@@ -115,37 +115,37 @@ the reason each syscall is blocked rather than white-listed.
115115|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
116116| `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`. |
117117| `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
118- | `adjtimex` | Similar to `clock_settime` and `settimeofday`, time/date is not namespaced. |
118+ | `adjtimex` | Similar to `clock_settime` and `settimeofday`, time/date is not namespaced. Also gated by `CAP_SYS_TIME` |
119119| `bpf` | Deny loading potentially persistent bpf programs into kernel, already gated by `CAP_SYS_ADMIN`. |
120- | `clock_adjtime` | Time/date is not namespaced. |
121- | `clock_settime` | Time/date is not namespaced. |
120+ | `clock_adjtime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
121+ | `clock_settime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
122122| `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE_* flags, except `CLONE_USERNS`. |
123- | `create_module` | Deny manipulation and functions on kernel modules. |
123+ | `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE` |
124124| `delete_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
125125| `finit_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
126- | `get_kernel_syms` | Deny retrieval of exported kernel and module symbols. |
126+ | `get_kernel_syms` | Deny retrieval of exported kernel and module symbols. Obsolete. |
127127| `get_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. |
128128| `init_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
129129| `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
130130| `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
131131| `kcmp` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. |
132- | `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. |
133- | `kexec_load` | Deny loading a new kernel for later execution. |
132+ | `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`. |
133+ | `kexec_load` | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`. |
134134| `keyctl` | Prevent containers from using the kernel keyring, which is not namespaced. |
135- | `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. |
135+ | `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by `CAP_SYS_ADMIN`. |
136136| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. |
137137| `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. |
138138| `move_pages` | Syscall that modifies kernel memory and NUMA settings. |
139139| `name_to_handle_at` | Sister syscall to `open_by_handle_at`. Already gated by `CAP_SYS_NICE`. |
140- | `nfsservctl` | Deny interaction with the kernel nfs daemon. |
140+ | `nfsservctl` | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. |
141141| `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`. |
142142| `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. |
143143| `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. |
144144| `pivot_root` | Deny `pivot_root`, should be privileged operation. |
145145| `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. |
146146| `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. |
147147| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. |
148- | `query_module` | Deny manipulation and functions on kernel modules. |
148+ | `query_module` | Deny manipulation and functions on kernel modules. Obsolete. |
149149| `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. |
150150| `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. |
151151| `request_key` | Prevent containers from using the kernel keyring, which is not namespaced. |
@@ -158,7 +158,7 @@ the reason each syscall is blocked rather than white-listed.
158158| `sysfs` | Obsolete syscall. |
159159| `_sysctl` | Obsolete, replaced by /proc/sys. |
160160| `umount` | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`. |
161- | `umount2` | Should be a privileged operation. |
161+ | `umount2` | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`. |
162162| `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. |
163163| `uselib` | Older syscall related to shared libraries, unused for a long time. |
164164| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
0 commit comments