
profiles: seccomp: update to Linux 5.11 syscall list

These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:

 * close_range(2), epoll_pwait2(2) are just extensions of existing "safe
   for everyone" syscalls.

 * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
   all equivalent to aspects of mount(2) and thus go into the
   CAP_SYS_ADMIN category.

 * process_madvise(2) is similar to the other process_*(2) syscalls and
   thus goes in the CAP_SYS_PTRACE category.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 54eff4354b17a9c460b851300f28aed1408a8615)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Aleksa Sarai vor 4 Jahren
a6a88b3145
2 geänderte Dateien mit 18 neuen und 0 gelöschten Zeilen
  1. 9 0
      profiles/seccomp/default.json
  2. 9 0
      profiles/seccomp/default_linux.go

+ 9 - 0
profiles/seccomp/default.json

@@ -74,6 +74,7 @@
 				"clock_nanosleep",
 				"clock_nanosleep_time64",
 				"close",
+				"close_range",
 				"connect",
 				"copy_file_range",
 				"creat",
@@ -85,6 +86,7 @@
 				"epoll_ctl",
 				"epoll_ctl_old",
 				"epoll_pwait",
+				"epoll_pwait2",
 				"epoll_wait",
 				"epoll_wait_old",
 				"eventfd",
@@ -590,9 +592,15 @@
 				"bpf",
 				"clone",
 				"fanotify_init",
+				"fsconfig",
+				"fsmount",
+				"fsopen",
+				"fspick",
 				"lookup_dcookie",
 				"mount",
+				"move_mount",
 				"name_to_handle_at",
+				"open_tree",
 				"perf_event_open",
 				"quotactl",
 				"setdomainname",
@@ -724,6 +732,7 @@
 			"names": [
 				"kcmp",
 				"pidfd_getfd",
+				"process_madvise",
 				"process_vm_readv",
 				"process_vm_writev",
 				"ptrace"
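Review bot: The new names in the CAP_SYS_ADMIN list of the `@@ -590,9 +592,15 @@` hunk (`fsconfig`, `fsmount`, `fsopen`, `fspick`, `move_mount`, `open_tree`), like `close_range`, `epoll_pwait2` and `process_madvise` elsewhere in this file, are only enforceable where the runtime that loads this profile can resolve them; libseccomp releases that predate Linux 5.11 will not know these names, and whether an unresolvable name is skipped silently, skipped with a warning, or causes the whole profile to be rejected is decided outside this file. It is worth confirming which of those the loading path does, because a rejected profile would start containers with no filter at all rather than with a slightly narrower one. The same additions appear in default_linux.go in the next file section; if the JSON is generated from the Go source, as the identical hunks suggest, confirm the generator was run rather than the JSON edited by hand so the two copies cannot drift. The placement itself matches the commit message: the new-mount-API calls sit with `mount`, and `process_madvise` sits with the other cross-process calls in the CAP_SYS_PTRACE list.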

+ 9 - 0
profiles/seccomp/default_linux.go

@@ -67,6 +67,7 @@ func DefaultProfile() *Seccomp {
 				"clock_nanosleep",
 				"clock_nanosleep_time64",
 				"close",
+				"close_range",
 				"connect",
 				"copy_file_range",
 				"creat",
@@ -78,6 +79,7 @@ func DefaultProfile() *Seccomp {
 				"epoll_ctl",
 				"epoll_ctl_old",
 				"epoll_pwait",
+				"epoll_pwait2",
 				"epoll_wait",
 				"epoll_wait_old",
 				"eventfd",
@@ -521,9 +523,15 @@ func DefaultProfile() *Seccomp {
 				"bpf",
 				"clone",
 				"fanotify_init",
+				"fsconfig",
+				"fsmount",
+				"fsopen",
+				"fspick",
 				"lookup_dcookie",
 				"mount",
+				"move_mount",
 				"name_to_handle_at",
+				"open_tree",
 				"perf_event_open",
 				"quotactl",
 				"setdomainname",
@@ -625,6 +633,7 @@ func DefaultProfile() *Seccomp {
 			Names: []string{
 				"kcmp",
 				"pidfd_getfd",
+				"process_madvise",
 				"process_vm_readv",
 				"process_vm_writev",
 				"ptrace",