seccomp: add support for Landlock syscalls in default policy

This commit allows the Landlock[0] system calls in the default seccomp policy. Landlock was introduced in kernel 5.13, to fill the gap that inspecting filepaths passed as arguments to filesystem system calls is not really possible with pure `seccomp` (unless involving `ptrace`). Allowing Landlock by default fits in with allowing `seccomp` for containerized applications to voluntarily restrict their access rights to files within the container. [0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html Signed-off-by: Tudor Brindus <me@tbrindus.ca> (cherry picked from commit af819bf623) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-30 13:08:46 -05:00 · 2022-01-30 13:08:46 -05:00 · 57db169641
commit 57db169641
parent 32debe0986
2 changed files with 6 additions and 0 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -182,6 +182,9 @@
 				"io_uring_setup",
 				"ipc",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@ -177,6 +177,9 @@ func DefaultProfile() *Seccomp {
 				"io_uring_setup",
 				"ipc",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",