Block bpf syscall from default seccomp profile

The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 33568405f34f363de49b1146119cc53bcb9e5f16
Component: engine

components/engine/daemon/execdriver/native/seccomp_default.go

@@ -28,6 +28,13 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// Deny loading potentially persistent bpf programs into kernel
+			// already gated by CAP_SYS_ADMIN
+			Name:   "bpf",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 		{
 			// Time/Date is not namespaced
 			Name:   "clock_settime",