seccomp: block syscall()

syscall() emulates all other syscalls, so having this allowed makes no
sense as far as seccomp filters go.

This is a breaking change, but this probably will not break much.

Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Dominique Martinet 2024-06-04 11:30:58 +09:00
parent 9ce468e30f
commit ad947e0c3f
2 changed files with 2 additions and 2 deletions


@ -77,6 +77,7 @@ func DefaultProfile() *Seccomp {
"ssetmask", "ssetmask",
"swapoff", "swapoff",
"swapon", "swapon",
"syscall",
"sysfs", "sysfs",
"uselib", "uselib",
"userfaultfd", "userfaultfd",
@ -422,7 +423,6 @@ func DefaultProfile() *Seccomp {
"sync", "sync",
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"syscall",
"sysinfo", "sysinfo",
"syslog", "syslog",
"tee", "tee",
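Review bot: The new `"syscall",` entry in the first list (between `"swapon"` and `"sysfs"`) carries no explanation, so a later reader could take it for a mistake and move it back to the allow list that the second hunk removes it from. I would add a comment directly above it, for example `// syscall: indirect entry point that invokes another syscall by number; keep it out of the allow list so filtering stays per-syscall`. The action applied to this first list is not visible in the hunk, so it is worth confirming that callers receive the intended errno rather than a kill, given that the commit message calls this a breaking change. Only two files changed, so there appears to be no test pinning the new behaviour; an assertion that no allow rule returned by DefaultProfile() names `syscall` would keep this file and the second one (which receives the same move) from drifting apart. DefaultProfile's body starts and ends outside both hunks.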


@ -81,6 +81,7 @@
"ssetmask", "ssetmask",
"swapoff", "swapoff",
"swapon", "swapon",
"syscall",
"sysfs", "sysfs",
"uselib", "uselib",
"userfaultfd", "userfaultfd",
@ -429,7 +430,6 @@
"sync", "sync",
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"syscall",
"sysinfo", "sysinfo",
"syslog", "syslog",
"tee", "tee",