mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile
* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
parent
e2593239d9
commit
47dfff68e4
2 changed files with 28 additions and 0 deletions
|
@ -746,6 +746,22 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"excludes": {}
|
"excludes": {}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"names": [
|
||||||
|
"get_mempolicy",
|
||||||
|
"mbind",
|
||||||
|
"set_mempolicy"
|
||||||
|
],
|
||||||
|
"action": "SCMP_ACT_ALLOW",
|
||||||
|
"args": [],
|
||||||
|
"comment": "",
|
||||||
|
"includes": {
|
||||||
|
"caps": [
|
||||||
|
"CAP_SYS_NICE"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"excludes": {}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
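Review bot: The new rule leaves `"comment": ""` empty, so the profile itself does not say why `get_mempolicy`, `mbind` and `set_mempolicy` are allowed only under `CAP_SYS_NICE`. A short text such as `"comment": "NUMA memory policy calls, allowed only with CAP_SYS_NICE"` would make the entry self-explanatory for anyone auditing or trimming the profile. The same rule is repeated in the Go profile in the second hunk; if this JSON is generated from that code, which the page does not show, the text belongs in the Go entry instead.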
|
|
@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
|
||||||
Caps: []string{"CAP_SYS_TTY_CONFIG"},
|
Caps: []string{"CAP_SYS_TTY_CONFIG"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Names: []string{
|
||||||
|
"get_mempolicy",
|
||||||
|
"mbind",
|
||||||
|
"set_mempolicy",
|
||||||
|
},
|
||||||
|
Action: types.ActAllow,
|
||||||
|
Args: []*types.Arg{},
|
||||||
|
Includes: types.Filter{
|
||||||
|
Caps: []string{"CAP_SYS_NICE"},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
return &types.Seccomp{
|
return &types.Seccomp{
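Review bot: The new entry in `DefaultProfile()` has no comment saying why these calls sit behind `CAP_SYS_NICE`, and the gate is a policy choice rather than a copy of the kernel's own check: as far as I know the kernel asks for that capability only for some uses, such as `mbind` with `MPOL_MF_MOVE_ALL`. For a container without the capability this seccomp rule is therefore what blocks the three calls, and a later clean-up could move them to the unconditional list without noticing. I would add above the entry `// NUMA memory policy syscalls: allowed only when the container holds CAP_SYS_NICE.` The body of `DefaultProfile()` starts and ends outside the hunk.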
|
||||||
|
|