docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Block bpf syscall from default seccomp profile 

The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
This commit is contained in:
Justin Cormack 2015-12-29 17:28:30 +00:00
parent eb551baf6f
commit 33568405f3
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
daemon/execdriver/native/seccomp_default.go
View File

@ -28,6 +28,13 @@ var defaultSeccompProfile = &configs.Seccomp{
Action: configs.Errno, Action: configs.Errno,
Args: []*configs.Arg{}, Args: []*configs.Arg{},
}, },
{
// Deny loading potentially persistent bpf programs into kernel
// already gated by CAP_SYS_ADMIN
Name: "bpf",
Action: configs.Errno,
Args: []*configs.Arg{},
},
{ {
// Time/Date is not namespaced // Time/Date is not namespaced
Name: "clock_settime", Name: "clock_settime",