From a0a8ca0ae0bc9dc7faa0b8bacf4ca376c7257348 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Tue, 29 Dec 2015 17:02:11 +0000
Subject: [PATCH] Block additional ptrace related syscalls in default seccomp profile

Block kcmp, procees_vm_readv, process_vm_writev. All these require CAP_PTRACE, and are only used for ptrace related actions, so are not useful as we block ptrace.

Signed-off-by: Justin Cormack
---
 daemon/execdriver/native/seccomp_default.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/daemon/execdriver/native/seccomp_default.go b/daemon/execdriver/native/seccomp_default.go
index 1075a0b315..437bd6269f 100644
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@@ -111,6 +111,13 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Errno,
 Args: []*configs.Arg{},
 },
+ {
+ // Restrict process inspection capabilities
+ // Already blocked by dropping CAP_PTRACE
+ Name: "kcmp",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
 {
 // Sister syscall of kexec_load that does the same thing,
 // slightly different arguments
@@ -209,6 +216,20 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Errno,
 Args: []*configs.Arg{},
 },
+ {
+ // Restrict process inspection capabilities
+ // Already blocked by dropping CAP_PTRACE
+ Name: "process_vm_readv",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
+ {
+ // Restrict process modification capabilities
+ // Already blocked by dropping CAP_PTRACE
+ Name: "process_vm_writev",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
 {
 // Already blocked by dropping CAP_PTRACE
 Name: "ptrace",
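Review bot: The comment `// Already blocked by dropping CAP_PTRACE` on the new kcmp entry overstates what the capability drop covers, and the capability is actually named CAP_SYS_PTRACE. kcmp is gated by a ptrace access-mode check, which a caller can generally pass against same-UID targets without holding the capability (subject to LSM policy). Inside a container this seccomp entry is therefore the effective control, not a redundant one. The same comment is repeated on the process_vm_readv and process_vm_writev entries in the second hunk, and the same reasoning applies there. I would reword all three along the lines of `// Not fully covered by dropping CAP_SYS_PTRACE: same-UID targets pass the ptrace access check without it`; the struct literal continues outside both hunks.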
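Review bot: Nothing in this commit exercises the new process_vm_readv and process_vm_writev entries (or kcmp in the first hunk); the diffstat shows only seccomp_default.go changed. The profile matches syscalls by string name, so a later rename or typo in a `Name:` field would not be caught by the compiler and may go unnoticed. Whether a test for the default profile exists elsewhere is not visible from this page. If none does, a small integration check that calls each of the three syscalls in a default container and expects the configured errno would pin the behaviour.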