Update the default seccomp to block socket calls to AF_VSOCK

Signed-off-by: Zhuchen Wang <zcwang@google.com>
This commit is contained in:
Zhuchen Wang 2022-10-11 15:02:22 -07:00
parent 32aa33a9f4
commit 17a9324035
No known key found for this signature in database
GPG Key ID: 552984AE2AA910B5


@ -357,7 +357,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"signalfd4", "signalfd4",
"sigprocmask", "sigprocmask",
"sigreturn", "sigreturn",
"socket",
"socketcall", "socketcall",
"socketpair", "socketpair",
"splice", "splice",
@ -411,6 +410,17 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
}, },
{
Names: []string{"socket"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{
{
Index: 0,
Value: unix.AF_VSOCK,
Op: specs.OpNotEqual,
},
},
},
{ {
Names: []string{"personality"}, Names: []string{"personality"},
Action: specs.ActAllow, Action: specs.ActAllow,
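Review bot: The new `socket` rule constrains only the direct socket(2) entry, while `socketcall` stays in the unconditional allow list (the `"socketcall", "socketcall",` line in the first hunk), so on ABIs where socket creation is multiplexed through socketcall(2) the address-family argument sits in a user-space block that seccomp cannot dereference, and AF_VSOCK is not filtered there. Neither the commit message nor the rule gives a rationale for singling out AF_VSOCK, so a reader of the profile cannot tell whether this is meant as a hard boundary or a best-effort default. I would add a comment above the rule, e.g. `// socket(2) is allowed for every address family except AF_VSOCK. socketcall(2) remains unrestricted, so this is not enforced on ABIs that route socket creation through it.` If a hard boundary is intended, those ABIs need a different mechanism, since seccomp cannot inspect socketcall's indirect arguments. DefaultProfile continues outside both hunks.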