Commit d0d99b0

seccomp: allow 'rseq' syscall in default seccomp profile
Restartable Sequences (rseq) are a kernel-based mechanism for fast update operations on per-core data in user-space. Some libraries, like the newest version of Google's TCMalloc, depend on it [1]. This also makes docker's default seccomp profile on par with systemd's, which enabled 'rseq' in early 2019 [2].

1: https://google.github.io/tcmalloc/design.html
2: systemd/systemd@6fee3be

Signed-off-by: Florian Schmaus <[email protected]>
1 parent 07cea2e commit d0d99b0

2 files changed

+2
-0
lines changed

profiles/seccomp/default.json

Lines changed: 1 addition & 0 deletions
@@ -262,6 +262,7 @@
262262
"renameat2",
263263
"restart_syscall",
264264
"rmdir",
265+
"rseq",
265266
"rt_sigaction",
266267
"rt_sigpending",
267268
"rt_sigprocmask",
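
Review bot: "rseq" is added at new line 265 as a bare name between "rmdir" and "rt_sigaction", so it inherits whatever action and conditions apply to the surrounding names list, yet the commit changes only the two profile lists (+2 -0) and adds no test. Suggest a test that a container running under the default profile can make the rseq call, and a check that the profile still loads on hosts whose kernel or seccomp library does not recognise the syscall name, since rseq is a comparatively recent addition.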

profiles/seccomp/seccomp_default.go

Lines changed: 1 addition & 0 deletions
@@ -255,6 +255,7 @@ func DefaultProfile() *types.Seccomp {
255255
"renameat2",
256256
"restart_syscall",
257257
"rmdir",
258+
"rseq",
258259
"rt_sigaction",
259260
"rt_sigpending",
260261
"rt_sigprocmask",
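
Review bot: the "rseq" entry at new line 258 of DefaultProfile() repeats by hand the string added to profiles/seccomp/default.json, and nothing visible in this commit ties the two lists together. If default.json is generated from DefaultProfile(), please say so in the commit message and regenerate it rather than hand-editing; if not, a test that compares the two lists would catch drift the next time a syscall is added.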
