Merge pull request #18959 from justincormack/finit_module

Deny finit_module in default seccomp profile

daemon/execdriver/native/seccomp_default.go

@@ -77,6 +77,12 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Deny manipulation and functions on kernel modules.
+			Name:   "finit_module",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Deny retrieval of exported kernel and module symbols
 			Name:   "get_kernel_syms",