Enable `process_vm_readv` and `process_vm_writev` for kernel > 4.8

These syscalls were disabled in #18971
due to them requiring CAP_PTRACE. CAP_PTRACE was blocked by default due
to a ptrace related exploit. This has been patched in the Linux kernel
(version 4.8) and thus `ptrace` has been re-enabled. However, these
associated syscalls seem to have been left behind. This commit brings
them in line with `ptrace`, and re-enables them for kernel > 4.8.

Signed-off-by: clubby789 <jamie@hill-daniel.co.uk>
clubby789 2021-03-04 17:12:01 +00:00
parent 2ae2ddf51d
commit d39b075302
2 changed files with 7 additions and 1 deletion

@ -401,6 +401,8 @@
},
{
"names": [
"process_vm_readv",
"process_vm_writev",
"ptrace"
],
"action": "SCMP_ACT_ALLOW",
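Review bot: the visible lines of this JSON entry show only `names` and `action`, while the Go profile in the same commit gates the identical entry on `MinKernel: 4.8`; confirm that this object still carries the `includes` / `minKernel` condition the `ptrace` entry already had, otherwise the JSON profile would allow `process_vm_readv` and `process_vm_writev` unconditionally on older kernels where the Go default does not. A sentence in the commit message noting that the JSON and Go profiles must be kept in sync would help the next person who touches only one of them.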

@ -390,7 +390,11 @@ func DefaultProfile() *Seccomp {
Args: []*specs.LinuxSeccompArg{},
},
{
Names: []string{"ptrace"},
Names: []string{
"process_vm_readv",
"process_vm_writev",
"ptrace",
},
Action: specs.ActAllow,
Includes: Filter{
MinKernel: &KernelVersion{4, 8},
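Review bot: `MinKernel: &KernelVersion{4, 8}` admits kernel 4.8 itself, so the title and message ("kernel > 4.8") should read ">= 4.8" to match the filter that is actually applied; the message also says CAP_PTRACE where the capability is named CAP_SYS_PTRACE. Grouping the two syscalls with `ptrace` under one `Includes` block is the right shape, because the kernel applies the same ptrace-attach permission check to `process_vm_readv` and `process_vm_writev` as to `ptrace`, so the new names add nothing beyond what the already-allowed `ptrace` entry permits; a short comment above `Names: []string{` stating that dependency would keep a future edit from splitting them apart again.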