The 'modify_ldt' was listed as "blocked by default",
but was whitelisted in 13a9d4e8993997b2bf9be7e96a8d7978a73d0b9b.
This updates the documentation to reflect this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -99,7 +99,6 @@ the reason each syscall is blocked rather than white-listed. |
| 99 | 99 |
| `keyctl` | Prevent containers from using the kernel keyring, which is not namespaced. | |
| 100 | 100 |
| `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. | |
| 101 | 101 |
| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | |
| 102 |
-| `modify_ldt` | Old syscall only used in 16-bit code and a potential information leak. | |
|
| 103 | 102 |
| `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. | |
| 104 | 103 |
| `move_pages` | Syscall that modifies kernel memory and NUMA settings. | |
| 105 | 104 |
| `name_to_handle_at` | Sister syscall to `open_by_handle_at`. Already gated by `CAP_SYS_NICE`. | |
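Review bot: Removing the `modify_ldt` row drops the only place the page recorded its risk ("a potential information leak") and puts nothing in its place, so a reader who relied on the earlier table has no signal that the default profile now permits this syscall. Consider adding a short sentence near the table stating that `modify_ldt` is allowed by the default profile as of the commit cited in the message, and that anyone who wants it denied has to supply a custom seccomp profile. Before merging, it is also worth confirming against the profile itself that the syscall is allowed unconditionally, since the table only makes sense if it mirrors what the profile enforces.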