BACKPORT: Add /proc/scsi to masked paths

This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.

Fix https://nvd.nist.gov/vuln/detail/CVE-2017-16539

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

Author: runcom

oci/defaults_linux.go

@@ -84,6 +84,7 @@ func DefaultSpec() specs.Spec {
 			"/proc/timer_list",
 			"/proc/timer_stats",
 			"/proc/sched_debug",
+			"/proc/scsi",
 		},
 		ReadonlyPaths: []string{
 			"/proc/asound",