Allow syscalls added in kernels 5.12 -> 5.16

Kernel 5.12:

    mount_setattr: needs CAP_SYS_ADMIN

Kernel 5.14:

    quotactl_fd: needs CAP_SYS_ADMIN
    memfd_secret: always allowed

Kernel 5.15:

    process_mrelease: always allowed

Kernel 5.16:

    futex_waitv: always allowed

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 7de9f4f82d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Djordje Lukic 2022-05-13 11:20:48 +02:00 committed by Sebastiaan van Stijn
parent 57db169641
commit d127287d92
2 changed files with 10 additions and 0 deletions

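--- a/PLACEHOLDER_PATH_OF_FIRST_PROFILE_FILE
+++ b/PLACEHOLDER_PATH_OF_FIRST_PROFILE_FILE
@@ -126,6 +126,7 @@
 "ftruncate64",
 "futex",
 "futex_time64",
+"futex_waitv",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -202,6 +203,7 @@
 "madvise",
 "membarrier",
 "memfd_create",
+"memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -249,6 +251,7 @@
 "preadv",
 "preadv2",
 "prlimit64",
+"process_mrelease",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
@@ -602,11 +605,13 @@
 "fspick",
 "lookup_dcookie",
 "mount",
+"mount_setattr",
 "move_mount",
 "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
+"quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",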
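Review bot: The allow-list is maintained in two places — this file and the DefaultProfile() section below receive exactly the same five additions — and nothing in the change guards against the two copies drifting apart on the next addition. If the repository does not already have a test that regenerates this file from DefaultProfile() or compares the two name lists, adding one would be worthwhile, because a syscall present in one copy but missing from the other would silently change what a container may call depending on which copy is in use. The placement itself matches the commit message: futex_waitv, memfd_secret and process_mrelease join the unconditional list, while mount_setattr and quotactl_fd go into the group that already holds mount, perf_event_open and setns, which the message describes as requiring CAP_SYS_ADMIN.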

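--- a/PLACEHOLDER_PATH_OF_GO_PROFILE_FILE
+++ b/PLACEHOLDER_PATH_OF_GO_PROFILE_FILE
@@ -121,6 +121,7 @@ func DefaultProfile() *Seccomp {
 "ftruncate64",
 "futex",
 "futex_time64",
+"futex_waitv",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -197,6 +198,7 @@ func DefaultProfile() *Seccomp {
 "madvise",
 "membarrier",
 "memfd_create",
+"memfd_secret",
 "mincore",
 "mkdir",
 "mkdirat",
@@ -244,6 +246,7 @@ func DefaultProfile() *Seccomp {
 "preadv",
 "preadv2",
 "prlimit64",
+"process_mrelease",
 "pselect6",
 "pselect6_time64",
 "pwrite64",
@@ -535,11 +538,13 @@ func DefaultProfile() *Seccomp {
 "fspick",
 "lookup_dcookie",
 "mount",
+"mount_setattr",
 "move_mount",
 "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
+"quotactl_fd",
 "setdomainname",
 "sethostname",
 "setns",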
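Review bot: The five added names carry none of the kernel-version or capability rationale that the commit message gives, so a reader of DefaultProfile() cannot tell that `"futex_waitv"` only exists from Linux 5.16 or why `"mount_setattr"` is placed in the restricted group rather than the unconditional list. Since this Go file, unlike the JSON copy of the profile, accepts comments, a trailing comment on each added line would keep that rationale next to the code, e.g. `"futex_waitv", // Linux 5.16` and `"mount_setattr", // Linux 5.12, needs CAP_SYS_ADMIN` (taken from the commit message). The same applies to memfd_secret, process_mrelease and quotactl_fd in the other hunks of this section. DefaultProfile() begins and ends outside the hunks shown here.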