Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile
* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
This commit is contained in:
parent
e2593239d9
commit
47dfff68e4
2 changed files with 28 additions and 0 deletions
|
@ -746,6 +746,22 @@
|
|||
]
|
||||
},
|
||||
"excludes": {}
|
||||
},
|
||||
{
|
||||
"names": [
|
||||
"get_mempolicy",
|
||||
"mbind",
|
||||
"set_mempolicy"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": [],
|
||||
"comment": "",
|
||||
"includes": {
|
||||
"caps": [
|
||||
"CAP_SYS_NICE"
|
||||
]
|
||||
},
|
||||
"excludes": {}
|
||||
}
|
||||
]
|
||||
}
|
|
@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
|
|||
Caps: []string{"CAP_SYS_TTY_CONFIG"},
|
||||
},
|
||||
},
|
||||
{
|
||||
Names: []string{
|
||||
"get_mempolicy",
|
||||
"mbind",
|
||||
"set_mempolicy",
|
||||
},
|
||||
Action: types.ActAllow,
|
||||
Args: []*types.Arg{},
|
||||
Includes: types.Filter{
|
||||
Caps: []string{"CAP_SYS_NICE"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
return &types.Seccomp{
|
||||
|
|
Loading…
Reference in a new issue