From adee2c797433f8de084e6500bf901b6ade75c24f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Fri, 7 Jan 2022 18:05:59 +0100
Subject: [PATCH] seccomp: add support for "swapcontext" syscall in default policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This system call is only available on 32- and 64-bit PowerPC, it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd nspawn [2] already whitelist this system call so it makes sense to whitelist it in containerd as well.

[1]: https://github.com/moby/moby/pull/43092
[2]: https://github.com/systemd/systemd/pull/9487

Signed-off-by: Sören Tempel
---
 contrib/seccomp/seccomp_default.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index c369e9f50..6515d38b6 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -467,6 +467,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 Names: []string{
 "sync_file_range2",
+ "swapcontext",
 },
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
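Review bot: The added `"swapcontext"` goes into a `Names` list whose enclosing `switch` arm is outside the hunk, so the hunk alone does not show that this is the PowerPC-specific case the description calls for; please confirm it is the `ppc64le` arm (the `"sync_file_range2"` neighbour suggests an arch-specific list, but the `case` line is not visible). If the same list were also emitted for other architectures the name would not resolve there, which is harmless only if the OCI runtime skips unresolvable syscall names instead of rejecting the whole profile — I believe runc logs and ignores them, but that assumption is worth one sentence in the commit message. Nothing in this allow list records why an entry exists, so a short why-comment would help the next reader: `"swapcontext", // PowerPC-only user-space context switch used for coroutines; mirrors moby and systemd-nspawn`. DefaultProfile begins and continues outside the hunk.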