profiles: seccomp: update to Linux 5.11 syscall list

thaJeztah · cyphar · thaJeztah · commit e1445dff12e4 · 2021-01-21T21:30:25.000+01:00
These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:

 * close_range(2), epoll_wait2(2) are just extensions of existing "safe
   for everyone" syscalls.

 * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
   all equivalent to aspects of mount(2) and thus go into the
   CAP_SYS_ADMIN category.

 * process_madvise(2) is similar to the other process_*(2) syscalls and
   thus goes in the CAP_SYS_PTRACE category.

Co-authored-by: Aleksa Sarai &lt;asarai@suse.de&gt;
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -74,6 +74,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"clock_nanosleep",
 				"clock_nanosleep_time64",
 				"close",
+				"close_range",
 				"connect",
 				"copy_file_range",
 				"creat",
@@ -85,6 +86,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"epoll_ctl",
 				"epoll_ctl_old",
 				"epoll_pwait",
+				"epoll_pwait2",
 				"epoll_wait",
 				"epoll_wait_old",
 				"eventfd",
@@ -525,9 +527,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 					"bpf",
 					"clone",
 					"fanotify_init",
+					"fsconfig",
+					"fsmount",
+					"fsopen",
+					"fspick",
 					"lookup_dcookie",
 					"mount",
+					"move_mount",
 					"name_to_handle_at",
+					"open_tree",
 					"perf_event_open",
 					"quotactl",
 					"setdomainname",
@@ -574,6 +582,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				Names: []string{
 					"kcmp",
 					"pidfd_getfd",
+					"process_madvise",
 					"process_vm_readv",
 					"process_vm_writev",
 					"ptrace",
