Hacker News

fulafel today at 4:57 AM

Both of these (copy fail and dirtyfrag) exploit obscure socket address families. Are these filtered by commonly used seccomp profiles in e.g. Docker (assuming seccomp can express it)?


Replies

YZF today at 5:09 AM

At least in the k8s setup I looked at, the dirtyfrag were filtered (by default).

"XFRM SA registration requires CAP_NET_ADMIN".
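On the "assuming seccomp can express it" part of the question: seccomp rules can compare syscall arguments, so a profile can restrict the first argument of `socket()`, which is the address family. The following is an added example, not code from the thread or from Docker or Kubernetes; it evaluates a profile in the Docker/OCI seccomp JSON layout to show which families `socket()` would be allowed for. The two profiles, the family list and the function names are constructed for illustration.

```python
import json

# Linux address-family numbers passed as socket()'s first argument.
AF = {"AF_UNIX": 1, "AF_INET": 2, "AF_NETLINK": 16, "AF_VSOCK": 40}

# Constructed profiles in the Docker/OCI seccomp JSON layout (not real defaults).
ALLOWLIST = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 1, "op": "SCMP_CMP_EQ"}]},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"}]}
  ]}""")
DENY_ONE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_NE"}]}
  ]}""")

# Comparison operators; for MASKED_EQ "value" is the mask and "valueTwo" the datum.
OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}

def socket_action(profile, family, sock_type=1, protocol=0):
    """Action the profile yields for socket(family, sock_type, protocol).
    Simplified: conditions in one entry are ANDed, entries are tried in order,
    and "includes"/"excludes" (capability or arch gating) are ignored."""
    call = (family, sock_type, protocol)
    for rule in profile.get("syscalls", []):
        if "socket" not in rule.get("names", []):
            continue
        conds = rule.get("args") or []
        if all(OPS[c["op"]](call[c["index"]], c["value"], c.get("valueTwo", 0))
               for c in conds):
            return rule["action"]
    return profile["defaultAction"]

def audit(profile):
    """Map each known family name to the action socket() would get."""
    return {name: socket_action(profile, num) for name, num in AF.items()}
```

A profile that only excludes one family (`DENY_ONE`) still lets every other family through, so an allowlist on argument 0 is the form that actually filters unfamiliar families.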