
Commit 17a9324

Update the default seccomp to block socket calls to AF_VSOCK
Signed-off-by: Zhuchen Wang <[email protected]>
1 parent 32aa33a commit 17a9324

1 file changed

Lines changed: 11 additions & 1 deletion

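--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -357,7 +357,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "signalfd4",
 "sigprocmask",
 "sigreturn",
-"socket",
 "socketcall",
 "socketpair",
 "splice",
@@ -411,6 +410,17 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
 },
+{
+Names: []string{"socket"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{
+{
+Index: 0,
+Value: unix.AF_VSOCK,
+Op: specs.OpNotEqual,
+},
+},
+},
 {
 Names: []string{"personality"},
 Action: specs.ActAllow,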
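Review bot: The new `socket` rule only covers the direct socket(2) entry point; `socketcall` stays in the unconditional allow list in the first hunk, so on architectures where socket(2) is reached through the socketcall(2) multiplexer the AF_VSOCK restriction presumably does not apply, and a matching arg filter on socketcall (or a note that those architectures are out of scope) is needed for the restriction to be complete. The rule also carries no comment explaining the intent; I would add one above the new entry, e.g. `// socket(2) is allowed for every domain except AF_VSOCK; calls with AF_VSOCK fall through to the profile's default action.` Whether that default action is an errno or a kill is not visible in this hunk, so the comment should name it once confirmed. The hunk assumes `unix` (golang.org/x/sys/unix) is already imported in this file; if it is not, this change does not compile. DefaultProfile starts and ends outside both hunks.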
