Merge pull request #18971 from justincormack/ptrace

Block additional ptrace related syscalls in default seccomp profile
2015-12-29 11:56:51 -08:00 · 2015-12-29 11:56:51 -08:00 · e01cab1cc5
parent 3858027e27 a0a8ca0ae0
commit e01cab1cc5
1 changed files with 21 additions and 0 deletions
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@ -117,6 +117,13 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Restrict process inspection capabilities
+			// Already blocked by dropping CAP_PTRACE
+			Name:   "kcmp",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Sister syscall of kexec_load that does the same thing,
 			// slightly different arguments
@ -215,6 +222,20 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Restrict process inspection capabilities
+			// Already blocked by dropping CAP_PTRACE
+			Name:   "process_vm_readv",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
+		{
+			// Restrict process modification capabilities
+			// Already blocked by dropping CAP_PTRACE
+			Name:   "process_vm_writev",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Already blocked by dropping CAP_PTRACE
 			Name:   "ptrace",