From a6a88b3145c33bbec871cc9d3bea2170ed785142 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Sun, 17 Jan 2021 23:39:31 +1100
Subject: [PATCH] profiles: seccomp: update to Linux 5.11 syscall list

These syscalls (some of which have been in Linux for a while but were missing from the profile) fall into a few buckets:
* close_range(2), epoll_pwait2(2) are just extensions of existing "safe for everyone" syscalls.
* The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are all equivalent to aspects of mount(2) and thus go into the CAP_SYS_ADMIN category.
* process_madvise(2) is similar to the other process_*(2) syscalls and thus goes in the CAP_SYS_PTRACE category.

Signed-off-by: Aleksa Sarai
(cherry picked from commit 54eff4354b17a9c460b851300f28aed1408a8615)
Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/default.json | 9 +++++++++
 profiles/seccomp/default_linux.go | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 3ae143c8b1..4213799ddb 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -74,6 +74,7 @@
 "clock_nanosleep",
 "clock_nanosleep_time64",
 "close",
+ "close_range",
 "connect",
 "copy_file_range",
 "creat",
@@ -85,6 +86,7 @@
 "epoll_ctl",
 "epoll_ctl_old",
 "epoll_pwait",
+ "epoll_pwait2",
 "epoll_wait",
 "epoll_wait_old",
 "eventfd",
@@ -590,9 +592,15 @@
 "bpf",
 "clone",
 "fanotify_init",
+ "fsconfig",
+ "fsmount",
+ "fsopen",
+ "fspick",
 "lookup_dcookie",
 "mount",
+ "move_mount",
 "name_to_handle_at",
+ "open_tree",
 "perf_event_open",
 "quotactl",
 "setdomainname",
@@ -724,6 +732,7 @@
 "names": [
 "kcmp",
 "pidfd_getfd",
+ "process_madvise",
 "process_vm_readv",
 "process_vm_writev",
 "ptrace"
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 232a4149cd..879eb88c64 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
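Review bot: The allowlist entry `close_range` in the first hunk (and `epoll_pwait2` in the next) is only as effective as the libseccomp on the host: as far as I recall, runc skips syscall names that libseccomp cannot resolve, so on a host whose libseccomp predates the Linux 5.9/5.11 syscall tables these calls keep hitting the profile's default action (ERRNO/EPERM in the stock profile, if I remember right) with no load-time error, and a program probing close_range(2) sees EPERM rather than the ENOSYS it would use to fall back to close(2) loops. That is fail-closed and acceptable, but the dependency is invisible in a name-only JSON list, so I would record it in the commit message or release note, e.g. `close_range/epoll_pwait2 are allowed only where libseccomp knows the names; older hosts keep denying them with the default errno`. default.json has no comment syntax, so there is nowhere in the hunk itself to put it.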
@@ -67,6 +67,7 @@ func DefaultProfile() *Seccomp {
 "clock_nanosleep",
 "clock_nanosleep_time64",
 "close",
+ "close_range",
 "connect",
 "copy_file_range",
 "creat",
@@ -78,6 +79,7 @@ func DefaultProfile() *Seccomp {
 "epoll_ctl",
 "epoll_ctl_old",
 "epoll_pwait",
+ "epoll_pwait2",
 "epoll_wait",
 "epoll_wait_old",
 "eventfd",
@@ -521,9 +523,15 @@ func DefaultProfile() *Seccomp {
 "bpf",
 "clone",
 "fanotify_init",
+ "fsconfig",
+ "fsmount",
+ "fsopen",
+ "fspick",
 "lookup_dcookie",
 "mount",
+ "move_mount",
 "name_to_handle_at",
+ "open_tree",
 "perf_event_open",
 "quotactl",
 "setdomainname",
@@ -625,6 +633,7 @@ func DefaultProfile() *Seccomp {
 Names: []string{
 "kcmp",
 "pidfd_getfd",
+ "process_madvise",
 "process_vm_readv",
 "process_vm_writev",
 "ptrace",
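Review bot: The CAP_SYS_ADMIN hunk gates `open_tree` more strictly than the kernel itself does — as far as I recall, open_tree(2) without OPEN_TREE_CLONE is essentially an O_PATH openat(2) that needs no capability, and only the OPEN_TREE_CLONE (detached copy) path checks CAP_SYS_ADMIN — and that policy choice, like the grouping of the whole new mount API, is explained only in the commit message. Since default.json cannot carry it, this file should: I would add above the new entries `// New mount API (Linux 5.2+): fsopen/fsconfig/fsmount/fspick/move_mount are each an aspect of mount(2), so they stay under CAP_SYS_ADMIN; open_tree is deliberately grouped here even though plain (non-OPEN_TREE_CLONE) use needs no capability in the kernel.` The `process_madvise` placement in the last hunk deserves a similar one-line note, since the kernel's own check there is ptrace read access plus CAP_SYS_NICE rather than CAP_SYS_PTRACE, if I remember the 5.10/5.11 code right, so granting CAP_SYS_PTRACE alone will not make it usable. If default.json is generated from DefaultProfile(), as the identical hunks suggest, regenerating it rather than hand-editing both files keeps them from drifting. DefaultProfile() starts and ends outside these hunks.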