From 47dfff68e4365668279e235bf8c7778b637f2517 Mon Sep 17 00:00:00 2001
From: Nicolas V Castet
Date: Fri, 8 Jun 2018 10:41:48 -0500
Subject: [PATCH] Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile
* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/
Signed-off-by: Nicolas V Castet
---
 profiles/seccomp/default.json | 16 ++++++++++++++++
 profiles/seccomp/seccomp_default.go | 12 ++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 5717c00cde..c0f140524e 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -746,6 +746,22 @@
 ]
 },
 "excludes": {}
+ },
+ {
+ "names": [
+ "get_mempolicy",
+ "mbind",
+ "set_mempolicy"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_NICE"
+ ]
+ },
+ "excludes": {}
 }
 ]
 }
\ No newline at end of file
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index be29aa4f70..25360a1277 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
 Caps: []string{"CAP_SYS_TTY_CONFIG"},
 },
 },
+ {
+ Names: []string{
+ "get_mempolicy",
+ "mbind",
+ "set_mempolicy",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ Includes: types.Filter{
+ Caps: []string{"CAP_SYS_NICE"},
+ },
+ },
 }
 return &types.Seccomp{
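Review bot: The `"comment": ""` in the added object leaves no record of why get_mempolicy, mbind and set_mempolicy are gated on CAP_SYS_NICE, so a later reader auditing the allowlist has to go back to this commit message for the rationale; the matching Go entry added in seccomp_default.go sets nothing corresponding to it either. Keeping the reasoning next to the rule is cheap, e.g. `"comment": "NUMA memory-policy syscalls; allowed only when CAP_SYS_NICE is granted, per https://docs.docker.com/engine/security/seccomp/"`. If default.json is produced from the Go profile by a generator, the text belongs in the Go entry so a regeneration does not drop it; whether that is the case is not visible from this diff.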