seccomp: add support for "swapcontext" syscall in default policy

This system call is only available on 32- and 64-bit PowerPC, it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd nspawn [2] already whitelist this system call so it makes sense to whitelist it in containerd as well. [1]: https://github.com/moby/moby/pull/43092 [2]: https://github.com/systemd/systemd/pull/9487 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
2022-01-07 18:05:59 +01:00
parent 3ccd43c8f6
commit adee2c7974
1 changed files with 1 additions and 0 deletions
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -467,6 +467,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 		s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 			Names: []string{
 				"sync_file_range2",
+				"swapcontext",
 			},
 			Action: specs.ActAllow,
 			Args:   []specs.LinuxSeccompArg{},