profiles: seccomp: update to Linux 5.11 syscall list

These syscalls (some of which have been in Linux for a while but were missing from the profile) fall into a few buckets: * close_range(2), epoll_wait2(2) are just extensions of existing "safe for everyone" syscalls. * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are all equivalent to aspects of mount(2) and thus go into the CAP_SYS_ADMIN category. * process_madvise(2) is similar to the other process_*(2) syscalls and thus goes in the CAP_SYS_PTRACE category. Co-authored-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-21 21:30:25 +01:00 · 2021-01-21 21:30:25 +01:00 · e1445dff12
commit e1445dff12
parent 83f8d6126b
1 changed files with 9 additions and 0 deletions
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@ -74,6 +74,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"clock_nanosleep",
 				"clock_nanosleep_time64",
 				"close",
+				"close_range",
 				"connect",
 				"copy_file_range",
 				"creat",
@ -85,6 +86,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"epoll_ctl",
 				"epoll_ctl_old",
 				"epoll_pwait",
+				"epoll_pwait2",
 				"epoll_wait",
 				"epoll_wait_old",
 				"eventfd",
@ -525,9 +527,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 					"bpf",
 					"clone",
 					"fanotify_init",
+					"fsconfig",
+					"fsmount",
+					"fsopen",
+					"fspick",
 					"lookup_dcookie",
 					"mount",
+					"move_mount",
 					"name_to_handle_at",
+					"open_tree",
 					"perf_event_open",
 					"quotactl",
 					"setdomainname",
@ -574,6 +582,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				Names: []string{
 					"kcmp",
 					"pidfd_getfd",
+					"process_madvise",
 					"process_vm_readv",
 					"process_vm_writev",
 					"ptrace",