diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index c6d82f668b9bb..c4d91109c3a5b 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -64,6 +64,7 @@
 "alarm",
 "bind",
 "brk",
+ "cachestat",
 "capget",
 "capset",
 "chdir",
@@ -109,6 +110,7 @@
 "fchdir",
 "fchmod",
 "fchmodat",
+ "fchmodat2",
 "fchown",
 "fchown32",
 "fchownat",
@@ -130,8 +132,11 @@
 "ftruncate",
 "ftruncate64",
 "futex",
+ "futex_requeue",
 "futex_time64",
+ "futex_wait",
 "futex_waitv",
+ "futex_wake",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -203,6 +208,7 @@
 "lstat",
 "lstat64",
 "madvise",
+ "map_shadow_stack",
 "membarrier",
 "memfd_create",
 "memfd_secret",
@@ -780,7 +786,8 @@
 "names": [
 "get_mempolicy",
 "mbind",
- "set_mempolicy"
+ "set_mempolicy",
+ "set_mempolicy_home_node"
 ],
 "action": "SCMP_ACT_ALLOW",
 "includes": {
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index d2f7d5653a34e..09fb33765d4a2 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -56,6 +56,7 @@ func DefaultProfile() *Seccomp {
 "alarm",
 "bind",
 "brk",
+ "cachestat", // kernel v6.5, libseccomp v2.5.5
 "capget",
 "capset",
 "chdir",
@@ -101,6 +102,7 @@ func DefaultProfile() *Seccomp {
 "fchdir",
 "fchmod",
 "fchmodat",
+ "fchmodat2", // kernel v6.6, libseccomp v2.5.5
 "fchown",
 "fchown32",
 "fchownat",
@@ -122,8 +124,11 @@ func DefaultProfile() *Seccomp {
 "ftruncate",
 "ftruncate64",
 "futex",
+ "futex_requeue", // kernel v6.7, libseccomp v2.5.5
 "futex_time64",
+ "futex_wait", // kernel v6.7, libseccomp v2.5.5
 "futex_waitv",
+ "futex_wake", // kernel v6.7, libseccomp v2.5.5
 "futimesat",
 "getcpu",
 "getcwd",
@@ -195,6 +200,7 @@ func DefaultProfile() *Seccomp {
 "lstat",
 "lstat64",
 "madvise",
+ "map_shadow_stack", // kernel v6.6, libseccomp v2.5.5
 "membarrier",
 "memfd_create",
 "memfd_secret",
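Review bot: The `cachestat` entry in the first default_linux.go hunk (`@@ -56,6 +56,7 @@`) deserves a written rationale, because unlike the fchmodat2 and futex_* additions, which are variants of calls already in the list, it reports page-cache residency counts for a file range, the same class of data as mincore(2). Where containers share read-only image layers the page-cache state of those files is shared as well, so the entry could carry its reasoning inline, e.g. `"cachestat", // kernel v6.5, libseccomp v2.5.5; reports page-cache residency (cf. mincore), relies on the kernel's own permission check`. Whether the host kernel limits cachestat to files the caller owns or can write depends on the kernel version, so that is worth confirming for the oldest kernel the project supports. The same name is mirrored in default.json, and DefaultProfile's body begins and ends outside these hunks.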
@@ -768,6 +774,7 @@ func DefaultProfile() *Seccomp {
 "get_mempolicy",
 "mbind",
 "set_mempolicy",
+ "set_mempolicy_home_node", // kernel v5.17, libseccomp v2.5.4
 },
 Action: specs.ActAllow,
 },