seccomp: kernel 5.14 (quotactl_fd, memfd_secret)

- Allow `quotactl_fd` when `CAP_SYS_ADMIN` is granted.
  See https://lwn.net/Articles/859679/

- Allow `memfd_secret` by default.
  See https://lwn.net/Articles/865256/

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Akihiro Suda 2022-01-31 15:31:37 +09:00
parent 17a2831f70
commit c013db6965

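--- a/PLACEHOLDER-PATH-not-shown-on-page
+++ b/PLACEHOLDER-PATH-not-shown-on-page
@@ -204,6 +204,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "madvise",
 "membarrier",
 "memfd_create",
+"memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -546,6 +547,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "open_tree",
 "perf_event_open",
 "quotactl",
+"quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",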
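Review bot: The `memfd_secret` entry in the first hunk is added to the unconditional allowlist with nothing in the code recording why it needs no gating, while `quotactl_fd` in the second hunk is deliberately placed next to `quotactl` in the `CAP_SYS_ADMIN` group; the asymmetry is correct but invisible to the next reader of this list. As far as I recall, on 5.14 the syscall is only functional on kernels booted with the secretmem option enabled and fails with ENOSYS otherwise, and the memory it creates is pinned and unswappable, so the relevant concern is memory accounting rather than privilege — worth confirming against the article the description links. A one-line comment on the new entry, e.g. `"memfd_secret", // kernel 5.14; see https://lwn.net/Articles/865256/`, would preserve that rationale in the source rather than only in the commit message. The body of `DefaultProfile` starts and ends outside both hunks.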