Comment by fulafel
7 hours ago
Both of these (copy fail and dirtyfrag) exploit obscure socket address families. Are these filtered by commonly used seccomp profiles in eg docker (assuming seccomp can express it)?
7 hours ago
Both of these (copy fail and dirtyfrag) exploit obscure socket address families. Are these filtered by commonly used seccomp profiles in eg docker (assuming seccomp can express it)?
At least in the k8s setup I looked at the dirtyfrag were filtered (by default).
"XFRM SA registration requires CAP_NET_ADMIN".