
Commit 12f20c9

authored
Merge pull request #4503 from thaJeztah/1.4_backport_seccomp_updates
[release/1.4] backport seccomp profile updates
2 parents 881db9b + 1f823f7 commit 12f20c9

1 file changed

Lines changed: 47 additions & 2 deletions

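--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -55,6 +55,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "accept",
 "accept4",
 "access",
+"adjtimex",
 "alarm",
 "bind",
 "brk",
@@ -173,6 +174,9 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "ioprio_set",
 "io_setup",
 "io_submit",
+"io_uring_enter",
+"io_uring_register",
+"io_uring_setup",
 "ipc",
 "kill",
 "lchown",
@@ -190,6 +194,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "lstat",
 "lstat64",
 "madvise",
+"membarrier",
 "memfd_create",
 "mincore",
 "mkdir",
@@ -233,11 +238,13 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "prctl",
 "pread64",
 "preadv",
+"preadv2",
 "prlimit64",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
 "pwritev",
+"pwritev2",
 "read",
 "readahead",
 "readlink",
@@ -344,7 +351,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "sync_file_range",
 "syncfs",
 "sysinfo",
-"syslog",
 "tee",
 "tgkill",
 "time",
@@ -406,6 +412,28 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 },
 },
 },
+{
+Names: []string{"personality"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{
+{
+Index: 0,
+Value: 0x20000,
+Op: specs.OpEqualTo,
+},
+},
+},
+{
+Names: []string{"personality"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{
+{
+Index: 0,
+Value: 0x20008,
+Op: specs.OpEqualTo,
+},
+},
+},
 {
 Names: []string{"personality"},
 Action: specs.ActAllow,
@@ -427,11 +455,20 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 
 // include by arch
 switch runtime.GOARCH {
+case "ppc64le":
+s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
+Names: []string{
+"sync_file_range2",
+},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{},
+})
 case "arm", "arm64":
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 Names: []string{
 "arm_fadvise64_64",
 "arm_sync_file_range",
+"sync_file_range2",
 "breakpoint",
 "cacheflush",
 "set_tls",
@@ -488,9 +525,11 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "mount",
 "name_to_handle_at",
 "perf_event_open",
+"quotactl",
 "setdomainname",
 "sethostname",
 "setns",
+"syslog",
 "umount",
 "umount2",
 "unshare",
@@ -551,7 +590,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Names: []string{
 "settimeofday",
 "stime",
-"adjtimex",
+"clock_settime",
 },
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
@@ -562,6 +601,12 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Action: specs.ActAllow,
 Args: []specs.LinuxSeccompArg{},
 })
+case "CAP_SYSLOG":
+s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
+Names: []string{"syslog"},
+Action: specs.ActAllow,
+Args: []specs.LinuxSeccompArg{},
+})
 }
 }
 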
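Review bot: The `io_uring_enter`, `io_uring_register` and `io_uring_setup` entries in the second hunk land in the unconditional allowlist with no rationale, even though io_uring exposes a large and fast-moving kernel surface that some hardened deployments deliberately keep blocked; a one-line comment above them stating why the default profile allows them, e.g. `// io_uring_*: allowed by default; revisit if the kernel's io_uring hardening posture changes`, would let a later reviewer judge whether to keep or gate them. The two new `personality` entries in the sixth hunk use bare values `0x20000` and `0x20008`, which appear to be the `UNAME26` and `PER_LINUX32 | UNAME26` personality flags — confirm against the kernel headers and name them in a comment (`// UNAME26` and `// PER_LINUX32 | UNAME26`) so the allowance is reviewable without decoding hex. `sync_file_range2` is inserted into the arm/arm64 list between `arm_sync_file_range` and `breakpoint`, breaking the list's alphabetical order. The `adjtimex` move from the capability-gated list to the default allowlist, and the `syslog` move the other way, are the substantive policy changes here and would merit a sentence in the commit description; DefaultProfile starts and ends outside every hunk.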