Skip to content

Commit 8165b8b

Browse files
vvolandvvoland
committed
seccomp: Document AF_ALG and socketcall blocks from moby/moby#52494
Add `socket` and `socketcall` entries to the "Significant syscalls blocked by the default profile" table to reflect the seccomp profile changes that block AF_ALG sockets (CVE-2026-31431) and deny the socketcall multiplexer to prevent bypassing address family filters. Signed-off-by: Paweł Gronowski <[email protected]>
1 parent 9f9728e commit 8165b8b

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

content/manuals/engine/security/seccomp.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,8 @@ the reason each syscall is blocked rather than white-listed.
9898
| `setns` | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`. |
9999
| `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
100100
| `stime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. |
101+
| `socket` | Blocked for `AF_ALG` to prevent in-container privilege escalation via the kernel cryptographic API ([CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)). Also blocked for `AF_VSOCK`. See [moby/moby#52494](https://github.com/moby/moby/pull/52494). |
102+
| `socketcall` | Denied to prevent bypassing socket address family filters on architectures with the legacy `socketcall` multiplexer (i386, s390, MIPS o32). See [moby/moby#52494](https://github.com/moby/moby/pull/52494). |
101103
| `swapon` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. |
102104
| `swapoff` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. |
103105
| `sysfs` | Obsolete syscall. |

0 commit comments

Comments
 (0)