diff --git a/config-linux.md b/config-linux.md index 8f5f70a3e..984a0f304 100644 --- a/config-linux.md +++ b/config-linux.md 
@@ -498,41 +498,59 @@ For more information about Seccomp, see [Seccomp][seccomp] kernel documentation. The actions, architectures, and operators are strings that match the definitions in seccomp.h from [libseccomp][] and are translated to corresponding values. A valid list of constants as of libseccomp v2.3.2 is shown below. -Architecture Constants -* `SCMP_ARCH_X86` -* `SCMP_ARCH_X86_64` -* `SCMP_ARCH_X32` -* `SCMP_ARCH_ARM` -* `SCMP_ARCH_AARCH64` -* `SCMP_ARCH_MIPS` -* `SCMP_ARCH_MIPS64` -* `SCMP_ARCH_MIPS64N32` -* `SCMP_ARCH_MIPSEL` -* `SCMP_ARCH_MIPSEL64` -* `SCMP_ARCH_MIPSEL64N32` -* `SCMP_ARCH_PPC` -* `SCMP_ARCH_PPC64` -* `SCMP_ARCH_PPC64LE` -* `SCMP_ARCH_S390` -* `SCMP_ARCH_S390X` -* `SCMP_ARCH_PARISC` -* `SCMP_ARCH_PARISC64` - -Action Constants: -* `SCMP_ACT_KILL` -* `SCMP_ACT_TRAP` -* `SCMP_ACT_ERRNO` -* `SCMP_ACT_TRACE` -* `SCMP_ACT_ALLOW` - -Operator Constants: -* `SCMP_CMP_NE` -* `SCMP_CMP_LT` -* `SCMP_CMP_LE` -* `SCMP_CMP_EQ` -* `SCMP_CMP_GE` -* `SCMP_CMP_GT` -* `SCMP_CMP_MASKED_EQ` +**`seccomp`** (object, OPTIONAL) + +The following parameters can be specified to setup seccomp: + +* **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. + +* **`architectures`** *(array, OPTIONAL)* - the architecture used for system calls. + Implementations MUST support at least the following values: + + * `SCMP_ARCH_X86` + * `SCMP_ARCH_X86_64` + * `SCMP_ARCH_X32` + * `SCMP_ARCH_ARM` + * `SCMP_ARCH_AARCH64` + * `SCMP_ARCH_MIPS` + * `SCMP_ARCH_MIPS64` + * `SCMP_ARCH_MIPS64N32` + * `SCMP_ARCH_MIPSEL` + * `SCMP_ARCH_MIPSEL64` + * `SCMP_ARCH_MIPSEL64N32` + * `SCMP_ARCH_PPC` + * `SCMP_ARCH_PPC64` + * `SCMP_ARCH_PPC64LE` + * `SCMP_ARCH_S390` + * `SCMP_ARCH_S390X` + * `SCMP_ARCH_PARISC` + * `SCMP_ARCH_PARISC64` + +* **`syscalls`** *(object, REQUIRED)* - match a syscall in seccomp. + + * **`names`** *(array of strings, REQUIRED)* - the name of the syscall. + + * **`action`** *(string, REQUIRED)* - the action for seccomp rules. 
+ Implementations MUST support at least the following values: + + * `SCMP_ACT_KILL` + * `SCMP_ACT_TRAP` + * `SCMP_ACT_ERRNO` + * `SCMP_ACT_TRACE` + * `SCMP_ACT_ALLOW` + + * **`args`** *(object, OPTIONAL)* - the specific syscall in seccomp. + + * **`op`** *(string, REQUIRED)* - the operator for syscall arguments in seccomp. + Implementations MUST support at least the following values: + + * `SCMP_CMP_NE` + * `SCMP_CMP_LT` + * `SCMP_CMP_LE` + * `SCMP_CMP_EQ` + * `SCMP_CMP_GE` + * `SCMP_CMP_GT` + * `SCMP_CMP_MASKED_EQ` ###### Example
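Review bot: `args` is documented with only an `op` sub-field, so a reader cannot write a complete argument rule from this hunk: every operator listed (`SCMP_CMP_EQ`, `SCMP_CMP_LT`, `SCMP_CMP_MASKED_EQ`, ...) compares some syscall argument against some value, yet nothing in the block says which argument index the rule applies to or what value it is compared with (and the masked comparison additionally needs the mask). Add those sub-fields next to `op`, or state explicitly that the list under `args` is incomplete. Two smaller points in the same hunk: `syscalls` is marked `(object, REQUIRED)` while `architectures` and `args` are OPTIONAL, which would make a policy consisting only of `defaultAction` invalid; and the descriptions `the specific syscall in seccomp` (for `args`) and `the name of the syscall` (for the plural `names` array) read as copy-paste; something like `filters on the syscall's arguments` and `the names of the syscalls this rule matches` would be clearer. Finally, the retained context line `A valid list of constants as of libseccomp v2.3.2 is shown below` now sits above lists introduced with `Implementations MUST support at least the following values`, so the text describes the same lists both as a libseccomp snapshot and as a normative minimum; drop or reword the libseccomp-version sentence so the two agree.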