From 33568405f34f363de49b1146119cc53bcb9e5f16 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@unikernel.com>
Date: Tue, 29 Dec 2015 17:28:30 +0000
Subject: [PATCH] Block bpf syscall from default seccomp profile

The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
---
 daemon/execdriver/native/seccomp_default.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/daemon/execdriver/native/seccomp_default.go b/daemon/execdriver/native/seccomp_default.go
index 1075a0b315..105b9374ab 100644
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@@ -28,6 +28,13 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Deny loading potentially persistent bpf programs into kernel
+			// already gated by CAP_SYS_ADMIN
+			Name:   "bpf",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Time/Date is not namespaced
 			Name:   "clock_settime",