Remove mlock and vhangup from the default seccomp profile

These syscalls are already blocked by the default capabilities: mlock mlock2 mlockall require CAP_IPC_LOCK vhangup requires CAP_SYS_TTY_CONFIG There is therefore no reason to allow them in the default profile as they cannot be used anyway. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-04-21 18:23:59 +01:00 · 2016-04-21 18:23:59 +01:00 · e7a99ae5e1
commit e7a99ae5e1
parent 228759fd42
2 changed files with 0 additions and 40 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -713,21 +713,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "mlock",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "mlock2",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
-		{
-			"name": "mlockall",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "mmap",
 			"action": "SCMP_ACT_ALLOW",
@ -1564,11 +1549,6 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
-		{
-			"name": "vhangup",
-			"action": "SCMP_ACT_ALLOW",
-			"args": []
-		},
 		{
 			"name": "vmsplice",
 			"action": "SCMP_ACT_ALLOW",
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@ -745,21 +745,6 @@ var DefaultProfile = &types.Seccomp{
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
-		{
-			Name:   "mlock",
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-		},
-		{
-			Name:   "mlock2",
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-		},
-		{
-			Name:   "mlockall",
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-		},
 		{
 			Name:   "mmap",
 			Action: types.ActAllow,
@ -1593,11 +1578,6 @@ var DefaultProfile = &types.Seccomp{
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
-		{
-			Name:   "vhangup",
-			Action: types.ActAllow,
-			Args:   []*types.Arg{},
-		},
 		{
 			Name:   "vmsplice",
 			Action: types.ActAllow,