Block vm86 syscalls in default seccomp profile

These provide an in kernel virtual machine for x86 real mode on x86
used by one very early DOS emulator. Not required for any normal use.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e
Component: engine

components/engine/daemon/execdriver/native/seccomp_default.go

@@ -316,5 +316,17 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86old",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 	},
 }