From e1445dff12e49d38221f24d8abafac530c944808 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 21 Jan 2021 21:30:25 +0100
Subject: [PATCH] profiles: seccomp: update to Linux 5.11 syscall list
These syscalls (some of which have been in Linux for a while but were missing from the profile) fall into a few buckets:
* close_range(2), epoll_wait2(2) are just extensions of existing "safe for everyone" syscalls.
* The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are all equivalent to aspects of mount(2) and thus go into the CAP_SYS_ADMIN category.
* process_madvise(2) is similar to the other process_*(2) syscalls and thus goes in the CAP_SYS_PTRACE category.
Co-authored-by: Aleksa Sarai
Signed-off-by: Sebastiaan van Stijn
---
contrib/seccomp/seccomp_default.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index dcf6a75e9..f7087ad94 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -74,6 +74,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "clock_nanosleep",
 "clock_nanosleep_time64",
 "close",
+ "close_range",
 "connect",
 "copy_file_range",
 "creat",
@@ -85,6 +86,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "epoll_ctl",
 "epoll_ctl_old",
 "epoll_pwait",
+ "epoll_pwait2",
 "epoll_wait",
 "epoll_wait_old",
 "eventfd",
@@ -525,9 +527,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "bpf",
 "clone",
 "fanotify_init",
+ "fsconfig",
+ "fsmount",
+ "fsopen",
+ "fspick",
 "lookup_dcookie",
 "mount",
+ "move_mount",
 "name_to_handle_at",
+ "open_tree",
 "perf_event_open",
 "quotactl",
 "setdomainname",
@@ -574,6 +582,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Names: []string{
 "kcmp",
 "pidfd_getfd",
+ "process_madvise",
 "process_vm_readv",
 "process_vm_writev",
 "ptrace",
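Review bot: The new entries are plain syscall names (`"close_range"` in this hunk, `"epoll_pwait2"`, the `fs*`/`"move_mount"`/`"open_tree"` group and `"process_madvise"` in the three later hunks), and nothing in the patch records the minimum libseccomp level needed to resolve them. A libseccomp release that predates Linux 5.11 will not know these names, and whether the runtime then drops the rule with a warning or fails to load the profile is runtime-specific and not visible here, so it is worth confirming that behavior and noting the dependency next to the list, e.g. `// requires a libseccomp that knows the Linux 5.11 syscall names`. The enclosing DefaultProfile function starts and ends outside every hunk.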
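Review bot: The entry added in this hunk is `"epoll_pwait2"`, while the commit message lists the same addition as `epoll_wait2(2)`; the name in the hunk is the actual syscall, so the description should read `epoll_pwait2(2)` to match the profile. Keeping the two consistent matters for anyone later auditing which syscalls the default profile admits and why.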