@@ -6,7 +6,7 @@ import (

 	"fmt"

 	"github.com/containerd/containerd/v2/pkg/apparmor"

-	aaprofile "github.com/docker/docker/profiles/apparmor"

+	aaprofile "github.com/moby/profiles/apparmor"

 )

 // Define constants for native driver

@@ -9,7 +9,7 @@ import (

 	"github.com/containerd/log"

 	dconfig "github.com/docker/docker/daemon/config"

 	"github.com/docker/docker/daemon/container"

-	"github.com/docker/docker/profiles/seccomp"

+	"github.com/moby/profiles/seccomp"

 	"github.com/opencontainers/runtime-spec/specs-go"

 )

@@ -8,8 +8,8 @@ import (

 	"github.com/docker/docker/daemon/container"

 	"github.com/docker/docker/oci"

 	"github.com/docker/docker/pkg/sysinfo"

-	"github.com/docker/docker/profiles/seccomp"

 	containertypes "github.com/moby/moby/api/types/container"

+	"github.com/moby/profiles/seccomp"

 	"github.com/opencontainers/runtime-spec/specs-go"

 	"gotest.tools/v3/assert"

 )

@@ -22,6 +22,7 @@ import (

 	"github.com/docker/docker/pkg/sysinfo"

 	"github.com/docker/docker/testutil"

 	"github.com/moby/moby/client"

+	"github.com/moby/profiles/seccomp"

 	"github.com/moby/sys/mount"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

@@ -1319,7 +1320,16 @@ func (s *DockerCLIRunSuite) TestRunApparmorProcDirectory(c *testing.T) {

 func (s *DockerCLIRunSuite) TestRunSeccompWithDefaultProfile(c *testing.T) {

 	testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)

-	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bookworm-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")

+	// write the default profile to a file

+	b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")

+	assert.NilError(c, err)

+

+	tmpDir := c.TempDir()

+	fileName := filepath.Join(tmpDir, "default.json")

+	err = os.WriteFile(fileName, b, 0o644)

+	assert.NilError(c, err)

+

+	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp="+fileName, "debian:bookworm-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")

 	assert.ErrorContains(c, err, "", out)

 	assert.Equal(c, strings.TrimSpace(out), "unshare: unshare failed: Operation not permitted")

 }

@@ -7,7 +7,7 @@ import (

 	"os"

 	"testing"

-	"github.com/docker/docker/profiles/seccomp"

+	"github.com/moby/profiles/seccomp"

 )

 func TestSeccompLoadProfile(t *testing.T) {

deleted file mode 100644

@@ -1,132 +0,0 @@

-//go:build linux

-

-package apparmor

-

-import (

-	"bufio"

-	"fmt"

-	"io"

-	"os"

-	"os/exec"

-	"path"

-	"strings"

-	"text/template"

-)

-

-// profileDirectory is the file store for apparmor profiles and macros.

-const profileDirectory = "/etc/apparmor.d"

-

-// profileData holds information about the given profile for generation.

-type profileData struct {

-	// Name is profile name.

-	Name string

-	// DaemonProfile is the profile name of our daemon.

-	DaemonProfile string

-	// Imports defines the apparmor functions to import, before defining the profile.

-	Imports []string

-	// InnerImports defines the apparmor functions to import in the profile.

-	InnerImports []string

-}

-

-// generateDefault creates an apparmor profile from ProfileData.

-func (p *profileData) generateDefault(out io.Writer) error {

-	compiled, err := template.New("apparmor_profile").Parse(baseTemplate)

-	if err != nil {

-		return err

-	}

-

-	if macroExists("tunables/global") {

-		p.Imports = append(p.Imports, "#include <tunables/global>")

-	} else {

-		p.Imports = append(p.Imports, "@{PROC}=/proc/")

-	}

-

-	if macroExists("abstractions/base") {

-		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")

-	}

-

-	return compiled.Execute(out, p)

-}

-

-// macroExists checks if the passed macro exists.

-func macroExists(m string) bool {

-	_, err := os.Stat(path.Join(profileDirectory, m))

-	return err == nil

-}

-

-// InstallDefault generates a default profile in a temp directory determined by

-// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.

-func InstallDefault(name string) error {

-	// Figure out the daemon profile.

-	daemonProfile := "unconfined"

-	if currentProfile, err := os.ReadFile("/proc/self/attr/current"); err == nil {

-		// Normally profiles are suffixed by " (enforcing)" or similar. AppArmor

-		// profiles cannot contain spaces so this doesn't restrict daemon profile

-		// names.

-		if profile, _, _ := strings.Cut(string(currentProfile), " "); profile != "" {

-			daemonProfile = profile

-		}

-	}

-

-	// Install to a temporary directory.

-	tmpFile, err := os.CreateTemp("", name)

-	if err != nil {

-		return err

-	}

-

-	defer func() {

-		_ = tmpFile.Close()

-		_ = os.Remove(tmpFile.Name())

-	}()

-

-	p := profileData{

-		Name:          name,

-		DaemonProfile: daemonProfile,

-	}

-	if err := p.generateDefault(tmpFile); err != nil {

-		return err

-	}

-

-	return loadProfile(tmpFile.Name())

-}

-

-// IsLoaded checks if a profile with the given name has been loaded into the

-// kernel.

-func IsLoaded(name string) (bool, error) {

-	return isLoaded(name, "/sys/kernel/security/apparmor/profiles")

-}

-

-func isLoaded(name string, fileName string) (bool, error) {

-	file, err := os.Open(fileName)

-	if err != nil {

-		return false, err

-	}

-	defer file.Close()

-

-	scanner := bufio.NewScanner(file)

-	for scanner.Scan() {

-		if prefix, _, ok := strings.Cut(scanner.Text(), " "); ok && prefix == name {

-			return true, nil

-		}

-	}

-

-	if err := scanner.Err(); err != nil {

-		return false, err

-	}

-

-	return false, nil

-}

-

-// loadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to

-// replace the profile. The `-K` is necessary to make sure that apparmor_parser

-// doesn't try to write to a read-only filesystem.

-func loadProfile(profilePath string) error {

-	c := exec.Command("apparmor_parser", "-Kr", profilePath)

-	c.Dir = ""

-

-	if output, err := c.CombinedOutput(); err != nil {

-		return fmt.Errorf("running '%s' failed with output: %s\nerror: %v", c, output, err)

-	}

-

-	return nil

-}

new file mode 100644

@@ -0,0 +1,21 @@

+//go:build linux

+

+package apparmor

+

+import "github.com/moby/profiles/apparmor"

+

+// InstallDefault generates a default profile in a temp directory determined by

+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.

+//

+// Deprecated: use [apparmor.InstallDefault].

+func InstallDefault(name string) error {

+	return apparmor.InstallDefault(name)

+}

+

+// IsLoaded checks if a profile with the given name has been loaded into the

+// kernel.

+//

+// Deprecated: use [apparmor.IsLoaded].

+func IsLoaded(name string) (bool, error) {

+	return apparmor.IsLoaded(name)

+}

deleted file mode 100644

@@ -1,197 +0,0 @@

-package apparmor

-

-import (

-	"errors"

-	"os"

-	"path"

-	"path/filepath"

-	"strings"

-	"testing"

-)

-

-// testAppArmorProfiles fixture "/sys/kernel/security/apparmor/profiles"

-// from an Ubuntu 24.10 host.

-const testAppArmorProfiles = `wpcom (unconfined)

-wike (unconfined)

-vpnns (unconfined)

-vivaldi-bin (unconfined)

-virtiofsd (unconfined)

-vdens (unconfined)

-uwsgi-core (unconfined)

-rsyslogd (enforce)

-/usr/lib/snapd/snap-confine (enforce)

-/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)

-tcpdump (enforce)

-man_groff (enforce)

-man_filter (enforce)

-/usr/bin/man (enforce)

-userbindmount (unconfined)

-unprivileged_userns (enforce)

-unix-chkpwd (enforce)

-ubuntu_pro_esm_cache_systemd_detect_virt (enforce)

-ubuntu_pro_esm_cache_systemctl (enforce)

-ubuntu_pro_esm_cache (enforce)

-ubuntu_pro_esm_cache//ubuntu_distro_info (enforce)

-ubuntu_pro_esm_cache//ps (enforce)

-ubuntu_pro_esm_cache//dpkg (enforce)

-ubuntu_pro_esm_cache//cloud_id (enforce)

-ubuntu_pro_esm_cache//apt_methods_gpgv (enforce)

-ubuntu_pro_esm_cache//apt_methods (enforce)

-ubuntu_pro_apt_news (enforce)

-tuxedo-control-center (unconfined)

-tup (unconfined)

-trinity (unconfined)

-transmission-qt (complain)

-transmission-gtk (complain)

-transmission-daemon (complain)

-transmission-cli (complain)

-toybox (unconfined)

-thunderbird (unconfined)

-systemd-coredump (unconfined)

-surfshark (unconfined)

-stress-ng (unconfined)

-steam (unconfined)

-slirp4netns (unconfined)

-slack (unconfined)

-signal-desktop (unconfined)

-scide (unconfined)

-sbuild-upgrade (unconfined)

-sbuild-update (unconfined)

-sbuild-unhold (unconfined)

-sbuild-shell (unconfined)

-sbuild-hold (unconfined)

-sbuild-distupgrade (unconfined)

-sbuild-destroychroot (unconfined)

-sbuild-createchroot (unconfined)

-sbuild-clean (unconfined)

-sbuild-checkpackages (unconfined)

-sbuild-apt (unconfined)

-sbuild-adduser (unconfined)

-sbuild-abort (unconfined)

-sbuild (unconfined)

-runc (unconfined)

-rssguard (unconfined)

-rpm (unconfined)

-rootlesskit (unconfined)

-qutebrowser (unconfined)

-qmapshack (unconfined)

-qcam (unconfined)

-privacybrowser (unconfined)

-polypane (unconfined)

-podman (unconfined)

-plasmashell (enforce)

-plasmashell//QtWebEngineProcess (enforce)

-pageedit (unconfined)

-opera (unconfined)

-opam (unconfined)

-obsidian (unconfined)

-nvidia_modprobe (enforce)

-nvidia_modprobe//kmod (enforce)

-notepadqq (unconfined)

-nautilus (unconfined)

-msedge (unconfined)

-mmdebstrap (unconfined)

-lxc-usernsexec (unconfined)

-lxc-unshare (unconfined)

-lxc-stop (unconfined)

-lxc-execute (unconfined)

-lxc-destroy (unconfined)

-lxc-create (unconfined)

-lxc-attach (unconfined)

-lsb_release (enforce)

-loupe (unconfined)

-linux-sandbox (unconfined)

-libcamerify (unconfined)

-lc-compliance (unconfined)

-keybase (unconfined)

-kchmviewer (unconfined)

-ipa_verify (unconfined)

-goldendict (unconfined)

-github-desktop (unconfined)

-geary (unconfined)

-foliate (unconfined)

-flatpak (unconfined)

-firefox (unconfined)

-evolution (unconfined)

-epiphany (unconfined)

-element-desktop (unconfined)

-devhelp (unconfined)

-crun (unconfined)

-vscode (unconfined)

-chromium (unconfined)

-chrome (unconfined)

-ch-run (unconfined)

-ch-checkns (unconfined)

-cam (unconfined)

-busybox (unconfined)

-buildah (unconfined)

-brave (unconfined)

-balena-etcher (unconfined)

-Xorg (complain)

-QtWebEngineProcess (unconfined)

-MongoDB Compass (unconfined)

-Discord (unconfined)

-1password (unconfined)

-`

-

-func TestIsLoaded(t *testing.T) {

-	tmpDir := t.TempDir()

-	profiles := path.Join(tmpDir, "apparmor_profiles")

-	if err := os.WriteFile(profiles, []byte(testAppArmorProfiles), 0o644); err != nil {

-		t.Fatal(err)

-	}

-	t.Run("loaded", func(t *testing.T) {

-		found, err := isLoaded("busybox", profiles)

-		if err != nil {

-			t.Fatal(err)

-		}

-		if !found {

-			t.Fatal("expected profile to be loaded")

-		}

-	})

-	t.Run("not loaded", func(t *testing.T) {

-		found, err := isLoaded("no-such-profile", profiles)

-		if err != nil {

-			t.Fatal(err)

-		}

-		if found {

-			t.Fatal("expected profile to not be loaded")

-		}

-	})

-	t.Run("error", func(t *testing.T) {

-		_, err := isLoaded("anything", path.Join(tmpDir, "no_such_file"))

-		if err == nil || !errors.Is(err, os.ErrNotExist) {

-			t.Fatalf("expected error to be os.ErrNotExist, got %v", err)

-		}

-	})

-}

-

-func createTestProfiles(b *testing.B, lines int, targetProfile string) string {

-	b.Helper()

-

-	var sb strings.Builder

-	for i := 0; i < lines-1; i++ {

-		sb.WriteString("someprofile (enforcing)\n")

-	}

-	sb.WriteString(targetProfile + " (enforcing)\n")

-

-	fileName := filepath.Join(b.TempDir(), "apparmor_profiles")

-	if err := os.WriteFile(fileName, []byte(sb.String()), 0o644); err != nil {

-		b.Fatal(err)

-	}

-	return fileName

-}

-

-func BenchmarkIsLoaded(b *testing.B) {

-	const target = "myprofile"

-	profiles := createTestProfiles(b, 10000, target)

-

-	b.ReportAllocs()

-	b.ResetTimer()

-	for i := 0; i < b.N; i++ {

-		found, err := isLoaded(target, profiles)

-		if err != nil || !found {

-			b.Fatalf("expected profile to be found, got found=%v, err=%v", found, err)

-		}

-	}

-}

deleted file mode 100644

@@ -1,59 +0,0 @@

-//go:build linux

-

-package apparmor

-

-// NOTE: This profile is replicated in containerd and libpod. If you make a

-//       change to this profile, please make follow-up PRs to those projects so

-//       that these rules can be synchronised (because any issue with this

-//       profile will likely affect libpod and containerd).

-// TODO: Move this to a common project so we can maintain it in one spot.

-

-// baseTemplate defines the default apparmor profile for containers.

-const baseTemplate = `

-{{range $value := .Imports}}

-{{$value}}

-{{end}}

-

-profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {

-{{range $value := .InnerImports}}

-  {{$value}}

-{{end}}

-

-  network,

-  capability,

-  file,

-  umount,

-  # Host (privileged) processes may send signals to container processes.

-  signal (receive) peer=unconfined,

-  # runc may send signals to container processes (for "docker stop").

-  signal (receive) peer=runc,

-  # crun may send signals to container processes (for "docker stop" when used with crun OCI runtime).

-  signal (receive) peer=crun,

-  # dockerd may send signals to container processes (for "docker kill").

-  signal (receive) peer={{.DaemonProfile}},

-  # Container processes may send signals amongst themselves.

-  signal (send,receive) peer={{.Name}},

-

-  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

-  # deny write to files not in /proc/<number>/** or /proc/sys/**

-  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9/]*}/** w,

-  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)

-  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/

-  deny @{PROC}/sysrq-trigger rwklx,

-  deny @{PROC}/kcore rwklx,

-

-  deny mount,

-

-  deny /sys/[^f]*/** wklx,

-  deny /sys/f[^s]*/** wklx,

-  deny /sys/fs/[^c]*/** wklx,

-  deny /sys/fs/c[^g]*/** wklx,

-  deny /sys/fs/cg[^r]*/** wklx,

-  deny /sys/firmware/** rwklx,

-  deny /sys/devices/virtual/powercap/** rwklx,

-  deny /sys/kernel/security/** rwklx,

-

-  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container

-  ptrace (trace,read,tracedby,readby) peer={{.Name}},

-}

-`

deleted file mode 100644

@@ -1,845 +0,0 @@

-{

-	"defaultAction": "SCMP_ACT_ERRNO",

-	"defaultErrnoRet": 1,

-	"archMap": [

-		{

-			"architecture": "SCMP_ARCH_X86_64",

-			"subArchitectures": [

-				"SCMP_ARCH_X86",

-				"SCMP_ARCH_X32"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_AARCH64",

-			"subArchitectures": [

-				"SCMP_ARCH_ARM"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_MIPS64",

-			"subArchitectures": [

-				"SCMP_ARCH_MIPS",

-				"SCMP_ARCH_MIPS64N32"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_MIPS64N32",

-			"subArchitectures": [

-				"SCMP_ARCH_MIPS",

-				"SCMP_ARCH_MIPS64"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_MIPSEL64",

-			"subArchitectures": [

-				"SCMP_ARCH_MIPSEL",

-				"SCMP_ARCH_MIPSEL64N32"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_MIPSEL64N32",

-			"subArchitectures": [

-				"SCMP_ARCH_MIPSEL",

-				"SCMP_ARCH_MIPSEL64"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_S390X",

-			"subArchitectures": [

-				"SCMP_ARCH_S390"

-			]

-		},

-		{

-			"architecture": "SCMP_ARCH_RISCV64",

-			"subArchitectures": null

-		}

-	],

-	"syscalls": [

-		{

-			"names": [

-				"accept",

-				"accept4",

-				"access",

-				"adjtimex",

-				"alarm",

-				"bind",

-				"brk",

-				"cachestat",

-				"capget",

-				"capset",

-				"chdir",

-				"chmod",

-				"chown",

-				"chown32",

-				"clock_adjtime",

-				"clock_adjtime64",

-				"clock_getres",

-				"clock_getres_time64",

-				"clock_gettime",

-				"clock_gettime64",

-				"clock_nanosleep",

-				"clock_nanosleep_time64",

-				"close",

-				"close_range",

-				"connect",

-				"copy_file_range",

-				"creat",

-				"dup",

-				"dup2",

-				"dup3",

-				"epoll_create",

-				"epoll_create1",

-				"epoll_ctl",

-				"epoll_ctl_old",

-				"epoll_pwait",

-				"epoll_pwait2",

-				"epoll_wait",

-				"epoll_wait_old",

-				"eventfd",

-				"eventfd2",

-				"execve",

-				"execveat",

-				"exit",

-				"exit_group",

-				"faccessat",

-				"faccessat2",

-				"fadvise64",

-				"fadvise64_64",

-				"fallocate",

-				"fanotify_mark",

-				"fchdir",

-				"fchmod",

-				"fchmodat",

-				"fchmodat2",

-				"fchown",

-				"fchown32",

-				"fchownat",

-				"fcntl",

-				"fcntl64",

-				"fdatasync",

-				"fgetxattr",

-				"flistxattr",

-				"flock",

-				"fork",

-				"fremovexattr",

-				"fsetxattr",

-				"fstat",

-				"fstat64",

-				"fstatat64",

-				"fstatfs",

-				"fstatfs64",

-				"fsync",

-				"ftruncate",

-				"ftruncate64",

-				"futex",

-				"futex_requeue",

-				"futex_time64",

-				"futex_wait",

-				"futex_waitv",

-				"futex_wake",

-				"futimesat",

-				"getcpu",

-				"getcwd",

-				"getdents",

-				"getdents64",

-				"getegid",

-				"getegid32",

-				"geteuid",

-				"geteuid32",

-				"getgid",

-				"getgid32",

-				"getgroups",

-				"getgroups32",

-				"getitimer",

-				"getpeername",

-				"getpgid",

-				"getpgrp",

-				"getpid",

-				"getppid",

-				"getpriority",

-				"getrandom",

-				"getresgid",

-				"getresgid32",

-				"getresuid",

-				"getresuid32",

-				"getrlimit",

-				"get_robust_list",

-				"getrusage",

-				"getsid",

-				"getsockname",

-				"getsockopt",

-				"get_thread_area",

-				"gettid",

-				"gettimeofday",

-				"getuid",

-				"getuid32",

-				"getxattr",

-				"getxattrat",

-				"inotify_add_watch",

-				"inotify_init",

-				"inotify_init1",

-				"inotify_rm_watch",

-				"io_cancel",

-				"ioctl",

-				"io_destroy",

-				"io_getevents",

-				"io_pgetevents",

-				"io_pgetevents_time64",

-				"ioprio_get",

-				"ioprio_set",

-				"io_setup",

-				"io_submit",

-				"ipc",

-				"kill",

-				"landlock_add_rule",

-				"landlock_create_ruleset",

-				"landlock_restrict_self",

-				"lchown",

-				"lchown32",

-				"lgetxattr",

-				"link",

-				"linkat",

-				"listen",

-				"listmount",

-				"listxattr",

-				"listxattrat",

-				"llistxattr",

-				"_llseek",

-				"lremovexattr",

-				"lseek",

-				"lsetxattr",

-				"lstat",

-				"lstat64",

-				"madvise",

-				"map_shadow_stack",

-				"membarrier",

-				"memfd_create",

-				"memfd_secret",

-				"mincore",

-				"mkdir",

-				"mkdirat",

-				"mknod",

-				"mknodat",

-				"mlock",

-				"mlock2",

-				"mlockall",

-				"mmap",

-				"mmap2",

-				"mprotect",

-				"mq_getsetattr",

-				"mq_notify",

-				"mq_open",

-				"mq_timedreceive",

-				"mq_timedreceive_time64",

-				"mq_timedsend",

-				"mq_timedsend_time64",

-				"mq_unlink",

-				"mremap",

-				"mseal",

-				"msgctl",

-				"msgget",

-				"msgrcv",

-				"msgsnd",

-				"msync",

-				"munlock",

-				"munlockall",

-				"munmap",

-				"name_to_handle_at",

-				"nanosleep",

-				"newfstatat",

-				"_newselect",

-				"open",

-				"openat",

-				"openat2",

-				"pause",

-				"pidfd_open",

-				"pidfd_send_signal",

-				"pipe",

-				"pipe2",

-				"pkey_alloc",

-				"pkey_free",

-				"pkey_mprotect",

-				"poll",

-				"ppoll",

-				"ppoll_time64",

-				"prctl",

-				"pread64",

-				"preadv",

-				"preadv2",

-				"prlimit64",

-				"process_mrelease",

-				"pselect6",

-				"pselect6_time64",

-				"pwrite64",

-				"pwritev",

-				"pwritev2",

-				"read",

-				"readahead",

-				"readlink",

-				"readlinkat",

-				"readv",

-				"recv",

-				"recvfrom",

-				"recvmmsg",

-				"recvmmsg_time64",

-				"recvmsg",

-				"remap_file_pages",

-				"removexattr",

-				"removexattrat",

-				"rename",

-				"renameat",

-				"renameat2",

-				"restart_syscall",

-				"riscv_hwprobe",

-				"rmdir",

-				"rseq",

-				"rt_sigaction",

-				"rt_sigpending",

-				"rt_sigprocmask",

-				"rt_sigqueueinfo",

-				"rt_sigreturn",

-				"rt_sigsuspend",

-				"rt_sigtimedwait",

-				"rt_sigtimedwait_time64",

-				"rt_tgsigqueueinfo",

-				"sched_getaffinity",

-				"sched_getattr",

-				"sched_getparam",

-				"sched_get_priority_max",

-				"sched_get_priority_min",

-				"sched_getscheduler",

-				"sched_rr_get_interval",

-				"sched_rr_get_interval_time64",

-				"sched_setaffinity",

-				"sched_setattr",

-				"sched_setparam",

-				"sched_setscheduler",

-				"sched_yield",

-				"seccomp",

-				"select",

-				"semctl",

-				"semget",

-				"semop",

-				"semtimedop",

-				"semtimedop_time64",

-				"send",

-				"sendfile",

-				"sendfile64",

-				"sendmmsg",

-				"sendmsg",

-				"sendto",

-				"setfsgid",

-				"setfsgid32",

-				"setfsuid",

-				"setfsuid32",

-				"setgid",

-				"setgid32",

-				"setgroups",

-				"setgroups32",

-				"setitimer",

-				"setpgid",

-				"setpriority",

-				"setregid",

-				"setregid32",

-				"setresgid",

-				"setresgid32",

-				"setresuid",

-				"setresuid32",

-				"setreuid",

-				"setreuid32",

-				"setrlimit",

-				"set_robust_list",

-				"setsid",

-				"setsockopt",

-				"set_thread_area",

-				"set_tid_address",

-				"setuid",

-				"setuid32",

-				"setxattr",

-				"setxattrat",

-				"shmat",

-				"shmctl",

-				"shmdt",

-				"shmget",

-				"shutdown",

-				"sigaltstack",

-				"signalfd",

-				"signalfd4",

-				"sigprocmask",

-				"sigreturn",

-				"socketcall",

-				"socketpair",

-				"splice",

-				"stat",

-				"stat64",

-				"statfs",

-				"statfs64",

-				"statmount",