@@ -591,6 +591,7 @@

 			"names": [

 				"bpf",

 				"clone",

+				"clone3",

 				"fanotify_init",

 				"fsconfig",

 				"fsmount",

@@ -672,6 +673,21 @@

 		},

 		{

 			"names": [

+				"clone3"

+			],

+			"action": "SCMP_ACT_ERRNO",

+			"errnoRet": 38,

+			"args": [],

+			"comment": "",

+			"includes": {},

+			"excludes": {

+				"caps": [

+					"CAP_SYS_ADMIN"

+				]

+			}

+		},

+		{

+			"names": [

 				"reboot"

 			],

 			"action": "SCMP_ACT_ALLOW",

@@ -42,6 +42,7 @@ func arches() []Architecture {

 // DefaultProfile defines the allowed syscalls for the default seccomp profile.

 func DefaultProfile() *Seccomp {

+	nosys := uint(unix.ENOSYS)

 	syscalls := []*Syscall{

 		{

 			Names: []string{

@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {

 			Names: []string{

 				"bpf",

 				"clone",

+				"clone3",

 				"fanotify_init",

 				"fsconfig",

 				"fsmount",

@@ -589,6 +591,17 @@ func DefaultProfile() *Seccomp {

 		},

 		{

 			Names: []string{

+				"clone3",

+			},

+			Action:   specs.ActErrno,

+			ErrnoRet: &nosys,

+			Args:     []*specs.LinuxSeccompArg{},

+			Excludes: Filter{

+				Caps: []string{"CAP_SYS_ADMIN"},

+			},

+		},

+		{

+			Names: []string{

 				"reboot",

 			},

 			Action: specs.ActAllow,

@@ -45,6 +45,7 @@ type Syscall struct {

 	Name     string                   `json:"name,omitempty"`

 	Names    []string                 `json:"names,omitempty"`

 	Action   specs.LinuxSeccompAction `json:"action"`

+	ErrnoRet *uint                    `json:"errnoRet,omitempty"`

 	Args     []*specs.LinuxSeccompArg `json:"args"`

 	Comment  string                   `json:"comment"`

 	Includes Filter                   `json:"includes"`

@@ -150,29 +150,25 @@ Loop:

 			}

 		}

+		newCall := specs.LinuxSyscall{

+			Action:   call.Action,

+			ErrnoRet: call.ErrnoRet,

+		}

 		if call.Name != "" && len(call.Names) != 0 {

 			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")

 		}

-

 		if call.Name != "" {

-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))

+			newCall.Names = []string{call.Name}

 		} else {

-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))

+			newCall.Names = call.Names

+		}

+		// Loop through all the arguments of the syscall and convert them

+		for _, arg := range call.Args {

+			newCall.Args = append(newCall.Args, *arg)

 		}

-	}

-

-	return newConfig, nil

-}

-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {

-	newCall := specs.LinuxSyscall{

-		Names:  names,

-		Action: action,

+		newConfig.Syscalls = append(newConfig.Syscalls, newCall)

 	}

-	// Loop through all the arguments of the syscall and convert them

-	for _, arg := range args {

-		newCall.Args = append(newCall.Args, *arg)

-	}

-	return newCall

+	return newConfig, nil

 }