diff --git a/docs/security/seccomp.md b/docs/security/seccomp.md
index e046aef9b0..f39eb9fae3 100644
--- a/docs/security/seccomp.md
+++ b/docs/security/seccomp.md
@@ -127,6 +127,7 @@ the reason each syscall is blocked rather than white-listed.
 | `umount2` | Should be a privileged operation. |
 | `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. |
 | `uselib` | Older syscall related to shared libraries, unused for a long time. |
+| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
 | `ustat` | Obsolete syscall. |
 | `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
 | `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index bdebd7158b..28d564c1e0 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -113,6 +113,11 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "copy_file_range",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "creat",
 "action": "SCMP_ACT_ALLOW",
@@ -713,6 +718,11 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "mlock2",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "mlockall",
 "action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index c5e6b736db..be93d780a5 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -145,6 +145,11 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "copy_file_range",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "creat",
 Action: types.ActAllow,
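Review bot: The `copy_file_range` entry in this hunk and the `mlock2` entry in the next `default.json` hunk are written by hand in parallel with the same two entries in `seccomp_default.go`, so the shipped JSON and the compiled-in default can drift if one side is missed in a later change. If `default.json` is meant to be produced from the Go profile, regenerating it as part of the commit would make that explicit; otherwise a test that marshals `DefaultProfile` and compares it with this file would catch a mismatch. Separately, the index line shows this data file at mode `100755`; nothing visible here needs it to be executable, so `100644` would be the tidier setting.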
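Review bot: Nothing in this hunk shows how the profile loader treats a syscall name that the host's libseccomp or kernel does not know, and `copy_file_range` (Linux 4.5) is new enough for that to matter; the `mlock2` hunk (Linux 4.4) has the same exposure. It is worth confirming that an unresolved name is skipped rather than causing container start to fail, since that path is outside this diff. A short comment on the entry would also record why it is safe to allow, e.g. `// copy_file_range(2), Linux 4.5+: copies between two already-open fds; grants nothing beyond read/write on them`. The `DefaultProfile` literal starts and ends outside the hunk.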
@@ -745,6 +750,11 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "mlock2",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "mlockall",
 Action: types.ActAllow,
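Review bot: `mlock2` is allowed with an empty `Args` list, so the filter puts no constraint on its flags argument and the only bound on how much memory a container process can pin is `RLIMIT_MEMLOCK` (or `CAP_IPC_LOCK`), not seccomp. That is consistent with the unconditional `mlockall` entry visible just below, but the reliance on the rlimit deserves a comment on the entry, e.g. `// mlock2(2): mlock with a flags argument; pinned memory is bounded by RLIMIT_MEMLOCK / CAP_IPC_LOCK, not by this filter`. The surrounding `DefaultProfile` literal continues outside the hunk.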