Merge pull request #37242 from nvcastet/fix_sys_nice_seccomp

Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile

profiles/seccomp/default.json

@@ -746,6 +746,22 @@
 				]
 			},
 			"excludes": {}
+		},
+		{
+			"names": [
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_NICE"
+				]
+			},
+			"excludes": {}
 		}
 	]
 }

profiles/seccomp/seccomp_default.go

@@ -630,6 +630,18 @@ func DefaultProfile() *types.Seccomp {
 				Caps: []string{"CAP_SYS_TTY_CONFIG"},
 			},
 		},
+		{
+			Names: []string{
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_NICE"},
+			},
+		},
 	}
 
 	return &types.Seccomp{