seccomp: add support for "swapcontext" syscall in default policy

This system call is only available on 32- and 64-bit PowerPC; it is used
by modern programming language implementations to implement coroutine
features through userspace context switches.

moby [1] and systemd nspawn [2] already whitelist this system call so it
makes sense to whitelist it in containerd as well.

[1]: https://github.com/moby/moby/pull/43092
[2]: https://github.com/systemd/systemd/pull/9487

Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
This commit is contained in:
Sören Tempel 2022-01-07 18:05:59 +01:00
parent 3ccd43c8f6
commit adee2c7974


@ -467,6 +467,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{ Names: []string{
"sync_file_range2", "sync_file_range2",
"swapcontext",
}, },
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
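Review bot: the hunk context does not show which architecture branch this `append` sits in, and since the commit message states that `swapcontext` exists only on 32- and 64-bit PowerPC, please confirm in review that this `specs.LinuxSyscall` group (the one already carrying `"sync_file_range2"`) is the PowerPC-specific one rather than the unconditional default list, so that a syscall name unknown to other architectures is not added to every profile. Minor style point: the new entry is placed after `"sync_file_range2"`, which breaks alphabetical order within the `Names` slice; if the surrounding lists are kept sorted, `"swapcontext"` should go before it. `Action: specs.ActAllow` with an empty `Args` slice matches the adjacent entries, so no argument filtering is lost here.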