From 17a2831f703ee315e51bd4f10b17eb7855fb45ad Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Mon, 31 Jan 2022 15:29:38 +0900
Subject: [PATCH] seccomp: kernel 5.13
 (landlock_{add_rule,create_ruleset,restrict_self})

Allow the following syscalls by default:
- `landlock_add_rule`
- `landlock_create_ruleset`
- `landlock_restrict_self`

See https://landlock.io/

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 contrib/seccomp/seccomp_default.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 7f7cc47eb..39bb4adf8 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -184,6 +184,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"io_uring_setup",
 				"ipc",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",