From e7a99ae5e16f8688a0735c91856d13633f48185c Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Thu, 21 Apr 2016 18:23:59 +0100
Subject: [PATCH] Remove mlock and vhangup from the default seccomp profile

These syscalls are already blocked by the default capabilities: mlock mlock2 mlockall require CAP_IPC_LOCK vhangup requires CAP_SYS_TTY_CONFIG There is therefore no reason to allow them in the default profile as they cannot be used anyway.

Signed-off-by: Justin Cormack
---
 profiles/seccomp/default.json | 20 --------------------
 profiles/seccomp/seccomp_default.go | 20 --------------------
 2 files changed, 40 deletions(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 28d564c1e0..dc67c7ac37 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -713,21 +713,6 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
- {
- "name": "mlock",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "mlock2",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "mlockall",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
 {
 "name": "mmap",
 "action": "SCMP_ACT_ALLOW",
@@ -1564,11 +1549,6 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
- {
- "name": "vhangup",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
 {
 "name": "vmsplice",
 "action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index be93d780a5..9471edfcc3 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -745,21 +745,6 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
- {
- Name: "mlock",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "mlock2",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "mlockall",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
 {
 Name: "mmap",
 Action: types.ActAllow,
@@ -1593,11 +1578,6 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
- {
- Name: "vhangup",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
 {
 Name: "vmsplice",
 Action: types.ActAllow,