Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile

nvcastet · nvcastet · commit 47dfff68e436 · 2018-06-20T07:32:08.000-05:00
* Update profile to match docker documentation at https://docs.docker.com/engine/security/seccomp/ Signed-off-by: Nicolas V Castet <nvcastet@us.ibm.com>
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -746,6 +746,22 @@
 				]
 			},
 			"excludes": {}
+		},
+		{
+			"names": [
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_NICE"
+				]
+			},
+			"excludes": {}
 		}
 	]
 }
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
@@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
+		{
+			Names: []string{
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_NICE"},
+			},
+		},
 	}
 
 	return &types.Seccomp{

Original file line number	Diff line number	Diff line change
`@@ -746,6 +746,22 @@`
`746`	`746`	`]`
`747`	`747`	`},`
`748`	`748`	`"excludes": {}`
	`749`	`+ },`
	`750`	`+ {`
	`751`	`+ "names": [`
	`752`	`+ "get_mempolicy",`
	`753`	`+ "mbind",`
	`754`	`+ "set_mempolicy"`
	`755`	`+ ],`
	`756`	`+ "action": "SCMP_ACT_ALLOW",`
	`757`	`+ "args": [],`
	`758`	`+ "comment": "",`
	`759`	`+ "includes": {`
	`760`	`+ "caps": [`
	`761`	`+ "CAP_SYS_NICE"`
	`762`	`+ ]`
	`763`	`+ },`
	`764`	`+ "excludes": {}`
`749`	`765`	`}`
`750`	`766`	`]`
`751`	`767`	`}`