Browse code
Merge pull request #18972 from justincormack/bpf
Block bpf syscall from default seccomp profile
Arnaud Porterie authored on 2015/12/30 04:57:07Showing 1 changed files
| ... | ... |
@@ -29,6 +29,13 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 29 | 29 |
Args: []*configs.Arg{},
|
| 30 | 30 |
}, |
| 31 | 31 |
{
|
| 32 |
+ // Deny loading potentially persistent bpf programs into kernel |
|
| 33 |
+ // already gated by CAP_SYS_ADMIN |
|
| 34 |
+ Name: "bpf", |
|
| 35 |
+ Action: configs.Errno, |
|
| 36 |
+ Args: []*configs.Arg{},
|
|
| 37 |
+ }, |
|
| 38 |
+ {
|
|
| 32 | 39 |
// Time/Date is not namespaced |
| 33 | 40 |
Name: "clock_adjtime", |
| 34 | 41 |
Action: configs.Errno, |