Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile

* Update profile to match docker documentation at
  https://docs.docker.com/engine/security/seccomp/

Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
Nicolas V Castet 2018-06-08 10:41:48 -05:00
parent e2593239d9
commit 47dfff68e4
2 changed files with 28 additions and 0 deletions


@ -746,6 +746,22 @@
]
},
"excludes": {}
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
}
]
}


@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: types.ActAllow,
Args: []*types.Arg{},
Includes: types.Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
}
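Review bot: The new rule for `get_mempolicy`/`mbind`/`set_mempolicy` carries no `Comment` (the mirrored JSON entry in the first file shows `"comment": ""`), so a reader of the generated profile cannot tell why these three NUMA memory-policy syscalls are gated on CAP_SYS_NICE rather than denied or allowed outright. A one-line rationale next to `Action: types.ActAllow` would fix that, e.g. `Comment: "NUMA memory-policy syscalls, permitted only when the container holds CAP_SYS_NICE; mirrors https://docs.docker.com/engine/security/seccomp/",`. Note that because the gate is capability-based, any container started with that capability added gains these calls, which is worth stating in the comment so operators reviewing `--cap-add` decisions see the coupling. If the JSON profile in the first file is generated from this Go source (it appears to be a verbatim mirror), it should be regenerated rather than edited by hand so the two cannot drift. The enclosing `DefaultProfile` starts and ends outside this hunk.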
return &types.Seccomp{