Skip to content

Commit

Permalink
Merge pull request #47344 from thaJeztah/25.0_backport_seccomp_updates
Browse files Browse the repository at this point in the history 
[25.0 backport] profiles/seccomp: add syscalls for kernel v5.17 - v6.6, match containerd's profile
  • Loading branch information
@thaJeztah
thaJeztah committed Feb 6, 2024
2 parents aff7177 + ed7c263 commit 7a075ca
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
9 changes: 8 additions & 1 deletion profiles/seccomp/default.json
View file
Expand Up @@ -64,6 +64,7 @@
"alarm",
"bind",
"brk",
"cachestat",
"capget",
"capset",
"chdir",
Expand Down Expand Up @@ -109,6 +110,7 @@
"fchdir",
"fchmod",
"fchmodat",
"fchmodat2",
"fchown",
"fchown32",
"fchownat",
Expand All @@ -130,8 +132,11 @@
"ftruncate",
"ftruncate64",
"futex",
"futex_requeue",
"futex_time64",
"futex_wait",
"futex_waitv",
"futex_wake",
"futimesat",
"getcpu",
"getcwd",
Expand Down Expand Up @@ -203,6 +208,7 @@
"lstat",
"lstat64",
"madvise",
"map_shadow_stack",
"membarrier",
"memfd_create",
"memfd_secret",
Expand Down Expand Up @@ -780,7 +786,8 @@
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
"set_mempolicy",
"set_mempolicy_home_node"
],
"action": "SCMP_ACT_ALLOW",
"includes": {
Expand Down
7 changes: 7 additions & 0 deletions profiles/seccomp/default_linux.go
View file
Expand Up @@ -56,6 +56,7 @@ func DefaultProfile() *Seccomp {
"alarm",
"bind",
"brk",
"cachestat", // kernel v6.5, libseccomp v2.5.5
"capget",
"capset",
"chdir",
Expand Down Expand Up @@ -101,6 +102,7 @@ func DefaultProfile() *Seccomp {
"fchdir",
"fchmod",
"fchmodat",
"fchmodat2", // kernel v6.6, libseccomp v2.5.5
"fchown",
"fchown32",
"fchownat",
Expand All @@ -122,8 +124,11 @@ func DefaultProfile() *Seccomp {
"ftruncate",
"ftruncate64",
"futex",
"futex_requeue", // kernel v6.7, libseccomp v2.5.5
"futex_time64",
"futex_wait", // kernel v6.7, libseccomp v2.5.5
"futex_waitv",
"futex_wake", // kernel v6.7, libseccomp v2.5.5
"futimesat",
"getcpu",
"getcwd",
Expand Down Expand Up @@ -195,6 +200,7 @@ func DefaultProfile() *Seccomp {
"lstat",
"lstat64",
"madvise",
"map_shadow_stack", // kernel v6.6, libseccomp v2.5.5
"membarrier",
"memfd_create",
"memfd_secret",
Expand Down Expand Up @@ -768,6 +774,7 @@ func DefaultProfile() *Seccomp {
"get_mempolicy",
"mbind",
"set_mempolicy",
"set_mempolicy_home_node", // kernel v5.17, libseccomp v2.5.4
},
Action: specs.ActAllow,
},
Expand Down

0 comments on commit 7a075ca

Please sign in to comment.