
Block additional ptrace related syscalls in default seccomp profile

Block kcmp, process_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Justin Cormack 2015-12-29 17:02:11 +00:00
parent eb551baf6f
commit a0a8ca0ae0


@ -111,6 +111,13 @@ var defaultSeccompProfile = &configs.Seccomp{
Action: configs.Errno,
Args: []*configs.Arg{},
},
{
// Restrict process inspection capabilities
// Already blocked by dropping CAP_PTRACE
Name: "kcmp",
Action: configs.Errno,
Args: []*configs.Arg{},
},
{
// Sister syscall of kexec_load that does the same thing,
// slightly different arguments
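Review bot: The comment `// Already blocked by dropping CAP_PTRACE` on the new `kcmp` entry, repeated on `process_vm_readv` and `process_vm_writev` in the second hunk, misnames the capability and overstates what dropping it achieves. The capability is `CAP_SYS_PTRACE`, and the kernel gates these three calls with a ptrace access-mode check that can succeed without it when caller and target run with the same credentials. For same-UID processes inside a container, this seccomp rule is therefore likely the control that actually denies the call, not a redundant one. I would reword the comment on all three entries to something like `// Gated by ptrace access checks; CAP_SYS_PTRACE is dropped, but same-UID targets can still pass, so deny here`. The enclosing `defaultSeccompProfile` literal starts and ends outside the hunk.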
@ -209,6 +216,20 @@ var defaultSeccompProfile = &configs.Seccomp{
Action: configs.Errno,
Args: []*configs.Arg{},
},
{
// Restrict process inspection capabilities
// Already blocked by dropping CAP_PTRACE
Name: "process_vm_readv",
Action: configs.Errno,
Args: []*configs.Arg{},
},
{
// Restrict process modification capabilities
// Already blocked by dropping CAP_PTRACE
Name: "process_vm_writev",
Action: configs.Errno,
Args: []*configs.Arg{},
},
{
// Already blocked by dropping CAP_PTRACE
Name: "ptrace",