Deny finit_module in default seccomp profile
This is a new version of init_module that takes a file descriptor rather than a file name. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
parent
eb551baf6f
commit
0d5306a0b6
1 changed files with 6 additions and 0 deletions
|
@ -71,6 +71,12 @@ var defaultSeccompProfile = &configs.Seccomp{
|
||||||
Action: configs.Errno,
|
Action: configs.Errno,
|
||||||
Args: []*configs.Arg{},
|
Args: []*configs.Arg{},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
// Deny manipulation and functions on kernel modules.
|
||||||
|
Name: "finit_module",
|
||||||
|
Action: configs.Errno,
|
||||||
|
Args: []*configs.Arg{},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
// Deny retrieval of exported kernel and module symbols
|
// Deny retrieval of exported kernel and module symbols
|
||||||
Name: "get_kernel_syms",
|
Name: "get_kernel_syms",
|
||||||
|
|
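Review bot: The comment on the new `finit_module` entry is the generic module-manipulation line and does not say why this syscall needs its own rule; something like `// Deny finit_module: loads a kernel module from a file descriptor (fd-based counterpart of init_module); also gated by CAP_SYS_MODULE.` would record the intent. Every entry visible in the hunk uses `configs.Errno`, which suggests the profile is a denylist, so each newer syscall variant has to be added by hand, as happened here. A unit test asserting that the module-related syscalls (`init_module`, `finit_module`, `delete_module`) all appear in `defaultSeccompProfile` with a deny action would catch the next omission. The `defaultSeccompProfile` literal starts and ends outside the hunk, so whether the other module syscalls are already listed cannot be confirmed from this page.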