github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #3314 from KentaTada/fix-clone-seccomp-cgroupns

Browse Source 
Fix seccomp contributed profile for clone syscall
This commit is contained in:
Phil Estes 2019-06-03 17:51:55 +01:00 committed by GitHub
commit 48a1fca855
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
contrib/seccomp/seccomp_default.go
View File

@ -20,7 +20,8 @@ package seccomp
import ( import (
"runtime" "runtime"
"syscall"
"golang.org/x/sys/unix"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
) )
@ -555,7 +556,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Args: []specs.LinuxSeccompArg{ Args: []specs.LinuxSeccompArg{
{ {
Index: 1, Index: 1,
Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0, ValueTwo: 0,
Op: specs.OpMaskedEqual, Op: specs.OpMaskedEqual,
}, },
@ -570,7 +571,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Args: []specs.LinuxSeccompArg{ Args: []specs.LinuxSeccompArg{
{ {
Index: 0, Index: 0,
Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, Value: unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
ValueTwo: 0, ValueTwo: 0,
Op: specs.OpMaskedEqual, Op: specs.OpMaskedEqual,
}, },