mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #21262 from justincormack/newsyscalls

Add new syscalls in libseccomp 2.3.0 to seccomp default profile
Antonio Murdaca 2016-03-17 09:37:36 +01:00
commit 8bbe3de4b3
3 changed files with 21 additions and 0 deletions


@ -127,6 +127,7 @@ the reason each syscall is blocked rather than white-listed.
| `umount2` | Should be a privileged operation. | | `umount2` | Should be a privileged operation. |
| `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. | | `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. |
| `uselib` | Older syscall related to shared libraries, unused for a long time. | | `uselib` | Older syscall related to shared libraries, unused for a long time. |
| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
| `ustat` | Obsolete syscall. | | `ustat` | Obsolete syscall. |
| `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | | `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
| `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | | `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |


@ -113,6 +113,11 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "copy_file_range",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "creat", "name": "creat",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -713,6 +718,11 @@
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [] "args": []
}, },
{
"name": "mlock2",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{ {
"name": "mlockall", "name": "mlockall",
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
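Review bot: The `copy_file_range` and `mlock2` objects added here duplicate, by hand as far as this page shows, the entries added to `DefaultProfile` in the Go file of the same commit, and nothing visible stops the two lists from drifting apart. A drift matters for security: an operator who passes this JSON as a custom profile would get a different syscall surface from the built-in default without noticing. If this file is generated from the Go profile, say so in the commit description or contributor docs. If it is not, a test that marshals `DefaultProfile` and compares it with this file would catch a one-sided edit.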


@ -145,6 +145,11 @@ var DefaultProfile = &types.Seccomp{
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "copy_file_range",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "creat", Name: "creat",
Action: types.ActAllow, Action: types.ActAllow,
@ -745,6 +750,11 @@ var DefaultProfile = &types.Seccomp{
Action: types.ActAllow, Action: types.ActAllow,
Args: []*types.Arg{}, Args: []*types.Arg{},
}, },
{
Name: "mlock2",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{ {
Name: "mlockall", Name: "mlockall",
Action: types.ActAllow, Action: types.ActAllow,
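Review bot: The new entries `Name: "copy_file_range"` and `Name: "mlock2"` are, per the commit title, names introduced with libseccomp 2.3.0, and nothing in this section shows what happens on a host whose libseccomp is older. If the code that turns `DefaultProfile` into a filter treats an unresolvable name as an error, the default profile would fail to load there; if it skips the name, the call is presumably just denied, since every entry shown is an allow rule. Please confirm which applies and record it next to the entries, for example `// needs libseccomp >= 2.3.0; loader skips names it cannot resolve` (wording to match the real behaviour). `DefaultProfile` begins and ends outside both hunks, so the default action is not visible here.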