authorFabricio Voznika <fvoznika@google.com>2018-08-28 17:08:49 -0700
committerShentubot <shentubot@google.com>2018-08-28 17:10:03 -0700
commit30c025f3efdf5b599d8fbd4172bb5b856cc269af (patch)
treecd52725df8f5534db8d39c51e9c31b65d0e6c51e /runsc/boot/loader.go
parent3b11769c772ab667f6f7a1863f6a614a095445ad (diff)
Add argument checks to seccomp
This is required to increase protection when running in GKE. PiperOrigin-RevId: 210635123 Change-Id: Iaaa8be49e73f7a3a90805313885e75894416f0b5
Diffstat (limited to 'runsc/boot/loader.go')
-rw-r--r--runsc/boot/loader.go10
1 files changed, 7 insertions, 3 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 0ad830a6b..74d0c2534 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -351,9 +351,13 @@ func (l *Loader) run() error {
if l.conf.DisableSeccomp {
filter.Report("syscall filter is DISABLED. Running in less secure mode.")
} else {
- whitelistFS := l.conf.FileAccess == FileAccessDirect
- hostNet := l.conf.Network == NetworkHost
- if err := filter.Install(l.k.Platform, whitelistFS, hostNet); err != nil {
+ opts := filter.Options{
+ Platform: l.k.Platform,
+ WhitelistFS: l.conf.FileAccess == FileAccessDirect,
+ HostNetwork: l.conf.Network == NetworkHost,
+ ControllerFD: l.ctrl.srv.FD(),
+ }
+ if err := filter.Install(opts); err != nil {
return fmt.Errorf("Failed to install seccomp filters: %v", err)
}
}
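Review bot: `ControllerFD: l.ctrl.srv.FD()` snapshots a descriptor number when the filter is installed, and nothing in the hunk states that this number must stay bound to the control socket for the life of the sandbox. If the filter compares syscall arguments against that value (as the commit title suggests, though `filter.Install` is not shown here), a later close and reopen of the control server would either lock the controller out or leave the rule matching whatever object reuses the number. I would add a comment above the field, e.g. `// ControllerFD is baked into the seccomp rules; the control server socket must not be closed or replaced after Install.`, and confirm that `l.ctrl` and `l.ctrl.srv` are always non-nil at this point in `run()`. The body of `run()` starts and ends outside the hunk, so the ordering relative to controller start-up cannot be checked from here.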