Merge pull request #18972 from justincormack/bpf

Block bpf syscall from default seccomp profile

daemon/execdriver/native/seccomp_default.go

@@ -28,6 +28,13 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Deny loading potentially persistent bpf programs into kernel
+			// already gated by CAP_SYS_ADMIN
+			Name:   "bpf",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Time/Date is not namespaced
 			Name:   "clock_adjtime",