├── .gitignore ├── LICENSE ├── README.md ├── alpine └── config.json ├── busybox └── config.json ├── chrome └── config.json ├── debian └── config.json ├── hack └── scripts │ ├── add-host │ ├── get-rootfs │ ├── remove-host │ ├── strace-process │ └── update-all-rootfs ├── hollywood └── config.json ├── htop └── config.json ├── irssi └── config.json ├── mitmproxy └── config.json ├── nginx └── config.json ├── pulseaudio └── config.json ├── rainbowstream └── config.json ├── redis └── config.json ├── remmina └── config.json ├── runc@.service ├── skype └── config.json ├── spotify └── config.json ├── tor-browser └── config.json ├── tor-proxy └── config.json ├── traceroute └── config.json ├── transmission └── config.json ├── virtualbox ├── config.json ├── load_kernel_modules.sh └── runtime.json └── vlc └── config.json /.gitignore: -------------------------------------------------------------------------------- 1 | ###Go### 2 | 3 | # Compiled Object files, Static and Dynamic libs (Shared Objects) 4 | *.o 5 | *.a 6 | *.so 7 | *.swo 8 | *.swp 9 | 10 | # Folders 11 | _obj 12 | _test 13 | 14 | # Architecture specific extensions/prefixes 15 | *.[568vq] 16 | [568vq].out 17 | 18 | *.cgo1.go 19 | *.cgo2.c 20 | _cgo_defun.c 21 | _cgo_gotypes.go 22 | _cgo_export.* 23 | 24 | _testmain.go 25 | 26 | *.exe 27 | *.test 28 | 29 | 30 | ###OSX### 31 | 32 | .DS_Store 33 | .AppleDouble 34 | .LSOverride 35 | 36 | # Icon must ends with two \r. 
37 | Icon 38 | 39 | 40 | # Thumbnails 41 | ._* 42 | 43 | # Files that might appear on external disk 44 | .Spotlight-V100 45 | .Trashes 46 | 47 | */rootfs/* 48 | rootfs/* 49 | *.tar 50 | .ip 51 | strace.log 52 | *.pid 53 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Jessie Frazelle 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # containers 2 | 3 | runc configs for containers. 
4 | 5 | You can run any of these with the systemd service file 6 | [runc@.service](runc@.service) in this repo like so: 7 | 8 | ```console 9 | # just pass a directory name 10 | $ sudo systemctl start runc@notify-osd 11 | 12 | $ sudo systemctl start runc@chrome 13 | ``` 14 | 15 | Check out my blog post about this: 16 | [blog.jessfraz.com/post/runc-containers-on-the-desktop/](https://blog.jessfraz.com/post/runc-containers-on-the-desktop/). 17 | -------------------------------------------------------------------------------- /debian/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "process": { 4 | "terminal": true, 5 | "user": { 6 | "uid": 0, 7 | "gid": 0 8 | }, 9 | "args": [ 10 | "bash" 11 | ], 12 | "env": [ 13 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 14 | "TERM=xterm" 15 | ], 16 | "cwd": "/", 17 | "capabilities": { 18 | "bounding": [ 19 | "CAP_CHOWN", 20 | "CAP_DAC_OVERRIDE", 21 | "CAP_FSETID", 22 | "CAP_FOWNER", 23 | "CAP_MKNOD", 24 | "CAP_NET_RAW", 25 | "CAP_SETGID", 26 | "CAP_SETUID", 27 | "CAP_SETFCAP", 28 | "CAP_SETPCAP", 29 | "CAP_NET_BIND_SERVICE", 30 | "CAP_SYS_CHROOT", 31 | "CAP_KILL", 32 | "CAP_AUDIT_WRITE" 33 | ], 34 | "effective": [ 35 | "CAP_CHOWN", 36 | "CAP_DAC_OVERRIDE", 37 | "CAP_FSETID", 38 | "CAP_FOWNER", 39 | "CAP_MKNOD", 40 | "CAP_NET_RAW", 41 | "CAP_SETGID", 42 | "CAP_SETUID", 43 | "CAP_SETFCAP", 44 | "CAP_SETPCAP", 45 | "CAP_NET_BIND_SERVICE", 46 | "CAP_SYS_CHROOT", 47 | "CAP_KILL", 48 | "CAP_AUDIT_WRITE" 49 | ], 50 | "inheritable": [ 51 | "CAP_CHOWN", 52 | "CAP_DAC_OVERRIDE", 53 | "CAP_FSETID", 54 | "CAP_FOWNER", 55 | "CAP_MKNOD", 56 | "CAP_NET_RAW", 57 | "CAP_SETGID", 58 | "CAP_SETUID", 59 | "CAP_SETFCAP", 60 | "CAP_SETPCAP", 61 | "CAP_NET_BIND_SERVICE", 62 | "CAP_SYS_CHROOT", 63 | "CAP_KILL", 64 | "CAP_AUDIT_WRITE" 65 | ], 66 | "permitted": [ 67 | "CAP_CHOWN", 68 | "CAP_DAC_OVERRIDE", 69 | "CAP_FSETID", 70 | "CAP_FOWNER", 71 | 
"CAP_MKNOD", 72 | "CAP_NET_RAW", 73 | "CAP_SETGID", 74 | "CAP_SETUID", 75 | "CAP_SETFCAP", 76 | "CAP_SETPCAP", 77 | "CAP_NET_BIND_SERVICE", 78 | "CAP_SYS_CHROOT", 79 | "CAP_KILL", 80 | "CAP_AUDIT_WRITE" 81 | ], 82 | "ambient": [ 83 | "CAP_CHOWN", 84 | "CAP_DAC_OVERRIDE", 85 | "CAP_FSETID", 86 | "CAP_FOWNER", 87 | "CAP_MKNOD", 88 | "CAP_NET_RAW", 89 | "CAP_SETGID", 90 | "CAP_SETUID", 91 | "CAP_SETFCAP", 92 | "CAP_SETPCAP", 93 | "CAP_NET_BIND_SERVICE", 94 | "CAP_SYS_CHROOT", 95 | "CAP_KILL", 96 | "CAP_AUDIT_WRITE" 97 | ] 98 | }, 99 | "rlimits": [ 100 | { 101 | "type": "RLIMIT_NOFILE", 102 | "hard": 1024, 103 | "soft": 1024 104 | } 105 | ] 106 | }, 107 | "root": { 108 | "path": "rootfs" 109 | }, 110 | "hostname": "runc", 111 | "mounts": [ 112 | { 113 | "destination": "/proc", 114 | "type": "proc", 115 | "source": "proc" 116 | }, 117 | { 118 | "destination": "/dev", 119 | "type": "tmpfs", 120 | "source": "tmpfs", 121 | "options": [ 122 | "nosuid", 123 | "strictatime", 124 | "mode=755", 125 | "size=65536k" 126 | ] 127 | }, 128 | { 129 | "destination": "/dev/pts", 130 | "type": "devpts", 131 | "source": "devpts", 132 | "options": [ 133 | "nosuid", 134 | "noexec", 135 | "newinstance", 136 | "ptmxmode=0666", 137 | "mode=0620", 138 | "gid=5" 139 | ] 140 | }, 141 | { 142 | "destination": "/dev/shm", 143 | "type": "tmpfs", 144 | "source": "shm", 145 | "options": [ 146 | "nosuid", 147 | "noexec", 148 | "nodev", 149 | "mode=1777", 150 | "size=65536k" 151 | ] 152 | }, 153 | { 154 | "destination": "/dev/mqueue", 155 | "type": "mqueue", 156 | "source": "mqueue", 157 | "options": [ 158 | "nosuid", 159 | "noexec", 160 | "nodev" 161 | ] 162 | }, 163 | { 164 | "destination": "/sys", 165 | "type": "sysfs", 166 | "source": "sysfs", 167 | "options": [ 168 | "nosuid", 169 | "noexec", 170 | "nodev", 171 | "ro" 172 | ] 173 | }, 174 | { 175 | "destination": "/sys/fs/cgroup", 176 | "type": "cgroup", 177 | "source": "cgroup", 178 | "options": [ 179 | "nosuid", 180 | "noexec", 181 | "nodev", 
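182 | "relatime", 183 | "ro" 184 | ] 185 | }, 186 | { 187 | 188 | "destination": "/etc/hosts", 189 | "type": "bind", 190 | "source": "/etc/hosts", 191 | "options": [ 192 | "rbind", 193 | "ro" 194 | ] 195 | }, 196 | { 197 | "destination": "/etc/resolv.conf", 198 | "type": "bind", 199 | "source": "/etc/resolv.conf", 200 | "options": [ 201 | "rbind" 202 | ] 203 | } 204 | ], 205 | "linux": { 206 | "resources": { 207 | "devices": [ 208 | { 209 | "allow": false, 210 | "access": "rwm" 211 | } 212 | ] 213 | }, 214 | "namespaces": [ 215 | { 216 | "type": "pid" 217 | }, 218 | { 219 | "type": "network" 220 | }, 221 | { 222 | "type": "ipc" 223 | }, 224 | { 225 | "type": "uts" 226 | }, 227 | { 228 | "type": "mount" 229 | } 230 | ], 231 | "maskedPaths": [ 232 | "/proc/kcore", 233 | "/proc/latency_stats", 234 | "/proc/timer_list", 235 | "/proc/timer_stats", 236 | "/proc/sched_debug", 237 | "/sys/firmware", 238 | "/proc/scsi" 239 | ], 240 | "readonlyPaths": [ 241 | "/proc/asound", 242 | "/proc/bus", 243 | "/proc/fs", 244 | "/proc/irq", 245 | "/proc/sys", 246 | "/proc/sysrq-trigger" 247 | ] 248 | }, 249 | "hooks": { 250 | "prestart": [ 251 | { 252 | "path": "/home/jessie/.go/bin/netns" 253 | } 254 | ] 255 | } 256 | } 257 |
--------------------------------------------------------------------------------
/hack/scripts/add-host:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Hook script: register the container under its id with hostess.
#
# Reads the container state JSON from stdin, takes its `.id` field as the
# host name and maps it to the address stored in `.ip` in the current
# directory. Nothing in this script writes `.ip`; presumably an earlier hook
# does (confirm against the container's config.json).

# Let jq read stdin itself: a plain `read` stops at the first newline and
# interprets backslashes, so it can hand jq a truncated or altered document.
name=$(jq --raw-output '.id // empty')

# The id ends up as a command-line argument of a tool run from a hook, so
# refuse anything that is empty, starts with "-" (would parse as an option)
# or contains characters outside a conservative id alphabet.
if [[ ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9_.+-]*$ ]]; then
	echo "add-host: missing or invalid container id on stdin" >&2
	exit 1
fi

if [[ ! -s .ip ]]; then
	echo "add-host: .ip is missing or empty" >&2
	exit 1
fi

/home/jessie/.go/bin/hostess add "$name" "$(cat .ip)"

--------------------------------------------------------------------------------
/hack/scripts/get-rootfs:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Build ./rootfs for a runc bundle from a Docker image.
#
# Usage: get-rootfs [image]
#   image  image reference to export; defaults to the name of the current
#          directory.
#
# Steps: pull the image, create a throwaway container, export its filesystem
# to a tarball, unpack that into ./rootfs with sudo, and chown the tree when
# config.json declares a user-namespace uid mapping.
set -e

# Temporary artefacts, kept global so the EXIT trap can remove them when a
# step fails under `set -e`.
tarball=""
container_id=""

# Remove the temporary container and tarball, whatever path we exit on.
cleanup(){
	if [[ -n "$container_id" ]]; then
		docker rm -f "$container_id" > /dev/null 2>&1 || true
	fi
	if [[ -n "$tarball" ]]; then
		rm -f -- "$tarball"
	fi
}
trap cleanup EXIT

get_rootfs(){
	local image="$1"
	local bundle=rootfs
	local userns_uid shortname

	# Host uid of the first uidMappings entry; empty when config.json is
	# absent or declares no mapping.
	userns_uid=$(jq --raw-output '.linux.uidMappings[0].hostID // empty' config.json 2> /dev/null || echo "")

	if [[ -z "$image" ]]; then
		# get the basename of the current directory
		image=$(basename "$(pwd)")
	fi

	# --disable-content-trust=false keeps Docker Content Trust verification
	# on for the pull. NOTE(review): when the first pull fails the same name
	# is retried against r.j3ss.co, i.e. a different publisher; pin images by
	# digest if provenance matters.
	docker pull --disable-content-trust=false "$image" || {
		image="r.j3ss.co/${image}"
		docker pull --disable-content-trust=false "$image"
	}

	# Name the tarball after the last path component, without tag or digest.
	# Taking the last component (rather than dropping only the first) keeps
	# "registry/namespace/name" from producing a path in a missing directory.
	shortname=${image##*/}
	shortname=${shortname%%[:@]*}
	tarball="${shortname}.tar"

	# Images without a default command need an explicit one to be created.
	container_id=$(docker create "$image" || docker create "$image" sh)
	docker export "$container_id" > "$tarball"

	# remove the container you created
	docker rm -f "$container_id"
	container_id=""

	if [[ -d "$bundle" ]]; then
		sudo rm -rf -- "$bundle"
	fi

	mkdir -p "$bundle"
	# --numeric-owner: keep the uid/gid numbers recorded in the image instead
	# of letting tar translate owner names through the host's passwd/group.
	sudo tar -C "$bundle" --numeric-owner -xf "$tarball"

	# chown for userns. The value comes from config.json and is handed to a
	# root-run chown, so accept only a plain number. The uid is reused as the
	# group, as before; the gidMappings are not consulted.
	if [[ "$userns_uid" =~ ^[0-9]+$ ]]; then
		sudo chown -R "${userns_uid}":"${userns_uid}" "${bundle}"
	elif [[ -n "$userns_uid" ]] && [[ "$userns_uid" != "null" ]]; then
		echo "get-rootfs: ignoring non-numeric uidMappings hostID: ${userns_uid}" >&2
	fi

	rm -f -- "$tarball"
	tarball=""
}

# Quote "$@" so an image reference is passed through unsplit and unglobbed.
get_rootfs "$@"

--------------------------------------------------------------------------------
/hack/scripts/remove-host:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Hook script: remove the container's host entry and the stored address.
#
# Reads the container state JSON from stdin, passes its `.id` field to
# `hostess rm`, then deletes `.ip` from the current directory.

# Let jq read stdin itself; `read` would stop at the first newline and
# interpret backslashes.
name=$(jq --raw-output '.id // empty')

# Same conservative id check as add-host; an invalid id is reported but does
# not stop the `.ip` cleanup below.
if [[ "$name" =~ ^[A-Za-z0-9][A-Za-z0-9_.+-]*$ ]]; then
	/home/jessie/.go/bin/hostess rm "$name"
else
	echo "remove-host: missing or invalid container id on stdin" >&2
fi

rm -f .ip

--------------------------------------------------------------------------------
/hack/scripts/strace-process:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Hook script: attach strace to the container's process for debugging.
#
# Reads the container state JSON from stdin, takes its `.pid` field and
# starts a background strace that follows children (-f) and writes timestamped
# (-ttt) and timed (-T) syscalls to strace.log in the current directory.
# The log contains syscall arguments (paths, buffers), so treat it as
# sensitive; the repository's .gitignore already excludes strace.log.

pid=$(jq --raw-output '.pid // empty')

# Tracing is best-effort: never fail the hook, but do not hand strace a value
# that is not a process id.
if [[ ! "$pid" =~ ^[0-9]+$ ]]; then
	echo "strace-process: no numeric pid in state on stdin; not tracing" >&2
	exit 0
fi

strace -f -ttt -T -p "$pid" -o strace.log &
exit 0

--------------------------------------------------------------------------------
/hack/scripts/update-all-rootfs:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Refresh the rootfs of every container directory under $HOME/containers by
# running get-rootfs (from this script's directory) inside each of them.
set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

update_rootfs() {
	local container_dir=$HOME/containers
	local containers=()
	local container

	# Collect the directories NUL-delimited so names containing whitespace or
	# glob characters are not split or expanded. "hack" and dot-directories
	# are not container bundles.
	while IFS= read -r -d '' container; do
		containers+=( "$container" )
	done < <(find "$container_dir" -maxdepth 1 ! -path "$container_dir" -type d -not -name "hack" -not -name ".*" -print0)

	for container in "${containers[@]}"; do
		(
		cd "$container"
		# Run get-rootfs as a child. With `exec` the subshell was replaced
		# and the status lines below were never reached.
		"${DIR}/get-rootfs"
		echo
		echo "Updated $(basename "$container") to latest rootfs"
		echo
		)
	done
}

update_rootfs "$@"

--------------------------------------------------------------------------------
/htop/config.json:
--------------------------------------------------------------------------------
1 | { 2 | "ociVersion": "0.3.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "x86_64" 6 | }, 7 | "process": { 8 | "terminal": true, 9 | "user": {}, 10 | "args": [ 11 | "htop" 12 | ], 13 | "env": [ 14 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 15 | "TERM=xterm" 16 | ], 17 | "cwd": "/", 18 | "capabilities": [ 19 | "CAP_CHOWN", 20 | "CAP_DAC_OVERRIDE", 21 | "CAP_FSETID", 22 | "CAP_FOWNER", 23 | "CAP_MKNOD", 24 | "CAP_NET_RAW", 25 | "CAP_SETGID", 26 | "CAP_SETUID", 27 | "CAP_SETFCAP", 28 | "CAP_SETPCAP", 29 | "CAP_NET_BIND_SERVICE", 30 | "CAP_SYS_CHROOT", 31 | "CAP_KILL", 32 | "CAP_AUDIT_WRITE" 33 | ], 34 | "rlimits": [ 35 | { 36 | "type": "RLIMIT_NOFILE", 37 | "hard": 1024, 38 | "soft": 1024 39 | } 40 | ], 41 | "noNewPrivileges": true, 42 | "apparmorProfile": "docker-default" 43 | }, 44 | "root": { 45 | "path": "rootfs", 46 | "readonly": false 47 | }, 48 | "hostname": "htop", 49 | "mounts": [ 50 | { 51 | "destination": "/proc", 52 | "type": "proc", 53 | "source": "proc" 54 | }, 55 | { 56 | "destination": "/dev", 57 | "type": "tmpfs", 58 | "source": "tmpfs", 59 | "options": [ 60 | "nosuid", 61 | "strictatime", 62 | "mode=755", 63 | "size=65536k" 64 | ] 65 | }, 66 | { 67 | "destination": "/dev/pts", 68 | "type": "devpts", 69 | "source": "devpts", 70 | "options": [ 71 | "nosuid", 72 | "noexec", 73 | "newinstance", 74 | "ptmxmode=0666", 75 | "mode=0620", 76 | "gid=5" 77 | ] 78 | }, 79 | { 80 | "destination": "/dev/shm", 81 | "type": "tmpfs", 82 | "source": "shm", 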
83 | "options": [ 84 | "nosuid", 85 | "noexec", 86 | "nodev", 87 | "mode=1777", 88 | "size=65536k" 89 | ] 90 | }, 91 | { 92 | "destination": "/dev/mqueue", 93 | "type": "mqueue", 94 | "source": "mqueue", 95 | "options": [ 96 | "nosuid", 97 | "noexec", 98 | "nodev" 99 | ] 100 | }, 101 | { 102 | "destination": "/sys", 103 | "type": "sysfs", 104 | "source": "sysfs", 105 | "options": [ 106 | "nosuid", 107 | "noexec", 108 | "nodev" 109 | ] 110 | }, 111 | { 112 | "destination": "/sys/fs/cgroup", 113 | "type": "cgroup", 114 | "source": "cgroup", 115 | "options": [ 116 | "nosuid", 117 | "noexec", 118 | "nodev", 119 | "relatime", 120 | "ro" 121 | ] 122 | } 123 | ], 124 | "hooks": {}, 125 | "linux": { 126 | "resources": { 127 | "devices": [ 128 | { 129 | "allow": true, 130 | "type": "c", 131 | "major": 1, 132 | "minor": 3, 133 | "access": "rwm" 134 | }, 135 | { 136 | "allow": true, 137 | "type": "c", 138 | "major": 1, 139 | "minor": 5, 140 | "access": "rwm" 141 | }, 142 | { 143 | "allow": true, 144 | "type": "c", 145 | "major": 1, 146 | "minor": 7, 147 | "access": "rwm" 148 | }, 149 | { 150 | "allow": true, 151 | "type": "c", 152 | "major": 5, 153 | "minor": 0, 154 | "access": "rwm" 155 | }, 156 | { 157 | "allow": true, 158 | "type": "c", 159 | "major": 1, 160 | "minor": 9, 161 | "access": "rwm" 162 | }, 163 | { 164 | "allow": true, 165 | "type": "c", 166 | "major": 1, 167 | "minor": 8, 168 | "access": "rwm" 169 | } 170 | ], 171 | "disableOOMKiller": false, 172 | "oomScoreAdj": 0, 173 | "memory": { 174 | "limit": 0, 175 | "reservation": 0, 176 | "swap": 0, 177 | "kernel": 0, 178 | "kernelTCP": null, 179 | "swappiness": 18446744073709551615 180 | }, 181 | "cpu": { 182 | "shares": 0, 183 | "quota": 0, 184 | "period": 0, 185 | "cpus": "", 186 | "mems": "" 187 | }, 188 | "pids": { 189 | "limit": 0 190 | }, 191 | "blockIO": { 192 | "blkioWeight": 0 193 | } 194 | }, 195 | "namespaces": [ 196 | { 197 | "type": "ipc" 198 | }, 199 | { 200 | "type": "uts" 201 | }, 202 | { 203 | 
"type": "mount" 204 | }, 205 | { 206 | "type": "network" 207 | } 208 | ], 209 | "devices": [ 210 | { 211 | "path": "/dev/null", 212 | "type": "c", 213 | "major": 1, 214 | "minor": 3, 215 | "fileMode": 438, 216 | "uid": 0, 217 | "gid": 0 218 | }, 219 | { 220 | "path": "/dev/zero", 221 | "type": "c", 222 | "major": 1, 223 | "minor": 5, 224 | "fileMode": 438, 225 | "uid": 0, 226 | "gid": 0 227 | }, 228 | { 229 | "path": "/dev/full", 230 | "type": "c", 231 | "major": 1, 232 | "minor": 7, 233 | "fileMode": 438, 234 | "uid": 0, 235 | "gid": 0 236 | }, 237 | { 238 | "path": "/dev/tty", 239 | "type": "c", 240 | "major": 5, 241 | "minor": 0, 242 | "fileMode": 438, 243 | "uid": 0, 244 | "gid": 0 245 | }, 246 | { 247 | "path": "/dev/urandom", 248 | "type": "c", 249 | "major": 1, 250 | "minor": 9, 251 | "fileMode": 438, 252 | "uid": 0, 253 | "gid": 0 254 | }, 255 | { 256 | "path": "/dev/random", 257 | "type": "c", 258 | "major": 1, 259 | "minor": 8, 260 | "fileMode": 438, 261 | "uid": 0, 262 | "gid": 0 263 | } 264 | ], 265 | "seccomp": { 266 | "defaultAction": "SCMP_ACT_ERRNO", 267 | "architectures": null, 268 | "syscalls": [ 269 | { 270 | "name": "accept", 271 | "action": "SCMP_ACT_ALLOW" 272 | }, 273 | { 274 | "name": "accept4", 275 | "action": "SCMP_ACT_ALLOW" 276 | }, 277 | { 278 | "name": "access", 279 | "action": "SCMP_ACT_ALLOW" 280 | }, 281 | { 282 | "name": "alarm", 283 | "action": "SCMP_ACT_ALLOW" 284 | }, 285 | { 286 | "name": "arch_prctl", 287 | "action": "SCMP_ACT_ALLOW" 288 | }, 289 | { 290 | "name": "bind", 291 | "action": "SCMP_ACT_ALLOW" 292 | }, 293 | { 294 | "name": "brk", 295 | "action": "SCMP_ACT_ALLOW" 296 | }, 297 | { 298 | "name": "capget", 299 | "action": "SCMP_ACT_ALLOW" 300 | }, 301 | { 302 | "name": "capset", 303 | "action": "SCMP_ACT_ALLOW" 304 | }, 305 | { 306 | "name": "chdir", 307 | "action": "SCMP_ACT_ALLOW" 308 | }, 309 | { 310 | "name": "chmod", 311 | "action": "SCMP_ACT_ALLOW" 312 | }, 313 | { 314 | "name": "chown", 315 | "action": 
"SCMP_ACT_ALLOW" 316 | }, 317 | { 318 | "name": "chown32", 319 | "action": "SCMP_ACT_ALLOW" 320 | }, 321 | { 322 | "name": "chroot", 323 | "action": "SCMP_ACT_ALLOW" 324 | }, 325 | { 326 | "name": "clock_getres", 327 | "action": "SCMP_ACT_ALLOW" 328 | }, 329 | { 330 | "name": "clock_gettime", 331 | "action": "SCMP_ACT_ALLOW" 332 | }, 333 | { 334 | "name": "clock_nanosleep", 335 | "action": "SCMP_ACT_ALLOW" 336 | }, 337 | { 338 | "name": "clone", 339 | "action": "SCMP_ACT_ALLOW", 340 | "args": [ 341 | { 342 | "index": 0, 343 | "value": 2080505856, 344 | "valueTwo": 0, 345 | "op": "SCMP_CMP_MASKED_EQ" 346 | } 347 | ] 348 | }, 349 | { 350 | "name": "close", 351 | "action": "SCMP_ACT_ALLOW" 352 | }, 353 | { 354 | "name": "connect", 355 | "action": "SCMP_ACT_ALLOW" 356 | }, 357 | { 358 | "name": "creat", 359 | "action": "SCMP_ACT_ALLOW" 360 | }, 361 | { 362 | "name": "dup", 363 | "action": "SCMP_ACT_ALLOW" 364 | }, 365 | { 366 | "name": "dup2", 367 | "action": "SCMP_ACT_ALLOW" 368 | }, 369 | { 370 | "name": "dup3", 371 | "action": "SCMP_ACT_ALLOW" 372 | }, 373 | { 374 | "name": "epoll_create", 375 | "action": "SCMP_ACT_ALLOW" 376 | }, 377 | { 378 | "name": "epoll_create1", 379 | "action": "SCMP_ACT_ALLOW" 380 | }, 381 | { 382 | "name": "epoll_ctl", 383 | "action": "SCMP_ACT_ALLOW" 384 | }, 385 | { 386 | "name": "epoll_ctl_old", 387 | "action": "SCMP_ACT_ALLOW" 388 | }, 389 | { 390 | "name": "epoll_pwait", 391 | "action": "SCMP_ACT_ALLOW" 392 | }, 393 | { 394 | "name": "epoll_wait", 395 | "action": "SCMP_ACT_ALLOW" 396 | }, 397 | { 398 | "name": "epoll_wait_old", 399 | "action": "SCMP_ACT_ALLOW" 400 | }, 401 | { 402 | "name": "eventfd", 403 | "action": "SCMP_ACT_ALLOW" 404 | }, 405 | { 406 | "name": "eventfd2", 407 | "action": "SCMP_ACT_ALLOW" 408 | }, 409 | { 410 | "name": "execve", 411 | "action": "SCMP_ACT_ALLOW" 412 | }, 413 | { 414 | "name": "execveat", 415 | "action": "SCMP_ACT_ALLOW" 416 | }, 417 | { 418 | "name": "exit", 419 | "action": "SCMP_ACT_ALLOW" 420 | }, 
421 | { 422 | "name": "exit_group", 423 | "action": "SCMP_ACT_ALLOW" 424 | }, 425 | { 426 | "name": "faccessat", 427 | "action": "SCMP_ACT_ALLOW" 428 | }, 429 | { 430 | "name": "fadvise64", 431 | "action": "SCMP_ACT_ALLOW" 432 | }, 433 | { 434 | "name": "fadvise64_64", 435 | "action": "SCMP_ACT_ALLOW" 436 | }, 437 | { 438 | "name": "fallocate", 439 | "action": "SCMP_ACT_ALLOW" 440 | }, 441 | { 442 | "name": "fanotify_init", 443 | "action": "SCMP_ACT_ALLOW" 444 | }, 445 | { 446 | "name": "fanotify_mark", 447 | "action": "SCMP_ACT_ALLOW" 448 | }, 449 | { 450 | "name": "fchdir", 451 | "action": "SCMP_ACT_ALLOW" 452 | }, 453 | { 454 | "name": "fchmod", 455 | "action": "SCMP_ACT_ALLOW" 456 | }, 457 | { 458 | "name": "fchmodat", 459 | "action": "SCMP_ACT_ALLOW" 460 | }, 461 | { 462 | "name": "fchown", 463 | "action": "SCMP_ACT_ALLOW" 464 | }, 465 | { 466 | "name": "fchown32", 467 | "action": "SCMP_ACT_ALLOW" 468 | }, 469 | { 470 | "name": "fchownat", 471 | "action": "SCMP_ACT_ALLOW" 472 | }, 473 | { 474 | "name": "fcntl", 475 | "action": "SCMP_ACT_ALLOW" 476 | }, 477 | { 478 | "name": "fcntl64", 479 | "action": "SCMP_ACT_ALLOW" 480 | }, 481 | { 482 | "name": "fdatasync", 483 | "action": "SCMP_ACT_ALLOW" 484 | }, 485 | { 486 | "name": "fgetxattr", 487 | "action": "SCMP_ACT_ALLOW" 488 | }, 489 | { 490 | "name": "flistxattr", 491 | "action": "SCMP_ACT_ALLOW" 492 | }, 493 | { 494 | "name": "flock", 495 | "action": "SCMP_ACT_ALLOW" 496 | }, 497 | { 498 | "name": "fork", 499 | "action": "SCMP_ACT_ALLOW" 500 | }, 501 | { 502 | "name": "fremovexattr", 503 | "action": "SCMP_ACT_ALLOW" 504 | }, 505 | { 506 | "name": "fsetxattr", 507 | "action": "SCMP_ACT_ALLOW" 508 | }, 509 | { 510 | "name": "fstat", 511 | "action": "SCMP_ACT_ALLOW" 512 | }, 513 | { 514 | "name": "fstat64", 515 | "action": "SCMP_ACT_ALLOW" 516 | }, 517 | { 518 | "name": "fstatat64", 519 | "action": "SCMP_ACT_ALLOW" 520 | }, 521 | { 522 | "name": "fstatfs", 523 | "action": "SCMP_ACT_ALLOW" 524 | }, 525 | { 526 | 
"name": "fstatfs64", 527 | "action": "SCMP_ACT_ALLOW" 528 | }, 529 | { 530 | "name": "fsync", 531 | "action": "SCMP_ACT_ALLOW" 532 | }, 533 | { 534 | "name": "ftruncate", 535 | "action": "SCMP_ACT_ALLOW" 536 | }, 537 | { 538 | "name": "ftruncate64", 539 | "action": "SCMP_ACT_ALLOW" 540 | }, 541 | { 542 | "name": "futex", 543 | "action": "SCMP_ACT_ALLOW" 544 | }, 545 | { 546 | "name": "futimesat", 547 | "action": "SCMP_ACT_ALLOW" 548 | }, 549 | { 550 | "name": "getcpu", 551 | "action": "SCMP_ACT_ALLOW" 552 | }, 553 | { 554 | "name": "getcwd", 555 | "action": "SCMP_ACT_ALLOW" 556 | }, 557 | { 558 | "name": "getdents", 559 | "action": "SCMP_ACT_ALLOW" 560 | }, 561 | { 562 | "name": "getdents64", 563 | "action": "SCMP_ACT_ALLOW" 564 | }, 565 | { 566 | "name": "getegid", 567 | "action": "SCMP_ACT_ALLOW" 568 | }, 569 | { 570 | "name": "getegid32", 571 | "action": "SCMP_ACT_ALLOW" 572 | }, 573 | { 574 | "name": "geteuid", 575 | "action": "SCMP_ACT_ALLOW" 576 | }, 577 | { 578 | "name": "geteuid32", 579 | "action": "SCMP_ACT_ALLOW" 580 | }, 581 | { 582 | "name": "getgid", 583 | "action": "SCMP_ACT_ALLOW" 584 | }, 585 | { 586 | "name": "getgid32", 587 | "action": "SCMP_ACT_ALLOW" 588 | }, 589 | { 590 | "name": "getgroups", 591 | "action": "SCMP_ACT_ALLOW" 592 | }, 593 | { 594 | "name": "getgroups32", 595 | "action": "SCMP_ACT_ALLOW" 596 | }, 597 | { 598 | "name": "getitimer", 599 | "action": "SCMP_ACT_ALLOW" 600 | }, 601 | { 602 | "name": "getpeername", 603 | "action": "SCMP_ACT_ALLOW" 604 | }, 605 | { 606 | "name": "getpgid", 607 | "action": "SCMP_ACT_ALLOW" 608 | }, 609 | { 610 | "name": "getpgrp", 611 | "action": "SCMP_ACT_ALLOW" 612 | }, 613 | { 614 | "name": "getpid", 615 | "action": "SCMP_ACT_ALLOW" 616 | }, 617 | { 618 | "name": "getppid", 619 | "action": "SCMP_ACT_ALLOW" 620 | }, 621 | { 622 | "name": "getpriority", 623 | "action": "SCMP_ACT_ALLOW" 624 | }, 625 | { 626 | "name": "getrandom", 627 | "action": "SCMP_ACT_ALLOW" 628 | }, 629 | { 630 | "name": "getresgid", 
631 | "action": "SCMP_ACT_ALLOW" 632 | }, 633 | { 634 | "name": "getresgid32", 635 | "action": "SCMP_ACT_ALLOW" 636 | }, 637 | { 638 | "name": "getresuid", 639 | "action": "SCMP_ACT_ALLOW" 640 | }, 641 | { 642 | "name": "getresuid32", 643 | "action": "SCMP_ACT_ALLOW" 644 | }, 645 | { 646 | "name": "getrlimit", 647 | "action": "SCMP_ACT_ALLOW" 648 | }, 649 | { 650 | "name": "get_robust_list", 651 | "action": "SCMP_ACT_ALLOW" 652 | }, 653 | { 654 | "name": "getrusage", 655 | "action": "SCMP_ACT_ALLOW" 656 | }, 657 | { 658 | "name": "getsid", 659 | "action": "SCMP_ACT_ALLOW" 660 | }, 661 | { 662 | "name": "getsockname", 663 | "action": "SCMP_ACT_ALLOW" 664 | }, 665 | { 666 | "name": "getsockopt", 667 | "action": "SCMP_ACT_ALLOW" 668 | }, 669 | { 670 | "name": "get_thread_area", 671 | "action": "SCMP_ACT_ALLOW" 672 | }, 673 | { 674 | "name": "gettid", 675 | "action": "SCMP_ACT_ALLOW" 676 | }, 677 | { 678 | "name": "gettimeofday", 679 | "action": "SCMP_ACT_ALLOW" 680 | }, 681 | { 682 | "name": "getuid", 683 | "action": "SCMP_ACT_ALLOW" 684 | }, 685 | { 686 | "name": "getuid32", 687 | "action": "SCMP_ACT_ALLOW" 688 | }, 689 | { 690 | "name": "getxattr", 691 | "action": "SCMP_ACT_ALLOW" 692 | }, 693 | { 694 | "name": "inotify_add_watch", 695 | "action": "SCMP_ACT_ALLOW" 696 | }, 697 | { 698 | "name": "inotify_init", 699 | "action": "SCMP_ACT_ALLOW" 700 | }, 701 | { 702 | "name": "inotify_init1", 703 | "action": "SCMP_ACT_ALLOW" 704 | }, 705 | { 706 | "name": "inotify_rm_watch", 707 | "action": "SCMP_ACT_ALLOW" 708 | }, 709 | { 710 | "name": "io_cancel", 711 | "action": "SCMP_ACT_ALLOW" 712 | }, 713 | { 714 | "name": "ioctl", 715 | "action": "SCMP_ACT_ALLOW" 716 | }, 717 | { 718 | "name": "io_destroy", 719 | "action": "SCMP_ACT_ALLOW" 720 | }, 721 | { 722 | "name": "io_getevents", 723 | "action": "SCMP_ACT_ALLOW" 724 | }, 725 | { 726 | "name": "ioprio_get", 727 | "action": "SCMP_ACT_ALLOW" 728 | }, 729 | { 730 | "name": "ioprio_set", 731 | "action": "SCMP_ACT_ALLOW" 732 | 
}, 733 | { 734 | "name": "io_setup", 735 | "action": "SCMP_ACT_ALLOW" 736 | }, 737 | { 738 | "name": "io_submit", 739 | "action": "SCMP_ACT_ALLOW" 740 | }, 741 | { 742 | "name": "kill", 743 | "action": "SCMP_ACT_ALLOW" 744 | }, 745 | { 746 | "name": "lchown", 747 | "action": "SCMP_ACT_ALLOW" 748 | }, 749 | { 750 | "name": "lchown32", 751 | "action": "SCMP_ACT_ALLOW" 752 | }, 753 | { 754 | "name": "lgetxattr", 755 | "action": "SCMP_ACT_ALLOW" 756 | }, 757 | { 758 | "name": "link", 759 | "action": "SCMP_ACT_ALLOW" 760 | }, 761 | { 762 | "name": "linkat", 763 | "action": "SCMP_ACT_ALLOW" 764 | }, 765 | { 766 | "name": "listen", 767 | "action": "SCMP_ACT_ALLOW" 768 | }, 769 | { 770 | "name": "listxattr", 771 | "action": "SCMP_ACT_ALLOW" 772 | }, 773 | { 774 | "name": "llistxattr", 775 | "action": "SCMP_ACT_ALLOW" 776 | }, 777 | { 778 | "name": "_llseek", 779 | "action": "SCMP_ACT_ALLOW" 780 | }, 781 | { 782 | "name": "lremovexattr", 783 | "action": "SCMP_ACT_ALLOW" 784 | }, 785 | { 786 | "name": "lseek", 787 | "action": "SCMP_ACT_ALLOW" 788 | }, 789 | { 790 | "name": "lsetxattr", 791 | "action": "SCMP_ACT_ALLOW" 792 | }, 793 | { 794 | "name": "lstat", 795 | "action": "SCMP_ACT_ALLOW" 796 | }, 797 | { 798 | "name": "lstat64", 799 | "action": "SCMP_ACT_ALLOW" 800 | }, 801 | { 802 | "name": "madvise", 803 | "action": "SCMP_ACT_ALLOW" 804 | }, 805 | { 806 | "name": "memfd_create", 807 | "action": "SCMP_ACT_ALLOW" 808 | }, 809 | { 810 | "name": "mincore", 811 | "action": "SCMP_ACT_ALLOW" 812 | }, 813 | { 814 | "name": "mkdir", 815 | "action": "SCMP_ACT_ALLOW" 816 | }, 817 | { 818 | "name": "mkdirat", 819 | "action": "SCMP_ACT_ALLOW" 820 | }, 821 | { 822 | "name": "mknod", 823 | "action": "SCMP_ACT_ALLOW" 824 | }, 825 | { 826 | "name": "mknodat", 827 | "action": "SCMP_ACT_ALLOW" 828 | }, 829 | { 830 | "name": "mlock", 831 | "action": "SCMP_ACT_ALLOW" 832 | }, 833 | { 834 | "name": "mlockall", 835 | "action": "SCMP_ACT_ALLOW" 836 | }, 837 | { 838 | "name": "mmap", 839 | 
"action": "SCMP_ACT_ALLOW" 840 | }, 841 | { 842 | "name": "mmap2", 843 | "action": "SCMP_ACT_ALLOW" 844 | }, 845 | { 846 | "name": "mprotect", 847 | "action": "SCMP_ACT_ALLOW" 848 | }, 849 | { 850 | "name": "mq_getsetattr", 851 | "action": "SCMP_ACT_ALLOW" 852 | }, 853 | { 854 | "name": "mq_notify", 855 | "action": "SCMP_ACT_ALLOW" 856 | }, 857 | { 858 | "name": "mq_open", 859 | "action": "SCMP_ACT_ALLOW" 860 | }, 861 | { 862 | "name": "mq_timedreceive", 863 | "action": "SCMP_ACT_ALLOW" 864 | }, 865 | { 866 | "name": "mq_timedsend", 867 | "action": "SCMP_ACT_ALLOW" 868 | }, 869 | { 870 | "name": "mq_unlink", 871 | "action": "SCMP_ACT_ALLOW" 872 | }, 873 | { 874 | "name": "mremap", 875 | "action": "SCMP_ACT_ALLOW" 876 | }, 877 | { 878 | "name": "msgctl", 879 | "action": "SCMP_ACT_ALLOW" 880 | }, 881 | { 882 | "name": "msgget", 883 | "action": "SCMP_ACT_ALLOW" 884 | }, 885 | { 886 | "name": "msgrcv", 887 | "action": "SCMP_ACT_ALLOW" 888 | }, 889 | { 890 | "name": "msgsnd", 891 | "action": "SCMP_ACT_ALLOW" 892 | }, 893 | { 894 | "name": "msync", 895 | "action": "SCMP_ACT_ALLOW" 896 | }, 897 | { 898 | "name": "munlock", 899 | "action": "SCMP_ACT_ALLOW" 900 | }, 901 | { 902 | "name": "munlockall", 903 | "action": "SCMP_ACT_ALLOW" 904 | }, 905 | { 906 | "name": "munmap", 907 | "action": "SCMP_ACT_ALLOW" 908 | }, 909 | { 910 | "name": "nanosleep", 911 | "action": "SCMP_ACT_ALLOW" 912 | }, 913 | { 914 | "name": "newfstatat", 915 | "action": "SCMP_ACT_ALLOW" 916 | }, 917 | { 918 | "name": "_newselect", 919 | "action": "SCMP_ACT_ALLOW" 920 | }, 921 | { 922 | "name": "open", 923 | "action": "SCMP_ACT_ALLOW" 924 | }, 925 | { 926 | "name": "openat", 927 | "action": "SCMP_ACT_ALLOW" 928 | }, 929 | { 930 | "name": "pause", 931 | "action": "SCMP_ACT_ALLOW" 932 | }, 933 | { 934 | "name": "pipe", 935 | "action": "SCMP_ACT_ALLOW" 936 | }, 937 | { 938 | "name": "pipe2", 939 | "action": "SCMP_ACT_ALLOW" 940 | }, 941 | { 942 | "name": "poll", 943 | "action": "SCMP_ACT_ALLOW" 944 | }, 
945 | { 946 | "name": "ppoll", 947 | "action": "SCMP_ACT_ALLOW" 948 | }, 949 | { 950 | "name": "prctl", 951 | "action": "SCMP_ACT_ALLOW" 952 | }, 953 | { 954 | "name": "pread64", 955 | "action": "SCMP_ACT_ALLOW" 956 | }, 957 | { 958 | "name": "preadv", 959 | "action": "SCMP_ACT_ALLOW" 960 | }, 961 | { 962 | "name": "prlimit64", 963 | "action": "SCMP_ACT_ALLOW" 964 | }, 965 | { 966 | "name": "pselect6", 967 | "action": "SCMP_ACT_ALLOW" 968 | }, 969 | { 970 | "name": "pwrite64", 971 | "action": "SCMP_ACT_ALLOW" 972 | }, 973 | { 974 | "name": "pwritev", 975 | "action": "SCMP_ACT_ALLOW" 976 | }, 977 | { 978 | "name": "read", 979 | "action": "SCMP_ACT_ALLOW" 980 | }, 981 | { 982 | "name": "readahead", 983 | "action": "SCMP_ACT_ALLOW" 984 | }, 985 | { 986 | "name": "readlink", 987 | "action": "SCMP_ACT_ALLOW" 988 | }, 989 | { 990 | "name": "readlinkat", 991 | "action": "SCMP_ACT_ALLOW" 992 | }, 993 | { 994 | "name": "readv", 995 | "action": "SCMP_ACT_ALLOW" 996 | }, 997 | { 998 | "name": "recvfrom", 999 | "action": "SCMP_ACT_ALLOW" 1000 | }, 1001 | { 1002 | "name": "recvmmsg", 1003 | "action": "SCMP_ACT_ALLOW" 1004 | }, 1005 | { 1006 | "name": "recvmsg", 1007 | "action": "SCMP_ACT_ALLOW" 1008 | }, 1009 | { 1010 | "name": "remap_file_pages", 1011 | "action": "SCMP_ACT_ALLOW" 1012 | }, 1013 | { 1014 | "name": "removexattr", 1015 | "action": "SCMP_ACT_ALLOW" 1016 | }, 1017 | { 1018 | "name": "rename", 1019 | "action": "SCMP_ACT_ALLOW" 1020 | }, 1021 | { 1022 | "name": "renameat", 1023 | "action": "SCMP_ACT_ALLOW" 1024 | }, 1025 | { 1026 | "name": "renameat2", 1027 | "action": "SCMP_ACT_ALLOW" 1028 | }, 1029 | { 1030 | "name": "rmdir", 1031 | "action": "SCMP_ACT_ALLOW" 1032 | }, 1033 | { 1034 | "name": "rt_sigaction", 1035 | "action": "SCMP_ACT_ALLOW" 1036 | }, 1037 | { 1038 | "name": "rt_sigpending", 1039 | "action": "SCMP_ACT_ALLOW" 1040 | }, 1041 | { 1042 | "name": "rt_sigprocmask", 1043 | "action": "SCMP_ACT_ALLOW" 1044 | }, 1045 | { 1046 | "name": "rt_sigqueueinfo", 
1047 | "action": "SCMP_ACT_ALLOW" 1048 | }, 1049 | { 1050 | "name": "rt_sigreturn", 1051 | "action": "SCMP_ACT_ALLOW" 1052 | }, 1053 | { 1054 | "name": "rt_sigsuspend", 1055 | "action": "SCMP_ACT_ALLOW" 1056 | }, 1057 | { 1058 | "name": "rt_sigtimedwait", 1059 | "action": "SCMP_ACT_ALLOW" 1060 | }, 1061 | { 1062 | "name": "rt_tgsigqueueinfo", 1063 | "action": "SCMP_ACT_ALLOW" 1064 | }, 1065 | { 1066 | "name": "sched_getaffinity", 1067 | "action": "SCMP_ACT_ALLOW" 1068 | }, 1069 | { 1070 | "name": "sched_getattr", 1071 | "action": "SCMP_ACT_ALLOW" 1072 | }, 1073 | { 1074 | "name": "sched_getparam", 1075 | "action": "SCMP_ACT_ALLOW" 1076 | }, 1077 | { 1078 | "name": "sched_get_priority_max", 1079 | "action": "SCMP_ACT_ALLOW" 1080 | }, 1081 | { 1082 | "name": "sched_get_priority_min", 1083 | "action": "SCMP_ACT_ALLOW" 1084 | }, 1085 | { 1086 | "name": "sched_getscheduler", 1087 | "action": "SCMP_ACT_ALLOW" 1088 | }, 1089 | { 1090 | "name": "sched_rr_get_interval", 1091 | "action": "SCMP_ACT_ALLOW" 1092 | }, 1093 | { 1094 | "name": "sched_setaffinity", 1095 | "action": "SCMP_ACT_ALLOW" 1096 | }, 1097 | { 1098 | "name": "sched_setattr", 1099 | "action": "SCMP_ACT_ALLOW" 1100 | }, 1101 | { 1102 | "name": "sched_setparam", 1103 | "action": "SCMP_ACT_ALLOW" 1104 | }, 1105 | { 1106 | "name": "sched_setscheduler", 1107 | "action": "SCMP_ACT_ALLOW" 1108 | }, 1109 | { 1110 | "name": "sched_yield", 1111 | "action": "SCMP_ACT_ALLOW" 1112 | }, 1113 | { 1114 | "name": "seccomp", 1115 | "action": "SCMP_ACT_ALLOW" 1116 | }, 1117 | { 1118 | "name": "select", 1119 | "action": "SCMP_ACT_ALLOW" 1120 | }, 1121 | { 1122 | "name": "semctl", 1123 | "action": "SCMP_ACT_ALLOW" 1124 | }, 1125 | { 1126 | "name": "semget", 1127 | "action": "SCMP_ACT_ALLOW" 1128 | }, 1129 | { 1130 | "name": "semop", 1131 | "action": "SCMP_ACT_ALLOW" 1132 | }, 1133 | { 1134 | "name": "semtimedop", 1135 | "action": "SCMP_ACT_ALLOW" 1136 | }, 1137 | { 1138 | "name": "sendfile", 1139 | "action": "SCMP_ACT_ALLOW" 1140 
| }, 1141 | { 1142 | "name": "sendfile64", 1143 | "action": "SCMP_ACT_ALLOW" 1144 | }, 1145 | { 1146 | "name": "sendmmsg", 1147 | "action": "SCMP_ACT_ALLOW" 1148 | }, 1149 | { 1150 | "name": "sendmsg", 1151 | "action": "SCMP_ACT_ALLOW" 1152 | }, 1153 | { 1154 | "name": "sendto", 1155 | "action": "SCMP_ACT_ALLOW" 1156 | }, 1157 | { 1158 | "name": "setdomainname", 1159 | "action": "SCMP_ACT_ALLOW" 1160 | }, 1161 | { 1162 | "name": "setfsgid", 1163 | "action": "SCMP_ACT_ALLOW" 1164 | }, 1165 | { 1166 | "name": "setfsgid32", 1167 | "action": "SCMP_ACT_ALLOW" 1168 | }, 1169 | { 1170 | "name": "setfsuid", 1171 | "action": "SCMP_ACT_ALLOW" 1172 | }, 1173 | { 1174 | "name": "setfsuid32", 1175 | "action": "SCMP_ACT_ALLOW" 1176 | }, 1177 | { 1178 | "name": "setgid", 1179 | "action": "SCMP_ACT_ALLOW" 1180 | }, 1181 | { 1182 | "name": "setgid32", 1183 | "action": "SCMP_ACT_ALLOW" 1184 | }, 1185 | { 1186 | "name": "setgroups", 1187 | "action": "SCMP_ACT_ALLOW" 1188 | }, 1189 | { 1190 | "name": "setgroups32", 1191 | "action": "SCMP_ACT_ALLOW" 1192 | }, 1193 | { 1194 | "name": "sethostname", 1195 | "action": "SCMP_ACT_ALLOW" 1196 | }, 1197 | { 1198 | "name": "setitimer", 1199 | "action": "SCMP_ACT_ALLOW" 1200 | }, 1201 | { 1202 | "name": "setpgid", 1203 | "action": "SCMP_ACT_ALLOW" 1204 | }, 1205 | { 1206 | "name": "setpriority", 1207 | "action": "SCMP_ACT_ALLOW" 1208 | }, 1209 | { 1210 | "name": "setregid", 1211 | "action": "SCMP_ACT_ALLOW" 1212 | }, 1213 | { 1214 | "name": "setregid32", 1215 | "action": "SCMP_ACT_ALLOW" 1216 | }, 1217 | { 1218 | "name": "setresgid", 1219 | "action": "SCMP_ACT_ALLOW" 1220 | }, 1221 | { 1222 | "name": "setresgid32", 1223 | "action": "SCMP_ACT_ALLOW" 1224 | }, 1225 | { 1226 | "name": "setresuid", 1227 | "action": "SCMP_ACT_ALLOW" 1228 | }, 1229 | { 1230 | "name": "setresuid32", 1231 | "action": "SCMP_ACT_ALLOW" 1232 | }, 1233 | { 1234 | "name": "setreuid", 1235 | "action": "SCMP_ACT_ALLOW" 1236 | }, 1237 | { 1238 | "name": "setreuid32", 1239 | 
"action": "SCMP_ACT_ALLOW" 1240 | }, 1241 | { 1242 | "name": "setrlimit", 1243 | "action": "SCMP_ACT_ALLOW" 1244 | }, 1245 | { 1246 | "name": "set_robust_list", 1247 | "action": "SCMP_ACT_ALLOW" 1248 | }, 1249 | { 1250 | "name": "setsid", 1251 | "action": "SCMP_ACT_ALLOW" 1252 | }, 1253 | { 1254 | "name": "setsockopt", 1255 | "action": "SCMP_ACT_ALLOW" 1256 | }, 1257 | { 1258 | "name": "set_thread_area", 1259 | "action": "SCMP_ACT_ALLOW" 1260 | }, 1261 | { 1262 | "name": "set_tid_address", 1263 | "action": "SCMP_ACT_ALLOW" 1264 | }, 1265 | { 1266 | "name": "setuid", 1267 | "action": "SCMP_ACT_ALLOW" 1268 | }, 1269 | { 1270 | "name": "setuid32", 1271 | "action": "SCMP_ACT_ALLOW" 1272 | }, 1273 | { 1274 | "name": "setxattr", 1275 | "action": "SCMP_ACT_ALLOW" 1276 | }, 1277 | { 1278 | "name": "shmat", 1279 | "action": "SCMP_ACT_ALLOW" 1280 | }, 1281 | { 1282 | "name": "shmctl", 1283 | "action": "SCMP_ACT_ALLOW" 1284 | }, 1285 | { 1286 | "name": "shmdt", 1287 | "action": "SCMP_ACT_ALLOW" 1288 | }, 1289 | { 1290 | "name": "shmget", 1291 | "action": "SCMP_ACT_ALLOW" 1292 | }, 1293 | { 1294 | "name": "shutdown", 1295 | "action": "SCMP_ACT_ALLOW" 1296 | }, 1297 | { 1298 | "name": "sigaltstack", 1299 | "action": "SCMP_ACT_ALLOW" 1300 | }, 1301 | { 1302 | "name": "signalfd", 1303 | "action": "SCMP_ACT_ALLOW" 1304 | }, 1305 | { 1306 | "name": "signalfd4", 1307 | "action": "SCMP_ACT_ALLOW" 1308 | }, 1309 | { 1310 | "name": "sigreturn", 1311 | "action": "SCMP_ACT_ALLOW" 1312 | }, 1313 | { 1314 | "name": "socket", 1315 | "action": "SCMP_ACT_ALLOW" 1316 | }, 1317 | { 1318 | "name": "socketpair", 1319 | "action": "SCMP_ACT_ALLOW" 1320 | }, 1321 | { 1322 | "name": "splice", 1323 | "action": "SCMP_ACT_ALLOW" 1324 | }, 1325 | { 1326 | "name": "stat", 1327 | "action": "SCMP_ACT_ALLOW" 1328 | }, 1329 | { 1330 | "name": "stat64", 1331 | "action": "SCMP_ACT_ALLOW" 1332 | }, 1333 | { 1334 | "name": "statfs", 1335 | "action": "SCMP_ACT_ALLOW" 1336 | }, 1337 | { 1338 | "name": "statfs64", 
1339 | "action": "SCMP_ACT_ALLOW" 1340 | }, 1341 | { 1342 | "name": "symlink", 1343 | "action": "SCMP_ACT_ALLOW" 1344 | }, 1345 | { 1346 | "name": "symlinkat", 1347 | "action": "SCMP_ACT_ALLOW" 1348 | }, 1349 | { 1350 | "name": "sync", 1351 | "action": "SCMP_ACT_ALLOW" 1352 | }, 1353 | { 1354 | "name": "sync_file_range", 1355 | "action": "SCMP_ACT_ALLOW" 1356 | }, 1357 | { 1358 | "name": "syncfs", 1359 | "action": "SCMP_ACT_ALLOW" 1360 | }, 1361 | { 1362 | "name": "sysinfo", 1363 | "action": "SCMP_ACT_ALLOW" 1364 | }, 1365 | { 1366 | "name": "syslog", 1367 | "action": "SCMP_ACT_ALLOW" 1368 | }, 1369 | { 1370 | "name": "tee", 1371 | "action": "SCMP_ACT_ALLOW" 1372 | }, 1373 | { 1374 | "name": "tgkill", 1375 | "action": "SCMP_ACT_ALLOW" 1376 | }, 1377 | { 1378 | "name": "time", 1379 | "action": "SCMP_ACT_ALLOW" 1380 | }, 1381 | { 1382 | "name": "timer_create", 1383 | "action": "SCMP_ACT_ALLOW" 1384 | }, 1385 | { 1386 | "name": "timer_delete", 1387 | "action": "SCMP_ACT_ALLOW" 1388 | }, 1389 | { 1390 | "name": "timerfd_create", 1391 | "action": "SCMP_ACT_ALLOW" 1392 | }, 1393 | { 1394 | "name": "timerfd_gettime", 1395 | "action": "SCMP_ACT_ALLOW" 1396 | }, 1397 | { 1398 | "name": "timerfd_settime", 1399 | "action": "SCMP_ACT_ALLOW" 1400 | }, 1401 | { 1402 | "name": "timer_getoverrun", 1403 | "action": "SCMP_ACT_ALLOW" 1404 | }, 1405 | { 1406 | "name": "timer_gettime", 1407 | "action": "SCMP_ACT_ALLOW" 1408 | }, 1409 | { 1410 | "name": "timer_settime", 1411 | "action": "SCMP_ACT_ALLOW" 1412 | }, 1413 | { 1414 | "name": "times", 1415 | "action": "SCMP_ACT_ALLOW" 1416 | }, 1417 | { 1418 | "name": "tkill", 1419 | "action": "SCMP_ACT_ALLOW" 1420 | }, 1421 | { 1422 | "name": "truncate", 1423 | "action": "SCMP_ACT_ALLOW" 1424 | }, 1425 | { 1426 | "name": "truncate64", 1427 | "action": "SCMP_ACT_ALLOW" 1428 | }, 1429 | { 1430 | "name": "ugetrlimit", 1431 | "action": "SCMP_ACT_ALLOW" 1432 | }, 1433 | { 1434 | "name": "umask", 1435 | "action": "SCMP_ACT_ALLOW" 1436 | }, 1437 | 
{ 1438 | "name": "uname", 1439 | "action": "SCMP_ACT_ALLOW" 1440 | }, 1441 | { 1442 | "name": "unlink", 1443 | "action": "SCMP_ACT_ALLOW" 1444 | }, 1445 | { 1446 | "name": "unlinkat", 1447 | "action": "SCMP_ACT_ALLOW" 1448 | }, 1449 | { 1450 | "name": "utime", 1451 | "action": "SCMP_ACT_ALLOW" 1452 | }, 1453 | { 1454 | "name": "utimensat", 1455 | "action": "SCMP_ACT_ALLOW" 1456 | }, 1457 | { 1458 | "name": "utimes", 1459 | "action": "SCMP_ACT_ALLOW" 1460 | }, 1461 | { 1462 | "name": "vfork", 1463 | "action": "SCMP_ACT_ALLOW" 1464 | }, 1465 | { 1466 | "name": "vhangup", 1467 | "action": "SCMP_ACT_ALLOW" 1468 | }, 1469 | { 1470 | "name": "vmsplice", 1471 | "action": "SCMP_ACT_ALLOW" 1472 | }, 1473 | { 1474 | "name": "wait4", 1475 | "action": "SCMP_ACT_ALLOW" 1476 | }, 1477 | { 1478 | "name": "waitid", 1479 | "action": "SCMP_ACT_ALLOW" 1480 | }, 1481 | { 1482 | "name": "waitpid", 1483 | "action": "SCMP_ACT_ALLOW" 1484 | }, 1485 | { 1486 | "name": "write", 1487 | "action": "SCMP_ACT_ALLOW" 1488 | }, 1489 | { 1490 | "name": "writev", 1491 | "action": "SCMP_ACT_ALLOW" 1492 | }, 1493 | { 1494 | "name": "modify_ldt", 1495 | "action": "SCMP_ACT_ALLOW" 1496 | }, 1497 | { 1498 | "name": "breakpoint", 1499 | "action": "SCMP_ACT_ALLOW" 1500 | }, 1501 | { 1502 | "name": "cacheflush", 1503 | "action": "SCMP_ACT_ALLOW" 1504 | }, 1505 | { 1506 | "name": "set_tls", 1507 | "action": "SCMP_ACT_ALLOW" 1508 | } 1509 | ] 1510 | } 1511 | } 1512 | } -------------------------------------------------------------------------------- /nginx/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.3.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "x86_64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": {}, 10 | "args": [ 11 | "nginx", 12 | "-g", 13 | "daemon off;" 14 | ], 15 | "env": [ 16 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 17 | "NGINX_VERSION=1.9.12-1~jessie" 18 | ], 19 | "cwd": 
"/", 20 | "capabilities": [ 21 | "CAP_CHOWN", 22 | "CAP_DAC_OVERRIDE", 23 | "CAP_FSETID", 24 | "CAP_FOWNER", 25 | "CAP_MKNOD", 26 | "CAP_NET_RAW", 27 | "CAP_SETGID", 28 | "CAP_SETUID", 29 | "CAP_SETFCAP", 30 | "CAP_SETPCAP", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_SYS_CHROOT", 33 | "CAP_KILL", 34 | "CAP_AUDIT_WRITE" 35 | ], 36 | "rlimits": [ 37 | { 38 | "type": "RLIMIT_NOFILE", 39 | "hard": 1024, 40 | "soft": 1024 41 | } 42 | ], 43 | "noNewPrivileges": true, 44 | "apparmorProfile": "docker-default" 45 | }, 46 | "root": { 47 | "path": "rootfs", 48 | "readonly": false 49 | }, 50 | "hostname": "nginx", 51 | "mounts": [ 52 | { 53 | "destination": "/proc", 54 | "type": "proc", 55 | "source": "proc" 56 | }, 57 | { 58 | "destination": "/dev", 59 | "type": "tmpfs", 60 | "source": "tmpfs", 61 | "options": [ 62 | "nosuid", 63 | "strictatime", 64 | "mode=755", 65 | "size=65536k" 66 | ] 67 | }, 68 | { 69 | "destination": "/dev/pts", 70 | "type": "devpts", 71 | "source": "devpts", 72 | "options": [ 73 | "nosuid", 74 | "noexec", 75 | "newinstance", 76 | "ptmxmode=0666", 77 | "mode=0620" 78 | ] 79 | }, 80 | { 81 | "destination": "/dev/shm", 82 | "type": "tmpfs", 83 | "source": "shm", 84 | "options": [ 85 | "nosuid", 86 | "noexec", 87 | "nodev", 88 | "mode=1777", 89 | "size=65536k" 90 | ] 91 | }, 92 | { 93 | "destination": "/dev/mqueue", 94 | "type": "mqueue", 95 | "source": "mqueue", 96 | "options": [ 97 | "nosuid", 98 | "noexec", 99 | "nodev" 100 | ] 101 | }, 102 | { 103 | "destination": "/sys", 104 | "type": "sysfs", 105 | "source": "sysfs", 106 | "options": [ 107 | "nosuid", 108 | "noexec", 109 | "nodev" 110 | ] 111 | }, 112 | { 113 | "destination": "/sys/fs/cgroup", 114 | "type": "cgroup", 115 | "source": "cgroup", 116 | "options": [ 117 | "nosuid", 118 | "noexec", 119 | "nodev", 120 | "relatime" 121 | ] 122 | } 123 | ], 124 | "hooks": { 125 | "prestart": [ 126 | { 127 | "path": "/home/jessie/.go/bin/netns" 128 | }, 129 | { 130 | "path": 
"/home/jessie/containers/hack/scripts/add-host" 131 | } 132 | ], 133 | "poststop": [ 134 | { 135 | "path": "/home/jessie/containers/hack/scripts/remove-host" 136 | } 137 | ] 138 | }, 139 | "linux": { 140 | "uidMappings": [ 141 | { 142 | "hostID": 886432, 143 | "containerID": 0, 144 | "size": 46578392 145 | } 146 | ], 147 | "gidMappings": [ 148 | { 149 | "hostID": 886432, 150 | "containerID": 0, 151 | "size": 46578392 152 | } 153 | ], 154 | "resources": { 155 | "devices": [ 156 | { 157 | "allow": true, 158 | "type": "c", 159 | "major": 1, 160 | "minor": 3, 161 | "access": "rwm" 162 | }, 163 | { 164 | "allow": true, 165 | "type": "c", 166 | "major": 1, 167 | "minor": 5, 168 | "access": "rwm" 169 | }, 170 | { 171 | "allow": true, 172 | "type": "c", 173 | "major": 1, 174 | "minor": 7, 175 | "access": "rwm" 176 | }, 177 | { 178 | "allow": true, 179 | "type": "c", 180 | "major": 1, 181 | "minor": 9, 182 | "access": "rwm" 183 | }, 184 | { 185 | "allow": true, 186 | "type": "c", 187 | "major": 1, 188 | "minor": 8, 189 | "access": "rwm" 190 | } 191 | ], 192 | "disableOOMKiller": false, 193 | "oomScoreAdj": 0, 194 | "memory": { 195 | "limit": 0, 196 | "reservation": 0, 197 | "swap": 0, 198 | "kernel": 0, 199 | "kernelTCP": null, 200 | "swappiness": 18446744073709551615 201 | }, 202 | "cpu": { 203 | "shares": 0, 204 | "quota": 0, 205 | "period": 0, 206 | "cpus": "", 207 | "mems": "" 208 | }, 209 | "pids": { 210 | "limit": 0 211 | }, 212 | "blockIO": { 213 | "blkioWeight": 0 214 | } 215 | }, 216 | "namespaces": [ 217 | { 218 | "type": "ipc" 219 | }, 220 | { 221 | "type": "uts" 222 | }, 223 | { 224 | "type": "mount" 225 | }, 226 | { 227 | "type": "network" 228 | }, 229 | { 230 | "type": "pid" 231 | }, 232 | { 233 | "type": "user" 234 | } 235 | ], 236 | "devices": [ 237 | { 238 | "path": "/dev/null", 239 | "type": "c", 240 | "major": 1, 241 | "minor": 3, 242 | "fileMode": 438, 243 | "uid": 0, 244 | "gid": 0 245 | }, 246 | { 247 | "path": "/dev/zero", 248 | "type": "c", 249 | 
"major": 1, 250 | "minor": 5, 251 | "fileMode": 438, 252 | "uid": 0, 253 | "gid": 0 254 | }, 255 | { 256 | "path": "/dev/full", 257 | "type": "c", 258 | "major": 1, 259 | "minor": 7, 260 | "fileMode": 438, 261 | "uid": 0, 262 | "gid": 0 263 | }, 264 | { 265 | "path": "/dev/urandom", 266 | "type": "c", 267 | "major": 1, 268 | "minor": 9, 269 | "fileMode": 438, 270 | "uid": 0, 271 | "gid": 0 272 | }, 273 | { 274 | "path": "/dev/random", 275 | "type": "c", 276 | "major": 1, 277 | "minor": 8, 278 | "fileMode": 438, 279 | "uid": 0, 280 | "gid": 0 281 | } 282 | ], 283 | "seccomp": { 284 | "defaultAction": "SCMP_ACT_ERRNO", 285 | "architectures": null, 286 | "syscalls": [ 287 | { 288 | "name": "accept", 289 | "action": "SCMP_ACT_ALLOW" 290 | }, 291 | { 292 | "name": "accept4", 293 | "action": "SCMP_ACT_ALLOW" 294 | }, 295 | { 296 | "name": "access", 297 | "action": "SCMP_ACT_ALLOW" 298 | }, 299 | { 300 | "name": "alarm", 301 | "action": "SCMP_ACT_ALLOW" 302 | }, 303 | { 304 | "name": "arch_prctl", 305 | "action": "SCMP_ACT_ALLOW" 306 | }, 307 | { 308 | "name": "bind", 309 | "action": "SCMP_ACT_ALLOW" 310 | }, 311 | { 312 | "name": "brk", 313 | "action": "SCMP_ACT_ALLOW" 314 | }, 315 | { 316 | "name": "capget", 317 | "action": "SCMP_ACT_ALLOW" 318 | }, 319 | { 320 | "name": "capset", 321 | "action": "SCMP_ACT_ALLOW" 322 | }, 323 | { 324 | "name": "chdir", 325 | "action": "SCMP_ACT_ALLOW" 326 | }, 327 | { 328 | "name": "chmod", 329 | "action": "SCMP_ACT_ALLOW" 330 | }, 331 | { 332 | "name": "chown", 333 | "action": "SCMP_ACT_ALLOW" 334 | }, 335 | { 336 | "name": "chown32", 337 | "action": "SCMP_ACT_ALLOW" 338 | }, 339 | { 340 | "name": "chroot", 341 | "action": "SCMP_ACT_ALLOW" 342 | }, 343 | { 344 | "name": "clock_getres", 345 | "action": "SCMP_ACT_ALLOW" 346 | }, 347 | { 348 | "name": "clock_gettime", 349 | "action": "SCMP_ACT_ALLOW" 350 | }, 351 | { 352 | "name": "clock_nanosleep", 353 | "action": "SCMP_ACT_ALLOW" 354 | }, 355 | { 356 | "name": "clone", 357 | "action": 
"SCMP_ACT_ALLOW", 358 | "args": [ 359 | { 360 | "index": 0, 361 | "value": 2080505856, 362 | "valueTwo": 0, 363 | "op": "SCMP_CMP_MASKED_EQ" 364 | } 365 | ] 366 | }, 367 | { 368 | "name": "close", 369 | "action": "SCMP_ACT_ALLOW" 370 | }, 371 | { 372 | "name": "connect", 373 | "action": "SCMP_ACT_ALLOW" 374 | }, 375 | { 376 | "name": "creat", 377 | "action": "SCMP_ACT_ALLOW" 378 | }, 379 | { 380 | "name": "dup", 381 | "action": "SCMP_ACT_ALLOW" 382 | }, 383 | { 384 | "name": "dup2", 385 | "action": "SCMP_ACT_ALLOW" 386 | }, 387 | { 388 | "name": "dup3", 389 | "action": "SCMP_ACT_ALLOW" 390 | }, 391 | { 392 | "name": "epoll_create", 393 | "action": "SCMP_ACT_ALLOW" 394 | }, 395 | { 396 | "name": "epoll_create1", 397 | "action": "SCMP_ACT_ALLOW" 398 | }, 399 | { 400 | "name": "epoll_ctl", 401 | "action": "SCMP_ACT_ALLOW" 402 | }, 403 | { 404 | "name": "epoll_ctl_old", 405 | "action": "SCMP_ACT_ALLOW" 406 | }, 407 | { 408 | "name": "epoll_pwait", 409 | "action": "SCMP_ACT_ALLOW" 410 | }, 411 | { 412 | "name": "epoll_wait", 413 | "action": "SCMP_ACT_ALLOW" 414 | }, 415 | { 416 | "name": "epoll_wait_old", 417 | "action": "SCMP_ACT_ALLOW" 418 | }, 419 | { 420 | "name": "eventfd", 421 | "action": "SCMP_ACT_ALLOW" 422 | }, 423 | { 424 | "name": "eventfd2", 425 | "action": "SCMP_ACT_ALLOW" 426 | }, 427 | { 428 | "name": "execve", 429 | "action": "SCMP_ACT_ALLOW" 430 | }, 431 | { 432 | "name": "execveat", 433 | "action": "SCMP_ACT_ALLOW" 434 | }, 435 | { 436 | "name": "exit", 437 | "action": "SCMP_ACT_ALLOW" 438 | }, 439 | { 440 | "name": "exit_group", 441 | "action": "SCMP_ACT_ALLOW" 442 | }, 443 | { 444 | "name": "faccessat", 445 | "action": "SCMP_ACT_ALLOW" 446 | }, 447 | { 448 | "name": "fadvise64", 449 | "action": "SCMP_ACT_ALLOW" 450 | }, 451 | { 452 | "name": "fadvise64_64", 453 | "action": "SCMP_ACT_ALLOW" 454 | }, 455 | { 456 | "name": "fallocate", 457 | "action": "SCMP_ACT_ALLOW" 458 | }, 459 | { 460 | "name": "fanotify_init", 461 | "action": "SCMP_ACT_ALLOW" 462 | 
}, 463 | { 464 | "name": "fanotify_mark", 465 | "action": "SCMP_ACT_ALLOW" 466 | }, 467 | { 468 | "name": "fchdir", 469 | "action": "SCMP_ACT_ALLOW" 470 | }, 471 | { 472 | "name": "fchmod", 473 | "action": "SCMP_ACT_ALLOW" 474 | }, 475 | { 476 | "name": "fchmodat", 477 | "action": "SCMP_ACT_ALLOW" 478 | }, 479 | { 480 | "name": "fchown", 481 | "action": "SCMP_ACT_ALLOW" 482 | }, 483 | { 484 | "name": "fchown32", 485 | "action": "SCMP_ACT_ALLOW" 486 | }, 487 | { 488 | "name": "fchownat", 489 | "action": "SCMP_ACT_ALLOW" 490 | }, 491 | { 492 | "name": "fcntl", 493 | "action": "SCMP_ACT_ALLOW" 494 | }, 495 | { 496 | "name": "fcntl64", 497 | "action": "SCMP_ACT_ALLOW" 498 | }, 499 | { 500 | "name": "fdatasync", 501 | "action": "SCMP_ACT_ALLOW" 502 | }, 503 | { 504 | "name": "fgetxattr", 505 | "action": "SCMP_ACT_ALLOW" 506 | }, 507 | { 508 | "name": "flistxattr", 509 | "action": "SCMP_ACT_ALLOW" 510 | }, 511 | { 512 | "name": "flock", 513 | "action": "SCMP_ACT_ALLOW" 514 | }, 515 | { 516 | "name": "fork", 517 | "action": "SCMP_ACT_ALLOW" 518 | }, 519 | { 520 | "name": "fremovexattr", 521 | "action": "SCMP_ACT_ALLOW" 522 | }, 523 | { 524 | "name": "fsetxattr", 525 | "action": "SCMP_ACT_ALLOW" 526 | }, 527 | { 528 | "name": "fstat", 529 | "action": "SCMP_ACT_ALLOW" 530 | }, 531 | { 532 | "name": "fstat64", 533 | "action": "SCMP_ACT_ALLOW" 534 | }, 535 | { 536 | "name": "fstatat64", 537 | "action": "SCMP_ACT_ALLOW" 538 | }, 539 | { 540 | "name": "fstatfs", 541 | "action": "SCMP_ACT_ALLOW" 542 | }, 543 | { 544 | "name": "fstatfs64", 545 | "action": "SCMP_ACT_ALLOW" 546 | }, 547 | { 548 | "name": "fsync", 549 | "action": "SCMP_ACT_ALLOW" 550 | }, 551 | { 552 | "name": "ftruncate", 553 | "action": "SCMP_ACT_ALLOW" 554 | }, 555 | { 556 | "name": "ftruncate64", 557 | "action": "SCMP_ACT_ALLOW" 558 | }, 559 | { 560 | "name": "futex", 561 | "action": "SCMP_ACT_ALLOW" 562 | }, 563 | { 564 | "name": "futimesat", 565 | "action": "SCMP_ACT_ALLOW" 566 | }, 567 | { 568 | "name": 
"getcpu", 569 | "action": "SCMP_ACT_ALLOW" 570 | }, 571 | { 572 | "name": "getcwd", 573 | "action": "SCMP_ACT_ALLOW" 574 | }, 575 | { 576 | "name": "getdents", 577 | "action": "SCMP_ACT_ALLOW" 578 | }, 579 | { 580 | "name": "getdents64", 581 | "action": "SCMP_ACT_ALLOW" 582 | }, 583 | { 584 | "name": "getegid", 585 | "action": "SCMP_ACT_ALLOW" 586 | }, 587 | { 588 | "name": "getegid32", 589 | "action": "SCMP_ACT_ALLOW" 590 | }, 591 | { 592 | "name": "geteuid", 593 | "action": "SCMP_ACT_ALLOW" 594 | }, 595 | { 596 | "name": "geteuid32", 597 | "action": "SCMP_ACT_ALLOW" 598 | }, 599 | { 600 | "name": "getgid", 601 | "action": "SCMP_ACT_ALLOW" 602 | }, 603 | { 604 | "name": "getgid32", 605 | "action": "SCMP_ACT_ALLOW" 606 | }, 607 | { 608 | "name": "getgroups", 609 | "action": "SCMP_ACT_ALLOW" 610 | }, 611 | { 612 | "name": "getgroups32", 613 | "action": "SCMP_ACT_ALLOW" 614 | }, 615 | { 616 | "name": "getitimer", 617 | "action": "SCMP_ACT_ALLOW" 618 | }, 619 | { 620 | "name": "getpeername", 621 | "action": "SCMP_ACT_ALLOW" 622 | }, 623 | { 624 | "name": "getpgid", 625 | "action": "SCMP_ACT_ALLOW" 626 | }, 627 | { 628 | "name": "getpgrp", 629 | "action": "SCMP_ACT_ALLOW" 630 | }, 631 | { 632 | "name": "getpid", 633 | "action": "SCMP_ACT_ALLOW" 634 | }, 635 | { 636 | "name": "getppid", 637 | "action": "SCMP_ACT_ALLOW" 638 | }, 639 | { 640 | "name": "getpriority", 641 | "action": "SCMP_ACT_ALLOW" 642 | }, 643 | { 644 | "name": "getrandom", 645 | "action": "SCMP_ACT_ALLOW" 646 | }, 647 | { 648 | "name": "getresgid", 649 | "action": "SCMP_ACT_ALLOW" 650 | }, 651 | { 652 | "name": "getresgid32", 653 | "action": "SCMP_ACT_ALLOW" 654 | }, 655 | { 656 | "name": "getresuid", 657 | "action": "SCMP_ACT_ALLOW" 658 | }, 659 | { 660 | "name": "getresuid32", 661 | "action": "SCMP_ACT_ALLOW" 662 | }, 663 | { 664 | "name": "getrlimit", 665 | "action": "SCMP_ACT_ALLOW" 666 | }, 667 | { 668 | "name": "get_robust_list", 669 | "action": "SCMP_ACT_ALLOW" 670 | }, 671 | { 672 | "name": 
"getrusage", 673 | "action": "SCMP_ACT_ALLOW" 674 | }, 675 | { 676 | "name": "getsid", 677 | "action": "SCMP_ACT_ALLOW" 678 | }, 679 | { 680 | "name": "getsockname", 681 | "action": "SCMP_ACT_ALLOW" 682 | }, 683 | { 684 | "name": "getsockopt", 685 | "action": "SCMP_ACT_ALLOW" 686 | }, 687 | { 688 | "name": "get_thread_area", 689 | "action": "SCMP_ACT_ALLOW" 690 | }, 691 | { 692 | "name": "gettid", 693 | "action": "SCMP_ACT_ALLOW" 694 | }, 695 | { 696 | "name": "gettimeofday", 697 | "action": "SCMP_ACT_ALLOW" 698 | }, 699 | { 700 | "name": "getuid", 701 | "action": "SCMP_ACT_ALLOW" 702 | }, 703 | { 704 | "name": "getuid32", 705 | "action": "SCMP_ACT_ALLOW" 706 | }, 707 | { 708 | "name": "getxattr", 709 | "action": "SCMP_ACT_ALLOW" 710 | }, 711 | { 712 | "name": "inotify_add_watch", 713 | "action": "SCMP_ACT_ALLOW" 714 | }, 715 | { 716 | "name": "inotify_init", 717 | "action": "SCMP_ACT_ALLOW" 718 | }, 719 | { 720 | "name": "inotify_init1", 721 | "action": "SCMP_ACT_ALLOW" 722 | }, 723 | { 724 | "name": "inotify_rm_watch", 725 | "action": "SCMP_ACT_ALLOW" 726 | }, 727 | { 728 | "name": "io_cancel", 729 | "action": "SCMP_ACT_ALLOW" 730 | }, 731 | { 732 | "name": "ioctl", 733 | "action": "SCMP_ACT_ALLOW" 734 | }, 735 | { 736 | "name": "io_destroy", 737 | "action": "SCMP_ACT_ALLOW" 738 | }, 739 | { 740 | "name": "io_getevents", 741 | "action": "SCMP_ACT_ALLOW" 742 | }, 743 | { 744 | "name": "ioprio_get", 745 | "action": "SCMP_ACT_ALLOW" 746 | }, 747 | { 748 | "name": "ioprio_set", 749 | "action": "SCMP_ACT_ALLOW" 750 | }, 751 | { 752 | "name": "io_setup", 753 | "action": "SCMP_ACT_ALLOW" 754 | }, 755 | { 756 | "name": "io_submit", 757 | "action": "SCMP_ACT_ALLOW" 758 | }, 759 | { 760 | "name": "kill", 761 | "action": "SCMP_ACT_ALLOW" 762 | }, 763 | { 764 | "name": "lchown", 765 | "action": "SCMP_ACT_ALLOW" 766 | }, 767 | { 768 | "name": "lchown32", 769 | "action": "SCMP_ACT_ALLOW" 770 | }, 771 | { 772 | "name": "lgetxattr", 773 | "action": "SCMP_ACT_ALLOW" 774 | }, 775 
| { 776 | "name": "link", 777 | "action": "SCMP_ACT_ALLOW" 778 | }, 779 | { 780 | "name": "linkat", 781 | "action": "SCMP_ACT_ALLOW" 782 | }, 783 | { 784 | "name": "listen", 785 | "action": "SCMP_ACT_ALLOW" 786 | }, 787 | { 788 | "name": "listxattr", 789 | "action": "SCMP_ACT_ALLOW" 790 | }, 791 | { 792 | "name": "llistxattr", 793 | "action": "SCMP_ACT_ALLOW" 794 | }, 795 | { 796 | "name": "_llseek", 797 | "action": "SCMP_ACT_ALLOW" 798 | }, 799 | { 800 | "name": "lremovexattr", 801 | "action": "SCMP_ACT_ALLOW" 802 | }, 803 | { 804 | "name": "lseek", 805 | "action": "SCMP_ACT_ALLOW" 806 | }, 807 | { 808 | "name": "lsetxattr", 809 | "action": "SCMP_ACT_ALLOW" 810 | }, 811 | { 812 | "name": "lstat", 813 | "action": "SCMP_ACT_ALLOW" 814 | }, 815 | { 816 | "name": "lstat64", 817 | "action": "SCMP_ACT_ALLOW" 818 | }, 819 | { 820 | "name": "madvise", 821 | "action": "SCMP_ACT_ALLOW" 822 | }, 823 | { 824 | "name": "memfd_create", 825 | "action": "SCMP_ACT_ALLOW" 826 | }, 827 | { 828 | "name": "mincore", 829 | "action": "SCMP_ACT_ALLOW" 830 | }, 831 | { 832 | "name": "mkdir", 833 | "action": "SCMP_ACT_ALLOW" 834 | }, 835 | { 836 | "name": "mkdirat", 837 | "action": "SCMP_ACT_ALLOW" 838 | }, 839 | { 840 | "name": "mknod", 841 | "action": "SCMP_ACT_ALLOW" 842 | }, 843 | { 844 | "name": "mknodat", 845 | "action": "SCMP_ACT_ALLOW" 846 | }, 847 | { 848 | "name": "mlock", 849 | "action": "SCMP_ACT_ALLOW" 850 | }, 851 | { 852 | "name": "mlockall", 853 | "action": "SCMP_ACT_ALLOW" 854 | }, 855 | { 856 | "name": "mmap", 857 | "action": "SCMP_ACT_ALLOW" 858 | }, 859 | { 860 | "name": "mmap2", 861 | "action": "SCMP_ACT_ALLOW" 862 | }, 863 | { 864 | "name": "mprotect", 865 | "action": "SCMP_ACT_ALLOW" 866 | }, 867 | { 868 | "name": "mq_getsetattr", 869 | "action": "SCMP_ACT_ALLOW" 870 | }, 871 | { 872 | "name": "mq_notify", 873 | "action": "SCMP_ACT_ALLOW" 874 | }, 875 | { 876 | "name": "mq_open", 877 | "action": "SCMP_ACT_ALLOW" 878 | }, 879 | { 880 | "name": "mq_timedreceive", 881 | 
"action": "SCMP_ACT_ALLOW" 882 | }, 883 | { 884 | "name": "mq_timedsend", 885 | "action": "SCMP_ACT_ALLOW" 886 | }, 887 | { 888 | "name": "mq_unlink", 889 | "action": "SCMP_ACT_ALLOW" 890 | }, 891 | { 892 | "name": "mremap", 893 | "action": "SCMP_ACT_ALLOW" 894 | }, 895 | { 896 | "name": "msgctl", 897 | "action": "SCMP_ACT_ALLOW" 898 | }, 899 | { 900 | "name": "msgget", 901 | "action": "SCMP_ACT_ALLOW" 902 | }, 903 | { 904 | "name": "msgrcv", 905 | "action": "SCMP_ACT_ALLOW" 906 | }, 907 | { 908 | "name": "msgsnd", 909 | "action": "SCMP_ACT_ALLOW" 910 | }, 911 | { 912 | "name": "msync", 913 | "action": "SCMP_ACT_ALLOW" 914 | }, 915 | { 916 | "name": "munlock", 917 | "action": "SCMP_ACT_ALLOW" 918 | }, 919 | { 920 | "name": "munlockall", 921 | "action": "SCMP_ACT_ALLOW" 922 | }, 923 | { 924 | "name": "munmap", 925 | "action": "SCMP_ACT_ALLOW" 926 | }, 927 | { 928 | "name": "nanosleep", 929 | "action": "SCMP_ACT_ALLOW" 930 | }, 931 | { 932 | "name": "newfstatat", 933 | "action": "SCMP_ACT_ALLOW" 934 | }, 935 | { 936 | "name": "_newselect", 937 | "action": "SCMP_ACT_ALLOW" 938 | }, 939 | { 940 | "name": "open", 941 | "action": "SCMP_ACT_ALLOW" 942 | }, 943 | { 944 | "name": "openat", 945 | "action": "SCMP_ACT_ALLOW" 946 | }, 947 | { 948 | "name": "pause", 949 | "action": "SCMP_ACT_ALLOW" 950 | }, 951 | { 952 | "name": "pipe", 953 | "action": "SCMP_ACT_ALLOW" 954 | }, 955 | { 956 | "name": "pipe2", 957 | "action": "SCMP_ACT_ALLOW" 958 | }, 959 | { 960 | "name": "poll", 961 | "action": "SCMP_ACT_ALLOW" 962 | }, 963 | { 964 | "name": "ppoll", 965 | "action": "SCMP_ACT_ALLOW" 966 | }, 967 | { 968 | "name": "prctl", 969 | "action": "SCMP_ACT_ALLOW" 970 | }, 971 | { 972 | "name": "pread64", 973 | "action": "SCMP_ACT_ALLOW" 974 | }, 975 | { 976 | "name": "preadv", 977 | "action": "SCMP_ACT_ALLOW" 978 | }, 979 | { 980 | "name": "prlimit64", 981 | "action": "SCMP_ACT_ALLOW" 982 | }, 983 | { 984 | "name": "pselect6", 985 | "action": "SCMP_ACT_ALLOW" 986 | }, 987 | { 988 | 
"name": "pwrite64", 989 | "action": "SCMP_ACT_ALLOW" 990 | }, 991 | { 992 | "name": "pwritev", 993 | "action": "SCMP_ACT_ALLOW" 994 | }, 995 | { 996 | "name": "read", 997 | "action": "SCMP_ACT_ALLOW" 998 | }, 999 | { 1000 | "name": "readahead", 1001 | "action": "SCMP_ACT_ALLOW" 1002 | }, 1003 | { 1004 | "name": "readlink", 1005 | "action": "SCMP_ACT_ALLOW" 1006 | }, 1007 | { 1008 | "name": "readlinkat", 1009 | "action": "SCMP_ACT_ALLOW" 1010 | }, 1011 | { 1012 | "name": "readv", 1013 | "action": "SCMP_ACT_ALLOW" 1014 | }, 1015 | { 1016 | "name": "recvfrom", 1017 | "action": "SCMP_ACT_ALLOW" 1018 | }, 1019 | { 1020 | "name": "recvmmsg", 1021 | "action": "SCMP_ACT_ALLOW" 1022 | }, 1023 | { 1024 | "name": "recvmsg", 1025 | "action": "SCMP_ACT_ALLOW" 1026 | }, 1027 | { 1028 | "name": "remap_file_pages", 1029 | "action": "SCMP_ACT_ALLOW" 1030 | }, 1031 | { 1032 | "name": "removexattr", 1033 | "action": "SCMP_ACT_ALLOW" 1034 | }, 1035 | { 1036 | "name": "rename", 1037 | "action": "SCMP_ACT_ALLOW" 1038 | }, 1039 | { 1040 | "name": "renameat", 1041 | "action": "SCMP_ACT_ALLOW" 1042 | }, 1043 | { 1044 | "name": "renameat2", 1045 | "action": "SCMP_ACT_ALLOW" 1046 | }, 1047 | { 1048 | "name": "rmdir", 1049 | "action": "SCMP_ACT_ALLOW" 1050 | }, 1051 | { 1052 | "name": "rt_sigaction", 1053 | "action": "SCMP_ACT_ALLOW" 1054 | }, 1055 | { 1056 | "name": "rt_sigpending", 1057 | "action": "SCMP_ACT_ALLOW" 1058 | }, 1059 | { 1060 | "name": "rt_sigprocmask", 1061 | "action": "SCMP_ACT_ALLOW" 1062 | }, 1063 | { 1064 | "name": "rt_sigqueueinfo", 1065 | "action": "SCMP_ACT_ALLOW" 1066 | }, 1067 | { 1068 | "name": "rt_sigreturn", 1069 | "action": "SCMP_ACT_ALLOW" 1070 | }, 1071 | { 1072 | "name": "rt_sigsuspend", 1073 | "action": "SCMP_ACT_ALLOW" 1074 | }, 1075 | { 1076 | "name": "rt_sigtimedwait", 1077 | "action": "SCMP_ACT_ALLOW" 1078 | }, 1079 | { 1080 | "name": "rt_tgsigqueueinfo", 1081 | "action": "SCMP_ACT_ALLOW" 1082 | }, 1083 | { 1084 | "name": "sched_getaffinity", 1085 | 
"action": "SCMP_ACT_ALLOW" 1086 | }, 1087 | { 1088 | "name": "sched_getattr", 1089 | "action": "SCMP_ACT_ALLOW" 1090 | }, 1091 | { 1092 | "name": "sched_getparam", 1093 | "action": "SCMP_ACT_ALLOW" 1094 | }, 1095 | { 1096 | "name": "sched_get_priority_max", 1097 | "action": "SCMP_ACT_ALLOW" 1098 | }, 1099 | { 1100 | "name": "sched_get_priority_min", 1101 | "action": "SCMP_ACT_ALLOW" 1102 | }, 1103 | { 1104 | "name": "sched_getscheduler", 1105 | "action": "SCMP_ACT_ALLOW" 1106 | }, 1107 | { 1108 | "name": "sched_rr_get_interval", 1109 | "action": "SCMP_ACT_ALLOW" 1110 | }, 1111 | { 1112 | "name": "sched_setaffinity", 1113 | "action": "SCMP_ACT_ALLOW" 1114 | }, 1115 | { 1116 | "name": "sched_setattr", 1117 | "action": "SCMP_ACT_ALLOW" 1118 | }, 1119 | { 1120 | "name": "sched_setparam", 1121 | "action": "SCMP_ACT_ALLOW" 1122 | }, 1123 | { 1124 | "name": "sched_setscheduler", 1125 | "action": "SCMP_ACT_ALLOW" 1126 | }, 1127 | { 1128 | "name": "sched_yield", 1129 | "action": "SCMP_ACT_ALLOW" 1130 | }, 1131 | { 1132 | "name": "seccomp", 1133 | "action": "SCMP_ACT_ALLOW" 1134 | }, 1135 | { 1136 | "name": "select", 1137 | "action": "SCMP_ACT_ALLOW" 1138 | }, 1139 | { 1140 | "name": "semctl", 1141 | "action": "SCMP_ACT_ALLOW" 1142 | }, 1143 | { 1144 | "name": "semget", 1145 | "action": "SCMP_ACT_ALLOW" 1146 | }, 1147 | { 1148 | "name": "semop", 1149 | "action": "SCMP_ACT_ALLOW" 1150 | }, 1151 | { 1152 | "name": "semtimedop", 1153 | "action": "SCMP_ACT_ALLOW" 1154 | }, 1155 | { 1156 | "name": "sendfile", 1157 | "action": "SCMP_ACT_ALLOW" 1158 | }, 1159 | { 1160 | "name": "sendfile64", 1161 | "action": "SCMP_ACT_ALLOW" 1162 | }, 1163 | { 1164 | "name": "sendmmsg", 1165 | "action": "SCMP_ACT_ALLOW" 1166 | }, 1167 | { 1168 | "name": "sendmsg", 1169 | "action": "SCMP_ACT_ALLOW" 1170 | }, 1171 | { 1172 | "name": "sendto", 1173 | "action": "SCMP_ACT_ALLOW" 1174 | }, 1175 | { 1176 | "name": "setdomainname", 1177 | "action": "SCMP_ACT_ALLOW" 1178 | }, 1179 | { 1180 | "name": 
"setfsgid", 1181 | "action": "SCMP_ACT_ALLOW" 1182 | }, 1183 | { 1184 | "name": "setfsgid32", 1185 | "action": "SCMP_ACT_ALLOW" 1186 | }, 1187 | { 1188 | "name": "setfsuid", 1189 | "action": "SCMP_ACT_ALLOW" 1190 | }, 1191 | { 1192 | "name": "setfsuid32", 1193 | "action": "SCMP_ACT_ALLOW" 1194 | }, 1195 | { 1196 | "name": "setgid", 1197 | "action": "SCMP_ACT_ALLOW" 1198 | }, 1199 | { 1200 | "name": "setgid32", 1201 | "action": "SCMP_ACT_ALLOW" 1202 | }, 1203 | { 1204 | "name": "setgroups", 1205 | "action": "SCMP_ACT_ALLOW" 1206 | }, 1207 | { 1208 | "name": "setgroups32", 1209 | "action": "SCMP_ACT_ALLOW" 1210 | }, 1211 | { 1212 | "name": "sethostname", 1213 | "action": "SCMP_ACT_ALLOW" 1214 | }, 1215 | { 1216 | "name": "setitimer", 1217 | "action": "SCMP_ACT_ALLOW" 1218 | }, 1219 | { 1220 | "name": "setpgid", 1221 | "action": "SCMP_ACT_ALLOW" 1222 | }, 1223 | { 1224 | "name": "setpriority", 1225 | "action": "SCMP_ACT_ALLOW" 1226 | }, 1227 | { 1228 | "name": "setregid", 1229 | "action": "SCMP_ACT_ALLOW" 1230 | }, 1231 | { 1232 | "name": "setregid32", 1233 | "action": "SCMP_ACT_ALLOW" 1234 | }, 1235 | { 1236 | "name": "setresgid", 1237 | "action": "SCMP_ACT_ALLOW" 1238 | }, 1239 | { 1240 | "name": "setresgid32", 1241 | "action": "SCMP_ACT_ALLOW" 1242 | }, 1243 | { 1244 | "name": "setresuid", 1245 | "action": "SCMP_ACT_ALLOW" 1246 | }, 1247 | { 1248 | "name": "setresuid32", 1249 | "action": "SCMP_ACT_ALLOW" 1250 | }, 1251 | { 1252 | "name": "setreuid", 1253 | "action": "SCMP_ACT_ALLOW" 1254 | }, 1255 | { 1256 | "name": "setreuid32", 1257 | "action": "SCMP_ACT_ALLOW" 1258 | }, 1259 | { 1260 | "name": "setrlimit", 1261 | "action": "SCMP_ACT_ALLOW" 1262 | }, 1263 | { 1264 | "name": "set_robust_list", 1265 | "action": "SCMP_ACT_ALLOW" 1266 | }, 1267 | { 1268 | "name": "setsid", 1269 | "action": "SCMP_ACT_ALLOW" 1270 | }, 1271 | { 1272 | "name": "setsockopt", 1273 | "action": "SCMP_ACT_ALLOW" 1274 | }, 1275 | { 1276 | "name": "set_thread_area", 1277 | "action": 
"SCMP_ACT_ALLOW" 1278 | }, 1279 | { 1280 | "name": "set_tid_address", 1281 | "action": "SCMP_ACT_ALLOW" 1282 | }, 1283 | { 1284 | "name": "setuid", 1285 | "action": "SCMP_ACT_ALLOW" 1286 | }, 1287 | { 1288 | "name": "setuid32", 1289 | "action": "SCMP_ACT_ALLOW" 1290 | }, 1291 | { 1292 | "name": "setxattr", 1293 | "action": "SCMP_ACT_ALLOW" 1294 | }, 1295 | { 1296 | "name": "shmat", 1297 | "action": "SCMP_ACT_ALLOW" 1298 | }, 1299 | { 1300 | "name": "shmctl", 1301 | "action": "SCMP_ACT_ALLOW" 1302 | }, 1303 | { 1304 | "name": "shmdt", 1305 | "action": "SCMP_ACT_ALLOW" 1306 | }, 1307 | { 1308 | "name": "shmget", 1309 | "action": "SCMP_ACT_ALLOW" 1310 | }, 1311 | { 1312 | "name": "shutdown", 1313 | "action": "SCMP_ACT_ALLOW" 1314 | }, 1315 | { 1316 | "name": "sigaltstack", 1317 | "action": "SCMP_ACT_ALLOW" 1318 | }, 1319 | { 1320 | "name": "signalfd", 1321 | "action": "SCMP_ACT_ALLOW" 1322 | }, 1323 | { 1324 | "name": "signalfd4", 1325 | "action": "SCMP_ACT_ALLOW" 1326 | }, 1327 | { 1328 | "name": "sigreturn", 1329 | "action": "SCMP_ACT_ALLOW" 1330 | }, 1331 | { 1332 | "name": "socket", 1333 | "action": "SCMP_ACT_ALLOW" 1334 | }, 1335 | { 1336 | "name": "socketpair", 1337 | "action": "SCMP_ACT_ALLOW" 1338 | }, 1339 | { 1340 | "name": "splice", 1341 | "action": "SCMP_ACT_ALLOW" 1342 | }, 1343 | { 1344 | "name": "stat", 1345 | "action": "SCMP_ACT_ALLOW" 1346 | }, 1347 | { 1348 | "name": "stat64", 1349 | "action": "SCMP_ACT_ALLOW" 1350 | }, 1351 | { 1352 | "name": "statfs", 1353 | "action": "SCMP_ACT_ALLOW" 1354 | }, 1355 | { 1356 | "name": "statfs64", 1357 | "action": "SCMP_ACT_ALLOW" 1358 | }, 1359 | { 1360 | "name": "symlink", 1361 | "action": "SCMP_ACT_ALLOW" 1362 | }, 1363 | { 1364 | "name": "symlinkat", 1365 | "action": "SCMP_ACT_ALLOW" 1366 | }, 1367 | { 1368 | "name": "sync", 1369 | "action": "SCMP_ACT_ALLOW" 1370 | }, 1371 | { 1372 | "name": "sync_file_range", 1373 | "action": "SCMP_ACT_ALLOW" 1374 | }, 1375 | { 1376 | "name": "syncfs", 1377 | "action": 
"SCMP_ACT_ALLOW" 1378 | }, 1379 | { 1380 | "name": "sysinfo", 1381 | "action": "SCMP_ACT_ALLOW" 1382 | }, 1383 | { 1384 | "name": "syslog", 1385 | "action": "SCMP_ACT_ALLOW" 1386 | }, 1387 | { 1388 | "name": "tee", 1389 | "action": "SCMP_ACT_ALLOW" 1390 | }, 1391 | { 1392 | "name": "tgkill", 1393 | "action": "SCMP_ACT_ALLOW" 1394 | }, 1395 | { 1396 | "name": "time", 1397 | "action": "SCMP_ACT_ALLOW" 1398 | }, 1399 | { 1400 | "name": "timer_create", 1401 | "action": "SCMP_ACT_ALLOW" 1402 | }, 1403 | { 1404 | "name": "timer_delete", 1405 | "action": "SCMP_ACT_ALLOW" 1406 | }, 1407 | { 1408 | "name": "timerfd_create", 1409 | "action": "SCMP_ACT_ALLOW" 1410 | }, 1411 | { 1412 | "name": "timerfd_gettime", 1413 | "action": "SCMP_ACT_ALLOW" 1414 | }, 1415 | { 1416 | "name": "timerfd_settime", 1417 | "action": "SCMP_ACT_ALLOW" 1418 | }, 1419 | { 1420 | "name": "timer_getoverrun", 1421 | "action": "SCMP_ACT_ALLOW" 1422 | }, 1423 | { 1424 | "name": "timer_gettime", 1425 | "action": "SCMP_ACT_ALLOW" 1426 | }, 1427 | { 1428 | "name": "timer_settime", 1429 | "action": "SCMP_ACT_ALLOW" 1430 | }, 1431 | { 1432 | "name": "times", 1433 | "action": "SCMP_ACT_ALLOW" 1434 | }, 1435 | { 1436 | "name": "tkill", 1437 | "action": "SCMP_ACT_ALLOW" 1438 | }, 1439 | { 1440 | "name": "truncate", 1441 | "action": "SCMP_ACT_ALLOW" 1442 | }, 1443 | { 1444 | "name": "truncate64", 1445 | "action": "SCMP_ACT_ALLOW" 1446 | }, 1447 | { 1448 | "name": "ugetrlimit", 1449 | "action": "SCMP_ACT_ALLOW" 1450 | }, 1451 | { 1452 | "name": "umask", 1453 | "action": "SCMP_ACT_ALLOW" 1454 | }, 1455 | { 1456 | "name": "uname", 1457 | "action": "SCMP_ACT_ALLOW" 1458 | }, 1459 | { 1460 | "name": "unlink", 1461 | "action": "SCMP_ACT_ALLOW" 1462 | }, 1463 | { 1464 | "name": "unlinkat", 1465 | "action": "SCMP_ACT_ALLOW" 1466 | }, 1467 | { 1468 | "name": "utime", 1469 | "action": "SCMP_ACT_ALLOW" 1470 | }, 1471 | { 1472 | "name": "utimensat", 1473 | "action": "SCMP_ACT_ALLOW" 1474 | }, 1475 | { 1476 | "name": 
"utimes", 1477 | "action": "SCMP_ACT_ALLOW" 1478 | }, 1479 | { 1480 | "name": "vfork", 1481 | "action": "SCMP_ACT_ALLOW" 1482 | }, 1483 | { 1484 | "name": "vhangup", 1485 | "action": "SCMP_ACT_ALLOW" 1486 | }, 1487 | { 1488 | "name": "vmsplice", 1489 | "action": "SCMP_ACT_ALLOW" 1490 | }, 1491 | { 1492 | "name": "wait4", 1493 | "action": "SCMP_ACT_ALLOW" 1494 | }, 1495 | { 1496 | "name": "waitid", 1497 | "action": "SCMP_ACT_ALLOW" 1498 | }, 1499 | { 1500 | "name": "waitpid", 1501 | "action": "SCMP_ACT_ALLOW" 1502 | }, 1503 | { 1504 | "name": "write", 1505 | "action": "SCMP_ACT_ALLOW" 1506 | }, 1507 | { 1508 | "name": "writev", 1509 | "action": "SCMP_ACT_ALLOW" 1510 | }, 1511 | { 1512 | "name": "modify_ldt", 1513 | "action": "SCMP_ACT_ALLOW" 1514 | }, 1515 | { 1516 | "name": "breakpoint", 1517 | "action": "SCMP_ACT_ALLOW" 1518 | }, 1519 | { 1520 | "name": "cacheflush", 1521 | "action": "SCMP_ACT_ALLOW" 1522 | }, 1523 | { 1524 | "name": "set_tls", 1525 | "action": "SCMP_ACT_ALLOW" 1526 | } 1527 | ] 1528 | } 1529 | } 1530 | } 1531 | -------------------------------------------------------------------------------- /runc@.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Use runc to run %i 3 | After=network.target 4 | 5 | [Service] 6 | Type=forking 7 | ExecStart=/usr/local/sbin/runc start -d --pid-file /home/jessie/containers/%i/.pid %i 8 | ExecStopPost=-/usr/local/sbin/runc delete %i 9 | WorkingDirectory=/home/jessie/containers/%i 10 | PIDFile=/home/jessie/containers/%i/.pid 11 | # Delegate=yes so that systemd does not reset the cgroups of containers. NOTE(review): no User= is set, and the pid file and working directory are under /home/jessie; if this is installed as a system unit, runc presumably runs as root against that tree, so confirm only trusted accounts can write to it. 12 | Delegate=yes 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /skype/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.3.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "x86_64" 6 | }, 7
| "process": { 8 | "terminal": false, 9 | "user": { 10 | "additionalGids": [ 11 | 44, 12 | 29 13 | ] 14 | }, 15 | "args": [ 16 | "skype" 17 | ], 18 | "env": [ 19 | "DISPLAY=unix:0.0", 20 | "PULSE_SERVER=pulseaudio", 21 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 22 | "DEBIAN_FRONTEND=noninteractive", 23 | "HOME=/home/skype" 24 | ], 25 | "cwd": "/home/skype", 26 | "capabilities": [ 27 | "CAP_CHOWN", 28 | "CAP_DAC_OVERRIDE", 29 | "CAP_FSETID", 30 | "CAP_FOWNER", 31 | "CAP_MKNOD", 32 | "CAP_NET_RAW", 33 | "CAP_SETGID", 34 | "CAP_SETUID", 35 | "CAP_SETFCAP", 36 | "CAP_SETPCAP", 37 | "CAP_NET_BIND_SERVICE", 38 | "CAP_SYS_CHROOT", 39 | "CAP_KILL", 40 | "CAP_AUDIT_WRITE" 41 | ], 42 | "rlimits": [ 43 | { 44 | "type": "RLIMIT_NOFILE", 45 | "hard": 1024, 46 | "soft": 1024 47 | } 48 | ], 49 | "noNewPrivileges": true, 50 | "apparmorProfile": "docker-default" 51 | }, 52 | "root": { 53 | "path": "rootfs", 54 | "readonly": false 55 | }, 56 | "hostname": "skype", 57 | "mounts": [ 58 | { 59 | "destination": "/tmp/.X11-unix", 60 | "type": "bind", 61 | "source": "/tmp/.X11-unix", 62 | "options": [ 63 | "rw", 64 | "rbind" 65 | ] 66 | }, 67 | { 68 | "destination": "/etc/localtime", 69 | "type": "bind", 70 | "source": "/etc/localtime", 71 | "options": [ 72 | "ro", 73 | "rbind" 74 | ] 75 | }, 76 | { 77 | "destination": "/proc", 78 | "type": "proc", 79 | "source": "proc" 80 | }, 81 | { 82 | "destination": "/dev", 83 | "type": "tmpfs", 84 | "source": "tmpfs", 85 | "options": [ 86 | "nosuid", 87 | "strictatime", 88 | "mode=755", 89 | "size=65536k" 90 | ] 91 | }, 92 | { 93 | "destination": "/dev/pts", 94 | "type": "devpts", 95 | "source": "devpts", 96 | "options": [ 97 | "nosuid", 98 | "noexec", 99 | "newinstance", 100 | "ptmxmode=0666", 101 | "mode=0620" 102 | ] 103 | }, 104 | { 105 | "destination": "/dev/shm", 106 | "type": "tmpfs", 107 | "source": "shm", 108 | "options": [ 109 | "nosuid", 110 | "noexec", 111 | "nodev", 112 | "mode=1777", 113 | "size=65536k" 114 
| ] 115 | }, 116 | { 117 | "destination": "/dev/mqueue", 118 | "type": "mqueue", 119 | "source": "mqueue", 120 | "options": [ 121 | "nosuid", 122 | "noexec", 123 | "nodev" 124 | ] 125 | }, 126 | { 127 | "destination": "/sys", 128 | "type": "sysfs", 129 | "source": "sysfs", 130 | "options": [ 131 | "nosuid", 132 | "noexec", 133 | "nodev" 134 | ] 135 | }, 136 | { 137 | "destination": "/sys/fs/cgroup", 138 | "type": "cgroup", 139 | "source": "cgroup", 140 | "options": [ 141 | "nosuid", 142 | "noexec", 143 | "nodev", 144 | "relatime" 145 | ] 146 | }, 147 | { 148 | "destination": "/etc/hosts", 149 | "type": "bind", 150 | "source": "/etc/hosts", 151 | "options": [ 152 | "rbind", 153 | "ro" 154 | ] 155 | }, 156 | { 157 | "destination": "/etc/resolv.conf", 158 | "type": "bind", 159 | "source": "/etc/resolv.conf", 160 | "options": [ 161 | "rbind" 162 | ] 163 | } 164 | ], 165 | "hooks": { 166 | "prestart": [ 167 | { 168 | "path": "/home/jessie/.go/bin/netns" 169 | } 170 | ] 171 | }, 172 | "linux": { 173 | "uidMappings": [ 174 | { 175 | "hostID": 886432, 176 | "containerID": 0, 177 | "size": 46578392 178 | } 179 | ], 180 | "gidMappings": [ 181 | { 182 | "hostID": 44, 183 | "containerID": 44, 184 | "size": 1 185 | }, 186 | { 187 | "hostID": 886475, 188 | "containerID": 45, 189 | "size": 46578347 190 | }, 191 | { 192 | "hostID": 29, 193 | "containerID": 29, 194 | "size": 1 195 | }, 196 | { 197 | "hostID": 886460, 198 | "containerID": 30, 199 | "size": 13 200 | }, 201 | { 202 | "hostID": 886432, 203 | "containerID": 0, 204 | "size": 28 205 | } 206 | ], 207 | "resources": { 208 | "devices": [ 209 | { 210 | "allow": true, 211 | "type": "c", 212 | "major": 1, 213 | "minor": 3, 214 | "access": "rwm" 215 | }, 216 | { 217 | "allow": true, 218 | "type": "c", 219 | "major": 1, 220 | "minor": 5, 221 | "access": "rwm" 222 | }, 223 | { 224 | "allow": true, 225 | "type": "c", 226 | "major": 1, 227 | "minor": 7, 228 | "access": "rwm" 229 | }, 230 | { 231 | "allow": true, 232 | "type": "c", 
233 | "major": 1, 234 | "minor": 9, 235 | "access": "rwm" 236 | }, 237 | { 238 | "allow": true, 239 | "type": "c", 240 | "major": 1, 241 | "minor": 8, 242 | "access": "rwm" 243 | }, 244 | { 245 | "allow": true, 246 | "type": "c", 247 | "major": 81, 248 | "minor": 0, 249 | "access": "rwm" 250 | } 251 | ], 252 | "disableOOMKiller": false, 253 | "oomScoreAdj": 0, 254 | "memory": { 255 | "limit": 0, 256 | "reservation": 0, 257 | "swap": 0, 258 | "kernel": 0, 259 | "kernelTCP": null, 260 | "swappiness": 18446744073709551615 261 | }, 262 | "cpu": { 263 | "shares": 0, 264 | "quota": 0, 265 | "period": 0, 266 | "cpus": "", 267 | "mems": "" 268 | }, 269 | "pids": { 270 | "limit": 0 271 | }, 272 | "blockIO": { 273 | "blkioWeight": 0 274 | } 275 | }, 276 | "namespaces": [ 277 | { 278 | "type": "ipc" 279 | }, 280 | { 281 | "type": "uts" 282 | }, 283 | { 284 | "type": "mount" 285 | }, 286 | { 287 | "type": "network" 288 | }, 289 | { 290 | "type": "pid" 291 | }, 292 | { 293 | "type": "user" 294 | } 295 | ], 296 | "devices": [ 297 | { 298 | "path": "/dev/null", 299 | "type": "c", 300 | "major": 1, 301 | "minor": 3, 302 | "fileMode": 438, 303 | "uid": 0, 304 | "gid": 0 305 | }, 306 | { 307 | "path": "/dev/zero", 308 | "type": "c", 309 | "major": 1, 310 | "minor": 5, 311 | "fileMode": 438, 312 | "uid": 0, 313 | "gid": 0 314 | }, 315 | { 316 | "path": "/dev/full", 317 | "type": "c", 318 | "major": 1, 319 | "minor": 7, 320 | "fileMode": 438, 321 | "uid": 0, 322 | "gid": 0 323 | }, 324 | { 325 | "path": "/dev/urandom", 326 | "type": "c", 327 | "major": 1, 328 | "minor": 9, 329 | "fileMode": 438, 330 | "uid": 0, 331 | "gid": 0 332 | }, 333 | { 334 | "path": "/dev/random", 335 | "type": "c", 336 | "major": 1, 337 | "minor": 8, 338 | "fileMode": 438, 339 | "uid": 0, 340 | "gid": 0 341 | }, 342 | { 343 | "path": "/dev/video0", 344 | "type": "c", 345 | "major": 81, 346 | "minor": 0, 347 | "fileMode": 8624, 348 | "uid": 0, 349 | "gid": 44 350 | } 351 | ] 352 | } 353 | } 354 | 
-------------------------------------------------------------------------------- /tor-proxy/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.3.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "x86_64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 100, 11 | "gid": 100 12 | }, 13 | "args": [ 14 | "tor", 15 | "-f", 16 | "/etc/tor/torrc.default" 17 | ], 18 | "env": [ 19 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 20 | ], 21 | "cwd": "/", 22 | "capabilities": [ 23 | "CAP_CHOWN", 24 | "CAP_DAC_OVERRIDE", 25 | "CAP_FSETID", 26 | "CAP_FOWNER", 27 | "CAP_MKNOD", 28 | "CAP_NET_RAW", 29 | "CAP_SETGID", 30 | "CAP_SETUID", 31 | "CAP_SETFCAP", 32 | "CAP_SETPCAP", 33 | "CAP_NET_BIND_SERVICE", 34 | "CAP_SYS_CHROOT", 35 | "CAP_KILL", 36 | "CAP_AUDIT_WRITE" 37 | ], 38 | "rlimits": [ 39 | { 40 | "type": "RLIMIT_NOFILE", 41 | "hard": 1024, 42 | "soft": 1024 43 | } 44 | ], 45 | "noNewPrivileges": true, 46 | "apparmorProfile": "docker-default" 47 | }, 48 | "root": { 49 | "path": "rootfs", 50 | "readonly": false 51 | }, 52 | "hostname": "tor-proxy", 53 | "mounts": [ 54 | { 55 | "destination": "/etc/localtime", 56 | "type": "bind", 57 | "source": "/etc/localtime", 58 | "options": [ 59 | "ro", 60 | "rbind" 61 | ] 62 | }, 63 | { 64 | "destination": "/proc", 65 | "type": "proc", 66 | "source": "proc" 67 | }, 68 | { 69 | "destination": "/dev", 70 | "type": "tmpfs", 71 | "source": "tmpfs", 72 | "options": [ 73 | "nosuid", 74 | "strictatime", 75 | "mode=755", 76 | "size=65536k" 77 | ] 78 | }, 79 | { 80 | "destination": "/dev/pts", 81 | "type": "devpts", 82 | "source": "devpts", 83 | "options": [ 84 | "nosuid", 85 | "noexec", 86 | "newinstance", 87 | "ptmxmode=0666", 88 | "mode=0620" 89 | ] 90 | }, 91 | { 92 | "destination": "/dev/shm", 93 | "type": "tmpfs", 94 | "source": "shm", 95 | "options": [ 96 | "nosuid", 97 | "noexec", 98 | "nodev", 99 | "mode=1777", 100 | 
"size=65536k" 101 | ] 102 | }, 103 | { 104 | "destination": "/dev/mqueue", 105 | "type": "mqueue", 106 | "source": "mqueue", 107 | "options": [ 108 | "nosuid", 109 | "noexec", 110 | "nodev" 111 | ] 112 | }, 113 | { 114 | "destination": "/sys", 115 | "type": "sysfs", 116 | "source": "sysfs", 117 | "options": [ 118 | "nosuid", 119 | "noexec", 120 | "nodev" 121 | ] 122 | }, 123 | { 124 | "destination": "/sys/fs/cgroup", 125 | "type": "cgroup", 126 | "source": "cgroup", 127 | "options": [ 128 | "nosuid", 129 | "noexec", 130 | "nodev", 131 | "relatime" 132 | ] 133 | } 134 | ], 135 | "hooks": { 136 | "prestart": [ 137 | { 138 | "path": "/home/jessie/.go/bin/netns" 139 | }, 140 | { 141 | "path": "/home/jessie/containers/hack/scripts/add-host" 142 | } 143 | ], 144 | "poststop": [ 145 | { 146 | "path": "/home/jessie/containers/hack/scripts/remove-host" 147 | } 148 | ] 149 | }, 150 | "linux": { 151 | "uidMappings": [ 152 | { 153 | "hostID": 886332, 154 | "containerID": 0, 155 | "size": 46578392 156 | } 157 | ], 158 | "gidMappings": [ 159 | { 160 | "hostID": 886332, 161 | "containerID": 0, 162 | "size": 46578392 163 | } 164 | ], 165 | "resources": { 166 | "devices": [ 167 | { 168 | "allow": true, 169 | "type": "c", 170 | "major": 1, 171 | "minor": 3, 172 | "access": "rwm" 173 | }, 174 | { 175 | "allow": true, 176 | "type": "c", 177 | "major": 1, 178 | "minor": 5, 179 | "access": "rwm" 180 | }, 181 | { 182 | "allow": true, 183 | "type": "c", 184 | "major": 1, 185 | "minor": 7, 186 | "access": "rwm" 187 | }, 188 | { 189 | "allow": true, 190 | "type": "c", 191 | "major": 1, 192 | "minor": 9, 193 | "access": "rwm" 194 | }, 195 | { 196 | "allow": true, 197 | "type": "c", 198 | "major": 1, 199 | "minor": 8, 200 | "access": "rwm" 201 | } 202 | ], 203 | "disableOOMKiller": false, 204 | "oomScoreAdj": 0, 205 | "memory": { 206 | "limit": 0, 207 | "reservation": 0, 208 | "swap": 0, 209 | "kernel": 0, 210 | "kernelTCP": null, 211 | "swappiness": 18446744073709551615 212 | }, 213 | "cpu": 
{ 214 | "shares": 0, 215 | "quota": 0, 216 | "period": 0, 217 | "cpus": "", 218 | "mems": "" 219 | }, 220 | "pids": { 221 | "limit": 0 222 | }, 223 | "blockIO": { 224 | "blkioWeight": 0 225 | } 226 | }, 227 | "namespaces": [ 228 | { 229 | "type": "ipc" 230 | }, 231 | { 232 | "type": "uts" 233 | }, 234 | { 235 | "type": "mount" 236 | }, 237 | { 238 | "type": "network" 239 | }, 240 | { 241 | "type": "pid" 242 | }, 243 | { 244 | "type": "user" 245 | } 246 | ], 247 | "devices": [ 248 | { 249 | "path": "/dev/null", 250 | "type": "c", 251 | "major": 1, 252 | "minor": 3, 253 | "fileMode": 438, 254 | "uid": 0, 255 | "gid": 0 256 | }, 257 | { 258 | "path": "/dev/zero", 259 | "type": "c", 260 | "major": 1, 261 | "minor": 5, 262 | "fileMode": 438, 263 | "uid": 0, 264 | "gid": 0 265 | }, 266 | { 267 | "path": "/dev/full", 268 | "type": "c", 269 | "major": 1, 270 | "minor": 7, 271 | "fileMode": 438, 272 | "uid": 0, 273 | "gid": 0 274 | }, 275 | { 276 | "path": "/dev/urandom", 277 | "type": "c", 278 | "major": 1, 279 | "minor": 9, 280 | "fileMode": 438, 281 | "uid": 0, 282 | "gid": 0 283 | }, 284 | { 285 | "path": "/dev/random", 286 | "type": "c", 287 | "major": 1, 288 | "minor": 8, 289 | "fileMode": 438, 290 | "uid": 0, 291 | "gid": 0 292 | } 293 | ], 294 | "seccomp": { 295 | "defaultAction": "SCMP_ACT_ERRNO", 296 | "architectures": null, 297 | "syscalls": [ 298 | { 299 | "name": "accept", 300 | "action": "SCMP_ACT_ALLOW" 301 | }, 302 | { 303 | "name": "accept4", 304 | "action": "SCMP_ACT_ALLOW" 305 | }, 306 | { 307 | "name": "access", 308 | "action": "SCMP_ACT_ALLOW" 309 | }, 310 | { 311 | "name": "alarm", 312 | "action": "SCMP_ACT_ALLOW" 313 | }, 314 | { 315 | "name": "arch_prctl", 316 | "action": "SCMP_ACT_ALLOW" 317 | }, 318 | { 319 | "name": "bind", 320 | "action": "SCMP_ACT_ALLOW" 321 | }, 322 | { 323 | "name": "brk", 324 | "action": "SCMP_ACT_ALLOW" 325 | }, 326 | { 327 | "name": "capget", 328 | "action": "SCMP_ACT_ALLOW" 329 | }, 330 | { 331 | "name": "capset", 332 | 
"action": "SCMP_ACT_ALLOW" 333 | }, 334 | { 335 | "name": "chdir", 336 | "action": "SCMP_ACT_ALLOW" 337 | }, 338 | { 339 | "name": "chmod", 340 | "action": "SCMP_ACT_ALLOW" 341 | }, 342 | { 343 | "name": "chown", 344 | "action": "SCMP_ACT_ALLOW" 345 | }, 346 | { 347 | "name": "chown32", 348 | "action": "SCMP_ACT_ALLOW" 349 | }, 350 | { 351 | "name": "chroot", 352 | "action": "SCMP_ACT_ALLOW" 353 | }, 354 | { 355 | "name": "clock_getres", 356 | "action": "SCMP_ACT_ALLOW" 357 | }, 358 | { 359 | "name": "clock_gettime", 360 | "action": "SCMP_ACT_ALLOW" 361 | }, 362 | { 363 | "name": "clock_nanosleep", 364 | "action": "SCMP_ACT_ALLOW" 365 | }, 366 | { 367 | "name": "clone", 368 | "action": "SCMP_ACT_ALLOW", 369 | "args": [ 370 | { 371 | "index": 0, 372 | "value": 2080505856, 373 | "valueTwo": 0, 374 | "op": "SCMP_CMP_MASKED_EQ" 375 | } 376 | ] 377 | }, 378 | { 379 | "name": "close", 380 | "action": "SCMP_ACT_ALLOW" 381 | }, 382 | { 383 | "name": "connect", 384 | "action": "SCMP_ACT_ALLOW" 385 | }, 386 | { 387 | "name": "creat", 388 | "action": "SCMP_ACT_ALLOW" 389 | }, 390 | { 391 | "name": "dup", 392 | "action": "SCMP_ACT_ALLOW" 393 | }, 394 | { 395 | "name": "dup2", 396 | "action": "SCMP_ACT_ALLOW" 397 | }, 398 | { 399 | "name": "dup3", 400 | "action": "SCMP_ACT_ALLOW" 401 | }, 402 | { 403 | "name": "epoll_create", 404 | "action": "SCMP_ACT_ALLOW" 405 | }, 406 | { 407 | "name": "epoll_create1", 408 | "action": "SCMP_ACT_ALLOW" 409 | }, 410 | { 411 | "name": "epoll_ctl", 412 | "action": "SCMP_ACT_ALLOW" 413 | }, 414 | { 415 | "name": "epoll_ctl_old", 416 | "action": "SCMP_ACT_ALLOW" 417 | }, 418 | { 419 | "name": "epoll_pwait", 420 | "action": "SCMP_ACT_ALLOW" 421 | }, 422 | { 423 | "name": "epoll_wait", 424 | "action": "SCMP_ACT_ALLOW" 425 | }, 426 | { 427 | "name": "epoll_wait_old", 428 | "action": "SCMP_ACT_ALLOW" 429 | }, 430 | { 431 | "name": "eventfd", 432 | "action": "SCMP_ACT_ALLOW" 433 | }, 434 | { 435 | "name": "eventfd2", 436 | "action": "SCMP_ACT_ALLOW" 
437 | }, 438 | { 439 | "name": "execve", 440 | "action": "SCMP_ACT_ALLOW" 441 | }, 442 | { 443 | "name": "execveat", 444 | "action": "SCMP_ACT_ALLOW" 445 | }, 446 | { 447 | "name": "exit", 448 | "action": "SCMP_ACT_ALLOW" 449 | }, 450 | { 451 | "name": "exit_group", 452 | "action": "SCMP_ACT_ALLOW" 453 | }, 454 | { 455 | "name": "faccessat", 456 | "action": "SCMP_ACT_ALLOW" 457 | }, 458 | { 459 | "name": "fadvise64", 460 | "action": "SCMP_ACT_ALLOW" 461 | }, 462 | { 463 | "name": "fadvise64_64", 464 | "action": "SCMP_ACT_ALLOW" 465 | }, 466 | { 467 | "name": "fallocate", 468 | "action": "SCMP_ACT_ALLOW" 469 | }, 470 | { 471 | "name": "fanotify_init", 472 | "action": "SCMP_ACT_ALLOW" 473 | }, 474 | { 475 | "name": "fanotify_mark", 476 | "action": "SCMP_ACT_ALLOW" 477 | }, 478 | { 479 | "name": "fchdir", 480 | "action": "SCMP_ACT_ALLOW" 481 | }, 482 | { 483 | "name": "fchmod", 484 | "action": "SCMP_ACT_ALLOW" 485 | }, 486 | { 487 | "name": "fchmodat", 488 | "action": "SCMP_ACT_ALLOW" 489 | }, 490 | { 491 | "name": "fchown", 492 | "action": "SCMP_ACT_ALLOW" 493 | }, 494 | { 495 | "name": "fchown32", 496 | "action": "SCMP_ACT_ALLOW" 497 | }, 498 | { 499 | "name": "fchownat", 500 | "action": "SCMP_ACT_ALLOW" 501 | }, 502 | { 503 | "name": "fcntl", 504 | "action": "SCMP_ACT_ALLOW" 505 | }, 506 | { 507 | "name": "fcntl64", 508 | "action": "SCMP_ACT_ALLOW" 509 | }, 510 | { 511 | "name": "fdatasync", 512 | "action": "SCMP_ACT_ALLOW" 513 | }, 514 | { 515 | "name": "fgetxattr", 516 | "action": "SCMP_ACT_ALLOW" 517 | }, 518 | { 519 | "name": "flistxattr", 520 | "action": "SCMP_ACT_ALLOW" 521 | }, 522 | { 523 | "name": "flock", 524 | "action": "SCMP_ACT_ALLOW" 525 | }, 526 | { 527 | "name": "fork", 528 | "action": "SCMP_ACT_ALLOW" 529 | }, 530 | { 531 | "name": "fremovexattr", 532 | "action": "SCMP_ACT_ALLOW" 533 | }, 534 | { 535 | "name": "fsetxattr", 536 | "action": "SCMP_ACT_ALLOW" 537 | }, 538 | { 539 | "name": "fstat", 540 | "action": "SCMP_ACT_ALLOW" 541 | }, 542 | { 543 
| "name": "fstat64", 544 | "action": "SCMP_ACT_ALLOW" 545 | }, 546 | { 547 | "name": "fstatat64", 548 | "action": "SCMP_ACT_ALLOW" 549 | }, 550 | { 551 | "name": "fstatfs", 552 | "action": "SCMP_ACT_ALLOW" 553 | }, 554 | { 555 | "name": "fstatfs64", 556 | "action": "SCMP_ACT_ALLOW" 557 | }, 558 | { 559 | "name": "fsync", 560 | "action": "SCMP_ACT_ALLOW" 561 | }, 562 | { 563 | "name": "ftruncate", 564 | "action": "SCMP_ACT_ALLOW" 565 | }, 566 | { 567 | "name": "ftruncate64", 568 | "action": "SCMP_ACT_ALLOW" 569 | }, 570 | { 571 | "name": "futex", 572 | "action": "SCMP_ACT_ALLOW" 573 | }, 574 | { 575 | "name": "futimesat", 576 | "action": "SCMP_ACT_ALLOW" 577 | }, 578 | { 579 | "name": "getcpu", 580 | "action": "SCMP_ACT_ALLOW" 581 | }, 582 | { 583 | "name": "getcwd", 584 | "action": "SCMP_ACT_ALLOW" 585 | }, 586 | { 587 | "name": "getdents", 588 | "action": "SCMP_ACT_ALLOW" 589 | }, 590 | { 591 | "name": "getdents64", 592 | "action": "SCMP_ACT_ALLOW" 593 | }, 594 | { 595 | "name": "getegid", 596 | "action": "SCMP_ACT_ALLOW" 597 | }, 598 | { 599 | "name": "getegid32", 600 | "action": "SCMP_ACT_ALLOW" 601 | }, 602 | { 603 | "name": "geteuid", 604 | "action": "SCMP_ACT_ALLOW" 605 | }, 606 | { 607 | "name": "geteuid32", 608 | "action": "SCMP_ACT_ALLOW" 609 | }, 610 | { 611 | "name": "getgid", 612 | "action": "SCMP_ACT_ALLOW" 613 | }, 614 | { 615 | "name": "getgid32", 616 | "action": "SCMP_ACT_ALLOW" 617 | }, 618 | { 619 | "name": "getgroups", 620 | "action": "SCMP_ACT_ALLOW" 621 | }, 622 | { 623 | "name": "getgroups32", 624 | "action": "SCMP_ACT_ALLOW" 625 | }, 626 | { 627 | "name": "getitimer", 628 | "action": "SCMP_ACT_ALLOW" 629 | }, 630 | { 631 | "name": "getpeername", 632 | "action": "SCMP_ACT_ALLOW" 633 | }, 634 | { 635 | "name": "getpgid", 636 | "action": "SCMP_ACT_ALLOW" 637 | }, 638 | { 639 | "name": "getpgrp", 640 | "action": "SCMP_ACT_ALLOW" 641 | }, 642 | { 643 | "name": "getpid", 644 | "action": "SCMP_ACT_ALLOW" 645 | }, 646 | { 647 | "name": "getppid", 648 
| "action": "SCMP_ACT_ALLOW" 649 | }, 650 | { 651 | "name": "getpriority", 652 | "action": "SCMP_ACT_ALLOW" 653 | }, 654 | { 655 | "name": "getrandom", 656 | "action": "SCMP_ACT_ALLOW" 657 | }, 658 | { 659 | "name": "getresgid", 660 | "action": "SCMP_ACT_ALLOW" 661 | }, 662 | { 663 | "name": "getresgid32", 664 | "action": "SCMP_ACT_ALLOW" 665 | }, 666 | { 667 | "name": "getresuid", 668 | "action": "SCMP_ACT_ALLOW" 669 | }, 670 | { 671 | "name": "getresuid32", 672 | "action": "SCMP_ACT_ALLOW" 673 | }, 674 | { 675 | "name": "getrlimit", 676 | "action": "SCMP_ACT_ALLOW" 677 | }, 678 | { 679 | "name": "get_robust_list", 680 | "action": "SCMP_ACT_ALLOW" 681 | }, 682 | { 683 | "name": "getrusage", 684 | "action": "SCMP_ACT_ALLOW" 685 | }, 686 | { 687 | "name": "getsid", 688 | "action": "SCMP_ACT_ALLOW" 689 | }, 690 | { 691 | "name": "getsockname", 692 | "action": "SCMP_ACT_ALLOW" 693 | }, 694 | { 695 | "name": "getsockopt", 696 | "action": "SCMP_ACT_ALLOW" 697 | }, 698 | { 699 | "name": "get_thread_area", 700 | "action": "SCMP_ACT_ALLOW" 701 | }, 702 | { 703 | "name": "gettid", 704 | "action": "SCMP_ACT_ALLOW" 705 | }, 706 | { 707 | "name": "gettimeofday", 708 | "action": "SCMP_ACT_ALLOW" 709 | }, 710 | { 711 | "name": "getuid", 712 | "action": "SCMP_ACT_ALLOW" 713 | }, 714 | { 715 | "name": "getuid32", 716 | "action": "SCMP_ACT_ALLOW" 717 | }, 718 | { 719 | "name": "getxattr", 720 | "action": "SCMP_ACT_ALLOW" 721 | }, 722 | { 723 | "name": "inotify_add_watch", 724 | "action": "SCMP_ACT_ALLOW" 725 | }, 726 | { 727 | "name": "inotify_init", 728 | "action": "SCMP_ACT_ALLOW" 729 | }, 730 | { 731 | "name": "inotify_init1", 732 | "action": "SCMP_ACT_ALLOW" 733 | }, 734 | { 735 | "name": "inotify_rm_watch", 736 | "action": "SCMP_ACT_ALLOW" 737 | }, 738 | { 739 | "name": "io_cancel", 740 | "action": "SCMP_ACT_ALLOW" 741 | }, 742 | { 743 | "name": "ioctl", 744 | "action": "SCMP_ACT_ALLOW" 745 | }, 746 | { 747 | "name": "io_destroy", 748 | "action": "SCMP_ACT_ALLOW" 749 | }, 750 
| { 751 | "name": "io_getevents", 752 | "action": "SCMP_ACT_ALLOW" 753 | }, 754 | { 755 | "name": "ioprio_get", 756 | "action": "SCMP_ACT_ALLOW" 757 | }, 758 | { 759 | "name": "ioprio_set", 760 | "action": "SCMP_ACT_ALLOW" 761 | }, 762 | { 763 | "name": "io_setup", 764 | "action": "SCMP_ACT_ALLOW" 765 | }, 766 | { 767 | "name": "io_submit", 768 | "action": "SCMP_ACT_ALLOW" 769 | }, 770 | { 771 | "name": "kill", 772 | "action": "SCMP_ACT_ALLOW" 773 | }, 774 | { 775 | "name": "lchown", 776 | "action": "SCMP_ACT_ALLOW" 777 | }, 778 | { 779 | "name": "lchown32", 780 | "action": "SCMP_ACT_ALLOW" 781 | }, 782 | { 783 | "name": "lgetxattr", 784 | "action": "SCMP_ACT_ALLOW" 785 | }, 786 | { 787 | "name": "link", 788 | "action": "SCMP_ACT_ALLOW" 789 | }, 790 | { 791 | "name": "linkat", 792 | "action": "SCMP_ACT_ALLOW" 793 | }, 794 | { 795 | "name": "listen", 796 | "action": "SCMP_ACT_ALLOW" 797 | }, 798 | { 799 | "name": "listxattr", 800 | "action": "SCMP_ACT_ALLOW" 801 | }, 802 | { 803 | "name": "llistxattr", 804 | "action": "SCMP_ACT_ALLOW" 805 | }, 806 | { 807 | "name": "_llseek", 808 | "action": "SCMP_ACT_ALLOW" 809 | }, 810 | { 811 | "name": "lremovexattr", 812 | "action": "SCMP_ACT_ALLOW" 813 | }, 814 | { 815 | "name": "lseek", 816 | "action": "SCMP_ACT_ALLOW" 817 | }, 818 | { 819 | "name": "lsetxattr", 820 | "action": "SCMP_ACT_ALLOW" 821 | }, 822 | { 823 | "name": "lstat", 824 | "action": "SCMP_ACT_ALLOW" 825 | }, 826 | { 827 | "name": "lstat64", 828 | "action": "SCMP_ACT_ALLOW" 829 | }, 830 | { 831 | "name": "madvise", 832 | "action": "SCMP_ACT_ALLOW" 833 | }, 834 | { 835 | "name": "memfd_create", 836 | "action": "SCMP_ACT_ALLOW" 837 | }, 838 | { 839 | "name": "mincore", 840 | "action": "SCMP_ACT_ALLOW" 841 | }, 842 | { 843 | "name": "mkdir", 844 | "action": "SCMP_ACT_ALLOW" 845 | }, 846 | { 847 | "name": "mkdirat", 848 | "action": "SCMP_ACT_ALLOW" 849 | }, 850 | { 851 | "name": "mknod", 852 | "action": "SCMP_ACT_ALLOW" 853 | }, 854 | { 855 | "name": "mknodat", 856 
| "action": "SCMP_ACT_ALLOW" 857 | }, 858 | { 859 | "name": "mlock", 860 | "action": "SCMP_ACT_ALLOW" 861 | }, 862 | { 863 | "name": "mlockall", 864 | "action": "SCMP_ACT_ALLOW" 865 | }, 866 | { 867 | "name": "mmap", 868 | "action": "SCMP_ACT_ALLOW" 869 | }, 870 | { 871 | "name": "mmap2", 872 | "action": "SCMP_ACT_ALLOW" 873 | }, 874 | { 875 | "name": "mprotect", 876 | "action": "SCMP_ACT_ALLOW" 877 | }, 878 | { 879 | "name": "mq_getsetattr", 880 | "action": "SCMP_ACT_ALLOW" 881 | }, 882 | { 883 | "name": "mq_notify", 884 | "action": "SCMP_ACT_ALLOW" 885 | }, 886 | { 887 | "name": "mq_open", 888 | "action": "SCMP_ACT_ALLOW" 889 | }, 890 | { 891 | "name": "mq_timedreceive", 892 | "action": "SCMP_ACT_ALLOW" 893 | }, 894 | { 895 | "name": "mq_timedsend", 896 | "action": "SCMP_ACT_ALLOW" 897 | }, 898 | { 899 | "name": "mq_unlink", 900 | "action": "SCMP_ACT_ALLOW" 901 | }, 902 | { 903 | "name": "mremap", 904 | "action": "SCMP_ACT_ALLOW" 905 | }, 906 | { 907 | "name": "msgctl", 908 | "action": "SCMP_ACT_ALLOW" 909 | }, 910 | { 911 | "name": "msgget", 912 | "action": "SCMP_ACT_ALLOW" 913 | }, 914 | { 915 | "name": "msgrcv", 916 | "action": "SCMP_ACT_ALLOW" 917 | }, 918 | { 919 | "name": "msgsnd", 920 | "action": "SCMP_ACT_ALLOW" 921 | }, 922 | { 923 | "name": "msync", 924 | "action": "SCMP_ACT_ALLOW" 925 | }, 926 | { 927 | "name": "munlock", 928 | "action": "SCMP_ACT_ALLOW" 929 | }, 930 | { 931 | "name": "munlockall", 932 | "action": "SCMP_ACT_ALLOW" 933 | }, 934 | { 935 | "name": "munmap", 936 | "action": "SCMP_ACT_ALLOW" 937 | }, 938 | { 939 | "name": "nanosleep", 940 | "action": "SCMP_ACT_ALLOW" 941 | }, 942 | { 943 | "name": "newfstatat", 944 | "action": "SCMP_ACT_ALLOW" 945 | }, 946 | { 947 | "name": "_newselect", 948 | "action": "SCMP_ACT_ALLOW" 949 | }, 950 | { 951 | "name": "open", 952 | "action": "SCMP_ACT_ALLOW" 953 | }, 954 | { 955 | "name": "openat", 956 | "action": "SCMP_ACT_ALLOW" 957 | }, 958 | { 959 | "name": "pause", 960 | "action": "SCMP_ACT_ALLOW" 961 | 
}, 962 | { 963 | "name": "pipe", 964 | "action": "SCMP_ACT_ALLOW" 965 | }, 966 | { 967 | "name": "pipe2", 968 | "action": "SCMP_ACT_ALLOW" 969 | }, 970 | { 971 | "name": "poll", 972 | "action": "SCMP_ACT_ALLOW" 973 | }, 974 | { 975 | "name": "ppoll", 976 | "action": "SCMP_ACT_ALLOW" 977 | }, 978 | { 979 | "name": "prctl", 980 | "action": "SCMP_ACT_ALLOW" 981 | }, 982 | { 983 | "name": "pread64", 984 | "action": "SCMP_ACT_ALLOW" 985 | }, 986 | { 987 | "name": "preadv", 988 | "action": "SCMP_ACT_ALLOW" 989 | }, 990 | { 991 | "name": "prlimit64", 992 | "action": "SCMP_ACT_ALLOW" 993 | }, 994 | { 995 | "name": "pselect6", 996 | "action": "SCMP_ACT_ALLOW" 997 | }, 998 | { 999 | "name": "pwrite64", 1000 | "action": "SCMP_ACT_ALLOW" 1001 | }, 1002 | { 1003 | "name": "pwritev", 1004 | "action": "SCMP_ACT_ALLOW" 1005 | }, 1006 | { 1007 | "name": "read", 1008 | "action": "SCMP_ACT_ALLOW" 1009 | }, 1010 | { 1011 | "name": "readahead", 1012 | "action": "SCMP_ACT_ALLOW" 1013 | }, 1014 | { 1015 | "name": "readlink", 1016 | "action": "SCMP_ACT_ALLOW" 1017 | }, 1018 | { 1019 | "name": "readlinkat", 1020 | "action": "SCMP_ACT_ALLOW" 1021 | }, 1022 | { 1023 | "name": "readv", 1024 | "action": "SCMP_ACT_ALLOW" 1025 | }, 1026 | { 1027 | "name": "recvfrom", 1028 | "action": "SCMP_ACT_ALLOW" 1029 | }, 1030 | { 1031 | "name": "recvmmsg", 1032 | "action": "SCMP_ACT_ALLOW" 1033 | }, 1034 | { 1035 | "name": "recvmsg", 1036 | "action": "SCMP_ACT_ALLOW" 1037 | }, 1038 | { 1039 | "name": "remap_file_pages", 1040 | "action": "SCMP_ACT_ALLOW" 1041 | }, 1042 | { 1043 | "name": "removexattr", 1044 | "action": "SCMP_ACT_ALLOW" 1045 | }, 1046 | { 1047 | "name": "rename", 1048 | "action": "SCMP_ACT_ALLOW" 1049 | }, 1050 | { 1051 | "name": "renameat", 1052 | "action": "SCMP_ACT_ALLOW" 1053 | }, 1054 | { 1055 | "name": "renameat2", 1056 | "action": "SCMP_ACT_ALLOW" 1057 | }, 1058 | { 1059 | "name": "rmdir", 1060 | "action": "SCMP_ACT_ALLOW" 1061 | }, 1062 | { 1063 | "name": "rt_sigaction", 1064 | 
"action": "SCMP_ACT_ALLOW" 1065 | }, 1066 | { 1067 | "name": "rt_sigpending", 1068 | "action": "SCMP_ACT_ALLOW" 1069 | }, 1070 | { 1071 | "name": "rt_sigprocmask", 1072 | "action": "SCMP_ACT_ALLOW" 1073 | }, 1074 | { 1075 | "name": "rt_sigqueueinfo", 1076 | "action": "SCMP_ACT_ALLOW" 1077 | }, 1078 | { 1079 | "name": "rt_sigreturn", 1080 | "action": "SCMP_ACT_ALLOW" 1081 | }, 1082 | { 1083 | "name": "rt_sigsuspend", 1084 | "action": "SCMP_ACT_ALLOW" 1085 | }, 1086 | { 1087 | "name": "rt_sigtimedwait", 1088 | "action": "SCMP_ACT_ALLOW" 1089 | }, 1090 | { 1091 | "name": "rt_tgsigqueueinfo", 1092 | "action": "SCMP_ACT_ALLOW" 1093 | }, 1094 | { 1095 | "name": "sched_getaffinity", 1096 | "action": "SCMP_ACT_ALLOW" 1097 | }, 1098 | { 1099 | "name": "sched_getattr", 1100 | "action": "SCMP_ACT_ALLOW" 1101 | }, 1102 | { 1103 | "name": "sched_getparam", 1104 | "action": "SCMP_ACT_ALLOW" 1105 | }, 1106 | { 1107 | "name": "sched_get_priority_max", 1108 | "action": "SCMP_ACT_ALLOW" 1109 | }, 1110 | { 1111 | "name": "sched_get_priority_min", 1112 | "action": "SCMP_ACT_ALLOW" 1113 | }, 1114 | { 1115 | "name": "sched_getscheduler", 1116 | "action": "SCMP_ACT_ALLOW" 1117 | }, 1118 | { 1119 | "name": "sched_rr_get_interval", 1120 | "action": "SCMP_ACT_ALLOW" 1121 | }, 1122 | { 1123 | "name": "sched_setaffinity", 1124 | "action": "SCMP_ACT_ALLOW" 1125 | }, 1126 | { 1127 | "name": "sched_setattr", 1128 | "action": "SCMP_ACT_ALLOW" 1129 | }, 1130 | { 1131 | "name": "sched_setparam", 1132 | "action": "SCMP_ACT_ALLOW" 1133 | }, 1134 | { 1135 | "name": "sched_setscheduler", 1136 | "action": "SCMP_ACT_ALLOW" 1137 | }, 1138 | { 1139 | "name": "sched_yield", 1140 | "action": "SCMP_ACT_ALLOW" 1141 | }, 1142 | { 1143 | "name": "seccomp", 1144 | "action": "SCMP_ACT_ALLOW" 1145 | }, 1146 | { 1147 | "name": "select", 1148 | "action": "SCMP_ACT_ALLOW" 1149 | }, 1150 | { 1151 | "name": "semctl", 1152 | "action": "SCMP_ACT_ALLOW" 1153 | }, 1154 | { 1155 | "name": "semget", 1156 | "action": 
"SCMP_ACT_ALLOW" 1157 | }, 1158 | { 1159 | "name": "semop", 1160 | "action": "SCMP_ACT_ALLOW" 1161 | }, 1162 | { 1163 | "name": "semtimedop", 1164 | "action": "SCMP_ACT_ALLOW" 1165 | }, 1166 | { 1167 | "name": "sendfile", 1168 | "action": "SCMP_ACT_ALLOW" 1169 | }, 1170 | { 1171 | "name": "sendfile64", 1172 | "action": "SCMP_ACT_ALLOW" 1173 | }, 1174 | { 1175 | "name": "sendmmsg", 1176 | "action": "SCMP_ACT_ALLOW" 1177 | }, 1178 | { 1179 | "name": "sendmsg", 1180 | "action": "SCMP_ACT_ALLOW" 1181 | }, 1182 | { 1183 | "name": "sendto", 1184 | "action": "SCMP_ACT_ALLOW" 1185 | }, 1186 | { 1187 | "name": "setdomainname", 1188 | "action": "SCMP_ACT_ALLOW" 1189 | }, 1190 | { 1191 | "name": "setfsgid", 1192 | "action": "SCMP_ACT_ALLOW" 1193 | }, 1194 | { 1195 | "name": "setfsgid32", 1196 | "action": "SCMP_ACT_ALLOW" 1197 | }, 1198 | { 1199 | "name": "setfsuid", 1200 | "action": "SCMP_ACT_ALLOW" 1201 | }, 1202 | { 1203 | "name": "setfsuid32", 1204 | "action": "SCMP_ACT_ALLOW" 1205 | }, 1206 | { 1207 | "name": "setgid", 1208 | "action": "SCMP_ACT_ALLOW" 1209 | }, 1210 | { 1211 | "name": "setgid32", 1212 | "action": "SCMP_ACT_ALLOW" 1213 | }, 1214 | { 1215 | "name": "setgroups", 1216 | "action": "SCMP_ACT_ALLOW" 1217 | }, 1218 | { 1219 | "name": "setgroups32", 1220 | "action": "SCMP_ACT_ALLOW" 1221 | }, 1222 | { 1223 | "name": "sethostname", 1224 | "action": "SCMP_ACT_ALLOW" 1225 | }, 1226 | { 1227 | "name": "setitimer", 1228 | "action": "SCMP_ACT_ALLOW" 1229 | }, 1230 | { 1231 | "name": "setpgid", 1232 | "action": "SCMP_ACT_ALLOW" 1233 | }, 1234 | { 1235 | "name": "setpriority", 1236 | "action": "SCMP_ACT_ALLOW" 1237 | }, 1238 | { 1239 | "name": "setregid", 1240 | "action": "SCMP_ACT_ALLOW" 1241 | }, 1242 | { 1243 | "name": "setregid32", 1244 | "action": "SCMP_ACT_ALLOW" 1245 | }, 1246 | { 1247 | "name": "setresgid", 1248 | "action": "SCMP_ACT_ALLOW" 1249 | }, 1250 | { 1251 | "name": "setresgid32", 1252 | "action": "SCMP_ACT_ALLOW" 1253 | }, 1254 | { 1255 | "name": 
"setresuid", 1256 | "action": "SCMP_ACT_ALLOW" 1257 | }, 1258 | { 1259 | "name": "setresuid32", 1260 | "action": "SCMP_ACT_ALLOW" 1261 | }, 1262 | { 1263 | "name": "setreuid", 1264 | "action": "SCMP_ACT_ALLOW" 1265 | }, 1266 | { 1267 | "name": "setreuid32", 1268 | "action": "SCMP_ACT_ALLOW" 1269 | }, 1270 | { 1271 | "name": "setrlimit", 1272 | "action": "SCMP_ACT_ALLOW" 1273 | }, 1274 | { 1275 | "name": "set_robust_list", 1276 | "action": "SCMP_ACT_ALLOW" 1277 | }, 1278 | { 1279 | "name": "setsid", 1280 | "action": "SCMP_ACT_ALLOW" 1281 | }, 1282 | { 1283 | "name": "setsockopt", 1284 | "action": "SCMP_ACT_ALLOW" 1285 | }, 1286 | { 1287 | "name": "set_thread_area", 1288 | "action": "SCMP_ACT_ALLOW" 1289 | }, 1290 | { 1291 | "name": "set_tid_address", 1292 | "action": "SCMP_ACT_ALLOW" 1293 | }, 1294 | { 1295 | "name": "setuid", 1296 | "action": "SCMP_ACT_ALLOW" 1297 | }, 1298 | { 1299 | "name": "setuid32", 1300 | "action": "SCMP_ACT_ALLOW" 1301 | }, 1302 | { 1303 | "name": "setxattr", 1304 | "action": "SCMP_ACT_ALLOW" 1305 | }, 1306 | { 1307 | "name": "shmat", 1308 | "action": "SCMP_ACT_ALLOW" 1309 | }, 1310 | { 1311 | "name": "shmctl", 1312 | "action": "SCMP_ACT_ALLOW" 1313 | }, 1314 | { 1315 | "name": "shmdt", 1316 | "action": "SCMP_ACT_ALLOW" 1317 | }, 1318 | { 1319 | "name": "shmget", 1320 | "action": "SCMP_ACT_ALLOW" 1321 | }, 1322 | { 1323 | "name": "shutdown", 1324 | "action": "SCMP_ACT_ALLOW" 1325 | }, 1326 | { 1327 | "name": "sigaltstack", 1328 | "action": "SCMP_ACT_ALLOW" 1329 | }, 1330 | { 1331 | "name": "signalfd", 1332 | "action": "SCMP_ACT_ALLOW" 1333 | }, 1334 | { 1335 | "name": "signalfd4", 1336 | "action": "SCMP_ACT_ALLOW" 1337 | }, 1338 | { 1339 | "name": "sigreturn", 1340 | "action": "SCMP_ACT_ALLOW" 1341 | }, 1342 | { 1343 | "name": "socket", 1344 | "action": "SCMP_ACT_ALLOW" 1345 | }, 1346 | { 1347 | "name": "socketpair", 1348 | "action": "SCMP_ACT_ALLOW" 1349 | }, 1350 | { 1351 | "name": "splice", 1352 | "action": "SCMP_ACT_ALLOW" 1353 | }, 1354 
| { 1355 | "name": "stat", 1356 | "action": "SCMP_ACT_ALLOW" 1357 | }, 1358 | { 1359 | "name": "stat64", 1360 | "action": "SCMP_ACT_ALLOW" 1361 | }, 1362 | { 1363 | "name": "statfs", 1364 | "action": "SCMP_ACT_ALLOW" 1365 | }, 1366 | { 1367 | "name": "statfs64", 1368 | "action": "SCMP_ACT_ALLOW" 1369 | }, 1370 | { 1371 | "name": "symlink", 1372 | "action": "SCMP_ACT_ALLOW" 1373 | }, 1374 | { 1375 | "name": "symlinkat", 1376 | "action": "SCMP_ACT_ALLOW" 1377 | }, 1378 | { 1379 | "name": "sync", 1380 | "action": "SCMP_ACT_ALLOW" 1381 | }, 1382 | { 1383 | "name": "sync_file_range", 1384 | "action": "SCMP_ACT_ALLOW" 1385 | }, 1386 | { 1387 | "name": "syncfs", 1388 | "action": "SCMP_ACT_ALLOW" 1389 | }, 1390 | { 1391 | "name": "sysinfo", 1392 | "action": "SCMP_ACT_ALLOW" 1393 | }, 1394 | { 1395 | "name": "syslog", 1396 | "action": "SCMP_ACT_ALLOW" 1397 | }, 1398 | { 1399 | "name": "tee", 1400 | "action": "SCMP_ACT_ALLOW" 1401 | }, 1402 | { 1403 | "name": "tgkill", 1404 | "action": "SCMP_ACT_ALLOW" 1405 | }, 1406 | { 1407 | "name": "time", 1408 | "action": "SCMP_ACT_ALLOW" 1409 | }, 1410 | { 1411 | "name": "timer_create", 1412 | "action": "SCMP_ACT_ALLOW" 1413 | }, 1414 | { 1415 | "name": "timer_delete", 1416 | "action": "SCMP_ACT_ALLOW" 1417 | }, 1418 | { 1419 | "name": "timerfd_create", 1420 | "action": "SCMP_ACT_ALLOW" 1421 | }, 1422 | { 1423 | "name": "timerfd_gettime", 1424 | "action": "SCMP_ACT_ALLOW" 1425 | }, 1426 | { 1427 | "name": "timerfd_settime", 1428 | "action": "SCMP_ACT_ALLOW" 1429 | }, 1430 | { 1431 | "name": "timer_getoverrun", 1432 | "action": "SCMP_ACT_ALLOW" 1433 | }, 1434 | { 1435 | "name": "timer_gettime", 1436 | "action": "SCMP_ACT_ALLOW" 1437 | }, 1438 | { 1439 | "name": "timer_settime", 1440 | "action": "SCMP_ACT_ALLOW" 1441 | }, 1442 | { 1443 | "name": "times", 1444 | "action": "SCMP_ACT_ALLOW" 1445 | }, 1446 | { 1447 | "name": "tkill", 1448 | "action": "SCMP_ACT_ALLOW" 1449 | }, 1450 | { 1451 | "name": "truncate", 1452 | "action": 
"SCMP_ACT_ALLOW" 1453 | }, 1454 | { 1455 | "name": "truncate64", 1456 | "action": "SCMP_ACT_ALLOW" 1457 | }, 1458 | { 1459 | "name": "ugetrlimit", 1460 | "action": "SCMP_ACT_ALLOW" 1461 | }, 1462 | { 1463 | "name": "umask", 1464 | "action": "SCMP_ACT_ALLOW" 1465 | }, 1466 | { 1467 | "name": "uname", 1468 | "action": "SCMP_ACT_ALLOW" 1469 | }, 1470 | { 1471 | "name": "unlink", 1472 | "action": "SCMP_ACT_ALLOW" 1473 | }, 1474 | { 1475 | "name": "unlinkat", 1476 | "action": "SCMP_ACT_ALLOW" 1477 | }, 1478 | { 1479 | "name": "utime", 1480 | "action": "SCMP_ACT_ALLOW" 1481 | }, 1482 | { 1483 | "name": "utimensat", 1484 | "action": "SCMP_ACT_ALLOW" 1485 | }, 1486 | { 1487 | "name": "utimes", 1488 | "action": "SCMP_ACT_ALLOW" 1489 | }, 1490 | { 1491 | "name": "vfork", 1492 | "action": "SCMP_ACT_ALLOW" 1493 | }, 1494 | { 1495 | "name": "vhangup", 1496 | "action": "SCMP_ACT_ALLOW" 1497 | }, 1498 | { 1499 | "name": "vmsplice", 1500 | "action": "SCMP_ACT_ALLOW" 1501 | }, 1502 | { 1503 | "name": "wait4", 1504 | "action": "SCMP_ACT_ALLOW" 1505 | }, 1506 | { 1507 | "name": "waitid", 1508 | "action": "SCMP_ACT_ALLOW" 1509 | }, 1510 | { 1511 | "name": "waitpid", 1512 | "action": "SCMP_ACT_ALLOW" 1513 | }, 1514 | { 1515 | "name": "write", 1516 | "action": "SCMP_ACT_ALLOW" 1517 | }, 1518 | { 1519 | "name": "writev", 1520 | "action": "SCMP_ACT_ALLOW" 1521 | }, 1522 | { 1523 | "name": "modify_ldt", 1524 | "action": "SCMP_ACT_ALLOW" 1525 | }, 1526 | { 1527 | "name": "breakpoint", 1528 | "action": "SCMP_ACT_ALLOW" 1529 | }, 1530 | { 1531 | "name": "cacheflush", 1532 | "action": "SCMP_ACT_ALLOW" 1533 | }, 1534 | { 1535 | "name": "set_tls", 1536 | "action": "SCMP_ACT_ALLOW" 1537 | } 1538 | ] 1539 | } 1540 | } 1541 | } 1542 | -------------------------------------------------------------------------------- /virtualbox/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.3.0-dev", 3 | "platform": { 4 | "os": "linux", 5 | 
"arch": "x86_64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/virtualbox" 15 | ], 16 | "env": [ 17 | "DISPLAY=unix:0.0", 18 | "GDK_SCALE=2", 19 | "GDK_DPI_SCALE=0.5", 20 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 21 | ], 22 | "cwd": "/" 23 | }, 24 | "root": { 25 | "path": "rootfs", 26 | "readonly": false 27 | }, 28 | "mounts": [ 29 | { 30 | "name": "/root/.config/VirtualBox", 31 | "path": "/root/.config/VirtualBox" 32 | }, 33 | { 34 | "name": "/etc/localtime", 35 | "path": "/etc/localtime" 36 | }, 37 | { 38 | "name": "/tmp/.X11-unix", 39 | "path": "/tmp/.X11-unix" 40 | }, 41 | { 42 | "name": "/root/VirtualBox VMs", 43 | "path": "/root/VirtualBox VMs" 44 | }, 45 | { 46 | "name": "proc", 47 | "path": "/proc" 48 | }, 49 | { 50 | "name": "/dev", 51 | "path": "/dev" 52 | }, 53 | { 54 | "name": "sysfs", 55 | "path": "/sys" 56 | }, 57 | { 58 | "name": "cgroup", 59 | "path": "/sys/fs/cgroup" 60 | } 61 | ], 62 | "linux": { 63 | "capabilities": [ 64 | "CAP_CHOWN", 65 | "CAP_DAC_OVERRIDE", 66 | "CAP_DAC_READ_SEARCH", 67 | "CAP_FOWNER", 68 | "CAP_FSETID", 69 | "CAP_KILL", 70 | "CAP_SETGID", 71 | "CAP_SETUID", 72 | "CAP_SETPCAP", 73 | "CAP_LINUX_IMMUTABLE", 74 | "CAP_NET_BIND_SERVICE", 75 | "CAP_NET_BROADCAST", 76 | "CAP_NET_ADMIN", 77 | "CAP_NET_RAW", 78 | "CAP_IPC_LOCK", 79 | "CAP_IPC_OWNER", 80 | "CAP_SYS_MODULE", 81 | "CAP_SYS_RAWIO", 82 | "CAP_SYS_CHROOT", 83 | "CAP_SYS_PTRACE", 84 | "CAP_SYS_PACCT", 85 | "CAP_SYS_ADMIN", 86 | "CAP_SYS_BOOT", 87 | "CAP_SYS_NICE", 88 | "CAP_SYS_RESOURCE", 89 | "CAP_SYS_TIME", 90 | "CAP_SYS_TTY_CONFIG", 91 | "CAP_MKNOD", 92 | "CAP_LEASE", 93 | "CAP_AUDIT_WRITE", 94 | "CAP_AUDIT_CONTROL", 95 | "CAP_SETFCAP", 96 | "CAP_MAC_OVERRIDE", 97 | "CAP_MAC_ADMIN", 98 | "CAP_SYSLOG", 99 | "CAP_WAKE_ALARM", 100 | "CAP_BLOCK_SUSPEND", 101 | "CAP_AUDIT_READ" 102 | ] 103 | } 104 | } 105 | 
-------------------------------------------------------------------------------- /virtualbox/load_kernel_modules.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Loads the VirtualBox host kernel modules: vboxdrv via modprobe, then vboxnet*.ko from /lib/modules/<running kernel>/misc via insmod. Referenced as the prestart hook in virtualbox/runtime.json. Output is discarded and `|| true` forces a zero exit status, so a failed module load is silent. 3 | modprobe vboxdrv &>/dev/null || true; 4 | insmod /lib/modules/$(uname -r)/misc/vboxnet*.ko &>/dev/null || true; # NOTE(review): insmod takes one module file followed by module options; if this glob matches several .ko files the extra paths are presumably passed as options rather than loaded - confirm, or load each match separately. 5 | -------------------------------------------------------------------------------- /virtualbox/runtime.json: -------------------------------------------------------------------------------- 1 | { 2 | "mounts": { 3 | "/etc/localtime": { 4 | "type": "bind", 5 | "source": "/etc/localtime", 6 | "options": [ 7 | "ro", 8 | "rbind" 9 | ] 10 | }, 11 | "/root/.config/VirtualBox": { 12 | "type": "bind", 13 | "source": "/home/jessie/.vbox/config", 14 | "options": [ 15 | "rw", 16 | "rbind" 17 | ] 18 | }, 19 | "/root/VirtualBox VMs": { 20 | "type": "bind", 21 | "source": "/home/jessie/.vbox/vms", 22 | "options": [ 23 | "rw", 24 | "rbind" 25 | ] 26 | }, 27 | "/tmp/.X11-unix": { 28 | "type": "bind", 29 | "source": "/tmp/.X11-unix", 30 | "options": [ 31 | "rw", 32 | "rbind" 33 | ] 34 | }, 35 | "cgroup": { 36 | "type": "cgroup", 37 | "source": "cgroup", 38 | "options": [ 39 | "nosuid", 40 | "noexec", 41 | "nodev", 42 | "relatime" 43 | ] 44 | }, 45 | "/dev": { 46 | "type": "bind", 47 | "source": "/dev", 48 | "options": [ 49 | "rw", 50 | "rbind" 51 | ] 52 | }, 53 | "proc": { 54 | "type": "proc", 55 | "source": "proc" 56 | }, 57 | "sysfs": { 58 | "type": "sysfs", 59 | "source": "sysfs", 60 | "options": [ 61 | "nosuid", 62 | "noexec", 63 | "nodev" 64 | ] 65 | } 66 | }, 67 | "hooks": { 68 | "prestart": [ 69 | { 70 | "path": "/home/jessie/containers/virtualbox/load_kernel_modules.sh" 71 | } 72 | ] 73 | }, 74 | "linux": { 75 | "rlimits": [ 76 | { 77 | "type": "RLIMIT_NOFILE", 78 | "hard": 1024, 79 | "soft": 1024 80 | } 81 | ], 82 | "resources": { 83 | "disableOOMKiller": false, 84 | "oomScoreAdj": 0, 85 | "memory": { 86 | "limit": 0, 87 | "reservation": 0, 88
| "swap": 0, 89 | "kernel": 0, 90 | "kernelTCP": null, 91 | "swappiness": 18446744073709551615 92 | }, 93 | "cpu": { 94 | "shares": 0, 95 | "quota": 0, 96 | "period": 0, 97 | "cpus": "", 98 | "mems": "" 99 | }, 100 | "pids": { 101 | "limit": 0 102 | }, 103 | "blockIO": { 104 | "blkioWeight": 0 105 | } 106 | }, 107 | "namespaces": [ 108 | { 109 | "type": "ipc" 110 | }, 111 | { 112 | "type": "uts" 113 | }, 114 | { 115 | "type": "mount" 116 | }, 117 | { 118 | "type": "pid" 119 | } 120 | ], 121 | "devices": [], 122 | "apparmorProfile": "unconfined", 123 | "selinuxProcessLabel": "", 124 | "seccomp": { 125 | "defaultAction": "", 126 | "architectures": null, 127 | "syscalls": null 128 | } 129 | } 130 | } 131 | --------------------------------------------------------------------------------