{ "comment": "Strict seccomp profile for minimal containers - blocks dangerous syscalls and restricts to essential operations only", "defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 1, "archMap": [ { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": [ "SCMP_ARCH_X86", "SCMP_ARCH_X32" ] }, { "architecture": "SCMP_ARCH_AARCH64", "subArchitectures": [ "SCMP_ARCH_ARM" ] } ], "syscalls": [ { "names": [ "accept", "accept4", "access", "alarm", "bind", "brk", "capget", "chdir", "clock_getres", "clock_getres_time64", "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64", "close", "close_range", "connect", "dup", "dup2", "dup3", "epoll_create", "epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_pwait2", "epoll_wait", "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group", "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fcntl", "fcntl64", "fdatasync", "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync", "futex", "futex_time64", "futex_waitv", "getcpu", "getcwd", "getdents", "getdents64", "getegid", "getegid32", "geteuid", "geteuid32", "getgid", "getgid32", "getgroups", "getgroups32", "getpeername", "getpgid", "getpgrp", "getpid", "getppid", "getpriority", "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32", "getrlimit", "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt", "get_thread_area", "gettid", "gettimeofday", "getuid", "getuid32", "ioctl", "kill", "listen", "lseek", "lstat", "lstat64", "madvise", "membarrier", "mincore", "mmap", "mmap2", "mprotect", "mremap", "msync", "munmap", "nanosleep", "newfstatat", "open", "openat", "openat2", "pause", "pipe", "pipe2", "poll", "ppoll", "ppoll_time64", "prctl", "pread64", "preadv", "preadv2", "prlimit64", "pselect6", "pselect6_time64", "pwrite64", "pwritev", "pwritev2", "read", "readlink", "readlinkat", "readv", "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg", "restart_syscall", "rseq", "rt_sigaction", 
"rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64", "rt_tgsigqueueinfo", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_get_priority_max", "sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval", "sched_rr_get_interval_time64", "sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "select", "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto", "setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid", "setgid32", "setgroups", "setgroups32", "setpgid", "setpriority", "setregid", "setregid32", "setresgid", "setresgid32", "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit", "set_robust_list", "setsid", "setsockopt", "set_thread_area", "set_tid_address", "setuid", "setuid32", "shutdown", "sigaltstack", "signalfd", "signalfd4", "sigprocmask", "sigreturn", "socket", "socketcall", "socketpair", "stat", "stat64", "statfs", "statfs64", "statx", "sysinfo", "tgkill", "time", "timer_create", "timer_delete", "timer_getoverrun", "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", "timerfd_settime", "timerfd_settime64", "times", "tkill", "ugetrlimit", "umask", "uname", "wait4", "waitid", "waitpid", "write", "writev" ], "action": "SCMP_ACT_ALLOW", "comment": "Essential syscalls for stateless services" }, { "names": [ "clone" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ" } ], "comment": "Allow clone only when no namespace flag is set (threads and ordinary forks): the mask 2114060288 (0x7E020000) covers CLONE_NEWNS/CGROUP/UTS/IPC/USER/PID/NET, not only CLONE_NEWUSER; valueTwo is omitted and so defaults to 0, and a clone carrying any of those flags falls through to defaultAction" } ], "blockedSyscalls": { "comment": "Documentation-only list of dangerous syscalls: blockedSyscalls is not a key in the seccomp profile schema and runtimes are expected to ignore it, so these names are denied by defaultAction (SCMP_ACT_ERRNO with defaultErrnoRet 1), not by this section", "syscalls": [ { "names": [ "acct", "add_key", "bpf", "clock_adjtime", "clock_adjtime64", "clock_settime", "clock_settime64", "clone3", "create_module", "delete_module", "finit_module", "get_kernel_syms", "get_mempolicy", "init_module", "ioperm", 
"iopl", "kcmp", "kexec_file_load", "kexec_load", "keyctl", "lookup_dcookie", "mbind", "migrate_pages", "modify_ldt", "mount", "move_pages", "name_to_handle_at", "nfsservctl", "open_by_handle_at", "perf_event_open", "personality", "pivot_root", "process_vm_readv", "process_vm_writev", "ptrace", "query_module", "quotactl", "quotactl_fd", "reboot", "request_key", "set_mempolicy", "setdomainname", "sethostname", "settimeofday", "setns", "stime", "swapoff", "swapon", "sysfs", "syslog", "_sysctl", "umount", "umount2", "unshare", "uselib", "userfaultfd", "ustat", "vm86", "vm86old" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1, "comment": "Block dangerous administrative and privileged syscalls. Note that clone3 is denied with errno 1 (EPERM) rather than 38 (ENOSYS); glibc 2.34+ falls back from clone3 to the allowed clone only on ENOSYS, so thread creation can fail in images using such a libc - confirm against your base image" } ] }, "notes": { "description": "Strict seccomp profile for minimal, stateless containers", "use_cases": [ "Stateless API servers", "Message queue consumers", "Stream processing workers", "Serverless functions", "Minimal microservices" ], "blocked_operations": [ "Kernel module loading", "System time modification", "Host mounting/unmounting", "Process tracing (ptrace)", "Namespace manipulation", "BPF operations", "Key management", "Performance monitoring", "Memory policy", "Reboot/shutdown" ], "allowed_operations": [ "File I/O (seccomp does not filter paths; any path restriction must come from a separate Landlock policy)", "Network operations", "Thread management", "Time reading", "Signal handling", "Memory management", "Process management (limited)" ], "security_notes": [ "This profile blocks all administrative syscalls", "No kernel modification allowed", "No debugging/tracing capabilities", "No namespace creation (except thread cloning)", "No module loading or unloading", "No time manipulation", "No host filesystem mounting", "Combine with Landlock for filesystem restrictions", "Use with minimal capabilities (ideally none)" ], "testing": [ "Test thoroughly with your application before production", "Monitor for SCMP_ACT_ERRNO returns (syscall denials); the kernel only audit-logs errno actions when the filter is loaded with SECCOMP_FILTER_FLAG_LOG (the profile's flags field) and kernel.seccomp.actions_logged includes errno - confirm for your runtime", "Check logs for unexpected syscall usage", "Use strace during testing to identify required syscalls, running without this profile applied because it denies ptrace, which strace requires", 
"Example: strace -c -f -S name your-app 2>&1 | tail -n +3 | head -n -2 | awk '{print $NF}' | sort -u" ] } }