From a1ec8551ab48962c0b71111de8917c189bf0226b Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Mon, 3 Jun 2019 19:58:58 +0200
Subject: [PATCH] Fix seccomp profile for clone syscall

All clone flags for namespace should be denied.

Based-on-patch-by: Kenta Tada
Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/default.json | 4 ++--
 profiles/seccomp/fixtures/example.json | 2 +-
 profiles/seccomp/seccomp_default.go | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 4508c3ccce..250a03e13c 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -596,7 +596,7 @@
 "args": [
 {
 "index": 0,
- "value": 2080505856,
+ "value": 2114060288,
 "valueTwo": 0,
 "op": "SCMP_CMP_MASKED_EQ"
 }
@@ -621,7 +621,7 @@
 "args": [
 {
 "index": 1,
- "value": 2080505856,
+ "value": 2114060288,
 "valueTwo": 0,
 "op": "SCMP_CMP_MASKED_EQ"
 }
diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json
index 674ca50fd9..848045899b 100755
--- a/profiles/seccomp/fixtures/example.json
+++ b/profiles/seccomp/fixtures/example.json
@@ -7,7 +7,7 @@
 "args": [
 {
 "index": 0,
- "value": 2080505856,
+ "value": 2114060288,
 "valueTwo": 0,
 "op": "SCMP_CMP_MASKED_EQ"
 }
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 36bc4ea9d4..53333f43e5 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -518,7 +518,7 @@ func DefaultProfile() *types.Seccomp {
 Args: []*types.Arg{
 {
 Index: 0,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 ValueTwo: 0,
 Op: types.OpMaskedEqual,
 },
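Review bot: The namespace-flag mask on the added `Value:` line is spelled out by hand here (arg index 0) and again in the `@@ -536` hunk (arg index 1), and the two JSON profiles carry the same set as the opaque literal 2114060288, so every future flag has to be threaded through five lines in three files, which is exactly what this commit had to do. Hoisting the mask into one named constant, `cloneNamespaceFlags = unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP`, and writing `Value: cloneNamespaceFlags,` in both rules leaves a single place to audit. A doc comment on that constant along the lines of `// cloneNamespaceFlags are the clone(2) flags that create a new namespace; the masked-equal rule only matches when none of them is set (flags & mask == 0), so the numeric value in the JSON profiles must be updated whenever this set changes.` would record the intent that the bare OR expression does not; I read "matches only when none is set" from the OpMaskedEqual/ValueTwo 0 pair, while the action and capability exclusion that decide what happens on a match sit outside the hunk. For the record, 2114060288 is 0x7E020000, which does equal the OR of the seven flags listed, so the Go and JSON sides agree. DefaultProfile() starts and ends outside this hunk.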
@@ -536,7 +536,7 @@ func DefaultProfile() *types.Seccomp {
 Args: []*types.Arg{
 {
 Index: 1,
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
 ValueTwo: 0,
 Op: types.OpMaskedEqual,
 },