Deny finit_module in default seccomp profile

This is a new version of init_module that takes a file descriptor
rather than a file name.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>

daemon/execdriver/native/seccomp_default.go

@@ -71,6 +71,12 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Deny manipulation and functions on kernel modules.
+			Name:   "finit_module",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Deny retrieval of exported kernel and module symbols
 			Name:   "get_kernel_syms",