
Merge pull request #47344 from thaJeztah/25.0_backport_seccomp_updates

[25.0 backport] profiles/seccomp: add syscalls for kernel v5.17 - v6.6, match containerd's profile
Sebastiaan van Stijn 1 yıl önce
ebeveyn
işleme
7a075cacf9

+ 8 - 1
profiles/seccomp/default.json

@@ -64,6 +64,7 @@
 				"alarm",
 				"bind",
 				"brk",
+				"cachestat",
 				"capget",
 				"capset",
 				"chdir",
@@ -109,6 +110,7 @@
 				"fchdir",
 				"fchmod",
 				"fchmodat",
+				"fchmodat2",
 				"fchown",
 				"fchown32",
 				"fchownat",
@@ -130,8 +132,11 @@
 				"ftruncate",
 				"ftruncate64",
 				"futex",
+				"futex_requeue",
 				"futex_time64",
+				"futex_wait",
 				"futex_waitv",
+				"futex_wake",
 				"futimesat",
 				"getcpu",
 				"getcwd",
@@ -203,6 +208,7 @@
 				"lstat",
 				"lstat64",
 				"madvise",
+				"map_shadow_stack",
 				"membarrier",
 				"memfd_create",
 				"memfd_secret",
@@ -780,7 +786,8 @@
 			"names": [
 				"get_mempolicy",
 				"mbind",
-				"set_mempolicy"
+				"set_mempolicy",
+				"set_mempolicy_home_node"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"includes": {

+ 7 - 0
profiles/seccomp/default_linux.go

@@ -56,6 +56,7 @@ func DefaultProfile() *Seccomp {
 					"alarm",
 					"bind",
 					"brk",
+					"cachestat", // kernel v6.5, libseccomp v2.5.5
 					"capget",
 					"capset",
 					"chdir",
@@ -101,6 +102,7 @@ func DefaultProfile() *Seccomp {
 					"fchdir",
 					"fchmod",
 					"fchmodat",
+					"fchmodat2", // kernel v6.6, libseccomp v2.5.5
 					"fchown",
 					"fchown32",
 					"fchownat",
@@ -122,8 +124,11 @@ func DefaultProfile() *Seccomp {
 					"ftruncate",
 					"ftruncate64",
 					"futex",
+					"futex_requeue", // kernel v6.7, libseccomp v2.5.5
 					"futex_time64",
+					"futex_wait", // kernel v6.7, libseccomp v2.5.5
 					"futex_waitv",
+					"futex_wake", // kernel v6.7, libseccomp v2.5.5
 					"futimesat",
 					"getcpu",
 					"getcwd",
@@ -195,6 +200,7 @@ func DefaultProfile() *Seccomp {
 					"lstat",
 					"lstat64",
 					"madvise",
+					"map_shadow_stack", // kernel v6.6, libseccomp v2.5.5
 					"membarrier",
 					"memfd_create",
 					"memfd_secret",
@@ -768,6 +774,7 @@ func DefaultProfile() *Seccomp {
 					"get_mempolicy",
 					"mbind",
 					"set_mempolicy",
+					"set_mempolicy_home_node", // kernel v5.17, libseccomp v2.5.4
 				},
 				Action: specs.ActAllow,
 			},
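Review bot: The version annotations on the three new futex entries in the third hunk (`"futex_requeue", // kernel v6.7, libseccomp v2.5.5`, and the same on `futex_wait` and `futex_wake`) contradict the PR title, which states a range of kernel v5.17 - v6.6; either the title or the per-syscall comments should be corrected so the profile's minimum-kernel documentation is trustworthy. The other additions in this section (cachestat, fchmodat2, map_shadow_stack, set_mempolicy_home_node) do fall within the titled range. Every new name is annotated with a libseccomp version, which suggests hosts with an older libseccomp cannot resolve these names; presumably the loader skips unresolvable names rather than refusing the whole profile, but that behaviour is not visible here and is worth confirming, since silently applying a partial allowlist and failing to apply any profile have very different security outcomes. DefaultProfile's body begins and ends outside every hunk shown.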