diff options
| author | gVisor bot <gvisor-bot@google.com> | 2020-12-28 22:05:49 +0000 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2020-12-28 22:05:49 +0000 |
| commit | 5c21c7c3bd1552f4d5f87ef588fc213e2a2278ef (patch) | |
| tree | b62b3f2c71f46e145c15d7740262f7d59c91c87f /runsc/boot | |
| parent | b0f23fb7e0cf908622bc6b8c90e2819de6de6ccb (diff) | |
| parent | 3ff7324dfa7c096a50b628189d5c3f2d4d5ec2f6 (diff) | |
Merge release-20201208.0-89-g3ff7324df (automated)
Diffstat (limited to 'runsc/boot')
| -rw-r--r-- | runsc/boot/filter/config.go | 38 | ||||
| -rw-r--r-- | runsc/boot/loader.go | 2 |
2 files changed, 32 insertions, 8 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index 4e3bb9ac7..eacd73531 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -353,6 +353,11 @@ func hostInetFilters() seccomp.SyscallRules { }, { seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_RECVERR), + }, + { + seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IPV6), seccomp.EqualTo(syscall.IPV6_TCLASS), }, @@ -364,6 +369,11 @@ func hostInetFilters() seccomp.SyscallRules { { seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(syscall.IPV6_RECVERR), + }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IPV6), seccomp.EqualTo(syscall.IPV6_V6ONLY), }, { @@ -446,13 +456,6 @@ func hostInetFilters() seccomp.SyscallRules { syscall.SYS_SETSOCKOPT: []seccomp.Rule{ { seccomp.MatchAny{}, - seccomp.EqualTo(syscall.SOL_IPV6), - seccomp.EqualTo(syscall.IPV6_V6ONLY), - seccomp.MatchAny{}, - seccomp.EqualTo(4), - }, - { - seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_SOCKET), seccomp.EqualTo(syscall.SO_SNDBUF), seccomp.MatchAny{}, @@ -523,6 +526,13 @@ func hostInetFilters() seccomp.SyscallRules { }, { seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IP), + seccomp.EqualTo(syscall.IP_RECVERR), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, + { + seccomp.MatchAny{}, seccomp.EqualTo(syscall.SOL_IPV6), seccomp.EqualTo(syscall.IPV6_TCLASS), seccomp.MatchAny{}, @@ -542,6 +552,20 @@ func hostInetFilters() seccomp.SyscallRules { seccomp.MatchAny{}, seccomp.EqualTo(4), }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(syscall.IPV6_RECVERR), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, + { + seccomp.MatchAny{}, + seccomp.EqualTo(syscall.SOL_IPV6), + seccomp.EqualTo(syscall.IPV6_V6ONLY), + seccomp.MatchAny{}, + seccomp.EqualTo(4), + }, }, syscall.SYS_SHUTDOWN: []seccomp.Rule{ { diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index 3df013d34..98ea8db64 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -294,7 +294,7 @@ func New(args Args) (*Loader, error) { if args.TotalMem > 0 { // Adjust the total memory returned by the Sentry so that applications that // use /proc/meminfo can make allocations based on this limit. - usage.MinimumTotalMemoryBytes = args.TotalMem + usage.MaximumTotalMemoryBytes = args.TotalMem log.Infof("Setting total memory to %.2f GB", float64(args.TotalMem)/(1<<30)) } |