From 432b7c4134a44e432d57d0b1d72f11d2f09591eb Mon Sep 17 00:00:00 2001
From: Paulo Gomes <pjbgf@linux.com>
Date: Thu, 28 Nov 2019 09:06:03 +0000
Subject: [PATCH] Improve clarity.

---
 engine/security/seccomp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/engine/security/seccomp.md b/engine/security/seccomp.md
index 21ec4d36c2..6d520ae37e 100644
--- a/engine/security/seccomp.md
+++ b/engine/security/seccomp.md
@@ -94,7 +94,7 @@ the reason each syscall is blocked rather than white-listed.
 | `pivot_root`        | Deny `pivot_root`, should be privileged operation.                                                           |
 | `process_vm_readv`  | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`.                          |
 | `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`.                          |
-| `ptrace`            |  Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in kernel versions before 4.8, as it provides a way to bypass seccomp policies. |
+| `ptrace`            | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. Blocked in Linux kernel versions before 4.8 to mitigate CVE-2019-2054. |
 | `query_module`      | Deny manipulation and functions on kernel modules. Obsolete.                                                  |
 | `quotactl`          | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. |
 | `reboot`            | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`.                                           |