authorDjordje Lukic <djordje.lukic@docker.com>2022-05-13 11:20:48 +0200
committerDjordje Lukic <djordje.lukic@docker.com>2022-05-13 12:35:08 +0200
commit7de9f4f82de417097f6fab150288ca2f1c0a9d91 (patch)
treeda5d77c441440e30566879118706ff41a680de41
parentf1dd6bf84e28930e1ccd903361f9284fb22d3b8a (diff)
downloaddocker-7de9f4f82de417097f6fab150288ca2f1c0a9d91.tar.gz
Allow different syscalls from kernels 5.12 -> 5.16
Kernel 5.12: mount_setattr — needs CAP_SYS_ADMIN. Kernel 5.14: quotactl_fd — needs CAP_SYS_ADMIN; memfd_secret — always allowed. Kernel 5.15: process_mrelease — always allowed. Kernel 5.16: futex_waitv — always allowed. Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
-rw-r--r--profiles/seccomp/default.json5
-rw-r--r--profiles/seccomp/default_linux.go5
2 files changed, 10 insertions, 0 deletions
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 37e6febf53..ed553e2d9c 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -131,6 +131,7 @@
"ftruncate64",
"futex",
"futex_time64",
+ "futex_waitv",
"futimesat",
"getcpu",
"getcwd",
@@ -207,6 +208,7 @@
"madvise",
"membarrier",
"memfd_create",
+ "memfd_secret",
"mincore",
"mkdir",
"mkdirat",
@@ -254,6 +256,7 @@
"preadv",
"preadv2",
"prlimit64",
+ "process_mrelease",
"pselect6",
"pselect6_time64",
"pwrite64",
@@ -581,11 +584,13 @@
"fspick",
"lookup_dcookie",
"mount",
+ "mount_setattr",
"move_mount",
"name_to_handle_at",
"open_tree",
"perf_event_open",
"quotactl",
+ "quotactl_fd",
"setdomainname",
"sethostname",
"setns",
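Review bot: default.json now duplicates by hand the same five entries that default_linux.go adds at L59–L100, and nothing in the change checks that the two allowlists stay identical; if default.json is produced from DefaultProfile by a generator in this tree, regenerating it (or adding a test that marshals DefaultProfile and compares the result to the file) would catch drift better than parallel edits. The placement does match the commit message: futex_waitv, memfd_secret and process_mrelease go into the unconditional list, while mount_setattr and quotactl_fd sit next to mount and quotactl in a group that the surrounding entries suggest is gated on CAP_SYS_ADMIN, although that group's header is outside the hunk. JSON carries no comments, so the kernel-version rationale for each tier can only be recorded in the Go profile or the commit message.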
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index ca6dfd4661..1bc8ed86f0 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -123,6 +123,7 @@ func DefaultProfile() *Seccomp {
"ftruncate64",
"futex",
"futex_time64",
+ "futex_waitv",
"futimesat",
"getcpu",
"getcwd",
@@ -199,6 +200,7 @@ func DefaultProfile() *Seccomp {
"madvise",
"membarrier",
"memfd_create",
+ "memfd_secret",
"mincore",
"mkdir",
"mkdirat",
@@ -246,6 +248,7 @@ func DefaultProfile() *Seccomp {
"preadv",
"preadv2",
"prlimit64",
+ "process_mrelease",
"pselect6",
"pselect6_time64",
"pwrite64",
@@ -572,11 +575,13 @@ func DefaultProfile() *Seccomp {
"fspick",
"lookup_dcookie",
"mount",
+ "mount_setattr",
"move_mount",
"name_to_handle_at",
"open_tree",
"perf_event_open",
"quotactl",
+ "quotactl_fd",
"setdomainname",
"sethostname",
"setns",
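Review bot: The new names give no hint of the kernel that introduced them or why mount_setattr and quotactl_fd (this hunk) are placed in the gated group while futex_waitv, memfd_secret and process_mrelease (the hunks at L63–70, L71–78 and L79–86) are allowed unconditionally; a short trailing comment per entry, such as `"memfd_secret", // 5.14: secret memory, locked and unswappable`, would keep that reasoning with the profile instead of only in the commit message. Adding these names is harmless on older kernels only if the runtime skips syscall names its libseccomp cannot resolve, which I believe runc does, but it is worth confirming since otherwise the default profile would fail to load on such hosts. To my knowledge memfd_secret is disabled unless the host boots with secretmem.enable=1, and process_mrelease only acts on a task that is already exiting, so neither widens the sandbox much, whereas mount_setattr and quotactl_fd mirror mount and quotactl and belong in the gated group as done here. DefaultProfile's body begins and ends outside these hunks.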