
seccomp: allow 'rseq' syscall in default seccomp profile

Restartable Sequences (rseq) are a kernel-based mechanism for fast
update operations on per-core data in user-space. Some libraries, like
the newest version of Google's TCMalloc, depend on it [1].

This also makes Docker's default seccomp profile on par with systemd's,
which enabled 'rseq' in early 2019 [2].

1: https://google.github.io/tcmalloc/design.html
2: https://github.com/systemd/systemd/pull/12133/commits/6fee3be0b4929d5641bf1c850fce7884b6d1e44e

Signed-off-by: Florian Schmaus <flo@geekplace.eu>

Florian Schmaus authored on 2020/06/26 22:33:50
Showing 2 changed files
... ...
@@ -262,6 +262,7 @@
262 262
 				"renameat2",
263 263
 				"restart_syscall",
264 264
 				"rmdir",
265
+				"rseq",
265 266
 				"rt_sigaction",
266 267
 				"rt_sigpending",
267 268
 				"rt_sigprocmask",
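Review bot: the new "rseq" entry sits in the correct alphabetical slot between "rmdir" and "rt_sigaction", so the list's ordering convention is preserved; since this is the shipped JSON profile and the same change is made to the Go DefaultProfile() generator in the second file, please confirm the two lists are regenerated from one source rather than edited by hand, so the embedded default and the JSON profile cannot drift apart.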
... ...
@@ -255,6 +255,7 @@ func DefaultProfile() *types.Seccomp {
255 255
 				"renameat2",
256 256
 				"restart_syscall",
257 257
 				"rmdir",
258
+				"rseq",
258 259
 				"rt_sigaction",
259 260
 				"rt_sigpending",
260 261
 				"rt_sigprocmask",
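Review bot: this mirrors the JSON hunk inside DefaultProfile(), and "rseq" joins the same unconditional base allowlist as "rmdir" and "rt_sigaction" with no architecture or capability qualifier; that is consistent with the systemd precedent cited in the description, but the rationale (an unprivileged, per-thread fast-path syscall that newer allocators such as TCMalloc require) lives only in the commit message, so a one-line comment next to the entry, or an entry in the profile's changelog, would help future readers auditing why it was added.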