github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #5982 from AkihiroSuda/clone3

Browse Source
This commit is contained in:
Fu Wei 2021-09-15 14:27:47 +08:00 committed by GitHub
commit da6b0efccd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
contrib/seccomp/seccomp_default.go
View File

@ -50,6 +50,7 @@ func arches() []specs.Arch {
// DefaultProfile defines the allowed syscalls for the default seccomp profile. // DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp { func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
nosys := uint(unix.ENOSYS)
syscalls := []specs.LinuxSyscall{ syscalls := []specs.LinuxSyscall{
{ {
Names: []string{ Names: []string{
@ -527,6 +528,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Names: []string{ Names: []string{
"bpf", "bpf",
"clone", "clone",
"clone3",
"fanotify_init", "fanotify_init",
"fsconfig", "fsconfig",
"fsmount", "fsmount",
@ -658,6 +660,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
}, },
}) })
} }
// clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset
// https://github.com/moby/moby/pull/42681
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{
"clone3",
},
Action: specs.ActErrno,
ErrnoRet: &nosys,
})
} }
return s return s