From c1ca124682a90f3306b34ad104ba80e413f7bf88 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Wed, 10 Aug 2016 12:22:36 +0100
Subject: [PATCH] Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH

Only open_by_handle_at requires CAP_DAC_READ_SEARCH. This allows systemd to run with only `--cap-add SYS_ADMIN` rather than having to also add `--cap-add DAC_READ_SEARCH` as well which it does not really need.
Signed-off-by: Justin Cormack
---
 profiles/seccomp/seccomp_default.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 9e8d47f929..d23c7732e3 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -1667,11 +1667,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 switch cap {
 case "CAP_DAC_READ_SEARCH":
 syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "name_to_handle_at",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
 {
 Name: "open_by_handle_at",
 Action: types.ActAllow,
@@ -1706,6 +1701,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "name_to_handle_at",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "perf_event_open",
 Action: types.ActAllow,
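Review bot: The relocated `name_to_handle_at` entry in the second hunk carries no comment saying why it is gated on a different capability than `open_by_handle_at`, which the first hunk leaves under `CAP_DAC_READ_SEARCH`, so a later cleanup could easily regroup the pair; a one-line comment above the new entry such as `// name_to_handle_at only produces a handle; using it still needs open_by_handle_at, which stays gated on CAP_DAC_READ_SEARCH` would record the split. The `case` label for the second hunk lies outside the hunk, so its being the `CAP_SYS_ADMIN` branch is inferred from the commit title rather than visible in the diff. A handle obtained this way still discloses inode and mount identifiers to a container holding that capability even though the kernel refuses to open it without `CAP_DAC_READ_SEARCH`, which is worth a sentence in the commit message or the comment. If the project keeps user-facing documentation listing which syscalls each capability unlocks, it needs the matching move. `DefaultProfile` begins and ends outside both hunks.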