All clone flags that create namespaces should be denied.
Based-on-patch-by: Kenta Tada <Kenta.Tada@sony.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -596,7 +596,7 @@ |
| 596 | 596 |
"args": [ |
| 597 | 597 |
{
|
| 598 | 598 |
"index": 0, |
| 599 |
- "value": 2080505856, |
|
| 599 |
+ "value": 2114060288, |
|
| 600 | 600 |
"valueTwo": 0, |
| 601 | 601 |
"op": "SCMP_CMP_MASKED_EQ" |
| 602 | 602 |
} |
| ... | ... |
@@ -621,7 +621,7 @@ |
| 621 | 621 |
"args": [ |
| 622 | 622 |
{
|
| 623 | 623 |
"index": 1, |
| 624 |
- "value": 2080505856, |
|
| 624 |
+ "value": 2114060288, |
|
| 625 | 625 |
"valueTwo": 0, |
| 626 | 626 |
"op": "SCMP_CMP_MASKED_EQ" |
| 627 | 627 |
} |
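Review bot: Nothing ties the decimal mask `2114060288` at new lines 599 and 624 to the flag list it encodes, so a reader has to redo the arithmetic to confirm which namespace flags the rule covers. The value is 0x7E020000, i.e. the previous 0x7C020000 plus 0x02000000 (CLONE_NEWCGROUP), so it does agree with the Go-side expression in this commit. JSON cannot carry a comment, so the safeguard has to live elsewhere: either generate this file from the Go profile, or add a test that loads it and compares both `value` fields with the OR of the `unix.CLONE_NEW*` constants. If the file is already generated (not visible from this page), it should be regenerated, not hand-edited.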
| ... | ... |
@@ -518,7 +518,7 @@ func DefaultProfile() *types.Seccomp {
|
| 518 | 518 |
Args: []*types.Arg{
|
| 519 | 519 |
{
|
| 520 | 520 |
Index: 0, |
| 521 |
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, |
|
| 521 |
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, |
|
| 522 | 522 |
ValueTwo: 0, |
| 523 | 523 |
Op: types.OpMaskedEqual, |
| 524 | 524 |
}, |
| ... | ... |
@@ -536,7 +536,7 @@ func DefaultProfile() *types.Seccomp {
|
| 536 | 536 |
Args: []*types.Arg{
|
| 537 | 537 |
{
|
| 538 | 538 |
Index: 1, |
| 539 |
- Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET, |
|
| 539 |
+ Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP, |
|
| 540 | 540 |
ValueTwo: 0, |
| 541 | 541 |
Op: types.OpMaskedEqual, |
| 542 | 542 |
}, |
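Review bot: The namespace mask is now written out twice in DefaultProfile, at new line 521 (`Index: 0`) and new line 539 (`Index: 1`), so any future flag change must be repeated in both places and in the JSON literal, and a missed copy would silently leave one argument position unfiltered. Defining the OR of the `unix.CLONE_NEW*` flags once and using that name for both `Value:` fields would remove the duplication. A short comment on the rule would also help, for example `// masked-equal with ValueTwo 0: matches only when none of the namespace flags are set`, because with `types.OpMaskedEqual` the `Value` is the mask and not a value to match. The action attached to these rules and the rest of DefaultProfile lie outside the hunks, so the comment wording should be checked against them.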