Merge pull request #37242 from nvcastet/fix_sys_nice_seccomp

Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile
Sebastiaan van Stijn 2018-07-03 19:23:07 +02:00 committed by GitHub
commit 6273dffbda
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 0 deletions


@ -746,6 +746,22 @@
]
},
"excludes": {}
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
}
]
}
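Review bot: The new rule leaves `"comment": ""`, so nothing in the profile records why `get_mempolicy`, `mbind` and `set_mempolicy` are allowed only when `CAP_SYS_NICE` is granted; the matching entry in the Go `DefaultProfile()` hunk sets no comment either. JSON has no comment syntax, so the `comment` field is the place for the rationale, for example `"comment": "NUMA memory policy syscalls, allowed only when CAP_SYS_NICE is granted"`. Someone auditing or trimming the profile then sees the reason next to the rule instead of having to find this commit. If this file is generated from the Go profile (not visible on this page), the text belongs in the Go entry and the JSON should be regenerated from it.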


@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
Caps: []string{"CAP_SYS_TTY_CONFIG"},
},
},
{
Names: []string{
"get_mempolicy",
"mbind",
"set_mempolicy",
},
Action: types.ActAllow,
Args: []*types.Arg{},
Includes: types.Filter{
Caps: []string{"CAP_SYS_NICE"},
},
},
}
return &types.Seccomp{
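Review bot: Nothing in this commit exercises the new conditional entry: both changed files are profile data, and `Args: []*types.Arg{}` places no argument filter on the three syscalls, so the `Includes` capability check is the only gate. A test that builds the filter once with and once without `CAP_SYS_NICE` in the capability set, and asserts that `get_mempolicy`, `mbind` and `set_mempolicy` are allowed only in the first case, would catch a later edit that moves them into the unconditional allow list. `DefaultProfile()` starts above this hunk and continues past its last line, so the surrounding entries and the way the list is consumed are not visible here.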