From e258d66f176a4447931edfd9398c55b3e8ee4a07 Mon Sep 17 00:00:00 2001
From: zhubojun
Date: Fri, 15 Apr 2022 11:29:11 +0800
Subject: [PATCH] profiles: seccomp: add syscalls related to PKU in default policy

Add pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) in seccomp default profile. pkey_alloc(2), pkey_free(2) and pkey_mprotect(2) can only configure the calling process's own memory, so they are existing "safe for everyone" syscalls.
close issue: #43481
Signed-off-by: zhubojun
---
 profiles/seccomp/default.json | 3 +++
 profiles/seccomp/default_linux.go | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index fb9c44eff7..d71499f1bc 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -248,6 +248,9 @@
 "pidfd_send_signal",
 "pipe",
 "pipe2",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
 "poll",
 "ppoll",
 "ppoll_time64",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 4e747eef82..45d53ab7af 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -240,6 +240,9 @@ func DefaultProfile() *Seccomp {
 "pidfd_send_signal",
 "pipe",
 "pipe2",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
 "poll",
 "ppoll",
 "ppoll_time64",
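Review bot: The three `pkey_*` entries added to the name list in `DefaultProfile()` (and mirrored in the `default.json` hunk) carry no in-file rationale, and for `pkey_mprotect` the "own memory only" argument in the commit message is incomplete. `pkey_mprotect` changes page protections the same way `mprotect` does, in addition to tagging the pages with a key. It is therefore safe here only on the assumption that this profile already allows `mprotect` without argument filters, which lies outside the hunk and should be confirmed. Anyone deriving a hardened profile that restricts `mprotect` arguments (for example to deny `PROT_EXEC`) would need the same rule on `pkey_mprotect`, so I would add a comment such as `// pkey_mprotect can change page protections like mprotect; filter both when restricting mprotect.` above the entry. The list and the body of `DefaultProfile` begin and end outside the hunk, and it is worth confirming that a test keeps `default.json` and `default_linux.go` identical, since both are edited by hand here.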