From 6f242f1a28a9e658a6dd29a314cd2d1923427579 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 6 Feb 2024 13:59:04 +0100
Subject: [PATCH] seccomp: add fchmodat2 syscall (kernel v6.6, libseccomp v2.5.5)

Add this syscall to match the profile in containerd

containerd: https://github.com/containerd/containerd/commit/a6e52c74fa043a63d7dae4ac6998215f6c1bb6ac
libseccomp: https://github.com/seccomp/libseccomp/commit/53267af3fb56eed93a50b8ef92f41825c97a7813
kernel: https://github.com/torvalds/linux/commit/09da082b07bbae1c11d9560c8502800039aebcea

fs: Add fchmodat2()

On the userspace side fchmodat(3) is implemented as a wrapper function which implements the POSIX-specified interface. This interface differs from the underlying kernel system call, which does not have a flags argument. Most implementations require procfs [1][2]. There doesn't appear to be a good userspace workaround for this issue but the implementation in the kernel is pretty straight-forward. The new fchmodat2() syscall allows to pass the AT_SYMLINK_NOFOLLOW flag, unlike existing fchmodat.

Signed-off-by: Sebastiaan van Stijn
---
 profiles/seccomp/default.json | 1 +
 profiles/seccomp/default_linux.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 4b26dbae60..40ec582af0 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -110,6 +110,7 @@
 "fchdir",
 "fchmod",
 "fchmodat",
+ "fchmodat2",
 "fchown",
 "fchown32",
 "fchownat",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 01d71c7941..6e94ab024b 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -102,6 +102,7 @@ func DefaultProfile() *Seccomp {
 "fchdir",
 "fchmod",
 "fchmodat",
+ "fchmodat2", // kernel v6.6, libseccomp v2.5.5
 "fchown",
 "fchown32",
 "fchownat",
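Review bot: The new allowlist entry in the default_linux.go hunk is a syscall name that libseccomp only resolves from v2.5.5 onward (as the added comment itself records), so the patch's effect on hosts with an older libseccomp depends on how the profile loader treats names it cannot resolve, and the commit does not say which it is. If unresolved names are skipped with a warning the entry is merely inert there; if they are rejected, the default profile would fail to load, which is the worse failure mode for a security default and worth confirming in the PR description. Since the JSON profile cannot carry the provenance comment, the Go comment could also record that the two lists are expected to move in lockstep, e.g. `"fchmodat2", // kernel v6.6, libseccomp v2.5.5; keep default.json in sync`. The same entry is added in the default.json hunk; DefaultProfile's body starts and ends outside the hunk.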