From 1329ea3716c661fc655111bdff56e2d93a469cd5 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:28:11 +0900
Subject: [PATCH 1/5] seccomp: kernel 5.12 (mount_setattr)
Allow `mount_setattr` when `CAP_SYS_ADMIN` is granted. See https://man7.org/linux/man-pages/man2/mount_setattr.2.html
Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 6515d38b6..7f7cc47eb 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -537,6 +537,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "fspick",
 "lookup_dcookie",
 "mount",
+ "mount_setattr",
 "move_mount",
 "name_to_handle_at",
 "open_tree",
From 17a2831f703ee315e51bd4f10b17eb7855fb45ad Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:29:38 +0900
Subject: [PATCH 2/5] seccomp: kernel 5.13 (landlock_{add_rule,create_ruleset,restrict_self})
Allow the following syscalls by default:
- `landlock_add_rule`
- `landlock_create_ruleset`
- `landlock_restrict_self`
See https://landlock.io/
Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 7f7cc47eb..39bb4adf8 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -184,6 +184,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "io_uring_setup",
 "ipc",
 "kill",
+ "landlock_add_rule",
+ "landlock_create_ruleset",
+ "landlock_restrict_self",
 "lchown",
 "lchown32",
 "lgetxattr",
From c013db69656f8c4fc27b740f1c29ff6015becf6b Mon Sep 17 00:00:00 2001
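Review bot: The new `mount_setattr` entry carries no source comment recording the kernel release that introduced it, so its provenance lives only in this commit message; the same holds for the landlock entries in the next hunk and for memfd_secret, quotactl_fd, process_mrelease and futex_waitv in the later patches of this series. A trailing comment such as `"mount_setattr", // Linux 5.12` on each new entry would let a maintainer see at a glance which entries are newer than the oldest kernel and libseccomp the project supports. The CAP_SYS_ADMIN scoping described in the message is not visible here: DefaultProfile and the list this string belongs to both start and end outside the hunk, so I am relying on the message for the assumption that `mount`, `move_mount` and `open_tree` around it share that gate.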
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:31:37 +0900
Subject: [PATCH 3/5] seccomp: kernel 5.14 (quotactl_fd, memfd_secret)
- Allow `quotactl_fd` when `CAP_SYS_ADMIN` is granted. See https://lwn.net/Articles/859679/
- Allow `memfd_secret` by default. See https://lwn.net/Articles/865256/
Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index 39bb4adf8..b3efcdf48 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -204,6 +204,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "madvise",
 "membarrier",
 "memfd_create",
+ "memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -546,6 +547,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "open_tree",
 "perf_event_open",
 "quotactl",
+ "quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",
From 8632bdcb7bd64b9939455c1184637f8225e0ce5d Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:36:40 +0900
Subject: [PATCH 4/5] seccomp: kernel 5.15 (process_mrelease)
Allow `process_mrelease` by default. See https://lwn.net/Articles/864184/
Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index b3efcdf48..dee37d0e9 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -252,6 +252,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "preadv",
 "preadv2",
 "prlimit64",
+ "process_mrelease",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
From 34f7173491c45cca5c19643b54cc6f9fe0f92f04 Mon Sep 17 00:00:00 2001
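Review bot: `memfd_secret` is added to the default allowlist without noting how the kernel itself gates it: as far as I recall, the 5.14 implementation returns ENOSYS unless the kernel was booted with `secretmem.enable=1`, so on a stock kernel this entry is inert, and on an opted-in host it lets a container create memory that is unmapped from the kernel direct map and cannot be swapped. That is worth confirming against the 5.14 source and recording beside the entry, e.g. `"memfd_secret", // Linux 5.14; kernel returns ENOSYS unless booted with secretmem.enable=1`, so a later reader knows the allowance is intentional and what it depends on. The `quotactl_fd` entry in the second hunk sits next to `quotactl` and, per the message, inherits the same CAP_SYS_ADMIN gate, which I cannot see from here because DefaultProfile starts and ends outside both hunks.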
From: Akihiro Suda
Date: Mon, 31 Jan 2022 15:37:41 +0900
Subject: [PATCH 5/5] seccomp: kernel 5.16 (futex_waitv)
Allow `futex_waitv` by default. See https://www.phoronix.com/scan.php?page=news_item&px=FUTEX2-futex-waiv-More-Archs
Note: libseccomp does not cover kernel 5.16 at this moment: https://github.com/seccomp/libseccomp/blob/51b50f95e1fb717e4560818f8b90b7ebde314ad1/src/syscalls.csv
Signed-off-by: Akihiro Suda
---
 contrib/seccomp/seccomp_default.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index dee37d0e9..10ae7c6f7 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -128,6 +128,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "ftruncate64",
 "futex",
 "futex_time64",
+ "futex_waitv",
 "futimesat",
 "getcpu",
 "getcwd",
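Review bot: The message records that libseccomp does not yet know `futex_waitv`, but neither the message nor the hunk says what the runtime does with an allowlist name libseccomp cannot resolve, and that is what decides whether this entry is harmless or stops containers from starting on hosts with an older libseccomp. As far as I recall runc skips unresolvable syscall names when it builds the filter, in which case the entry is simply inert until libseccomp catches up; that behaviour should be confirmed and stated beside the entry, e.g. `"futex_waitv", // Linux 5.16; not yet in libseccomp at the time of adding, skipped by runtimes that ignore unresolvable names`. The same question applies to every entry added in this series on a host whose libseccomp predates the corresponding kernel. DefaultProfile starts and ends outside the hunk.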