profiles: seccomp: update to Linux 5.11 syscall list
These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:
* close_range(2), epoll_pwait2(2) are just extensions of existing "safe
for everyone" syscalls.
* The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
all equivalent to aspects of mount(2) and thus go into the
CAP_SYS_ADMIN category.
* process_madvise(2) is similar to the other process_*(2) syscalls and
thus goes in the CAP_SYS_PTRACE category.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 54eff4354b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
fae366b323
commit
a6a88b3145
2 changed files with 18 additions and 0 deletions
|
@ -74,6 +74,7 @@
|
||||||
"clock_nanosleep",
|
"clock_nanosleep",
|
||||||
"clock_nanosleep_time64",
|
"clock_nanosleep_time64",
|
||||||
"close",
|
"close",
|
||||||
|
"close_range",
|
||||||
"connect",
|
"connect",
|
||||||
"copy_file_range",
|
"copy_file_range",
|
||||||
"creat",
|
"creat",
|
||||||
|
@ -85,6 +86,7 @@
|
||||||
"epoll_ctl",
|
"epoll_ctl",
|
||||||
"epoll_ctl_old",
|
"epoll_ctl_old",
|
||||||
"epoll_pwait",
|
"epoll_pwait",
|
||||||
|
"epoll_pwait2",
|
||||||
"epoll_wait",
|
"epoll_wait",
|
||||||
"epoll_wait_old",
|
"epoll_wait_old",
|
||||||
"eventfd",
|
"eventfd",
|
||||||
|
@ -590,9 +592,15 @@
|
||||||
"bpf",
|
"bpf",
|
||||||
"clone",
|
"clone",
|
||||||
"fanotify_init",
|
"fanotify_init",
|
||||||
|
"fsconfig",
|
||||||
|
"fsmount",
|
||||||
|
"fsopen",
|
||||||
|
"fspick",
|
||||||
"lookup_dcookie",
|
"lookup_dcookie",
|
||||||
"mount",
|
"mount",
|
||||||
|
"move_mount",
|
||||||
"name_to_handle_at",
|
"name_to_handle_at",
|
||||||
|
"open_tree",
|
||||||
"perf_event_open",
|
"perf_event_open",
|
||||||
"quotactl",
|
"quotactl",
|
||||||
"setdomainname",
|
"setdomainname",
|
||||||
|
@ -724,6 +732,7 @@
|
||||||
"names": [
|
"names": [
|
||||||
"kcmp",
|
"kcmp",
|
||||||
"pidfd_getfd",
|
"pidfd_getfd",
|
||||||
|
"process_madvise",
|
||||||
"process_vm_readv",
|
"process_vm_readv",
|
||||||
"process_vm_writev",
|
"process_vm_writev",
|
||||||
"ptrace"
|
"ptrace"
|
||||||
|
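Review bot: In the hunk at `@ -724,6 +732,7 @@`, `process_madvise` is grouped with `process_vm_readv`/`process_vm_writev` under the CAP_SYS_PTRACE filter, but its kernel-side gate is not the same as theirs: as far as I recall it checks the target with a PTRACE_MODE_READ-style mm_access (and newer kernels add a CAP_SYS_NICE check) rather than the PTRACE_MODE_ATTACH check behind the process_vm_* calls, so the grouping is conservative rather than one-to-one. That is a reasonable default, but the rationale is only in the commit message, and JSON cannot carry a comment, so it will be lost the next time someone reorganises the groups. Since the same entry is added to DefaultProfile() in the Go file (hunk `@ -625,6 +633,7 @@`), a one-line comment next to it there would keep the reasoning with the code, e.g. `// process_madvise(2): access to the target is ptrace-gated, so it stays with the other process_*(2) calls`. The other additions in this section (close_range, epoll_pwait2, the fs*/move_mount/open_tree set) are placed at the correct sorted positions and in the categories the message describes.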
|
|
@ -67,6 +67,7 @@ func DefaultProfile() *Seccomp {
|
||||||
"clock_nanosleep",
|
"clock_nanosleep",
|
||||||
"clock_nanosleep_time64",
|
"clock_nanosleep_time64",
|
||||||
"close",
|
"close",
|
||||||
|
"close_range",
|
||||||
"connect",
|
"connect",
|
||||||
"copy_file_range",
|
"copy_file_range",
|
||||||
"creat",
|
"creat",
|
||||||
|
@ -78,6 +79,7 @@ func DefaultProfile() *Seccomp {
|
||||||
"epoll_ctl",
|
"epoll_ctl",
|
||||||
"epoll_ctl_old",
|
"epoll_ctl_old",
|
||||||
"epoll_pwait",
|
"epoll_pwait",
|
||||||
|
"epoll_pwait2",
|
||||||
"epoll_wait",
|
"epoll_wait",
|
||||||
"epoll_wait_old",
|
"epoll_wait_old",
|
||||||
"eventfd",
|
"eventfd",
|
||||||
|
@ -521,9 +523,15 @@ func DefaultProfile() *Seccomp {
|
||||||
"bpf",
|
"bpf",
|
||||||
"clone",
|
"clone",
|
||||||
"fanotify_init",
|
"fanotify_init",
|
||||||
|
"fsconfig",
|
||||||
|
"fsmount",
|
||||||
|
"fsopen",
|
||||||
|
"fspick",
|
||||||
"lookup_dcookie",
|
"lookup_dcookie",
|
||||||
"mount",
|
"mount",
|
||||||
|
"move_mount",
|
||||||
"name_to_handle_at",
|
"name_to_handle_at",
|
||||||
|
"open_tree",
|
||||||
"perf_event_open",
|
"perf_event_open",
|
||||||
"quotactl",
|
"quotactl",
|
||||||
"setdomainname",
|
"setdomainname",
|
||||||
|
@ -625,6 +633,7 @@ func DefaultProfile() *Seccomp {
|
||||||
Names: []string{
|
Names: []string{
|
||||||
"kcmp",
|
"kcmp",
|
||||||
"pidfd_getfd",
|
"pidfd_getfd",
|
||||||
|
"process_madvise",
|
||||||
"process_vm_readv",
|
"process_vm_readv",
|
||||||
"process_vm_writev",
|
"process_vm_writev",
|
||||||
"ptrace",
|
"ptrace",
|
||||||
|
|
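Review bot: The Go hunks edit the same four lists as the JSON profile by hand, and nothing in this diff shows a test or generator that keeps `DefaultProfile()` and the JSON file in sync, which is exactly how the older omissions this commit repairs slipped in; if the JSON is generated from this function, the message should say that it was regenerated, otherwise a test asserting the two are equal would catch the next drift. Separately, `close_range` and `epoll_pwait2` (hunks `@ -67,6 +67,7 @@` and `@ -78,6 +79,7 @@`) are recent enough that a host's libseccomp may not know the names; whether such entries are skipped or cause the profile to fail to load is decided by the loader rather than by this list, so it is worth confirming the observed behaviour on an older host before shipping. `DefaultProfile()` begins and ends outside every hunk shown here.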