/usr/share/seccomp/templates/ubuntu-personal/15.10/ubuntu-scope-network is in ubuntu-personal-security-seccomp 16.04.4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 | # Description: default seccomp filter for Ubuntu network scopes
# Usage: common
#
# Dangerous syscalls that we don't ever want to allow
# kexec
deny kexec_load
# kernel modules
deny create_module
deny init_module
deny finit_module
deny delete_module
# these have a history of vulnerabilities, are not widely used, and
# open_by_handle_at has been used to break out of docker containers by brute
# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
deny name_to_handle_at
deny open_by_handle_at
# Explicitly deny ptrace since it can be abused to break out of the seccomp
# sandbox
deny ptrace
# Explicitly deny capability mknod so apps can't create devices
deny mknod
deny mknodat
# Explicitly deny (u)mount so apps can't change mounts in their namespace
deny mount
deny umount
deny umount2
# Explicitly deny kernel keyring access
deny add_key
deny keyctl
deny request_key
# end dangerous syscalls
access
faccessat
alarm
brk
# ARM private syscalls
breakpoint
cacheflush
set_tls
usr26
usr32
capget
chdir
fchdir
# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod
fchmod
fchmodat
# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
# properly support chown, we need to have syscall arg filtering (LP: #1446748)
# and per-app UID/GIDs.
#chown
#chown32
#fchown
#fchown32
#fchownat
#lchown
#lchown32
clock_getres
clock_gettime
clock_nanosleep
clone
close
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
_exit
exit
exit_group
fallocate
# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark
fcntl
fcntl64
flock
fork
ftime
futex
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
ugetrlimit
getrusage
getsid
gettid
gettimeofday
getuid
getuid32
getxattr
fgetxattr
lgetxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
# Needed by shell
ioctl
io_cancel
io_destroy
io_getevents
io_setup
io_submit
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set
ipc
kill
link
linkat
listxattr
llistxattr
flistxattr
lseek
llseek
_llseek
lstat
lstat64
madvise
fadvise64
fadvise64_64
arm_fadvise64_64
mbind
mincore
mkdir
mkdirat
mlock
mlockall
mmap
mmap2
mprotect
# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedsend
#mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
# and allow this call
#nice
# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open
openat
pause
pipe
pipe2
poll
ppoll
# LP: #1446748 - support syscall arg filtering
prctl
arch_prctl
read
pread
pread64
preadv
readv
readahead
readdir
readlink
readlinkat
remap_file_pages
removexattr
fremovexattr
lremovexattr
rename
renameat
renameat2
# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
# app may only change its own scheduler
sched_setscheduler
sched_yield
select
_newselect
pselect
pselect6
semctl
semget
semop
semtimedop
sendfile
sendfile64
# snappy doesn't currently support per-app UID/GIDs so don't allow this family
# of syscalls. To properly support these, we need to have syscall arg filtering
# (LP: #1446748) and per-app UID/GIDs.
#setgid
#setgid32
#setgroups
#setgroups32
#setregid
#setregid32
#setresgid
#setresgid32
#setresuid
#setresuid32
#setreuid
#setreuid32
#setuid
#setuid32
# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp
set_thread_area
setitimer
# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
prlimit64
set_mempolicy
set_robust_list
setsid
set_tid_address
setxattr
fsetxattr
lsetxattr
shmat
shmctl
shmdt
shmget
signal
sigaction
signalfd
signalfd4
sigaltstack
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
splice
stat
stat64
fstat
fstat64
fstatat64
lstat
newfstatat
oldfstat
oldlstat
oldstat
statfs
statfs64
fstatfs
fstatfs64
statvfs
fstatvfs
ustat
symlink
symlinkat
sync
sync_file_range
sync_file_range2
arm_sync_file_range
fdatasync
fsync
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_settime
timerfd_create
timerfd_gettime
timerfd_settime
times
tkill
truncate
truncate64
ftruncate
ftruncate64
umask
uname
olduname
oldolduname
unlink
unlinkat
utime
utimensat
utimes
futimesat
vfork
vmsplice
wait4
oldwait4
waitpid
waitid
write
writev
pwrite
pwrite64
pwritev
# for connecting to DBus
connect
getsockname
recvmsg
send
sendto
sendmsg
socket
|