From 17a93240359b406c78e5f08a20013f759ea230bf Mon Sep 17 00:00:00 2001
From: Zhuchen Wang
Date: Tue, 11 Oct 2022 15:02:22 -0700
Subject: [PATCH] Update the default seccomp to block socket calls to AF_VSOCK

Signed-off-by: Zhuchen Wang
---
 contrib/seccomp/seccomp_default.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 9940bf700..899242137 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -357,7 +357,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"signalfd4",
 				"sigprocmask",
 				"sigreturn",
-				"socket",
 				"socketcall",
 				"socketpair",
 				"splice",
@@ -411,6 +410,17 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 			Action: specs.ActAllow,
 			Args: []specs.LinuxSeccompArg{},
 		},
+		{
+			Names: []string{"socket"},
+			Action: specs.ActAllow,
+			Args: []specs.LinuxSeccompArg{
+				{
+					Index: 0,
+					Value: unix.AF_VSOCK,
+					Op: specs.OpNotEqual,
+				},
+			},
+		},
 		{
 			Names: []string{"personality"},
 			Action: specs.ActAllow,
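Review bot: The new `socket` rule in the second hunk only constrains the direct syscall, while `socketcall` remains in the unconditional allow list (the first hunk removes `"socket"` but keeps `"socketcall"` right after it), so on the 32-bit x86 ABI a container can presumably still obtain an AF_VSOCK socket through `socketcall(SYS_SOCKET, args)`, whose domain argument lives behind a pointer that seccomp-bpf cannot inspect; either document the restriction as best-effort on that ABI or add a matching rule for `socketcall`. The rule also carries no comment explaining why AF_VSOCK alone is singled out, so a reader of the profile has to guess; a line such as `// socket(2): allow every address family except AF_VSOCK, which would give the container a direct channel to the host side of a VM.` above `Names: []string{"socket"},` would make the intent explicit. The hunk references `unix.AF_VSOCK` without an import change, so it relies on `golang.org/x/sys/unix` already being imported by the file, which is not visible here and is worth confirming. DefaultProfile's body begins before and continues after both hunks.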