From 7de9f4f82de417097f6fab150288ca2f1c0a9d91 Mon Sep 17 00:00:00 2001
From: Djordje Lukic
Date: Fri, 13 May 2022 11:20:48 +0200
Subject: [PATCH] Allow different syscalls from kernels 5.12 -> 5.16 Kernel 5.12: mount_setattr: needs CAP_SYS_ADMIN Kernel 5.14: quotactl_fd: needs CAP_SYS_ADMIN memfd_secret: always allowed Kernel 5.15: process_mrelease: always allowed Kernel 5.16: futex_waitv: always allowed
Signed-off-by: Djordje Lukic
---
 profiles/seccomp/default.json | 5 +++++
 profiles/seccomp/default_linux.go | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 37e6febf53..ed553e2d9c 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -131,6 +131,7 @@
 "ftruncate64",
 "futex",
 "futex_time64",
+ "futex_waitv",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -207,6 +208,7 @@
 "madvise",
 "membarrier",
 "memfd_create",
+ "memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -254,6 +256,7 @@
 "preadv",
 "preadv2",
 "prlimit64",
+ "process_mrelease",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
@@ -581,11 +584,13 @@
 "fspick",
 "lookup_dcookie",
 "mount",
+ "mount_setattr",
 "move_mount",
 "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
+ "quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index ca6dfd4661..1bc8ed86f0 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -123,6 +123,7 @@ func DefaultProfile() *Seccomp {
 "ftruncate64",
 "futex",
 "futex_time64",
+ "futex_waitv",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -199,6 +200,7 @@ func DefaultProfile() *Seccomp {
 "madvise",
 "membarrier",
 "memfd_create",
+ "memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -246,6 +248,7 @@ func DefaultProfile() *Seccomp {
 "preadv",
 "preadv2",
 "prlimit64",
+ "process_mrelease",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
@@ -572,11 +575,13 @@ func DefaultProfile() *Seccomp {
 "fspick",
 "lookup_dcookie",
 "mount",
+ "mount_setattr",
 "move_mount",
 "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
+ "quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",
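Review bot: The new entries mount_setattr and quotactl_fd are appended next to mount, setns and perf_event_open, which the commit message describes as the CAP_SYS_ADMIN-gated group, but nothing in the hunk records that gating or the kernel versions (5.12 and 5.14 per the message) in which these names first appear, and the capability condition that would tie this list to CAP_SYS_ADMIN is not visible in the hunk, so a reader cannot verify the placement from this context. A one-line comment above the two additions, `// mount_setattr (Linux 5.12) and quotactl_fd (5.14) are privileged and stay in the CAP_SYS_ADMIN set`, keeps the rationale next to the code, which default.json cannot carry. The same remark applies to the unconditional additions in the earlier hunks on line 1 (futex_waitv, memfd_secret, process_mrelease), which the message dates to 5.14–5.16. How the profile behaves on hosts whose libseccomp cannot resolve these names is not visible here; presumably unknown names are skipped rather than causing the profile to fail to load, which is worth confirming before merge. DefaultProfile begins and ends outside the hunk.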