Please have a look at the detailed description: https://copy.fail/ .
We need to insert the following rule to protect Docker users without/before kernel patches to disable unwanted root escalation when multiple users and tenants spawn containers and access the shells:
```json
{
  "names": ["socket", "socketpair"],
  "action": "SCMP_ACT_ERRNO",
  "errnoRet": 97,
  "args": [
    {
      "index": 0,
      "value": 38,
      "op": "SCMP_CMP_EQ"
    }
  ]
}
```
- errno 97 = `EAFNOSUPPORT`. It lets user processes silently fall back to a userspace crypto implementation.
- arg 0 value 38 = `AF_ALG`.
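One way to verify the rule above, as an added example that is not part of the original post or of Docker's code: a static check that a seccomp profile denies `AF_ALG` for both `socket` and `socketpair`, plus a runtime probe to run inside a container. The top-level `syscalls` key follows Docker's profile format; the function names and the sample profile are constructed for illustration, and the static check only confirms the rule is present, not how it interacts with other rules in the profile.

```python
import errno
import socket

AF_ALG = 38        # "value" in the rule above
DENY_ERRNO = 97    # "errnoRet" in the rule above (EAFNOSUPPORT on Linux)
TARGETS = {"socket", "socketpair"}

def uncovered_syscalls(profile):
    """Return the target syscalls that no rule fails with errno 97 for AF_ALG."""
    covered = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ERRNO" or rule.get("errnoRet") != DENY_ERRNO:
            continue
        args = rule.get("args") or []
        # Conditions inside one rule are ANDed, so extra conditions narrow the match.
        if len(args) == 1 and (args[0].get("index"), args[0].get("value"),
                               args[0].get("op")) == (0, AF_ALG, "SCMP_CMP_EQ"):
            covered |= TARGETS & set(rule.get("names", []))
    return TARGETS - covered

def classify(err):
    """Map the errno from a failed AF_ALG socket() call to a finding."""
    if err == errno.EAFNOSUPPORT:
        return "denied-eafnosupport"  # rule active, or kernel built without AF_ALG
    if err in (errno.EPERM, errno.EACCES):
        return "denied-other"         # blocked by some other policy
    return "error-%s" % err

def probe_af_alg():
    """Try to open an AF_ALG socket from the current process (Linux only)."""
    try:
        sock = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return classify(exc.errno)
    sock.close()
    return "reachable"

# Constructed sample profile: the rule lists "socket" but forgets "socketpair".
SAMPLE_PROFILE = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 97,
     "args": [{"index": 0, "value": 38, "op": "SCMP_CMP_EQ"}]},
]}

if __name__ == "__main__":
    print("profile gaps:", sorted(uncovered_syscalls(SAMPLE_PROFILE)))
    print("runtime probe:", probe_af_alg())
```

A `reachable` result from the probe inside a container means the rule is not in effect for that container.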