These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:
* close_range(2) and epoll_pwait2(2) are just extensions of existing "safe
for everyone" syscalls.
* The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
all equivalent to aspects of mount(2) and thus go into the
CAP_SYS_ADMIN category.
* process_madvise(2) is similar to the other process_*(2) syscalls and
thus goes in the CAP_SYS_PTRACE category.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 54eff4354b17a9c460b851300f28aed1408a8615)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -74,6 +74,7 @@ |
| 74 | 74 |
"clock_nanosleep", |
| 75 | 75 |
"clock_nanosleep_time64", |
| 76 | 76 |
"close", |
| 77 |
+ "close_range", |
|
| 77 | 78 |
"connect", |
| 78 | 79 |
"copy_file_range", |
| 79 | 80 |
"creat", |
| ... | ... |
@@ -85,6 +86,7 @@ |
| 85 | 85 |
"epoll_ctl", |
| 86 | 86 |
"epoll_ctl_old", |
| 87 | 87 |
"epoll_pwait", |
| 88 |
+ "epoll_pwait2", |
|
| 88 | 89 |
"epoll_wait", |
| 89 | 90 |
"epoll_wait_old", |
| 90 | 91 |
"eventfd", |
| ... | ... |
@@ -590,9 +592,15 @@ |
| 590 | 590 |
"bpf", |
| 591 | 591 |
"clone", |
| 592 | 592 |
"fanotify_init", |
| 593 |
+ "fsconfig", |
|
| 594 |
+ "fsmount", |
|
| 595 |
+ "fsopen", |
|
| 596 |
+ "fspick", |
|
| 593 | 597 |
"lookup_dcookie", |
| 594 | 598 |
"mount", |
| 599 |
+ "move_mount", |
|
| 595 | 600 |
"name_to_handle_at", |
| 601 |
+ "open_tree", |
|
| 596 | 602 |
"perf_event_open", |
| 597 | 603 |
"quotactl", |
| 598 | 604 |
"setdomainname", |
| ... | ... |
@@ -724,6 +732,7 @@ |
| 724 | 724 |
"names": [ |
| 725 | 725 |
"kcmp", |
| 726 | 726 |
"pidfd_getfd", |
| 727 |
+ "process_madvise", |
|
| 727 | 728 |
"process_vm_readv", |
| 728 | 729 |
"process_vm_writev", |
| 729 | 730 |
"ptrace" |
| ... | ... |
@@ -67,6 +67,7 @@ func DefaultProfile() *Seccomp {
|
| 67 | 67 |
"clock_nanosleep", |
| 68 | 68 |
"clock_nanosleep_time64", |
| 69 | 69 |
"close", |
| 70 |
+ "close_range", |
|
| 70 | 71 |
"connect", |
| 71 | 72 |
"copy_file_range", |
| 72 | 73 |
"creat", |
| ... | ... |
@@ -78,6 +79,7 @@ func DefaultProfile() *Seccomp {
|
| 78 | 78 |
"epoll_ctl", |
| 79 | 79 |
"epoll_ctl_old", |
| 80 | 80 |
"epoll_pwait", |
| 81 |
+ "epoll_pwait2", |
|
| 81 | 82 |
"epoll_wait", |
| 82 | 83 |
"epoll_wait_old", |
| 83 | 84 |
"eventfd", |
| ... | ... |
@@ -521,9 +523,15 @@ func DefaultProfile() *Seccomp {
|
| 521 | 521 |
"bpf", |
| 522 | 522 |
"clone", |
| 523 | 523 |
"fanotify_init", |
| 524 |
+ "fsconfig", |
|
| 525 |
+ "fsmount", |
|
| 526 |
+ "fsopen", |
|
| 527 |
+ "fspick", |
|
| 524 | 528 |
"lookup_dcookie", |
| 525 | 529 |
"mount", |
| 530 |
+ "move_mount", |
|
| 526 | 531 |
"name_to_handle_at", |
| 532 |
+ "open_tree", |
|
| 527 | 533 |
"perf_event_open", |
| 528 | 534 |
"quotactl", |
| 529 | 535 |
"setdomainname", |
| ... | ... |
@@ -625,6 +633,7 @@ func DefaultProfile() *Seccomp {
|
| 625 | 625 |
Names: []string{
|
| 626 | 626 |
"kcmp", |
| 627 | 627 |
"pidfd_getfd", |
| 628 |
+ "process_madvise", |
|
| 628 | 629 |
"process_vm_readv", |
| 629 | 630 |
"process_vm_writev", |
| 630 | 631 |
"ptrace", |