authorDaniel J Walsh <dwalsh@redhat.com>2021-10-25 07:22:11 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-10-25 16:50:45 -0400
commita42c131c80fc8c7220687c56cf4384a224572ca0 (patch)
tree6b3907947aa49553ace7642034632b0ad8206157 /vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
parentdbe770e3ce2ac2e34ffa8e28b80df57eb0182a68 (diff)
Update vendor github.com/opencontainers/runtime-tools
This will change mount of /dev within container to noexec, making containers slightly more secure. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go')
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go14
1 files changed, 14 insertions, 0 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
index 5fee5a3b2..8a8dc3970 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
@@ -566,6 +566,20 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
},
}...)
/* Flags parameter of the clone syscall is the 2nd on s390 */
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
+ {
+ Names: []string{"clone"},
+ Action: rspec.ActAllow,
+ Args: []rspec.LinuxSeccompArg{
+ {
+ Index: 1,
+ Value: 2080505856,
+ ValueTwo: 0,
+ Op: rspec.OpMaskedEqual,
+ },
+ },
+ },
+ }...)
}
return &rspec.LinuxSeccomp{