List of blocking Linux syscalls used in Docker

docker-syscalls.txt

# list-syscalls.sh ~/docker ~/containerd ~/cli ~/runc ~/go/src/github.com/docker/libnetwork ~/go/src/github.com/rootless-containers/rootlesskit
procCreateVirtualDisk.Addr()
procOpenVirtualDisk.Addr()
SYS_ACCEPT
SYS_ADD_KEY
SYS_BIND
SYS_CHDIR
SYS_CHROOT
SYS_CLOCK_GETTIME
SYS_CLONE
SYS_CLOSE
SYS_CONNECT
SYS_COPY_FILE_RANGE
SYS_DUP
SYS_EPOLL_WAIT
SYS_EVENTFD2
SYS_EXIT_GROUP
SYS_FACCESSAT
SYS_FALLOCATE
SYS_FCHDIR
SYS_FCHMOD
SYS_FCHMODAT
SYS_FCHOWN
SYS_FCHOWNAT
SYS_FCNTL
SYS_FDATASYNC
SYS_FLOCK
SYS_FSTAT
SYS_FSYNC
SYS_GETCWD
SYS_GETDENTS64
SYS_GETRANDOM
SYS_GETSOCKOPT
SYS_GETXATTR
SYS_INOTIFY_ADD_WATCH
SYS_IOCTL
SYS_KEYCTL
SYS_LCHOWN
SYS_LGETXATTR
SYS_LINKAT
SYS_LISTEN
SYS_LISTXATTR
SYS_LLISTXATTR
SYS_LREMOVEXATTR
SYS_LSEEK
SYS_LSETXATTR
SYS_MADVISE
SYS_MKDIRAT
SYS_MKNODAT
SYS_MLOCK
SYS_MMAP
SYS_MOUNT
SYS_MUNMAP
SYS_NEWFSTATAT
SYS_OPENAT
SYS_PAUSE
SYS_PERF_EVENT_OPEN
SYS_PIVOT_ROOT
SYS_POLL
SYS_PRCTL
SYS_PRLIMIT64
SYS_PSELECT6
SYS_READ
SYS_REBOOT
SYS_RECVFROM
SYS_REMOVEXATTR
SYS_RENAMEAT
SYS_REQUEST_KEY
SYS_SELECT
SYS_SENDTO
SYS_SETHOSTNAME
SYS_SETNS
SYS_SETSOCKOPT
SYS_SETXATTR
SYS_SHUTDOWN
SYS_SYMLINKAT
SYS_SYNC
SYS_SYSLOG
SYS_TEE
SYS_TRUNCATE
SYS_UMOUNT2
SYS_UNLINKAT
SYS_UNSHARE
SYS_UTIME
SYS_WAIT4
SYS_WAITID
SYS_WRITE

list-syscalls.sh

#!/usr/bin/env sh

paths="$@"
run_regexp="go run regexp.go"
# syscalls file comes from https://gist.github.com/tiborvass/eb0a4054679a43aaca22690a7c4452ed
syscalls=syscalls

(
	x="\b(unix|syscall)\.[0-9A-Z_a-z]*Syscall[0-9A-Z_a-z]+\(([^,]+)"
	# Print syscall numbers resulting from calling Syscall directly
	for d in $paths; do
		d=$(realpath "$d")
		# only look in files matching linux tag and filter out golang.org/x/ packages
		files=$(go list -tags linux -json $d/... $d/vendor/... | jq -r 'select(.GoFiles != null) | select(.Dir | contains("golang.org/x/") | not) | . as $root | .Dir | "." + ltrimstr("'"$d"'") as $dir | $root.GoFiles | map($dir + "/" + .)[]')
		git -C "$d" grep -E "$x" -- $files | $run_regexp "$x" | cut -d'(' -f2- | sed -E 's/^(syscall|unix)\.//'
	done

	x=$(echo '('$(echo $(awk '{print $1}' $syscalls | sort -u) | tr ' ' '|')')');

	# Print syscall numbers resulting from calling syscall functions
	grep -E '^('$(
		echo $(
			echo
			(
				# print syscall functions used
				for d in $paths; do
					d=$(realpath "$d")
					files=$(go list -tags linux -json $d/... $d/vendor/... | jq -r 'select(.GoFiles != null) | select(.Dir | contains("golang.org/x/") | not) | . as $root | .Dir | "." + ltrimstr("'"$d"'") as $dir | $root.GoFiles | map($dir + "/" + .)[]')
					git -C "$d" grep -E "$x" -- $files | $run_regexp "$x" | sed -E 's/^(syscall|unix)\.//'
				done
			) | sort -u
		) | tr ' ' '|'
		# find corresponding syscall constant number
	)') ' $syscalls | cut -d' ' -f2-
) | sort -u

regexp.go

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"regexp"
)

func main() {
	s := os.Args[1]
	r := regexp.MustCompile(s)
	b, err := ioutil.ReadAll(os.Stdin)
	if err != nil {
		panic(err)
	}
	for _, s := range r.FindAll(b, -1) {
		fmt.Println(string(s))
	}
}

procCreateVirtualDisk.Addr()
procOpenVirtualDisk.Addr()

come from windows: https://github.com/microsoft/go-winio/blob/dcdaf955de651d5b5caff082fc6026f69f9fc31d/vhd/zvhd.go it is an outlier, it should have a windows tag but doesn't, just ignore these two.