Block vm86 syscalls in default seccomp profile

These provide an in kernel virtual machine for x86 real mode on x86 used by one very early DOS emulator. Not required for any normal use. Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2026-03-27 14:28:47 +07:00 · 2015-12-29 15:47:23 +00:00
parent eb551baf6f
commit 6c3ea7a511
1 changed files with 12 additions and 0 deletions
--- a/daemon/execdriver/native/seccomp_default.go
+++ b/daemon/execdriver/native/seccomp_default.go
@@ -316,5 +316,17 @@ var defaultSeccompProfile = &configs.Seccomp{
 			Action: configs.Errno,
 			Args:   []*configs.Arg{},
 		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
+		{
+			// In kernel x86 real mode virtual machine
+			Name:   "vm86old",
+			Action: configs.Errno,
+			Args:   []*configs.Arg{},
+		},
 	},
 }