Allow restart_syscall in default seccomp profile

Fixes #20818 This syscall was blocked as there was some concern that it could be used to bypass filtering of other syscall arguments. However none of the potential syscalls where this could be an issue (poll, nanosleep, clock_nanosleep, futex) are blocked in the default profile anyway. Signed-off-by: Justin Cormack <justin.cormack@docker.com> Upstream-commit: 5abd881883883a132f96f8adb1b07b5545af452b Component: engine
2016-03-11 11:01:20 +00:00
parent a1a5012791
commit 8df9af807b
3 changed files with 10 additions and 1 deletions
--- a/components/engine/docs/security/seccomp.md
+++ b/components/engine/docs/security/seccomp.md
@ -114,7 +114,6 @@ the reason each syscall is blocked rather than white-listed.
 | `query_module`      | Deny manipulation and functions on kernel modules.                                                            |
 | `quotactl`          | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. |
 | `reboot`            | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`.                                           |
-| `restart_syscall`   | Don't allow containers to restart a syscall. Possible seccomp bypass see: https://code.google.com/p/chromium/issues/detail?id=408827. |
 | `request_key`       | Prevent containers from using the kernel keyring, which is not namespaced.                                    |
 | `set_mempolicy`     | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`.                       |
 | `setns`             | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`.                                    |