Move mlock back into the default ungated seccomp profile

Do not gate with CAP_IPC_LOCK as unprivileged use is now allowed in Linux. This returns it to how it was in 1.11. Fixes #23587 Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-06-15 16:25:27 -04:00 · 2016-06-15 16:25:27 -04:00 · bdf01cf5de
commit bdf01cf5de
parent 2a96ac66ea
2 changed files with 30 additions and 18 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -686,6 +686,21 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "mlock",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlock2",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlockall",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "mmap",
 			"action": "SCMP_ACT_ALLOW",
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@ -721,6 +721,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "mlock",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlock2",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlockall",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "mmap",
 			Action: types.ActAllow,
@ -1663,24 +1678,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 					Args:   []*types.Arg{},
 				},
 			}...)
-		case "CAP_IPC_LOCK":
-			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "mlock",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlock2",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlockall",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-			}...)
 		case "CAP_SYS_ADMIN":
 			capSysAdmin = true
 			syscalls = append(syscalls, []*types.Syscall{