GitList

Browse code

Add ipc syscall to default seccomp profile

On 32 bit x86 this is a multiplexing syscall for the system V
ipc syscalls such as shmget, and so needs to be allowed for
shared memory access for 32 bit binaries.

Fixes #20733

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

Justin Cormack authored on 2016/03/06 07:10:12
Showing 2 changed files

profiles/seccomp/default.json index 1addba4..91f04d6 100755
profiles/seccomp/seccomp_default.go index 9fa5097..181e9f5 100644

profiles/seccomp/default.json

History View file @ 31410a6

@@ -594,6 +594,11 @@
                      			"args": []
                      		},
+                     		{
                     +			"name": "ipc",
                     +			"action": "SCMP_ACT_ALLOW",
                     +			"args": []
                     +		},
                     +		{
                      			"name": "kill",
                      			"action": "SCMP_ACT_ALLOW",
                      			"args": []

profiles/seccomp/seccomp_default.go

History View file @ 31410a6

@@ -626,6 +626,11 @@ var DefaultProfile = &types.Seccomp{
                      			Args:   []*types.Arg{},
                      		},
+                     		{
                     +			Name:   "ipc",
                     +			Action: types.ActAllow,
                     +			Args:   []*types.Arg{},
                     +		},
                     +		{
                      			Name:   "kill",
                      			Action: types.ActAllow,
                      			Args:   []*types.Arg{},