From 04b5f87b2886aeccc21639923fb35a78a8032a2e Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 17 Oct 2019 09:44:40 +0100 Subject: [PATCH] Remove socket from blocked syscalls Socket syscalls are no longer blocked on the default profile for a while now. More information: https://github.com/moby/moby/commit/dcf2632945b87acedeea989a5aa36c084a20ae88#diff-0ebf5796a57d68894d5550c407061035 --- engine/security/seccomp.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md index c001f28c7a..0f2b2a0f5c 100644 --- a/engine/security/seccomp.md +++ b/engine/security/seccomp.md @@ -101,9 +101,8 @@ the reason each syscall is blocked rather than white-listed. | `request_key` | Prevent containers from using the kernel keyring, which is not namespaced. | | `set_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | | `setns` | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`. | -| `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. -| `socket`, `socketcall` | Used to send or receive packets and for other socket operations. All `socket` and `socketcall` calls are blocked except communication domains `AF_UNIX`, `AF_INET`, `AF_INET6`, `AF_NETLINK`, and `AF_PACKET`. | -| `stime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `stime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | | `swapon` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. | | `swapoff` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. | | `sysfs` | Obsolete syscall. |
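Review bot: the commit message only describes dropping the `socket`/`socketcall` row, but the hunk also edits the `settimeofday` row (the removed `-| \`settimeofday\` | ... \`CAP_SYS_TIME\`.` line lacks its closing `|`, and the re-added line supplies it, which fixes the table rendering); mention that table fix in the commit message so the change is fully documented. Separately, the removed row stated that `socket` and `socketcall` were blocked except for the `AF_UNIX`, `AF_INET`, `AF_INET6`, `AF_NETLINK` and `AF_PACKET` domains; if the default profile still restricts any socket family by argument filtering, the row should be corrected rather than removed, so confirm against the linked moby commit that no per-domain restriction remains before merging.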