These syscalls are already blocked by the default capability set:
mlock, mlock2 and mlockall require CAP_IPC_LOCK
vhangup requires CAP_SYS_TTY_CONFIG
There is therefore no reason to allow them in the default profile,
as they cannot be used anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
| ... | ... |
@@ -714,21 +714,6 @@ |
| 714 | 714 |
"args": [] |
| 715 | 715 |
}, |
| 716 | 716 |
{
|
| 717 |
- "name": "mlock", |
|
| 718 |
- "action": "SCMP_ACT_ALLOW", |
|
| 719 |
- "args": [] |
|
| 720 |
- }, |
|
| 721 |
- {
|
|
| 722 |
- "name": "mlock2", |
|
| 723 |
- "action": "SCMP_ACT_ALLOW", |
|
| 724 |
- "args": [] |
|
| 725 |
- }, |
|
| 726 |
- {
|
|
| 727 |
- "name": "mlockall", |
|
| 728 |
- "action": "SCMP_ACT_ALLOW", |
|
| 729 |
- "args": [] |
|
| 730 |
- }, |
|
| 731 |
- {
|
|
| 732 | 717 |
"name": "mmap", |
| 733 | 718 |
"action": "SCMP_ACT_ALLOW", |
| 734 | 719 |
"args": [] |
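Review bot: The premise that mlock, mlock2 and mlockall are unusable without CAP_IPC_LOCK does not hold, so dropping their entries here (and the matching ones in the Go profile under `@@ -746,21 +746,6 @@ var DefaultProfile`) is a behaviour change rather than dead-code removal: a process without CAP_IPC_LOCK may still lock memory up to its RLIMIT_MEMLOCK soft limit, and the capability only lifts that limit. With the entries gone, those calls are presumably handled by the profile's default action instead of succeeding within the rlimit, which affects software that locks key material or pinned I/O buffers in an unprivileged container. Either keep the three entries, or, if denying them is the intent, state that in the commit message and document the new failure mode for callers that stayed within RLIMIT_MEMLOCK. The vhangup removal in the later hunks is consistent with the message, since that call does require CAP_SYS_TTY_CONFIG.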
| ... | ... |
@@ -1565,11 +1550,6 @@ |
| 1565 | 1565 |
"args": [] |
| 1566 | 1566 |
}, |
| 1567 | 1567 |
{
|
| 1568 |
- "name": "vhangup", |
|
| 1569 |
- "action": "SCMP_ACT_ALLOW", |
|
| 1570 |
- "args": [] |
|
| 1571 |
- }, |
|
| 1572 |
- {
|
|
| 1573 | 1568 |
"name": "vmsplice", |
| 1574 | 1569 |
"action": "SCMP_ACT_ALLOW", |
| 1575 | 1570 |
"args": [] |
| ... | ... |
@@ -746,21 +746,6 @@ var DefaultProfile = &types.Seccomp{
|
| 746 | 746 |
Args: []*types.Arg{},
|
| 747 | 747 |
}, |
| 748 | 748 |
{
|
| 749 |
- Name: "mlock", |
|
| 750 |
- Action: types.ActAllow, |
|
| 751 |
- Args: []*types.Arg{},
|
|
| 752 |
- }, |
|
| 753 |
- {
|
|
| 754 |
- Name: "mlock2", |
|
| 755 |
- Action: types.ActAllow, |
|
| 756 |
- Args: []*types.Arg{},
|
|
| 757 |
- }, |
|
| 758 |
- {
|
|
| 759 |
- Name: "mlockall", |
|
| 760 |
- Action: types.ActAllow, |
|
| 761 |
- Args: []*types.Arg{},
|
|
| 762 |
- }, |
|
| 763 |
- {
|
|
| 764 | 749 |
Name: "mmap", |
| 765 | 750 |
Action: types.ActAllow, |
| 766 | 751 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -1594,11 +1579,6 @@ var DefaultProfile = &types.Seccomp{
|
| 1594 | 1594 |
Args: []*types.Arg{},
|
| 1595 | 1595 |
}, |
| 1596 | 1596 |
{
|
| 1597 |
- Name: "vhangup", |
|
| 1598 |
- Action: types.ActAllow, |
|
| 1599 |
- Args: []*types.Arg{},
|
|
| 1600 |
- }, |
|
| 1601 |
- {
|
|
| 1602 | 1597 |
Name: "vmsplice", |
| 1603 | 1598 |
Action: types.ActAllow, |
| 1604 | 1599 |
Args: []*types.Arg{},
|