seccomp: always allow name_to_handle_at

neersighted · bartier · neersighted · commit 07ea7b9e789e · 2023-06-28T05:51:34.000-06:00
This syscall is used by systemd to request unique internal names for paths in the cgroup hierarchy from the kernel, and is overall innocuous. Due to [previous][1] [mistakes][2] in moby/moby, it ended up attached to `CAP_SYS_ADMIN`; however, it should not be filtered at all. An in-depth analysis is available [at moby/moby][3]. [1]: moby/moby@a01c4dc#diff-6c0d906dbef148d2060ed71a7461907e5601fea78866e4183835c60e5d2ff01aR1627-R1639 [2]: moby/moby@c1ca124 [3]: moby/moby#45766 (review) Co-authored-by: Vitor Anjos <bartier@users.noreply.github.com> Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com> (cherry picked from commit 9a202e3) Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -238,6 +238,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"munlock",
 				"munlockall",
 				"munmap",
+				"name_to_handle_at",
 				"nanosleep",
 				"newfstatat",
 				"_newselect",
@@ -572,7 +573,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 					"mount",
 					"mount_setattr",
 					"move_mount",
-					"name_to_handle_at",
 					"open_tree",
 					"perf_event_open",
 					"quotactl",
