github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #4491 from thaJeztah/seccomp_syslog

Browse Source 
seccomp: move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG
This commit is contained in:
Michael Crosby 2020-08-25 11:35:28 -04:00 committed by GitHub
commit 396b863138
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
contrib/seccomp/seccomp_default.go
View File

@ -350,7 +350,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"sysinfo", "sysinfo",
"syslog",
"tee", "tee",
"tgkill", "tgkill",
"time", "time",
@ -529,6 +528,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"setdomainname", "setdomainname",
"sethostname", "sethostname",
"setns", "setns",
"syslog",
"umount", "umount",
"umount2", "umount2",
"unshare", "unshare",
@ -600,6 +600,12 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
}) })
case "CAP_SYSLOG":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{"syslog"},
Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{},
})
} }
} }