seccomp: allow 'rseq' syscall in default seccomp profile

Flowdalic · thaJeztah · commit 39052fa79bc2 · 2020-09-14T16:17:34.000+02:00
Restartable Sequences (rseq) are a kernel-based mechanism for fast update operations on per-core data in user-space. Some libraries, like the newest version of Google's TCMalloc, depend on it [1]. This also makes dockers default seccomp profile on par with systemd's, which enabled 'rseq' in early 2019 [2]. 1: https://google.github.io/tcmalloc/design.html 2: systemd/systemd@6fee3be Signed-off-by: Florian Schmaus <flo@geekplace.eu> (cherry picked from commit e977564) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -257,6 +257,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"renameat2",
 				"restart_syscall",
 				"rmdir",
+				"rseq",
 				"rt_sigaction",
 				"rt_sigpending",
 				"rt_sigprocmask",
