Block vm86 syscalls in default seccomp profile

These provide an in kernel virtual machine for x86 real mode on x86 used by one very early DOS emulator. Not required for any normal use. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2022-11-09 12:21:53 -05:00 · 2015-12-29 15:47:23 +00:00 · 2015-12-29 15:47:23 +00:00 · 6c3ea7a511
commit 6c3ea7a511
parent eb551baf6f
1 changed files with 12 additions and 0 deletions
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@ -316,5 +316,17 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86old",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 	},
 }