From 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Tue, 29 Dec 2015 15:47:23 +0000
Subject: [PATCH] Block vm86 syscalls in default seccomp profile

These provide an in kernel virtual machine for x86 real mode on x86 used by one very early DOS emulator. Not required for any normal use.

Signed-off-by: Justin Cormack
---
 daemon/execdriver/native/seccomp_default.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/daemon/execdriver/native/seccomp_default.go b/daemon/execdriver/native/seccomp_default.go
index 1075a0b315..f5c6e82a69 100644
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@@ -316,5 +316,17 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Errno,
 Args: []*configs.Arg{},
 },
+ {
+ // In kernel x86 real mode virtual machine
+ Name: "vm86",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
+ {
+ // In kernel x86 real mode virtual machine
+ Name: "vm86old",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
 },
 }
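Review bot: The comment on the two new entries (`vm86`, `vm86old`) says what the syscall is but not why it is denied, so someone auditing the profile later has to go to the commit message for the rationale. I would carry it into the comment, e.g. `// In-kernel x86 real-mode VM, only used by legacy DOS emulation; not needed by normal workloads`, and on the second entry say how `vm86old` relates to `vm86` rather than repeating the same line. Both calls exist only on 32-bit x86, so it is worth confirming that loading the profile on other architectures tolerates names the kernel does not implement; nothing in this hunk shows how unknown names are handled. The `defaultSeccompProfile` literal starts outside the hunk, so the surrounding entries and the default action are not visible here.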