From af819bf623a8d414289b24f9817c6317cf3f96d5 Mon Sep 17 00:00:00 2001
From: Tudor Brindus
Date: Sun, 30 Jan 2022 13:08:46 -0500
Subject: [PATCH] seccomp: add support for Landlock syscalls in default policy

This commit allows the Landlock[0] system calls in the default seccomp policy. Landlock was introduced in kernel 5.13, to fill the gap that inspecting filepaths passed as arguments to filesystem system calls is not really possible with pure `seccomp` (unless involving `ptrace`). Allowing Landlock by default fits in with allowing `seccomp` for containerized applications to voluntarily restrict their access rights to files within the container.

[0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html

Signed-off-by: Tudor Brindus
---
 profiles/seccomp/default.json | 3 +++
 profiles/seccomp/default_linux.go | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 80213ddaca..73ad2d6418 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -183,6 +183,9 @@
 "io_uring_setup",
 "ipc",
 "kill",
+ "landlock_add_rule",
+ "landlock_create_ruleset",
+ "landlock_restrict_self",
 "lchown",
 "lchown32",
 "lgetxattr",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index e51f1018aa..84d3b73820 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -178,6 +178,9 @@ func DefaultProfile() *Seccomp {
 "io_uring_setup",
 "ipc",
 "kill",
+ "landlock_add_rule",
+ "landlock_create_ruleset",
+ "landlock_restrict_self",
 "lchown",
 "lchown32",
 "lgetxattr",
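Review bot: The three `landlock_*` entries in the `default_linux.go` hunk go into the middle of a name list whose action and any capability or architecture conditions are outside the hunk, so the source should say why they belong in what appears to be the unconditional allow rule, because every container on the default profile gains three new kernel entry points. The reasoning to record is that Landlock lets a thread only reduce its own filesystem access, and, as far as I know, `landlock_restrict_self` fails with EPERM unless the caller has `no_new_privs` set or holds `CAP_SYS_ADMIN` in its user namespace. A comment above the entries would capture this, for example `// Landlock (kernel 5.13+): self-restriction only, grants no new access, so not gated on a capability`. The `default.json` hunk adds the same three names and must stay identical to this list. The body of `DefaultProfile` starts and ends outside the hunk.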