From bbb8d3470483c8054fd435d815ba699f94350928 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Thu, 14 Jul 2022 10:39:55 +0200
Subject: [PATCH] seccomp: add get_mempolicy, mbind, set_mempolicy, with CAP_SYS_NICE

This aligns the profile with docker's profile, which added this in https://github.com/moby/moby/commit/47dfff68e4365668279e235bf8c7778b637f2517

Signed-off-by: Sebastiaan van Stijn
---
 contrib/seccomp/seccomp_default.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 714a8ae0b..22638e278 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -652,6 +652,16 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
 })
+ case "CAP_SYS_NICE":
+ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
+ Names: []string{
+ "get_mempolicy",
+ "mbind",
+ "set_mempolicy",
+ },
+ Action: specs.ActAllow,
+ Args: []specs.LinuxSeccompArg{},
+ })
 case "CAP_SYSLOG":
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 Names: []string{"syslog"},
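Review bot: The new `case "CAP_SYS_NICE":` branch allows `get_mempolicy`, `mbind` and `set_mempolicy` with an empty `Args` list, i.e. without argument filtering, yet it has no comment and the diffstat shows no test file, so nothing guards against these calls leaking into the profile of a container that lacks the capability. I would add a comment above the case, `// NUMA memory-policy syscalls: allowed only when CAP_SYS_NICE is granted (mirrors moby's default profile)`, and a unit test that builds a spec with and without CAP_SYS_NICE and asserts the three names are present only in the former. It is also worth a release-note line, since anyone who already grants CAP_SYS_NICE for scheduling purposes gets these syscalls as a side effect. DefaultProfile starts and ends outside the hunk, so which capability set the switch iterates over is not visible here.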