Browse code
Block stime in default seccomp profile
The stime syscall is a legacy syscall on some architectures
to set the clock, should be blocked as time is not namespaced.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Justin Cormack authored on 2015/12/30 00:22:52Showing 1 changed files
| ... | ... |
@@ -281,6 +281,12 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 281 | 281 |
Args: []*configs.Arg{},
|
| 282 | 282 |
}, |
| 283 | 283 |
{
|
| 284 |
+ // Time/Date is not namespaced |
|
| 285 |
+ Name: "stime", |
|
| 286 |
+ Action: configs.Errno, |
|
| 287 |
+ Args: []*configs.Arg{},
|
|
| 288 |
+ }, |
|
| 289 |
+ {
|
|
| 284 | 290 |
// Deny start/stop swapping to file/device |
| 285 | 291 |
Name: "swapon", |
| 286 | 292 |
Action: configs.Errno, |