author | Justin Cormack <justin.cormack@docker.com> | 2016-06-15 16:25:27 -0400 |
---|---|---|
committer | Justin Cormack <justin.cormack@docker.com> | 2016-06-15 16:25:27 -0400 |
commit | bdf01cf5deee11deb426eb33e1c8433c410084b6 (patch) | |
tree | ef2015a17dfe8e99824cfe63aa5933cae0eebc9e /profiles | |
parent | 2a96ac66ea41d206161a6ef022e10d53f99e86ec (diff) | |
Move mlock back into the default ungated seccomp profile
Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.
Fixes #23587
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Diffstat (limited to 'profiles')
-rwxr-xr-x | profiles/seccomp/default.json | 15 | ||||
-rw-r--r-- | profiles/seccomp/seccomp_default.go | 33 |
2 files changed, 30 insertions, 18 deletions
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 51ec3d43bb..40af6ad3b5 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -687,6 +687,21 @@
 "args": []
 },
 {
+ "name": "mlock",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "mlock2",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
+ "name": "mlockall",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
+ {
 "name": "mmap",
 "action": "SCMP_ACT_ALLOW",
 "args": []
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 87ae358ff5..9e8d47f929 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -722,6 +722,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 {
+ Name: "mlock",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "mlock2",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
+ Name: "mlockall",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
+ {
 Name: "mmap",
 Action: types.ActAllow,
 Args: []*types.Arg{},
@@ -1663,24 +1678,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 Args: []*types.Arg{},
 },
 }...)
- case "CAP_IPC_LOCK":
- syscalls = append(syscalls, []*types.Syscall{
- {
- Name: "mlock",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "mlock2",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- {
- Name: "mlockall",
- Action: types.ActAllow,
- Args: []*types.Arg{},
- },
- }...)
 case "CAP_SYS_ADMIN":
 capSysAdmin = true
 syscalls = append(syscalls, []*types.Syscall{ |
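Review bot: The three new entries added to DefaultProfile in the first Go hunk carry no comment explaining why mlock, mlock2 and mlockall are now in the ungated allow list, so the reasoning in the commit message (unprivileged use is permitted by the kernel, and the entries were gated on CAP_IPC_LOCK up to this change) is lost to anyone auditing the profile later; a one-line comment above the `Name: "mlock",` entry such as `// mlock family is ungated: unprivileged calls are bounded by RLIMIT_MEMLOCK, so no CAP_IPC_LOCK check is needed (#23587).` would preserve it. Since default.json has no comment syntax, the Go file is the only place this rationale can live, and the two profiles must be kept in step — the JSON hunk and the Go hunk add identical entries here, which is correct. Whether munlock/munlockall are already in the ungated list cannot be seen from this hunk; worth confirming, since leaving only the lock side allowed would be an odd asymmetry. DefaultProfile begins and ends outside the hunks shown.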