From 9a202e342b71720266963931e4820f57662b92c2 Mon Sep 17 00:00:00 2001
From: Bjorn Neergaard
Date: Tue, 27 Jun 2023 13:31:28 -0600
Subject: [PATCH] seccomp: always allow name_to_handle_at

This syscall is used by systemd to request unique internal names for paths in the cgroup hierarchy from the kernel, and is overall innocuous. Due to [previous][1] [mistakes][2] in moby/moby, it ended up attached to `CAP_SYS_ADMIN`; however, it should not be filtered at all. An in-depth analysis is available [at moby/moby][3].

[1]: https://github.com/moby/moby/commit/a01c4dc8f85827f32d88522e5153dddc02f11806#diff-6c0d906dbef148d2060ed71a7461907e5601fea78866e4183835c60e5d2ff01aR1627-R1639
[2]: https://github.com/moby/moby/commit/c1ca124682a90f3306b34ad104ba80e413f7bf88
[3]: https://github.com/moby/moby/pull/45766#pullrequestreview-1493908145

Co-authored-by: Vitor Anjos
Signed-off-by: Bjorn Neergaard
---
 contrib/seccomp/seccomp_default.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 4cda6d9fd..7df50c34a 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -237,6 +237,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "munlock",
 "munlockall",
 "munmap",
+ "name_to_handle_at",
 "nanosleep",
 "newfstatat",
 "_newselect",
@@ -585,7 +586,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "mount",
 "mount_setattr",
 "move_mount",
- "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
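Review bot: The new `"name_to_handle_at"` entry in the unconditional allowlist (first hunk, around line 240) carries no inline rationale, so a reader of the profile sees a file-handle syscall permitted by default with the reasoning living only in this commit message and a linked moby/moby thread. I would add a short comment above the entry, e.g. `// name_to_handle_at only returns an opaque handle; the privileged side is open_by_handle_at, which stays gated.` That claim depends on `open_by_handle_at` still being in a capability-gated list elsewhere in DefaultProfile, which neither hunk shows, so it is worth confirming before the comment is worded that strongly. The second hunk is the matching removal from the `CAP_SYS_ADMIN` set and needs no note of its own. DefaultProfile starts and ends outside both hunks.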