seccomp: fix multi-condition rule handling and follow runc for duplicate arg comparators#3489
seccomp: fix multi-condition rule handling and follow runc for duplicate arg comparators #3489 — saku3 wants to merge 1 commit into youki-dev:main from
nayuta723
Thanks for the PR! I've left a few nit comments, so please take a look when you have a moment.
| // When multiple comparisons target the same argument index, | ||
| // we follow runc's behavior and add each condition as a separate rule. | ||
| // Ref: libseccomp seccomp_rule_add(3) | ||
| // https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_rule_add.3#L137 |
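Review bot: The comment on these lines says each duplicate-index comparator becomes its own rule but does not spell out the matching consequence, which is the part a profile author or auditor needs: separate libseccomp rules are matched independently, so two comparators on the same argument index end up any-of (OR) for that syscall, whereas comparators on different indices within one rule are all-of (AND) per seccomp_rule_add(3). Either way the rule's action therefore applies to a superset of the calls an AND reading would cover — more calls blocked for an errno/kill action, more calls allowed for an allow action — and that divergence from the naive reading of the OCI profile should be stated where the decision is made. I would add one sentence after the runc reference, e.g. `// Note: separate rules match independently, so comparators on the same arg index are OR-ed; comparators on different indices in a rule remain AND-ed.` The enclosing function begins and ends outside this quoted snippet, so I cannot confirm from here how `has_duplicate_index` is computed.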
Please use a permalink (tag or commit hash) for this reference so the line numbers stay consistent.
| if has_duplicate_index { | ||
| for comparator in &comparators { | ||
| tracing::trace!( |
In youki, most developers use the --debug flag for development and troubleshooting. Given this, is there a specific reason why some logs are set to tracing::trace instead of tracing::debug?
I think trace is appropriate here. I had the same thought while working on this change.
The reason is that changing these logs to debug would produce a large amount of seccomp-related output.
If someone specifically wants to inspect the seccomp flow in detail, they can use:
youki --log-level trace run -b tutorial/ a
And the output will look like the following.
log
youki --log-level trace run -b tutorial/ a
DEBUG youki: started by user 0 with ArgsOs { inner: ["youki", "--log-level", "trace", "run", "-b", "tutorial/", "a"] }
DEBUG libcontainer::user_ns: this container does NOT create a new user namespace
DEBUG libcontainer::container::init_builder: container directory will be "/run/youki/a"
DEBUG libcontainer::container::container: Save container status: Container { state: State { oci_version: "1.1.0", id: "a", status: Creating, pid: None, bundle: "/home/ubuntu/workspace/youki-1/tutorial", annotations: Some({}), created: None, creator: None, use_systemd: false, clean_up_intel_rdt_subdirectory: None }, root: "/run/youki/a" } in "/run/youki/a"
DEBUG libcontainer::user_ns: this container does NOT create a new user namespace
DEBUG libcontainer::notify_socket: create notify listener socket_path="/run/youki/a/notify.sock"
DEBUG libcontainer::notify_socket: the cwd to create the notify socket cwd="/home/ubuntu/workspace/youki-1"
INFO libcgroups::common: cgroup manager V2 will be used
DEBUG libcontainer::process::cpu_affinity: affinity: 0x3
WARN libcgroups::v2::util: Controller rdma is not yet implemented.
WARN libcgroups::v2::util: Controller misc is not yet implemented.
WARN libcgroups::v2::util: Controller dmem is not yet implemented.
DEBUG libcgroups::v2::hugetlb: Apply hugetlb cgroup v2 config
DEBUG libcgroups::v2::io: Apply io cgroup v2 config
DEBUG libcgroups::v2::pids: Apply pids cgroup v2 config
WARN libcgroups::v2::util: Controller rdma is not yet implemented.
WARN libcgroups::v2::util: Controller misc is not yet implemented.
WARN libcgroups::v2::util: Controller dmem is not yet implemented.
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Pid, path: None }
DEBUG libcontainer::process::channel: sending init pid (Pid(9281))
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Uts, path: None }
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Ipc, path: None }
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Network, path: None }
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Cgroup, path: None }
DEBUG libcontainer::namespaces: unshare or setns: LinuxNamespace { typ: Mount, path: None }
DEBUG libcontainer::rootfs::rootfs: prepare rootfs rootfs="/home/ubuntu/workspace/youki-1/tutorial/rootfs"
DEBUG libcontainer::rootfs::rootfs: mount root fs "/home/ubuntu/workspace/youki-1/tutorial/rootfs"
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/proc", typ: Some("proc"), source: Some("proc"), options: None, uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/dev", typ: Some("tmpfs"), source: Some("tmpfs"), options: Some(["nosuid", "strictatime", "mode=755", "size=65536k"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/dev/pts", typ: Some("devpts"), source: Some("devpts"), options: Some(["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/dev/shm", typ: Some("tmpfs"), source: Some("shm"), options: Some(["nosuid", "noexec", "nodev", "mode=1777", "size=65536k"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/dev/mqueue", typ: Some("mqueue"), source: Some("mqueue"), options: Some(["nosuid", "noexec", "nodev"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/sys", typ: Some("sysfs"), source: Some("sysfs"), options: Some(["nosuid", "noexec", "nodev", "ro"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: mounting Mount { destination: "/sys/fs/cgroup", typ: Some("cgroup"), source: Some("cgroup"), options: Some(["nosuid", "noexec", "nodev", "relatime", "ro"]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::rootfs::mount: Mounting cgroup v2 filesystem
DEBUG libcontainer::rootfs::mount: Mount { destination: "/sys/fs/cgroup", typ: Some("cgroup2"), source: Some("cgroup"), options: Some([]), uid_mappings: None, gid_mappings: None }
DEBUG libcontainer::process::init::process: readonly path "/proc/bus" mounted
DEBUG libcontainer::process::init::process: readonly path "/proc/fs" mounted
DEBUG libcontainer::process::init::process: readonly path "/proc/irq" mounted
DEBUG libcontainer::process::init::process: readonly path "/proc/sys" mounted
DEBUG libcontainer::process::init::process: readonly path "/proc/sysrq-trigger" mounted
DEBUG libcontainer::capabilities: reset all caps
DEBUG libcontainer::capabilities: dropping bounding capabilities to {NetBindService, AuditWrite, Kill}
DEBUG libcontainer::capabilities: dropping effective capabilities to {Kill, AuditWrite, NetBindService}
DEBUG libcontainer::capabilities: dropping permitted capabilities to {Kill, AuditWrite, NetBindService}
DEBUG libcontainer::capabilities: dropping inheritable capabilities to {NetBindService, Kill, AuditWrite}
DEBUG libcontainer::capabilities: dropping ambient capabilities to {NetBindService, AuditWrite, Kill}
TRACE initialize_seccomp: libcontainer::seccomp: initializing seccomp default_action=ScmpActErrno errno=Some(38)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(38)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(38)
TRACE initialize_seccomp: libcontainer::seccomp: adding architecture arch=ScmpArchX86_64
TRACE initialize_seccomp: libcontainer::seccomp: adding architecture arch=ScmpArchX86
TRACE initialize_seccomp: libcontainer::seccomp: adding architecture arch=ScmpArchX32
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="bdflush" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="cachestat" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex_requeue" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex_wait" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex_waitv" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex_wake" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_pgetevents" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_pgetevents_time64" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="kexec_file_load" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="kexec_load" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="map_shadow_stack" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="migrate_pages" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="move_pages" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="nfsservctl" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="nice" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="oldfstat" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="oldlstat" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="oldolduname" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="oldstat" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="olduname" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pciconfig_iobase" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pciconfig_read" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pciconfig_write" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sgetmask" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ssetmask" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="swapoff" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="swapon" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="syscall" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sysfs" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="uselib" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="userfaultfd" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ustat" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="vm86" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="vm86old" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="vmsplice" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="_llseek" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="_newselect" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="accept" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="accept4" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="access" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="adjtimex" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="alarm" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="bind" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="brk" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="capget" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="capset" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="chdir" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="chmod" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="chown" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="chown32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_adjtime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_adjtime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_getres" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_getres_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_gettime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_gettime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_nanosleep" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_nanosleep_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="writev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="writev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="close" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="close_range" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="connect" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="copy_file_range" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="creat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="dup" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="dup2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="dup3" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_create" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_create1" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_ctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_ctl_old" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_pwait" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_pwait2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_wait" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="epoll_wait_old" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="eventfd" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="eventfd2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="execve" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="execveat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="exit" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="exit_group" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="faccessat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="faccessat2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fadvise64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fadvise64_64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fallocate" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fanotify_init" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fanotify_mark" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchdir" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchmod" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchmodat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchmodat2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchown" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchown32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fchownat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fcntl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fcntl64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fdatasync" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fgetxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="flistxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="flock" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fork" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fremovexattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fsconfig" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fsetxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fsmount" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fsopen" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fspick" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fstat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fstat64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fstatat64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fstatfs" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fstatfs64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="fsync" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ftruncate" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ftruncate64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futex_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="futimesat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="get_mempolicy" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="get_robust_list" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="get_thread_area" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getcpu" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getcwd" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getdents" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getdents64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getegid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getegid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="geteuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="geteuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getgid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getgroups" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getgroups32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getitimer" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getpeername" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getpgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getpgrp" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getpid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getppid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getpriority" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getrandom" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getresgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getresgid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getresuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getresuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getrlimit" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getrusage" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getsid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getsockname" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getsockopt" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="gettid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="gettimeofday" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="getxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="inotify_add_watch" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="inotify_init" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="inotify_init1" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="inotify_rm_watch" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_cancel" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_destroy" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_getevents" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_setup" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="io_submit" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ioctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ioprio_get" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ioprio_set" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ipc" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="keyctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="kill" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="landlock_add_rule" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="landlock_create_ruleset" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="landlock_restrict_self" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lchown" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lchown32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lgetxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="link" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="linkat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="listen" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="listxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="llistxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lremovexattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lseek" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lsetxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lstat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lstat64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="madvise" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mbind" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="membarrier" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="memfd_create" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="memfd_secret" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mincore" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mkdir" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mkdirat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mknod" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mknodat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mlock" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mlock2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mlockall" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mmap" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mmap2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mount" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mount_setattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="move_mount" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mprotect" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_getsetattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_notify" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_open" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_timedreceive" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_timedreceive_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_timedsend" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_timedsend_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mq_unlink" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="mremap" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="msgctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="msgget" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="msgrcv" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="msgsnd" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="msync" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="munlock" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="munlockall" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="munmap" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="name_to_handle_at" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="nanosleep" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="newfstatat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="open" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="open_tree" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="openat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="openat2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pause" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pidfd_getfd" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pidfd_open" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pidfd_send_signal" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pipe" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pipe2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pivot_root" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pkey_alloc" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pkey_free" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pkey_mprotect" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="poll" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ppoll" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ppoll_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="prctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pread64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="preadv" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="preadv2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="prlimit64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="process_mrelease" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="process_vm_readv" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="process_vm_writev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pselect6" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pselect6_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ptrace" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pwrite64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pwritev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="pwritev2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="read" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="readahead" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="readlink" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="readlinkat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="readv" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="reboot" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="recv" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="recvfrom" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="recvmmsg" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="recvmmsg_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="recvmsg" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="remap_file_pages" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="removexattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rename" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="renameat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="renameat2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="restart_syscall" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rmdir" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rseq" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigaction" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigpending" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigprocmask" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigqueueinfo" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigreturn" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigsuspend" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigtimedwait" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_sigtimedwait_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="rt_tgsigqueueinfo" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_get_priority_max" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_get_priority_min" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_getaffinity" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_getattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_getparam" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_getscheduler" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_rr_get_interval" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_rr_get_interval_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_setaffinity" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_setattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_setparam" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_setscheduler" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sched_yield" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="seccomp" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="select" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="semctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="semget" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="semop" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="semtimedop" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="semtimedop_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="send" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sendfile" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sendfile64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sendmmsg" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sendmsg" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sendto" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="set_mempolicy" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="set_robust_list" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="set_thread_area" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="set_tid_address" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setfsgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setfsgid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setfsuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setfsuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setgid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setgroups" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setgroups32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setitimer" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setns" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setpgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setpriority" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setregid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setregid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setresgid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setresgid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setresuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setresuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setreuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setreuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setrlimit" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setsid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setsockopt" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setuid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setuid32" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setxattr" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="shmat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="shmctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="shmdt" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="shmget" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="shutdown" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sigaltstack" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="signal" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="signalfd" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="signalfd4" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sigprocmask" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sigreturn" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="socketcall" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="socketpair" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="splice" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="stat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="stat64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="statfs" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="statfs64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="statx" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="symlink" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="symlinkat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sync" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sync_file_range" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="syncfs" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sysinfo" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="syslog" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="tee" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="tgkill" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="time" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_create" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_delete" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_getoverrun" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_gettime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_gettime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_settime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timer_settime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timerfd_create" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timerfd_gettime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timerfd_gettime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timerfd_settime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="timerfd_settime64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="times" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="tkill" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="truncate" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="truncate64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ugetrlimit" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="umask" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="umount" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="umount2" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="uname" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="unlink" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="unlinkat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="writev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="utime" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="utimensat" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="utimensat_time64" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="utimes" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="vfork" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="wait4" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="waitid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="waitpid" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="write" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="writev" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="personality" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 0, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="personality" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 8, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="personality" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 131072, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="personality" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 131080, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="personality" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 4294967295, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="arch_prctl" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="modify_ldt" action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="open_by_handle_at" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="lookup_dcookie" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="quotactl" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="quotactl_fd" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setdomainname" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="sethostname" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="setns" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="chroot" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="delete_module" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="finit_module" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="init_module" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="query_module" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="acct" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="kcmp" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="process_madvise" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="ioperm" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="iopl" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_settime" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="clock_settime64" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="settimeofday" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="stime" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="vhangup" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="socket" action=Errno(1) comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 40, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(22)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(22)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="socket" action=Errno(22) comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 16, datum_b: 0 }), ScmpArgCompare(scmp_arg_cmp { arg: 2, op: SCMP_CMP_EQ, datum_a: 9, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="socket" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 16, datum_b: 0 }), ScmpArgCompare(scmp_arg_cmp { arg: 2, op: SCMP_CMP_NE, datum_a: 9, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="socket" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_NE, datum_a: 16, datum_b: 0 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="bpf" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp rule name="perf_event_open" action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActAllow errno=None
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Allow
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule name="clone" action=Allow comparators=[ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 0, datum_b: 2114060288 })]
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(1)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(1)
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 131072, datum_b: 131072 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 67108864, datum_b: 67108864 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 134217728, datum_b: 134217728 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 268435456, datum_b: 268435456 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 536870912, datum_b: 536870912 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 1073741824, datum_b: 1073741824 })
TRACE initialize_seccomp: libcontainer::seccomp: add seccomp conditional rule separately name="clone" action=Errno(1) comparator=ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_MASKED_EQ, datum_a: 33554432, datum_b: 33554432 })
TRACE initialize_seccomp: libcontainer::seccomp: translating action action=ScmpActErrno errno=Some(38)
TRACE initialize_seccomp: libcontainer::seccomp: translated action action=Errno(38)
WARN initialize_seccomp: libcontainer::seccomp: detect a seccomp action that is the same as the default action: LinuxSyscall { names: ["clone3"], action: ScmpActErrno, errno_ret: Some(38), args: None }
DEBUG libcontainer::workload::default: found executable in executor executable="/bin/sh"
DEBUG libcontainer::process::container_main_process: init pid is Pid(9281)
DEBUG libcontainer::container::container: Save container status: Container { state: State { oci_version: "1.1.0", id: "a", status: Created, pid: Some(9281), bundle: "/home/ubuntu/workspace/youki-1/tutorial", annotations: Some({}), created: Some(2026-04-10T20:20:30.804777149Z), creator: Some(0), use_systemd: false, clean_up_intel_rdt_subdirectory: Some(false) }, root: "/run/youki/a" } in "/run/youki/a"
DEBUG libcontainer::notify_socket: notify container start
DEBUG libcontainer::notify_socket: notify finished
DEBUG libcontainer::notify_socket: received: start container
DEBUG libcontainer::workload::default: executing workload with default handler
DEBUG libcontainer::container::container: Save container status: Container { state: State { oci_version: "1.1.0", id: "a", status: Running, pid: Some(9281), bundle: "/home/ubuntu/workspace/youki-1/tutorial", annotations: Some({}), created: Some(2026-04-10T20:20:30.804777149Z), creator: Some(0), use_systemd: false, clean_up_intel_rdt_subdirectory: Some(false) }, root: "/run/youki/a" } in "/run/youki/a"
TRACE handle_foreground{init_pid=Pid(9281)}: youki::commands::run: waiting for container init process to exit
sh: can't access tty; job control turned off
I see.
On a separate note, I'd like to define some logging conventions for 'youki.' It seems like our current standards haven't been updated in a while.
https://github.com/youki-dev/youki/blob/main/docs/src/developer/unwritten_rules.md#logs
21650d5 to
0888a27
build error The repository does not exist. https://hub.docker.com/u/jorgeprendes420 https://github.com/jprendes/apk-anywhere |
Hi, I tried building with the
https://github.com/youki-dev/youki/blob/main/cross/Dockerfile.musl#L4 The error says that Do you know whether this image was moved, removed, or made private? |
…ate arg comparators Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>
0888a27 to
f3d06f6
| if has_duplicate_index { | ||
| for comparator in &comparators { | ||
| tracing::trace!( |
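Review bot: The comment preceding this loop should spell out the semantic consequence of the split, because adding each comparator as its own rule turns the entry's conditions from a conjunction into independent rules: any single comparator matching is enough to trigger the action, and a comparator on a different argument index in the same entry is no longer ANDed with the rest. The enclosing function starts and ends outside the quoted lines, so the per-comparator add is inferred from `for comparator in &comparators` and the "add seccomp conditional rule separately" trace lines in the log earlier on this page. I would extend the existing comment with something like `// NOTE: this drops AND semantics for the whole entry: every comparator becomes an independent rule, so an entry that names index 0 twice and index 2 once yields three rules, and for an allow action that admits more calls than the conjunction would.`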
I see.
On a separate note, I'd like to define some logging conventions for 'youki.' It seems like our current standards haven't been updated in a while.
https://github.com/youki-dev/youki/blob/main/docs/src/developer/unwritten_rules.md#logs
Description
I fixed a bug related to seccomp.
Fixed the behavior when multiple syscall arguments are specified
When multiple syscall arguments are specified, they must be evaluated with AND semantics.
For example, when a seccomp syscall entry like the following is specified, the two arguments should be combined with AND semantics:
To implement this, the args can be passed directly to
add_rule_conditional as comparators.

Align seccomp argument condition handling with runc
If multiple syscalls are specified with the same argument condition, as in the example below, the condition should be applied to each syscall individually. This follows the behavior of runc.
https://github.com/opencontainers/runc/blob/main/libcontainer/seccomp/seccomp_linux.go#L327
Type of Change
Testing
Related Issues
Fixed #3479
Additional Context
The following command completed successfully.
For the detailed configuration, please refer to the issue.
Execution with the following
config.jsonusingyoukisucceeded.config.json
{ "ociVersion": "1.0.2-dev", "root": { "path": "rootfs", "readonly": true }, "mounts": [ { "destination": "/proc", "type": "proc", "source": "proc" }, { "destination": "/dev", "type": "tmpfs", "source": "tmpfs", "options": [ "nosuid", "strictatime", "mode=755", "size=65536k" ] }, { "destination": "/dev/pts", "type": "devpts", "source": "devpts", "options": [ "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5" ] }, { "destination": "/dev/shm", "type": "tmpfs", "source": "shm", "options": [ "nosuid", "noexec", "nodev", "mode=1777", "size=65536k" ] }, { "destination": "/dev/mqueue", "type": "mqueue", "source": "mqueue", "options": [ "nosuid", "noexec", "nodev" ] }, { "destination": "/sys", "type": "sysfs", "source": "sysfs", "options": [ "nosuid", "noexec", "nodev", "ro" ] }, { "destination": "/sys/fs/cgroup", "type": "cgroup", "source": "cgroup", "options": [ "nosuid", "noexec", "nodev", "relatime", "ro" ] } ], "process": { "terminal": false, "user": { "uid": 0, "gid": 0 }, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "cwd": "/", "capabilities": { "bounding": [ "CAP_NET_BIND_SERVICE", "CAP_KILL", "CAP_AUDIT_WRITE" ], "effective": [ "CAP_NET_BIND_SERVICE", "CAP_KILL", "CAP_AUDIT_WRITE" ], "inheritable": [ "CAP_NET_BIND_SERVICE", "CAP_KILL", "CAP_AUDIT_WRITE" ], "permitted": [ "CAP_NET_BIND_SERVICE", "CAP_KILL", "CAP_AUDIT_WRITE" ], "ambient": [ "CAP_NET_BIND_SERVICE", "CAP_KILL", "CAP_AUDIT_WRITE" ] }, "rlimits": [ { "type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024 } ], "noNewPrivileges": true }, "hostname": "youki", "annotations": {}, "linux": { "seccomp": { "defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 38, "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ { "names": [ "bdflush", "cachestat", "futex_requeue", "futex_wait", "futex_waitv", "futex_wake", "io_pgetevents", "io_pgetevents_time64", "kexec_file_load", "kexec_load", 
"map_shadow_stack", "migrate_pages", "move_pages", "nfsservctl", "nice", "oldfstat", "oldlstat", "oldolduname", "oldstat", "olduname", "pciconfig_iobase", "pciconfig_read", "pciconfig_write", "sgetmask", "ssetmask", "swapoff", "swapon", "syscall", "sysfs", "uselib", "userfaultfd", "ustat", "vm86", "vm86old", "vmsplice" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "_llseek", "_newselect", "accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk", "capget", "capset", "chdir", "chmod", "chown", "chown32", "clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64", "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64", "writev", "writev", "close", "close_range", "connect", "copy_file_range", "creat", "dup", "dup2", "dup3", "epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old", "epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old", "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group", "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate", "fanotify_init", "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchmodat2", "fchown", "fchown32", "fchownat", "fcntl", "fcntl64", "fdatasync", "fgetxattr", "flistxattr", "flock", "fork", "fremovexattr", "fsconfig", "fsetxattr", "fsmount", "fsopen", "fspick", "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync", "ftruncate", "ftruncate64", "futex", "futex_time64", "futimesat", "get_mempolicy", "get_robust_list", "get_thread_area", "getcpu", "getcwd", "getdents", "getdents64", "getegid", "getegid32", "geteuid", "geteuid32", "getgid", "getgid32", "getgroups", "getgroups32", "getitimer", "getpeername", "getpgid", "getpgrp", "getpid", "getppid", "getpriority", "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32", "getrlimit", "getrusage", "getsid", "getsockname", "getsockopt", "gettid", "gettimeofday", "getuid", "getuid32", "getxattr", "inotify_add_watch", "inotify_init", "inotify_init1", 
"inotify_rm_watch", "io_cancel", "io_destroy", "io_getevents", "io_setup", "io_submit", "ioctl", "ioprio_get", "ioprio_set", "ipc", "keyctl", "kill", "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self", "lchown", "lchown32", "lgetxattr", "link", "linkat", "listen", "listxattr", "llistxattr", "lremovexattr", "lseek", "lsetxattr", "lstat", "lstat64", "madvise", "mbind", "membarrier", "memfd_create", "memfd_secret", "mincore", "mkdir", "mkdirat", "mknod", "mknodat", "mlock", "mlock2", "mlockall", "mmap", "mmap2", "mount", "mount_setattr", "move_mount", "mprotect", "mq_getsetattr", "mq_notify", "mq_open", "mq_timedreceive", "mq_timedreceive_time64", "mq_timedsend", "mq_timedsend_time64", "mq_unlink", "mremap", "msgctl", "msgget", "msgrcv", "msgsnd", "msync", "munlock", "munlockall", "munmap", "name_to_handle_at", "nanosleep", "newfstatat", "open", "open_tree", "openat", "openat2", "pause", "pidfd_getfd", "pidfd_open", "pidfd_send_signal", "pipe", "pipe2", "pivot_root", "pkey_alloc", "pkey_free", "pkey_mprotect", "poll", "ppoll", "ppoll_time64", "prctl", "pread64", "preadv", "preadv2", "prlimit64", "process_mrelease", "process_vm_readv", "process_vm_writev", "pselect6", "pselect6_time64", "ptrace", "pwrite64", "pwritev", "pwritev2", "read", "readahead", "readlink", "readlinkat", "readv", "reboot", "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg", "remap_file_pages", "removexattr", "rename", "renameat", "renameat2", "restart_syscall", "rmdir", "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64", "rt_tgsigqueueinfo", "sched_get_priority_max", "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_getscheduler", "sched_rr_get_interval", "sched_rr_get_interval_time64", "sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "select", "semctl", "semget", 
"semop", "semtimedop", "semtimedop_time64", "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto", "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", "setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid", "setgid32", "setgroups", "setgroups32", "setitimer", "setns", "setpgid", "setpriority", "setregid", "setregid32", "setresgid", "setresgid32", "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit", "setsid", "setsockopt", "setuid", "setuid32", "setxattr", "shmat", "shmctl", "shmdt", "shmget", "shutdown", "sigaltstack", "signal", "signalfd", "signalfd4", "sigprocmask", "sigreturn", "socketcall", "socketpair", "splice", "stat", "stat64", "statfs", "statfs64", "statx", "symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "sysinfo", "syslog", "tee", "tgkill", "time", "timer_create", "timer_delete", "timer_getoverrun", "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", "timerfd_settime", "timerfd_settime64", "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask", "umount", "umount2", "uname", "unlink", "unlinkat", "writev", "utime", "utimensat", "utimensat_time64", "utimes", "vfork", "wait4", "waitid", "waitpid", "write", "writev" ], "action": "SCMP_ACT_ALLOW" }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 0, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 8, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 131072, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 131080, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "arch_prctl" ], "action": 
"SCMP_ACT_ALLOW" }, { "names": [ "modify_ldt" ], "action": "SCMP_ACT_ALLOW" }, { "names": [ "open_by_handle_at" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "lookup_dcookie", "quotactl", "quotactl_fd", "setdomainname", "sethostname", "setns" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "chroot" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "delete_module", "finit_module", "init_module", "query_module" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "acct" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "kcmp", "process_madvise" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "ioperm", "iopl" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "clock_settime", "clock_settime64", "settimeofday", "stime" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "vhangup" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "socket" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1, "args": [ { "index": 0, "value": 40, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 22, "args": [ { "index": 0, "value": 16, "op": "SCMP_CMP_EQ" }, { "index": 2, "value": 9, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 16, "op": "SCMP_CMP_EQ" }, { "index": 2, "value": 9, "op": "SCMP_CMP_NE" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 16, "op": "SCMP_CMP_NE" } ] }, { "names": [ "bpf" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "perf_event_open" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "clone" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ" } ] }, { "names": [ "clone" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1, "args": [ { "index": 0, "value": 131072, "valueTwo": 131072, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 67108864, 
"valueTwo": 67108864, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 134217728, "valueTwo": 134217728, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 268435456, "valueTwo": 268435456, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 536870912, "valueTwo": 536870912, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 1073741824, "valueTwo": 1073741824, "op": "SCMP_CMP_MASKED_EQ" }, { "index": 0, "value": 33554432, "valueTwo": 33554432, "op": "SCMP_CMP_MASKED_EQ" } ] }, { "names": [ "clone3" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 38 } ] }, "resources": { "devices": [] }, "namespaces": [ { "type": "pid" }, { "type": "network" }, { "type": "ipc" }, { "type": "uts" }, { "type": "mount" }, { "type": "cgroup" } ], "maskedPaths": [ "/proc/acpi", "/proc/asound", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware", "/proc/scsi" ], "readonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] } }