author | Justin Cormack <justin.cormack@docker.com> | 2016-05-23 15:19:19 -0700 |
---|---|---|
committer | Justin Cormack <justin.cormack@docker.com> | 2016-05-23 22:35:55 -0700 |
commit | a83cedddc6d3e0fe1df352ec54245090df641ab8 (patch) | |
tree | b7a38a9883d8f39c69bb2e06a9a1deff3d674168 /profiles | |
parent | a5aba7752a9716cde55e94705048407bed17374f (diff) | |
download | docker-a83cedddc6d3e0fe1df352ec54245090df641ab8.tar.gz |
Enable seccomp on ppc64le

In order to do this, allow the socketcall syscall in the default
seccomp profile. This is a multiplexing syscall for the socket
operations, which is becoming obsolete gradually, but it is used
in some architectures. libseccomp has special handling for it for
x86 where it is common, so we did not need it in the profile,
but does not have any handling for ppc64le. It turns out that the
Debian images we use for tests do use the socketcall, while the
newer images such as Ubuntu 16.04 do not. Enabling this does no
harm as we allow all the socket operations anyway, and we allow
the similar ipc call for similar reasons already.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
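
The reasoning in the commit message depends on every socket operation already being allowed. As an added example (not part of this commit or of the Docker code base), here is a small Go check that reports where an unconditional `socketcall` rule would undercut a stricter rule on a direct socket syscall. The function name `SocketcallGaps`, the short `socketOps` list, the top-level `"syscalls"` key, the default-deny assumption and the sample profile are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// socketOps is a subset of the operations that socketcall multiplexes.
var socketOps = []string{"socket", "bind", "connect", "listen"}

// SocketcallGaps lists socket syscalls the profile denies or argument-filters
// while an unconditional socketcall rule still reaches them. Assumes a
// default-deny profile with a top-level "syscalls" array.
func SocketcallGaps(profileJSON []byte) ([]string, error) {
	var p struct {
		Syscalls []struct {
			Name, Action string // encoding/json matches keys case-insensitively
			Args         []json.RawMessage
		}
	}
	if err := json.Unmarshal(profileJSON, &p); err != nil {
		return nil, err
	}
	open := map[string]bool{} // allowed with no argument filter
	for _, r := range p.Syscalls {
		if r.Action == "SCMP_ACT_ALLOW" && len(r.Args) == 0 {
			open[r.Name] = true
		}
	}
	var gaps []string
	for _, name := range socketOps {
		if open["socketcall"] && !open[name] {
			gaps = append(gaps, name)
		}
	}
	return gaps, nil
}

// Sample is a constructed profile: "socket" is argument-filtered, "listen" is absent.
const Sample = `{"syscalls": [
 {"name": "socket", "action": "SCMP_ACT_ALLOW", "args": [{"index": 0, "value": 1, "valueTwo": 0, "op": "SCMP_CMP_EQ"}]},
 {"name": "bind", "action": "SCMP_ACT_ALLOW", "args": []},
 {"name": "connect", "action": "SCMP_ACT_ALLOW", "args": []},
 {"name": "socketcall", "action": "SCMP_ACT_ALLOW", "args": []}]}`

func main() {
	fmt.Println(SocketcallGaps([]byte(Sample)))
}
```

An empty result means the profile is consistent in the sense the commit message relies on: nothing reachable through `socketcall` is restricted elsewhere.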
Diffstat (limited to 'profiles')
-rwxr-xr-x | profiles/seccomp/default.json | 5 | ||||
-rw-r--r-- | profiles/seccomp/seccomp_default.go | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index 049195fe97..212ff49942 100755 --- a/profiles/seccomp/default.json +++ b/profiles/seccomp/default.json @@ -1293,6 +1293,11 @@ "args": [] }, { + "name": "socketcall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { "name": "socketpair", "action": "SCMP_ACT_ALLOW", "args": [] diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go index 36aab3479a..a088412351 100644 --- a/profiles/seccomp/seccomp_default.go +++ b/profiles/seccomp/seccomp_default.go @@ -1322,6 +1322,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp { Args: []*types.Arg{}, }, { + Name: "socketcall", + Action: types.ActAllow, + Args: []*types.Arg{}, + }, + { Name: "socketpair", Action: types.ActAllow, Args: []*types.Arg{}, |
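
Review bot: in the profiles/seccomp/default.json hunk the new "socketcall" rule has "args": [] and carries no architecture condition, so every multiplexed socket operation is allowed on every architecture, not only on ppc64le where the commit message says it is needed. That matches the current profile, but the coupling is invisible in the file: if a later change restricts an individual socket syscall, this entry has to be revisited as well. Since JSON has no comments, please record that dependency in the seccomp documentation or next to the Go copy of the rule.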
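
Review bot: in the profiles/seccomp/seccomp_default.go hunk the "socketcall" entry is added to DefaultProfile without a comment, and the reason for it (no libseccomp handling for the multiplexed call on ppc64le, per the commit message) cannot be read from the list itself. A one-line comment above the entry would keep it from being removed as redundant later. The same rule is also added separately in default.json, so a test that compares the two lists would catch them drifting apart.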