Browse code
Merge pull request #18959 from justincormack/finit_module
Deny finit_module in default seccomp profile
Arnaud Porterie authored on 2015/12/30 03:12:50Showing 1 changed files
| ... | ... |
@@ -78,6 +78,12 @@ var defaultSeccompProfile = &configs.Seccomp{
|
| 78 | 78 |
Args: []*configs.Arg{},
|
| 79 | 79 |
}, |
| 80 | 80 |
{
|
| 81 |
+ // Deny manipulation and functions on kernel modules. |
|
| 82 |
+ Name: "finit_module", |
|
| 83 |
+ Action: configs.Errno, |
|
| 84 |
+ Args: []*configs.Arg{},
|
|
| 85 |
+ }, |
|
| 86 |
+ {
|
|
| 81 | 87 |
// Deny retrieval of exported kernel and module symbols |
| 82 | 88 |
Name: "get_kernel_syms", |
| 83 | 89 |
Action: configs.Errno, |