diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2021-10-25 07:22:11 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-10-25 16:50:45 -0400 |
commit | a42c131c80fc8c7220687c56cf4384a224572ca0 (patch) | |
tree | 6b3907947aa49553ace7642034632b0ad8206157 /vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go | |
parent | dbe770e3ce2ac2e34ffa8e28b80df57eb0182a68 (diff) | |
download | podman-a42c131c80fc8c7220687c56cf4384a224572ca0.tar.gz podman-a42c131c80fc8c7220687c56cf4384a224572ca0.tar.bz2 podman-a42c131c80fc8c7220687c56cf4384a224572ca0.zip |
Update vendor github.com/opencontainers/runtime-tools
This will change mount of /dev within container to noexec, making
containers slightly more secure.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go')
-rw-r--r-- | vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go index 5fee5a3b2..8a8dc3970 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go @@ -566,6 +566,20 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp { }, }...) /* Flags parameter of the clone syscall is the 2nd on s390 */ + syscalls = append(syscalls, []rspec.LinuxSyscall{ + { + Names: []string{"clone"}, + Action: rspec.ActAllow, + Args: []rspec.LinuxSeccompArg{ + { + Index: 1, + Value: 2080505856, + ValueTwo: 0, + Op: rspec.OpMaskedEqual, + }, + }, + }, + }...) } return &rspec.LinuxSeccomp{ |