_exit
_llseek
_newselect

# Description: Allows access to app-specific directories and basic runtime
#
# The default seccomp policy is default deny with a whitelist of allowed
# syscalls. The default policy is intended to be safe for any application to
# use and should be evaluated in conjunction with other security backends (eg
# AppArmor). For example, a few particularly problematic syscalls that are left
# out of the default policy are (non-exhaustive):
# - kexec_load
# - create_module, init_module, finit_module, delete_module (kernel modules)
# - name_to_handle_at (history of vulnerabilities)
# - open_by_handle_at (history of vulnerabilities)
# - ptrace (can be used to break out of sandbox with <4.8 kernels)
# - add_key, keyctl, request_key (kernel keyring)

#
# Allowed accesses
#

access
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range

# ARM private syscalls
breakpoint
brk
cacheflush
capget
# AppArmor mediates capabilities, so allow capset (useful for apps that for
# example want to drop capabilities)
capset
chdir

# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod

# snappy doesn't currently support per-app UID/GIDs. All daemons run as 'root'
# so allow chown to 'root'. DAC will prevent non-root from chowning to root.
chown - 0 0
chown32 - 0 0
chroot
clock_getres
clock_gettime
clock_nanosleep
clone
close

# needed by ls -l
connect
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fchdir
fchmod
fchmodat
fchown - 0 0
fchown32 - 0 0

# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark

fcntl
fcntl64
fdatasync
fgetxattr
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fstatvfs
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpeername
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
getrusage
getsid
getsockname

# For AF_NETLINK, we'll use a combination of AppArmor coarse mediation and
# seccomp arg filtering of netlink families.
# socket AF_NETLINK - -

# needed by snapctl
getsockopt
gettid
gettimeofday
getuid
getuid32
getxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
io_destroy
io_getevents
io_setup
io_submit

# TIOCSTI allows for faking input (man tty_ioctl)
# TODO: this should be scaled back even more
# resolved by snapd, was: ioctl - !TIOCSTI
ioctl - !21522
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set

ipc
kill
lchown - 0 0
lchown32 - 0 0
lgetxattr
link
linkat
listxattr
llistxattr
llseek
lremovexattr
lseek
lsetxattr
lstat
lstat
lstat64
madvise
mbind
membarrier
memfd_create
mincore
mkdir
mkdirat
# resolved by snapd, was: mknod - |S_IFIFO -
mknod - |4096 -

# Allow mknod for regular files, pipes and sockets (and not block or char
# devices)
# resolved by snapd, was: mknod - |S_IFREG -
mknod - |32768 -
# resolved by snapd, was: mknod - |S_IFSOCK -
mknod - |49152 -
# resolved by snapd, was: mknodat - - |S_IFIFO -
mknodat - - |4096 -
# resolved by snapd, was: mknodat - - |S_IFREG -
mknodat - - |32768 -
# resolved by snapd, was: mknodat - - |S_IFSOCK -
mknodat - - |49152 -
mlock
mlock2
mlockall
mmap
mmap2
modify_ldt
mprotect

# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedsend
#mq_unlink

mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
newfstatat

# Allow using nice() with default or lower priority
# FIXME: https://github.com/seccomp/libseccomp/issues/69 which means we
# currently have to use <=19. When that bug is fixed, use >=0
nice <=19
oldfstat
oldlstat
oldolduname
oldstat
olduname
oldwait4

# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open
openat
pause
personality
pipe
pipe2
poll
ppoll

# LP: #1446748 - support syscall arg filtering
prctl
pread
pread64
preadv
prlimit64
pselect
pselect6
pwrite
pwrite64
pwritev
read
readahead
readdir
readlink
readlinkat
readv

# allow reading from sockets
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2

# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_get_priority_max
sched_get_priority_min
sched_getaffinity
sched_getattr
sched_getparam
sched_getscheduler
sched_rr_get_interval
# enforce pid_t is 0 so the app may only change its own scheduler and affinity.
# Use process-control interface for controlling other pids.
sched_setaffinity 0 - -
sched_setparam 0 -

# 'sched_setscheduler' without argument filtering was allowed in 2.21 and
# earlier and 2.22 added 'sched_setscheduler 0 - -', introducing LP: #1661265.
# For now, continue to allow sched_setscheduler unconditionally.
sched_setscheduler
sched_yield

# Allow configuring seccomp filter. This is ok because the kernel enforces that
# the new filter is a subset of the current filter (ie, no widening
# permissions)
seccomp
select
semctl
semget
semop
semtimedop

# allow sending to sockets
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
set_mempolicy
set_robust_list
set_thread_area
set_tid_address
set_tls

# While we don't yet have seccomp arg filtering (LP: #1446748), we must allow
# these because the launcher drops privileges after seccomp_load(). Eventually
# we will only allow dropping to particular UIDs. For now, we mediate this with
# AppArmor
setgid
setgid32
setitimer
#setgroups
#setgroups32

# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp
# Allow using setpriority to set the priority of the calling process to default
# or lower priority (eg, 'nice -n 9 <command>')
# default or lower priority.
# FIXME: https://github.com/seccomp/libseccomp/issues/69 which means we
# currently have to use <=19. When that bug is fixed, use >=0
# resolved by snapd, was: setpriority PRIO_PROCESS 0 <=19
setpriority 0 0 <=19
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32

# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
setsid
setsockopt
setuid
setuid32
setxattr
shmat
shmctl
shmdt
shmget
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo

# AppArmor mediates AF_UNIX/AF_LOCAL via 'unix' rules and all other AF_*
# domains via 'network' rules. We won't allow bare 'network' AppArmor rules, so
# we can allow 'socket' for all domains except AF_NETLINK and let AppArmor
# handle the rest.
# resolved by snapd, was: socket AF_UNIX
socket 1
# resolved by snapd, was: socket AF_LOCAL
socket 1
# resolved by snapd, was: socket AF_INET
socket 2
# resolved by snapd, was: socket AF_AX25
socket 3
# resolved by snapd, was: socket AF_IPX
socket 4
# resolved by snapd, was: socket AF_APPLETALK
socket 5
# resolved by snapd, was: socket AF_NETROM
socket 6
# resolved by snapd, was: socket AF_BRIDGE
socket 7
# resolved by snapd, was: socket AF_ATMPVC
socket 8
# resolved by snapd, was: socket AF_X25
socket 9
# resolved by snapd, was: socket AF_INET6
socket 10
# resolved by snapd, was: socket AF_ROSE
socket 11
# resolved by snapd, was: socket AF_NETBEUI
socket 13
# resolved by snapd, was: socket AF_SECURITY
socket 14
# resolved by snapd, was: socket AF_KEY
socket 15
# resolved by snapd, was: socket AF_PACKET
socket 17
# resolved by snapd, was: socket AF_ASH
socket 18
# resolved by snapd, was: socket AF_ECONET
socket 19
# resolved by snapd, was: socket AF_RDS
socket 21
# resolved by snapd, was: socket AF_SNA
socket 22
# resolved by snapd, was: socket AF_IRDA
socket 23
# resolved by snapd, was: socket AF_PPPOX
socket 24
# resolved by snapd, was: socket AF_WANPIPE
socket 25
# resolved by snapd, was: socket AF_LLC
socket 26
# resolved by snapd, was: socket AF_IB
socket 27
# resolved by snapd, was: socket AF_MPLS
socket 28
# resolved by snapd, was: socket AF_CAN
socket 29
# resolved by snapd, was: socket AF_TIPC
socket 30
# resolved by snapd, was: socket AF_BLUETOOTH
socket 31
# resolved by snapd, was: socket AF_IUCV
socket 32
# resolved by snapd, was: socket AF_RXRPC
socket 33
# resolved by snapd, was: socket AF_ISDN
socket 34
# resolved by snapd, was: socket AF_PHONET
socket 35
# resolved by snapd, was: socket AF_IEEE802154
socket 36
# resolved by snapd, was: socket AF_CAIF
socket 37
# resolved by snapd, was: socket AF_ALG
socket 38
# resolved by snapd, was: socket AF_NFC
socket 39
# resolved by snapd, was: socket AF_VSOCK
socket 40

# FIXME: remove this after LP: #1446748 is implemented
# This is an older interface and single entry point that can be used instead
# of socket(), bind(), connect(), etc individually.
socketcall

# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
# in the default template
socketpair
splice
stat
stat64
statfs
statfs64
statvfs
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_settime
timerfd
timerfd_create
timerfd_gettime
timerfd_settime
times
tkill
truncate
truncate64
ugetrlimit
umask
uname
unlink
unlinkat
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vmsplice
wait4
waitid
waitpid
write
writev

# Description: Can access the network as a server.
accept
accept4
bind
listen
shutdown
# TODO: remove this rule once seccomp errno with logging is implemented.
# java apps attempt this, presumably to handle interface changes, but a
# corresponding AppArmor rule is required (eg, network netlink dgram) to use
# netlink. We allow it here but not network-bind policy for AppArmor since java
# falls back gracefully when faced with an EPERM. Without this rule, the
# application would be KILLed due to our default seccomp policy.
# resolved by snapd, was: socket AF_NETLINK - NETLINK_ROUTE
socket 16 - 0