Fix seccomp profile for clone syscall

All namespace-related clone flags should be denied.

Based-on-patch-by: Kenta Tada <Kenta.Tada@sony.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2019-06-03 19:58:58 +02:00
parent 0105613eb2
commit a1ec8551ab
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
3 changed files with 5 additions and 5 deletions


@ -596,7 +596,7 @@
"args": [
{
"index": 0,
"value": 2080505856,
"value": 2114060288,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}
@ -621,7 +621,7 @@
"args": [
{
"index": 1,
"value": 2080505856,
"value": 2114060288,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}


@ -7,7 +7,7 @@
"args": [
{
"index": 0,
"value": 2080505856,
"value": 2114060288,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}


@ -518,7 +518,7 @@ func DefaultProfile() *types.Seccomp {
Args: []*types.Arg{
{
Index: 0,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0,
Op: types.OpMaskedEqual,
},
@ -536,7 +536,7 @@ func DefaultProfile() *types.Seccomp {
Args: []*types.Arg{
{
Index: 1,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0,
Op: types.OpMaskedEqual,
},
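Review bot: The seven-flag mask written out on line 55 is repeated verbatim on line 64 (the Index 1 variant, presumably for architectures that pass clone flags in the second argument — verify), and the same value appears as the bare decimal 2114060288 in the three JSON hunks above, so this fix had to be applied in five places. Hoisting it into one named constant in this file, e.g. `// namespaceCloneFlags must match the decimal mask in the JSON profiles (2114060288 == 0x7E040000).` followed by `const namespaceCloneFlags = unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP`, and using `Value: namespaceCloneFlags` in both Arg entries, keeps the two entries from drifting when the next flag is added. That drift matters more than usual here: with `Op: types.OpMaskedEqual` and `ValueTwo: 0` the rule matches only when none of the listed bits are set, so if this is the allow rule (the Action is outside the hunk) any namespace flag missing from the mask is silently permitted rather than blocked, and newer kernels do add such flags (CLONE_NEWTIME in Linux 5.6, for instance), which the mask must pick up deliberately. If the JSON profiles are generated from this function, a note to that effect on the constant would tell the next maintainer to regenerate rather than hand-edit the decimal. DefaultProfile begins and ends outside the hunk.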