Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.
Fixes #23587
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
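--- a/<JSON-SECCOMP-PROFILE-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<JSON-SECCOMP-PROFILE-PATH-NOT-SHOWN-ON-PAGE>
@@ -687,6 +687,21 @@
 "args": []
 },
 {
+"name": "mlock",
+"action": "SCMP_ACT_ALLOW",
+"args": []
+},
+{
+"name": "mlock2",
+"action": "SCMP_ACT_ALLOW",
+"args": []
+},
+{
+"name": "mlockall",
+"action": "SCMP_ACT_ALLOW",
+"args": []
+},
+{
 "name": "mmap",
 "action": "SCMP_ACT_ALLOW",
 "args": []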
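--- a/<GO-SECCOMP-DEFAULT-PROFILE-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<GO-SECCOMP-DEFAULT-PROFILE-PATH-NOT-SHOWN-ON-PAGE>
@@ -722,6 +722,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 {
+Name: "mlock",
+Action: types.ActAllow,
+Args: []*types.Arg{},
+},
+{
+Name: "mlock2",
+Action: types.ActAllow,
+Args: []*types.Arg{},
+},
+{
+Name: "mlockall",
+Action: types.ActAllow,
+Args: []*types.Arg{},
+},
+{
 Name: "mmap",
 Action: types.ActAllow,
 Args: []*types.Arg{},
@@ -1663,24 +1678,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 }...)
-case "CAP_IPC_LOCK":
-syscalls = append(syscalls, []*types.Syscall{
-{
-Name: "mlock",
-Action: types.ActAllow,
-Args: []*types.Arg{},
-},
-{
-Name: "mlock2",
-Action: types.ActAllow,
-Args: []*types.Arg{},
-},
-{
-Name: "mlockall",
-Action: types.ActAllow,
-Args: []*types.Arg{},
-},
-}...)
 case "CAP_SYS_ADMIN":
 capSysAdmin = true
 syscalls = append(syscalls, []*types.Syscall{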
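Review bot: The three new unconditional entries for mlock, mlock2 and mlockall in the first hunk of DefaultProfile carry no comment, so the reason they sit in the always-allowed list rather than under a capability case lives only in the commit message and in the removed CAP_IPC_LOCK case of the second hunk. A future reader auditing the allowlist will not see why these memory-pinning calls need no capability gate, and the bound that applies instead (the kernel's RLIMIT_MEMLOCK resource limit for unprivileged callers) is not stated anywhere in the source. I would add above the `Name: "mlock",` entry a comment such as `// mlock, mlock2 and mlockall are allowed unconditionally: Linux permits unprivileged use, bounded by RLIMIT_MEMLOCK, so no CAP_IPC_LOCK gate is needed (see #23587).` The same trio is added to the JSON profile in the earlier section, which has no comment syntax, so that rationale can only be recorded here. DefaultProfile starts before the first hunk and its capability switch continues outside the second hunk.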