Update the default seccomp to block socket calls to AF_VSOCK

Signed-off-by: Zhuchen Wang <zcwang@google.com>
containerd · Oct 11, 2022 · 17a9324 · 17a9324
1 parent 32aa33a
commit 17a9324
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -357,7 +357,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"signalfd4",
 				"sigprocmask",
 				"sigreturn",
-				"socket",
 				"socketcall",
 				"socketpair",
 				"splice",
@@ -411,6 +410,17 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 			Action: specs.ActAllow,
 			Args:   []specs.LinuxSeccompArg{},
 		},
+		{
+			Names:  []string{"socket"},
+			Action: specs.ActAllow,
+			Args: []specs.LinuxSeccompArg{
+				{
+					Index: 0,
+					Value: unix.AF_VSOCK,
+					Op:    specs.OpNotEqual,
+				},
+			},
+		},
 		{
 			Names:  []string{"personality"},
 			Action: specs.ActAllow,