Allow different syscalls from kernels 5.12 -> 5.16
Kernel 5.12:

    mount_setattr: needs CAP_SYS_ADMIN

Kernel 5.13:

    landlock_create_ruleset: always allowed
    landlock_add_rule: always allowed
    landlock_restrict_self: always allowed

Kernel 5.14:

    quotactl_fd: needs CAP_SYS_ADMIN
    memfd_secret: always allowed

Kernel 5.15:

    process_mrelease: always allowed

Kernel 5.16:

    futex_waitv: always allowed

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Ubuntu authored and rumpl committed May 13, 2022
1 parent e971246 commit 7cc8961
Showing 2 changed files with 16 additions and 0 deletions.
8 changes: 8 additions & 0 deletions profiles/seccomp/default.json
Expand Up @@ -127,6 +127,7 @@
"ftruncate64",
"futex",
"futex_time64",
"futex_waitv",
"futimesat",
"getcpu",
"getcwd",
Expand Down Expand Up @@ -186,6 +187,9 @@
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"lchown",
"lchown32",
"lgetxattr",
Expand All @@ -203,6 +207,7 @@
"madvise",
"membarrier",
"memfd_create",
"memfd_secret",
"mincore",
"mkdir",
"mkdirat",
Expand Down Expand Up @@ -250,6 +255,7 @@
"preadv",
"preadv2",
"prlimit64",
"process_mrelease",
"pselect6",
"pselect6_time64",
"pwrite64",
Expand Down Expand Up @@ -566,11 +572,13 @@
"fspick",
"lookup_dcookie",
"mount",
"mount_setattr",
"move_mount",
"name_to_handle_at",
"open_tree",
"perf_event_open",
"quotactl",
"quotactl_fd",
"setdomainname",
"sethostname",
"setns",
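Review bot: The three landlock entries in the second hunk of this section are listed twice, and the hunk header `-186,6 +187,9` (six old lines, nine new) implies the old side already held one copy of `"landlock_add_rule"`, `"landlock_create_ruleset"` and `"landlock_restrict_self"`, so this hunk adds duplicates rather than new syscalls; the same duplication is in profiles/seccomp/default_linux.go at its `-178,6 +179,9` hunk. That reading is inferred from the line counts, since the rendered view has lost the +/- markers. The commit message lists the landlock calls under kernel 5.13 as newly allowed, which does not match what the hunk appears to do; dropping the three added lines from both files keeps the allowlist sorted and free of repeats, and the message should then be amended. The enclosing names array begins and ends outside the hunk.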
8 changes: 8 additions & 0 deletions profiles/seccomp/default_linux.go
Expand Up @@ -119,6 +119,7 @@ func DefaultProfile() *Seccomp {
"ftruncate64",
"futex",
"futex_time64",
"futex_waitv",
"futimesat",
"getcpu",
"getcwd",
Expand Down Expand Up @@ -178,6 +179,9 @@ func DefaultProfile() *Seccomp {
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"lchown",
"lchown32",
"lgetxattr",
Expand All @@ -195,6 +199,7 @@ func DefaultProfile() *Seccomp {
"madvise",
"membarrier",
"memfd_create",
"memfd_secret",
"mincore",
"mkdir",
"mkdirat",
Expand Down Expand Up @@ -242,6 +247,7 @@ func DefaultProfile() *Seccomp {
"preadv",
"preadv2",
"prlimit64",
"process_mrelease",
"pselect6",
"pselect6_time64",
"pwrite64",
Expand Down Expand Up @@ -557,11 +563,13 @@ func DefaultProfile() *Seccomp {
"fspick",
"lookup_dcookie",
"mount",
"mount_setattr",
"move_mount",
"name_to_handle_at",
"open_tree",
"perf_event_open",
"quotactl",
"quotactl_fd",
"setdomainname",
"sethostname",
"setns",
