1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

9 commits

Author SHA1 Message Date
Justin Cormack
39b799ac53 Add some uses of personality syscall to default seccomp filter
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.

See issue #20634

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-02-26 18:43:08 +01:00
Antonio Murdaca
11435b674b
add seccomp default profile fix tests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-19 13:32:54 -08:00
Jessica Frazelle
ad600239bc
generate seccomp profile convert type
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-19 13:32:54 -08:00
Aleksa Sarai
284d9d451e apparmor: use correct version for ptrace denial suppression
Ubuntu ships apparmor_parser 2.9 erroniously as "2.8.95". Fix the
incorrect version check for >=2.8, when in fact 2.8 deosn't support the
required feature.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:29 +11:00
Aleksa Sarai
4bf7a84c96 apparmor: fix version checks to work properly
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-15 20:36:07 +11:00
Jessica Frazelle
9bc771af9d
add validation for generating default secccomp profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-08 13:04:52 -08:00
Jessica Frazelle
d57816de02
add default seccomp profile as json
profile is created by go generate

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-08 08:19:21 -08:00
Jessica Frazelle
bed0bb7d01
move default seccomp profile into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:29 -08:00
Jessica Frazelle
35e50119fc
move default apparmor policy into package
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-21 16:55:27 -08:00