This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.
The following are not added, and are mentioned in the docs:
userfaultfd - userspace page fault handling, mainly designed for process migration
The following are not added, as they only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
| ... | ... |
@@ -127,6 +127,7 @@ the reason each syscall is blocked rather than white-listed. |
| 127 | 127 |
| `umount2` | Should be a privileged operation. | |
| 128 | 128 |
| `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. | |
| 129 | 129 |
| `uselib` | Older syscall related to shared libraries, unused for a long time. | |
| 130 |
+| `userfaultfd` | Userspace page fault handling, largely needed for process migration. | |
|
| 130 | 131 |
| `ustat` | Obsolete syscall. | |
| 131 | 132 |
| `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | |
| 132 | 133 |
| `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | |
| ... | ... |
@@ -114,6 +114,11 @@ |
| 114 | 114 |
"args": [] |
| 115 | 115 |
}, |
| 116 | 116 |
{
|
| 117 |
+ "name": "copy_file_range", |
|
| 118 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 119 |
+ "args": [] |
|
| 120 |
+ }, |
|
| 121 |
+ {
|
|
| 117 | 122 |
"name": "creat", |
| 118 | 123 |
"action": "SCMP_ACT_ALLOW", |
| 119 | 124 |
"args": [] |
| ... | ... |
@@ -714,6 +719,11 @@ |
| 714 | 714 |
"args": [] |
| 715 | 715 |
}, |
| 716 | 716 |
{
|
| 717 |
+ "name": "mlock2", |
|
| 718 |
+ "action": "SCMP_ACT_ALLOW", |
|
| 719 |
+ "args": [] |
|
| 720 |
+ }, |
|
| 721 |
+ {
|
|
| 717 | 722 |
"name": "mlockall", |
| 718 | 723 |
"action": "SCMP_ACT_ALLOW", |
| 719 | 724 |
"args": [] |
| ... | ... |
@@ -146,6 +146,11 @@ var DefaultProfile = &types.Seccomp{
|
| 146 | 146 |
Args: []*types.Arg{},
|
| 147 | 147 |
}, |
| 148 | 148 |
{
|
| 149 |
+ Name: "copy_file_range", |
|
| 150 |
+ Action: types.ActAllow, |
|
| 151 |
+ Args: []*types.Arg{},
|
|
| 152 |
+ }, |
|
| 153 |
+ {
|
|
| 149 | 154 |
Name: "creat", |
| 150 | 155 |
Action: types.ActAllow, |
| 151 | 156 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -746,6 +751,11 @@ var DefaultProfile = &types.Seccomp{
|
| 746 | 746 |
Args: []*types.Arg{},
|
| 747 | 747 |
}, |
| 748 | 748 |
{
|
| 749 |
+ Name: "mlock2", |
|
| 750 |
+ Action: types.ActAllow, |
|
| 751 |
+ Args: []*types.Arg{},
|
|
| 752 |
+ }, |
|
| 753 |
+ {
|
|
| 749 | 754 |
Name: "mlockall", |
| 750 | 755 |
Action: types.ActAllow, |
| 751 | 756 |
Args: []*types.Arg{},
|
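Review bot: The two new `DefaultProfile` entries (`copy_file_range` in the hunk at -146 and `mlock2` in the hunk at -746) carry no comment recording that they depend on libseccomp 2.3.0, which the commit message gives as the release that supports these names. A short comment on each entry would keep that visible to whoever next edits the whitelist, for example `// needs libseccomp >= 2.3.0 to resolve this name`. The code that turns the profile into a filter is not visible on this page, so it is worth confirming what happens on a host built against an older libseccomp: whether an unknown name is skipped or the whole profile fails to load. The same two entries are added to the JSON profile in the hunks above, where no comment is possible, and the `DefaultProfile` literal starts and ends outside these hunks.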