
Commit 8330a08

authored
Merge pull request #50097 from vvoland/seccomp-lsm
seccomp: Require CAP_SYS_ADMIN for lsm_* syscalls
2 parents 5d7550e + 148a19b commit 8330a08

2 files changed

Lines changed: 6 additions & 6 deletions


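--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -208,9 +208,6 @@
 "lremovexattr",
 "lseek",
 "lsetxattr",
-"lsm_get_self_attr",
-"lsm_list_modules",
-"lsm_set_self_attrs",
 "lstat",
 "lstat64",
 "madvise",
@@ -614,6 +611,9 @@
 "fsopen",
 "fspick",
 "lookup_dcookie",
+"lsm_get_self_attr",
+"lsm_list_modules",
+"lsm_set_self_attr",
 "mount",
 "mount_setattr",
 "move_mount",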

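--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -200,9 +200,6 @@ func DefaultProfile() *Seccomp {
 "lremovexattr",
 "lseek",
 "lsetxattr",
-"lsm_get_self_attr", // kernel v6.8, libseccomp v2.6.0
-"lsm_list_modules", // kernel v6.8, libseccomp v2.6.0
-"lsm_set_self_attrs", // kernel v6.8, libseccomp v2.6.0
 "lstat",
 "lstat64",
 "madvise",
@@ -605,6 +602,9 @@ func DefaultProfile() *Seccomp {
 "fsopen",
 "fspick",
 "lookup_dcookie",
+"lsm_get_self_attr", // kernel v6.8, libseccomp v2.6.0
+"lsm_list_modules", // kernel v6.8, libseccomp v2.6.0
+"lsm_set_self_attr", // kernel v6.8, libseccomp v2.6.0
 "mount",
 "mount_setattr",
 "move_mount",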
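Review bot: The added `lsm_set_self_attr` entry in the second hunk quietly corrects the removed `lsm_set_self_attrs`, which appears not to match a kernel syscall name, so a misspelt name in these lists seems to pass unnoticed. In an allow-list such an entry fails closed, but it also means the old entry probably never had the effect its author intended. If the package has no such check, a test that walks every name returned by `DefaultProfile()` and fails on names missing from a known syscall table (with an explicit allowance for syscalls newer than the linked libseccomp) would catch this class of mistake. The rule that encloses the new entries starts and ends outside the hunk, so the CAP_SYS_ADMIN condition is not visible at this spot; a short comment above the three lines, for example `// lsm_*: read or change the caller's LSM attributes; allowed only with CAP_SYS_ADMIN`, would keep the intent next to the list. The same three names are mirrored in profiles/seccomp/default.json.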
