profiles: seccomp: update to Linux 5.11 syscall list

These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:

 * close_range(2), epoll_pwait2(2) are just extensions of existing "safe
   for everyone" syscalls.

 * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
   all equivalent to aspects of mount(2) and thus go into the
   CAP_SYS_ADMIN category.

 * process_madvise(2) is similar to the other process_*(2) syscalls and
   thus goes in the CAP_SYS_PTRACE category.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 54eff4354b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Aleksa Sarai 2021-01-17 23:39:31 +11:00 committed by Sebastiaan van Stijn
parent fae366b323
commit a6a88b3145
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
2 changed files with 18 additions and 0 deletions


@ -74,6 +74,7 @@
"clock_nanosleep", "clock_nanosleep",
"clock_nanosleep_time64", "clock_nanosleep_time64",
"close", "close",
"close_range",
"connect", "connect",
"copy_file_range", "copy_file_range",
"creat", "creat",
@ -85,6 +86,7 @@
"epoll_ctl", "epoll_ctl",
"epoll_ctl_old", "epoll_ctl_old",
"epoll_pwait", "epoll_pwait",
"epoll_pwait2",
"epoll_wait", "epoll_wait",
"epoll_wait_old", "epoll_wait_old",
"eventfd", "eventfd",
@ -590,9 +592,15 @@
"bpf", "bpf",
"clone", "clone",
"fanotify_init", "fanotify_init",
"fsconfig",
"fsmount",
"fsopen",
"fspick",
"lookup_dcookie", "lookup_dcookie",
"mount", "mount",
"move_mount",
"name_to_handle_at", "name_to_handle_at",
"open_tree",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
"setdomainname", "setdomainname",
@ -724,6 +732,7 @@
"names": [ "names": [
"kcmp", "kcmp",
"pidfd_getfd", "pidfd_getfd",
"process_madvise",
"process_vm_readv", "process_vm_readv",
"process_vm_writev", "process_vm_writev",
"ptrace" "ptrace"
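Review bot: The same eight names are hand-inserted into two parallel copies of the profile, this JSON list and the Go `DefaultProfile()` section below, and nothing in either section shows a check that the two stay equal, so the next addition to one copy can silently drift from the other. The insertions do preserve each list's alphabetical order (`close_range` after `close`, `epoll_pwait2` after `epoll_pwait`, `fsconfig`..`fspick` after `fanotify_init`, `move_mount` after `mount`, `open_tree` after `name_to_handle_at`, `process_madvise` after `pidfd_getfd`), which is what keeps drift reviewable by eye, so that ordering is worth stating as a rule. Consider a test that loads the JSON profile and compares its rule groups with the value returned by `DefaultProfile()`, or at least a comment at the head of each list such as `// Keep in sync with the JSON profile; entries are sorted alphabetically within each group.` The capability grouping matches the commit message, with the mount-API names beside `mount` in the `CAP_SYS_ADMIN` group and `process_madvise` beside `process_vm_readv`/`process_vm_writev` in the `CAP_SYS_PTRACE` group; the enclosing arrays and, in the Go file, `DefaultProfile()` itself begin and end outside every hunk.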


@ -67,6 +67,7 @@ func DefaultProfile() *Seccomp {
"clock_nanosleep", "clock_nanosleep",
"clock_nanosleep_time64", "clock_nanosleep_time64",
"close", "close",
"close_range",
"connect", "connect",
"copy_file_range", "copy_file_range",
"creat", "creat",
@ -78,6 +79,7 @@ func DefaultProfile() *Seccomp {
"epoll_ctl", "epoll_ctl",
"epoll_ctl_old", "epoll_ctl_old",
"epoll_pwait", "epoll_pwait",
"epoll_pwait2",
"epoll_wait", "epoll_wait",
"epoll_wait_old", "epoll_wait_old",
"eventfd", "eventfd",
@ -521,9 +523,15 @@ func DefaultProfile() *Seccomp {
"bpf", "bpf",
"clone", "clone",
"fanotify_init", "fanotify_init",
"fsconfig",
"fsmount",
"fsopen",
"fspick",
"lookup_dcookie", "lookup_dcookie",
"mount", "mount",
"move_mount",
"name_to_handle_at", "name_to_handle_at",
"open_tree",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
"setdomainname", "setdomainname",
@ -625,6 +633,7 @@ func DefaultProfile() *Seccomp {
Names: []string{ Names: []string{
"kcmp", "kcmp",
"pidfd_getfd", "pidfd_getfd",
"process_madvise",
"process_vm_readv", "process_vm_readv",
"process_vm_writev", "process_vm_writev",
"ptrace", "ptrace",