From 19e8479837e16630685780de75ea3486f0dc777a Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 13 Jul 2022 23:03:35 +0200
Subject: [PATCH] seccomp: seccomp: add syscalls related to PKU in default policy
Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile. pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure the calling process's own memory, so they are existing "safe for everyone" syscalls.
Signed-off-by: Sebastiaan van Stijn
---
 contrib/seccomp/seccomp_default.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 714a8ae0b..40ae48806 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -249,6 +249,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "pidfd_send_signal",
 "pipe",
 "pipe2",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
 "poll",
 "ppoll",
 "ppoll_time64",
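Review bot: The new `"pkey_mprotect"` entry is added to the allow list with no comment, and it deserves one because it takes the same `prot` argument as `mprotect` and is therefore a second path for changing page protections. Anyone who derives a stricter profile from this default and filters `mprotect` arguments needs the same filter on `pkey_mprotect`, otherwise the restriction no longer holds. I would add above the entry: `// pkey_mprotect accepts the same prot flags as mprotect; keep any mprotect restriction in sync.` The body of DefaultProfile starts and ends outside the hunk, so how `mprotect` itself is handled in this list is not visible here.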