├── README.md ├── alpine ├── alpine.aa └── alpine.sc ├── busybox ├── busybox.aa └── busybox.sc ├── traefik ├── traefik.aa └── traefik.sc ├── consul ├── consul.aa └── consul.sc ├── node ├── node.aa └── node.sc ├── vault ├── vault.aa └── vault.sc ├── redis ├── redis.aa └── redis.sc ├── memcached ├── memcached.aa └── memcached.sc ├── python ├── python.aa └── python.sc ├── prometheus ├── prometheus.aa └── prometheus.sc ├── ruby ├── ruby.sc └── ruby.aa ├── httpd ├── httpd.sc └── httpd.aa ├── nginx ├── nginx.aa └── nginx.sc ├── haproxy ├── haproxy.sc └── haproxy.aa ├── gitea ├── gitea.sc └── gitea.aa ├── tomcat ├── tomcat.sc └── tomcat.aa ├── grafana ├── grafana.sc └── grafana.aa ├── openjdk ├── openjdk.sc └── openjdk.aa ├── zookeeper ├── zookeeper.sc └── zookeeper.aa ├── wordpress └── wordpress.sc ├── juice-shop └── juice-shop.sc ├── mariadb └── mariadb.sc ├── elasticsearch └── elasticsearch.sc ├── postgres └── postgres.sc ├── cassandra └── cassandra.sc └── mysql └── mysql.sc /README.md: -------------------------------------------------------------------------------- 1 | # Docker AppArmor Profiles 2 | 3 | ## Description 4 | This repository contains a collection of AppArmor and Seccomp profiles for common Docker images. These profiles were automatically generated using [Armiel](https://archguardian.io/armiel/), a powerful tool from [ArchGuardian.io](https://archguardian.io/) that generates AppArmor and Seccomp profiles. 5 | 6 | ## Create your own 7 | You can build and try the program here - https://github.com/edenberger/archguardian. 8 | 9 | ## Additional profiles 10 | Feel free to contact us if you have a request for other open-source container images: contact@archguardian.io 11 | 12 | ## License 13 | All profiles are released under [BSD 0-Clause License (0BSD)](https://opensource.org/license/0bsd). 
14 |
--------------------------------------------------------------------------------
/alpine/alpine.aa:
--------------------------------------------------------------------------------
1 | profile alpine.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/bin/busybox rix,
7 |   /bin/busybox ix,  # ix: the program runs under this same profile
8 |   /proc/self/fd/* rw,
9 |   /proc/self/fd/ r,
10 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
11 |   /dev/ r,
12 |   /dev/null rw,
13 |   /dev/random rw,
14 |   / r,
15 |   /etc/passwd r,
16 |   /etc/ r,
17 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
18 |   /dev/mqueue rw,
19 |   /proc/self/ r,
20 |   /proc/self/fd rw,
21 |   /proc/self/setgroups r,
22 |   /proc/self/mountinfo r,
23 |   /dev/tty rw,
24 |   /dev/fd r,
25 |   /dev/shm/** rwk,
26 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
27 |   /proc/sys/net/ipv4/ r,
28 |   /dev/stderr r,
29 |   /proc/ r,
30 |   /etc/hostname r,
31 |   /proc/filesystems r,
32 |   /proc/self/uid_map r,
33 |   /dev/core r,
34 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
35 |   /proc/self/status r,
36 |   /dev/urandom rw,
37 |   /sys/ r,
38 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
39 |   /proc/self/attr/apparmor/ r,
40 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
41 |   /dev/full rw,
42 |   /dev/pts/ rw,
43 |   /sys/fs/ r,
44 |   /sys/fs/cgroup r,
45 |   /etc/group r,
46 |   /etc/resolv.conf r,
47 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
48 |   /sys/kernel/mm/transparent_hugepage/ r,
49 |   /sys/fs/cgroup/ r,
50 |   /proc/sys/kernel/ r,
51 |   /proc/sys/kernel/cap_last_cap r,
52 |   /etc/hosts r,
53 |   /dev/stdout r,
54 |   /dev/ptmx r,
55 |   /dev/stdin r,
56 |   /dev/zero rw,
57 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
58 | }
59 |
--------------------------------------------------------------------------------
/busybox/busybox.aa:
--------------------------------------------------------------------------------
1 | profile busybox.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /bin/sleep rix,
7 |   /lib/libc.so.6 rm,
8 |   /bin/sh rix,  # shell runs under this same profile (ix)
9 |   /lib/libresolv.so.2 rm,
10 |   /bin/echo rix,
11 |   /lib/libm.so.6 rm,
12 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
13 |
/run/** rwixk,  # (busybox.aa, continued) read, write, lock and inherit-exec for the whole /run tree
14 |   /lib/ r,
15 |   /sys/kernel/mm/transparent_hugepage/ r,
16 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
17 |   /proc/self/ r,
18 |   /proc/self/status r,
19 |   /dev/shm/** rwk,
20 |   /dev/ r,
21 |   /etc/ r,
22 |   /etc/hostname r,
23 |   /dev/urandom rw,
24 |   /proc/sys/kernel/cap_last_cap r,
25 |   /proc/sys/kernel/ r,
26 |   / r,
27 |   /etc/hosts r,
28 |   /etc/group r,
29 |   /dev/pts/ rw,
30 |   /sys/fs/cgroup r,
31 |   /sys/fs/cgroup/ r,
32 |   /usr/lib/libresolv.so.2 rm,
33 |   /sys/fs/ r,
34 |   /proc/self/setgroups r,
35 |   /proc/self/fd/* rw,
36 |   /proc/self/fd/ r,
37 |   /dev/null rw,
38 |   /usr/lib/libm.so.6 rm,
39 |   /etc/resolv.conf r,
40 |   /proc/self/uid_map r,
41 |   /proc/self/mountinfo r,
42 |   /sys/ r,
43 |   /dev/fd r,
44 |   /proc/self/fd rw,
45 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
46 |   /proc/sys/net/ipv4/ r,
47 |   /proc/ r,
48 |   /dev/stderr r,
49 |   /usr/lib/libc.so.6 rm,
50 |   /etc/passwd r,
51 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
52 |   /dev/stdout r,
53 |   /dev/full rw,
54 |   /dev/mqueue rw,
55 |   /dev/ptmx r,
56 |   /dev/random rw,
57 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
58 |   /proc/self/attr/apparmor/ r,
59 |   /dev/stdin r,
60 |   /proc/filesystems r,
61 |   /dev/core r,
62 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
63 |   /dev/zero rw,
64 |   /dev/tty rw,
65 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
66 | }
67 |
--------------------------------------------------------------------------------
/traefik/traefik.aa:
--------------------------------------------------------------------------------
1 | profile traefik.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/local/bin/traefik rix,
7 |   /entrypoint.sh rix,
8 |   /dev/null rw,
9 |   /etc/resolv.conf r,
10 |   /etc/traefik/traefik.yml r,
11 |   /etc/os-release r,
12 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
13 |   /proc/sys/net/core/somaxconn r,
14 |   /proc/*/cgroup r,  # * spans any PID, so other processes' entries are readable too
15 |   /proc/meminfo r,
16 |   /proc/*/stat r,
17 |   /proc/stat r,
18 |   /bin/busybox ix,  # ix: the program runs under this same profile
19 |   /etc/traefik/ rw,
20 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
21 |   / r,
22 |
/sys/fs/ r,  # (traefik.aa, continued)
23 |   /sys/fs/cgroup r,
24 |   /dev/shm/** rwk,
25 |   /proc/self/fd/ r,
26 |   /proc/self/fd/* rw,
27 |   /proc/ r,
28 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
29 |   /dev/zero rw,
30 |   /proc/*/ r,
31 |   /proc/sys/kernel/ r,
32 |   /proc/sys/kernel/cap_last_cap r,
33 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
34 |   /proc/sys/net/ipv4/ r,
35 |   /dev/random rw,
36 |   /dev/ r,
37 |   /etc/group r,
38 |   /etc/ r,
39 |   /dev/pts/ rw,
40 |   /proc/self/setgroups r,
41 |   /proc/self/ r,
42 |   /dev/mqueue rw,
43 |   /proc/self/status r,
44 |   /proc/sys/net/core/ r,
45 |   /etc/hosts r,
46 |   /run/ r,
47 |   /run/docker.sock rix,  # Docker API socket path; also matched by the /run/** rule on line 28; NOTE(review): confirm this container is meant to reach the daemon
48 |   /usr/local/sbin/traefik rix,
49 |   /dev/core r,
50 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
51 |   /proc/self/uid_map r,
52 |   /proc/filesystems r,
53 |   /sys/kernel/mm/transparent_hugepage/ r,
54 |   /etc/hostname r,
55 |   /dev/urandom rw,
56 |   /dev/stderr r,
57 |   /proc/self/fd rw,
58 |   /dev/fd r,
59 |   /dev/tty rw,
60 |   /dev/full rw,
61 |   /dev/stdout r,
62 |   /etc/passwd r,
63 |   /proc/self/mountinfo r,
64 |   /sys/fs/cgroup/ r,
65 |   /proc/self/cgroup r,
66 |   /sys/ r,
67 |   /dev/stdin r,
68 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
69 |   /dev/ptmx r,
70 |   /usr/local/bin/ r,
71 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
72 |   /proc/self/attr/apparmor/ r,
73 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
74 | }
75 |
--------------------------------------------------------------------------------
/consul/consul.aa:
--------------------------------------------------------------------------------
1 | profile consul.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /bin/consul rix,
7 |   /sbin/su-exec rix,  # su-exec runs under this same profile (ix)
8 |   /etc/group r,
9 |   /usr/bin/busybox rix,
10 |   /etc/passwd r,
11 |   /proc/sys/net/core/somaxconn r,
12 |   /usr/local/bin/docker-entrypoint.sh rix,
13 |   /consul/config/ rix,  # trailing slash: matches the directory itself; NOTE(review): exec permission on a directory rule - confirm intent
14 |   /proc/stat r,
15 |   /consul/data/node-id rw,
16 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
17 |   /consul/data/services/ rw,
18 |   /consul/data/ rw,
19 |   /usr/bin/dumb-init ix,
20 |   /bin/busybox ix,
21 |   /proc/sys/net/core/ r,
22 |   /run/**
rwixk,  # (consul.aa, continued) permissions of the /run/** rule: read, write, lock and inherit-exec
23 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
24 |   /proc/self/ r,
25 |   /proc/self/fd rw,
26 |   / r,
27 |   /proc/ r,
28 |   /consul/ r,
29 |   /sys/ r,
30 |   /sys/fs/cgroup/ r,
31 |   /sys/fs/cgroup r,
32 |   /sys/fs/ r,
33 |   /proc/self/fd/* rw,
34 |   /proc/self/fd/ r,
35 |   /bin/ r,
36 |   /proc/self/mountinfo r,
37 |   /proc/self/status r,
38 |   /dev/tty rw,
39 |   /etc/ r,
40 |   /dev/null rw,
41 |   /usr/local/bin/su-exec rix,
42 |   /etc/hostname r,
43 |   /dev/ r,
44 |   /dev/stdin r,
45 |   /usr/bin/su-exec rix,
46 |   /proc/self/attr/apparmor/ r,
47 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
48 |   /proc/self/setgroups r,
49 |   /sys/kernel/mm/transparent_hugepage/ r,
50 |   /etc/hosts r,
51 |   /proc/sys/kernel/cap_last_cap r,
52 |   /proc/sys/kernel/ r,
53 |   /dev/random rw,
54 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
55 |   /proc/sys/net/ipv4/ r,
56 |   /dev/mqueue rw,
57 |   /proc/self/uid_map r,
58 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
59 |   /dev/core r,
60 |   /etc/resolv.conf r,
61 |   /dev/full rw,
62 |   /usr/sbin/su-exec rix,
63 |   /usr/local/bin/ r,
64 |   /dev/shm/** rwk,
65 |   /proc/filesystems r,
66 |   /dev/stderr r,
67 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
68 |   /dev/ptmx r,
69 |   /dev/pts/ rw,
70 |   /usr/local/sbin/su-exec rix,
71 |   /usr/bin/consul rix,
72 |   /usr/local/sbin/consul rix,
73 |   /dev/fd r,
74 |   /dev/urandom rw,
75 |   /sbin/consul rix,
76 |   /dev/zero rw,
77 |   /dev/stdout r,
78 |   /usr/local/bin/consul rix,
79 |   /usr/sbin/consul rix,
80 |   /consul/data/services/* rw,
81 |   /consul/data/services/*b1e8bfa2d462b3adb06d49f*e5df03d7fd*a102fce8 w,  # NOTE(review): looks like a file name captured from one run; already matched by the /consul/data/services/* rule on line 80
82 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
83 | }
84 |
--------------------------------------------------------------------------------
/node/node.aa:
--------------------------------------------------------------------------------
1 | profile node.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/local/bin/node rixm,
7 |   /etc/ssl/openssl.cnf r,
8 |   /usr/lib/x86_64-linux-gnu/libpthread.so.0 rm,
9 |   /proc/*/maps r,  # * spans any PID, so other processes' memory maps are readable too
10 |   /sys/fs/cgroup/memory.high r,
11 |
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30 rm,  # (node.aa, continued) library paths carry exact version numbers, so they follow the image they were recorded on
12 |   /usr/local/bin/docker-entrypoint.sh rix,
13 |   /sys/fs/cgroup/memory.max r,
14 |   /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
15 |   /etc/ld.so.cache rm,
16 |   /proc/*/cgroup r,
17 |   /proc/version_signature r,
18 |   /proc/meminfo r,
19 |   /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
20 |   /usr/lib/x86_64-linux-gnu/libdl.so.2 rm,
21 |   /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 rm,
22 |   /usr/bin/dash ix,  # shell runs under this same profile (ix)
23 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
24 |   /dev/ r,
25 |   /dev/mqueue rw,
26 |   / r,
27 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
28 |   /proc/sys/net/ipv4/ r,
29 |   /proc/self/setgroups r,
30 |   /proc/self/ r,
31 |   /sys/fs/cgroup r,
32 |   /sys/fs/ r,
33 |   /usr/lib/x86_64-linux-gnu/ r,
34 |   /proc/sys/kernel/ r,
35 |   /proc/sys/kernel/cap_last_cap r,
36 |   /proc/ r,
37 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
38 |   /dev/full rw,
39 |   /dev/null rw,
40 |   /proc/self/status r,
41 |   /dev/urandom rw,
42 |   /sys/ r,
43 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
44 |   /proc/self/attr/apparmor/ r,
45 |   /dev/shm/** rwk,
46 |   /etc/passwd r,
47 |   /etc/ r,
48 |   /etc/group r,
49 |   /dev/pts/ rw,
50 |   /sys/fs/cgroup//memory.high r,  # same path as line 10 apart from the doubled slash
51 |   /sys/fs/cgroup/ r,
52 |   /etc/hosts r,
53 |   /proc/self/uid_map r,
54 |   /usr/local/bin/ r,
55 |   /proc/self/cgroup r,
56 |   /proc/self/fd rw,
57 |   /dev/fd r,
58 |   /proc/filesystems r,
59 |   /etc/ssl/ r,
60 |   /sys/kernel/mm/transparent_hugepage/ r,
61 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
62 |   /dev/tty rw,
63 |   /sys/fs/cgroup//memory.max r,  # same path as line 13 apart from the doubled slash
64 |   /etc/hostname r,
65 |   /dev/stdin r,
66 |   /proc/self/fd/* rw,
67 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
68 |   /dev/core r,
69 |   /dev/stderr r,
70 |   /proc/self/maps r,
71 |   /usr/local/sbin/node rix,
72 |   /dev/stdout r,
73 |   /dev/random rw,
74 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
75 |   /proc/self/fd/ r,
76 |   /etc/resolv.conf r,
77 |   /proc/self/mountinfo r,
78 |   /dev/ptmx r,
79 |   /dev/zero rw,
80 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
81 | }
82 |
--------------------------------------------------------------------------------
/vault/vault.aa:
--------------------------------------------------------------------------------
1 | profile vault.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/bin/busybox rix,
7 |   /bin/vault rix,
8 |   /proc/sys/net/core/somaxconn r,
9 |   /proc/stat r,
10 |   /sbin/su-exec rix,  # su-exec runs under this same profile (ix)
11 |   /etc/passwd r,
12 |   /usr/sbin/setcap rix,  # setcap runs under this same profile (ix)
13 |   /usr/lib/libcap.so.2.50 rixm,  # NOTE(review): exec permission on a shared library in addition to m - confirm intent
14 |   /etc/group r,
15 |   /dev/null rw,
16 |   /home/vault/.vault-token.tmp rw,
17 |   /home/vault/.cache/snowflake/ocsp_response_cache.json rwix,  # NOTE(review): exec permission on a writable JSON cache file - confirm intent
18 |   /usr/local/bin/docker-entrypoint.sh rix,
19 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
20 |   /vault/config/ rix,  # trailing slash: matches the directory itself; NOTE(review): exec permission on a directory rule - confirm intent
21 |   /bin/busybox ix,
22 |   /usr/bin/dumb-init ix,
23 |   /home/vault/.cache/snowflake/ rw,
24 |   /home/vault/.cache/ rw,
25 |   /home/vault/ rw,
26 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
27 |   /run/** rwk,  # read, write and lock for the whole /run tree (no exec in this profile)
28 |   /sys/kernel/mm/transparent_hugepage/ r,
29 |   /dev/ r,
30 |   / r,
31 |   /etc/ r,
32 |   /etc/hosts r,
33 |   /dev/core r,
34 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
35 |   /dev/stdin r,
36 |   /proc/self/fd/* rw,
37 |   /proc/self/mountinfo r,
38 |   /proc/self/ r,
39 |   /proc/self/fd rw,
40 |   /dev/fd r,
41 |   /proc/self/setgroups r,
42 |   /dev/shm/** rwk,
43 |   /sys/ r,
44 |   /proc/ r,
45 |   /proc/filesystems r,
46 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
47 |   /proc/self/attr/apparmor/ r,
48 |   /dev/tty rw,
49 |   /usr/local/bin/ r,
50 |   /proc/self/uid_map r,
51 |   /bin/ r,
52 |   /proc/sys/net/core/ r,
53 |   /dev/pts/ rw,
54 |   /usr/sbin/vault rix,
55 |   /dev/random rw,
56 |   /dev/full rw,
57 |   /dev/zero rw,
58 |   /vault/ r,
59 |   /etc/resolv.conf r,
60 |   /proc/self/status r,
61 |   /sbin/vault rix,
62 |   /dev/urandom rw,
63 |   /proc/sys/kernel/ r,
64 |   /proc/sys/kernel/cap_last_cap r,
65 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
66 |   /proc/sys/net/ipv4/ r,
67 |   /dev/mqueue rw,
68 |   /usr/lib/ r,
69 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
70 |   /dev/stderr r,
71 |   /usr/sbin/su-exec rix,
72 |   /usr/local/sbin/vault rix,
73 |   /vault/logs/ r,  # directory only; no rule in this profile covers files below it
74 |   /sys/fs/cgroup r,
75 |   /sys/fs/ r,
76 |
/home/vault/.vault-token w,  # (vault.aa, continued) token file is write-only here; no read rule for it in this profile
77 |   /usr/bin/su-exec rix,
78 |   /proc/self/fd/ r,
79 |   /vault/file/ r,  # directory only; no rule in this profile covers files below it
80 |   /usr/local/sbin/su-exec rix,
81 |   /usr/bin/vault rix,
82 |   /dev/stdout r,
83 |   /usr/local/bin/vault rix,
84 |   /dev/ptmx r,
85 |   /usr/local/bin/su-exec rix,
86 |   /etc/hostname r,
87 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
88 | }
89 |
--------------------------------------------------------------------------------
/redis/redis.aa:
--------------------------------------------------------------------------------
1 | profile redis.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/local/bin/redis-server rix,
7 |   /sys/kernel/mm/transparent_hugepage/enabled r,
8 |   /usr/bin/id rix,
9 |   /proc/filesystems r,
10 |   /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
11 |   /usr/bin/find rix,
12 |   /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 rm,
13 |   /usr/lib/x86_64-linux-gnu/libselinux.so.1 rm,
14 |   /usr/share/zoneinfo/Etc/UTC r,
15 |   /usr/lib/x86_64-linux-gnu/libssl.so.3 rm,
16 |   /usr/local/bin/docker-entrypoint.sh rix,
17 |   /usr/lib/x86_64-linux-gnu/libcrypto.so.3 rm,
18 |   /data/ rix,  # trailing slash: matches the directory itself; no rule in this profile covers files under /data
19 |   /etc/ld.so.cache rm,
20 |   /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
21 |   /usr/local/bin/gosu rix,  # gosu runs under this same profile (ix)
22 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
23 |   /etc/group r,
24 |   /etc/nsswitch.conf r,
25 |   /etc/passwd r,
26 |   /proc/*/stat r,
27 |   /proc/sys/vm/overcommit_memory r,
28 |   /sys/devices/system/clocksource/clocksource0/current_clocksource r,
29 |   /dev/urandom rw,
30 |   /proc/sys/net/core/somaxconn r,
31 |   /usr/bin/dash ix,  # shell runs under this same profile (ix)
32 |   /etc/ r,
33 |   /usr/lib/x86_64-linux-gnu/ r,
34 |   /proc/self/ r,
35 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
36 |   /proc/self/uid_map r,
37 |   /dev/full rw,
38 |   /dev/stdout r,
39 |   /proc/self/fd/* rw,
40 |   /sys/kernel/mm/transparent_hugepage/ r,
41 |   /dev/ r,
42 |   /dev/null rw,
43 |   /dev/shm/** rwk,
44 |   /run/** rwk,  # read, write and lock for the whole /run tree (no exec in this profile)
45 |   /dev/ptmx r,
46 |   / r,
47 |   /dev/tty rw,
48 |   /proc/self/mountinfo r,
49 |   /proc/sys/kernel/cap_last_cap r,
50 |   /proc/sys/kernel/ r,
51 |   /dev/fd r,
52 |
/proc/self/fd rw,  # (redis.aa, continued)
53 |   /usr/local/sbin/redis-server rix,
54 |   /proc/ r,
55 |   /usr/local/bin/ r,
56 |   /proc/self/setgroups r,
57 |   /dev/mqueue rw,
58 |   /sys/ r,
59 |   /dev/pts/ rw,
60 |   /sys/fs/cgroup r,
61 |   /sys/fs/ r,
62 |   /proc/sys/vm/ r,
63 |   /proc/self/fd/ r,
64 |   /proc/sys/net/core/ r,
65 |   /sys/devices/system/clocksource/clocksource0/ r,
66 |   /etc/hosts r,
67 |   /dev/random rw,
68 |   /proc/self/status r,
69 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
70 |   /proc/self/attr/apparmor/ r,
71 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
72 |   /proc/sys/net/ipv4/ r,
73 |   /dev/stderr r,
74 |   /etc/resolv.conf r,
75 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
76 |   /dev/stdin r,
77 |   /dev/core r,
78 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
79 |   /etc/hostname r,
80 |   /proc/self/stat r,
81 |   /dev/zero rw,
82 |   /usr/local/sbin/gosu rix,
83 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
84 | }
85 |
--------------------------------------------------------------------------------
/memcached/memcached.aa:
--------------------------------------------------------------------------------
1 | profile memcached.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/local/bin/memcached rix,
7 |   /usr/local/bin/docker-entrypoint.sh rix,
8 |   /proc/*/task/11/comm rw,  # thread IDs 7-15 are written literally in these task rules; NOTE(review): presumably captured from one run - confirm they are stable or replace with a glob
9 |   /proc/*/task/12/comm rw,
10 |   /proc/*/task/7/comm rw,
11 |   /proc/*/task/15/comm rw,
12 |   /proc/*/task/9/comm rw,
13 |   /proc/*/task/13/comm rw,
14 |   /proc/*/task/14/comm rw,
15 |   /etc/gai.conf r,
16 |   /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
17 |   /usr/lib/x86_64-linux-gnu/libcrypto.so.3 rm,
18 |   /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25 rm,
19 |   /etc/ld.so.cache rm,
20 |   /proc/*/task/8/comm rw,
21 |   /usr/lib/x86_64-linux-gnu/libssl.so.3 rm,
22 |   /proc/*/task/10/comm rw,
23 |   /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7.0.1 rm,
24 |   /usr/bin/dash ix,  # shell runs under this same profile (ix)
25 |   /usr/lib/x86_64-linux-gnu/ r,
26 |   /proc/self/task/13/comm rw,
27 |   /proc/self/task/13/ r,
28 |   / r,
29 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
30 |   /dev/mqueue rw,
31 |   /dev/ r,
32 |   /sys/ r,
33 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
34 |   /etc/hosts r,  # (memcached.aa, continued)
35 |   /etc/ r,
36 |   /proc/self/ r,
37 |   /proc/self/setgroups r,
38 |   /etc/resolv.conf r,
39 |   /proc/self/status r,
40 |   /etc/passwd r,
41 |   /dev/shm/** rwk,
42 |   /proc/sys/kernel/ r,
43 |   /proc/sys/kernel/cap_last_cap r,
44 |   /proc/sys/net/ipv4/ r,
45 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
46 |   /dev/null rw,
47 |   /dev/pts/ rw,
48 |   /dev/urandom rw,
49 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
50 |   /dev/full rw,
51 |   /usr/local/bin/ r,
52 |   /proc/self/mountinfo r,
53 |   /proc/self/fd/* rw,
54 |   /dev/stdin r,
55 |   /proc/self/fd rw,
56 |   /sys/fs/cgroup r,
57 |   /sys/fs/ r,
58 |   /proc/filesystems r,
59 |   /proc/ r,
60 |   /dev/tty rw,
61 |   /proc/self/attr/apparmor/ r,
62 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
63 |   /proc/self/task/9/ r,  # literal thread ID, as in the other task rules; NOTE(review): presumably captured from one run - confirm
64 |   /proc/self/task/9/comm rw,
65 |   /dev/fd r,
66 |   /proc/self/task/11/comm rw,
67 |   /proc/self/task/11/ r,
68 |   /proc/self/task/14/comm rw,
69 |   /proc/self/task/14/ r,
70 |   /proc/self/fd/ r,
71 |   /etc/group r,
72 |   /proc/self/uid_map r,
73 |   /dev/stderr r,
74 |   /dev/core r,
75 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
76 |   /etc/hostname r,
77 |   /sys/fs/cgroup/ r,
78 |   /proc/self/task/7/comm rw,
79 |   /proc/self/task/7/ r,
80 |   /proc/self/task/8/ r,
81 |   /proc/self/task/8/comm rw,
82 |   /usr/local/sbin/memcached rix,
83 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
84 |   /sys/kernel/mm/transparent_hugepage/ r,
85 |   /dev/zero rw,
86 |   /proc/self/task/12/comm rw,
87 |   /proc/self/task/12/ r,
88 |   /proc/self/task/10/comm rw,
89 |   /proc/self/task/10/ r,
90 |   /dev/random rw,
91 |   /dev/stdout r,
92 |   /dev/ptmx r,
93 |   /proc/self/task/15/comm rw,
94 |   /proc/self/task/15/ r,
95 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
96 | }
97 |
--------------------------------------------------------------------------------
/python/python.aa:
--------------------------------------------------------------------------------
1 | profile python.aa flags=(attach_disconnected) {  # attach_disconnected: paths disconnected from the namespace are attached to / for matching
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /usr/share/zoneinfo/Etc/UTC r,
7 |
/usr/lib/x86_64-linux-gnu/libm.so.6 rm,  # (python.aa, continued)
8 |   /etc/ld.so.cache rm,
9 |   /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
10 |   /proc/sys/vm/overcommit_memory r,
11 |   /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache rm,
12 |   /usr/lib/locale/C.utf8/LC_CTYPE rm,
13 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
14 |   / r,
15 |   /proc/self/mountinfo r,
16 |   /proc/self/ r,
17 |   /usr/lib/x86_64-linux-gnu/ r,
18 |   /proc/sys/net/ipv4/ r,
19 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
20 |   /dev/ r,
21 |   /etc/group r,
22 |   /etc/ r,
23 |   /dev/mqueue rw,
24 |   /sys/fs/ r,
25 |   /sys/fs/cgroup r,
26 |   /usr/lib/x86_64-linux-gnu/libseccomp.so.2.5.4 rm,
27 |   /proc/sys/kernel/ r,
28 |   /proc/sys/kernel/cap_last_cap r,
29 |   /usr/local/lib/ r,
30 |   /etc/hosts r,
31 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
32 |   /proc/self/uid_map r,
33 |   /proc/self/status r,
34 |   /usr/lib/locale/C.utf8/ r,
35 |   /sys/ r,
36 |   /proc/self/fd rw,
37 |   /sys/fs/cgroup/ r,
38 |   /dev/null rw,
39 |   /proc/sys/vm/ r,
40 |   /dev/pts/ rw,
41 |   /dev/stdout r,
42 |   /proc/self/fd/* rw,
43 |   /etc/hostname r,
44 |   /proc/self/setgroups r,
45 |   /dev/shm/** rwk,
46 |   /dev/urandom rw,
47 |   /proc/self/attr/apparmor/ r,
48 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
49 |   /dev/fd r,
50 |   /proc/ r,
51 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
52 |   /dev/core r,
53 |   /dev/stderr r,
54 |   /dev/tty rw,
55 |   /etc/resolv.conf r,
56 |   /etc/passwd r,
57 |   /dev/random rw,
58 |   /proc/filesystems r,
59 |   /usr/lib/x86_64-linux-gnu/gconv/ r,
60 |   /proc/self/oom_score_adj rw,
61 |   /dev/stdin r,
62 |   /dev/zero rw,
63 |   /proc/self/fd/ r,
64 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
65 |   /sys/kernel/mm/transparent_hugepage/ r,
66 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
67 |   /dev/full rw,
68 |   /dev/ptmx r,
69 |   /proc/self/exe r,
70 |   /usr/local/lib/*.13/linecache.py r,  # only the individual modules listed here are readable; other standard-library files have no rule in this profile
71 |   /usr/local/lib/*.13/encodings/aliases.py r,
72 |   /usr/local/lib/*.13/encodings/utf_8.py r,
73 |   /usr/local/lib/*.13/encodings/ rix,
74 |   /usr/local/lib/lib*.13.so.1.0 rm,
75 |   /usr/local/lib/*.13/encodings/__init__.py r,
76 |
/usr/local/lib/*.13/site-packages/ rix,  # (python.aa, continued) trailing slash: matches the directory itself, not the packages below it
77 |   /usr/local/lib/*.13/lib-dynload/ rix,
78 |   /usr/local/lib/*.13/ rix,
79 |   /usr/local/lib/*.13/encodings/__pycache__/ rw,  # bytecode cache directories and files are writable
80 |   /usr/local/lib/*.13/__pycache__/ rw,
81 |   /usr/local/lib/*.13/encodings/__pycache__/* rw,
82 |   /usr/local/lib/*.13/encodings/__pycache__/utf_8.cpython-313.pyc.* rw,  # already matched by the encodings/__pycache__/* rule on line 81
83 |   /usr/local/lib/*.13/__pycache__/linecache.cpython-313.pyc.* rw,
84 |   /usr/local/lib/*.13/encodings/__pycache__/__init__.cpython-313.pyc.* rw,
85 |   /usr/local/lib/*.13/__pycache__/linecache.cpython-*.pyc rw,
86 |   /usr/local/lib/*.13/encodings/__pycache__/aliases.cpython-*.pyc rw,
87 |   /usr/local/lib/*.13/encodings/__pycache__/utf_8.cpython-*.pyc rw,
88 |   /usr/local/lib/*.13/encodings/__pycache__/__init__.cpython-*.pyc rw,
89 |   /usr/local/bin/*.* rix,  # glob: any file in /usr/local/bin whose name contains a dot may be executed under this profile
90 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
91 | }
92 |
--------------------------------------------------------------------------------
/alpine/alpine.sc:
--------------------------------------------------------------------------------
1 | {
2 |   "defaultAction": "SCMP_ACT_ERRNO",
3 |   "defaultErrnoRet": 1,
4 |   "archMap": [
5 |     {
6 |       "architecture": "SCMP_ARCH_X86_64",
7 |       "subArchitectures": [
8 |         "SCMP_ARCH_X86",
9 |         "SCMP_ARCH_X32"
10 |       ]
11 |     }
12 |   ],
13 |   "syscalls": [
14 |     {
15 |       "names": [
16 |         "getsockname",
17 |         "pread64",
18 |         "accept4",
19 |         "epoll_create1",
20 |         "stat",
21 |         "dup3",
22 |         "listen",
23 |         "seccomp",
24 |         "fstatfs",
25 |         "nanosleep",
26 |         "gettid",
27 |         "faccessat",
28 |         "fchdir",
29 |         "rt_sigprocmask",
30 |         "accept",
31 |         "clone3",
32 |         "prctl",
33 |         "munmap",
34 |         "set_tid_address",
35 |         "unshare",
36 |         "unlinkat",
37 |         "sendto",
38 |         "close",
39 |         "fstat",
40 |         "set_robust_list",
41 |         "setgroups",
42 |         "sigaltstack",
43 |         "mknodat",
44 |         "capget",
45 |         "setuid",
46 |         "mount",
47 |         "umount2",
48 |         "sched_getaffinity",
49 |         "mkdirat",
50 |         "sched_yield",
51 |         "pipe2",
52 |         "madvise",
53 |         "bind",
54 |         "tgkill",
55 |         "chdir",
56 |         "mmap",
57 |         "faccessat2",
58 |         "umask",
59 |         "pread",
60 |         "rseq",
61 |         "getppid",
62 |         "openat",
63 |         "sethostname",
64 |         "keyctl",
65 |         "getrlimit",
66 |         "capset",
67 |         "arch_prctl",
68 |         "clone",
69 |         "mkdir",
70 |         "write",
71 |         "geteuid",
72 |         "readlinkat",
73 |         "getdents64",
74 |         "poll",
75 |         "recvfrom",
76 |         "symlinkat",
77 |         "socket",
78 |         "rt_sigreturn",
79 |         "setgid",
80 |         "setsid",
81 |         "recv",
82 |         "getuid",
83 |         "recvmsg",
84 |         "rt_sigaction",
85 |         "statfs",
86 |         "brk",
87 |         "getpid",
88 |         "getcwd",
89 |         "epoll_pwait",
90 |         "futex",
91 |         "pivot_root",
92 |         "newfstatat",
93 |         "read",
94 |         "fchownat",
95 |         "epoll_ctl",
96 |         "exit_group",
97 |         "fcntl",
98 |         "execve",
99 |         "mprotect"
100 |       ],
101 |       "action": "SCMP_ACT_ALLOW"
102 |     }
103 |   ]
104 | }
--------------------------------------------------------------------------------
/prometheus/prometheus.aa:
--------------------------------------------------------------------------------
1 | profile promprometheus.aa flags=(attach_disconnected) {  # NOTE(review): profile name is promprometheus.aa while the file is prometheus.aa; the name on this line is the one that gets loaded and must be referenced
2 |   signal,  # bare rule: every signal operation is allowed
3 |   ptrace,  # bare rule: every ptrace operation is allowed
4 |   network,  # bare rule: every address family and socket type is allowed
5 |   capability,  # bare rule: every capability is allowed; NOTE(review): list only those the image needs
6 |   /bin/prometheus rix,
7 |   /etc/prometheus/prometheus.yml r,
8 |   /sys/kernel/mm/hugepages rix,
9 |   /etc/localtime r,
10 |   /sys/fs/cgroup/hugetlb.1GB.current r,
11 |   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
12 |   /proc/sys/net/core/somaxconn r,
13 |   /prometheus/queries.active rwm,
14 |   /sys/fs/cgroup/rdma.current r,
15 |   /prometheus/chunks_head/ rwix,  # trailing slash: matches the directory itself; NOTE(review): exec permission on a writable data directory rule - confirm intent
16 |   /etc/nsswitch.conf r,
17 |   /sys/fs/cgroup/cpu.stat r,
18 |   /sys/fs/cgroup/memory.swap.max r,
19 |   /etc/resolv.conf r,
20 |   /sys/fs/cgroup/memory.current r,
21 |   /prometheus/ rwix,
22 |   /proc/*/net/netstat r,  # * spans any PID, so other processes' entries are readable too
23 |   /sys/fs/cgroup/io.pressure r,
24 |   /sys/fs/cgroup/memory.max r,
25 |   /sys/fs/cgroup/memory.pressure r,
26 |   /etc/passwd r,
27 |   /proc/*/stat r,
28 |   /sys/fs/cgroup/pids.current r,
29 |   /prometheus/lock rwk,
30 |   /proc/*/limits r,
31 |   /sys/fs/cgroup/cpu.max r,
32 |   /proc/*/cgroup r,
33 |   /sys/fs/cgroup/hugetlb.1GB.max r,
34 |   /sys/fs/cgroup/hugetlb.2MB.max r,
35 |   /sys/fs/cgroup/io.stat r,
36 |
/sys/fs/cgroup/cpu.pressure r,  # (prometheus.aa, continued; the profile is declared as promprometheus.aa on its first line)
37 |   /sys/fs/cgroup/memory.stat r,
38 |   /proc/stat r,
39 |   /prometheus/wal/ rwix,  # trailing slash: matches the directory itself; NOTE(review): exec permission on a writable data directory rule - confirm intent
40 |   /etc/hosts r,
41 |   /proc/*/mountinfo r,
42 |   /sys/fs/cgroup/memory.events r,
43 |   /sys/fs/cgroup/hugetlb.2MB.current r,
44 |   /sys/fs/cgroup/cgroup.controllers r,
45 |   /sys/fs/cgroup/rdma.max r,
46 |   /sys/fs/cgroup/pids.max r,
47 |   /proc/*/fd rix,  # * spans any PID
48 |   /sys/fs/cgroup/memory.swap.current r,
49 |   /sys/fs/cgroup/ r,
50 |   /sys/fs/ r,
51 |   /sys/fs/cgroup r,
52 |   /usr/sbin/runc ix,  # NOTE(review): runtime binary; presumably recorded during container start-up - confirm
53 |   / r,
54 |   /sys/ r,
55 |   /proc/self/attr/apparmor/ r,
56 |   /proc/self/attr/apparmor/exec rw,  # procfs interface used to request a profile change on exec
57 |   /bin/ r,
58 |   /run/** rwixk,  # read, write, lock and inherit-exec for the whole /run tree
59 |   /dev/stderr r,
60 |   /proc/self/fd/* rw,
61 |   /proc/self/ r,
62 |   /proc/self/uid_map r,
63 |   /etc/ r,
64 |   /proc/*/net/ r,
65 |   /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
66 |   /dev/ r,
67 |   /dev/mqueue rw,
68 |   /dev/null rw,
69 |   /sys/kernel/mm/hugepages/ r,
70 |   /proc/*/ r,
71 |   /proc/sys/net/ipv4/ r,
72 |   /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
73 |   /lib/x86_64-linux-gnu/ r,
74 |   /lib/x86_64-linux-gnu/libc.so.6 r,
75 |   /sys/kernel/mm/transparent_hugepage/ r,
76 |   /proc/self/mountinfo r,
77 |   /dev/urandom rw,
78 |   /proc/sys/kernel/ r,
79 |   /proc/sys/kernel/cap_last_cap r,
80 |   /proc/self/exe r,
81 |   /proc/sys/net/core/ r,
82 |   /proc/self/setgroups r,
83 |   /proc/self/fd rw,
84 |   /dev/pts/ rw,
85 |   /proc/ r,
86 |   /dev/core r,
87 |   /proc/kcore w,  # NOTE(review): write access to /proc/kcore; confirm it is needed, otherwise drop
88 |   /proc/self/status r,
89 |   /etc/prometheus/ r,
90 |   /lib/x86_64-linux-gnu/libseccomp.so.2 rm,
91 |   /dev/shm/** rwk,
92 |   /proc/filesystems r,
93 |   /dev/stdin r,
94 |   /proc/self/cgroup r,
95 |   /dev/stdout r,
96 |   /etc/hostname r,
97 |   /proc/sys/net/ipv4/ping_group_range rw,  # sysctl opened read-write; NOTE(review): presumably set at container start-up - confirm
98 |   /etc/group r,
99 |   /dev/full rw,
100 |   /proc/self/oom_score_adj rw,
101 |   /etc/ld.so.cache rm,
102 |   /dev/random rw,
103 |   /dev/ptmx r,
104 |   /proc/self/fd/ r,
105 |   /dev/zero rw,
106 |   /dev/fd r,
107 |   /dev/tty rw,
108 |   /usr/lib/x86_64-linux-gnu/libseccomp.so.2.5.5 rm,
109 |   /prometheus/wal/* rw,  # single *: files directly in wal/ only, not in subdirectories
110 |   /tmp/ r,  # directory listing only; no rule here covers files under /tmp
111 | }
112 | -------------------------------------------------------------------------------- /busybox/busybox.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "write", 17 | "rt_sigaction", 18 | "fchdir", 19 | "readlinkat", 20 | "getrlimit", 21 | "clone", 22 | "sched_yield", 23 | "getsockname", 24 | "getdents64", 25 | "setgroups", 26 | "getpid", 27 | "statfs", 28 | "rseq", 29 | "recvmsg", 30 | "mknodat", 31 | "nanosleep", 32 | "futex", 33 | "sigaltstack", 34 | "capget", 35 | "seccomp", 36 | "set_tid_address", 37 | "fstatfs", 38 | "pread", 39 | "unshare", 40 | "faccessat", 41 | "fcntl", 42 | "symlinkat", 43 | "pipe2", 44 | "getppid", 45 | "exit_group", 46 | "prctl", 47 | "prlimit64", 48 | "set_robust_list", 49 | "unlinkat", 50 | "munmap", 51 | "read", 52 | "close", 53 | "execve", 54 | "sethostname", 55 | "openat", 56 | "prlimit", 57 | "sendto", 58 | "setgid", 59 | "epoll_create1", 60 | "rt_sigprocmask", 61 | "umask", 62 | "geteuid", 63 | "sched_getaffinity", 64 | "brk", 65 | "poll", 66 | "umount2", 67 | "accept4", 68 | "accept", 69 | "newfstatat", 70 | "setsid", 71 | "pread64", 72 | "setuid", 73 | "listen", 74 | "getrandom", 75 | "keyctl", 76 | "mkdir", 77 | "getcwd", 78 | "fstat", 79 | "clock_nanosleep", 80 | "rt_sigreturn", 81 | "tgkill", 82 | "arch_prctl", 83 | "mkdirat", 84 | "mmap", 85 | "chdir", 86 | "mount", 87 | "faccessat2", 88 | "pivot_root", 89 | "epoll_ctl", 90 | "mprotect", 91 | "capset", 92 | "madvise", 93 | "gettid", 94 | "recv", 95 | "socket", 96 | "access", 97 | "epoll_pwait", 98 | "recvfrom", 99 | "dup3", 100 | "fchownat", 101 | "clone3", 102 | "bind", 103 | "getuid" 104 | ], 105 | "action": "SCMP_ACT_ALLOW" 106 | } 107 | ] 108 | } 
-------------------------------------------------------------------------------- /ruby/ruby.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "tgkill", 17 | "munmap", 18 | "capset", 19 | "futex", 20 | "exit_group", 21 | "epoll_wait", 22 | "pread", 23 | "fstat", 24 | "recvfrom", 25 | "fchdir", 26 | "nanosleep", 27 | "sched_yield", 28 | "sched_getaffinity", 29 | "poll", 30 | "geteuid", 31 | "clock_gettime", 32 | "pipe2", 33 | "mount", 34 | "arch_prctl", 35 | "mkdir", 36 | "prlimit64", 37 | "readlinkat", 38 | "chdir", 39 | "mkdirat", 40 | "setsid", 41 | "newfstatat", 42 | "pivot_root", 43 | "umount2", 44 | "pread64", 45 | "clone", 46 | "capget", 47 | "recvmsg", 48 | "accept4", 49 | "setuid", 50 | "recv", 51 | "unlinkat", 52 | "getdents64", 53 | "bind", 54 | "gettid", 55 | "readlink", 56 | "faccessat", 57 | "openat", 58 | "fcntl", 59 | "listen", 60 | "madvise", 61 | "setgid", 62 | "rt_sigaction", 63 | "umask", 64 | "statfs", 65 | "prctl", 66 | "sigaltstack", 67 | "sethostname", 68 | "execve", 69 | "rseq", 70 | "unshare", 71 | "brk", 72 | "seccomp", 73 | "set_tid_address", 74 | "prlimit", 75 | "epoll_create1", 76 | "clone3", 77 | "eventfd2", 78 | "getgid", 79 | "symlinkat", 80 | "socket", 81 | "keyctl", 82 | "mknodat", 83 | "close", 84 | "getpid", 85 | "write", 86 | "lseek", 87 | "epoll_pwait", 88 | "getppid", 89 | "set_robust_list", 90 | "rt_sigreturn", 91 | "getrlimit", 92 | "faccessat2", 93 | "getsockname", 94 | "sendto", 95 | "access", 96 | "mprotect", 97 | "getcwd", 98 | "getrandom", 99 | "sysinfo", 100 | "setgroups", 101 | "read", 102 | "accept", 103 | "getuid", 104 | "ioctl", 105 | "dup3", 106 | "fchownat", 107 | "getegid", 108 | "rt_sigprocmask", 109 | "mmap", 
110 | "fstatfs", 111 | "epoll_ctl" 112 | ], 113 | "action": "SCMP_ACT_ALLOW" 114 | } 115 | ] 116 | } -------------------------------------------------------------------------------- /traefik/traefik.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "getrandom", 17 | "sched_yield", 18 | "clone", 19 | "fstat", 20 | "getdents64", 21 | "sched_getaffinity", 22 | "pivot_root", 23 | "accept4", 24 | "poll", 25 | "umount2", 26 | "sigaltstack", 27 | "getrlimit", 28 | "recvfrom", 29 | "fchownat", 30 | "setgroups", 31 | "read", 32 | "rt_sigaction", 33 | "munmap", 34 | "fstatfs", 35 | "chdir", 36 | "bind", 37 | "epoll_create1", 38 | "recvmsg", 39 | "stat", 40 | "ioctl", 41 | "recv", 42 | "listen", 43 | "accept", 44 | "dup2", 45 | "rseq", 46 | "capget", 47 | "sendmsg", 48 | "rt_sigreturn", 49 | "dup3", 50 | "geteuid", 51 | "pread", 52 | "nanosleep", 53 | "unshare", 54 | "pread64", 55 | "wait4", 56 | "sendto", 57 | "socket", 58 | "getpeername", 59 | "open", 60 | "unlinkat", 61 | "newfstatat", 62 | "symlinkat", 63 | "tgkill", 64 | "connect", 65 | "mkdirat", 66 | "statfs", 67 | "arch_prctl", 68 | "close", 69 | "getcwd", 70 | "epoll_pwait", 71 | "setsockopt", 72 | "write", 73 | "execve", 74 | "getuid", 75 | "mmap", 76 | "setsid", 77 | "faccessat2", 78 | "setuid", 79 | "seccomp", 80 | "setgid", 81 | "fork", 82 | "set_robust_list", 83 | "prctl", 84 | "mknodat", 85 | "mprotect", 86 | "clone3", 87 | "mkdir", 88 | "getppid", 89 | "pipe2", 90 | "openat", 91 | "umask", 92 | "futex", 93 | "rt_sigprocmask", 94 | "brk", 95 | "getsockopt", 96 | "mount", 97 | "readlinkat", 98 | "sethostname", 99 | "faccessat", 100 | "keyctl", 101 | "getpid", 102 | "getgid", 103 | "fchdir", 104 | "madvise", 105 | 
"getsockname", 106 | "set_tid_address", 107 | "fcntl", 108 | "epoll_ctl", 109 | "gettid", 110 | "uname", 111 | "capset", 112 | "exit_group" 113 | ], 114 | "action": "SCMP_ACT_ALLOW" 115 | } 116 | ] 117 | } -------------------------------------------------------------------------------- /python/python.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "setgroups", 17 | "mkdir", 18 | "chdir", 19 | "mount", 20 | "geteuid", 21 | "rt_sigprocmask", 22 | "keyctl", 23 | "fchdir", 24 | "getrlimit", 25 | "nanosleep", 26 | "bind", 27 | "pivot_root", 28 | "sysinfo", 29 | "mmap", 30 | "umount2", 31 | "ioctl", 32 | "madvise", 33 | "execve", 34 | "munmap", 35 | "close", 36 | "arch_prctl", 37 | "gettid", 38 | "futex", 39 | "rename", 40 | "faccessat2", 41 | "socketpair", 42 | "mprotect", 43 | "fstat", 44 | "fstatfs", 45 | "getppid", 46 | "mkdirat", 47 | "recv", 48 | "newfstatat", 49 | "write", 50 | "access", 51 | "capset", 52 | "setsid", 53 | "getegid", 54 | "epoll_ctl", 55 | "clone3", 56 | "rseq", 57 | "listen", 58 | "faccessat", 59 | "getpid", 60 | "capget", 61 | "read", 62 | "recvmsg", 63 | "umask", 64 | "unlinkat", 65 | "symlinkat", 66 | "fchownat", 67 | "open", 68 | "getcwd", 69 | "getdents64", 70 | "rt_sigaction", 71 | "seccomp", 72 | "lseek", 73 | "setgid", 74 | "accept", 75 | "epoll_create1", 76 | "socket", 77 | "dup3", 78 | "sethostname", 79 | "mknodat", 80 | "clone", 81 | "pipe2", 82 | "clock_nanosleep", 83 | "readlink", 84 | "epoll_pwait", 85 | "sched_getaffinity", 86 | "getsockname", 87 | "unshare", 88 | "accept4", 89 | "fcntl", 90 | "readlinkat", 91 | "pread", 92 | "getgid", 93 | "rt_sigreturn", 94 | "sendto", 95 | "sched_yield", 96 | "set_robust_list", 97 | 
"sigaltstack", 98 | "statfs", 99 | "setuid", 100 | "prlimit64", 101 | "prlimit", 102 | "exit_group", 103 | "getrandom", 104 | "brk", 105 | "pread64", 106 | "tgkill", 107 | "openat", 108 | "getuid", 109 | "prctl", 110 | "poll", 111 | "set_tid_address", 112 | "recvfrom" 113 | ], 114 | "action": "SCMP_ACT_ALLOW" 115 | } 116 | ] 117 | } -------------------------------------------------------------------------------- /node/node.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "getegid", 17 | "fchownat", 18 | "sigaltstack", 19 | "openat", 20 | "prlimit64", 21 | "eventfd2", 22 | "sysinfo", 23 | "setgroups", 24 | "chdir", 25 | "ioctl", 26 | "set_tid_address", 27 | "tgkill", 28 | "futex", 29 | "getdents64", 30 | "rt_sigreturn", 31 | "execve", 32 | "arch_prctl", 33 | "rt_sigprocmask", 34 | "geteuid", 35 | "exit_group", 36 | "capset", 37 | "mmap", 38 | "setgid", 39 | "seccomp", 40 | "sched_yield", 41 | "prlimit", 42 | "getcwd", 43 | "unshare", 44 | "faccessat2", 45 | "fstat", 46 | "poll", 47 | "munmap", 48 | "getuid", 49 | "accept4", 50 | "epoll_ctl", 51 | "mkdir", 52 | "umount2", 53 | "close", 54 | "capget", 55 | "write", 56 | "getgid", 57 | "epoll_create1", 58 | "mprotect", 59 | "gettid", 60 | "listen", 61 | "readlinkat", 62 | "clone3", 63 | "getrandom", 64 | "pivot_root", 65 | "recvfrom", 66 | "pipe2", 67 | "faccessat", 68 | "madvise", 69 | "getsockname", 70 | "rseq", 71 | "statfs", 72 | "pread", 73 | "setsid", 74 | "newfstatat", 75 | "readlink", 76 | "io_uring_setup", 77 | "setuid", 78 | "mkdirat", 79 | "accept", 80 | "unlinkat", 81 | "dup3", 82 | "fchdir", 83 | "mount", 84 | "read", 85 | "umask", 86 | "wait4", 87 | "set_robust_list", 88 | "sched_getaffinity", 89 | 
"epoll_pwait", 90 | "getrlimit", 91 | "io_uring_enter", 92 | "mknodat", 93 | "symlinkat", 94 | "connect", 95 | "bind", 96 | "prctl", 97 | "pread64", 98 | "brk", 99 | "socket", 100 | "sendto", 101 | "getppid", 102 | "access", 103 | "dup2", 104 | "recv", 105 | "fstatfs", 106 | "clone", 107 | "sethostname", 108 | "recvmsg", 109 | "nanosleep", 110 | "rt_sigaction", 111 | "getpid", 112 | "fcntl", 113 | "keyctl" 114 | ], 115 | "action": "SCMP_ACT_ALLOW" 116 | } 117 | ] 118 | } -------------------------------------------------------------------------------- /memcached/memcached.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "recvmsg", 17 | "symlinkat", 18 | "fchown", 19 | "accept4", 20 | "sched_yield", 21 | "prctl", 22 | "rt_sigaction", 23 | "seccomp", 24 | "getcwd", 25 | "read", 26 | "set_robust_list", 27 | "eventfd2", 28 | "sendmsg", 29 | "mkdirat", 30 | "setsockopt", 31 | "setgroups", 32 | "listen", 33 | "getsockname", 34 | "munmap", 35 | "access", 36 | "newfstatat", 37 | "epoll_pwait", 38 | "tgkill", 39 | "readlinkat", 40 | "mkdir", 41 | "arch_prctl", 42 | "fcntl", 43 | "epoll_wait", 44 | "sethostname", 45 | "fstat", 46 | "getrandom", 47 | "statfs", 48 | "rt_sigprocmask", 49 | "capget", 50 | "getdents64", 51 | "setuid", 52 | "unlinkat", 53 | "setsid", 54 | "accept", 55 | "bind", 56 | "getpid", 57 | "pipe2", 58 | "dup3", 59 | "unshare", 60 | "recvfrom", 61 | "umask", 62 | "pread64", 63 | "poll", 64 | "mknodat", 65 | "clock_nanosleep", 66 | "capset", 67 | "fchownat", 68 | "brk", 69 | "connect", 70 | "fstatfs", 71 | "exit_group", 72 | "sched_getaffinity", 73 | "prlimit64", 74 | "gettid", 75 | "getrusage", 76 | "epoll_ctl", 77 | "prlimit", 78 | "mount", 79 | 
"faccessat2", 80 | "getegid", 81 | "getrlimit", 82 | "socket", 83 | "fchdir", 84 | "rt_sigreturn", 85 | "rseq", 86 | "mprotect", 87 | "close", 88 | "geteuid", 89 | "mmap", 90 | "pivot_root", 91 | "getppid", 92 | "chdir", 93 | "openat", 94 | "clone", 95 | "umount2", 96 | "recv", 97 | "madvise", 98 | "futex", 99 | "clone3", 100 | "setgid", 101 | "write", 102 | "getgid", 103 | "getuid", 104 | "pread", 105 | "execve", 106 | "set_tid_address", 107 | "getpeername", 108 | "sendto", 109 | "nanosleep", 110 | "sigaltstack", 111 | "epoll_create1", 112 | "keyctl", 113 | "dup", 114 | "faccessat" 115 | ], 116 | "action": "SCMP_ACT_ALLOW" 117 | } 118 | ] 119 | } -------------------------------------------------------------------------------- /prometheus/prometheus.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "rt_sigreturn", 17 | "socketpair", 18 | "chdir", 19 | "accept", 20 | "setgid", 21 | "execve", 22 | "newfstatat", 23 | "exit_group", 24 | "bind", 25 | "sendto", 26 | "mount", 27 | "rt_sigaction", 28 | "gettid", 29 | "getsockopt", 30 | "dup3", 31 | "getrandom", 32 | "pipe2", 33 | "openat", 34 | "sched_getaffinity", 35 | "pread64", 36 | "prlimit64", 37 | "sysinfo", 38 | "geteuid", 39 | "munmap", 40 | "fstat", 41 | "read", 42 | "symlinkat", 43 | "fcntl", 44 | "faccessat2", 45 | "ftruncate", 46 | "readlinkat", 47 | "sendmmsg", 48 | "clone", 49 | "getrlimit", 50 | "flock", 51 | "arch_prctl", 52 | "setuid", 53 | "madvise", 54 | "getppid", 55 | "setsockopt", 56 | "mknodat", 57 | "fchownat", 58 | "seccomp", 59 | "mkdir", 60 | "umask", 61 | "recv", 62 | "close", 63 | "statfs", 64 | "tgkill", 65 | "umount2", 66 | "keyctl", 67 | "mprotect", 68 | "epoll_pwait", 69 | "set_robust_list", 
70 | "uname", 71 | "epoll_create1", 72 | "rseq", 73 | "setsid", 74 | "connect", 75 | "set_tid_address", 76 | "faccessat", 77 | "epoll_ctl", 78 | "clone3", 79 | "nanosleep", 80 | "getdents64", 81 | "pread", 82 | "fstatfs", 83 | "sched_yield", 84 | "listen", 85 | "unlinkat", 86 | "getpeername", 87 | "accept4", 88 | "capset", 89 | "pivot_root", 90 | "ioctl", 91 | "getcwd", 92 | "prlimit", 93 | "getuid", 94 | "unshare", 95 | "mkdirat", 96 | "fchown", 97 | "write", 98 | "capget", 99 | "prctl", 100 | "recvmsg", 101 | "eventfd2", 102 | "poll", 103 | "fchdir", 104 | "lseek", 105 | "futex", 106 | "recvfrom", 107 | "mmap", 108 | "sethostname", 109 | "sigaltstack", 110 | "getpid", 111 | "socket", 112 | "access", 113 | "rt_sigprocmask", 114 | "setgroups", 115 | "getsockname", 116 | "brk" 117 | ], 118 | "action": "SCMP_ACT_ALLOW" 119 | } 120 | ] 121 | } -------------------------------------------------------------------------------- /consul/consul.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "accept", 17 | "bind", 18 | "sendmmsg", 19 | "faccessat", 20 | "getsockname", 21 | "epoll_create1", 22 | "recvfrom", 23 | "setsid", 24 | "gettid", 25 | "clone3", 26 | "pipe", 27 | "rt_sigprocmask", 28 | "umount2", 29 | "ioctl", 30 | "setuid", 31 | "poll", 32 | "rseq", 33 | "close", 34 | "set_tid_address", 35 | "fchownat", 36 | "connect", 37 | "getrlimit", 38 | "unshare", 39 | "fchdir", 40 | "pivot_root", 41 | "getuid", 42 | "accept4", 43 | "listen", 44 | "open", 45 | "prctl", 46 | "uname", 47 | "fsync", 48 | "exit_group", 49 | "fork", 50 | "getgid", 51 | "getpid", 52 | "madvise", 53 | "mknodat", 54 | "lstat", 55 | "sched_getaffinity", 56 | "pread64", 57 | "mkdir", 58 | "getdents64", 59 
| "read", 60 | "sigaltstack", 61 | "unlinkat", 62 | "fcntl", 63 | "epoll_pwait", 64 | "umask", 65 | "mmap", 66 | "getpeername", 67 | "setsockopt", 68 | "statfs", 69 | "sched_yield", 70 | "socket", 71 | "wait4", 72 | "mprotect", 73 | "mkdirat", 74 | "writev", 75 | "recvmsg", 76 | "setgroups", 77 | "rt_sigreturn", 78 | "arch_prctl", 79 | "setgid", 80 | "readlinkat", 81 | "futex", 82 | "geteuid", 83 | "munmap", 84 | "symlinkat", 85 | "capset", 86 | "dup2", 87 | "sendto", 88 | "dup3", 89 | "renameat", 90 | "rt_sigaction", 91 | "epoll_ctl", 92 | "rt_sigtimedwait", 93 | "pread", 94 | "brk", 95 | "getrandom", 96 | "fstatfs", 97 | "chdir", 98 | "sethostname", 99 | "newfstatat", 100 | "openat", 101 | "nanosleep", 102 | "recv", 103 | "getppid", 104 | "set_robust_list", 105 | "capget", 106 | "getsockopt", 107 | "write", 108 | "keyctl", 109 | "mount", 110 | "tgkill", 111 | "pipe2", 112 | "seccomp", 113 | "execve", 114 | "stat", 115 | "fstat", 116 | "faccessat2", 117 | "getcwd", 118 | "clone" 119 | ], 120 | "action": "SCMP_ACT_ALLOW" 121 | } 122 | ] 123 | } -------------------------------------------------------------------------------- /httpd/httpd.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "clone", 17 | "sched_getaffinity", 18 | "getpid", 19 | "setsockopt", 20 | "setsid", 21 | "mount", 22 | "write", 23 | "setuid", 24 | "arch_prctl", 25 | "getrlimit", 26 | "fstatfs", 27 | "set_tid_address", 28 | "gettid", 29 | "prctl", 30 | "exit", 31 | "sethostname", 32 | "read", 33 | "writev", 34 | "fstat", 35 | "recvfrom", 36 | "capget", 37 | "epoll_pwait", 38 | "sched_yield", 39 | "openat", 40 | "exit_group", 41 | "setgroups", 42 | "uname", 43 | "listen", 44 | "mkdir", 45 | 
"pivot_root", 46 | "dup3", 47 | "epoll_create1", 48 | "mmap", 49 | "fchownat", 50 | "close", 51 | "setgid", 52 | "capset", 53 | "faccessat", 54 | "prlimit64", 55 | "pipe2", 56 | "rt_sigreturn", 57 | "getppid", 58 | "readlinkat", 59 | "seccomp", 60 | "getrandom", 61 | "rseq", 62 | "getuid", 63 | "faccessat2", 64 | "rename", 65 | "wait4", 66 | "socket", 67 | "sigaltstack", 68 | "clone3", 69 | "rt_sigprocmask", 70 | "pread64", 71 | "fcntl", 72 | "chmod", 73 | "keyctl", 74 | "getcwd", 75 | "mknodat", 76 | "madvise", 77 | "chdir", 78 | "nanosleep", 79 | "poll", 80 | "mkdirat", 81 | "statfs", 82 | "ioctl", 83 | "geteuid", 84 | "unshare", 85 | "rt_sigaction", 86 | "getegid", 87 | "lseek", 88 | "execve", 89 | "connect", 90 | "getsockname", 91 | "umask", 92 | "set_robust_list", 93 | "futex", 94 | "prlimit", 95 | "epoll_wait", 96 | "accept", 97 | "pselect6", 98 | "recv", 99 | "newfstatat", 100 | "times", 101 | "accept4", 102 | "shutdown", 103 | "mprotect", 104 | "vfork", 105 | "umount2", 106 | "sendto", 107 | "pread", 108 | "tgkill", 109 | "munmap", 110 | "epoll_ctl", 111 | "brk", 112 | "fchdir", 113 | "unlinkat", 114 | "recvmsg", 115 | "bind", 116 | "getdents64", 117 | "symlinkat", 118 | "getgid", 119 | "access" 120 | ], 121 | "action": "SCMP_ACT_ALLOW" 122 | } 123 | ] 124 | } -------------------------------------------------------------------------------- /redis/redis.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "readlink", 17 | "futex", 18 | "symlinkat", 19 | "set_tid_address", 20 | "sched_yield", 21 | "listen", 22 | "dup2", 23 | "accept", 24 | "close", 25 | "getegid", 26 | "exit_group", 27 | "sethostname", 28 | "ioctl", 29 | "getdents64", 30 | "clone", 31 | "bind", 
32 | "poll", 33 | "access", 34 | "unshare", 35 | "openat", 36 | "epoll_wait", 37 | "mkdirat", 38 | "tgkill", 39 | "connect", 40 | "uname", 41 | "fstatfs", 42 | "sysinfo", 43 | "mprotect", 44 | "getppid", 45 | "keyctl", 46 | "write", 47 | "gettid", 48 | "mkdir", 49 | "read", 50 | "madvise", 51 | "prlimit64", 52 | "getpid", 53 | "getrandom", 54 | "epoll_pwait", 55 | "setsid", 56 | "prctl", 57 | "accept4", 58 | "unlinkat", 59 | "sendto", 60 | "readlinkat", 61 | "getpeername", 62 | "dup3", 63 | "recvmsg", 64 | "rt_sigaction", 65 | "brk", 66 | "getuid", 67 | "pread", 68 | "sigaltstack", 69 | "munmap", 70 | "rt_sigreturn", 71 | "capset", 72 | "fstat", 73 | "seccomp", 74 | "vfork", 75 | "umask", 76 | "setitimer", 77 | "getcwd", 78 | "chdir", 79 | "lseek", 80 | "open", 81 | "mknodat", 82 | "faccessat", 83 | "prlimit", 84 | "umount2", 85 | "epoll_create", 86 | "getsockname", 87 | "pipe2", 88 | "epoll_ctl", 89 | "getgid", 90 | "fchdir", 91 | "wait4", 92 | "mount", 93 | "mmap", 94 | "geteuid", 95 | "epoll_create1", 96 | "nanosleep", 97 | "rseq", 98 | "clone3", 99 | "newfstatat", 100 | "setuid", 101 | "fchownat", 102 | "getrlimit", 103 | "setsockopt", 104 | "set_robust_list", 105 | "recv", 106 | "execve", 107 | "setgid", 108 | "faccessat2", 109 | "recvfrom", 110 | "sched_getaffinity", 111 | "fcntl", 112 | "capget", 113 | "rt_sigprocmask", 114 | "setgroups", 115 | "statfs", 116 | "pread64", 117 | "arch_prctl", 118 | "pivot_root", 119 | "socket" 120 | ], 121 | "action": "SCMP_ACT_ALLOW" 122 | } 123 | ] 124 | } -------------------------------------------------------------------------------- /nginx/nginx.aa: -------------------------------------------------------------------------------- 1 | profile nginx.aa flags=(attach_disconnected) { 2 | signal, 3 | ptrace, 4 | network, 5 | capability, 6 | /usr/sbin/nginx rix, 7 | /etc/nginx/nginx.conf r, 8 | /usr/bin/grep rix, 9 | /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 rm, 10 | /usr/bin/dpkg-query rix, 11 | 
/usr/lib/x86_64-linux-gnu/libmd.so.0.0.5 rm,  # nginx.aa rules 11-71, one per line. Exact-version library paths such as this one are literal matches: a library update in the image stops the rule matching until the profile is regenerated.
12 | /etc/group r,
13 | /docker-entrypoint.sh rix,  # ix = inherit: the script and the helpers below (mawk, find, cut, sed, ...) run under this same profile, so they stay executable for the life of the container, not only during startup
14 | /docker-entrypoint.d/15-local-resolvers.envsh r,
15 | /usr/bin/mawk rix,
16 | /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
17 | /var/lib/dpkg/triggers/File r,
18 | /usr/bin/find rix,
19 | /usr/lib/x86_64-linux-gnu/libcrypto.so.3 rm,
20 | /etc/ld.so.cache rm,
21 | /usr/bin/cut rix,
22 | /usr/bin/md5sum rix,
23 | /usr/bin/sed rix,
24 | /etc/nginx/conf.d/default.conf rwix,  # NOTE(review): write + execute on a configuration file; the x looks like a generator artifact, rw is presumably enough for the entrypoint scripts - confirm
25 | /etc/nginx/mime.types r,
26 | /usr/share/nginx/html/index.html r,
27 | /docker-entrypoint.d/20-envsubst-on-templates.sh rix,
28 | /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh rix,
29 | /dev/null rw,
30 | /sys/devices/system/cpu/online r,
31 | /proc/filesystems r,
32 | /usr/lib/x86_64-linux-gnu/libselinux.so.1 rm,
33 | /usr/bin/basename rix,
34 | /docker-entrypoint.d/30-tune-worker-processes.sh rix,
35 | /proc/*/maps r,  # the * matches every PID directory visible in the container, not only the caller's own (this profile also has /proc/self/maps r); consider narrowing with the owner qualifier
36 | /etc/ssl/openssl.cnf r,
37 | /usr/bin/sort rix,
38 | /run/** rwixk,  # NOTE(review): recursive write + inherit-execute + lock under /run: whatever the workload can write there it can also execute under this profile. Narrow to the paths actually used and drop x.
39 | /proc/sys/kernel/ngroups_max r,
40 | /var/lib/dpkg/updates/ rix,  # a trailing slash names the directory itself; the x here is presumably a tracing artifact - confirm
41 | /etc/nsswitch.conf r,
42 | /usr/bin/touch rix,
43 | /usr/lib/x86_64-linux-gnu/libssl.so.3 rm,
44 | /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
45 | /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0 rm,
46 | /usr/share/zoneinfo/Etc/UTC r,
47 | /usr/lib/os-release r,
48 | /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 rm,
49 | /etc/nginx/conf.d/* rw,  # every file directly under conf.d is writable by the confined process; presumably needed only by the entrypoint templating step - confirm
50 | /etc/passwd r,
51 | /var/lib/dpkg/status r,
52 | /docker-entrypoint.d/ rix,  # directory rule carrying x, same presumed artifact as /var/lib/dpkg/updates/
53 | /var/lib/dpkg/triggers/Unincorp r,
54 | /usr/lib/x86_64-linux-gnu/libz.so.1.2.13 rm,
55 | /etc/nginx/conf.d/ rwix,  # directory rule carrying x, presumably an artifact - confirm
56 | /var/cache/nginx/ rw,
57 | /usr/bin/dash ix,  # the shell remains executable inside the confinement
58 | /var/run/** rw,
59 | /var/log/nginx/access.log rw,
60 | /var/log/nginx/ rw,
61 | /dev/ rw,  # write on the /dev/ directory itself (httpd.aa in this repository grants only r); presumably recorded while the runtime populated /dev - confirm
62 | /var/log/nginx/error.log rw,
63 | / r,
64 | /usr/lib/x86_64-linux-gnu/ r,
65 | /usr/sbin/runc ix,  # NOTE(review): the container runtime binary in a workload allow-list suggests the trace included runtime initialisation; confirm whether the image needs this rule at all
66 | /etc/ r,
67 | /etc/hostname r,
68 | /proc/self/attr/apparmor/ r,
69 | /proc/self/attr/apparmor/exec rw,  # interface used to request a profile change on the next exec; presumably written by the runtime during setup. No change_profile rule appears in this profile.
70 | /dev/shm/** rwk,
71 | /dev/mqueue rw,
72 | 
/proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl write; presumably recorded while the runtime configured the network namespace - confirm the workload itself needs w
73 | /proc/sys/net/ipv4/ r,
74 | /proc/ r,
75 | /etc/resolv.conf r,
76 | /dev/stdout r,
77 | /proc/self/fd/* rw,
78 | /sys/ r,
79 | /var/cache/nginx/proxy_temp/ rw,
80 | /var/cache/nginx/scgi_temp/ rw,
81 | /usr/share/nginx/html/ r,
82 | /dev/random rw,
83 | /proc/sys/kernel/ r,
84 | /var/lib/dpkg/triggers/ r,
85 | /dev/urandom rw,
86 | /proc/sys/net/ipv4/ping_group_range rw,  # sysctl write, same presumed origin as ip_unprivileged_port_start
87 | /proc/self/ r,
88 | /proc/self/status r,
89 | /proc/self/fd/ r,
90 | /proc/self/uid_map r,
91 | /usr/lib/ssl/ r,
92 | /dev/stderr r,
93 | /etc/nginx/ r,
94 | /var/lib/dpkg/ r,
95 | /dev/pts/ rw,
96 | /dev/tty rw,
97 | /proc/sys/kernel/cap_last_cap r,
98 | /dev/fd r,
99 | /proc/self/fd rw,
100 | /var/cache/nginx/uwsgi_temp/ rw,
101 | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
102 | /sys/kernel/mm/transparent_hugepage/ r,
103 | /proc/self/maps r,
104 | /proc/self/mountinfo r,
105 | /proc/self/setgroups r,
106 | /sys/fs/cgroup r,
107 | /sys/fs/ r,
108 | /sys/devices/system/cpu/ r,
109 | /dev/full rw,
110 | /etc/hosts r,
111 | /dev/stdin r,
112 | /dev/zero rw,
113 | /dev/core r,  # /dev/core is conventionally a symlink to /proc/kcore
114 | /proc/kcore w,  # NOTE(review): write access to the kernel memory image. Docker masks /proc/kcore by default, so this presumably records the runtime's masking step rather than workload behaviour - remove after confirming.
115 | /dev/ptmx r,
116 | /var/cache/nginx/client_temp/ rw,
117 | /usr/local/sbin/nginx rix,  # presumably PATH-search probes for the nginx binary (the profile also allows /usr/sbin/nginx) - confirm these paths exist in the image
118 | /usr/local/bin/nginx rix,
119 | /sys/fs/cgroup/ r,
120 | /var/cache/nginx/fastcgi_temp/ rw,
121 | /tmp/ r,
122 | }
123 | 
--------------------------------------------------------------------------------
/httpd/httpd.aa:
--------------------------------------------------------------------------------
1 | profile httpd.aa flags=(attach_disconnected) {  # Allow-list for the httpd image. attach_disconnected: paths that cannot be resolved from the namespace root are attached to / and still matched.
2 | signal,  # bare rule: no restriction on signal type or peer
3 | ptrace,  # bare rule: any ptrace access to or from any peer. NOTE(review): consider removing it or scoping it with peer=httpd.aa
4 | network,  # bare rule: every address family and socket type
5 | capability,  # bare rule: every capability is permitted by the profile, so capability limits rest entirely on what the runtime drops. Together with the three rules above, signals, ptrace, networking and capabilities are not narrowed by this profile.
6 | /usr/local/apache2/bin/httpd rix,  # ix = inherit: the binary runs under this same profile
7 | /usr/local/apache2/modules/mod_access_compat.so rm,  # m permits mapping the file executable, as shared objects need
8 | /usr/local/apache2/modules/mod_authz_groupfile.so rm,
9 | /usr/local/apache2/modules/mod_mime.so rm,
10 | /usr/local/apache2/conf/mime.types r,
11 | /usr/local/apache2/modules/mod_mpm_event.so rm,
12 | /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.2 rm,  # exact-version library paths are literal matches: a library update in the image stops the rule matching until the profile is regenerated
13 | /usr/local/apache2/logs/httpd.pid.* rw,
14 | /etc/host.conf r,
15 | /proc/sys/kernel/ngroups_max r,
16 | /usr/local/apache2/modules/mod_authz_host.so rm,
17 | /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
18 | /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.3 rm,
19 | /usr/local/apache2/modules/mod_reqtimeout.so rm,
20 | /usr/local/bin/httpd-foreground rix,  # presumably the image's startup script; with ix it, /usr/bin/dash and /usr/bin/rm stay executable for the life of the container
21 | /etc/ld.so.cache rm,
22 | /etc/hosts r,
23 | /etc/group r,
24 | /usr/local/apache2/modules/mod_authn_core.so rm,
25 | /usr/share/zoneinfo/Etc/UTC r,
26 | /etc/resolv.conf r,
27 | /etc/nsswitch.conf r,
28 | /usr/local/apache2/modules/mod_auth_basic.so rm,
29 | /usr/local/apache2/modules/mod_authz_core.so rm,
30 | /usr/local/apache2/modules/mod_alias.so rm,
31 | /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 rm,
32 | /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0 rm,
33 | /usr/local/apache2/modules/mod_filter.so rm,
34 | /usr/local/apache2/modules/mod_authz_user.so rm,
35 | /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3 rm,
36 | /usr/local/apache2/modules/mod_env.so rm,
37 | /usr/local/apache2/modules/mod_setenvif.so rm,
38 | /usr/local/apache2/modules/mod_version.so rm,
39 | /usr/local/apache2/htdocs/index.html rm,  # m (executable mapping) on static content; r is presumably sufficient - confirm. Only this one document is listed, so other site content is denied in enforce mode.
40 | /usr/local/apache2/modules/mod_headers.so rm,
41 | /usr/local/apache2/modules/mod_autoindex.so rm,
42 | /usr/local/apache2/modules/mod_dir.so rm,
43 | /usr/local/apache2/modules/mod_authn_file.so rm,
44 | /usr/local/apache2/modules/mod_unixd.so rm,
45 | /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0 rm,
46 | /usr/lib/x86_64-linux-gnu/libexpat.so.1.8.10 rm,
47 | /usr/bin/rm rix,
48 | /etc/passwd r,
49 | /usr/local/apache2/conf/httpd.conf r,
50 | /usr/local/apache2/modules/mod_status.so rm,
51 | /sys/devices/system/cpu/online r,
52 | /usr/local/apache2/modules/mod_log_config.so rm,
53 | /usr/bin/dash ix,  # the shell remains executable inside the confinement
54 | /usr/local/apache2/logs/ rw,
55 | /usr/local/apache2/logs/httpd.pid rw,
56 | /proc/self/fd/* rw,
57 | /proc/self/fd/ rw,
58 | /dev/null rw,
59 | /usr/sbin/runc ix,  # NOTE(review): the container runtime binary in a workload allow-list suggests the trace included runtime initialisation; confirm whether the image needs this rule at all
60 | /usr/local/apache2/modules/ r,
61 | /run/** rwixk,  # NOTE(review): recursive write + inherit-execute + lock under /run: whatever the workload can write there it can also execute under this profile. Narrow to the paths actually used and drop x.
62 | / r,
63 | /dev/random rw,
64 | /dev/zero rw,
65 | /sys/fs/cgroup/ r,
66 | /sys/fs/cgroup r,
67 | /usr/lib/x86_64-linux-gnu/ r,
68 | /usr/local/apache2/conf/ r,
69 | /etc/ r,
70 | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
71 | /sys/kernel/mm/transparent_hugepage/ r,
72 | /proc/self/ r,
73 | /proc/self/fd rw,
74 | /proc/sys/kernel/ r,
75 | /proc/sys/kernel/cap_last_cap r,
76 | /dev/fd r,
77 | /usr/local/apache2/bin/suexec r,
78 | /dev/urandom rw,
79 | /dev/ r,
80 | /etc/hostname r,
81 | /proc/self/status r,
82 | /proc/filesystems r,
83 | /proc/ r,
84 | /dev/stdin r,
85 | /sys/ r,
86 | /dev/tty rw,
87 | /proc/self/attr/apparmor/ r,
88 | /proc/self/attr/apparmor/exec rw,  # interface used to request a profile change on the next exec; presumably written by the runtime during setup. No change_profile rule appears in this profile.
89 | /usr/local/apache2/htdocs/ r,
90 | /proc/self/uid_map r,
91 | /sys/fs/ r,
92 | /dev/pts/ rw,
93 | /dev/core r,  # /dev/core is conventionally a symlink to /proc/kcore
94 | /proc/kcore w,  # NOTE(review): write access to the kernel memory image. Docker masks /proc/kcore by default, so this presumably records the runtime's masking step rather than workload behaviour - remove after confirming.
95 | /usr/local/bin/ r,
96 | /dev/shm/** rwk,
97 | /dev/stdout r,
98 | /dev/full rw,
99 | /dev/mqueue rw,
100 | /proc/sys/net/ipv4/ip_unprivileged_port_start rw,  # sysctl write; presumably recorded while the runtime configured the network namespace - confirm the workload itself needs w
101 | /proc/sys/net/ipv4/ r,
102 | /proc/self/setgroups r,
103 | /sys/devices/system/cpu/ r,
104 | /dev/ptmx r,
105 | /proc/sys/net/ipv4/ping_group_range rw,  # sysctl write, same presumed origin as ip_unprivileged_port_start
106 | /dev/stderr r,
107 | /proc/self/mountinfo r,
108 | /tmp/ r,
109 | }
110 | 
--------------------------------------------------------------------------------
/vault/vault.sc:
--------------------------------------------------------------------------------
1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "exit_group", 17 | "set_robust_list", 18 | "clone", 19 | "write", 20 | "readlink", 21 | "open", 22 | "pipe2", 23 | "unshare", 24 | "listen", 25 | "getegid", 26 | "sigaltstack", 27 | "umount2", 28 | "rt_sigtimedwait", 29 | "capget", 30 | "socket", 31 | "keyctl", 32 | "pivot_root", 33 | "recv", 34 | 
"getdents64", 35 | "clone3", 36 | "tgkill", 37 | "symlinkat", 38 | "execve", 39 | "setxattr", 40 | "pread", 41 | "fcntl", 42 | "stat", 43 | "connect", 44 | "geteuid", 45 | "openat", 46 | "arch_prctl", 47 | "ioctl", 48 | "fchownat", 49 | "setsockopt", 50 | "socketpair", 51 | "setgroups", 52 | "faccessat", 53 | "pread64", 54 | "dup2", 55 | "getpeername", 56 | "getcwd", 57 | "epoll_create1", 58 | "prlimit", 59 | "access", 60 | "fchdir", 61 | "epoll_pwait", 62 | "faccessat2", 63 | "recvmsg", 64 | "writev", 65 | "poll", 66 | "recvfrom", 67 | "setsid", 68 | "lseek", 69 | "readlinkat", 70 | "set_tid_address", 71 | "prctl", 72 | "newfstatat", 73 | "unlinkat", 74 | "rt_sigprocmask", 75 | "capset", 76 | "getsockname", 77 | "statfs", 78 | "wait4", 79 | "getuid", 80 | "bind", 81 | "prlimit64", 82 | "fork", 83 | "futex", 84 | "mkdir", 85 | "gettid", 86 | "mkdirat", 87 | "getrandom", 88 | "dup3", 89 | "getrlimit", 90 | "getppid", 91 | "epoll_ctl", 92 | "read", 93 | "munmap", 94 | "renameat", 95 | "sethostname", 96 | "setuid", 97 | "nanosleep", 98 | "mprotect", 99 | "fstatfs", 100 | "umask", 101 | "chdir", 102 | "mount", 103 | "fstat", 104 | "seccomp", 105 | "rseq", 106 | "mknodat", 107 | "accept", 108 | "sendto", 109 | "rt_sigaction", 110 | "getpid", 111 | "lstat", 112 | "mmap", 113 | "brk", 114 | "pipe", 115 | "sched_getaffinity", 116 | "sendmsg", 117 | "uname", 118 | "setgid", 119 | "madvise", 120 | "accept4", 121 | "rt_sigreturn", 122 | "sched_yield", 123 | "close", 124 | "getgid" 125 | ], 126 | "action": "SCMP_ACT_ALLOW" 127 | } 128 | ] 129 | } -------------------------------------------------------------------------------- /haproxy/haproxy.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | 
"names": [ 16 | "sched_yield", 17 | "openat", 18 | "fstat", 19 | "setsockopt", 20 | "epoll_pwait", 21 | "getrlimit", 22 | "clone3", 23 | "getuid", 24 | "pivot_root", 25 | "set_tid_address", 26 | "unlink", 27 | "capget", 28 | "setuid", 29 | "prlimit", 30 | "readlinkat", 31 | "shutdown", 32 | "pread64", 33 | "getpid", 34 | "ftruncate", 35 | "recvmsg", 36 | "fchown", 37 | "read", 38 | "pipe2", 39 | "getgid", 40 | "umask", 41 | "arch_prctl", 42 | "clock_gettime", 43 | "setns", 44 | "getsockopt", 45 | "bind", 46 | "accept", 47 | "fchdir", 48 | "epoll_wait", 49 | "mprotect", 50 | "execve", 51 | "statfs", 52 | "recvfrom", 53 | "unshare", 54 | "uname", 55 | "prctl", 56 | "rt_sigreturn", 57 | "listen", 58 | "setgroups", 59 | "timer_settime", 60 | "epoll_create", 61 | "accept4", 62 | "mknodat", 63 | "munmap", 64 | "socketpair", 65 | "setsid", 66 | "wait4", 67 | "geteuid", 68 | "getrandom", 69 | "sethostname", 70 | "mmap", 71 | "mount", 72 | "sendto", 73 | "lseek", 74 | "madvise", 75 | "write", 76 | "chdir", 77 | "epoll_ctl", 78 | "seccomp", 79 | "pread", 80 | "getdents64", 81 | "tgkill", 82 | "mkdirat", 83 | "rseq", 84 | "mkdir", 85 | "fcntl", 86 | "sysinfo", 87 | "poll", 88 | "sendmsg", 89 | "symlinkat", 90 | "getsockname", 91 | "connect", 92 | "dup3", 93 | "umount2", 94 | "fchownat", 95 | "faccessat2", 96 | "nanosleep", 97 | "faccessat", 98 | "setgid", 99 | "getcwd", 100 | "recv", 101 | "exit", 102 | "rt_sigaction", 103 | "gettid", 104 | "keyctl", 105 | "set_robust_list", 106 | "clone", 107 | "rt_sigprocmask", 108 | "exit_group", 109 | "unlinkat", 110 | "newfstatat", 111 | "timer_create", 112 | "close", 113 | "sched_getaffinity", 114 | "sigaltstack", 115 | "access", 116 | "prlimit64", 117 | "brk", 118 | "capset", 119 | "fstatfs", 120 | "getegid", 121 | "getppid", 122 | "socket", 123 | "epoll_create1", 124 | "futex" 125 | ], 126 | "action": "SCMP_ACT_ALLOW" 127 | } 128 | ] 129 | } -------------------------------------------------------------------------------- 
/gitea/gitea.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "prctl", 17 | "umount2", 18 | "accept", 19 | "getsockname", 20 | "execve", 21 | "faccessat", 22 | "mknod", 23 | "set_robust_list", 24 | "mmap", 25 | "prlimit64", 26 | "connect", 27 | "recvmsg", 28 | "setgid", 29 | "rt_sigprocmask", 30 | "getgid", 31 | "read", 32 | "lchown", 33 | "symlinkat", 34 | "fstatfs", 35 | "fork", 36 | "getrlimit", 37 | "prlimit", 38 | "poll", 39 | "rename", 40 | "mkdirat", 41 | "setuid", 42 | "setsockopt", 43 | "lseek", 44 | "nanosleep", 45 | "readlinkat", 46 | "sigaltstack", 47 | "getpgid", 48 | "ioctl", 49 | "membarrier", 50 | "unshare", 51 | "wait4", 52 | "capset", 53 | "gettid", 54 | "madvise", 55 | "clone", 56 | "getpid", 57 | "dup3", 58 | "bind", 59 | "dup2", 60 | "clone3", 61 | "socketpair", 62 | "rt_sigaction", 63 | "stat", 64 | "getdents64", 65 | "keyctl", 66 | "ppoll", 67 | "getuid", 68 | "fstat", 69 | "mkdir", 70 | "seccomp", 71 | "setsid", 72 | "capget", 73 | "getcwd", 74 | "pipe", 75 | "getppid", 76 | "sched_yield", 77 | "sched_getaffinity", 78 | "pipe2", 79 | "mprotect", 80 | "open", 81 | "chown", 82 | "tgkill", 83 | "lstat", 84 | "accept4", 85 | "futex", 86 | "recv", 87 | "getrandom", 88 | "epoll_pwait", 89 | "getegid", 90 | "close", 91 | "sethostname", 92 | "pivot_root", 93 | "geteuid", 94 | "pread", 95 | "arch_prctl", 96 | "mount", 97 | "access", 98 | "rseq", 99 | "set_tid_address", 100 | "getpeername", 101 | "sendto", 102 | "exit_group", 103 | "brk", 104 | "write", 105 | "chmod", 106 | "socket", 107 | "listen", 108 | "fcntl", 109 | "setgroups", 110 | "faccessat2", 111 | "munmap", 112 | "newfstatat", 113 | "recvfrom", 114 | "umask", 115 | "uname", 116 | "openat", 
117 | "fchdir", 118 | "signalfd4", 119 | "statfs", 120 | "epoll_create1", 121 | "writev", 122 | "unlinkat", 123 | "mknodat", 124 | "epoll_ctl", 125 | "pread64", 126 | "fchownat", 127 | "rt_sigreturn", 128 | "chdir" 129 | ], 130 | "action": "SCMP_ACT_ALLOW" 131 | } 132 | ] 133 | } -------------------------------------------------------------------------------- /tomcat/tomcat.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "statx", 17 | "getpgrp", 18 | "sysinfo", 19 | "getdents64", 20 | "rt_sigreturn", 21 | "accept", 22 | "write", 23 | "getpid", 24 | "recv", 25 | "lseek", 26 | "munmap", 27 | "getrandom", 28 | "mkdirat", 29 | "mount", 30 | "getrlimit", 31 | "umount2", 32 | "clone", 33 | "getsockname", 34 | "epoll_wait", 35 | "set_robust_list", 36 | "mprotect", 37 | "fchdir", 38 | "sendto", 39 | "exit_group", 40 | "geteuid", 41 | "epoll_ctl", 42 | "pread64", 43 | "newfstatat", 44 | "setgroups", 45 | "getuid", 46 | "rt_sigprocmask", 47 | "getrusage", 48 | "connect", 49 | "fstat", 50 | "clock_getres", 51 | "socketpair", 52 | "dup", 53 | "listen", 54 | "faccessat", 55 | "rt_sigaction", 56 | "ftruncate", 57 | "getgid", 58 | "umask", 59 | "pivot_root", 60 | "socket", 61 | "bind", 62 | "mmap", 63 | "setsid", 64 | "setuid", 65 | "fchownat", 66 | "openat", 67 | "dup2", 68 | "dup3", 69 | "wait4", 70 | "unshare", 71 | "prctl", 72 | "clone3", 73 | "epoll_create1", 74 | "nanosleep", 75 | "mknodat", 76 | "getppid", 77 | "set_tid_address", 78 | "prlimit", 79 | "recvmsg", 80 | "futex", 81 | "seccomp", 82 | "shutdown", 83 | "sigaltstack", 84 | "getsockopt", 85 | "flock", 86 | "read", 87 | "uname", 88 | "pipe2", 89 | "keyctl", 90 | "brk", 91 | "poll", 92 | "faccessat2", 93 | 
"eventfd2", 94 | "sendmsg", 95 | "madvise", 96 | "lstat", 97 | "readlink", 98 | "accept4", 99 | "close", 100 | "execve", 101 | "prlimit64", 102 | "getcwd", 103 | "readlinkat", 104 | "mkdir", 105 | "tgkill", 106 | "statfs", 107 | "gettid", 108 | "setgid", 109 | "fstatfs", 110 | "capget", 111 | "rseq", 112 | "capset", 113 | "stat", 114 | "chdir", 115 | "sched_getaffinity", 116 | "epoll_pwait", 117 | "recvfrom", 118 | "sched_yield", 119 | "pread", 120 | "unlinkat", 121 | "sethostname", 122 | "clock_nanosleep", 123 | "symlinkat", 124 | "ioctl", 125 | "arch_prctl", 126 | "access", 127 | "fcntl", 128 | "getegid", 129 | "setsockopt" 130 | ], 131 | "action": "SCMP_ACT_ALLOW" 132 | } 133 | ] 134 | } -------------------------------------------------------------------------------- /grafana/grafana.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "fsync", 17 | "prctl", 18 | "getpeername", 19 | "symlinkat", 20 | "setgid", 21 | "eventfd2", 22 | "setgroups", 23 | "mkdirat", 24 | "gettid", 25 | "setsockopt", 26 | "setsid", 27 | "mkdir", 28 | "pipe2", 29 | "unlink", 30 | "connect", 31 | "fstatfs", 32 | "fchownat", 33 | "pread", 34 | "umask", 35 | "pwrite", 36 | "sendmmsg", 37 | "accept4", 38 | "rt_sigaction", 39 | "prlimit64", 40 | "socketpair", 41 | "futex", 42 | "brk", 43 | "writev", 44 | "faccessat", 45 | "pread64", 46 | "unlinkat", 47 | "geteuid", 48 | "getpid", 49 | "listen", 50 | "stat", 51 | "getcwd", 52 | "pivot_root", 53 | "getsockopt", 54 | "fchdir", 55 | "execve", 56 | "shutdown", 57 | "fchown", 58 | "keyctl", 59 | "epoll_pwait", 60 | "open", 61 | "unshare", 62 | "newfstatat", 63 | "pipe", 64 | "recvmsg", 65 | "mprotect", 66 | "capget", 67 | "capset", 68 | 
"rt_sigprocmask", 69 | "sethostname", 70 | "statfs", 71 | "mmap", 72 | "poll", 73 | "sendmsg", 74 | "setuid", 75 | "pwrite64", 76 | "getegid", 77 | "lseek", 78 | "set_tid_address", 79 | "clone", 80 | "epoll_ctl", 81 | "ioctl", 82 | "rseq", 83 | "clone3", 84 | "munmap", 85 | "getdents64", 86 | "getppid", 87 | "close", 88 | "accept", 89 | "madvise", 90 | "faccessat2", 91 | "wait4", 92 | "getgid", 93 | "dup2", 94 | "prlimit", 95 | "uname", 96 | "fork", 97 | "nanosleep", 98 | "getrlimit", 99 | "mount", 100 | "write", 101 | "fstat", 102 | "getsockname", 103 | "readlinkat", 104 | "mknodat", 105 | "sendto", 106 | "read", 107 | "recvfrom", 108 | "sched_yield", 109 | "lstat", 110 | "getpgid", 111 | "seccomp", 112 | "socket", 113 | "recv", 114 | "bind", 115 | "getrandom", 116 | "sigaltstack", 117 | "fcntl", 118 | "umount2", 119 | "set_robust_list", 120 | "arch_prctl", 121 | "getuid", 122 | "epoll_create1", 123 | "sched_getaffinity", 124 | "chdir", 125 | "rt_sigreturn", 126 | "recvmmsg", 127 | "exit_group", 128 | "openat", 129 | "tgkill", 130 | "dup3" 131 | ], 132 | "action": "SCMP_ACT_ALLOW" 133 | } 134 | ] 135 | } -------------------------------------------------------------------------------- /openjdk/openjdk.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "gettid", 17 | "getpgrp", 18 | "setgid", 19 | "rename", 20 | "umount2", 21 | "kill", 22 | "getpeername", 23 | "lstat", 24 | "epoll_ctl", 25 | "rt_sigaction", 26 | "sched_yield", 27 | "getppid", 28 | "fstatfs", 29 | "mprotect", 30 | "clone", 31 | "set_tid_address", 32 | "readlink", 33 | "prctl", 34 | "pread", 35 | "fchdir", 36 | "pipe2", 37 | "unshare", 38 | "geteuid", 39 | "mknodat", 40 | "pipe", 41 | "nanosleep", 42 | 
"sendto", 43 | "tgkill", 44 | "listen", 45 | "setsid", 46 | "arch_prctl", 47 | "pread64", 48 | "setuid", 49 | "sethostname", 50 | "lseek", 51 | "mkdir", 52 | "utimes", 53 | "pivot_root", 54 | "read", 55 | "getsockname", 56 | "openat", 57 | "keyctl", 58 | "statfs", 59 | "readlinkat", 60 | "newfstatat", 61 | "clock_getres", 62 | "uname", 63 | "wait4", 64 | "recvfrom", 65 | "getdents64", 66 | "futex", 67 | "chmod", 68 | "sysinfo", 69 | "brk", 70 | "exit_group", 71 | "set_robust_list", 72 | "faccessat2", 73 | "prlimit64", 74 | "getrlimit", 75 | "mkdirat", 76 | "getpid", 77 | "prlimit", 78 | "accept", 79 | "ioctl", 80 | "execve", 81 | "epoll_create1", 82 | "connect", 83 | "socket", 84 | "getsockopt", 85 | "capset", 86 | "dup3", 87 | "faccessat", 88 | "unlink", 89 | "unlinkat", 90 | "getgid", 91 | "ftruncate", 92 | "socketpair", 93 | "bind", 94 | "recvmsg", 95 | "rt_sigprocmask", 96 | "mmap", 97 | "stat", 98 | "getcwd", 99 | "sigaltstack", 100 | "sched_getaffinity", 101 | "munmap", 102 | "seccomp", 103 | "rseq", 104 | "setsockopt", 105 | "dup2", 106 | "getegid", 107 | "getrusage", 108 | "recv", 109 | "epoll_pwait", 110 | "poll", 111 | "fstat", 112 | "fcntl", 113 | "setgroups", 114 | "exit", 115 | "clone3", 116 | "chdir", 117 | "mount", 118 | "write", 119 | "madvise", 120 | "close", 121 | "access", 122 | "dup", 123 | "fchownat", 124 | "accept4", 125 | "capget", 126 | "shutdown", 127 | "symlinkat", 128 | "getuid", 129 | "rt_sigreturn", 130 | "umask" 131 | ], 132 | "action": "SCMP_ACT_ALLOW" 133 | } 134 | ] 135 | } -------------------------------------------------------------------------------- /zookeeper/zookeeper.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "clone3", 
17 | "getgid", 18 | "brk", 19 | "clone", 20 | "newfstatat", 21 | "umask", 22 | "getcwd", 23 | "geteuid", 24 | "write", 25 | "getdents64", 26 | "readlinkat", 27 | "rt_sigaction", 28 | "connect", 29 | "set_robust_list", 30 | "mmap", 31 | "fcntl", 32 | "unlinkat", 33 | "eventfd2", 34 | "seccomp", 35 | "mkdir", 36 | "ioctl", 37 | "futex", 38 | "fchdir", 39 | "getrandom", 40 | "mount", 41 | "recvfrom", 42 | "pwrite64", 43 | "setgroups", 44 | "execve", 45 | "socketpair", 46 | "shutdown", 47 | "fstatfs", 48 | "openat", 49 | "uname", 50 | "pread", 51 | "dup3", 52 | "mkdirat", 53 | "clock_nanosleep", 54 | "socket", 55 | "unshare", 56 | "fdatasync", 57 | "ftruncate", 58 | "rseq", 59 | "bind", 60 | "exit_group", 61 | "sched_yield", 62 | "mprotect", 63 | "sysinfo", 64 | "getegid", 65 | "getppid", 66 | "pipe2", 67 | "sched_getaffinity", 68 | "tgkill", 69 | "faccessat2", 70 | "munmap", 71 | "prlimit64", 72 | "epoll_ctl", 73 | "access", 74 | "getsockopt", 75 | "pivot_root", 76 | "gettid", 77 | "sethostname", 78 | "close", 79 | "rt_sigreturn", 80 | "faccessat", 81 | "prlimit", 82 | "mknodat", 83 | "keyctl", 84 | "stat", 85 | "read", 86 | "poll", 87 | "setgid", 88 | "capget", 89 | "getrlimit", 90 | "statfs", 91 | "readlink", 92 | "dup2", 93 | "set_tid_address", 94 | "setuid", 95 | "lseek", 96 | "arch_prctl", 97 | "sendto", 98 | "pwrite", 99 | "rt_sigprocmask", 100 | "umount2", 101 | "sigaltstack", 102 | "epoll_pwait", 103 | "recv", 104 | "getpgrp", 105 | "setsockopt", 106 | "getrusage", 107 | "exit", 108 | "statx", 109 | "chdir", 110 | "fstat", 111 | "listen", 112 | "recvmsg", 113 | "flock", 114 | "getuid", 115 | "accept", 116 | "clock_getres", 117 | "madvise", 118 | "symlinkat", 119 | "getpid", 120 | "setsid", 121 | "epoll_create1", 122 | "fchownat", 123 | "capset", 124 | "nanosleep", 125 | "pread64", 126 | "prctl", 127 | "epoll_wait", 128 | "getsockname", 129 | "wait4", 130 | "accept4" 131 | ], 132 | "action": "SCMP_ACT_ALLOW" 133 | } 134 | ] 135 | } 
-------------------------------------------------------------------------------- /nginx/nginx.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "dup2", 17 | "mkdir", 18 | "pwrite64", 19 | "epoll_wait", 20 | "getcwd", 21 | "bind", 22 | "madvise", 23 | "setsid", 24 | "execve", 25 | "utimensat", 26 | "getppid", 27 | "pivot_root", 28 | "getdents64", 29 | "fchownat", 30 | "getegid", 31 | "rt_sigaction", 32 | "readlinkat", 33 | "newfstatat", 34 | "unlinkat", 35 | "sendmsg", 36 | "getrlimit", 37 | "umask", 38 | "rt_sigsuspend", 39 | "prlimit64", 40 | "getuid", 41 | "fcntl", 42 | "uname", 43 | "munmap", 44 | "socket", 45 | "sched_yield", 46 | "recvmsg", 47 | "mkdirat", 48 | "pread", 49 | "pwrite", 50 | "mprotect", 51 | "capset", 52 | "pread64", 53 | "getsockname", 54 | "unshare", 55 | "read", 56 | "vfork", 57 | "sysinfo", 58 | "setsockopt", 59 | "recvfrom", 60 | "setgroups", 61 | "pipe2", 62 | "clone", 63 | "rename", 64 | "seccomp", 65 | "fsetxattr", 66 | "sethostname", 67 | "epoll_create", 68 | "openat", 69 | "gettid", 70 | "connect", 71 | "symlinkat", 72 | "set_robust_list", 73 | "getrandom", 74 | "prlimit", 75 | "capget", 76 | "write", 77 | "faccessat2", 78 | "statfs", 79 | "brk", 80 | "writev", 81 | "setgid", 82 | "fadvise64", 83 | "ioctl", 84 | "geteuid", 85 | "io_setup", 86 | "getgid", 87 | "chdir", 88 | "setuid", 89 | "fchdir", 90 | "set_tid_address", 91 | "epoll_create1", 92 | "exit_group", 93 | "epoll_ctl", 94 | "sendto", 95 | "arch_prctl", 96 | "poll", 97 | "rt_sigprocmask", 98 | "listen", 99 | "chown", 100 | "prctl", 101 | "clone3", 102 | "mount", 103 | "futex", 104 | "dup3", 105 | "recv", 106 | "epoll_pwait", 107 | "fgetxattr", 108 | "nanosleep", 109 | "fstat", 
110 | "umount2", 111 | "fstatfs", 112 | "getpid", 113 | "mknodat", 114 | "socketpair", 115 | "sendfile", 116 | "fchown", 117 | "rt_sigreturn", 118 | "sched_getaffinity", 119 | "sigaltstack", 120 | "accept4", 121 | "mmap", 122 | "rseq", 123 | "keyctl", 124 | "lseek", 125 | "eventfd2", 126 | "accept", 127 | "wait4", 128 | "access", 129 | "close", 130 | "faccessat", 131 | "tgkill" 132 | ], 133 | "action": "SCMP_ACT_ALLOW" 134 | } 135 | ] 136 | } -------------------------------------------------------------------------------- /wordpress/wordpress.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "newfstatat", 17 | "clone", 18 | "accept", 19 | "faccessat2", 20 | "setgroups", 21 | "umask", 22 | "mount", 23 | "connect", 24 | "fchmodat", 25 | "bind", 26 | "rt_sigaction", 27 | "mmap", 28 | "clone3", 29 | "fchown", 30 | "dup2", 31 | "unlinkat", 32 | "fstat", 33 | "accept4", 34 | "capset", 35 | "openat", 36 | "uname", 37 | "listen", 38 | "recvmsg", 39 | "sendmmsg", 40 | "unshare", 41 | "wait4", 42 | "mknodat", 43 | "symlinkat", 44 | "dup3", 45 | "setsid", 46 | "setgid", 47 | "close", 48 | "write", 49 | "prlimit64", 50 | "sigaltstack", 51 | "getsockname", 52 | "rename", 53 | "fchdir", 54 | "fchmod", 55 | "rt_sigreturn", 56 | "lseek", 57 | "epoll_ctl", 58 | "getdents64", 59 | "setsockopt", 60 | "seccomp", 61 | "getpid", 62 | "umount2", 63 | "access", 64 | "ioctl", 65 | "writev", 66 | "getuid", 67 | "brk", 68 | "sched_yield", 69 | "set_robust_list", 70 | "setitimer", 71 | "capget", 72 | "chmod", 73 | "getppid", 74 | "prctl", 75 | "shutdown", 76 | "mkdir", 77 | "rseq", 78 | "getsockopt", 79 | "readlinkat", 80 | "statfs", 81 | "mkdirat", 82 | "keyctl", 83 | "exit_group", 84 | 
"epoll_create1", 85 | "pipe2", 86 | "fcntl", 87 | "getrlimit", 88 | "execve", 89 | "read", 90 | "getpeername", 91 | "fchownat", 92 | "socket", 93 | "statx", 94 | "epoll_pwait", 95 | "mprotect", 96 | "times", 97 | "socketpair", 98 | "recvfrom", 99 | "getrandom", 100 | "rt_sigprocmask", 101 | "getpgrp", 102 | "arch_prctl", 103 | "pread", 104 | "recv", 105 | "faccessat", 106 | "geteuid", 107 | "chdir", 108 | "pivot_root", 109 | "readlink", 110 | "tgkill", 111 | "sysinfo", 112 | "pread64", 113 | "prlimit", 114 | "fstatfs", 115 | "exit", 116 | "set_tid_address", 117 | "pselect6", 118 | "sethostname", 119 | "utimensat", 120 | "poll", 121 | "sched_getaffinity", 122 | "munmap", 123 | "nanosleep", 124 | "setuid", 125 | "getgid", 126 | "gettid", 127 | "madvise", 128 | "unlink", 129 | "getegid", 130 | "futex", 131 | "getcwd", 132 | "sendto" 133 | ], 134 | "action": "SCMP_ACT_ALLOW" 135 | } 136 | ] 137 | } -------------------------------------------------------------------------------- /juice-shop/juice-shop.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "rt_sigreturn", 17 | "poll", 18 | "read", 19 | "setuid", 20 | "symlinkat", 21 | "prctl", 22 | "accept4", 23 | "readlinkat", 24 | "futex", 25 | "set_tid_address", 26 | "epoll_create1", 27 | "setgid", 28 | "madvise", 29 | "umask", 30 | "recvfrom", 31 | "pread", 32 | "inotify_add_watch", 33 | "access", 34 | "sched_yield", 35 | "rseq", 36 | "prlimit", 37 | "setgroups", 38 | "fstat", 39 | "mknodat", 40 | "sched_getaffinity", 41 | "rt_sigprocmask", 42 | "getegid", 43 | "getcwd", 44 | "seccomp", 45 | "openat", 46 | "getsockname", 47 | "getrusage", 48 | "capget", 49 | "getsockopt", 50 | "mount", 51 | "setsockopt", 52 | "getpid", 53 
| "ftruncate", 54 | "sysinfo", 55 | "mmap", 56 | "uname", 57 | "getppid", 58 | "shutdown", 59 | "recvmsg", 60 | "getrlimit", 61 | "umount2", 62 | "bind", 63 | "pread64", 64 | "unlink", 65 | "epoll_ctl", 66 | "newfstatat", 67 | "write", 68 | "fstatfs", 69 | "statfs", 70 | "fchownat", 71 | "sethostname", 72 | "fchown", 73 | "pwrite64", 74 | "mkdir", 75 | "set_robust_list", 76 | "faccessat", 77 | "geteuid", 78 | "clone", 79 | "recv", 80 | "stat", 81 | "clock_nanosleep", 82 | "gettid", 83 | "lseek", 84 | "rt_sigaction", 85 | "pwrite", 86 | "getuid", 87 | "arch_prctl", 88 | "copy_file_range", 89 | "listen", 90 | "sendto", 91 | "socket", 92 | "unshare", 93 | "pipe2", 94 | "accept", 95 | "getgid", 96 | "epoll_pwait", 97 | "pivot_root", 98 | "fcntl", 99 | "nanosleep", 100 | "mprotect", 101 | "tgkill", 102 | "capset", 103 | "prlimit64", 104 | "brk", 105 | "munmap", 106 | "sigaltstack", 107 | "lstat", 108 | "execve", 109 | "getrandom", 110 | "close", 111 | "faccessat2", 112 | "getpeername", 113 | "getdents64", 114 | "setsid", 115 | "inotify_init1", 116 | "clone3", 117 | "readlink", 118 | "unlinkat", 119 | "fchmod", 120 | "chdir", 121 | "ioctl", 122 | "mkdirat", 123 | "exit_group", 124 | "fsync", 125 | "writev", 126 | "statx", 127 | "connect", 128 | "dup3", 129 | "keyctl", 130 | "fchdir", 131 | "pkey_alloc", 132 | "eventfd2" 133 | ], 134 | "action": "SCMP_ACT_ALLOW" 135 | } 136 | ] 137 | } -------------------------------------------------------------------------------- /mariadb/mariadb.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "mprotect", 17 | "lseek", 18 | "pselect6", 19 | "getpgrp", 20 | "getpid", 21 | "recvmsg", 22 | "statx", 23 | "times", 24 | "futex", 25 | 
"mount", 26 | "geteuid", 27 | "fstatfs", 28 | "symlinkat", 29 | "kill", 30 | "statfs", 31 | "keyctl", 32 | "poll", 33 | "rseq", 34 | "sigaltstack", 35 | "clone", 36 | "unshare", 37 | "pwrite64", 38 | "fcntl", 39 | "fchdir", 40 | "chdir", 41 | "fallocate", 42 | "sethostname", 43 | "getgid", 44 | "fchownat", 45 | "rename", 46 | "recvfrom", 47 | "rt_sigreturn", 48 | "set_tid_address", 49 | "prlimit64", 50 | "clock_nanosleep", 51 | "getsockname", 52 | "getrandom", 53 | "pivot_root", 54 | "getcwd", 55 | "close", 56 | "gettid", 57 | "getgroups", 58 | "readlink", 59 | "mkdirat", 60 | "rt_sigaction", 61 | "getegid", 62 | "execve", 63 | "openat", 64 | "brk", 65 | "clone3", 66 | "write", 67 | "setsockopt", 68 | "fstat", 69 | "wait4", 70 | "unlinkat", 71 | "rt_sigprocmask", 72 | "arch_prctl", 73 | "mmap", 74 | "dup3", 75 | "epoll_ctl", 76 | "setsid", 77 | "seccomp", 78 | "access", 79 | "setuid", 80 | "faccessat2", 81 | "read", 82 | "listen", 83 | "capset", 84 | "umount2", 85 | "fdatasync", 86 | "pipe2", 87 | "pread64", 88 | "faccessat", 89 | "getrlimit", 90 | "getdents64", 91 | "capget", 92 | "setgroups", 93 | "getppid", 94 | "recv", 95 | "newfstatat", 96 | "socket", 97 | "readlinkat", 98 | "madvise", 99 | "sendto", 100 | "exit_group", 101 | "pwrite", 102 | "bind", 103 | "connect", 104 | "getuid", 105 | "unlink", 106 | "prctl", 107 | "epoll_pwait", 108 | "setgid", 109 | "msync", 110 | "accept4", 111 | "mkdir", 112 | "set_robust_list", 113 | "umask", 114 | "munmap", 115 | "tgkill", 116 | "accept", 117 | "fadvise64", 118 | "pread", 119 | "mknodat", 120 | "exit", 121 | "dup", 122 | "vfork", 123 | "sched_getaffinity", 124 | "dup2", 125 | "epoll_create1", 126 | "uname", 127 | "ioctl", 128 | "prlimit", 129 | "ftruncate", 130 | "rt_sigtimedwait", 131 | "sched_yield", 132 | "nanosleep", 133 | "getpeername" 134 | ], 135 | "action": "SCMP_ACT_ALLOW" 136 | } 137 | ] 138 | } -------------------------------------------------------------------------------- /gitea/gitea.aa: 
--------------------------------------------------------------------------------
# AppArmor profile for the Gitea container image (s6 supervisor, sshd and the
# gitea binary). Per the repository README it was generated automatically from
# observed behaviour, so it records what one traced run did rather than what
# the service strictly needs.
#
# Permission letters used below: r = read, w = write, k = file locking,
# m = map as executable memory, ix = execute and stay inside this profile.
#
# NOTE(review): the profile is named "giteagitea.aa", not "gitea.aa" as the
# file name suggests (presumably derived from the image name). That is the
# name to reference when attaching it, e.g. --security-opt apparmor=giteagitea.aa.
profile giteagitea.aa flags=(attach_disconnected) {
  # Bare rules without qualifiers: each one allows every operation of its
  # class (any signal to any peer, ptrace of any peer, every network family
  # and socket type, every capability). The profile therefore adds no
  # restriction for these classes; only the container's capability set and
  # its seccomp filter limit them.
  # NOTE(review): narrow these to the signals, peers, address families and
  # capabilities the service is known to use before relying on this profile.
  signal,
  ptrace,
  network,
  capability,
  /usr/bin/busybox rix,
  /bin/s6-svscan rix,
  /etc/s6/.s6-svscan/lock rwk,
  /etc/s6/gitea/run rix,
  # Library paths are pinned to exact versions; a rule stops matching once an
  # image update changes the file name, so regenerate the profile per image tag.
  /usr/lib/libreadline.so.8.2 rixm,
  /usr/local/bin/environment-to-ini rix,
  /usr/sbin/sshd rix,
  /usr/bin/ssh-keygen rix,
  # SSH host key material under /data/ssh is writable. Presumably needed
  # because ssh-keygen creates the keys on first start; confirm whether write
  # access to the private keys is still required afterwards.
  /data/ssh/ssh_host_ecdsa_key.pub rw,
  /etc/group r,
  /lib/libcrypto.so.3 rm,
  /etc/s6/openssh/run rix,
  /dev/null rwk,
  /etc/passwd r,
  /data/git/.ssh/environment rw,
  /bin/s6-supervise rix,
  /etc/s6/openssh/supervise/status.new rw,
  /data/ssh/ssh_host_rsa_key rw,
  /lib/libz.so.1.3.1 rixm,
  /data/ssh/ssh_host_rsa_key.pub rw,
  /usr/local/bin/gitea rix,
  /data/ssh/ssh_host_ecdsa_key rw,
  /app/gitea/gitea rix,
  /proc/sys/net/core/somaxconn r,
  /proc/*/cpuset r,
  /data/gitea/conf/app.ini rw,
  /etc/s6/gitea/setup rix,
  /run/** rwk,
  /sbin/su-exec rix,
  /usr/bin/envsubst rix,
  /usr/lib/libintl.so.8.4.0 rixm,
  # The wildcard covers every PID visible to the container, not only the
  # calling process.
  /proc/*/oom_score_adj rw,
  /lib/libskarnet.so.2.14.1.1 rixm,
  /etc/templates/sshd_config r,
  /usr/bin/entrypoint rix,
  # sshd_config is writable, presumably because the entrypoint renders it from
  # /etc/templates/sshd_config at start-up. Verify against the image entrypoint.
  /etc/ssh/sshd_config rw,
  /etc/s6/openssh/supervise/control rw,
  # Execute permission on a directory path (trailing slash) is presumably a
  # generator artifact; the same pattern recurs on other directories below.
  /app/gitea/ rix,
  /etc/s6/gitea/supervise/status.new rw,
  /etc/s6/gitea/supervise/lock rwk,
  /etc/s6/.s6-svscan/control rw,
  /etc/s6/gitea/event/ rwix,
  /etc/ssl/openssl.cnf r,
  /etc/s6/openssh/event/ rwix,
  /etc/templates/app.ini r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /etc/s6/gitea/supervise/control rw,
  /proc/*/fd rix,
  /etc/s6/openssh/supervise/death_tally rw,
  /etc/s6/gitea/supervise/death_tally rw,
  /usr/lib/libncursesw.so.6.4 rixm,
  /etc/s6/openssh/setup rix,
  /etc/s6/ rix,
  /etc/s6/openssh/supervise/lock rwk,
  /etc/s6/openssh/supervise/ rw,
  /etc/s6/openssh/ rw,
  /bin/busybox ix,
  /data/ rw,
  /bin/bash ix,
  /etc/s6/gitea/supervise/status rw,
  /etc/s6/gitea/supervise/* rw,
  /etc/s6/.s6-svscan/ rw,
  /etc/s6/gitea/supervise/ rw,
  /etc/s6/gitea/ rw,
  /etc/s6/openssh/supervise/status rw,
  /etc/s6/openssh/supervise/* rw,
  /lib/ r,
  /dev/full rw,
  # runc is not part of the Gitea workload. This rule, and the
  # /proc/self/attr/apparmor/exec, uid_map, setgroups and net/ipv4 sysctl
  # rules further down, look like traces of the container runtime's own
  # start-up sequence captured by the generator. TODO confirm, and drop what
  # the running service does not touch.
  /usr/sbin/runc ix,
  /etc/ssh/ r,
  /etc/ r,
  /proc/sys/net/ipv4/ r,
  /proc/sys/net/ipv4/ping_group_range rw,
  /usr/local/bin/ r,
  /sys/fs/ r,
  /sys/fs/cgroup r,
  /proc/self/ r,
  /proc/self/mountinfo r,
  /usr/lib/ r,
  /proc/self/cpuset r,
  /dev/ r,
  /proc/self/uid_map r,
  /etc/s6/openssh/supervise/supervise/status.new r,
  /etc/resolv.conf r,
  /proc/sys/kernel/ r,
  /proc/sys/kernel/cap_last_cap r,
  /proc/self/attr/apparmor/ r,
  /proc/self/attr/apparmor/exec rw,
  /proc/sys/net/ipv4/ip_unprivileged_port_start rw,
  /sbin/s6-supervise rix,
  / r,
  /proc/ r,
  /proc/self/oom_score_adj rw,
  /proc/sys/net/core/ r,
  /data/gitea/log/ rw,
  /usr/lib/libskarnet.so.2.14.1.1 rm,
  /dev/mqueue rw,
  /sys/kernel/mm/transparent_hugepage/ r,
  /dev/urandom rw,
  /proc/self/setgroups r,
  /usr/bin/ r,
  /proc/self/status r,
  /usr/sbin/s6-supervise rix,
  /dev/stderr r,
  /proc/self/fd/* rw,
  /data/gitea/ rw,
  /dev/stdin r,
  /etc/hostname r,
  /dev/tty rw,
  /data/git/.ssh/ rw,
  /dev/pts/ rw,
  /data/git/ rw,
  /dev/shm/** rwk,
  /dev/zero rw,
  /proc/*/fd/ r,
  /etc/ssl/ r,
  /proc/filesystems r,
  /dev/random rw,
  /etc/templates/ r,
  /etc/hosts r,
  /data/ssh/ rw,
  /data/gitea/conf/ rw,
  /dev/stdout r,
  /dev/core r,
  # NOTE(review): write access to /proc/kcore (the kernel's memory image) has
  # no evident use for a Git service, and Docker's docker-default profile
  # denies this path outright. Treat it as a tracing artifact unless proven
  # otherwise, and remove the rule or turn it into an explicit deny.
  /proc/kcore w,
  /usr/lib/libz.so.1.3.1 rm,
  /dev/ptmx r,
  /usr/bin/s6-supervise rix,
  /proc/self/fd/ r,
  /sys/ r,
  /proc/self/fd rw,
  /dev/fd r,
  /usr/local/sbin/s6-supervise rix,
  /etc/s6/gitea/supervise/supervise/status.new r,
  /usr/local/bin/s6-supervise rix,
  /data/ssh/ssh_host_ed*_key.pub rw,
  /data/ssh/ssh_host_ed*_key rw,
  /tmp/ r,
}

-------------------------------------------------------------------------------- /elasticsearch/elasticsearch.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "clock_gettime", 17 | "flock", 18 | "seccomp", 19 | "set_robust_list", 20 | "getsockopt", 21 | "geteuid", 22 | "clone3", 23 | "prlimit64", 24 | "fchdir", 25 | "unlinkat", 26 | "faccessat2", 27 | "arch_prctl", 28 | "setuid", 29 | "pivot_root", 30 | "rt_sigtimedwait", 31 | "execve", 32 | "clock_nanosleep", 33 | "mknodat", 34 | "statx", 35 | "epoll_wait", 36 | "epoll_pwait", 37 | "keyctl", 38 | "faccessat", 39 | "bind", 40 | "fsync", 41 | "pread64", 42 | "mmap", 43 | "pipe2", 44 | "dup3", 45 | "sigaltstack", 46 | "umount2", 47 | "inotify_add_watch", 48 | "epoll_ctl", 49 | "clock_getres", 50 | "exit_group", 51 | "setsockopt", 52 | "sysinfo", 53 | "readlink", 54 | "setgroups", 55 | "read", 56 | "socketpair", 57 | "uname", 58 | "unlink", 59 | "rseq", 60 | "getegid", 61 | "lstat", 62 | "epoll_create1", 63 | "ftruncate", 64 | "pipe", 65 | "fchmod", 66 | "listen", 67 | "getdents64", 68 | "shutdown", 69 | "access", 70 | "recvmsg", 71 | "connect", 72 | "times", 73 | "newfstatat", 74 | "capget", 75 | "close", 76 | "gettid", 77 | "prctl", 78 | "sched_yield", 79 | "futex", 80 | "mount", 81 | "tgkill", 82 | "clone", 83 | "getcwd", 84 | "pread", 85 | "rename", 86 | "socket", 87 | "rt_sigreturn", 88 | "getrlimit", 89 | "write", 90 | "madvise", 91 | "getuid", 92 | "getrusage", 93 | "chmod", 94 |
"recv", 95 | "rt_sigaction", 96 | "stat", 97 | "setpgid", 98 | "lseek", 99 | "fcntl", 100 | "getgid", 101 | "rt_sigprocmask", 102 | "statfs", 103 | "accept", 104 | "capset", 105 | "mkdirat", 106 | "fstat", 107 | "exit", 108 | "sendto", 109 | "fchownat", 110 | "setgid", 111 | "dup", 112 | "poll", 113 | "eventfd2", 114 | "sethostname", 115 | "fchown", 116 | "munmap", 117 | "openat", 118 | "getsockname", 119 | "getpid", 120 | "readlinkat", 121 | "umask", 122 | "chdir", 123 | "nanosleep", 124 | "getpgrp", 125 | "inotify_init", 126 | "unshare", 127 | "mkdir", 128 | "sched_getaffinity", 129 | "wait4", 130 | "brk", 131 | "recvfrom", 132 | "fstatfs", 133 | "mprotect", 134 | "getppid", 135 | "mknod", 136 | "dup2", 137 | "accept4", 138 | "symlinkat", 139 | "ioctl", 140 | "setsid", 141 | "set_tid_address", 142 | "prlimit" 143 | ], 144 | "action": "SCMP_ACT_ALLOW" 145 | } 146 | ] 147 | } -------------------------------------------------------------------------------- /postgres/postgres.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "truncate", 17 | "poll", 18 | "chmod", 19 | "getgroups", 20 | "getcwd", 21 | "rt_sigreturn", 22 | "signalfd4", 23 | "bind", 24 | "unlink", 25 | "epoll_create1", 26 | "keyctl", 27 | "seccomp", 28 | "lseek", 29 | "getrandom", 30 | "rseq", 31 | "setitimer", 32 | "close", 33 | "sethostname", 34 | "tgkill", 35 | "fchdir", 36 | "sigaltstack", 37 | "getpgrp", 38 | "mkdir", 39 | "epoll_ctl", 40 | "exit_group", 41 | "fsync", 42 | "vfork", 43 | "uname", 44 | "rt_sigaction", 45 | "getrlimit", 46 | "arch_prctl", 47 | "setuid", 48 | "set_tid_address", 49 | "access", 50 | "readlinkat", 51 | "sendto", 52 | "rt_sigprocmask", 53 | "umount2", 54 | "setsid", 55 | 
"epoll_pwait", 56 | "dup", 57 | "pread64", 58 | "getpeername", 59 | "shmctl", 60 | "capget", 61 | "faccessat", 62 | "accept", 63 | "getppid", 64 | "setgid", 65 | "getsockname", 66 | "rename", 67 | "unlinkat", 68 | "symlinkat", 69 | "fallocate", 70 | "listen", 71 | "getegid", 72 | "sysinfo", 73 | "pwritev", 74 | "mount", 75 | "sync_file_range", 76 | "execve", 77 | "write", 78 | "setsockopt", 79 | "nanosleep", 80 | "unshare", 81 | "pivot_root", 82 | "shmat", 83 | "socketpair", 84 | "getuid", 85 | "setgroups", 86 | "getgid", 87 | "wait4", 88 | "fchmodat", 89 | "madvise", 90 | "mkdirat", 91 | "statx", 92 | "getrusage", 93 | "clone3", 94 | "set_robust_list", 95 | "shmdt", 96 | "capset", 97 | "umask", 98 | "epoll_wait", 99 | "getpid", 100 | "socket", 101 | "sched_yield", 102 | "fstat", 103 | "faccessat2", 104 | "newfstatat", 105 | "geteuid", 106 | "statfs", 107 | "connect", 108 | "pipe2", 109 | "recvfrom", 110 | "fstatfs", 111 | "mknodat", 112 | "pwrite64", 113 | "openat", 114 | "recv", 115 | "getdents64", 116 | "ioctl", 117 | "clone", 118 | "fchownat", 119 | "kill", 120 | "gettid", 121 | "mmap", 122 | "prlimit", 123 | "sched_getaffinity", 124 | "munmap", 125 | "brk", 126 | "readlink", 127 | "shmget", 128 | "chdir", 129 | "pwrite", 130 | "getsockopt", 131 | "accept4", 132 | "clock_nanosleep", 133 | "prlimit64", 134 | "futex", 135 | "fcntl", 136 | "fadvise64", 137 | "prctl", 138 | "pread", 139 | "dup2", 140 | "dup3", 141 | "recvmsg", 142 | "fdatasync", 143 | "mprotect", 144 | "read" 145 | ], 146 | "action": "SCMP_ACT_ALLOW" 147 | } 148 | ] 149 | } -------------------------------------------------------------------------------- /cassandra/cassandra.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 
| { 15 | "names": [ 16 | "prctl", 17 | "accept4", 18 | "statx", 19 | "set_tid_address", 20 | "setuid", 21 | "getsockopt", 22 | "ftruncate", 23 | "getrusage", 24 | "getcwd", 25 | "umask", 26 | "setgroups", 27 | "faccessat2", 28 | "fstatfs", 29 | "sigaltstack", 30 | "lseek", 31 | "rt_sigreturn", 32 | "gettid", 33 | "fdatasync", 34 | "keyctl", 35 | "clone", 36 | "poll", 37 | "getsockname", 38 | "write", 39 | "socketpair", 40 | "rt_sigaction", 41 | "chmod", 42 | "rseq", 43 | "epoll_create", 44 | "mlockall", 45 | "geteuid", 46 | "unlinkat", 47 | "getegid", 48 | "timerfd_create", 49 | "bind", 50 | "writev", 51 | "setsockopt", 52 | "recvfrom", 53 | "recvmmsg", 54 | "clone3", 55 | "set_robust_list", 56 | "socket", 57 | "dup2", 58 | "epoll_pwait2", 59 | "epoll_ctl", 60 | "unshare", 61 | "mkdirat", 62 | "exit_group", 63 | "vfork", 64 | "stat", 65 | "readlink", 66 | "getgid", 67 | "getdents64", 68 | "fchdir", 69 | "msync", 70 | "epoll_create1", 71 | "chdir", 72 | "capget", 73 | "sethostname", 74 | "unlink", 75 | "epoll_wait", 76 | "arch_prctl", 77 | "fchownat", 78 | "mknodat", 79 | "sched_yield", 80 | "faccessat", 81 | "epoll_pwait", 82 | "access", 83 | "symlinkat", 84 | "pread", 85 | "recvmsg", 86 | "recv", 87 | "pread64", 88 | "sendmmsg", 89 | "setsid", 90 | "listen", 91 | "sendto", 92 | "openat", 93 | "getrlimit", 94 | "mount", 95 | "clock_getres", 96 | "prlimit64", 97 | "sched_getaffinity", 98 | "fsync", 99 | "rmdir", 100 | "nanosleep", 101 | "dup3", 102 | "accept", 103 | "dup", 104 | "sysinfo", 105 | "getppid", 106 | "getpid", 107 | "wait4", 108 | "pivot_root", 109 | "ioctl", 110 | "exit", 111 | "getpgrp", 112 | "open", 113 | "futex", 114 | "eventfd2", 115 | "uname", 116 | "newfstatat", 117 | "mmap", 118 | "close", 119 | "seccomp", 120 | "get_mempolicy", 121 | "getuid", 122 | "execve", 123 | "mkdir", 124 | "tgkill", 125 | "fadvise64", 126 | "mprotect", 127 | "umount2", 128 | "getrandom", 129 | "prlimit", 130 | "rename", 131 | "brk", 132 | "pipe2", 133 | "munmap", 134 | 
"statfs", 135 | "rt_sigprocmask", 136 | "set_mempolicy", 137 | "capset", 138 | "flock", 139 | "connect", 140 | "read", 141 | "fstat", 142 | "fcntl", 143 | "readlinkat", 144 | "setgid", 145 | "clock_nanosleep", 146 | "madvise" 147 | ], 148 | "action": "SCMP_ACT_ALLOW" 149 | } 150 | ] 151 | } -------------------------------------------------------------------------------- /mysql/mysql.sc: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "defaultErrnoRet": 1, 4 | "archMap": [ 5 | { 6 | "architecture": "SCMP_ARCH_X86_64", 7 | "subArchitectures": [ 8 | "SCMP_ARCH_X86", 9 | "SCMP_ARCH_X32" 10 | ] 11 | } 12 | ], 13 | "syscalls": [ 14 | { 15 | "names": [ 16 | "accept", 17 | "sigaltstack", 18 | "setuid", 19 | "openat", 20 | "futex", 21 | "pread", 22 | "unlinkat", 23 | "set_tid_address", 24 | "readlinkat", 25 | "recvfrom", 26 | "getgid", 27 | "fstatfs", 28 | "io_submit", 29 | "getpgrp", 30 | "pipe2", 31 | "prlimit", 32 | "ppoll", 33 | "io_setup", 34 | "statfs", 35 | "arch_prctl", 36 | "bind", 37 | "mprotect", 38 | "recv", 39 | "capget", 40 | "umount2", 41 | "getpriority", 42 | "faccessat2", 43 | "execve", 44 | "epoll_create1", 45 | "fchownat", 46 | "clock_nanosleep", 47 | "sched_setaffinity", 48 | "getcwd", 49 | "seccomp", 50 | "lseek", 51 | "fstat", 52 | "getpid", 53 | "mmap", 54 | "rseq", 55 | "dup2", 56 | "read", 57 | "getrandom", 58 | "clone", 59 | "mknodat", 60 | "accept4", 61 | "io_getevents", 62 | "keyctl", 63 | "umask", 64 | "sched_yield", 65 | "exit_group", 66 | "pipe", 67 | "tgkill", 68 | "getsockname", 69 | "getrlimit", 70 | "eventfd2", 71 | "fadvise64", 72 | "rt_sigprocmask", 73 | "sched_getaffinity", 74 | "getegid", 75 | "exit", 76 | "recvmsg", 77 | "unshare", 78 | "clone3", 79 | "faccessat", 80 | "pwrite64", 81 | "pwrite", 82 | "munmap", 83 | "dup", 84 | "mkdirat", 85 | "access", 86 | "sendto", 87 | "geteuid", 88 | "listen", 89 | "mount", 90 | "statx", 91 | "rt_sigreturn", 92 | 
"unlink", 93 | "getpeername", 94 | "chdir", 95 | "set_robust_list", 96 | "setgroups", 97 | "wait4", 98 | "shutdown", 99 | "fcntl", 100 | "rt_sigtimedwait", 101 | "times", 102 | "write", 103 | "getgroups", 104 | "setpriority", 105 | "socket", 106 | "getuid", 107 | "newfstatat", 108 | "symlinkat", 109 | "poll", 110 | "fallocate", 111 | "nanosleep", 112 | "fchdir", 113 | "epoll_ctl", 114 | "ioctl", 115 | "connect", 116 | "setsockopt", 117 | "pivot_root", 118 | "getdents64", 119 | "readlink", 120 | "madvise", 121 | "uname", 122 | "sethostname", 123 | "setsid", 124 | "rename", 125 | "rmdir", 126 | "getppid", 127 | "getrusage", 128 | "epoll_wait", 129 | "capset", 130 | "fdatasync", 131 | "gettid", 132 | "mkdir", 133 | "prlimit64", 134 | "setgid", 135 | "fsync", 136 | "pread64", 137 | "epoll_pwait", 138 | "close", 139 | "sysinfo", 140 | "rt_sigaction", 141 | "dup3", 142 | "chmod", 143 | "prctl", 144 | "ftruncate", 145 | "clock_gettime", 146 | "brk" 147 | ], 148 | "action": "SCMP_ACT_ALLOW" 149 | } 150 | ] 151 | } -------------------------------------------------------------------------------- /openjdk/openjdk.aa: -------------------------------------------------------------------------------- 1 | profile openjdk.aa flags=(attach_disconnected) { 2 | signal, 3 | ptrace, 4 | network, 5 | capability, 6 | /usr/bin/bash rix, 7 | /usr/lib/locale/C.utf8/LC_TIME rm, 8 | /usr/java/openjdk-18/bin/jshell rix, 9 | /usr/java/openjdk-18/lib/libjli.so rm, 10 | /usr/bin/tty rix, 11 | /proc/filesystems r, 12 | /usr/share/locale/locale.alias r, 13 | /usr/java/openjdk-18/bin/java rix, 14 | /usr/java/openjdk-18/lib/jvm.cfg r, 15 | /proc/*/stat r, 16 | /usr/lib64/libnss_files-2.28.so rm, 17 | /proc/cgroups r, 18 | /proc/*/mountinfo r, 19 | /etc/localtime r, 20 | /usr/lib64/libpthread-2.28.so rm, 21 | /etc/host.conf r, 22 | /tmp/** rwmk, 23 | /usr/java/openjdk-18/lib/libjsvml.so rm, 24 | /usr/lib/locale/C.utf8/LC_NUMERIC rm, 25 | /etc/ld.so.cache rm, 26 | /usr/lib64/gconv/gconv-modules.cache 
rm, 27 | /root/.java/.userPrefs/.user.lock.root rwk, 28 | /dev/random rw, 29 | /usr/lib64/libm-2.28.so rm, 30 | /usr/lib/locale/C.utf8/LC_TELEPHONE rm, 31 | /usr/java/openjdk-18/lib/jspawnhelper rix, 32 | /usr/lib64/libc-2.28.so rm, 33 | /usr/lib/locale/C.utf8/LC_MESSAGES/ rix, 34 | /etc/hosts r, 35 | /proc/*/coredump_filter rw, 36 | /usr/lib/locale/C.utf8/LC_MEASUREMENT rm, 37 | /proc/*/cgroup r, 38 | /usr/lib64/librt-2.28.so rm, 39 | /usr/java/openjdk-18/lib/libextnet.so rm, 40 | /usr/lib64/libselinux.so.1 rm, 41 | /usr/java/openjdk-18/lib/server/classes.jsa rm, 42 | /usr/java/openjdk-18/lib/libjava.so rm, 43 | /sys/devices/system/cpu/online r, 44 | /usr/lib/locale/C.utf8/LC_MONETARY rm, 45 | /etc/passwd r, 46 | /usr/java/openjdk-18/lib/libjimage.so rm, 47 | /proc/*/net/if_inet6 r, 48 | /usr/lib64/libz.so.1.2.11 rm, 49 | /usr/java/openjdk-18/lib/server/libjvm.so rm, 50 | /usr/java/openjdk-18/conf/security/java.security r, 51 | /usr/lib/locale/C.utf8/LC_IDENTIFICATION rm, 52 | /sys/fs/cgroup/cpu.max r, 53 | /usr/lib/locale/C.utf8/LC_PAPER rm, 54 | /usr/lib64/libcap.so.2.48 rm, 55 | /etc/nsswitch.conf r, 56 | /proc/stat r, 57 | /usr/lib/locale/C.utf8/LC_NAME rm, 58 | /usr/lib64/libpcre2-8.so.0.7.1 rm, 59 | /dev/urandom rw, 60 | /etc/protocols r, 61 | /usr/lib/locale/C.utf8/LC_COLLATE rm, 62 | /usr/lib/locale/C.utf8/LC_ADDRESS rm, 63 | /sys/fs/cgroup/memory.max r, 64 | /usr/lib64/libacl.so.1.1.2253 rm, 65 | /root/.java/.userPrefs/tool/JShell/prefs.tmp rw, 66 | /usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES rm, 67 | /usr/lib64/libtinfo.so.6.1 rm, 68 | /proc/sys/vm/overcommit_memory r, 69 | /etc/resolv.conf r, 70 | /usr/java/openjdk-18/lib/libnio.so rm, 71 | /usr/lib64/libdl-2.28.so rm, 72 | /sys/devices/system/cpu rix, 73 | /proc/*/cmdline r, 74 | /usr/lib/locale/C.utf8/LC_CTYPE rm, 75 | /usr/share/zoneinfo/UTC r, 76 | /usr/lib64/libattr.so.1.1.2448 rm, 77 | /root/.java/.userPrefs/tool/prefs.tmp rw, 78 | /proc/cpuinfo r, 79 | /usr/java/openjdk-18/lib/libprefs.so 
rm, 80 | /usr/java/openjdk-18/lib/modules rm, 81 | /usr/java/openjdk-18/lib/libnet.so rm, 82 | /usr/java/openjdk-18/lib/libjdwp.so rm, 83 | /usr/java/openjdk-18/lib/tzdb.dat r, 84 | /usr/java/openjdk-18/lib/libdt_socket.so rm, 85 | /usr/java/openjdk-18/conf/net.properties r, 86 | /usr/java/openjdk-18/conf/logging.properties r, 87 | /root/.java/.userPrefs/.userRootModFile.root rw, 88 | /proc/*/fd rix, 89 | /usr/bin/coreutils ix, 90 | /root/ rw, 91 | /root/.java/.userPrefs/tool/JShell/prefs.xml rw, 92 | /root/.java/.userPrefs/tool/prefs.xml rw, 93 | /usr/lib/locale/C.utf8/ r, 94 | /etc/ r, 95 | /sys/fs/cgroup r, 96 | /usr/sbin/runc ix, 97 | /sys/fs/ r, 98 | /proc/ r, 99 | /usr/java/openjdk-18/lib/ r, 100 | /usr/lib64/ r, 101 | /proc/sys/kernel/ r, 102 | /proc/sys/kernel/cap_last_cap r, 103 | /sys/fs/cgroup/ r, 104 | /dev/fd r, 105 | /proc/self/fd rw, 106 | /sys/devices/system/cpu/ r, 107 | /usr/share/locale/ r, 108 | / r, 109 | /proc/*/ r, 110 | /proc/sys/vm/ r, 111 | /run/** rwixk, 112 | /dev/ptmx r, 113 | /proc/self/uid_map r, 114 | /proc/self/ r, 115 | /proc/self/cgroup r, 116 | /usr/java/openjdk-18/lib/server/ r, 117 | /usr/share/zoneinfo/ r, 118 | /usr/lib64/gconv/ r, 119 | /proc/sys/net/ipv4/ip_unprivileged_port_start rw, 120 | /proc/sys/net/ipv4/ r, 121 | /dev/null rwk, 122 | /dev/ r, 123 | /usr/java/openjdk-18/conf/ r, 124 | /root/.java/.userPrefs/tool/JShell/ rw, 125 | /sys/ r, 126 | /proc/self/mountinfo r, 127 | /proc/sys/net/ipv4/ping_group_range rw, 128 | /proc/self/fd/* rw, 129 | /proc/self/fd/ r, 130 | /proc/self/coredump_filter rw, 131 | /usr/java/openjdk-18/conf/security/ r, 132 | /root/.java/.userPrefs/tool/ rw, 133 | /dev/stdin r, 134 | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 135 | /sys/kernel/mm/transparent_hugepage/ r, 136 | /dev/pts/ rw, 137 | /proc/self/status r, 138 | /dev/shm/** rwk, 139 | /dev/stdout r, 140 | /root/.java/ rw, 141 | /proc/self/attr/apparmor/exec rw, 142 | /proc/self/attr/apparmor/ r, 143 | /dev/mqueue rw, 144 | 
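/sys/fs/cgroup//memory.max r, 145 | /sys/fs/cgroup//cpu.max r, 146 | /proc/net/if_inet6 r, 147 | /proc/net/ r, 148 | /dev/tty rw, 149 | /proc/kcore w, 150 | /dev/core r, 151 | /proc/self/setgroups r, 152 | /dev/zero rw, 153 | /dev/stderr r, 154 | /etc/group r, 155 | /root/.java/.userPrefs/ rw, 156 | /dev/full rw, 157 | /etc/hostname r, 158 | } 159 |
--------------------------------------------------------------------------------
/tomcat/tomcat.aa:
--------------------------------------------------------------------------------
# AppArmor profile for a Tomcat container: a generated allow-list of the paths
# touched during one recorded run.
#
# Review notes:
#  - `signal,`, `ptrace,`, `network,` and `capability,` are bare rules with no
#    qualifiers, so the profile does not restrict those four classes at all;
#    only file access is confined here. Capabilities stay bounded by whatever
#    set the container runtime grants.
#  - A path ending in `/` matches the directory itself, not the files below it.
#  - Library, jar and JDK paths carry image-specific names and versions, so the
#    profile has to be regenerated when the image changes.
#  - `attach_disconnected` lets paths that are disconnected from the namespace
#    root still be matched, which is usual for container profiles.
profile tomcat.aa flags=(attach_disconnected) {
  signal,
  ptrace,
  network,
  capability,
  /opt/java/openjdk/bin/java rix,
  /usr/local/tomcat/lib/tomcat-api.jar r,
  /usr/local/tomcat/lib/catalina-ssi.jar r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /etc/resolv.conf r,
  /usr/lib/x86_64-linux-gnu/libdl.so.2 rm,
  # NOTE(review): write + execute + executable mmap on everything under /tmp
  # means the confined process may run files it has just written there. Narrow
  # this to the paths Tomcat needs, or drop `x`/`m` once confirmed unused.
  /tmp/** rwixmk,
  /usr/local/tomcat/lib/tomcat-util-scan.jar r,
  /usr/bin/bash rix,
  /etc/nsswitch.conf r,
  /opt/java/openjdk/lib/libmanagement.so rm,
  /usr/local/tomcat/lib/servlet-api.jar r,
  /proc/cgroups r,
  /opt/java/openjdk/lib/libzip.so rm,
  /usr/lib/x86_64-linux-gnu/librt.so.1 rm,
  /etc/passwd r,
  /opt/java/openjdk/lib/tzdb.dat r,
  /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
  /proc/*/coredump_filter rw,
  /usr/local/tomcat/bin/setclasspath.sh r,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache rm,
  /etc/ld.so.cache rm,
  /proc/stat r,
  /usr/local/tomcat/lib/ecj-4.33.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-fr.jar r,
  /usr/local/tomcat/conf/tomcat-users.xml r,
  # Directory-only rule: nothing below webapps/ is listed in this profile, so
  # deployed applications are denied until rules for them are added. The `ix`
  # on a directory looks like a generator artefact.
  /usr/local/tomcat/webapps/ rix,
  /usr/local/tomcat/bin/bootstrap.jar r,
  /proc/*/mountinfo r,
  /usr/local/tomcat/lib/tomcat-websocket.jar r,
  /etc/timezone r,
  /usr/local/tomcat/lib/catalina-ha.jar r,
  /usr/local/tomcat/native-jni-lib/libtcnative-2.so.0.0.8 rm,
  /etc/hosts r,
  /etc/gai.conf r,
  /usr/lib/locale/locale-archive rm,
  /opt/java/openjdk/lib/jvm.cfg r,
  /usr/local/tomcat/bin/catalina.sh rix,
  /proc/sys/vm/overcommit_memory r,
  /opt/java/openjdk/lib/server/libjvm.so rm,
  /sys/devices/system/cpu/online r,
  /opt/java/openjdk/lib/libnet.so rm,
  /usr/bin/dirname rix,
  /usr/bin/uname rix,
  /usr/local/tomcat/lib/websocket-client-api.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-es.jar r,
  /opt/java/openjdk/lib/libjli.so rm,
  /etc/ssl/openssl.cnf r,
  /usr/local/tomcat/lib/tomcat-util.jar r,
  /usr/local/tomcat/lib/jaspic-api.jar r,
  /opt/java/openjdk/conf/security/java.security r,
  /usr/local/tomcat/lib/tomcat-jni.jar r,
  /opt/java/openjdk/lib/libextnet.so rm,
  /opt/java/openjdk/lib/jfr/ rix,
  /usr/local/tomcat/lib/catalina-ant.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-cs.jar r,
  /usr/local/tomcat/conf/server.xml r,
  /usr/local/tomcat/conf/catalina.properties r,
  /usr/share/zoneinfo/Etc/UTC r,
  /opt/java/openjdk/lib/libjimage.so rm,
  /sys/fs/cgroup/memory.max r,
  /usr/local/tomcat/lib/jakartaee-migration-1.0.8-shaded.jar r,
  /opt/java/openjdk/lib/server/classes.jsa rm,
  /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0 rm,
  /sys/devices/system/cpu/cpu0/microcode/version r,
  /usr/local/tomcat/conf/logging.properties r,
  /usr/local/tomcat/lib/jasper-el.jar r,
  /proc/meminfo r,
  /opt/java/openjdk/lib/libmanagement_ext.so rm,
  /usr/local/tomcat/lib/annotations-api.jar r,
  /usr/lib/x86_64-linux-gnu/libpthread.so.0 rm,
  /sys/fs/cgroup/cpu.max r,
  /usr/local/tomcat/lib/websocket-api.jar r,
  /opt/java/openjdk/lib/libnio.so rm,
  /usr/local/tomcat/ rix,
  /usr/local/tomcat/lib/tomcat-i18n-ko.jar r,
  /usr/local/tomcat/lib/tomcat-dbcp.jar r,
  /usr/local/tomcat/lib/el-api.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-de.jar r,
  # Covers the logs directory only; the log files themselves are granted by the
  # two glob rules at the end of the profile.
  /usr/local/tomcat/logs/ rwix,
  /opt/java/openjdk/lib/jfr/profile.jfc r,
  /usr/local/tomcat/lib/jsp-api.jar r,
  /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
  /usr/local/tomcat/lib/tomcat-i18n-ru.jar r,
  /proc/*/cgroup r,
  /usr/lib/x86_64-linux-gnu/libcrypto.so.3 rm,
  /usr/local/tomcat/lib/jasper.jar r,
  /usr/local/tomcat/lib/ rix,
  /etc/host.conf r,
  /usr/lib/x86_64-linux-gnu/libssl.so.3 rm,
  /opt/java/openjdk/lib/modules rm,
  /usr/local/tomcat/lib/catalina-tribes.jar r,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /usr/local/tomcat/bin/commons-daemon.jar r,
  /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.2 rm,
  /sys/kernel/mm/hugepages rix,
  /usr/local/tomcat/lib/tomcat-coyote.jar r,
  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.4 rm,
  /opt/java/openjdk/lib/libjsvml.so rm,
  /proc/*/net/if_inet6 r,
  /usr/local/tomcat/bin/tomcat-juli.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-zh-CN.jar r,
  /opt/java/openjdk/lib/libjava.so rm,
  /sys/devices/system/cpu/possible r,
  /usr/local/tomcat/lib/tomcat-jdbc.jar r,
  /usr/local/tomcat/lib/catalina-storeconfig.jar r,
  /usr/local/tomcat/lib/tomcat-coyote-ffm.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-pt-BR.jar r,
  /usr/local/tomcat/lib/tomcat-i18n-ja.jar r,
  /opt/java/openjdk/conf/jaxp.properties r,
  /opt/java/openjdk/lib/jfr/default.jfc r,
  /usr/local/tomcat/lib/catalina.jar r,
  /usr/bin/env ix,
  /usr/local/tomcat/conf/ rw,
  /proc/sys/vm/ r,
  /usr/lib/locale/ r,
  /proc/ r,
  /sys/devices/system/cpu/ r,
  # presumably recorded while the container runtime was starting the container
  # rather than from Tomcat itself (same for the /proc/self/attr/apparmor/exec
  # and /proc/sys/net/ipv4/* write rules below) -- TODO confirm
  /usr/sbin/runc ix,
  /proc/sys/kernel/ r,
  /proc/sys/kernel/cap_last_cap r,
  /etc/ r,
  /usr/lib/x86_64-linux-gnu/ r,
  /proc/self/mountinfo r,
  /proc/self/ r,
  /dev/full rw,
  /dev/mqueue rw,
  /dev/ r,
  /opt/java/openjdk/lib/ r,
  # NOTE(review): write + execute on everything under /run; same concern as
  # the /tmp/** rule above.
  /run/** rwixk,
  # NOTE(review): bash is granted `rix` at several PATH locations (here and at
  # /usr/local/sbin, /opt/java/openjdk/bin, /usr/sbin, /usr/local/bin) besides
  # /usr/bin/bash. These look like PATH-search probes captured by the
  # generator; confirm which of them exist in the image and drop the rest, so
  # that a file later placed at one of those paths is not executable.
  /usr/local/tomcat/bin/bash rix,
  /proc/self/fd/* rw,
  /proc/self/fd/ r,
  /dev/pts/ rw,
  /sys/devices/system/cpu/cpu0/microcode/ r,
  / r,
  /sys/kernel/mm/transparent_hugepage/ r,
  /usr/lib/ssl/ r,
  /opt/java/openjdk/lib/server/ r,
  /proc/self/setgroups r,
  /proc/net/ r,
  /proc/net/if_inet6 r,
  /dev/null rw,
  /opt/java/openjdk/conf/security/ r,
  /usr/local/sbin/bash rix,
  /proc/self/uid_map r,
  /sys/fs/cgroup/ r,
  /usr/local/tomcat/bin/ r,
  /proc/self/coredump_filter rw,
  /etc/hostname r,
  /proc/sys/net/ipv4/ r,
  /proc/sys/net/ipv4/ip_unprivileged_port_start rw,
  /proc/filesystems r,
  /usr/local/tomcat/conf/Catalina/localhost/ rw,
  /proc/sys/net/ipv4/ping_group_range rw,
  /usr/local/tomcat/conf/Catalina/ rw,
  /etc/group r,
  /dev/zero rw,
  /dev/shm/** rwk,
  /sys/fs/cgroup r,
  /sys/fs/ r,
  /usr/local/ r,
  /proc/self/attr/apparmor/exec rw,
  /proc/self/attr/apparmor/ r,
  /sys/ r,
  /opt/java/openjdk/bin/bash rix,
  /proc/self/fd rw,
  /dev/ptmx r,
  /dev/stderr r,
  # NOTE(review): write access to the kernel memory image path. Presumably an
  # artefact of container start-up rather than something Tomcat needs --
  # verify and remove if so.
  /proc/kcore w,
  /dev/core r,
  /dev/stdin r,
  /usr/local/tomcat/native-jni-lib/ r,
  /proc/self/status r,
  /dev/stdout r,
  /dev/urandom rw,
  /usr/sbin/bash rix,
  /opt/java/openjdk/conf/ r,
  /proc/self/cgroup r,
  /dev/tty rw,
  /sys/kernel/mm/hugepages/ r,
  /usr/lib/x86_64-linux-gnu/gconv/ r,
  /dev/fd r,
  /dev/random rw,
  /usr/local/bin/bash rix,
  # Date-independent globs. The recorded rules ended in `*-12-08`, the
  # month-day of the capture run, which would deny log writes on every other
  # date.
  /usr/local/tomcat/logs/localhost_access_log.*.txt rw,
  /usr/local/tomcat/logs/catalina.*.log rw,
}

--------------------------------------------------------------------------------
/zookeeper/zookeeper.aa:
--------------------------------------------------------------------------------
# AppArmor profile for a ZooKeeper container: a generated allow-list of the
# paths touched during one recorded run.
#
# Review notes:
#  - `signal,`, `ptrace,`, `network,` and `capability,` are bare rules with no
#    qualifiers, so the profile does not restrict those four classes at all;
#    only file access is confined here. Capabilities stay bounded by whatever
#    set the container runtime grants.
#  - A path ending in `/` matches the directory itself, not the files below it.
#  - Paths embed the ZooKeeper release and library versions, so the profile has
#    to be regenerated when the image changes.
profile zookeeper.aa flags=(attach_disconnected) {
  signal,
  ptrace,
  network,
  capability,
  # chown and gosu (below) are presumably run by /docker-entrypoint.sh to fix
  # ownership and drop privileges -- TODO confirm
  /usr/bin/chown rix,
  /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
  /opt/java/openjdk/bin/java rix,
  /apache-zookeeper-3.9.3-bin/lib/netty-buffer-4.1.113.Final.jar r,
  /opt/java/openjdk/lib/libmanagement_ext.so rm,
  /opt/java/openjdk/lib/libjava.so rm,
  /usr/bin/ls rix,
  /proc/filesystems r,
  /apache-zookeeper-3.9.3-bin/lib/jackson-core-2.15.2.jar r,
  /usr/bin/sed rix,
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 rm,
  /usr/bin/id rix,
  /usr/lib/x86_64-linux-gnu/libpthread.so.0 rm,
  /apache-zookeeper-3.9.3-bin/lib/commons-io-2.17.0.jar r,
  /docker-entrypoint.sh rix,
  /opt/java/openjdk/conf/logging.properties r,
  /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 rm,
  /etc/nsswitch.conf r,
  /proc/cgroups r,
  /proc/*/net/if_inet6 r,
  /opt/java/openjdk/lib/server/classes.jsa rm,
  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3 rm,
  /usr/bin/grep rix,
  /proc/*/maps r,
  /sys/fs/cgroup/cpu.max r,
  /apache-zookeeper-3.9.3-bin/lib/jackson-databind-2.15.2.jar r,
  /apache-zookeeper-3.9.3-bin/bin/zkServer.sh rix,
  /usr/lib/locale/locale-archive rm,
  /etc/timezone r,
  /usr/bin/bash rix,
  /apache-zookeeper-3.9.3-bin/lib/simpleclient_common-0.9.0.jar r,
  /etc/ld.so.cache rm,
  /dev/urandom rw,
  /apache-zookeeper-3.9.3-bin/lib/snappy-java-1.1.10.5.jar r,
  /etc/host.conf r,
  /apache-zookeeper-3.9.3-bin/lib/slf4j-api-1.7.30.jar r,
  /usr/lib/x86_64-linux-gnu/libselinux.so.1 rm,
  /proc/meminfo r,
  /usr/sbin/gosu rix,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /apache-zookeeper-3.9.3-bin/bin/zkEnv.sh r,
  /usr/lib/x86_64-linux-gnu/librt.so.1 rm,
  /apache-zookeeper-3.9.3-bin/lib/logback-classic-1.2.13.jar r,
  /etc/passwd r,
  /conf/logback.xml r,
  /sys/fs/cgroup/memory.max r,
  /opt/java/openjdk/conf/security/java.policy r,
  /apache-zookeeper-3.9.3-bin/lib/netty-tcnative-boringssl-static-2.0.66.Final.jar r,
  /etc/group r,
  /usr/bin/uname rix,
  /apache-zookeeper-3.9.3-bin/lib/zookeeper-prometheus-metrics-3.9.3.jar r,
  /apache-zookeeper-3.9.3-bin/lib/netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar r,
  /opt/java/openjdk/lib/libmanagement.so rm,
  /dev/null rw,
  # NOTE(review): the server configuration is writable and executable by the
  # confined process. The `ix` on a .cfg file looks like a generator artefact;
  # confirm and reduce to the access the entrypoint needs.
  /conf/zoo.cfg rwix,
  /opt/java/openjdk/lib/libzip.so rm,
  /etc/gai.conf r,
  /apache-zookeeper-3.9.3-bin/lib/netty-transport-native-unix-common-4.1.113.Final.jar r,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /etc/locale.alias r,
  /usr/share/zoneinfo/Etc/UTC r,
  # Directory-only rule: no file below /logs/ is listed in this profile, so
  # file logging there would be denied if it is enabled -- TODO confirm.
  /logs/ rwix,
  /apache-zookeeper-3.9.3-bin/lib/zookeeper-3.9.3.jar r,
  /proc/*/cgroup r,
  /proc/*/coredump_filter rw,
  /apache-zookeeper-3.9.3-bin/lib/netty-transport-4.1.113.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/simpleclient_hotspot-0.9.0.jar r,
  /data/myid rw,
  /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3 rm,
  /opt/java/openjdk/lib/libjsvml.so rm,
  /opt/java/openjdk/lib/libnet.so rm,
  /apache-zookeeper-3.9.3-bin/lib/netty-tcnative-classes-2.0.66.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/metrics-core-4.1.12.1.jar r,
  /opt/java/openjdk/lib/tzdb.dat r,
  /opt/java/openjdk/lib/libverify.so rm,
  /apache-zookeeper-3.9.3-bin/lib/logback-core-1.2.13.jar r,
  /apache-zookeeper-3.9.3-bin/lib/netty-codec-4.1.113.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/netty-tcnative-boringssl-static-2.0.66.Final-osx-aarch_64.jar r,
  /datalog/ rwix,
  /apache-zookeeper-3.9.3-bin/lib/simpleclient-0.9.0.jar r,
  /proc/sys/vm/overcommit_memory r,
  /opt/java/openjdk/lib/libjimage.so rm,
  /opt/java/openjdk/lib/jvm.cfg r,
  /apache-zookeeper-3.9.3-bin/lib/jline-2.14.6.jar r,
  /opt/java/openjdk/lib/libextnet.so rm,
  # NOTE(review): write + execute + executable mmap on everything under /tmp
  # means the confined process may run files it has just written there. Narrow
  # this to the paths the JVM needs, or drop `x`/`m` once confirmed unused.
  /tmp/** rwixmk,
  /apache-zookeeper-3.9.3-bin/lib/netty-common-4.1.113.Final.jar r,
  /etc/hosts r,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache rm,
  /usr/bin/dirname rix,
  /apache-zookeeper-3.9.3-bin/lib/audience-annotations-0.12.0.jar r,
  /opt/java/openjdk/conf/security/java.security r,
  /apache-zookeeper-3.9.3-bin/lib/netty-handler-4.1.113.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/commons-cli-1.5.0.jar r,
  /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
  /proc/stat r,
  /opt/java/openjdk/lib/libnio.so rm,
  /usr/lib/x86_64-linux-gnu/libdl.so.2 rm,
  /opt/java/openjdk/lib/modules rm,
  /apache-zookeeper-3.9.3-bin/lib/zookeeper-jute-3.9.3.jar r,
  /dev/random rw,
  /apache-zookeeper-3.9.3-bin/lib/netty-resolver-4.1.113.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jackson-annotations-2.15.2.jar r,
  /etc/resolv.conf r,
  /sys/devices/system/cpu rix,
  /apache-zookeeper-3.9.3-bin/lib/netty-transport-classes-epoll-4.1.113.Final.jar r,
  /apache-zookeeper-3.9.3-bin/lib/ rix,
  /opt/java/openjdk/lib/libjli.so rm,
  /proc/*/mountinfo r,
  /opt/java/openjdk/lib/security/default.policy r,
  /sys/devices/system/cpu/cpu0/microcode/version r,
  /opt/java/openjdk/conf/net.properties r,
  /apache-zookeeper-3.9.3-bin/ rix,
  /apache-zookeeper-3.9.3-bin/lib/simpleclient_servlet-0.9.0.jar r,
  /apache-zookeeper-3.9.3-bin/lib/javax.servlet-api-3.1.0.jar r,
  /opt/java/openjdk/lib/server/libjvm.so rm,
  /opt/java/openjdk/conf/management/management.properties r,
  /data/ rwix,
  /sys/kernel/mm/hugepages rix,
  /usr/bin/env ix,
  # NOTE(review): write access on the /dev directory itself; the tomcat and
  # ruby profiles grant only `r` here -- TODO confirm it is needed.
  /dev/ rw,
  /conf/ rw,
  /dev/pts/ rw,
  # presumably recorded while the container runtime was starting the container
  # rather than from ZooKeeper itself (same for the
  # /proc/self/attr/apparmor/exec and /proc/sys/net/ipv4/* write rules) --
  # TODO confirm
  /usr/sbin/runc ix,
  /sys/kernel/mm/transparent_hugepage/ r,
  /usr/lib/x86_64-linux-gnu/ r,
  /proc/self/uid_map r,
  /proc/self/ r,
  /proc/sys/net/ipv4/ping_group_range rw,
  /proc/sys/net/ipv4/ r,
  /sys/devices/system/cpu/cpu0/microcode/ r,
  /opt/java/openjdk/lib/ r,
  # NOTE(review): bash is granted `rix` at several PATH locations (here and at
  # /opt/java/openjdk/bin, /usr/local/sbin, /usr/sbin) besides /usr/bin/bash.
  # These look like PATH-search probes captured by the generator; confirm
  # which of them exist in the image and drop the rest.
  /usr/local/bin/bash rix,
  /opt/java/openjdk/conf/management/ r,
  /proc/self/fd/* rw,
  /dev/stdin r,
  /usr/share/locale/ r,
  /etc/ r,
  /proc/self/fd rw,
  /opt/java/openjdk/lib/security/ r,
  /sys/fs/cgroup/ r,
  # NOTE(review): write + execute on everything under /run; same concern as
  # the /tmp/** rule above.
  /run/** rwixk,
  /dev/mqueue rw,
  / r,
  /proc/sys/kernel/ r,
  /proc/sys/kernel/cap_last_cap r,
  /etc/hostname r,
  /proc/self/coredump_filter rw,
  /proc/self/mountinfo r,
  /apache-zookeeper-3.9.3-bin/bin/ r,
  /proc/self/status r,
  /proc/ r,
  /usr/lib/x86_64-linux-gnu/gconv/ r,
  /usr/lib/locale/ r,
  /proc/self/attr/apparmor/ r,
  /proc/self/attr/apparmor/exec rw,
  /dev/shm/** rwk,
  /dev/stdout r,
  /opt/java/openjdk/lib/server/ r,
  # NOTE(review): write access to the kernel memory image path. Presumably an
  # artefact of container start-up rather than something ZooKeeper needs --
  # verify and remove if so.
  /proc/kcore w,
  /dev/core r,
  /dev/ptmx r,
  /sys/fs/cgroup r,
  /sys/fs/ r,
  /datalog/version-2/ rw,
  /dev/tty rw,
  /proc/sys/net/ipv4/ip_unprivileged_port_start rw,
  /sys/ r,
  /apache-zookeeper-3.9.3-bin/share/zookeeper/zookeeper-*.jar rix,
  /opt/java/openjdk/bin/bash rix,
  /opt/java/openjdk/conf/security/ r,
  /dev/zero rw,
  /data/version-2/ rw,
  /proc/self/cgroup r,
  /proc/net/ r,
  /proc/net/if_inet6 r,
  /usr/local/sbin/bash rix,
  /proc/self/setgroups r,
  /sys/devices/system/cpu/ r,
  /proc/self/maps r,
  /opt/java/openjdk/conf/ r,
  /proc/sys/vm/ r,
  /dev/fd r,
  /dev/full rw,
  /usr/sbin/bash rix,
  /proc/self/fd/ r,
  /dev/stderr r,
  /sys/kernel/mm/hugepages/ r,
  # This glob already grants read on every file directly inside lib/, so the
  # per-jar read rules in this profile are redundant (harmless).
  /apache-zookeeper-3.9.3-bin/lib/* r,
  /datalog/version-2/log.* rw,
  /data/version-2/snapshot.* rw,
  /apache-zookeeper-3.9.3-bin/lib/jetty-security-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-http-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-servlet-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-io-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-util-ajax-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-server-9.4.56.v*.jar r,
  /apache-zookeeper-3.9.3-bin/lib/jetty-util-9.4.56.v*.jar r,
}

--------------------------------------------------------------------------------
/ruby/ruby.aa:
--------------------------------------------------------------------------------
# AppArmor profile for a Ruby container: a generated allow-list of the paths
# touched during one recorded run.
#
# Review notes:
#  - `signal,`, `ptrace,`, `network,` and `capability,` are bare rules with no
#    qualifiers, so the profile does not restrict those four classes at all;
#    only file access is confined here. Capabilities stay bounded by whatever
#    set the container runtime grants.
#  - A path ending in `/` matches the directory itself, not the files below it.
#  - The file rules list the interpreter, its shared libraries and the default
#    gem specifications only. Application scripts and additional gems are not
#    listed, so the profile appears to describe a bare interpreter start and
#    needs extending per application -- TODO confirm.
#  - Paths embed the Ruby version (3.3.0 / 3.3.6) and gem versions, so the
#    profile has to be regenerated when the image changes.
profile ruby.aa flags=(attach_disconnected) {
  signal,
  ptrace,
  network,
  capability,
  /usr/local/bin/ruby rix,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/prism-0.19.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/pstore-0.1.3.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/errors.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/requirement.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/readline-0.0.4.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/forwardable-1.3.3.gemspec r,
  /usr/local/lib/ruby/3.3.0/monitor.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/io-wait-0.3.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/json-2.7.2.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/mutex_m-0.2.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/specification.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/jaro_winkler.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/tempfile-0.2.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/pathname-0.3.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/basic_specification.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/find-0.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/resolv-0.3.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/drb-2.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/syslog-0.1.2.gemspec r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/monitor.so rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/openssl-3.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/fiddle-1.1.2.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/set-1.1.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/enc/encdb.so rm,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/pattern_key_name_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/yaml-0.3.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/csv-3.2.8.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/timeout-0.4.1.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/version.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/psych-5.1.2.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/abbrev-0.1.2.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/util/list.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/open3-0.2.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/irb-1.13.1.gemspec r,
  /usr/lib/x86_64-linux-gnu/libm.so.6 rm,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/require_path_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/singleton-0.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/error_highlight-0.6.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/levenshtein.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/tree_spell_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/bundler-2.5.22.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/core_ext/kernel_gem.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/syntax_suggest-2.0.1.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/core_ext/name_error.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/fcntl-1.1.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/bundled_gems.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/un-0.3.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/did_you_mean-1.6.3.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/resolv-replace-0.1.1.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/path_support.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/ rix,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/fileutils-1.7.2.gemspec r,
  /usr/share/zoneinfo/Etc/UTC r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/nkf-0.1.3.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/ipaddr-1.2.6.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/time-0.3.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/key_error_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/net-http-0.4.1.gemspec r,
  /usr/local/lib/libruby.so.3.3.6 rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/bigdecimal-3.1.5.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/io-console-0.7.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/pp-0.5.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/rdoc-6.6.3.1.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb r,
  /usr/local/lib/ruby/3.3.0/error_highlight.rb r,
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.13 rm,
  /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0 rm,
  /usr/local/lib/ruby/3.3.0/error_highlight/version.rb r,
  /usr/local/lib/ruby/3.3.0/error_highlight/base.rb r,
  /usr/lib/x86_64-linux-gnu/libc.so.6 rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/tsort-0.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/rinda-0.2.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/unknown_command_spell_checker.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/exceptions.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/null_checker.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/dependency.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/date-3.3.4.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/getoptlong-0.2.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/observer-0.1.2.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/base64-0.2.0.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/strscan-3.0.9.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/delegate-0.3.1.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/specification_record.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/logger-1.6.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/reline-0.5.10.gemspec r,
  /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1 rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/shellwords-0.2.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/util.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/erb-4.0.3.gemspec r,
  /proc/*/maps r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/weakref-0.1.3.gemspec r,
  /usr/local/lib/ruby/3.3.0/error_highlight/formatter.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/ rix,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/digest-3.1.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/benchmark-0.3.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/deprecate.rb r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/rbconfig.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/english-0.8.0.gemspec r,
  /etc/ld.so.cache rm,
  /usr/local/lib/ruby/3.3.0/did_you_mean/version.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/method_name_checker.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/formatter.rb r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/enc/trans/transdb.so rm,
  /usr/local/lib/ruby/3.3.0/rubygems/compatibility.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/net-protocol-0.2.2.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/prettyprint-0.2.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/error_highlight/core_ext.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/platform.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/securerandom-0.3.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/optparse-0.4.0.gemspec r,
  /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/cgi-0.4.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/open-uri-0.4.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/io-nonblock-0.3.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/name_error_checkers.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/zlib-3.1.1.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/ruby2_keywords-0.0.5.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/stub_specification.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/etc-1.4.3.gemspec r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/ostruct-0.6.0.gemspec r,
  /usr/local/lib/ruby/3.3.0/rubygems/defaults.rb r,
  /usr/local/lib/ruby/3.3.0/syntax_suggest/core_ext.rb r,
  /usr/local/lib/ruby/3.3.0/did_you_mean.rb r,
  /usr/local/lib/ruby/3.3.0/rubygems/core_ext/kernel_require.rb r,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/stringio-3.1.1.gemspec r,
  /usr/lib/locale/C.utf8/LC_CTYPE rm,
  /usr/local/lib/ruby/gems/3.3.0/specifications/default/tmpdir-0.2.0.gemspec r,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache rm,
  /proc/self/ r,
  /proc/self/setgroups r,
  # presumably recorded while the container runtime was starting the container
  # rather than from the interpreter itself (same for the
  # /proc/self/attr/apparmor/exec and /proc/sys/net/ipv4/* write rules) --
  # TODO confirm
  /usr/sbin/runc ix,
  /proc/ r,
  /proc/filesystems r,
  /proc/self/uid_map r,
  # NOTE(review): write access to the kernel memory image path. Presumably an
  # artefact of container start-up rather than something Ruby needs -- verify
  # and remove if so.
  /proc/kcore w,
  /dev/core r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/ r,
  /sys/fs/ r,
  /sys/fs/cgroup r,
  # NOTE(review): write + execute on everything under /run lets the confined
  # process run files it has just written there; narrow or drop `x` once
  # confirmed unused.
  /run/** rwixk,
  /usr/local/lib/ruby/3.3.0/error_highlight/ r,
  /usr/local/lib/ruby/3.3.0/ r,
  /usr/local/lib/ruby/3.3.0/rubygems/ r,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/ r,
  / r,
  /dev/full rw,
  /dev/ r,
  /dev/null rw,
  /proc/self/maps r,
  /proc/self/mountinfo r,
  /usr/local/lib/ruby/3.3.0/rubygems/core_ext/ r,
  /dev/mqueue rw,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/enc/ r,
  /proc/sys/net/ipv4/ r,
  /proc/sys/net/ipv4/ping_group_range rw,
  /usr/lib/x86_64-linux-gnu/ r,
  /dev/fd r,
  /proc/self/fd rw,
  /dev/urandom rw,
  /proc/self/status r,
  /usr/local/lib/ruby/3.3.0/rubygems/util/ r,
  /dev/pts/ rw,
  /dev/zero rw,
  /usr/local/lib/ruby/3.3.0/did_you_mean/core_ext/ r,
  /dev/shm/** rwk,
  /usr/local/lib/ruby/3.3.0/did_you_mean/spell_checkers/name_error_checkers/ r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/enc/trans/ r,
  /sys/ r,
  /etc/ r,
  /etc/hostname r,
  /usr/local/lib/ruby/3.3.0/syntax_suggest/ r,
  /etc/group r,
  /etc/passwd r,
  /usr/local/lib/ r,
  /usr/local/lib/ruby/3.3.0/x86_64-linux/ r,
  /proc/self/attr/apparmor/exec rw,
  /proc/self/attr/apparmor/ r,
  /proc/sys/net/ipv4/ip_unprivileged_port_start rw,
  /proc/sys/kernel/cap_last_cap r,
  /proc/sys/kernel/ r,
  /proc/self/fd/* rw,
  /dev/stdin r,
  /dev/stderr r,
  /etc/resolv.conf r,
  /dev/ptmx r,
  /etc/hosts r,
  /dev/random rw,
  /dev/tty rw,
  /sys/kernel/mm/transparent_hugepage/ r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /dev/stdout r,
  /usr/lib/locale/C.utf8/ r,
  /proc/self/fd/ r,
  /sys/fs/cgroup/ r,
  /usr/lib/x86_64-linux-gnu/gconv/ r,
  # Read on the /tmp directory only; files below /tmp are not covered.
  /tmp/ r,
}

--------------------------------------------------------------------------------
/haproxy/haproxy.aa:
--------------------------------------------------------------------------------
1 | profile haproxy.aa flags=(attach_disconnected) { 2 | signal, 3 | ptrace, 4 | network, 5 | capability, 6 | /usr/local/sbin/haproxy rix, 7 | /usr/share/ca-certificates/mozilla/Certigna.crt r, 8 | /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt r, 9 | /sys/devices/virtual/dmi/id/board_vendor r, 10 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt r, 11 | /usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt r, 12 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt r, 13 | /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt r, 14 | /usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt r, 15 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_R46.crt r, 16 | /usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt r, 17 | /usr/local/etc/haproxy/haproxy.cfg r, 18 | /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 rm, 19 | /usr/share/ca-certificates/mozilla/HARICA_TLS_RSA_Root_CA_2021.crt r, 20 | /dev/urandom rw, 21 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt r, 22 | /usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt r, 23 | /usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt r, 24 | /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt r, 25 | /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt r, 26 | /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt r, 27 |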
/usr/share/ca-certificates/mozilla/TunTrust_Root_CA.crt r, 28 | /usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt r, 29 | /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt r, 30 | /usr/share/ca-certificates/mozilla/e-Szigno_Root_CA_2017.crt r, 31 | /sys/devices/virtual/dmi/id/board_name r, 32 | /usr/lib/x86_64-linux-gnu/libc.so.6 rm, 33 | /usr/share/ca-certificates/mozilla/E-Tugra_Global_Root_CA_RSA_v3.crt r, 34 | /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt r, 35 | /usr/lib/x86_64-linux-gnu/libcrypto.so.3 rm, 36 | /usr/local/bin/docker-entrypoint.sh rix, 37 | /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt r, 38 | /usr/share/ca-certificates/mozilla/TrustCor_ECA-1.crt r, 39 | /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt r, 40 | /usr/share/ca-certificates/mozilla/HiPKI_Root_CA_-_G1.crt r, 41 | /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt r, 42 | /usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt r, 43 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt r, 44 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt r, 45 | /usr/share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt r, 46 | /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt r, 47 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt r, 48 | /usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt r, 49 | /usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt r, 50 | /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt r, 51 | /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt r, 52 | /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt r, 53 | /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt r, 54 | /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt r, 55 | /usr/lib/x86_64-linux-gnu/liblua5.4.so.0.0.0 rm, 56 | 
/sys/devices/virtual/dmi/id/product_family r, 57 | /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt r, 58 | /etc/resolv.conf r, 59 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt r, 60 | /usr/share/ca-certificates/mozilla/Secure_Global_CA.crt r, 61 | /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt r, 62 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt r, 63 | /usr/lib/x86_64-linux-gnu/libssl.so.3 rm, 64 | /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt r, 65 | /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt r, 66 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt r, 67 | /usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt r, 68 | /usr/lib/x86_64-linux-gnu/libm.so.6 rm, 69 | /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt r, 70 | /usr/share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt r, 71 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt r, 72 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt r, 73 | /usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt r, 74 | /usr/share/ca-certificates/mozilla/Security_Communication_ECC_RootCA1.crt r, 75 | /sys/devices/system/node rix, 76 | /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt r, 77 | /usr/share/ca-certificates/mozilla/E-Tugra_Global_Root_CA_ECC_v3.crt r, 78 | /usr/share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt r, 79 | /usr/share/ca-certificates/mozilla/D-TRUST_EV_Root_CA_1_2020.crt r, 80 | /usr/share/ca-certificates/mozilla/SecureTrust_CA.crt r, 81 | /usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt r, 82 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt r, 83 | /usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt r, 84 | /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 rm, 85 | 
/usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt r, 86 | /usr/share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt r, 87 | /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt r, 88 | /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt r, 89 | /usr/share/ca-certificates/mozilla/Certum_EC-384_CA.crt r, 90 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt r, 91 | /usr/share/ca-certificates/mozilla/DigiCert_TLS_ECC_P384_Root_G5.crt r, 92 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt r, 93 | /usr/share/ca-certificates/mozilla/GTS_Root_R4.crt r, 94 | /usr/share/ca-certificates/mozilla/certSIGN_Root_CA_G2.crt r, 95 | /usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt r, 96 | /usr/share/zoneinfo/Etc/UTC r, 97 | /usr/share/ca-certificates/mozilla/Security_Communication_Root_CA.crt r, 98 | /usr/share/ca-certificates/mozilla/vTrus_ECC_Root_CA.crt r, 99 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt r, 100 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt r, 101 | /etc/ssl/openssl.cnf r, 102 | /usr/share/ca-certificates/mozilla/ANF_Secure_Server_Root_CA.crt r, 103 | /usr/share/ca-certificates/mozilla/Certainly_Root_R1.crt r, 104 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt r, 105 | /usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt r, 106 | /usr/share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt r, 107 | /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt r, 108 | /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt r, 109 | /usr/share/ca-certificates/mozilla/GLOBALTRUST_2020.crt r, 110 | /etc/ssl/certs/ca-certificates.crt r, 111 | /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt r, 112 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt r, 113 | 
/usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt r, # per-file CA reads like this one are already covered by the /usr/share/ca-certificates/mozilla/* r glob near the end of this profile
114 | /usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt r,
115 | /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt r,
116 | /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt r,
117 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt r,
118 | /proc/cpuinfo r,
119 | /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt r,
120 | /usr/share/ca-certificates/mozilla/Izenpe.com.crt r,
121 | /usr/share/ca-certificates/mozilla/Telia_Root_CA_v2.crt r,
122 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_E46.crt r,
123 | /usr/share/ca-certificates/mozilla/DigiCert_TLS_RSA4096_Root_G5.crt r,
124 | /usr/share/ca-certificates/mozilla/UCA_Global_G2_Root.crt r,
125 | /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt r,
126 | /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt r,
127 | /usr/share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt r,
128 | /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt r,
129 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt r,
130 | /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0 rm, # version-pinned file name: the rule stops matching when the image ships a different library version
131 | /usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt r,
132 | /sys/devices/virtual/dmi/id/product_name r, # NOTE(review): DMI reads presumably expose host hardware identity to the container; confirm haproxy needs them
133 | /sys/devices/system/cpu/online r,
134 | /usr/share/ca-certificates/mozilla/Certainly_Root_E1.crt r,
135 | /usr/share/ca-certificates/mozilla/HARICA_TLS_ECC_Root_CA_2021.crt r,
136 | /usr/share/ca-certificates/mozilla/vTrus_Root_CA.crt r,
137 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt r,
138 | /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt r,
139 | /usr/share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt r,
140 | /usr/share/ca-certificates/mozilla/GTS_Root_R1.crt r,
141 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt r,
142 | /dev/shm/** rwmk, # w together with m: anything written under /dev/shm may also be mapped executable. NOTE(review): drop m unless the workload is known to need it
143 | /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt r,
144 | /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt r,
145 | /usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt r,
146 | /etc/ld.so.cache rm,
147 | /usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt r,
148 | /usr/share/ca-certificates/mozilla/D-TRUST_BR_Root_CA_1_2020.crt r,
149 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Root_CA.crt r,
150 | /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt r,
151 | /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt r,
152 | /usr/share/ca-certificates/mozilla/Security_Communication_RootCA3.crt r,
153 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt r,
154 | /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt r,
155 | /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt r,
156 | /usr/share/ca-certificates/mozilla/GTS_Root_R2.crt r,
157 | /usr/share/ca-certificates/mozilla/Certigna_Root_CA.crt r,
158 | /dev/null rw,
159 | /sys/devices/virtual/dmi/id/sys_vendor r,
160 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt r,
161 | /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt r,
162 | /etc/ssl/certs/ rix, # trailing slash matches the directory itself only. NOTE(review): the ix bits look like generator noise, r should be enough; confirm
163 | /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt r,
164 | /usr/share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt r,
165 | /usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt r,
166 | /usr/bin/dash ix, # ix = the shell runs under this same profile; presumably only needed by docker-entrypoint.sh at start-up
167 | /usr/sbin/runc ix, # NOTE(review): container-runtime binary; presumably captured while the runtime was setting up the container, not something haproxy executes. Confirm and drop
168 | / r,
169 | /dev/ r,
170 | /usr/lib/x86_64-linux-gnu/ r,
171 | /proc/kcore w, # NOTE(review): write access to the kernel memory image; Docker's docker-default profile denies this path outright. Presumably a start-up artefact; confirm and remove
172 | /dev/core r, # /dev/core is conventionally a symlink to /proc/kcore; review together with the rule above
173 | /sys/class/dmi/id/product_name r,
174 | /sys/class/dmi/id/ r,
175 | /usr/local/etc/haproxy/ r, # directory entry only; reads of files inside it would need their own rule
176 | /proc/sys/kernel/cap_last_cap r,
177 | /proc/sys/kernel/ r,
178 | /proc/self/ r,
179 | /proc/self/fd rw,
180 | /proc/self/uid_map r,
181 | /usr/local/bin/ r,
182 | /usr/lib/ssl/ r,
183 | /etc/ r,
184 | /etc/group r,
185 | /dev/mqueue rw,
186 | /etc/ssl/certs/Hongkong_Post_Root_CA_1.pem r,
187 | /run/** rwixk, # NOTE(review): write plus inherit-exec on everything under /run, so a file created there can then be executed under this profile. Scope to the paths haproxy actually uses
188 | /sys/fs/ r,
189 | /sys/fs/cgroup r,
190 | /var/run/** r,
191 | /sys/class/dmi/id/product_family r,
192 | /sys/ r,
193 | /dev/random rw,
194 | /etc/ssl/certs/TrustCor_RootCert_CA-1.pem r,
195 | /dev/zero rw,
196 | /proc/self/mountinfo r,
197 | /sys/devices/system/node/ r,
198 | /dev/ptmx r,
199 | /proc/self/status r,
200 | /proc/ r,
201 | /dev/tty rw,
202 | /proc/self/setgroups r,
203 | /proc/self/attr/apparmor/ r,
204 | /proc/self/attr/apparmor/exec rw, # writing here is how a task requests a profile change on its next exec; presumably recorded while the runtime applied this profile. Confirm the workload itself needs it
205 | /sys/devices/system/cpu/ r,
206 | /proc/self/fd/ r,
207 | /proc/self/fd/* rw,
208 | /dev/pts/ rw,
209 | /etc/passwd r,
210 | /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F..tan..s..tv..ny.pem r, # NOTE(review): the '..' runs look like non-ASCII bytes lost by the generator; '.' is literal here, so this path presumably never matches the real file (the /etc/ssl/certs/* r glob below covers it)
211 | /etc/ssl/certs/E-Tugra_Global_Root_CA_ECC_v3.pem r,
212 | /sys/class/dmi/id/sys_vendor r,
213 | /dev/fd r,
214 | /etc/ssl/certs/TrustCor_ECA-1.pem r,
215 | /sys/kernel/mm/transparent_hugepage/ r,
216 | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
217 | /etc/hostname r,
218 | /etc/ssl/certs/TrustCor_RootCert_CA-2.pem r,
219 | /etc/ssl/certs/E-Tugra_Global_Root_CA_RSA_v3.pem r,
220 | /proc/filesystems r,
221 | /sys/class/dmi/id/board_vendor r,
222 | /dev/full rw,
223 | /etc/hosts r,
224 | /etc/ssl/certs/E-Tugra_Certification_Authority.pem r,
225 | /sys/class/dmi/id/board_name r,
226 | /dev/stdin r,
227 | /sys/fs/cgroup/ r,
228 | /dev/stderr r,
229 | /dev/stdout r,
230 | /usr/share/ca-certificates/mozilla/* r, # glob already covers every per-file mozilla/*.crt rule listed earlier in this profile
231 | /etc/ssl/certs/* r, # likewise covers the individual /etc/ssl/certs/*.pem rules above
232 | /tmp/ r,
233 | }
234 |
--------------------------------------------------------------------------------
/grafana/grafana.aa:
--------------------------------------------------------------------------------
1 | profile grafanagrafana.aa flags=(attach_disconnected) {
2 | signal, # bare rule: every signal, to and from any peer, is allowed at the AppArmor layer
3 | ptrace, # bare rule: all ptrace access modes against any peer. NOTE(review): a dashboard server presumably needs none; confirm and remove or scope with peer=
4 | network, # bare rule: no restriction on address family or socket type
5 | capability, # bare rule: this profile restricts no capability; list only the ones the workload needs
6 | /usr/share/grafana/bin/grafana rix,
7 | /proc/*/limits r, # * matches any entry directly under /proc, i.e. every PID. NOTE(review): presumably only the process's own entry is needed
8 | /usr/share/ca-certificates/mozilla/GTS_Root_R2.crt r,
9 |
/usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt r, 10 | /usr/share/grafana/public/build/322.177b4bb01c5d74f9b28f.js r, 11 | /usr/share/ca-certificates/mozilla/DigiCert_TLS_ECC_P384_Root_G5.crt r, 12 | /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt r, 13 | /run.sh rix, 14 | /usr/share/ca-certificates/mozilla/Secure_Global_CA.crt r, 15 | /usr/share/grafana/public/app/plugins/panel/datagrid/plugin.json r, 16 | /usr/share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt r, 17 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt r, 18 | /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt r, 19 | /usr/share/grafana/public/app/plugins/panel/news/plugin.json r, 20 | /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt r, 21 | /usr/share/grafana/public/app/plugins/datasource/loki/__mocks__/ rix, 22 | /usr/share/grafana/public/emails/alert_notification.html r, 23 | /usr/share/grafana/public/app/plugins/panel/nodeGraph/plugin.json r, 24 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt r, 25 | /usr/share/grafana/public/app/plugins/panel/xychart/ rix, 26 | /usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/dist/dashboards/ rix, 27 | /var/lib/grafana/grafana.db rwk, 28 | /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt r, 29 | /usr/share/grafana/public/app/plugins/panel/bargauge/img/ rix, 30 | /usr/share/grafana/public/app/plugins/datasource/mssql/dist/ rix, 31 | /usr/share/grafana/public/app/plugins/panel/histogram/plugin.json r, 32 | /usr/share/grafana/public/app/plugins/panel/candlestick/plugin.json r, 33 | /usr/share/grafana/public/app/plugins/panel/table/cells/ rix, 34 | /usr/share/grafana/public/app/plugins/panel/gauge/plugin.json r, 35 | /usr/share/ca-certificates/mozilla/vTrus_Root_CA.crt r, 36 | /usr/share/grafana/public/app/plugins/panel/piechart/ rix, 37 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt r, 38 | 
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 39 | /usr/share/grafana/public/app/plugins/panel/annolist/ rix, 40 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/ rix, 41 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/config/ rix, 42 | /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt r, 43 | /usr/share/grafana/public/app/plugins/datasource/grafana/ rix, 44 | /etc/nsswitch.conf r, 45 | /usr/share/ca-certificates/mozilla/HARICA_TLS_RSA_Root_CA_2021.crt r, 46 | /var/lib/grafana/plugins/grafana-lokiexplore-app/MANIFEST.txt rw, 47 | /usr/share/grafana/public/robots.txt r, 48 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt r, 49 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/utils/rxjs/ rix, 50 | /proc/*/stat r, 51 | /usr/share/grafana/public/app/plugins/panel/traces/plugin.json r, 52 | /usr/share/grafana/public/app/plugins/panel/datagrid/components/ rix, 53 | /usr/share/grafana/public/fonts/ rix, 54 | /usr/share/grafana/public/app/plugins/datasource/tempo/dist/img/ rix, 55 | /usr/share/ca-certificates/mozilla/SecureTrust_CA.crt r, 56 | /var/lib/grafana/plugins/grafana-lokiexplore-app/220.js.map rw, 57 | /var/lib/grafana/plugins/grafana-lokiexplore-app/854.js rw, 58 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt r, 59 | /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt r, 60 | /usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt r, 61 | /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt r, 62 | /usr/share/grafana/public/app/plugins/panel/gettingstarted/img/ rix, 63 | /var/lib/grafana/grafana.db-journal rw, 64 | /usr/share/grafana/public/emails/reset_password.txt r, 65 | /var/lib/grafana/plugins/grafana-lokiexplore-app/698.js rw, 66 | /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt r, 67 | /usr/share/ca-certificates/mozilla/SSL.com_TLS_ECC_Root_CA_2022.crt r, 68 | 
/usr/share/grafana/public/app/plugins/panel/graph/specs/__snapshots__/ rix, 69 | /usr/share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt r, 70 | /usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/dist/ rix, 71 | /usr/share/grafana/public/app/plugins/panel/logs/plugin.json r, 72 | /usr/share/grafana/public/app/plugins/panel/bargauge/plugin.json r, 73 | /var/lib/grafana/plugins/grafana-lokiexplore-app/CHANGELOG.md rw, 74 | /usr/share/ca-certificates/mozilla/CommScope_Public_Trust_ECC_Root-02.crt r, 75 | /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt r, 76 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt r, 77 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/state/ rix, 78 | /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt r, 79 | /var/lib/grafana/plugins/grafana-lokiexplore-app/631.js.map rw, 80 | /usr/share/grafana/public/app/plugins/datasource/grafana-pyroscope-datasource/dist/plugin.json r, 81 | /usr/share/grafana/public/app/plugins/datasource/mysql/ rix, 82 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/grot_err.svg rw, 83 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/test-helpers/ rix, 84 | /usr/share/grafana/public/app/plugins/panel/timeseries/plugins/annotations2/ rix, 85 | /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt r, 86 | /usr/share/grafana/public/build/app.e617f902c769b0facee7.js r, 87 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/QueryEditor/LogsQueryEditor/ rix, 88 | /usr/share/grafana/public/app/plugins/datasource/graphite/dashboards/ rix, 89 | /usr/share/grafana/public/app/plugins/panel/candlestick/img/ rix, 90 | /usr/share/grafana/public/app/plugins/panel/graph/Legend/ rix, 91 | /usr/share/ca-certificates/mozilla/e-Szigno_Root_CA_2017.crt r, 92 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/plugin.json r, 93 | 
/usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/dist/plugin.json r, 94 | /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt r, 95 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/explore-logs-features.jpeg rw, 96 | /var/lib/grafana/plugins/grafana-lokiexplore-app/944.js.map rw, 97 | /proc/sys/net/core/somaxconn r, 98 | /usr/share/grafana/public/app/plugins/panel/table/plugin.json r, 99 | /usr/share/grafana/public/app/plugins/datasource/grafana/img/ rix, 100 | /usr/share/grafana/public/app/plugins/panel/table-old/ rix, 101 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-ppl/completion/ rix, 102 | /usr/share/grafana/public/app/plugins/datasource/prometheus/img/ rix, 103 | /usr/share/grafana/public/app/plugins/datasource/loki/components/monaco-query-field/ rix, 104 | /usr/share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt r, 105 | /usr/share/ca-certificates/mozilla/TrustAsia_Global_Root_CA_G3.crt r, 106 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/Errors/ rix, 107 | /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt r, 108 | /usr/share/grafana/public/app/plugins/panel/timeseries/img/ rix, 109 | /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt r, 110 | /usr/share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt r, 111 | /usr/share/ca-certificates/mozilla/CommScope_Public_Trust_RSA_Root-02.crt r, 112 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/ rix, 113 | /usr/share/grafana/public/app/plugins/datasource/prometheus/ rix, 114 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/AnnotationQueryEditor/ rix, 115 | /proc/*/net/netstat r, 116 | /usr/share/grafana/public/app/plugins/panel/live/plugin.json r, 117 | /usr/share/grafana/public/app/plugins/datasource/loki/img/ rix, 118 | 
/usr/share/grafana/public/app/plugins/datasource/graphite/state/ rix, # trailing slash matches the directory itself only. NOTE(review): ix on a directory looks like generator noise, r is presumably what was meant (same for the other "/ rix" rules)
119 | /var/lib/grafana/plugins/grafana-lokiexplore-app/854.js.map rw, # file name is tied to one plugin build; presumably stops matching after a plugin update
120 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/utils/ rix,
121 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt r,
122 | /usr/bin/busybox rix, # ix = busybox (shell and applets) runs under this same profile; presumably recorded from /run.sh at start-up. Confirm it is needed once grafana is running
123 | /usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt r,
124 | /usr/share/grafana/public/emails/ng_alert_notification.txt r,
125 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_R46.crt r,
126 | /usr/share/grafana/public/app/plugins/panel/trend/plugin.json r,
127 | /var/lib/grafana/csv/ rwix, # directory-only match; NOTE(review): w and ix on the directory entry look broader than intended, confirm
128 | /usr/share/ca-certificates/mozilla/Telia_Root_CA_v2.crt r,
129 | /usr/lib/libreadline.so.8.2 rixm, # shared objects normally need only rm. NOTE(review): the ix bits look like generator noise; the version-pinned name also breaks on a library update
130 | /usr/lib/libncursesw.so.6.4 rixm, # same review as libreadline above
131 | /usr/share/grafana/public/views/error.html r,
132 | /usr/share/grafana/public/app/plugins/panel/canvas/editor/element/ rix,
133 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/ rix,
134 | /usr/share/ca-certificates/mozilla/Telekom_Security_TLS_ECC_Root_2020.crt r,
135 | /var/lib/grafana/plugins/ rwix, # directory-only match on the plugin root; files below it are granted one by one (rw) elsewhere in this profile
136 | /usr/share/grafana/public/app/plugins/datasource/graphite/specs/ rix,
137 | /usr/share/grafana/public/app/plugins/datasource/graphite/components/ rix,
138 | /usr/share/grafana/public/app/plugins/panel/table-old/img/ rix,
139 | /etc/resolv.conf r,
140 | /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt r,
141 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/grot_err_light.svg rw,
142 | /usr/share/ca-certificates/mozilla/HiPKI_Root_CA_-_G1.crt r,
143 | /var/lib/grafana/plugins/grafana-lokiexplore-app/c0c185d54d70cc490e9a.wasm rw, # hash-named plugin artefact, writable by the confined process. NOTE(review): presumably written once at plugin install; confirm w is needed at runtime
144 | /usr/share/grafana/public/app/plugins/panel/table/img/ rix,
145 | /usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt r,
146 | /usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt r,
147 | /usr/share/grafana/public/emails/signup_started.html r,
148 |
/usr/share/ca-certificates/mozilla/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.crt r, 149 | /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt r, 150 | /usr/share/grafana/public/app/plugins/datasource/alertmanager/ rix, 151 | /usr/share/ca-certificates/mozilla/ANF_Secure_Server_Root_CA.crt r, 152 | /usr/share/grafana/public/emails/alert_notification.txt r, 153 | /usr/share/grafana/public/app/plugins/datasource/grafana-testdata-datasource/dist/plugin.json r, 154 | /usr/share/grafana/public/emails/new_user_invite.txt r, 155 | /usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt r, 156 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt r, 157 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/ rix, 158 | /usr/share/grafana/public/app/plugins/datasource/zipkin/ rix, 159 | /usr/share/grafana/public/app/plugins/panel/graph/plugin.json r, 160 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt r, 161 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/logo.svg rw, 162 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/3d96a93cfcb32df74eef.svg rw, 163 | /usr/share/grafana/public/app/plugins/datasource/parca/dist/img/ rix, 164 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt r, 165 | /usr/share/grafana/public/app/plugins/panel/dashlist/plugin.json r, 166 | /usr/share/grafana/public/app/plugins/panel/dashlist/ rix, 167 | /usr/share/ca-certificates/mozilla/DigiCert_TLS_RSA4096_Root_G5.crt r, 168 | /usr/share/grafana/public/emails/reset_password.html r, 169 | /etc/grafana/provisioning/plugins/ rix, 170 | /usr/share/grafana/public/app/plugins/panel/welcome/img/ rix, 171 | /var/lib/grafana/plugins/grafana-lokiexplore-app/220.js rw, 172 | /usr/share/grafana/public/app/plugins/datasource/graphite/plugin.json r, 173 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/VariableQueryEditor/ rix, 174 | 
/usr/share/grafana/public/gazetteer/usa-states.json r, 175 | /usr/share/grafana/public/app/plugins/panel/canvas/editor/layer/ rix, 176 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt r, 177 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/cloudwatch-sql-test-data/ rix, 178 | /usr/share/grafana/public/app/plugins/datasource/grafana-pyroscope-datasource/dist/ rix, 179 | /usr/share/grafana/public/app/plugins/panel/datagrid/img/ rix, 180 | /usr/share/grafana/public/app/plugins/datasource/mysql/dist/plugin.json r, 181 | /proc/stat r, 182 | /usr/share/ca-certificates/mozilla/FIRMAPROFESIONAL_CA_ROOT-A_WEB.crt r, 183 | /usr/share/grafana/public/img/browserconfig.xml r, 184 | /usr/share/grafana/public/app/plugins/panel/news/component/ rix, 185 | /var/lib/grafana/plugins/grafana-lokiexplore-app/ rwix, 186 | /usr/share/grafana/public/app/plugins/datasource/dashboard/plugin.json r, 187 | /usr/share/grafana/public/app/plugins/datasource/loki/plugin.json r, 188 | /usr/share/grafana/public/app/plugins/panel/flamegraph/ rix, 189 | /usr/share/grafana/public/app/plugins/panel/annolist/img/ rix, 190 | /usr/share/grafana/public/app/plugins/panel/nodeGraph/editor/ rix, 191 | /usr/share/grafana/public/app/plugins/datasource/prometheus/plugin.json r, 192 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Root_CA.crt r, 193 | /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt r, 194 | /usr/share/grafana/public/app/plugins/panel/barchart/plugin.json r, 195 | /etc/grafana/provisioning/alerting/ rix, 196 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/variable/ rix, 197 | /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt r, 198 | /usr/share/grafana/public/img/icons/ rix, 199 | /usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt r, 200 | /usr/share/grafana/public/app/plugins/datasource/alertmanager/img/ rix, 201 | /usr/share/ca-certificates/mozilla/Izenpe.com.crt r, 202 | 
/usr/share/grafana/public/app/plugins/panel/stat/ rix, 203 | /usr/share/grafana/public/app/plugins/panel/traces/img/ rix, 204 | /etc/hosts r, 205 | /var/lib/grafana/plugins/grafana-lokiexplore-app/599.js.map rw, 206 | /usr/share/grafana/public/app/plugins/panel/bargauge/ rix, 207 | /usr/share/grafana/public/app/plugins/panel/geomap/ rix, 208 | /usr/share/grafana/public/app/plugins/panel/text/plugin.json r, 209 | /usr/share/grafana/public/app/plugins/datasource/grafana-postgresql-datasource/dist/plugin.json r, 210 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/ rix, 211 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-sql/ rix, 212 | /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt r, 213 | /usr/share/grafana/public/emails/invited_to_org.html r, 214 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/influxql/utils/ rix, 215 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/fields.png rw, 216 | /dev/urandom rw, 217 | /usr/share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt r, 218 | /usr/share/grafana/public/build/assets-manifest.json r, 219 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/QueryEditor/MetricsQueryEditor/ rix, 220 | /usr/share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt r, 221 | /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt r, 222 | /usr/share/grafana/public/app/plugins/datasource/grafana-testdata-datasource/dist/img/ rix, 223 | /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt r, 224 | /usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt r, 225 | /usr/share/grafana/public/emails/verify_email.txt r, 226 | /usr/share/grafana/public/app/plugins/datasource/parca/dist/plugin.json r, 227 | /usr/share/grafana/public/app/plugins/panel/barchart/ rix, 228 | /usr/share/ca-certificates/mozilla/SSL.com_TLS_RSA_Root_CA_2022.crt r, 229 | 
/usr/share/grafana/public/emails/invited_to_org.txt r, 230 | /var/lib/grafana/plugins/grafana-lokiexplore-app/599.js rw, 231 | /usr/share/grafana/public/app/plugins/datasource/graphite/configuration/ rix, 232 | /usr/share/ca-certificates/mozilla/UCA_Global_G2_Root.crt r, 233 | /usr/share/grafana/public/app/plugins/panel/histogram/ rix, 234 | /usr/share/grafana/public/app/plugins/datasource/influxdb/fsql/ rix, 235 | /usr/share/grafana/public/app/plugins/datasource/parca/ rix, 236 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/QueryEditor/ rix, 237 | /usr/share/grafana/public/app/plugins/datasource/loki/querybuilder/components/ rix, 238 | /usr/share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt r, 239 | /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt r, 240 | /etc/grafana/grafana.ini r, 241 | /usr/share/grafana/public/emails/welcome_on_signup.html r, 242 | /etc/passwd r, 243 | /usr/share/grafana/public/app/plugins/panel/nodeGraph/img/ rix, 244 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/query-runner/ rix, 245 | /usr/share/grafana/public/app/plugins/datasource/grafana-testdata-datasource/dist/ rix, 246 | /usr/share/grafana/public/app/plugins/panel/gettingstarted/plugin.json r, 247 | /usr/share/ca-certificates/mozilla/TrustAsia_Global_Root_CA_G4.crt r, 248 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt r, 249 | /usr/share/grafana/public/views/index.html r, 250 | /usr/share/grafana/public/app/plugins/panel/table-old/plugin.json r, 251 | /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt r, 252 | /usr/share/ca-certificates/mozilla/D-TRUST_EV_Root_CA_1_2020.crt r, 253 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt r, 254 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_E46.crt r, 255 | /usr/share/grafana/public/app/plugins/datasource/opentsdb/components/ rix, 256 | /var/lib/grafana/plugins/grafana-lokiexplore-app/module.js.map rw, 257 | 
/usr/share/grafana/public/app/plugins/panel/text/img/ rix, 258 | /usr/share/grafana/public/app/plugins/datasource/grafana-testdata-datasource/dist/dashboards/ rix, 259 | /usr/share/grafana/public/app/plugins/panel/state-timeline/plugin.json r, 260 | /usr/share/grafana/conf/defaults.ini r, 261 | /etc/grafana/provisioning/datasources/ rix, 262 | /usr/share/ca-certificates/mozilla/Certainly_Root_E1.crt r, 263 | /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.crt r, 264 | /usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt r, 265 | /usr/share/grafana/public/app/plugins/panel/timeseries/plugin.json r, 266 | /usr/share/grafana/public/app/plugins/datasource/alertmanager/plugin.json r, 267 | /usr/share/grafana/public/app/plugins/datasource/mixed/plugin.json r, 268 | /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt r, 269 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-logs-sql/ rix, 270 | /usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt r, 271 | /var/lib/grafana/plugins/grafana-lokiexplore-app/698.js.map rw, 272 | /usr/share/grafana/public/app/plugins/datasource/tempo/dist/ rix, 273 | /usr/share/grafana/public/app/plugins/panel/alertlist/ rix, 274 | /usr/share/grafana/public/app/plugins/panel/dashlist/img/ rix, 275 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/dashboards/ rix, 276 | /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt r, 277 | /usr/share/grafana/public/app/plugins/panel/gauge/__snapshots__/ rix, 278 | /usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt r, 279 | /usr/share/grafana/public/app/plugins/datasource/loki/components/monaco-query-field/monaco-completion-provider/ rix, 280 | /usr/share/grafana/public/app/plugins/panel/geomap/components/ rix, 281 | /etc/ssl/certs/ rix, 282 | /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt r, 283 | 
/usr/share/ca-certificates/mozilla/Certainly_Root_R1.crt r, 284 | /usr/share/grafana/public/app/plugins/datasource/ rix, 285 | /usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt r, 286 | /usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt r, 287 | /usr/share/grafana/public/app/plugins/panel/barchart/__snapshots__/ rix, 288 | /usr/share/grafana/public/app/plugins/panel/xychart/plugin.json r, 289 | /usr/share/grafana/public/app/plugins/datasource/jaeger/dist/ rix, 290 | /usr/share/grafana/public/app/plugins/panel/geomap/layers/ rix, 291 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/QueryEditor/LogsQueryEditor/code-editors/ rix, 292 | /usr/share/grafana/public/app/plugins/datasource/tempo/dist/plugin.json r, 293 | /var/lib/grafana/plugins/grafana-lokiexplore-app/README.md rw, 294 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-ppl/ rix, 295 | /usr/share/grafana/public/app/plugins/datasource/mssql/dist/plugin.json r, 296 | /usr/share/grafana/public/app/plugins/panel/gettingstarted/ rix, 297 | /usr/share/ca-certificates/mozilla/HARICA_TLS_ECC_Root_CA_2021.crt r, 298 | /usr/share/grafana/public/app/plugins/panel/state-timeline/ rix, 299 | /usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt r, 300 | /usr/share/ca-certificates/mozilla/TunTrust_Root_CA.crt r, 301 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/shared/LogGroups/ rix, 302 | /usr/share/grafana/public/app/plugins/panel/trend/ rix, 303 | /usr/share/grafana/public/app/plugins/panel/gettingstarted/components/ rix, 304 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt r, 305 | /usr/share/grafana/public/app/plugins/panel/trend/img/ rix, 306 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/img/ rix, 307 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/patterns.png rw, 308 | /var/lib/grafana/plugins/grafana-lokiexplore-app/module.js rw, 309 | 
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt r, 310 | /var/lib/grafana/plugins/grafana-lokiexplore-app/631.js rw, 311 | /usr/share/grafana/public/app/plugins/panel/canvas/editor/inline/ rix, 312 | /usr/share/ca-certificates/mozilla/Sectigo_Public_Server_Authentication_Root_E46.crt r, 313 | /etc/grafana/provisioning/dashboards/ rix, 314 | /usr/share/ca-certificates/mozilla/Certigna_Root_CA.crt r, 315 | /usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt r, 316 | /var/lib/grafana/plugins/grafana-lokiexplore-app/LICENSE rw, 317 | /usr/share/grafana/public/app/plugins/panel/debug/plugin.json r, 318 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt r, 319 | /usr/share/grafana/public/app/plugins/panel/alertlist/plugin.json r, 320 | /usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt r, 321 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/influxql/code/ rix, 322 | /usr/share/grafana/public/app/plugins/panel/heatmap/partials/ rix, 323 | /usr/share/grafana/public/app/plugins/panel/gauge/ rix, 324 | /usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt r, 325 | /usr/share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt r, 326 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/MetricAggregationsEditor/ rix, 327 | /usr/share/grafana/public/app/plugins/panel/news/ rix, 328 | /usr/share/grafana/public/app/plugins/panel/timeseries/__snapshots__/ rix, 329 | /usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/ rix, 330 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/ rix, 331 | /usr/share/grafana/public/app/plugins/panel/stat/plugin.json r, 332 | /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt r, 333 | /usr/share/grafana/public/ rix, 334 | /usr/share/grafana/public/app/plugins/datasource/influxdb/ rix, 335 | 
/usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt r, 336 | /var/lib/grafana/plugins/grafana-lokiexplore-app/944.js rw, 337 | /usr/share/grafana/public/app/plugins/panel/graph/ rix, 338 | /usr/share/ca-certificates/mozilla/Sectigo_Public_Server_Authentication_Root_R46.crt r, 339 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/ConfigEditor/ rix, 340 | /usr/share/grafana/public/app/plugins/datasource/mysql/dist/ rix, 341 | /usr/share/grafana/public/emails/ng_alert_notification.html r, 342 | /usr/share/grafana/public/app/plugins/panel/geomap/editor/ rix, 343 | /usr/share/grafana/public/app/plugins/datasource/azuremonitor/dist/plugin.json r, 344 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/docs/ rix, 345 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/table.png rw, 346 | /usr/share/grafana/public/views/swagger.html r, 347 | /usr/share/grafana/public/emails/new_user_invite.html r, 348 | /usr/share/grafana/public/app/plugins/panel/news/img/ rix, 349 | /usr/share/grafana/public/app/plugins/panel/geomap/style/ rix, 350 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt r, 351 | /usr/share/grafana/public/app/plugins/panel/geomap/plugin.json r, 352 | /usr/share/grafana/public/app/plugins/panel/alertlist/img/ rix, 353 | /usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt r, 354 | /usr/share/grafana/public/app/plugins/panel/flamegraph/plugin.json r, 355 | /usr/share/grafana/public/app/plugins/panel/canvas/ rix, 356 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt r, 357 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/logs/completion/ rix, 358 | /usr/share/grafana/public/emails/alert_notification_example.html r, 359 | /usr/share/grafana/public/app/plugins/datasource/jaeger/dist/plugin.json r, 360 | /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt r, 361 | 
/usr/share/grafana/public/app/plugins/datasource/grafana-postgresql-datasource/dist/img/ rix, 362 | /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt r, 363 | /usr/share/grafana/public/app/plugins/panel/geomap/layers/basemaps/ rix, 364 | /usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt r, 365 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/ rix, 366 | /usr/share/grafana/public/app/plugins/panel/gauge/img/ rix, 367 | /usr/share/grafana/public/emails/signup_started.txt r, 368 | /usr/share/grafana/public/app/plugins/datasource/dashboard/ rix, 369 | /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt r, 370 | /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt r, 371 | /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt r, 372 | /usr/share/grafana/public/app/plugins/panel/canvas/plugin.json r, 373 | /usr/share/grafana/public/app/plugins/panel/timeseries/overrides/ rix, 374 | /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt r, 375 | /usr/share/grafana/public/app/plugins/datasource/mixed/img/ rix, 376 | /usr/share/grafana/public/emails/verify_email.html r, 377 | /usr/share/grafana/public/app/plugins/panel/logs/img/ rix, 378 | /usr/share/grafana/public/app/plugins/panel/timeseries/ rix, 379 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/dynamic-label-test-data/ rix, 380 | /usr/share/grafana/public/app/plugins/datasource/grafana-postgresql-datasource/ rix, 381 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-logs-sql/completion/ rix, 382 | /usr/share/grafana/public/app/plugins/panel/piechart/img/ rix, 383 | /usr/share/grafana/public/app/plugins/panel/xychart/v2/plugin.json r, 384 | /usr/share/ca-certificates/mozilla/CommScope_Public_Trust_ECC_Root-01.crt r, 385 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/QueryEditor/MetricsQueryEditor/SQLBuilderEditor/ rix, 386 | 
/usr/share/grafana/public/build/ rix, 387 | /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt r, 388 | /var/lib/grafana/plugins/grafana-lokiexplore-app/32.js rw, 389 | /usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt r, 390 | /usr/share/grafana/public/app/plugins/panel/nodeGraph/ rix, 391 | /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt r, 392 | /usr/share/ca-certificates/mozilla/certSIGN_Root_CA_G2.crt r, 393 | /usr/share/grafana/public/app/plugins/panel/flamegraph/img/ rix, 394 | /usr/share/ca-certificates/mozilla/D-TRUST_BR_Root_CA_1_2020.crt r, 395 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/img/ rix, 396 | /usr/share/grafana/public/app/plugins/datasource/azuremonitor/ rix, 397 | /usr/share/grafana/public/app/plugins/panel/traces/ rix, 398 | /usr/share/ca-certificates/mozilla/Certum_EC-384_CA.crt r, 399 | /usr/share/grafana/public/app/plugins/panel/status-history/img/ rix, 400 | /usr/share/grafana/public/app/plugins/panel/barchart/img/ rix, 401 | /usr/share/grafana/public/app/plugins/datasource/grafana-pyroscope-datasource/ rix, 402 | /var/lib/grafana/plugins/grafana-lokiexplore-app/32.js.map rw, 403 | /usr/share/ca-certificates/mozilla/Security_Communication_ECC_RootCA1.crt r, 404 | /usr/share/grafana/public/app/plugins/datasource/zipkin/dist/img/ rix, 405 | /usr/share/grafana/public/app/plugins/panel/logs/ rix, 406 | /usr/share/grafana/public/app/plugins/panel/canvas/editor/ rix, 407 | /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt r, 408 | /tmp/** rwk, 409 | /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt r, 410 | /usr/share/grafana/public/img/user_profile.png r, 411 | /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt r, 412 | /usr/share/grafana/public/app/plugins/datasource/mysql/dist/img/ rix, 413 | /usr/share/grafana/public/app/plugins/panel/annolist/plugin.json r, 414 | /usr/share/ca-certificates/mozilla/GTS_Root_R1.crt r, 
415 | /usr/share/grafana/public/dashboards/ rix, 416 | /usr/share/grafana/public/app/plugins/datasource/loki/components/ rix, 417 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/MetricAggregationsEditor/SettingsEditor/BucketScriptSettingsEditor/ rix, 418 | /usr/share/grafana/public/app/plugins/datasource/loki/ rix, 419 | /usr/share/grafana/public/app/plugins/panel/heatmap/tooltip/ rix, 420 | /usr/share/grafana/public/app/plugins/panel/debug/img/ rix, 421 | /usr/share/grafana/public/app/plugins/panel/heatmap/plugin.json r, 422 | /usr/share/ca-certificates/mozilla/BJCA_Global_Root_CA1.crt r, 423 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/fsql/ rix, 424 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/monarch/ rix, 425 | /usr/share/grafana/public/app/plugins/datasource/loki/docs/ rix, 426 | /usr/share/grafana/public/gazetteer/countries.json r, 427 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/ rix, 428 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/SettingsEditor/FiltersSettingsEditor/ rix, 429 | /usr/share/grafana/public/app/plugins/panel/stat/img/ rix, 430 | /usr/share/grafana/public/app/plugins/panel/piechart/plugin.json r, 431 | /usr/share/grafana/public/app/plugins/panel/canvas/img/ rix, 432 | /usr/share/grafana/public/app/plugins/datasource/zipkin/dist/plugin.json r, 433 | /usr/share/grafana/public/app/plugins/datasource/grafana-postgresql-datasource/dist/ rix, 434 | /usr/share/grafana/public/app/plugins/datasource/azuremonitor/dist/img/ rix, 435 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/metric-math-test-data/ rix, 436 | /usr/share/grafana/public/app/plugins/datasource/opentsdb/ rix, 437 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/migrations/ rix, 438 | /usr/share/grafana/public/app/plugins/datasource/graphite/img/ rix, 439 | 
/usr/share/grafana/public/app/plugins/panel/datagrid/ rix, 440 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-logs/ rix, 441 | /usr/share/grafana/public/app/plugins/datasource/prometheus/configuration/ rix, 442 | /usr/share/grafana/public/app/plugins/datasource/opentsdb/img/ rix, 443 | /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt r, 444 | /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt r, 445 | /usr/share/ca-certificates/mozilla/CommScope_Public_Trust_RSA_Root-01.crt r, 446 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/hooks/ rix, 447 | /usr/share/grafana/public/app/plugins/panel/histogram/img/ rix, 448 | /usr/share/grafana/public/app/plugins/panel/status-history/plugin.json r, 449 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/shared/Dimensions/ rix, 450 | /usr/share/grafana/public/app/plugins/datasource/jaeger/ rix, 451 | /usr/share/grafana/public/app/plugins/panel/debug/ rix, 452 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/resources/ rix, 453 | /etc/ssl/certs/ca-certificates.crt r, 454 | /var/lib/grafana/pdf/ rwix, 455 | /usr/share/grafana/public/app/plugins/panel/live/img/ rix, 456 | /usr/share/grafana/public/app/plugins/datasource/influxdb/img/ rix, 457 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/cloudwatch-logs-sql-test-data/ rix, 458 | /var/lib/grafana/plugins/grafana-lokiexplore-app/698.js.LICENSE.txt rw, 459 | /usr/share/grafana/public/app/plugins/datasource/dashboard/img/ rix, 460 | /usr/share/grafana/public/app/plugins/panel/heatmap/img/ rix, 461 | /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt r, 462 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/monarch/ rix, 463 | /usr/share/ca-certificates/mozilla/GTS_Root_R4.crt r, 464 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/shared/MetricStatEditor/ rix, 465 | 
/usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/influxql/hooks/ rix, 466 | /usr/share/grafana/public/app/plugins/panel/graph/img/ rix, 467 | /usr/share/grafana/public/app/plugins/datasource/grafana-pyroscope-datasource/dist/img/ rix, 468 | /usr/share/grafana/public/app/plugins/panel/welcome/plugin.json r, 469 | /var/lib/grafana/plugins/grafana-lokiexplore-app/plugin.json rw, 470 | /usr/share/grafana/public/app/plugins/datasource/prometheus/dashboards/ rix, 471 | /usr/share/grafana/public/app/plugins/panel/welcome/ rix, 472 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/ rix, 473 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/SettingsEditor/ rix, 474 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/influxql/visual/ rix, 475 | /usr/share/grafana/public/app/plugins/panel/state-timeline/img/ rix, 476 | /usr/share/grafana/public/build/1518.a3f1f690c084a37f01c7.js r, 477 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/metric-math/ rix, 478 | /usr/share/ca-certificates/mozilla/Security_Communication_RootCA3.crt r, 479 | /usr/share/grafana/public/app/plugins/panel/geomap/layers/data/ rix, 480 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/cloudwatch-ppl-test-data/ rix, 481 | /var/lib/grafana/png/ rwix, 482 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/annotation/ rix, 483 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/dynamic-labels/ rix, 484 | /usr/share/grafana/public/app/plugins/panel/text/ rix, 485 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/flux/ rix, 486 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/configuration/__mocks__/ rix, 487 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/ rix, 488 | 
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt r, 489 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/ rix, 490 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/configuration/ rix, 491 | /var/lib/grafana/plugins/grafana-lokiexplore-app/img/ rwix, 492 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/hooks/ rix, 493 | /usr/share/grafana/public/app/plugins/panel/geomap/utils/ rix, 494 | /usr/share/grafana/public/app/plugins/panel/xychart/v2/ rix, 495 | /usr/share/ca-certificates/mozilla/Telekom_Security_TLS_RSA_Root_2023.crt r, 496 | /usr/share/ca-certificates/mozilla/Certigna.crt r, 497 | /usr/share/grafana/public/emails/welcome_on_signup.txt r, 498 | /usr/share/grafana/public/app/plugins/panel/news/fixtures/ rix, 499 | /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt r, 500 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/__mocks__/cloudwatch-logs-test-data/ rix, 501 | /usr/share/grafana/public/app/plugins/panel/canvas/components/ rix, 502 | /usr/share/grafana/public/app/plugins/panel/xychart/img/ rix, 503 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/logs/ rix, 504 | /usr/share/grafana/public/app/plugins/datasource/loki/migrations/ rix, 505 | /usr/share/grafana/public/app/plugins/panel/canvas/components/connections/ rix, 506 | /usr/share/grafana/public/app/plugins/datasource/loki/configuration/ rix, 507 | /proc/*/fd rix, 508 | /usr/share/grafana/public/app/plugins/datasource/opentsdb/plugin.json r, 509 | /usr/share/grafana/public/app/plugins/datasource/influxdb/components/editor/query/influxql/ rix, 510 | /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt r, 511 | /usr/share/grafana/public/app/plugins/datasource/mssql/ rix, 512 | /usr/share/ca-certificates/mozilla/vTrus_ECC_Root_CA.crt r, 513 | /usr/share/grafana/public/app/plugins/datasource/influxdb/plugin.json r, 514 | 
/usr/share/grafana/public/app/plugins/panel/timeseries/plugins/ rix, 515 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/MetaInspector/ rix, 516 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/SettingsEditor/FiltersSettingsEditor/state/ rix, 517 | /usr/share/grafana/public/app/plugins/datasource/opentsdb/specs/ rix, 518 | /usr/share/grafana/public/app/plugins/panel/status-history/ rix, 519 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/MetricAggregationsEditor/state/ rix, 520 | /usr/share/grafana/public/views/ rix, 521 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/shared/ rix, 522 | /usr/share/grafana/public/app/plugins/datasource/grafana/plugin.json r, 523 | /usr/share/grafana/public/app/plugins/panel/candlestick/ rix, 524 | /usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/dist/img/ rix, 525 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/metric-math/completion/ rix, 526 | /usr/share/grafana/public/app/plugins/datasource/grafana-testdata-datasource/ rix, 527 | /usr/share/grafana/public/app/plugins/datasource/tempo/ rix, 528 | /usr/share/ca-certificates/mozilla/BJCA_Global_Root_CA2.crt r, 529 | /usr/share/grafana/public/app/plugins/panel/geomap/img/ rix, 530 | /usr/share/grafana/public/app/plugins/datasource/mixed/ rix, 531 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/language/cloudwatch-sql/completion/ rix, 532 | /usr/share/grafana/public/app/plugins/datasource/graphite/ rix, 533 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/utils/query/ rix, 534 | /usr/share/grafana/public/app/plugins/datasource/parca/dist/ rix, 535 | /usr/share/grafana/public/app/plugins/datasource/jaeger/dist/img/ rix, 536 | /usr/share/grafana/public/app/plugins/panel/table/__snapshots__/ rix, 537 | /usr/share/grafana/public/emails/ rix, 538 | 
/usr/share/grafana/public/app/plugins/datasource/mssql/dist/img/ rix, 539 | /usr/share/grafana/public/app/plugins/panel/live/ rix, 540 | /usr/share/grafana/public/app/plugins/panel/table/ rix, 541 | /usr/share/grafana/public/app/plugins/datasource/zipkin/dist/ rix, 542 | /usr/share/grafana/public/app/plugins/panel/state-timeline/__snapshots__/ rix, 543 | /usr/share/grafana/public/app/plugins/datasource/azuremonitor/dist/ rix, 544 | /usr/share/grafana/public/app/plugins/panel/alertlist/unified-alerting/ rix, 545 | /var/lib/grafana/ rwix, 546 | /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt r, 547 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/MetricAggregationsEditor/SettingsEditor/ rix, 548 | /usr/share/grafana/public/app/plugins/datasource/elasticsearch/components/QueryEditor/MetricAggregationsEditor/SettingsEditor/BucketScriptSettingsEditor/state/ rix, 549 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/plugin.json r, 550 | /usr/share/grafana/public/app/plugins/datasource/azuremonitor/dist/dashboards/ rix, 551 | /usr/share/grafana/public/app/plugins/datasource/influxdb/__mocks__/ rix, 552 | /usr/share/grafana/public/app/plugins/panel/table-old/specs/ rix, 553 | /usr/share/grafana/public/app/plugins/datasource/grafana/components/ rix, 554 | /usr/share/grafana/public/app/plugins/datasource/loki/querybuilder/ rix, 555 | /usr/share/grafana/public/app/plugins/datasource/tempo/dist/test/ rix, 556 | /usr/share/grafana/public/app/plugins/panel/graph/specs/ rix, 557 | /usr/share/grafana/public/app/plugins/panel/heatmap/ rix, 558 | /usr/share/grafana/public/app/plugins/datasource/cloudwatch/components/CheatSheet/ rix, 559 | /usr/share/grafana/public/app/plugins/panel/ rix, 560 | /bin/busybox ix, 561 | /bin/bash ix, 562 | /usr/sbin/runc ix, 563 | / r, 564 | /etc/grafana/ r, 565 | /usr/lib/ r, 566 | /sys/kernel/mm/transparent_hugepage/ r, 567 | 
/etc/ssl/certs/ca-cert-NetLock_Arany_=Class_Gold=_F..tan..s..tv..ny.pem r, 568 | /etc/ r, 569 | /dev/mqueue rw, 570 | /proc/self/fd rw, 571 | /proc/self/ r, 572 | /proc/self/attr/apparmor/exec rw, 573 | /proc/self/attr/apparmor/ r, 574 | /proc/self/setgroups r, 575 | /proc/sys/net/ipv4/ping_group_range rw, 576 | /proc/sys/net/ipv4/ r, 577 | /proc/*/ r, 578 | /proc/sys/kernel/ r, 579 | /proc/sys/kernel/cap_last_cap r, 580 | /dev/ r, 581 | /etc/grafana/provisioning/ r, 582 | /usr/share/grafana/public/img/ r, 583 | /proc/self/status r, 584 | /dev/stderr r, 585 | /proc/self/fd/* rw, 586 | /var/lib/ r, 587 | /dev/shm/** rwk, 588 | /dev/null rwk, 589 | /dev/stdin r, 590 | /run/** rwixk, 591 | /proc/filesystems r, 592 | /proc/ r, 593 | /sys/ r, 594 | /dev/tty rw, 595 | /usr/share/grafana/conf/ r, 596 | /usr/share/grafana/public/gazetteer/ r, 597 | /etc/hostname r, 598 | /usr/share/grafana/public/app/plugins/ r, 599 | /dev/stdout r, 600 | /dev/ptmx r, 601 | /dev/zero rw, 602 | /etc/group r, 603 | /sys/fs/ r, 604 | /sys/fs/cgroup r, 605 | /proc/self/mountinfo r, 606 | /proc/self/uid_map r, 607 | /dev/full rw, 608 | /proc/*/net/ r, 609 | /dev/pts/ rw, 610 | /dev/core r, 611 | /proc/kcore w, 612 | /proc/sys/net/ipv4/ip_unprivileged_port_start rw, 613 | /usr/share/grafana/ r, 614 | /proc/sys/net/core/ r, 615 | /proc/self/fd/ r, 616 | /sys/fs/cgroup/ r, 617 | /usr/share/grafana/bin/ r, 618 | /etc/ssl/ r, 619 | /dev/random rw, 620 | /dev/fd r, 621 | /usr/share/ca-certificates/mozilla/* r, 622 | /usr/share/grafana/public/build/* r, 623 | /tmp/*.zip w, 624 | /usr/share/grafana/public/build/runtime.4cca0eee7c*d5f08.js r, 625 | /var/lib/grafana/plugins/grafana-lokiexplore-app/c9b2776a9b*e7123.wasm rw, 626 | /usr/share/grafana/public/build/4239.c2eca2b0222ddf*b.js r, 627 | } 628 | --------------------------------------------------------------------------------