github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

seccomp: seccomp: add syscalls related to PKU in default policy

Browse Source 
Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile.
pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure
the calling process's own memory, so they are existing "safe for everyone" syscalls.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2022-07-13 23:03:35 +02:00
parent ff91434af1
commit 19e8479837
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
contrib/seccomp/seccomp_default.go
View File

@ -249,6 +249,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"pidfd_send_signal",
"pipe",
"pipe2",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",