},
1010
-		{
1011
-			"name": "rt_sigqueueinfo",
1012
-			"action": "SCMP_ACT_ALLOW",
1013
-			"args": []
1014
-		},
1015
-		{
1016
-			"name": "rt_sigreturn",
1017
-			"action": "SCMP_ACT_ALLOW",
1018
-			"args": []
1019
-		},
1020
-		{
1021
-			"name": "rt_sigsuspend",
1022
-			"action": "SCMP_ACT_ALLOW",
1023
-			"args": []
1024
-		},
1025
-		{
1026
-			"name": "rt_sigtimedwait",
1027
-			"action": "SCMP_ACT_ALLOW",
1028
-			"args": []
1029
-		},
1030
-		{
1031
-			"name": "rt_tgsigqueueinfo",
1032
-			"action": "SCMP_ACT_ALLOW",
1033
-			"args": []
1034
-		},
1035
-		{
1036
-			"name": "sched_getaffinity",
1037
-			"action": "SCMP_ACT_ALLOW",
1038
-			"args": []
1039
-		},
1040
-		{
1041
-			"name": "sched_getattr",
1042
-			"action": "SCMP_ACT_ALLOW",
1043
-			"args": []
1044
-		},
1045
-		{
1046
-			"name": "sched_getparam",
1047
-			"action": "SCMP_ACT_ALLOW",
1048
-			"args": []
1049
-		},
1050
-		{
1051
-			"name": "sched_get_priority_max",
1052
-			"action": "SCMP_ACT_ALLOW",
1053
-			"args": []
1054
-		},
1055
-		{
1056
-			"name": "sched_get_priority_min",
1057
-			"action": "SCMP_ACT_ALLOW",
1058
-			"args": []
1059
-		},
1060
-		{
1061
-			"name": "sched_getscheduler",
1062
-			"action": "SCMP_ACT_ALLOW",
1063
-			"args": []
1064
-		},
1065
-		{
1066
-			"name": "sched_rr_get_interval",
1067
-			"action": "SCMP_ACT_ALLOW",
1068
-			"args": []
1069
-		},
1070
-		{
1071
-			"name": "sched_setaffinity",
1072
-			"action": "SCMP_ACT_ALLOW",
1073
-			"args": []
1074
-		},
1075
-		{
1076
-			"name": "sched_setattr",
1077
-			"action": "SCMP_ACT_ALLOW",
1078
-			"args": []
1079
-		},
1080
-		{
1081
-			"name": "sched_setparam",
1082
-			"action": "SCMP_ACT_ALLOW",
1083
-			"args": []
1084
-		},
1085
-		{
1086
-			"name": "sched_setscheduler",
1087
-			"action": "SCMP_ACT_ALLOW",
1088
-			"args": []
1089
-		},
1090
-		{
1091
-			"name": "sched_yield",
1092
-			"action": "SCMP_ACT_ALLOW",
1093
-			"args": []
1094
-		},
1095
-		{
1096
-			"name": "seccomp",
1097
-			"action": "SCMP_ACT_ALLOW",
1098
-			"args": []
1099
-		},
1100
-		{
1101
-			"name": "select",
1102
-			"action": "SCMP_ACT_ALLOW",
1103
-			"args": []
1104
-		},
1105
-		{
1106
-			"name": "semctl",
1107
-			"action": "SCMP_ACT_ALLOW",
1108
-			"args": []
1109
-		},
1110
-		{
1111
-			"name": "semget",
1112
-			"action": "SCMP_ACT_ALLOW",
1113
-			"args": []
1114
-		},
1115
-		{
1116
-			"name": "semop",
1117
-			"action": "SCMP_ACT_ALLOW",
1118
-			"args": []
1119
-		},
1120
-		{
1121
-			"name": "semtimedop",
1122
-			"action": "SCMP_ACT_ALLOW",
1123
-			"args": []
1124
-		},
1125
-		{
1126
-			"name": "send",
1127
-			"action": "SCMP_ACT_ALLOW",
1128
-			"args": []
1129
-		},
1130
-		{
1131
-			"name": "sendfile",
1132
-			"action": "SCMP_ACT_ALLOW",
1133
-			"args": []
1134
-		},
1135
-		{
1136
-			"name": "sendfile64",
1137
-			"action": "SCMP_ACT_ALLOW",
1138
-			"args": []
1139
-		},
1140
-		{
1141
-			"name": "sendmmsg",
1142
-			"action": "SCMP_ACT_ALLOW",
1143
-			"args": []
1144
-		},
1145
-		{
1146
-			"name": "sendmsg",
1147
-			"action": "SCMP_ACT_ALLOW",
1148
-			"args": []
1149
-		},
1150
-		{
1151
-			"name": "sendto",
1152
-			"action": "SCMP_ACT_ALLOW",
1153
-			"args": []
1154
-		},
1155
-		{
1156
-			"name": "setfsgid",
1157
-			"action": "SCMP_ACT_ALLOW",
1158
-			"args": []
1159
-		},
1160
-		{
1161
-			"name": "setfsgid32",
1162
-			"action": "SCMP_ACT_ALLOW",
1163
-			"args": []
1164
-		},
1165
-		{
1166
-			"name": "setfsuid",
1167
-			"action": "SCMP_ACT_ALLOW",
1168
-			"args": []
1169
-		},
1170
-		{
1171
-			"name": "setfsuid32",
1172
-			"action": "SCMP_ACT_ALLOW",
1173
-			"args": []
1174
-		},
1175
-		{
1176
-			"name": "setgid",
1177
-			"action": "SCMP_ACT_ALLOW",
1178
-			"args": []
1179
-		},
1180
-		{
1181
-			"name": "setgid32",
1182
-			"action": "SCMP_ACT_ALLOW",
1183
-			"args": []
1184
-		},
1185
-		{
1186
-			"name": "setgroups",
1187
-			"action": "SCMP_ACT_ALLOW",
1188
-			"args": []
1189
-		},
1190
-		{
1191
-			"name": "setgroups32",
1192
-			"action": "SCMP_ACT_ALLOW",
1193
-			"args": []
1194
-		},
1195
-		{
1196
-			"name": "setitimer",
1197
-			"action": "SCMP_ACT_ALLOW",
1198
-			"args": []
1199
-		},
1200
-		{
1201
-			"name": "setpgid",
1202
-			"action": "SCMP_ACT_ALLOW",
1203
-			"args": []
1204
-		},
1205
-		{
1206
-			"name": "setpriority",
1207
-			"action": "SCMP_ACT_ALLOW",
1208
-			"args": []
1209
-		},
1210
-		{
1211
-			"name": "setregid",
1212
-			"action": "SCMP_ACT_ALLOW",
1213
-			"args": []
1214
-		},
1215
-		{
1216
-			"name": "setregid32",
1217
-			"action": "SCMP_ACT_ALLOW",
1218
-			"args": []
1219
-		},
1220
-		{
1221
-			"name": "setresgid",
1222
-			"action": "SCMP_ACT_ALLOW",
1223
-			"args": []
1224
-		},
1225
-		{
1226
-			"name": "setresgid32",
1227
-			"action": "SCMP_ACT_ALLOW",
1228
-			"args": []
1229
-		},
1230
-		{
1231
-			"name": "setresuid",
1232
-			"action": "SCMP_ACT_ALLOW",
1233
-			"args": []
1234
-		},
1235
-		{
1236
-			"name": "setresuid32",
1237
-			"action": "SCMP_ACT_ALLOW",
1238
-			"args": []
1239
-		},
1240
-		{
1241
-			"name": "setreuid",
1242
-			"action": "SCMP_ACT_ALLOW",
1243
-			"args": []
1244
-		},
1245
-		{
1246
-			"name": "setreuid32",
1247
-			"action": "SCMP_ACT_ALLOW",
1248
-			"args": []
1249
-		},
1250
-		{
1251
-			"name": "setrlimit",
1252
-			"action": "SCMP_ACT_ALLOW",
1253
-			"args": []
1254
-		},
1255
-		{
1256
-			"name": "set_robust_list",
1257
-			"action": "SCMP_ACT_ALLOW",
1258
-			"args": []
1259
-		},
1260
-		{
1261
-			"name": "setsid",
1262
-			"action": "SCMP_ACT_ALLOW",
1263
-			"args": []
1264
-		},
1265
-		{
1266
-			"name": "setsockopt",
1267
-			"action": "SCMP_ACT_ALLOW",
1268
-			"args": []
1269
-		},
1270
-		{
1271
-			"name": "set_thread_area",
1272
-			"action": "SCMP_ACT_ALLOW",
1273
-			"args": []
1274
-		},
1275
-		{
1276
-			"name": "set_tid_address",
1277
-			"action": "SCMP_ACT_ALLOW",
1278
-			"args": []
1279
-		},
1280
-		{
1281
-			"name": "setuid",
1282
-			"action": "SCMP_ACT_ALLOW",
1283
-			"args": []
1284
-		},
1285
-		{
1286
-			"name": "setuid32",
1287
-			"action": "SCMP_ACT_ALLOW",
1288
-			"args": []
1289
-		},
1290
-		{
1291
-			"name": "setxattr",
1292
-			"action": "SCMP_ACT_ALLOW",
1293
-			"args": []
1294
-		},
1295
-		{
1296
-			"name": "shmat",
1297
-			"action": "SCMP_ACT_ALLOW",
1298
-			"args": []
1299
-		},
1300
-		{
1301
-			"name": "shmctl",
1302
-			"action": "SCMP_ACT_ALLOW",
1303
-			"args": []
1304
-		},
1305
-		{
1306
-			"name": "shmdt",
1307
-			"action": "SCMP_ACT_ALLOW",
1308
-			"args": []
1309
-		},
1310
-		{
1311
-			"name": "shmget",
1312
-			"action": "SCMP_ACT_ALLOW",
1313
-			"args": []
1314
-		},
1315
-		{
1316
-			"name": "shutdown",
1317
-			"action": "SCMP_ACT_ALLOW",
1318
-			"args": []
1319
-		},
1320
-		{
1321
-			"name": "sigaltstack",
1322
-			"action": "SCMP_ACT_ALLOW",
1323
-			"args": []
1324
-		},
1325
-		{
1326
-			"name": "signalfd",
1327
-			"action": "SCMP_ACT_ALLOW",
1328
-			"args": []
1329
-		},
1330
-		{
1331
-			"name": "signalfd4",
1332
-			"action": "SCMP_ACT_ALLOW",
1333
-			"args": []
1334
-		},
1335
-		{
1336
-			"name": "sigreturn",
1337
-			"action": "SCMP_ACT_ALLOW",
1338
-			"args": []
1339
-		},
1340
-		{
1341
-			"name": "socket",
1342
-			"action": "SCMP_ACT_ALLOW",
1343
-			"args": []
1344
-		},
1345
-		{
1346
-			"name": "socketcall",
1347
-			"action": "SCMP_ACT_ALLOW",
1348
-			"args": []
1349
-		},
1350
-		{
1351
-			"name": "socketpair",
1352
-			"action": "SCMP_ACT_ALLOW",
1353
-			"args": []
1354
-		},
1355
-		{
1356
-			"name": "splice",
1357
-			"action": "SCMP_ACT_ALLOW",
1358
-			"args": []
1359
-		},
1360
-		{
1361
-			"name": "stat",
1362
-			"action": "SCMP_ACT_ALLOW",
1363
-			"args": []
1364
-		},
1365
-		{
1366
-			"name": "stat64",
1367
-			"action": "SCMP_ACT_ALLOW",
1368
-			"args": []
1369
-		},
1370
-		{
1371
-			"name": "statfs",
1372
-			"action": "SCMP_ACT_ALLOW",
1373
-			"args": []
1374
-		},
1375
-		{
1376
-			"name": "statfs64",
1377
-			"action": "SCMP_ACT_ALLOW",
1378
-			"args": []
1379
-		},
1380
-		{
1381
-			"name": "symlink",
1382
-			"action": "SCMP_ACT_ALLOW",
1383
-			"args": []
1384
-		},
1385
-		{
1386
-			"name": "symlinkat",
1387
-			"action": "SCMP_ACT_ALLOW",
1388
-			"args": []
1389
-		},
1390
-		{
1391
-			"name": "sync",
1392
-			"action": "SCMP_ACT_ALLOW",
1393
-			"args": []
1394
-		},
1395
-		{
1396
-			"name": "sync_file_range",
1397
-			"action": "SCMP_ACT_ALLOW",
1398
-			"args": []
1399
-		},
1400
-		{
1401
-			"name": "syncfs",
1402
-			"action": "SCMP_ACT_ALLOW",
1403
-			"args": []
1404
-		},
1405
-		{
1406
-			"name": "sysinfo",
1407
-			"action": "SCMP_ACT_ALLOW",
1408
-			"args": []
1409
-		},
1410
-		{
1411
-			"name": "syslog",
1412
-			"action": "SCMP_ACT_ALLOW",
1413
-			"args": []
1414
-		},
1415
-		{
1416
-			"name": "tee",
1417
-			"action": "SCMP_ACT_ALLOW",
1418
-			"args": []
1419
-		},
1420
-		{
1421
-			"name": "tgkill",
1422
-			"action": "SCMP_ACT_ALLOW",
1423
-			"args": []
1424
-		},
1425
-		{
1426
-			"name": "time",
1427
-			"action": "SCMP_ACT_ALLOW",
1428
-			"args": []
1429
-		},
1430
-		{
1431
-			"name": "timer_create",
1432
-			"action": "SCMP_ACT_ALLOW",
1433
-			"args": []
1434
-		},
1435
-		{
1436
-			"name": "timer_delete",
1437
-			"action": "SCMP_ACT_ALLOW",
1438
-			"args": []
1439
-		},
1440
-		{
1441
-			"name": "timerfd_create",
1442
-			"action": "SCMP_ACT_ALLOW",
1443
-			"args": []
1444
-		},
1445
-		{
1446
-			"name": "timerfd_gettime",
1447
-			"action": "SCMP_ACT_ALLOW",
1448
-			"args": []
1449
-		},
1450
-		{
1451
-			"name": "timerfd_settime",
1452
-			"action": "SCMP_ACT_ALLOW",
1453
-			"args": []
1454
-		},
1455
-		{
1456
-			"name": "timer_getoverrun",
1457
-			"action": "SCMP_ACT_ALLOW",
1458
-			"args": []
1459
-		},
1460
-		{
1461
-			"name": "timer_gettime",
1462
-			"action": "SCMP_ACT_ALLOW",
1463
-			"args": []
1464
-		},
1465
-		{
1466
-			"name": "timer_settime",
1467
-			"action": "SCMP_ACT_ALLOW",
1468
-			"args": []
1469
-		},
1470
-		{
1471
-			"name": "times",
1472
-			"action": "SCMP_ACT_ALLOW",
1473
-			"args": []
1474
-		},
1475
-		{
1476
-			"name": "tkill",
1477
-			"action": "SCMP_ACT_ALLOW",
1478
-			"args": []
1479
-		},
1480
-		{
1481
-			"name": "truncate",
1482
-			"action": "SCMP_ACT_ALLOW",
1483
-			"args": []
1484
-		},
1485
-		{
1486
-			"name": "truncate64",
1487
-			"action": "SCMP_ACT_ALLOW",
1488
-			"args": []
1489
-		},
1490
-		{
1491
-			"name": "ugetrlimit",
1492
-			"action": "SCMP_ACT_ALLOW",
1493
-			"args": []
1494
-		},
1495
-		{
1496
-			"name": "umask",
1497
-			"action": "SCMP_ACT_ALLOW",
1498
-			"args": []
1499
-		},
1500
-		{
1501
-			"name": "uname",
1502
-			"action": "SCMP_ACT_ALLOW",
1503
-			"args": []
1504
-		},
1505
-		{
1506
-			"name": "unlink",
1507
-			"action": "SCMP_ACT_ALLOW",
1508
-			"args": []
1509
-		},
1510
-		{
1511
-			"name": "unlinkat",
1512
-			"action": "SCMP_ACT_ALLOW",
1513
-			"args": []
1514
-		},
1515
-		{
1516
-			"name": "utime",
1517
-			"action": "SCMP_ACT_ALLOW",
1518
-			"args": []
1519
-		},
1520
-		{
1521
-			"name": "utimensat",
1522
-			"action": "SCMP_ACT_ALLOW",
1523
-			"args": []
1524
-		},
1525
-		{
1526
-			"name": "utimes",
1527
-			"action": "SCMP_ACT_ALLOW",
1528
-			"args": []
1529
-		},
1530
-		{
1531
-			"name": "vfork",
1532
-			"action": "SCMP_ACT_ALLOW",
1533
-			"args": []
1534
-		},
1535
-		{
1536
-			"name": "vmsplice",
1537
-			"action": "SCMP_ACT_ALLOW",
1538
-			"args": []
1539
-		},
1540
-		{
1541
-			"name": "wait4",
1542
-			"action": "SCMP_ACT_ALLOW",
1543
-			"args": []
1544
-		},
1545
-		{
1546
-			"name": "waitid",
1547
-			"action": "SCMP_ACT_ALLOW",
1548
-			"args": []
1549
-		},
1550
-		{
1551
-			"name": "waitpid",
1552
-			"action": "SCMP_ACT_ALLOW",
1553
-			"args": []
1554
-		},
1555
-		{
1556
-			"name": "write",
1557
-			"action": "SCMP_ACT_ALLOW",
1558
-			"args": []
1559
-		},
1560
-		{
1561
-			"name": "writev",
1562
-			"action": "SCMP_ACT_ALLOW",
1563
-			"args": []
1564
-		},
1565
-		{
1566
-			"name": "arch_prctl",
1567
-			"action": "SCMP_ACT_ALLOW",
1568
-			"args": []
1569
-		},
1570
-		{
1571
-			"name": "modify_ldt",
1572
-			"action": "SCMP_ACT_ALLOW",
1573
-			"args": []
1574
-		},
1575
-		{
1576
-			"name": "chroot",
1577
-			"action": "SCMP_ACT_ALLOW",
1578
-			"args": []
1579
-		},
1580
-		{
1581
-			"name": "clone",
858
+			],
859
+			"comment": "",
860
+			"includes": {},
861
+			"excludes": {}
862
+		},
863
+		{
864
+			"names": [
865
+				"breakpoint",
866
+				"cacheflush",
867
+				"set_tls"
868
+			],
869
+			"action": "SCMP_ACT_ALLOW",
870
+			"args": [],
871
+			"comment": "",
872
+			"includes": {
873
+				"arches": [
874
+					"arm",
875
+					"arm64"
876
+				]
877
+			},
878
+			"excludes": {}
879
+		},
880
+		{
881
+			"names": [
882
+				"arch_prctl"
883
+			],
884
+			"action": "SCMP_ACT_ALLOW",
885
+			"args": [],
886
+			"comment": "",
887
+			"includes": {
888
+				"arches": [
889
+					"amd64",
890
+					"x32"
891
+				]
892
+			},
893
+			"excludes": {}
894
+		},
895
+		{
896
+			"names": [
897
+				"modify_ldt"
898
+			],
899
+			"action": "SCMP_ACT_ALLOW",
900
+			"args": [],
901
+			"comment": "",
902
+			"includes": {
903
+				"arches": [
904
+					"amd64",
905
+					"x32",
906
+					"x86"
907
+				]
908
+			},
909
+			"excludes": {}
910
+		},
911
+		{
912
+			"names": [
913
+				"s390_pci_mmio_read",
914
+				"s390_pci_mmio_write",
915
+				"s390_runtime_instr"
916
+			],
917
+			"action": "SCMP_ACT_ALLOW",
918
+			"args": [],
919
+			"comment": "",
920
+			"includes": {
921
+				"arches": [
922
+					"s390",
923
+					"s390x"
924
+				]
925
+			},
926
+			"excludes": {}
927
+		},
928
+		{
929
+			"names": [
930
+				"open_by_handle_at"
931
+			],
932
+			"action": "SCMP_ACT_ALLOW",
933
+			"args": [],
934
+			"comment": "",
935
+			"includes": {
936
+				"caps": [
937
+					"CAP_DAC_READ_SEARCH"
938
+				]
939
+			},
940
+			"excludes": {}
941
+		},
942
+		{
943
+			"names": [
944
+				"bpf",
945
+				"clone",
946
+				"fanotify_init",
947
+				"lookup_dcookie",
948
+				"mount",
949
+				"name_to_handle_at",
950
+				"perf_event_open",
951
+				"setdomainname",
952
+				"sethostname",
953
+				"setns",
954
+				"umount",
955
+				"umount2",
956
+				"unshare"
957
+			],
958
+			"action": "SCMP_ACT_ALLOW",
959
+			"args": [],
960
+			"comment": "",
961
+			"includes": {
962
+				"caps": [
963
+					"CAP_SYS_ADMIN"
964
+				]
965
+			},
966
+			"excludes": {}
967
+		},
968
+		{
969
+			"names": [
970
+				"clone"
971
+			],
1582 972
 			"action": "SCMP_ACT_ALLOW",
1583 973
 			"args": [
1584 974
 				{
... ...
@@ -1587,7 +532,165 @@
1587 1587
 					"valueTwo": 0,
1588 1588
 					"op": "SCMP_CMP_MASKED_EQ"
1589 1589
 				}
1590
-			]
1590
+			],
1591
+			"comment": "",
1592
+			"includes": {},
1593
+			"excludes": {
1594
+				"caps": [
1595
+					"CAP_SYS_ADMIN"
1596
+				],
1597
+				"arches": [
1598
+					"s390",
1599
+					"s390x"
1600
+				]
1601
+			}
1602
+		},
1603
+		{
1604
+			"names": [
1605
+				"clone"
1606
+			],
1607
+			"action": "SCMP_ACT_ALLOW",
1608
+			"args": [
1609
+				{
1610
+					"index": 1,
1611
+					"value": 2080505856,
1612
+					"valueTwo": 0,
1613
+					"op": "SCMP_CMP_MASKED_EQ"
1614
+				}
1615
+			],
1616
+			"comment": "s390 parameter ordering for clone is different",
1617
+			"includes": {
1618
+				"arches": [
1619
+					"s390",
1620
+					"s390x"
1621
+				]
1622
+			},
1623
+			"excludes": {
1624
+				"caps": [
1625
+					"CAP_SYS_ADMIN"
1626
+				]
1627
+			}
1628
+		},
1629
+		{
1630
+			"names": [
1631
+				"reboot"
1632
+			],
1633
+			"action": "SCMP_ACT_ALLOW",
1634
+			"args": [],
1635
+			"comment": "",
1636
+			"includes": {
1637
+				"caps": [
1638
+					"CAP_SYS_BOOT"
1639
+				]
1640
+			},
1641
+			"excludes": {}
1642
+		},
1643
+		{
1644
+			"names": [
1645
+				"chroot"
1646
+			],
1647
+			"action": "SCMP_ACT_ALLOW",
1648
+			"args": [],
1649
+			"comment": "",
1650
+			"includes": {
1651
+				"caps": [
1652
+					"CAP_SYS_CHROOT"
1653
+				]
1654
+			},
1655
+			"excludes": {}
1656
+		},
1657
+		{
1658
+			"names": [
1659
+				"delete_module",
1660
+				"init_module",
1661
+				"finit_module",
1662
+				"query_module"
1663
+			],
1664
+			"action": "SCMP_ACT_ALLOW",
1665
+			"args": [],
1666
+			"comment": "",
1667
+			"includes": {
1668
+				"caps": [
1669
+					"CAP_SYS_MODULE"
1670
+				]
1671
+			},
1672
+			"excludes": {}
1673
+		},
1674
+		{
1675
+			"names": [
1676
+				"acct"
1677
+			],
1678
+			"action": "SCMP_ACT_ALLOW",
1679
+			"args": [],
1680
+			"comment": "",
1681
+			"includes": {
1682
+				"caps": [
1683
+					"CAP_SYS_PACCT"
1684
+				]
1685
+			},
1686
+			"excludes": {}
1687
+		},
1688
+		{
1689
+			"names": [
1690
+				"kcmp",
1691
+				"process_vm_readv",
1692
+				"process_vm_writev",
1693
+				"ptrace"
1694
+			],
1695
+			"action": "SCMP_ACT_ALLOW",
1696
+			"args": [],
1697
+			"comment": "",
1698
+			"includes": {
1699
+				"caps": [
1700
+					"CAP_SYS_PTRACE"
1701
+				]
1702
+			},
1703
+			"excludes": {}
1704
+		},
1705
+		{
1706
+			"names": [
1707
+				"iopl",
1708
+				"ioperm"
1709
+			],
1710
+			"action": "SCMP_ACT_ALLOW",
1711
+			"args": [],
1712
+			"comment": "",
1713
+			"includes": {
1714
+				"caps": [
1715
+					"CAP_SYS_RAWIO"
1716
+				]
1717
+			},
1718
+			"excludes": {}
1719
+		},
1720
+		{
1721
+			"names": [
1722
+				"settimeofday",
1723
+				"stime",
1724
+				"adjtimex"
1725
+			],
1726
+			"action": "SCMP_ACT_ALLOW",
1727
+			"args": [],
1728
+			"comment": "",
1729
+			"includes": {
1730
+				"caps": [
1731
+					"CAP_SYS_TIME"
1732
+				]
1733
+			},
1734
+			"excludes": {}
1735
+		},
1736
+		{
1737
+			"names": [
1738
+				"vhangup"
1739
+			],
1740
+			"action": "SCMP_ACT_ALLOW",
1741
+			"args": [],
1742
+			"comment": "",
1743
+			"includes": {
1744
+				"caps": [
1745
+					"CAP_SYS_TTY_CONFIG"
1746
+				]
1747
+			},
1748
+			"excludes": {}
1591 1749
 		}
1592 1750
 	]
1593 1751
 }
1594 1752
\ No newline at end of file
... ...
@@ -8,7 +8,6 @@ import (
8 8
 	"os"
9 9
 	"path/filepath"
10 10
 
11
-	"github.com/docker/docker/oci"
12 11
 	"github.com/docker/docker/profiles/seccomp"
13 12
 )
14 13
 
... ...
@@ -21,10 +20,8 @@ func main() {
21 21
 	}
22 22
 	f := filepath.Join(wd, "default.json")
23 23
 
24
-	rs := oci.DefaultSpec()
25
-
26 24
 	// write the default profile to the file
27
-	b, err := json.MarshalIndent(seccomp.DefaultProfile(&rs), "", "\t")
25
+	b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
28 26
 	if err != nil {
29 27
 		panic(err)
30 28
 	}
... ...
@@ -4,30 +4,42 @@ package seccomp
4 4
 
5 5
 import (
6 6
 	"encoding/json"
7
+	"errors"
7 8
 	"fmt"
8 9
 
10
+	"github.com/docker/docker/pkg/stringutils"
9 11
 	"github.com/docker/engine-api/types"
10 12
 	"github.com/opencontainers/runtime-spec/specs-go"
13
+	libseccomp "github.com/seccomp/libseccomp-golang"
11 14
 )
12 15
 
13 16
 //go:generate go run -tags 'seccomp' generate.go
14 17
 
15 18
 // GetDefaultProfile returns the default seccomp profile.
16 19
 func GetDefaultProfile(rs *specs.Spec) (*specs.Seccomp, error) {
17
-	return setupSeccomp(DefaultProfile(rs))
20
+	return setupSeccomp(DefaultProfile(), rs)
18 21
 }
19 22
 
20 23
 // LoadProfile takes a file path and decodes the seccomp profile.
21
-func LoadProfile(body string) (*specs.Seccomp, error) {
24
+func LoadProfile(body string, rs *specs.Spec) (*specs.Seccomp, error) {
22 25
 	var config types.Seccomp
23 26
 	if err := json.Unmarshal([]byte(body), &config); err != nil {
24 27
 		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
25 28
 	}
29
+	return setupSeccomp(&config, rs)
30
+}
26 31
 
27
-	return setupSeccomp(&config)
32
+var nativeToSeccomp = map[string]types.Arch{
33
+	"amd64":       types.ArchX86_64,
34
+	"arm64":       types.ArchAARCH64,
35
+	"mips64":      types.ArchMIPS64,
36
+	"mips64n32":   types.ArchMIPS64N32,
37
+	"mipsel64":    types.ArchMIPSEL64,
38
+	"mipsel64n32": types.ArchMIPSEL64N32,
39
+	"s390x":       types.ArchS390X,
28 40
 }
29 41
 
30
-func setupSeccomp(config *types.Seccomp) (newConfig *specs.Seccomp, err error) {
42
+func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.Seccomp, error) {
31 43
 	if config == nil {
32 44
 		return nil, nil
33 45
 	}
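Review bot: LoadProfile's doc comment (`// LoadProfile takes a file path and decodes the seccomp profile.`) is left as is although the signature now takes `rs *specs.Spec`, which setupSeccomp reads as `rs.Process.Capabilities` to decide which rules survive; suggest `// LoadProfile decodes a seccomp profile from its JSON body and filters its rules against rs (the container's capabilities and the native architecture); rs must not be nil.` GetDefaultProfile's comment deserves the same sentence about `rs`. The new `nativeToSeccomp` map has no comment either; suggest `// nativeToSeccomp maps the native arch name reported by libseccomp (native.String()) to the profile arch whose archMap entry is selected; a native arch missing here matches no entry and leaves Architectures empty.` Since that same native-arch string is also what the `arches` lists in a rule's includes/excludes are matched against, the comment is where a profile author learns which spelling to use.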
... ...
@@ -37,38 +49,102 @@ func setupSeccomp(config *types.Seccomp) (newConfig *specs.Seccomp, err error) {
37 37
 		return nil, nil
38 38
 	}
39 39
 
40
-	newConfig = &specs.Seccomp{}
40
+	newConfig := &specs.Seccomp{}
41
+
42
+	var arch string
43
+	var native, err = libseccomp.GetNativeArch()
44
+	if err == nil {
45
+		arch = native.String()
46
+	}
47
+
48
+	if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
49
+		return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
50
+	}
41 51
 
42 52
 	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
43
-	if len(config.Architectures) > 0 {
44
-		for _, arch := range config.Architectures {
45
-			newConfig.Architectures = append(newConfig.Architectures, specs.Arch(arch))
53
+	if len(config.Architectures) != 0 {
54
+		for _, a := range config.Architectures {
55
+			newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
56
+		}
57
+	}
58
+
59
+	if len(config.ArchMap) != 0 {
60
+		for _, a := range config.ArchMap {
61
+			seccompArch, ok := nativeToSeccomp[arch]
62
+			if ok {
63
+				if a.Arch == seccompArch {
64
+					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
65
+					for _, sa := range a.SubArches {
66
+						newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
67
+					}
68
+					break
69
+				}
70
+			}
46 71
 		}
47 72
 	}
48 73
 
49 74
 	newConfig.DefaultAction = specs.Action(config.DefaultAction)
50 75
 
51
-	// Loop through all syscall blocks and convert them to libcontainer format
76
+Loop:
77
+	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
52 78
 	for _, call := range config.Syscalls {
53
-		newCall := specs.Syscall{
54
-			Name:   call.Name,
55
-			Action: specs.Action(call.Action),
79
+		if len(call.Excludes.Arches) > 0 {
80
+			if stringutils.InSlice(call.Excludes.Arches, arch) {
81
+				continue Loop
82
+			}
56 83
 		}
57
-
58
-		// Loop through all the arguments of the syscall and convert them
59
-		for _, arg := range call.Args {
60
-			newArg := specs.Arg{
61
-				Index:    arg.Index,
62
-				Value:    arg.Value,
63
-				ValueTwo: arg.ValueTwo,
64
-				Op:       specs.Operator(arg.Op),
84
+		if len(call.Excludes.Caps) > 0 {
85
+			for _, c := range call.Excludes.Caps {
86
+				if stringutils.InSlice(rs.Process.Capabilities, c) {
87
+					continue Loop
88
+				}
89
+			}
90
+		}
91
+		if len(call.Includes.Arches) > 0 {
92
+			if !stringutils.InSlice(call.Includes.Arches, arch) {
93
+				continue Loop
65 94
 			}
95
+		}
96
+		if len(call.Includes.Caps) > 0 {
97
+			for _, c := range call.Includes.Caps {
98
+				if !stringutils.InSlice(rs.Process.Capabilities, c) {
99
+					continue Loop
100
+				}
101
+			}
102
+		}
66 103
 
67
-			newCall.Args = append(newCall.Args, newArg)
104
+		if call.Name != "" && len(call.Names) != 0 {
105
+			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
68 106
 		}
69 107
 
70
-		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
108
+		if call.Name != "" {
109
+			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
110
+		}
111
+
112
+		for _, n := range call.Names {
113
+			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
114
+		}
71 115
 	}
72 116
 
73 117
 	return newConfig, nil
74 118
 }
119
+
120
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.Syscall {
121
+	newCall := specs.Syscall{
122
+		Name:   name,
123
+		Action: specs.Action(action),
124
+	}
125
+
126
+	// Loop through all the arguments of the syscall and convert them
127
+	for _, arg := range args {
128
+		newArg := specs.Arg{
129
+			Index:    arg.Index,
130
+			Value:    arg.Value,
131
+			ValueTwo: arg.ValueTwo,
132
+			Op:       specs.Operator(arg.Op),
133
+		}
134
+
135
+		newCall.Args = append(newCall.Args, newArg)
136
+	}
137
+	return newCall
138
+}
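Review bot: The `'name' and 'names'` conflict check (`if call.Name != "" && len(call.Names) != 0`) sits below the arch and capability filters, so a malformed rule is rejected on one host but silently dropped by `continue Loop` on another; move it to the top of the loop body so profile validation does not depend on the host architecture or the container's capabilities. The `nativeToSeccomp[arch]` lookup inside the ArchMap loop is loop-invariant and belongs above that `for`. A failed `libseccomp.GetNativeArch()` is discarded and leaves `arch` empty, which skips every rule carrying `includes.arches` regardless of its action and keeps every `excludes.arches` rule; that deserves a comment next to the `if err == nil` block, e.g. `// arch stays "" when the native arch is unknown; arch-gated rules are then dropped, whatever their action`. `rs.Process.Capabilities` is also dereferenced without any nil check on `rs`, so a caller of the exported LoadProfile that ever passes nil panics instead of getting an error. setupSeccomp begins in the previous hunk.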
... ...
@@ -6,858 +6,357 @@ import (
6 6
 	"syscall"
7 7
 
8 8
 	"github.com/docker/engine-api/types"
9
-	"github.com/opencontainers/runtime-spec/specs-go"
10
-	libseccomp "github.com/seccomp/libseccomp-golang"
11 9
 )
12 10
 
13
-func arches() []types.Arch {
14
-	var native, err = libseccomp.GetNativeArch()
15
-	if err != nil {
16
-		return []types.Arch{}
17
-	}
18
-	var a = native.String()
19
-	switch a {
20
-	case "amd64":
21
-		return []types.Arch{types.ArchX86_64, types.ArchX86, types.ArchX32}
22
-	case "arm64":
23
-		return []types.Arch{types.ArchARM, types.ArchAARCH64}
24
-	case "mips64":
25
-		return []types.Arch{types.ArchMIPS, types.ArchMIPS64, types.ArchMIPS64N32}
26
-	case "mips64n32":
27
-		return []types.Arch{types.ArchMIPS, types.ArchMIPS64, types.ArchMIPS64N32}
28
-	case "mipsel64":
29
-		return []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64, types.ArchMIPSEL64N32}
30
-	case "mipsel64n32":
31
-		return []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64, types.ArchMIPSEL64N32}
32
-	case "s390x":
33
-		return []types.Arch{types.ArchS390, types.ArchS390X}
34
-	default:
35
-		return []types.Arch{}
36
-	}
37
-}
38
-
39
-// DefaultProfile defines the whitelist for the default seccomp profile.
40
-func DefaultProfile(rs *specs.Spec) *types.Seccomp {
41
-
42
-	syscalls := []*types.Syscall{
43
-		{
44
-			Name:   "accept",
45
-			Action: types.ActAllow,
46
-			Args:   []*types.Arg{},
47
-		},
48
-		{
49
-			Name:   "accept4",
50
-			Action: types.ActAllow,
51
-			Args:   []*types.Arg{},
52
-		},
53
-		{
54
-			Name:   "access",
55
-			Action: types.ActAllow,
56
-			Args:   []*types.Arg{},
57
-		},
58
-		{
59
-			Name:   "alarm",
60
-			Action: types.ActAllow,
61
-			Args:   []*types.Arg{},
62
-		},
63
-		{
64
-			Name:   "bind",
65
-			Action: types.ActAllow,
66
-			Args:   []*types.Arg{},
67
-		},
11
+func arches() []types.Architecture {
12
+	return []types.Architecture{
68 13
 		{
69
-			Name:   "brk",
70
-			Action: types.ActAllow,
71
-			Args:   []*types.Arg{},
14
+			Arch:      types.ArchX86_64,
15
+			SubArches: []types.Arch{types.ArchX86, types.ArchX32},
72 16
 		},
73 17
 		{
74
-			Name:   "capget",
75
-			Action: types.ActAllow,
76
-			Args:   []*types.Arg{},
18
+			Arch:      types.ArchAARCH64,
19
+			SubArches: []types.Arch{types.ArchARM},
77 20
 		},
78 21
 		{
79
-			Name:   "capset",
80
-			Action: types.ActAllow,
81
-			Args:   []*types.Arg{},
22
+			Arch:      types.ArchMIPS64,
23
+			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
82 24
 		},
83 25
 		{
84
-			Name:   "chdir",
85
-			Action: types.ActAllow,
86
-			Args:   []*types.Arg{},
26
+			Arch:      types.ArchMIPS64N32,
27
+			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
87 28
 		},
88 29
 		{
89
-			Name:   "chmod",
90
-			Action: types.ActAllow,
91
-			Args:   []*types.Arg{},
30
+			Arch:      types.ArchMIPSEL64,
31
+			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
92 32
 		},
93 33
 		{
94
-			Name:   "chown",
95
-			Action: types.ActAllow,
96
-			Args:   []*types.Arg{},
34
+			Arch:      types.ArchMIPSEL64N32,
35
+			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
97 36
 		},
98 37
 		{
99
-			Name:   "chown32",
100
-			Action: types.ActAllow,
101
-			Args:   []*types.Arg{},
38
+			Arch:      types.ArchS390X,
39
+			SubArches: []types.Arch{types.ArchS390},
102 40
 		},
41
+	}
42
+}
103 43
 
44
+// DefaultProfile defines the whitelist for the default seccomp profile.
45
+func DefaultProfile() *types.Seccomp {
46
+	syscalls := []*types.Syscall{
104 47
 		{
105
-			Name:   "clock_getres",
106
-			Action: types.ActAllow,
107
-			Args:   []*types.Arg{},
108
-		},
109
-		{
110
-			Name:   "clock_gettime",
111
-			Action: types.ActAllow,
112
-			Args:   []*types.Arg{},
113
-		},
114
-		{
115
-			Name:   "clock_nanosleep",
116
-			Action: types.ActAllow,
117
-			Args:   []*types.Arg{},
118
-		},
119
-		{
120
-			Name:   "close",
121
-			Action: types.ActAllow,
122
-			Args:   []*types.Arg{},
123
-		},
124
-		{
125
-			Name:   "connect",
126
-			Action: types.ActAllow,
127
-			Args:   []*types.Arg{},
128
-		},
129
-		{
130
-			Name:   "copy_file_range",
131
-			Action: types.ActAllow,
132
-			Args:   []*types.Arg{},
133
-		},
134
-		{
135
-			Name:   "creat",
136
-			Action: types.ActAllow,
137
-			Args:   []*types.Arg{},
138
-		},
139
-		{
140
-			Name:   "dup",
141
-			Action: types.ActAllow,
142
-			Args:   []*types.Arg{},
143
-		},
144
-		{
145
-			Name:   "dup2",
146
-			Action: types.ActAllow,
147
-			Args:   []*types.Arg{},
148
-		},
149
-		{
150
-			Name:   "dup3",
151
-			Action: types.ActAllow,
152
-			Args:   []*types.Arg{},
153
-		},
154
-		{
155
-			Name:   "epoll_create",
156
-			Action: types.ActAllow,
157
-			Args:   []*types.Arg{},
158
-		},
159
-		{
160
-			Name:   "epoll_create1",
161
-			Action: types.ActAllow,
162
-			Args:   []*types.Arg{},
163
-		},
164
-		{
165
-			Name:   "epoll_ctl",
166
-			Action: types.ActAllow,
167
-			Args:   []*types.Arg{},
168
-		},
169
-		{
170
-			Name:   "epoll_ctl_old",
171
-			Action: types.ActAllow,
172
-			Args:   []*types.Arg{},
173
-		},
174
-		{
175
-			Name:   "epoll_pwait",
176
-			Action: types.ActAllow,
177
-			Args:   []*types.Arg{},
178
-		},
179
-		{
180
-			Name:   "epoll_wait",
181
-			Action: types.ActAllow,
182
-			Args:   []*types.Arg{},
183
-		},
184
-		{
185
-			Name:   "epoll_wait_old",
186
-			Action: types.ActAllow,
187
-			Args:   []*types.Arg{},
188
-		},
189
-		{
190
-			Name:   "eventfd",
191
-			Action: types.ActAllow,
192
-			Args:   []*types.Arg{},
193
-		},
194
-		{
195
-			Name:   "eventfd2",
196
-			Action: types.ActAllow,
197
-			Args:   []*types.Arg{},
198
-		},
199
-		{
200
-			Name:   "execve",
201
-			Action: types.ActAllow,
202
-			Args:   []*types.Arg{},
203
-		},
204
-		{
205
-			Name:   "execveat",
206
-			Action: types.ActAllow,
207
-			Args:   []*types.Arg{},
208
-		},
209
-		{
210
-			Name:   "exit",
211
-			Action: types.ActAllow,
212
-			Args:   []*types.Arg{},
213
-		},
214
-		{
215
-			Name:   "exit_group",
216
-			Action: types.ActAllow,
217
-			Args:   []*types.Arg{},
218
-		},
219
-		{
220
-			Name:   "faccessat",
221
-			Action: types.ActAllow,
222
-			Args:   []*types.Arg{},
223
-		},
224
-		{
225
-			Name:   "fadvise64",
226
-			Action: types.ActAllow,
227
-			Args:   []*types.Arg{},
228
-		},
229
-		{
230
-			Name:   "fadvise64_64",
231
-			Action: types.ActAllow,
232
-			Args:   []*types.Arg{},
233
-		},
234
-		{
235
-			Name:   "fallocate",
236
-			Action: types.ActAllow,
237
-			Args:   []*types.Arg{},
238
-		},
239
-		{
240
-			Name:   "fanotify_mark",
241
-			Action: types.ActAllow,
242
-			Args:   []*types.Arg{},
243
-		},
244
-		{
245
-			Name:   "fchdir",
246
-			Action: types.ActAllow,
247
-			Args:   []*types.Arg{},
248
-		},
249
-		{
250
-			Name:   "fchmod",
251
-			Action: types.ActAllow,
252
-			Args:   []*types.Arg{},
253
-		},
254
-		{
255
-			Name:   "fchmodat",
256
-			Action: types.ActAllow,
257
-			Args:   []*types.Arg{},
258
-		},
259
-		{
260
-			Name:   "fchown",
261
-			Action: types.ActAllow,
262
-			Args:   []*types.Arg{},
263
-		},
264
-		{
265
-			Name:   "fchown32",
266
-			Action: types.ActAllow,
267
-			Args:   []*types.Arg{},
268
-		},
269
-		{
270
-			Name:   "fchownat",
271
-			Action: types.ActAllow,
272
-			Args:   []*types.Arg{},
273
-		},
274
-		{
275
-			Name:   "fcntl",
276
-			Action: types.ActAllow,
277
-			Args:   []*types.Arg{},
278
-		},
279
-		{
280
-			Name:   "fcntl64",
281
-			Action: types.ActAllow,
282
-			Args:   []*types.Arg{},
283
-		},
284
-		{
285
-			Name:   "fdatasync",
286
-			Action: types.ActAllow,
287
-			Args:   []*types.Arg{},
288
-		},
289
-		{
290
-			Name:   "fgetxattr",
291
-			Action: types.ActAllow,
292
-			Args:   []*types.Arg{},
293
-		},
294
-		{
295
-			Name:   "flistxattr",
296
-			Action: types.ActAllow,
297
-			Args:   []*types.Arg{},
298
-		},
299
-		{
300
-			Name:   "flock",
301
-			Action: types.ActAllow,
302
-			Args:   []*types.Arg{},
303
-		},
304
-		{
305
-			Name:   "fork",
306
-			Action: types.ActAllow,
307
-			Args:   []*types.Arg{},
308
-		},
309
-		{
310
-			Name:   "fremovexattr",
311
-			Action: types.ActAllow,
312
-			Args:   []*types.Arg{},
313
-		},
314
-		{
315
-			Name:   "fsetxattr",
316
-			Action: types.ActAllow,
317
-			Args:   []*types.Arg{},
318
-		},
319
-		{
320
-			Name:   "fstat",
321
-			Action: types.ActAllow,
322
-			Args:   []*types.Arg{},
323
-		},
324
-		{
325
-			Name:   "fstat64",
326
-			Action: types.ActAllow,
327
-			Args:   []*types.Arg{},
328
-		},
329
-		{
330
-			Name:   "fstatat64",
331
-			Action: types.ActAllow,
332
-			Args:   []*types.Arg{},
333
-		},
334
-		{
335
-			Name:   "fstatfs",
336
-			Action: types.ActAllow,
337
-			Args:   []*types.Arg{},
338
-		},
339
-		{
340
-			Name:   "fstatfs64",
341
-			Action: types.ActAllow,
342
-			Args:   []*types.Arg{},
343
-		},
344
-		{
345
-			Name:   "fsync",
346
-			Action: types.ActAllow,
347
-			Args:   []*types.Arg{},
348
-		},
349
-		{
350
-			Name:   "ftruncate",
351
-			Action: types.ActAllow,
352
-			Args:   []*types.Arg{},
353
-		},
354
-		{
355
-			Name:   "ftruncate64",
356
-			Action: types.ActAllow,
357
-			Args:   []*types.Arg{},
358
-		},
359
-		{
360
-			Name:   "futex",
361
-			Action: types.ActAllow,
362
-			Args:   []*types.Arg{},
363
-		},
364
-		{
365
-			Name:   "futimesat",
366
-			Action: types.ActAllow,
367
-			Args:   []*types.Arg{},
368
-		},
369
-		{
370
-			Name:   "getcpu",
371
-			Action: types.ActAllow,
372
-			Args:   []*types.Arg{},
373
-		},
374
-		{
375
-			Name:   "getcwd",
376
-			Action: types.ActAllow,
377
-			Args:   []*types.Arg{},
378
-		},
379
-		{
380
-			Name:   "getdents",
381
-			Action: types.ActAllow,
382
-			Args:   []*types.Arg{},
383
-		},
384
-		{
385
-			Name:   "getdents64",
386
-			Action: types.ActAllow,
387
-			Args:   []*types.Arg{},
388
-		},
389
-		{
390
-			Name:   "getegid",
391
-			Action: types.ActAllow,
392
-			Args:   []*types.Arg{},
393
-		},
394
-		{
395
-			Name:   "getegid32",
396
-			Action: types.ActAllow,
397
-			Args:   []*types.Arg{},
398
-		},
399
-		{
400
-			Name:   "geteuid",
401
-			Action: types.ActAllow,
402
-			Args:   []*types.Arg{},
403
-		},
404
-		{
405
-			Name:   "geteuid32",
406
-			Action: types.ActAllow,
407
-			Args:   []*types.Arg{},
408
-		},
409
-		{
410
-			Name:   "getgid",
411
-			Action: types.ActAllow,
412
-			Args:   []*types.Arg{},
413
-		},
414
-		{
415
-			Name:   "getgid32",
416
-			Action: types.ActAllow,
417
-			Args:   []*types.Arg{},
418
-		},
419
-		{
420
-			Name:   "getgroups",
421
-			Action: types.ActAllow,
422
-			Args:   []*types.Arg{},
423
-		},
424
-		{
425
-			Name:   "getgroups32",
426
-			Action: types.ActAllow,
427
-			Args:   []*types.Arg{},
428
-		},
429
-		{
430
-			Name:   "getitimer",
431
-			Action: types.ActAllow,
432
-			Args:   []*types.Arg{},
433
-		},
434
-		{
435
-			Name:   "getpeername",
436
-			Action: types.ActAllow,
437
-			Args:   []*types.Arg{},
438
-		},
439
-		{
440
-			Name:   "getpgid",
441
-			Action: types.ActAllow,
442
-			Args:   []*types.Arg{},
443
-		},
444
-		{
445
-			Name:   "getpgrp",
446
-			Action: types.ActAllow,
447
-			Args:   []*types.Arg{},
448
-		},
449
-		{
450
-			Name:   "getpid",
451
-			Action: types.ActAllow,
452
-			Args:   []*types.Arg{},
453
-		},
454
-		{
455
-			Name:   "getppid",
456
-			Action: types.ActAllow,
457
-			Args:   []*types.Arg{},
458
-		},
459
-		{
460
-			Name:   "getpriority",
461
-			Action: types.ActAllow,
462
-			Args:   []*types.Arg{},
463
-		},
464
-		{
465
-			Name:   "getrandom",
466
-			Action: types.ActAllow,
467
-			Args:   []*types.Arg{},
468
-		},
469
-		{
470
-			Name:   "getresgid",
471
-			Action: types.ActAllow,
472
-			Args:   []*types.Arg{},
473
-		},
474
-		{
475
-			Name:   "getresgid32",
476
-			Action: types.ActAllow,
477
-			Args:   []*types.Arg{},
478
-		},
479
-		{
480
-			Name:   "getresuid",
481
-			Action: types.ActAllow,
482
-			Args:   []*types.Arg{},
483
-		},
484
-		{
485
-			Name:   "getresuid32",
486
-			Action: types.ActAllow,
487
-			Args:   []*types.Arg{},
488
-		},
489
-		{
490
-			Name:   "getrlimit",
491
-			Action: types.ActAllow,
492
-			Args:   []*types.Arg{},
493
-		},
494
-		{
495
-			Name:   "get_robust_list",
496
-			Action: types.ActAllow,
497
-			Args:   []*types.Arg{},
498
-		},
499
-		{
500
-			Name:   "getrusage",
501
-			Action: types.ActAllow,
502
-			Args:   []*types.Arg{},
503
-		},
504
-		{
505
-			Name:   "getsid",
506
-			Action: types.ActAllow,
507
-			Args:   []*types.Arg{},
508
-		},
509
-		{
510
-			Name:   "getsockname",
511
-			Action: types.ActAllow,
512
-			Args:   []*types.Arg{},
513
-		},
514
-		{
515
-			Name:   "getsockopt",
516
-			Action: types.ActAllow,
517
-			Args:   []*types.Arg{},
518
-		},
519
-		{
520
-			Name:   "get_thread_area",
521
-			Action: types.ActAllow,
522
-			Args:   []*types.Arg{},
523
-		},
524
-		{
525
-			Name:   "gettid",
526
-			Action: types.ActAllow,
527
-			Args:   []*types.Arg{},
528
-		},
529
-		{
530
-			Name:   "gettimeofday",
531
-			Action: types.ActAllow,
532
-			Args:   []*types.Arg{},
533
-		},
534
-		{
535
-			Name:   "getuid",
536
-			Action: types.ActAllow,
537
-			Args:   []*types.Arg{},
538
-		},
539
-		{
540
-			Name:   "getuid32",
541
-			Action: types.ActAllow,
542
-			Args:   []*types.Arg{},
543
-		},
544
-		{
545
-			Name:   "getxattr",
546
-			Action: types.ActAllow,
547
-			Args:   []*types.Arg{},
548
-		},
549
-		{
550
-			Name:   "inotify_add_watch",
551
-			Action: types.ActAllow,
552
-			Args:   []*types.Arg{},
553
-		},
554
-		{
555
-			Name:   "inotify_init",
556
-			Action: types.ActAllow,
557
-			Args:   []*types.Arg{},
558
-		},
559
-		{
560
-			Name:   "inotify_init1",
561
-			Action: types.ActAllow,
562
-			Args:   []*types.Arg{},
563
-		},
564
-		{
565
-			Name:   "inotify_rm_watch",
566
-			Action: types.ActAllow,
567
-			Args:   []*types.Arg{},
568
-		},
569
-		{
570
-			Name:   "io_cancel",
571
-			Action: types.ActAllow,
572
-			Args:   []*types.Arg{},
573
-		},
574
-		{
575
-			Name:   "ioctl",
576
-			Action: types.ActAllow,
577
-			Args:   []*types.Arg{},
578
-		},
579
-		{
580
-			Name:   "io_destroy",
581
-			Action: types.ActAllow,
582
-			Args:   []*types.Arg{},
583
-		},
584
-		{
585
-			Name:   "io_getevents",
586
-			Action: types.ActAllow,
587
-			Args:   []*types.Arg{},
588
-		},
589
-		{
590
-			Name:   "ioprio_get",
591
-			Action: types.ActAllow,
592
-			Args:   []*types.Arg{},
593
-		},
594
-		{
595
-			Name:   "ioprio_set",
596
-			Action: types.ActAllow,
597
-			Args:   []*types.Arg{},
598
-		},
599
-		{
600
-			Name:   "io_setup",
601
-			Action: types.ActAllow,
602
-			Args:   []*types.Arg{},
603
-		},
604
-		{
605
-			Name:   "io_submit",
606
-			Action: types.ActAllow,
607
-			Args:   []*types.Arg{},
608
-		},
609
-		{
610
-			Name:   "ipc",
611
-			Action: types.ActAllow,
612
-			Args:   []*types.Arg{},
613
-		},
614
-		{
615
-			Name:   "kill",
616
-			Action: types.ActAllow,
617
-			Args:   []*types.Arg{},
618
-		},
619
-		{
620
-			Name:   "lchown",
621
-			Action: types.ActAllow,
622
-			Args:   []*types.Arg{},
623
-		},
624
-		{
625
-			Name:   "lchown32",
626
-			Action: types.ActAllow,
627
-			Args:   []*types.Arg{},
628
-		},
629
-		{
630
-			Name:   "lgetxattr",
631
-			Action: types.ActAllow,
632
-			Args:   []*types.Arg{},
633
-		},
634
-		{
635
-			Name:   "link",
636
-			Action: types.ActAllow,
637
-			Args:   []*types.Arg{},
638
-		},
639
-		{
640
-			Name:   "linkat",
641
-			Action: types.ActAllow,
642
-			Args:   []*types.Arg{},
643
-		},
644
-		{
645
-			Name:   "listen",
646
-			Action: types.ActAllow,
647
-			Args:   []*types.Arg{},
648
-		},
649
-		{
650
-			Name:   "listxattr",
651
-			Action: types.ActAllow,
652
-			Args:   []*types.Arg{},
653
-		},
654
-		{
655
-			Name:   "llistxattr",
656
-			Action: types.ActAllow,
657
-			Args:   []*types.Arg{},
658
-		},
659
-		{
660
-			Name:   "_llseek",
661
-			Action: types.ActAllow,
662
-			Args:   []*types.Arg{},
663
-		},
664
-		{
665
-			Name:   "lremovexattr",
666
-			Action: types.ActAllow,
667
-			Args:   []*types.Arg{},
668
-		},
669
-		{
670
-			Name:   "lseek",
671
-			Action: types.ActAllow,
672
-			Args:   []*types.Arg{},
673
-		},
674
-		{
675
-			Name:   "lsetxattr",
676
-			Action: types.ActAllow,
677
-			Args:   []*types.Arg{},
678
-		},
679
-		{
680
-			Name:   "lstat",
681
-			Action: types.ActAllow,
682
-			Args:   []*types.Arg{},
683
-		},
684
-		{
685
-			Name:   "lstat64",
686
-			Action: types.ActAllow,
687
-			Args:   []*types.Arg{},
688
-		},
689
-		{
690
-			Name:   "madvise",
691
-			Action: types.ActAllow,
692
-			Args:   []*types.Arg{},
693
-		},
694
-		{
695
-			Name:   "memfd_create",
696
-			Action: types.ActAllow,
697
-			Args:   []*types.Arg{},
698
-		},
699
-		{
700
-			Name:   "mincore",
701
-			Action: types.ActAllow,
702
-			Args:   []*types.Arg{},
703
-		},
704
-		{
705
-			Name:   "mkdir",
706
-			Action: types.ActAllow,
707
-			Args:   []*types.Arg{},
708
-		},
709
-		{
710
-			Name:   "mkdirat",
711
-			Action: types.ActAllow,
712
-			Args:   []*types.Arg{},
713
-		},
714
-		{
715
-			Name:   "mknod",
716
-			Action: types.ActAllow,
717
-			Args:   []*types.Arg{},
718
-		},
719
-		{
720
-			Name:   "mknodat",
721
-			Action: types.ActAllow,
722
-			Args:   []*types.Arg{},
723
-		},
724
-		{
725
-			Name:   "mlock",
726
-			Action: types.ActAllow,
727
-			Args:   []*types.Arg{},
728
-		},
729
-		{
730
-			Name:   "mlock2",
731
-			Action: types.ActAllow,
732
-			Args:   []*types.Arg{},
733
-		},
734
-		{
735
-			Name:   "mlockall",
736
-			Action: types.ActAllow,
737
-			Args:   []*types.Arg{},
738
-		},
739
-		{
740
-			Name:   "mmap",
741
-			Action: types.ActAllow,
742
-			Args:   []*types.Arg{},
743
-		},
744
-		{
745
-			Name:   "mmap2",
746
-			Action: types.ActAllow,
747
-			Args:   []*types.Arg{},
748
-		},
749
-		{
750
-			Name:   "mprotect",
751
-			Action: types.ActAllow,
752
-			Args:   []*types.Arg{},
753
-		},
754
-		{
755
-			Name:   "mq_getsetattr",
756
-			Action: types.ActAllow,
757
-			Args:   []*types.Arg{},
758
-		},
759
-		{
760
-			Name:   "mq_notify",
761
-			Action: types.ActAllow,
762
-			Args:   []*types.Arg{},
763
-		},
764
-		{
765
-			Name:   "mq_open",
766
-			Action: types.ActAllow,
767
-			Args:   []*types.Arg{},
768
-		},
769
-		{
770
-			Name:   "mq_timedreceive",
771
-			Action: types.ActAllow,
772
-			Args:   []*types.Arg{},
773
-		},
774
-		{
775
-			Name:   "mq_timedsend",
776
-			Action: types.ActAllow,
777
-			Args:   []*types.Arg{},
778
-		},
779
-		{
780
-			Name:   "mq_unlink",
781
-			Action: types.ActAllow,
782
-			Args:   []*types.Arg{},
783
-		},
784
-		{
785
-			Name:   "mremap",
786
-			Action: types.ActAllow,
787
-			Args:   []*types.Arg{},
788
-		},
789
-		{
790
-			Name:   "msgctl",
791
-			Action: types.ActAllow,
792
-			Args:   []*types.Arg{},
793
-		},
794
-		{
795
-			Name:   "msgget",
796
-			Action: types.ActAllow,
797
-			Args:   []*types.Arg{},
798
-		},
799
-		{
800
-			Name:   "msgrcv",
801
-			Action: types.ActAllow,
802
-			Args:   []*types.Arg{},
803
-		},
804
-		{
805
-			Name:   "msgsnd",
806
-			Action: types.ActAllow,
807
-			Args:   []*types.Arg{},
808
-		},
809
-		{
810
-			Name:   "msync",
811
-			Action: types.ActAllow,
812
-			Args:   []*types.Arg{},
813
-		},
814
-		{
815
-			Name:   "munlock",
816
-			Action: types.ActAllow,
817
-			Args:   []*types.Arg{},
818
-		},
819
-		{
820
-			Name:   "munlockall",
821
-			Action: types.ActAllow,
822
-			Args:   []*types.Arg{},
823
-		},
824
-		{
825
-			Name:   "munmap",
826
-			Action: types.ActAllow,
827
-			Args:   []*types.Arg{},
828
-		},
829
-		{
830
-			Name:   "nanosleep",
831
-			Action: types.ActAllow,
832
-			Args:   []*types.Arg{},
833
-		},
834
-		{
835
-			Name:   "newfstatat",
836
-			Action: types.ActAllow,
837
-			Args:   []*types.Arg{},
838
-		},
839
-		{
840
-			Name:   "_newselect",
841
-			Action: types.ActAllow,
842
-			Args:   []*types.Arg{},
843
-		},
844
-		{
845
-			Name:   "open",
846
-			Action: types.ActAllow,
847
-			Args:   []*types.Arg{},
848
-		},
849
-		{
850
-			Name:   "openat",
851
-			Action: types.ActAllow,
852
-			Args:   []*types.Arg{},
853
-		},
854
-		{
855
-			Name:   "pause",
48
+			Names: []string{
49
+				"accept",
50
+				"accept4",
51
+				"access",
52
+				"alarm",
53
+				"alarm",
54
+				"bind",
55
+				"brk",
56
+				"capget",
57
+				"capset",
58
+				"chdir",
59
+				"chmod",
60
+				"chown",
61
+				"chown32",
62
+				"clock_getres",
63
+				"clock_gettime",
64
+				"clock_nanosleep",
65
+				"close",
66
+				"connect",
67
+				"copy_file_range",
68
+				"creat",
69
+				"dup",
70
+				"dup2",
71
+				"dup3",
72
+				"epoll_create",
73
+				"epoll_create1",
74
+				"epoll_ctl",
75
+				"epoll_ctl_old",
76
+				"epoll_pwait",
77
+				"epoll_wait",
78
+				"epoll_wait_old",
79
+				"eventfd",
80
+				"eventfd2",
81
+				"execve",
82
+				"execveat",
83
+				"exit",
84
+				"exit_group",
85
+				"faccessat",
86
+				"fadvise64",
87
+				"fadvise64_64",
88
+				"fallocate",
89
+				"fanotify_mark",
90
+				"fchdir",
91
+				"fchmod",
92
+				"fchmodat",
93
+				"fchown",
94
+				"fchown32",
95
+				"fchownat",
96
+				"fcntl",
97
+				"fcntl64",
98
+				"fdatasync",
99
+				"fgetxattr",
100
+				"flistxattr",
101
+				"flock",
102
+				"fork",
103
+				"fremovexattr",
104
+				"fsetxattr",
105
+				"fstat",
106
+				"fstat64",
107
+				"fstatat64",
108
+				"fstatfs",
109
+				"fstatfs64",
110
+				"fsync",
111
+				"ftruncate",
112
+				"ftruncate64",
113
+				"futex",
114
+				"futimesat",
115
+				"getcpu",
116
+				"getcwd",
117
+				"getdents",
118
+				"getdents64",
119
+				"getegid",
120
+				"getegid32",
121
+				"geteuid",
122
+				"geteuid32",
123
+				"getgid",
124
+				"getgid32",
125
+				"getgroups",
126
+				"getgroups32",
127
+				"getitimer",
128
+				"getpeername",
129
+				"getpgid",
130
+				"getpgrp",
131
+				"getpid",
132
+				"getppid",
133
+				"getpriority",
134
+				"getrandom",
135
+				"getresgid",
136
+				"getresgid32",
137
+				"getresuid",
138
+				"getresuid32",
139
+				"getrlimit",
140
+				"get_robust_list",
141
+				"getrusage",
142
+				"getsid",
143
+				"getsockname",
144
+				"getsockopt",
145
+				"get_thread_area",
146
+				"gettid",
147
+				"gettimeofday",
148
+				"getuid",
149
+				"getuid32",
150
+				"getxattr",
151
+				"inotify_add_watch",
152
+				"inotify_init",
153
+				"inotify_init1",
154
+				"inotify_rm_watch",
155
+				"io_cancel",
156
+				"ioctl",
157
+				"io_destroy",
158
+				"io_getevents",
159
+				"ioprio_get",
160
+				"ioprio_set",
161
+				"io_setup",
162
+				"io_submit",
163
+				"ipc",
164
+				"kill",
165
+				"lchown",
166
+				"lchown32",
167
+				"lgetxattr",
168
+				"link",
169
+				"linkat",
170
+				"listen",
171
+				"listxattr",
172
+				"llistxattr",
173
+				"_llseek",
174
+				"lremovexattr",
175
+				"lseek",
176
+				"lsetxattr",
177
+				"lstat",
178
+				"lstat64",
179
+				"madvise",
180
+				"memfd_create",
181
+				"mincore",
182
+				"mkdir",
183
+				"mkdirat",
184
+				"mknod",
185
+				"mknodat",
186
+				"mlock",
187
+				"mlock2",
188
+				"mlockall",
189
+				"mmap",
190
+				"mmap2",
191
+				"mprotect",
192
+				"mq_getsetattr",
193
+				"mq_notify",
194
+				"mq_open",
195
+				"mq_timedreceive",
196
+				"mq_timedsend",
197
+				"mq_unlink",
198
+				"mremap",
199
+				"msgctl",
200
+				"msgget",
201
+				"msgrcv",
202
+				"msgsnd",
203
+				"msync",
204
+				"munlock",
205
+				"munlockall",
206
+				"munmap",
207
+				"nanosleep",
208
+				"newfstatat",
209
+				"_newselect",
210
+				"open",
211
+				"openat",
212
+				"pause",
213
+				"pipe",
214
+				"pipe2",
215
+				"poll",
216
+				"ppoll",
217
+				"prctl",
218
+				"pread64",
219
+				"preadv",
220
+				"prlimit64",
221
+				"pselect6",
222
+				"pwrite64",
223
+				"pwritev",
224
+				"read",
225
+				"readahead",
226
+				"readlink",
227
+				"readlinkat",
228
+				"readv",
229
+				"recv",
230
+				"recvfrom",
231
+				"recvmmsg",
232
+				"recvmsg",
233
+				"remap_file_pages",
234
+				"removexattr",
235
+				"rename",
236
+				"renameat",
237
+				"renameat2",
238
+				"restart_syscall",
239
+				"rmdir",
240
+				"rt_sigaction",
241
+				"rt_sigpending",
242
+				"rt_sigprocmask",
243
+				"rt_sigqueueinfo",
244
+				"rt_sigreturn",
245
+				"rt_sigsuspend",
246
+				"rt_sigtimedwait",
247
+				"rt_tgsigqueueinfo",
248
+				"sched_getaffinity",
249
+				"sched_getattr",
250
+				"sched_getparam",
251
+				"sched_get_priority_max",
252
+				"sched_get_priority_min",
253
+				"sched_getscheduler",
254
+				"sched_rr_get_interval",
255
+				"sched_setaffinity",
256
+				"sched_setattr",
257
+				"sched_setparam",
258
+				"sched_setscheduler",
259
+				"sched_yield",
260
+				"seccomp",
261
+				"select",
262
+				"semctl",
263
+				"semget",
264
+				"semop",
265
+				"semtimedop",
266
+				"send",
267
+				"sendfile",
268
+				"sendfile64",
269
+				"sendmmsg",
270
+				"sendmsg",
271
+				"sendto",
272
+				"setfsgid",
273
+				"setfsgid32",
274
+				"setfsuid",
275
+				"setfsuid32",
276
+				"setgid",
277
+				"setgid32",
278
+				"setgroups",
279
+				"setgroups32",
280
+				"setitimer",
281
+				"setpgid",
282
+				"setpriority",
283
+				"setregid",
284
+				"setregid32",
285
+				"setresgid",
286
+				"setresgid32",
287
+				"setresuid",
288
+				"setresuid32",
289
+				"setreuid",
290
+				"setreuid32",
291
+				"setrlimit",
292
+				"set_robust_list",
293
+				"setsid",
294
+				"setsockopt",
295
+				"set_thread_area",
296
+				"set_tid_address",
297
+				"setuid",
298
+				"setuid32",
299
+				"setxattr",
300
+				"shmat",
301
+				"shmctl",
302
+				"shmdt",
303
+				"shmget",
304
+				"shutdown",
305
+				"sigaltstack",
306
+				"signalfd",
307
+				"signalfd4",
308
+				"sigreturn",
309
+				"socket",
310
+				"socketcall",
311
+				"socketpair",
312
+				"splice",
313
+				"stat",
314
+				"stat64",
315
+				"statfs",
316
+				"statfs64",
317
+				"symlink",
318
+				"symlinkat",
319
+				"sync",
320
+				"sync_file_range",
321
+				"syncfs",
322
+				"sysinfo",
323
+				"syslog",
324
+				"tee",
325
+				"tgkill",
326
+				"time",
327
+				"timer_create",
328
+				"timer_delete",
329
+				"timerfd_create",
330
+				"timerfd_gettime",
331
+				"timerfd_settime",
332
+				"timer_getoverrun",
333
+				"timer_gettime",
334
+				"timer_settime",
335
+				"times",
336
+				"tkill",
337
+				"truncate",
338
+				"truncate64",
339
+				"ugetrlimit",
340
+				"umask",
341
+				"uname",
342
+				"unlink",
343
+				"unlinkat",
344
+				"utime",
345
+				"utimensat",
346
+				"utimes",
347
+				"vfork",
348
+				"vmsplice",
349
+				"wait4",
350
+				"waitid",
351
+				"waitpid",
352
+				"write",
353
+				"writev",
354
+			},
856 355
 			Action: types.ActAllow,
857 356
 			Args:   []*types.Arg{},
858 357
 		},
859 358
 		{
860
-			Name:   "personality",
359
+			Names:  []string{"personality"},
861 360
 			Action: types.ActAllow,
862 361
 			Args: []*types.Arg{
863 362
 				{
... ...
@@ -868,7 +367,7 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
868 868
 			},
869 869
 		},
870 870
 		{
871
-			Name:   "personality",
871
+			Names:  []string{"personality"},
872 872
 			Action: types.ActAllow,
873 873
 			Args: []*types.Arg{
874 874
 				{
... ...
@@ -879,7 +378,7 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
879 879
 			},
880 880
 		},
881 881
 		{
882
-			Name:   "personality",
882
+			Names:  []string{"personality"},
883 883
 			Action: types.ActAllow,
884 884
 			Args: []*types.Arg{
885 885
 				{
... ...
@@ -890,990 +389,214 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
890 890
 			},
891 891
 		},
892 892
 		{
893
-			Name:   "pipe",
894
-			Action: types.ActAllow,
895
-			Args:   []*types.Arg{},
896
-		},
897
-		{
898
-			Name:   "pipe2",
899
-			Action: types.ActAllow,
900
-			Args:   []*types.Arg{},
901
-		},
902
-		{
903
-			Name:   "poll",
904
-			Action: types.ActAllow,
905
-			Args:   []*types.Arg{},
906
-		},
907
-		{
908
-			Name:   "ppoll",
909
-			Action: types.ActAllow,
910
-			Args:   []*types.Arg{},
911
-		},
912
-		{
913
-			Name:   "prctl",
914
-			Action: types.ActAllow,
915
-			Args:   []*types.Arg{},
916
-		},
917
-		{
918
-			Name:   "pread64",
919
-			Action: types.ActAllow,
920
-			Args:   []*types.Arg{},
921
-		},
922
-		{
923
-			Name:   "preadv",
924
-			Action: types.ActAllow,
925
-			Args:   []*types.Arg{},
926
-		},
927
-		{
928
-			Name:   "prlimit64",
929
-			Action: types.ActAllow,
930
-			Args:   []*types.Arg{},
931
-		},
932
-		{
933
-			Name:   "pselect6",
934
-			Action: types.ActAllow,
935
-			Args:   []*types.Arg{},
936
-		},
937
-		{
938
-			Name:   "pwrite64",
939
-			Action: types.ActAllow,
940
-			Args:   []*types.Arg{},
941
-		},
942
-		{
943
-			Name:   "pwritev",
944
-			Action: types.ActAllow,
945
-			Args:   []*types.Arg{},
946
-		},
947
-		{
948
-			Name:   "read",
949
-			Action: types.ActAllow,
950
-			Args:   []*types.Arg{},
951
-		},
952
-		{
953
-			Name:   "readahead",
954
-			Action: types.ActAllow,
955
-			Args:   []*types.Arg{},
956
-		},
957
-		{
958
-			Name:   "readlink",
959
-			Action: types.ActAllow,
960
-			Args:   []*types.Arg{},
961
-		},
962
-		{
963
-			Name:   "readlinkat",
964
-			Action: types.ActAllow,
965
-			Args:   []*types.Arg{},
966
-		},
967
-		{
968
-			Name:   "readv",
969
-			Action: types.ActAllow,
970
-			Args:   []*types.Arg{},
971
-		},
972
-		{
973
-			Name:   "recv",
974
-			Action: types.ActAllow,
975
-			Args:   []*types.Arg{},
976
-		},
977
-		{
978
-			Name:   "recvfrom",
979
-			Action: types.ActAllow,
980
-			Args:   []*types.Arg{},
981
-		},
982
-		{
983
-			Name:   "recvmmsg",
984
-			Action: types.ActAllow,
985
-			Args:   []*types.Arg{},
986
-		},
987
-		{
988
-			Name:   "recvmsg",
989
-			Action: types.ActAllow,
990
-			Args:   []*types.Arg{},
991
-		},
992
-		{
993
-			Name:   "remap_file_pages",
994
-			Action: types.ActAllow,
995
-			Args:   []*types.Arg{},
996
-		},
997
-		{
998
-			Name:   "removexattr",
999
-			Action: types.ActAllow,
1000
-			Args:   []*types.Arg{},
1001
-		},
1002
-		{
1003
-			Name:   "rename",
1004
-			Action: types.ActAllow,
1005
-			Args:   []*types.Arg{},
1006
-		},
1007
-		{
1008
-			Name:   "renameat",
1009
-			Action: types.ActAllow,
1010
-			Args:   []*types.Arg{},
1011
-		},
1012
-		{
1013
-			Name:   "renameat2",
1014
-			Action: types.ActAllow,
1015
-			Args:   []*types.Arg{},
1016
-		},
1017
-		{
1018
-			Name:   "restart_syscall",
1019
-			Action: types.ActAllow,
1020
-			Args:   []*types.Arg{},
1021
-		},
1022
-		{
1023
-			Name:   "rmdir",
1024
-			Action: types.ActAllow,
1025
-			Args:   []*types.Arg{},
1026
-		},
1027
-		{
1028
-			Name:   "rt_sigaction",
1029
-			Action: types.ActAllow,
1030
-			Args:   []*types.Arg{},
1031
-		},
1032
-		{
1033
-			Name:   "rt_sigpending",
1034
-			Action: types.ActAllow,
1035
-			Args:   []*types.Arg{},
1036
-		},
1037
-		{
1038
-			Name:   "rt_sigprocmask",
1039
-			Action: types.ActAllow,
1040
-			Args:   []*types.Arg{},
1041
-		},
1042
-		{
1043
-			Name:   "rt_sigqueueinfo",
1044
-			Action: types.ActAllow,
1045
-			Args:   []*types.Arg{},
1046
-		},
1047
-		{
1048
-			Name:   "rt_sigreturn",
1049
-			Action: types.ActAllow,
1050
-			Args:   []*types.Arg{},
1051
-		},
1052
-		{
1053
-			Name:   "rt_sigsuspend",
1054
-			Action: types.ActAllow,
1055
-			Args:   []*types.Arg{},
1056
-		},
1057
-		{
1058
-			Name:   "rt_sigtimedwait",
1059
-			Action: types.ActAllow,
1060
-			Args:   []*types.Arg{},
1061
-		},
1062
-		{
1063
-			Name:   "rt_tgsigqueueinfo",
1064
-			Action: types.ActAllow,
1065
-			Args:   []*types.Arg{},
1066
-		},
1067
-		{
1068
-			Name:   "sched_getaffinity",
1069
-			Action: types.ActAllow,
1070
-			Args:   []*types.Arg{},
1071
-		},
1072
-		{
1073
-			Name:   "sched_getattr",
1074
-			Action: types.ActAllow,
1075
-			Args:   []*types.Arg{},
1076
-		},
1077
-		{
1078
-			Name:   "sched_getparam",
1079
-			Action: types.ActAllow,
1080
-			Args:   []*types.Arg{},
1081
-		},
1082
-		{
1083
-			Name:   "sched_get_priority_max",
1084
-			Action: types.ActAllow,
1085
-			Args:   []*types.Arg{},
1086
-		},
1087
-		{
1088
-			Name:   "sched_get_priority_min",
1089
-			Action: types.ActAllow,
1090
-			Args:   []*types.Arg{},
1091
-		},
1092
-		{
1093
-			Name:   "sched_getscheduler",
1094
-			Action: types.ActAllow,
1095
-			Args:   []*types.Arg{},
1096
-		},
1097
-		{
1098
-			Name:   "sched_rr_get_interval",
1099
-			Action: types.ActAllow,
1100
-			Args:   []*types.Arg{},
1101
-		},
1102
-		{
1103
-			Name:   "sched_setaffinity",
1104
-			Action: types.ActAllow,
1105
-			Args:   []*types.Arg{},
1106
-		},
1107
-		{
1108
-			Name:   "sched_setattr",
1109
-			Action: types.ActAllow,
1110
-			Args:   []*types.Arg{},
1111
-		},
1112
-		{
1113
-			Name:   "sched_setparam",
1114
-			Action: types.ActAllow,
1115
-			Args:   []*types.Arg{},
1116
-		},
1117
-		{
1118
-			Name:   "sched_setscheduler",
1119
-			Action: types.ActAllow,
1120
-			Args:   []*types.Arg{},
1121
-		},
1122
-		{
1123
-			Name:   "sched_yield",
1124
-			Action: types.ActAllow,
1125
-			Args:   []*types.Arg{},
1126
-		},
1127
-		{
1128
-			Name:   "seccomp",
1129
-			Action: types.ActAllow,
1130
-			Args:   []*types.Arg{},
1131
-		},
1132
-		{
1133
-			Name:   "select",
1134
-			Action: types.ActAllow,
1135
-			Args:   []*types.Arg{},
1136
-		},
1137
-		{
1138
-			Name:   "semctl",
1139
-			Action: types.ActAllow,
1140
-			Args:   []*types.Arg{},
1141
-		},
1142
-		{
1143
-			Name:   "semget",
1144
-			Action: types.ActAllow,
1145
-			Args:   []*types.Arg{},
1146
-		},
1147
-		{
1148
-			Name:   "semop",
1149
-			Action: types.ActAllow,
1150
-			Args:   []*types.Arg{},
1151
-		},
1152
-		{
1153
-			Name:   "semtimedop",
1154
-			Action: types.ActAllow,
1155
-			Args:   []*types.Arg{},
1156
-		},
1157
-		{
1158
-			Name:   "send",
1159
-			Action: types.ActAllow,
1160
-			Args:   []*types.Arg{},
1161
-		},
1162
-		{
1163
-			Name:   "sendfile",
1164
-			Action: types.ActAllow,
1165
-			Args:   []*types.Arg{},
1166
-		},
1167
-		{
1168
-			Name:   "sendfile64",
1169
-			Action: types.ActAllow,
1170
-			Args:   []*types.Arg{},
1171
-		},
1172
-		{
1173
-			Name:   "sendmmsg",
1174
-			Action: types.ActAllow,
1175
-			Args:   []*types.Arg{},
1176
-		},
1177
-		{
1178
-			Name:   "sendmsg",
1179
-			Action: types.ActAllow,
1180
-			Args:   []*types.Arg{},
1181
-		},
1182
-		{
1183
-			Name:   "sendto",
1184
-			Action: types.ActAllow,
1185
-			Args:   []*types.Arg{},
1186
-		},
1187
-		{
1188
-			Name:   "setfsgid",
1189
-			Action: types.ActAllow,
1190
-			Args:   []*types.Arg{},
1191
-		},
1192
-		{
1193
-			Name:   "setfsgid32",
1194
-			Action: types.ActAllow,
1195
-			Args:   []*types.Arg{},
1196
-		},
1197
-		{
1198
-			Name:   "setfsuid",
1199
-			Action: types.ActAllow,
1200
-			Args:   []*types.Arg{},
1201
-		},
1202
-		{
1203
-			Name:   "setfsuid32",
1204
-			Action: types.ActAllow,
1205
-			Args:   []*types.Arg{},
1206
-		},
1207
-		{
1208
-			Name:   "setgid",
1209
-			Action: types.ActAllow,
1210
-			Args:   []*types.Arg{},
1211
-		},
1212
-		{
1213
-			Name:   "setgid32",
1214
-			Action: types.ActAllow,
1215
-			Args:   []*types.Arg{},
1216
-		},
1217
-		{
1218
-			Name:   "setgroups",
1219
-			Action: types.ActAllow,
1220
-			Args:   []*types.Arg{},
1221
-		},
1222
-		{
1223
-			Name:   "setgroups32",
1224
-			Action: types.ActAllow,
1225
-			Args:   []*types.Arg{},
1226
-		},
1227
-		{
1228
-			Name:   "setitimer",
1229
-			Action: types.ActAllow,
1230
-			Args:   []*types.Arg{},
1231
-		},
1232
-		{
1233
-			Name:   "setpgid",
1234
-			Action: types.ActAllow,
1235
-			Args:   []*types.Arg{},
1236
-		},
1237
-		{
1238
-			Name:   "setpriority",
1239
-			Action: types.ActAllow,
1240
-			Args:   []*types.Arg{},
1241
-		},
1242
-		{
1243
-			Name:   "setregid",
1244
-			Action: types.ActAllow,
1245
-			Args:   []*types.Arg{},
1246
-		},
1247
-		{
1248
-			Name:   "setregid32",
1249
-			Action: types.ActAllow,
1250
-			Args:   []*types.Arg{},
1251
-		},
1252
-		{
1253
-			Name:   "setresgid",
1254
-			Action: types.ActAllow,
1255
-			Args:   []*types.Arg{},
1256
-		},
1257
-		{
1258
-			Name:   "setresgid32",
1259
-			Action: types.ActAllow,
1260
-			Args:   []*types.Arg{},
1261
-		},
1262
-		{
1263
-			Name:   "setresuid",
1264
-			Action: types.ActAllow,
1265
-			Args:   []*types.Arg{},
1266
-		},
1267
-		{
1268
-			Name:   "setresuid32",
1269
-			Action: types.ActAllow,
1270
-			Args:   []*types.Arg{},
1271
-		},
1272
-		{
1273
-			Name:   "setreuid",
1274
-			Action: types.ActAllow,
1275
-			Args:   []*types.Arg{},
1276
-		},
1277
-		{
1278
-			Name:   "setreuid32",
1279
-			Action: types.ActAllow,
1280
-			Args:   []*types.Arg{},
1281
-		},
1282
-		{
1283
-			Name:   "setrlimit",
1284
-			Action: types.ActAllow,
1285
-			Args:   []*types.Arg{},
1286
-		},
1287
-		{
1288
-			Name:   "set_robust_list",
1289
-			Action: types.ActAllow,
1290
-			Args:   []*types.Arg{},
1291
-		},
1292
-		{
1293
-			Name:   "setsid",
1294
-			Action: types.ActAllow,
1295
-			Args:   []*types.Arg{},
1296
-		},
1297
-		{
1298
-			Name:   "setsockopt",
1299
-			Action: types.ActAllow,
1300
-			Args:   []*types.Arg{},
1301
-		},
1302
-		{
1303
-			Name:   "set_thread_area",
1304
-			Action: types.ActAllow,
1305
-			Args:   []*types.Arg{},
1306
-		},
1307
-		{
1308
-			Name:   "set_tid_address",
1309
-			Action: types.ActAllow,
1310
-			Args:   []*types.Arg{},
1311
-		},
1312
-		{
1313
-			Name:   "setuid",
1314
-			Action: types.ActAllow,
1315
-			Args:   []*types.Arg{},
1316
-		},
1317
-		{
1318
-			Name:   "setuid32",
1319
-			Action: types.ActAllow,
1320
-			Args:   []*types.Arg{},
1321
-		},
1322
-		{
1323
-			Name:   "setxattr",
1324
-			Action: types.ActAllow,
1325
-			Args:   []*types.Arg{},
1326
-		},
1327
-		{
1328
-			Name:   "shmat",
1329
-			Action: types.ActAllow,
1330
-			Args:   []*types.Arg{},
1331
-		},
1332
-		{
1333
-			Name:   "shmctl",
1334
-			Action: types.ActAllow,
1335
-			Args:   []*types.Arg{},
1336
-		},
1337
-		{
1338
-			Name:   "shmdt",
1339
-			Action: types.ActAllow,
1340
-			Args:   []*types.Arg{},
1341
-		},
1342
-		{
1343
-			Name:   "shmget",
1344
-			Action: types.ActAllow,
1345
-			Args:   []*types.Arg{},
1346
-		},
1347
-		{
1348
-			Name:   "shutdown",
1349
-			Action: types.ActAllow,
1350
-			Args:   []*types.Arg{},
1351
-		},
1352
-		{
1353
-			Name:   "sigaltstack",
1354
-			Action: types.ActAllow,
1355
-			Args:   []*types.Arg{},
1356
-		},
1357
-		{
1358
-			Name:   "signalfd",
1359
-			Action: types.ActAllow,
1360
-			Args:   []*types.Arg{},
1361
-		},
1362
-		{
1363
-			Name:   "signalfd4",
1364
-			Action: types.ActAllow,
1365
-			Args:   []*types.Arg{},
1366
-		},
1367
-		{
1368
-			Name:   "sigreturn",
1369
-			Action: types.ActAllow,
1370
-			Args:   []*types.Arg{},
1371
-		},
1372
-		{
1373
-			Name:   "socket",
1374
-			Action: types.ActAllow,
1375
-			Args:   []*types.Arg{},
1376
-		},
1377
-		{
1378
-			Name:   "socketcall",
1379
-			Action: types.ActAllow,
1380
-			Args:   []*types.Arg{},
1381
-		},
1382
-		{
1383
-			Name:   "socketpair",
1384
-			Action: types.ActAllow,
1385
-			Args:   []*types.Arg{},
1386
-		},
1387
-		{
1388
-			Name:   "splice",
1389
-			Action: types.ActAllow,
1390
-			Args:   []*types.Arg{},
1391
-		},
1392
-		{
1393
-			Name:   "stat",
1394
-			Action: types.ActAllow,
1395
-			Args:   []*types.Arg{},
1396
-		},
1397
-		{
1398
-			Name:   "stat64",
1399
-			Action: types.ActAllow,
1400
-			Args:   []*types.Arg{},
1401
-		},
1402
-		{
1403
-			Name:   "statfs",
1404
-			Action: types.ActAllow,
1405
-			Args:   []*types.Arg{},
1406
-		},
1407
-		{
1408
-			Name:   "statfs64",
1409
-			Action: types.ActAllow,
1410
-			Args:   []*types.Arg{},
1411
-		},
1412
-		{
1413
-			Name:   "symlink",
1414
-			Action: types.ActAllow,
1415
-			Args:   []*types.Arg{},
1416
-		},
1417
-		{
1418
-			Name:   "symlinkat",
1419
-			Action: types.ActAllow,
1420
-			Args:   []*types.Arg{},
1421
-		},
1422
-		{
1423
-			Name:   "sync",
1424
-			Action: types.ActAllow,
1425
-			Args:   []*types.Arg{},
1426
-		},
1427
-		{
1428
-			Name:   "sync_file_range",
1429
-			Action: types.ActAllow,
1430
-			Args:   []*types.Arg{},
1431
-		},
1432
-		{
1433
-			Name:   "syncfs",
1434
-			Action: types.ActAllow,
1435
-			Args:   []*types.Arg{},
1436
-		},
1437
-		{
1438
-			Name:   "sysinfo",
1439
-			Action: types.ActAllow,
1440
-			Args:   []*types.Arg{},
1441
-		},
1442
-		{
1443
-			Name:   "syslog",
1444
-			Action: types.ActAllow,
1445
-			Args:   []*types.Arg{},
1446
-		},
1447
-		{
1448
-			Name:   "tee",
1449
-			Action: types.ActAllow,
1450
-			Args:   []*types.Arg{},
1451
-		},
1452
-		{
1453
-			Name:   "tgkill",
1454
-			Action: types.ActAllow,
1455
-			Args:   []*types.Arg{},
1456
-		},
1457
-		{
1458
-			Name:   "time",
1459
-			Action: types.ActAllow,
1460
-			Args:   []*types.Arg{},
1461
-		},
1462
-		{
1463
-			Name:   "timer_create",
1464
-			Action: types.ActAllow,
1465
-			Args:   []*types.Arg{},
1466
-		},
1467
-		{
1468
-			Name:   "timer_delete",
1469
-			Action: types.ActAllow,
1470
-			Args:   []*types.Arg{},
1471
-		},
1472
-		{
1473
-			Name:   "timerfd_create",
1474
-			Action: types.ActAllow,
1475
-			Args:   []*types.Arg{},
1476
-		},
1477
-		{
1478
-			Name:   "timerfd_gettime",
1479
-			Action: types.ActAllow,
1480
-			Args:   []*types.Arg{},
1481
-		},
1482
-		{
1483
-			Name:   "timerfd_settime",
1484
-			Action: types.ActAllow,
1485
-			Args:   []*types.Arg{},
1486
-		},
1487
-		{
1488
-			Name:   "timer_getoverrun",
1489
-			Action: types.ActAllow,
1490
-			Args:   []*types.Arg{},
1491
-		},
1492
-		{
1493
-			Name:   "timer_gettime",
1494
-			Action: types.ActAllow,
1495
-			Args:   []*types.Arg{},
1496
-		},
1497
-		{
1498
-			Name:   "timer_settime",
1499
-			Action: types.ActAllow,
1500
-			Args:   []*types.Arg{},
1501
-		},
1502
-		{
1503
-			Name:   "times",
1504
-			Action: types.ActAllow,
1505
-			Args:   []*types.Arg{},
1506
-		},
1507
-		{
1508
-			Name:   "tkill",
1509
-			Action: types.ActAllow,
1510
-			Args:   []*types.Arg{},
1511
-		},
1512
-		{
1513
-			Name:   "truncate",
1514
-			Action: types.ActAllow,
1515
-			Args:   []*types.Arg{},
1516
-		},
1517
-		{
1518
-			Name:   "truncate64",
893
+			Names: []string{
894
+				"breakpoint",
895
+				"cacheflush",
896
+				"set_tls",
897
+			},
1519 898
 			Action: types.ActAllow,
1520 899
 			Args:   []*types.Arg{},
900
+			Includes: types.Filter{
901
+				Arches: []string{"arm", "arm64"},
902
+			},
1521 903
 		},
1522 904
 		{
1523
-			Name:   "ugetrlimit",
905
+			Names: []string{
906
+				"arch_prctl",
907
+			},
1524 908
 			Action: types.ActAllow,
1525 909
 			Args:   []*types.Arg{},
910
+			Includes: types.Filter{
911
+				Arches: []string{"amd64", "x32"},
912
+			},
1526 913
 		},
1527 914
 		{
1528
-			Name:   "umask",
915
+			Names: []string{
916
+				"modify_ldt",
917
+			},
1529 918
 			Action: types.ActAllow,
1530 919
 			Args:   []*types.Arg{},
920
+			Includes: types.Filter{
921
+				Arches: []string{"amd64", "x32", "x86"},
922
+			},
1531 923
 		},
1532 924
 		{
1533
-			Name:   "uname",
925
+			Names: []string{
926
+				"s390_pci_mmio_read",
927
+				"s390_pci_mmio_write",
928
+				"s390_runtime_instr",
929
+			},
1534 930
 			Action: types.ActAllow,
1535 931
 			Args:   []*types.Arg{},
932
+			Includes: types.Filter{
933
+				Arches: []string{"s390", "s390x"},
934
+			},
1536 935
 		},
1537 936
 		{
1538
-			Name:   "unlink",
937
+			Names: []string{
938
+				"open_by_handle_at",
939
+			},
1539 940
 			Action: types.ActAllow,
1540 941
 			Args:   []*types.Arg{},
942
+			Includes: types.Filter{
943
+				Caps: []string{"CAP_DAC_READ_SEARCH"},
944
+			},
1541 945
 		},
1542 946
 		{
1543
-			Name:   "unlinkat",
947
+			Names: []string{
948
+				"bpf",
949
+				"clone",
950
+				"fanotify_init",
951
+				"lookup_dcookie",
952
+				"mount",
953
+				"name_to_handle_at",
954
+				"perf_event_open",
955
+				"setdomainname",
956
+				"sethostname",
957
+				"setns",
958
+				"umount",
959
+				"umount2",
960
+				"unshare",
961
+			},
1544 962
 			Action: types.ActAllow,
1545 963
 			Args:   []*types.Arg{},
964
+			Includes: types.Filter{
965
+				Caps: []string{"CAP_SYS_ADMIN"},
966
+			},
1546 967
 		},
1547 968
 		{
1548
-			Name:   "utime",
969
+			Names: []string{
970
+				"clone",
971
+			},
1549 972
 			Action: types.ActAllow,
1550
-			Args:   []*types.Arg{},
973
+			Args: []*types.Arg{
974
+				{
975
+					Index:    0,
976
+					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
977
+					ValueTwo: 0,
978
+					Op:       types.OpMaskedEqual,
979
+				},
980
+			},
981
+			Excludes: types.Filter{
982
+				Caps:   []string{"CAP_SYS_ADMIN"},
983
+				Arches: []string{"s390", "s390x"},
984
+			},
1551 985
 		},
1552 986
 		{
1553
-			Name:   "utimensat",
987
+			Names: []string{
988
+				"clone",
989
+			},
1554 990
 			Action: types.ActAllow,
1555
-			Args:   []*types.Arg{},
991
+			Args: []*types.Arg{
992
+				{
993
+					Index:    1,
994
+					Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
995
+					ValueTwo: 0,
996
+					Op:       types.OpMaskedEqual,
997
+				},
998
+			},
999
+			Comment: "s390 parameter ordering for clone is different",
1000
+			Includes: types.Filter{
1001
+				Arches: []string{"s390", "s390x"},
1002
+			},
1003
+			Excludes: types.Filter{
1004
+				Caps: []string{"CAP_SYS_ADMIN"},
1005
+			},
1556 1006
 		},
1557 1007
 		{
1558
-			Name:   "utimes",
1008
+			Names: []string{
1009
+				"reboot",
1010
+			},
1559 1011
 			Action: types.ActAllow,
1560 1012
 			Args:   []*types.Arg{},
1013
+			Includes: types.Filter{
1014
+				Caps: []string{"CAP_SYS_BOOT"},
1015
+			},
1561 1016
 		},
1562 1017
 		{
1563
-			Name:   "vfork",
1018
+			Names: []string{
1019
+				"chroot",
1020
+			},
1564 1021
 			Action: types.ActAllow,
1565 1022
 			Args:   []*types.Arg{},
1023
+			Includes: types.Filter{
1024
+				Caps: []string{"CAP_SYS_CHROOT"},
1025
+			},
1566 1026
 		},
1567 1027
 		{
1568
-			Name:   "vmsplice",
1028
+			Names: []string{
1029
+				"delete_module",
1030
+				"init_module",
1031
+				"finit_module",
1032
+				"query_module",
1033
+			},
1569 1034
 			Action: types.ActAllow,
1570 1035
 			Args:   []*types.Arg{},
1036
+			Includes: types.Filter{
1037
+				Caps: []string{"CAP_SYS_MODULE"},
1038
+			},
1571 1039
 		},
1572 1040
 		{
1573
-			Name:   "wait4",
1041
+			Names: []string{
1042
+				"acct",
1043
+			},
1574 1044
 			Action: types.ActAllow,
1575 1045
 			Args:   []*types.Arg{},
1046
+			Includes: types.Filter{
1047
+				Caps: []string{"CAP_SYS_PACCT"},
1048
+			},
1576 1049
 		},
1577 1050
 		{
1578
-			Name:   "waitid",
1051
+			Names: []string{
1052
+				"kcmp",
1053
+				"process_vm_readv",
1054
+				"process_vm_writev",
1055
+				"ptrace",
1056
+			},
1579 1057
 			Action: types.ActAllow,
1580 1058
 			Args:   []*types.Arg{},
1059
+			Includes: types.Filter{
1060
+				Caps: []string{"CAP_SYS_PTRACE"},
1061
+			},
1581 1062
 		},
1582 1063
 		{
1583
-			Name:   "waitpid",
1064
+			Names: []string{
1065
+				"iopl",
1066
+				"ioperm",
1067
+			},
1584 1068
 			Action: types.ActAllow,
1585 1069
 			Args:   []*types.Arg{},
1070
+			Includes: types.Filter{
1071
+				Caps: []string{"CAP_SYS_RAWIO"},
1072
+			},
1586 1073
 		},
1587 1074
 		{
1588
-			Name:   "write",
1075
+			Names: []string{
1076
+				"settimeofday",
1077
+				"stime",
1078
+				"adjtimex",
1079
+			},
1589 1080
 			Action: types.ActAllow,
1590 1081
 			Args:   []*types.Arg{},
1082
+			Includes: types.Filter{
1083
+				Caps: []string{"CAP_SYS_TIME"},
1084
+			},
1591 1085
 		},
1592 1086
 		{
1593
-			Name:   "writev",
1087
+			Names: []string{
1088
+				"vhangup",
1089
+			},
1594 1090
 			Action: types.ActAllow,
1595 1091
 			Args:   []*types.Arg{},
1596
-		},
1597
-	}
1598
-
1599
-	var sysCloneFlagsIndex uint
1600
-	var arch string
1601
-	var native, err = libseccomp.GetNativeArch()
1602
-	if err == nil {
1603
-		arch = native.String()
1604
-	}
1605
-	switch arch {
1606
-	case "arm", "arm64":
1607
-		syscalls = append(syscalls, []*types.Syscall{
1608
-			{
1609
-				Name:   "breakpoint",
1610
-				Action: types.ActAllow,
1611
-				Args:   []*types.Arg{},
1612
-			},
1613
-			{
1614
-				Name:   "cacheflush",
1615
-				Action: types.ActAllow,
1616
-				Args:   []*types.Arg{},
1617
-			},
1618
-			{
1619
-				Name:   "set_tls",
1620
-				Action: types.ActAllow,
1621
-				Args:   []*types.Arg{},
1622
-			},
1623
-		}...)
1624
-	case "amd64", "x32":
1625
-		syscalls = append(syscalls, []*types.Syscall{
1626
-			{
1627
-				Name:   "arch_prctl",
1628
-				Action: types.ActAllow,
1629
-				Args:   []*types.Arg{},
1092
+			Includes: types.Filter{
1093
+				Caps: []string{"CAP_SYS_TTY_CONFIG"},
1630 1094
 			},
1631
-		}...)
1632
-		fallthrough
1633
-	case "x86":
1634
-		syscalls = append(syscalls, []*types.Syscall{
1635
-			{
1636
-				Name:   "modify_ldt",
1637
-				Action: types.ActAllow,
1638
-				Args:   []*types.Arg{},
1639
-			},
1640
-		}...)
1641
-	case "s390", "s390x":
1642
-		syscalls = append(syscalls, []*types.Syscall{
1643
-			{
1644
-				Name:   "s390_pci_mmio_read",
1645
-				Action: types.ActAllow,
1646
-				Args:   []*types.Arg{},
1647
-			},
1648
-			{
1649
-				Name:   "s390_pci_mmio_write",
1650
-				Action: types.ActAllow,
1651
-				Args:   []*types.Arg{},
1652
-			},
1653
-			{
1654
-				Name:   "s390_runtime_instr",
1655
-				Action: types.ActAllow,
1656
-				Args:   []*types.Arg{},
1657
-			},
1658
-		}...)
1659
-		/* Flags parameter of the clone syscall is the 2nd on s390 */
1660
-		sysCloneFlagsIndex = 1
1661
-	}
1662
-
1663
-	capSysAdmin := false
1664
-
1665
-	var cap string
1666
-	for _, cap = range rs.Process.Capabilities {
1667
-		switch cap {
1668
-		case "CAP_DAC_READ_SEARCH":
1669
-			syscalls = append(syscalls, []*types.Syscall{
1670
-				{
1671
-					Name:   "open_by_handle_at",
1672
-					Action: types.ActAllow,
1673
-					Args:   []*types.Arg{},
1674
-				},
1675
-			}...)
1676
-		case "CAP_SYS_ADMIN":
1677
-			capSysAdmin = true
1678
-			syscalls = append(syscalls, []*types.Syscall{
1679
-				{
1680
-					Name:   "bpf",
1681
-					Action: types.ActAllow,
1682
-					Args:   []*types.Arg{},
1683
-				},
1684
-				{
1685
-					Name:   "clone",
1686
-					Action: types.ActAllow,
1687
-					Args:   []*types.Arg{},
1688
-				},
1689
-				{
1690
-					Name:   "fanotify_init",
1691
-					Action: types.ActAllow,
1692
-					Args:   []*types.Arg{},
1693
-				},
1694
-				{
1695
-					Name:   "lookup_dcookie",
1696
-					Action: types.ActAllow,
1697
-					Args:   []*types.Arg{},
1698
-				},
1699
-				{
1700
-					Name:   "mount",
1701
-					Action: types.ActAllow,
1702
-					Args:   []*types.Arg{},
1703
-				},
1704
-				{
1705
-					Name:   "name_to_handle_at",
1706
-					Action: types.ActAllow,
1707
-					Args:   []*types.Arg{},
1708
-				},
1709
-				{
1710
-					Name:   "perf_event_open",
1711
-					Action: types.ActAllow,
1712
-					Args:   []*types.Arg{},
1713
-				},
1714
-				{
1715
-					Name:   "setdomainname",
1716
-					Action: types.ActAllow,
1717
-					Args:   []*types.Arg{},
1718
-				},
1719
-				{
1720
-					Name:   "sethostname",
1721
-					Action: types.ActAllow,
1722
-					Args:   []*types.Arg{},
1723
-				},
1724
-				{
1725
-					Name:   "setns",
1726
-					Action: types.ActAllow,
1727
-					Args:   []*types.Arg{},
1728
-				},
1729
-				{
1730
-					Name:   "umount",
1731
-					Action: types.ActAllow,
1732
-					Args:   []*types.Arg{},
1733
-				},
1734
-				{
1735
-					Name:   "umount2",
1736
-					Action: types.ActAllow,
1737
-					Args:   []*types.Arg{},
1738
-				},
1739
-				{
1740
-					Name:   "unshare",
1741
-					Action: types.ActAllow,
1742
-					Args:   []*types.Arg{},
1743
-				},
1744
-			}...)
1745
-		case "CAP_SYS_BOOT":
1746
-			syscalls = append(syscalls, []*types.Syscall{
1747
-				{
1748
-					Name:   "reboot",
1749
-					Action: types.ActAllow,
1750
-					Args:   []*types.Arg{},
1751
-				},
1752
-			}...)
1753
-		case "CAP_SYS_CHROOT":
1754
-			syscalls = append(syscalls, []*types.Syscall{
1755
-				{
1756
-					Name:   "chroot",
1757
-					Action: types.ActAllow,
1758
-					Args:   []*types.Arg{},
1759
-				},
1760
-			}...)
1761
-		case "CAP_SYS_MODULE":
1762
-			syscalls = append(syscalls, []*types.Syscall{
1763
-				{
1764
-					Name:   "delete_module",
1765
-					Action: types.ActAllow,
1766
-					Args:   []*types.Arg{},
1767
-				},
1768
-				{
1769
-					Name:   "init_module",
1770
-					Action: types.ActAllow,
1771
-					Args:   []*types.Arg{},
1772
-				},
1773
-				{
1774
-					Name:   "finit_module",
1775
-					Action: types.ActAllow,
1776
-					Args:   []*types.Arg{},
1777
-				},
1778
-				{
1779
-					Name:   "query_module",
1780
-					Action: types.ActAllow,
1781
-					Args:   []*types.Arg{},
1782
-				},
1783
-			}...)
1784
-		case "CAP_SYS_PACCT":
1785
-			syscalls = append(syscalls, []*types.Syscall{
1786
-				{
1787
-					Name:   "acct",
1788
-					Action: types.ActAllow,
1789
-					Args:   []*types.Arg{},
1790
-				},
1791
-			}...)
1792
-		case "CAP_SYS_PTRACE":
1793
-			syscalls = append(syscalls, []*types.Syscall{
1794
-				{
1795
-					Name:   "kcmp",
1796
-					Action: types.ActAllow,
1797
-					Args:   []*types.Arg{},
1798
-				},
1799
-				{
1800
-					Name:   "process_vm_readv",
1801
-					Action: types.ActAllow,
1802
-					Args:   []*types.Arg{},
1803
-				},
1804
-				{
1805
-					Name:   "process_vm_writev",
1806
-					Action: types.ActAllow,
1807
-					Args:   []*types.Arg{},
1808
-				},
1809
-				{
1810
-					Name:   "ptrace",
1811
-					Action: types.ActAllow,
1812
-					Args:   []*types.Arg{},
1813
-				},
1814
-			}...)
1815
-		case "CAP_SYS_RAWIO":
1816
-			syscalls = append(syscalls, []*types.Syscall{
1817
-				{
1818
-					Name:   "iopl",
1819
-					Action: types.ActAllow,
1820
-					Args:   []*types.Arg{},
1821
-				},
1822
-				{
1823
-					Name:   "ioperm",
1824
-					Action: types.ActAllow,
1825
-					Args:   []*types.Arg{},
1826
-				},
1827
-			}...)
1828
-		case "CAP_SYS_TIME":
1829
-			syscalls = append(syscalls, []*types.Syscall{
1830
-				{
1831
-					Name:   "settimeofday",
1832
-					Action: types.ActAllow,
1833
-					Args:   []*types.Arg{},
1834
-				},
1835
-				{
1836
-					Name:   "stime",
1837
-					Action: types.ActAllow,
1838
-					Args:   []*types.Arg{},
1839
-				},
1840
-				{
1841
-					Name:   "adjtimex",
1842
-					Action: types.ActAllow,
1843
-					Args:   []*types.Arg{},
1844
-				},
1845
-			}...)
1846
-		case "CAP_SYS_TTY_CONFIG":
1847
-			syscalls = append(syscalls, []*types.Syscall{
1848
-				{
1849
-					Name:   "vhangup",
1850
-					Action: types.ActAllow,
1851
-					Args:   []*types.Arg{},
1852
-				},
1853
-			}...)
1854
-		}
1855
-	}
1856
-
1857
-	if !capSysAdmin {
1858
-		syscalls = append(syscalls, []*types.Syscall{
1859
-			{
1860
-				Name:   "clone",
1861
-				Action: types.ActAllow,
1862
-				Args: []*types.Arg{
1863
-					{
1864
-						Index:    sysCloneFlagsIndex,
1865
-						Value:    syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
1866
-						ValueTwo: 0,
1867
-						Op:       types.OpMaskedEqual,
1868
-					},
1869
-				},
1870
-			},
1871
-		}...)
1095
+		},
1872 1096
 	}
1873 1097
 
1874 1098
 	return &types.Seccomp{
1875 1099
 		DefaultAction: types.ActErrno,
1876
-		Architectures: arches(),
1100
+		ArchMap:       arches(),
1877 1101
 		Syscalls:      syscalls,
1878 1102
 	}
1879 1103
 }
... ...
@@ -5,6 +5,8 @@ package seccomp
5 5
 import (
6 6
 	"io/ioutil"
7 7
 	"testing"
8
+
9
+	"github.com/docker/docker/oci"
8 10
 )
9 11
 
10 12
 func TestLoadProfile(t *testing.T) {
... ...
@@ -12,7 +14,8 @@ func TestLoadProfile(t *testing.T) {
12 12
 	if err != nil {
13 13
 		t.Fatal(err)
14 14
 	}
15
-	if _, err := LoadProfile(string(f)); err != nil {
15
+	rs := oci.DefaultSpec()
16
+	if _, err := LoadProfile(string(f), &rs); err != nil {
16 17
 		t.Fatal(err)
17 18
 	}
18 19
 }
... ...
@@ -22,7 +25,8 @@ func TestLoadDefaultProfile(t *testing.T) {
22 22
 	if err != nil {
23 23
 		t.Fatal(err)
24 24
 	}
25
-	if _, err := LoadProfile(string(f)); err != nil {
25
+	rs := oci.DefaultSpec()
26
+	if _, err := LoadProfile(string(f), &rs); err != nil {
26 27
 		t.Fatal(err)
27 28
 	}
28 29
 }
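Review bot: Both tests still assert only that LoadProfile returns no error, so the capability- and architecture-based filtering that the new `rs` argument enables is never exercised — a loader that ignored `rs` entirely would pass. TestLoadDefaultProfile should also inspect the returned profile and check that a capability-gated syscall is absent for the default spec and present once the capability is appended to `rs.Process.Capabilities` (a `[]string`, per the removed loop in DefaultProfile); `reboot`, gated on CAP_SYS_BOOT in DefaultProfile, is a good candidate, assuming oci.DefaultSpec() does not grant that capability. The return type of LoadProfile is not visible here, so the sketch below presumes an OCI-style Seccomp whose Syscalls carry a Name; adjust the field access to match.
```go
	// … unchanged: read the default profile fixture into f …
	rs := oci.DefaultSpec()
	p, err := LoadProfile(string(f), &rs)
	if err != nil {
		t.Fatal(err)
	}
	if allows(p, "reboot") {
		t.Fatal("reboot allowed without CAP_SYS_BOOT")
	}
	rs.Process.Capabilities = append(rs.Process.Capabilities, "CAP_SYS_BOOT")
	if p, err = LoadProfile(string(f), &rs); err != nil {
		t.Fatal(err)
	}
	if !allows(p, "reboot") {
		t.Fatal("reboot not allowed with CAP_SYS_BOOT")
	}
}

// allows reports whether the loaded profile carries an allow rule for name.
func allows(p *specs.Seccomp, name string) bool {
	for _, sc := range p.Syscalls {
		if sc.Name == name {
			return true
		}
	}
	return false
}
```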