containerd

Author	SHA1	Message	Date
Michael Crosby	86f8be86e1	Add sigprocmask to default profile Signed-off-by: Michael Crosby <crosbymichael@gmail.com>	2019-08-29 11:07:03 -04:00
Kenta Tada	5b9a43d2e7	Fix seccomp contributed profile for clone syscall All clone flags for namespace should be denied. Also x/sys should be used instead of syscall. Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>	2019-06-03 14:23:34 +09:00
Sebastiaan van Stijn	8f8fd3c3a8	seccomp: whitelist statx syscall This whitelists the statx syscall; libseccomp-2.3.3 or up is needed for this, older seccomp versions will ignore this. Equivalent of https://github.com/moby/moby/pull/36417 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2019-03-20 11:59:02 +01:00
Avi Kivity	4506eb45bf	seccomp: whitelist io_pgetevents io_pgetevents() is a new Linux system call, similar to the already-whitelisted io_getevents(). It has no security implications. Whitelist it so applications can use the new system call. Fixes #3105. Signed-off-by: Avi Kivity <avi@scylladb.com>	2019-03-19 11:56:32 +02:00
Justin Cormack	9435aeeb30	The set of bounding capabilities is the largest group No capabilities can be granted outside the bounding set, so there is no point looking at any other set for the largest scope. Signed-off-by: Justin Cormack <justin.cormack@docker.com>	2018-03-28 17:36:46 -07:00
Kunal Kushwaha	b12c3215a0	Licence header added Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>	2018-02-19 10:32:26 +09:00
Justin Cormack	35be3d5127	Remove a really confusing fallthrough This is so confusing, and not needed. Signed-off-by: Justin Cormack <justin.cormack@docker.com>	2018-02-08 16:22:29 +00:00
Mike Brown	120bb4cd47	fixes missing default permission Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2017-09-20 13:15:39 -05:00
Mike Brown	426650f21b	adds seccomp helpers Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2017-09-13 13:11:30 -05:00

9 Commits