From ad2821698757d702389f9c0841130336cc5648e5 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Wed, 15 Jun 2016 16:25:27 -0400
Subject: [PATCH] Move mlock back into the default ungated seccomp profile

Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.

Fixes #23587

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit bdf01cf5deee11deb426eb33e1c8433c410084b6)
---
 profiles/seccomp/default.json       | 15 +++++++++++++
 profiles/seccomp/seccomp_default.go | 33 +++++++++++++----------------
 2 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 51ec3d43bb..40af6ad3b5 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -686,6 +686,21 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "mlock",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlock2",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlockall",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "mmap",
 			"action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 87ae358ff5..9e8d47f929 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -721,6 +721,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "mlock",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlock2",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlockall",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "mmap",
 			Action: types.ActAllow,
@@ -1663,24 +1678,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 					Args:   []*types.Arg{},
 				},
 			}...)
-		case "CAP_IPC_LOCK":
-			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "mlock",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlock2",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlockall",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-			}...)
 		case "CAP_SYS_ADMIN":
 			capSysAdmin = true
 			syscalls = append(syscalls, []*types.Syscall{