From 96896f2d0bc16269778dd4f60a4920b49953ffed Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Wed, 16 Mar 2016 21:17:32 +0000 Subject: [PATCH] Add new syscalls in libseccomp 2.3.0 to seccomp default profile This adds the following new syscalls that are supported in libseccomp 2.3.0, including calls added up to kernel 4.5-rc4: mlock2 - same as mlock but with a flag copy_file_range - copy file contents, like splice but with reflink support. The following are not added, and mentioned in docs: userfaultfd - userspace page fault handling, mainly designed for process migration The following are not added, only apply to less common architectures: switch_endian membarrier breakpoint set_tls I plan to review the other architectures, some of which can now have seccomp enabled in the build as they are now supported. Signed-off-by: Justin Cormack
---
 docs/security/seccomp.md | 1 +
 profiles/seccomp/default.json | 10 ++++++++++
 profiles/seccomp/seccomp_default.go | 10 ++++++++++
 3 files changed, 21 insertions(+)
diff --git a/docs/security/seccomp.md b/docs/security/seccomp.md
index e046aef9b0..f39eb9fae3 100644
--- a/docs/security/seccomp.md
+++ b/docs/security/seccomp.md
@@ -127,6 +127,7 @@ the reason each syscall is blocked rather than white-listed.
 | `umount2` | Should be a privileged operation. |
 | `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. |
 | `uselib` | Older syscall related to shared libraries, unused for a long time. |
+| `userfaultfd` | Userspace page fault handling, largely needed for process migration. |
 | `ustat` | Obsolete syscall. |
 | `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
 | `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. |
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index bdebd7158b..28d564c1e0 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -113,6 +113,11 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "copy_file_range",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "creat",
 "action": "SCMP_ACT_ALLOW",
@@ -713,6 +718,11 @@
 "action": "SCMP_ACT_ALLOW",
 "args": []
 },
+ {
+ "name": "mlock2",
+ "action": "SCMP_ACT_ALLOW",
+ "args": []
+ },
 {
 "name": "mlockall",
 "action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index c5e6b736db..be93d780a5 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -145,6 +145,11 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "copy_file_range",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "creat",
 Action: types.ActAllow,
@@ -745,6 +750,11 @@ var DefaultProfile = &types.Seccomp{
 Action: types.ActAllow,
 Args: []*types.Arg{},
 },
+ {
+ Name: "mlock2",
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+ },
 {
 Name: "mlockall",
 Action: types.ActAllow,
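Review bot: The `copy_file_range` entry added here, and the `mlock2` entry in the next hunk of this file (`@@ -713,6 +718,11 @@`), repeat by hand what the same commit adds to `DefaultProfile` in `profiles/seccomp/seccomp_default.go`, so the shipped JSON and the compiled-in allow-list can drift apart silently. If `default.json` is meant to be generated from the Go profile, regenerate it instead of editing it; if not, a test that decodes this file and compares it with `DefaultProfile` would catch a syscall allowed in one list and not the other. JSON has no comment syntax, so the rationale for each allow has to live in the Go file or in `docs/security/seccomp.md`. The `index` line also shows mode `100755` on this data file, which predates this commit but is worth clearing.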
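Review bot: `copy_file_range` (and `mlock2` in the hunk at `@@ -745,6 +750,11 @@`) is a name that, per the commit message, libseccomp only knows from 2.3.0, and nothing in this hunk shows what profile loading does when the daemon is built or run against an older library that cannot resolve it. It is worth confirming that an unresolvable name is skipped rather than turning into a container start failure, and recording the requirement next to the entry: `// copy_file_range: needs libseccomp >= 2.3.0 to resolve; in-kernel copy between two already-open fds`. The `DefaultProfile` literal starts and ends outside the hunk, so how its entries are consumed is not visible here.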
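Review bot: `mlock2` is allowed with an empty `Args` list, so any flags value passes the filter and the only remaining bound on pinned memory is the container's RLIMIT_MEMLOCK (or CAP_IPC_LOCK, if granted). That matches the neighbouring `mlockall` entry, but it should be stated as intentional: `// mlock2: same policy as mlock/mlockall; locked memory stays bounded by RLIMIT_MEMLOCK`. The diffstat lists no test file, so a case that runs under the default profile and checks that `mlock2` and `copy_file_range` succeed while `userfaultfd` is refused would pin the behaviour this commit describes. The `DefaultProfile` literal continues outside the hunk.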