From c013db69656f8c4fc27b740f1c29ff6015becf6b Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:31:37 +0900
Subject: [PATCH] seccomp: kernel 5.14 (quotactl_fd, memfd_secret)

- Allow `quotactl_fd` when `CAP_SYS_ADMIN` is granted. See https://lwn.net/Articles/859679/
- Allow `memfd_secret` by default. See https://lwn.net/Articles/865256/

Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 39bb4adf8..b3efcdf48 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -204,6 +204,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 	"madvise",
 	"membarrier",
 	"memfd_create",
+	"memfd_secret",
 	"mincore",
 	"mkdir",
 	"mkdirat",
@@ -546,6 +547,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 	"open_tree",
 	"perf_event_open",
 	"quotactl",
+	"quotactl_fd",
 	"setdomainname",
 	"sethostname",
 	"setns",
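Review bot: The new `memfd_secret` entry in the first hunk goes into the unconditional allowlist with nothing in the code recording why that is acceptable, and the commit message only says "by default", so the next person auditing this profile has to re-derive the kernel-side gating. As far as I can tell from the 5.14 implementation, the syscall returns ENOSYS unless the host was booted with `secretmem.enable=1`, and the resulting mappings are accounted like mlock'ed memory (charged against RLIMIT_MEMLOCK, never swapped, and dropped from the kernel direct map), so the allowlist entry on its own does not hand a container more pinned memory than `mlock` already would; please confirm that against the kernel you target. I would put `// memfd_secret (Linux 5.14): kernel refuses it unless booted with secretmem.enable=1; secret mappings count against RLIMIT_MEMLOCK` directly above the added line. Note that `DefaultProfile` and the slice literal this hunk edits both start and end outside the hunk, so the diff alone does not show which policy section the entry lands in.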