From e76b5dd8955fb5edb2d3240ea57eefa2dc9c25f8 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Tue, 29 Dec 2015 15:47:23 +0000
Subject: [PATCH] Block vm86 syscalls in default seccomp profile

These provide an in kernel virtual machine for x86 real mode on x86 used by one very early DOS emulator. Not required for any normal use.
Signed-off-by: Justin Cormack
Upstream-commit: 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e
Component: engine
---
 .../daemon/execdriver/native/seccomp_default.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/components/engine/daemon/execdriver/native/seccomp_default.go b/components/engine/daemon/execdriver/native/seccomp_default.go
index 1075a0b315..f5c6e82a69 100644
--- a/components/engine/daemon/execdriver/native/seccomp_default.go
+++ b/components/engine/daemon/execdriver/native/seccomp_default.go
@@ -316,5 +316,17 @@ var defaultSeccompProfile = &configs.Seccomp{
 Action: configs.Errno,
 Args: []*configs.Arg{},
 },
+ {
+ // In kernel x86 real mode virtual machine
+ Name: "vm86",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
+ {
+ // In kernel x86 real mode virtual machine
+ Name: "vm86old",
+ Action: configs.Errno,
+ Args: []*configs.Arg{},
+ },
 },
 }
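Review bot: The comments on the two new entries say what vm86 is but not why it is denied, and they are word-for-word identical, so the rationale survives only in the commit message. I would carry it into the profile, e.g. `// In-kernel x86 real-mode virtual machine (legacy DOS emulation); not needed by normal workloads` on `vm86` and `// Older entry point for vm86, kept for binary compatibility; denied for the same reason` on `vm86old`. Both calls exist only in the 32-bit x86 syscall table, so it is worth confirming that the code which loads this profile tolerates a name it cannot resolve on other architectures; that loader is not visible here. The diffstat shows no test alongside the change, and the `defaultSeccompProfile` literal begins outside the hunk, so the profile's default action cannot be checked from this page.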