From 7bc9a315e181d6925a4ffe7702a25d3ac90ef5ab Mon Sep 17 00:00:00 2001
From: xiadanni
Date: Sun, 26 Sep 2021 05:45:02 +0800
Subject: [PATCH] docker:update seccomp whitelist to Linux 5.10 syscall list

Signed-off-by: xiadanni
---
 .../profiles/seccomp/seccomp_default.go | 39 +++++++++++++++++--
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
index ac81c2e0e9..2c6706237d 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@@ -58,10 +58,16 @@ func DefaultProfile() *types.Seccomp {
 "chmod",
 "chown",
 "chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
 "clock_getres",
+ "clock_getres_time64",
 "clock_gettime",
+ "clock_gettime64",
 "clock_nanosleep",
+ "clock_nanosleep_time64",
 "close",
+ "close_range",
 "connect",
 "copy_file_range",
 "creat",
@@ -73,6 +79,7 @@ func DefaultProfile() *types.Seccomp {
 "epoll_ctl",
 "epoll_ctl_old",
 "epoll_pwait",
+ "epoll_pwait2",
 "epoll_wait",
 "epoll_wait_old",
 "eventfd",
@@ -82,6 +89,7 @@ func DefaultProfile() *types.Seccomp {
 "exit",
 "exit_group",
 "faccessat",
+ "faccessat2",
 "fadvise64",
 "fadvise64_64",
 "fallocate",
@@ -110,6 +118,7 @@ func DefaultProfile() *types.Seccomp {
 "ftruncate",
 "ftruncate64",
 "futex",
+ "futex_time64",
 "futimesat",
 "getcpu",
 "getcwd",
@@ -155,10 +164,15 @@ func DefaultProfile() *types.Seccomp {
 "ioctl",
 "io_destroy",
 "io_getevents",
+ "io_pgetevents",
+ "io_pgetevents_time64",
 "ioprio_get",
 "ioprio_set",
 "io_setup",
 "io_submit",
+ "io_uring_enter",
+ "io_uring_register",
+ "io_uring_setup",
 "ipc",
 "kill",
 "lchown",
@@ -176,6 +190,7 @@ func DefaultProfile() *types.Seccomp {
 "lstat",
 "lstat64",
 "madvise",
+ "membarrier",
 "memfd_create",
 "mincore",
 "mkdir",
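Review bot: `clock_adjtime` and `clock_adjtime64` in the @@ -58 hunk land in the unconditional allowlist, so the profile itself no longer blocks the clock-modifying ADJ_* modes of that call; what blocks them is the kernel's CAP_SYS_TIME check, which only holds while the container keeps the default (CAP_SYS_TIME-less) capability set. That reliance is not visible in the list, and the clock-setting calls that presumably live in the profile's capability-gated groups (not in this diff) suggest the file otherwise treats clock modification as privileged. A short comment would keep the next reader from assuming the entry is harmless, e.g. `"clock_adjtime", // read-only use only; modifying modes are refused by the kernel without CAP_SYS_TIME`. The list literal and DefaultProfile's body continue outside this hunk.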
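Review bot: `io_uring_setup`, `io_uring_enter` and `io_uring_register` in the @@ -155 hunk are added to the unconditional allowlist, which exposes a large and fast-changing kernel interface to every container regardless of its capabilities; io_uring has been the subject of a steady stream of kernel privilege-escalation fixes, and at least one other container runtime has since dropped it from its default profile for that reason. Allowing it is a policy decision rather than a plain catch-up to the 5.10 syscall table, so it deserves a stated rationale both in the commit message and next to the entries, e.g. `// io_uring_*: large kernel attack surface; allowed deliberately, revisit if the default policy tightens.` If the goal is only parity with the upstream syscall list, consider leaving these three out until the risk has been weighed; software that uses io_uring typically probes for it and falls back when the setup call fails. DefaultProfile's body starts and ends outside this hunk.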
@@ -192,7 +207,9 @@ func DefaultProfile() *types.Seccomp {
 "mq_notify",
 "mq_open",
 "mq_timedreceive",
+ "mq_timedreceive_time64",
 "mq_timedsend",
+ "mq_timedsend_time64",
 "mq_unlink",
 "mremap",
 "msgctl",
@@ -208,17 +225,22 @@ func DefaultProfile() *types.Seccomp {
 "_newselect",
 "open",
 "openat",
+ "openat2",
 "pause",
+ "pidfd_open",
+ "pidfd_send_signal",
 "pipe",
 "pipe2",
 "poll",
 "ppoll",
+ "ppoll_time64",
 "prctl",
 "pread64",
 "preadv",
 "preadv2",
 "prlimit64",
 "pselect6",
+ "pselect6_time64",
 "pwrite64",
 "pwritev",
 "pwritev2",
@@ -230,6 +252,7 @@ func DefaultProfile() *types.Seccomp {
 "recv",
 "recvfrom",
 "recvmmsg",
+ "recvmmsg_time64",
 "recvmsg",
 "remap_file_pages",
 "removexattr",
@@ -238,6 +261,7 @@ func DefaultProfile() *types.Seccomp {
 "renameat2",
 "restart_syscall",
 "rmdir",
+ "rseq",
 "rt_sigaction",
 "rt_sigpending",
 "rt_sigprocmask",
@@ -245,6 +269,7 @@ func DefaultProfile() *types.Seccomp {
 "rt_sigreturn",
 "rt_sigsuspend",
 "rt_sigtimedwait",
+ "rt_sigtimedwait_time64",
 "rt_tgsigqueueinfo",
 "sched_getaffinity",
 "sched_getattr",
@@ -253,6 +278,7 @@ func DefaultProfile() *types.Seccomp {
 "sched_get_priority_min",
 "sched_getscheduler",
 "sched_rr_get_interval",
+ "sched_rr_get_interval_time64",
 "sched_setaffinity",
 "sched_setattr",
 "sched_setparam",
@@ -264,6 +290,7 @@ func DefaultProfile() *types.Seccomp {
 "semget",
 "semop",
 "semtimedop",
+ "semtimedop_time64",
 "send",
 "sendfile",
 "sendfile64",
@@ -306,6 +333,7 @@ func DefaultProfile() *types.Seccomp {
 "sigaltstack",
 "signalfd",
 "signalfd4",
+ "sigprocmask",
 "sigreturn",
 "socket",
 "socketcall",
@@ -327,12 +355,16 @@ func DefaultProfile() *types.Seccomp {
 "time",
 "timer_create",
 "timer_delete",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_settime",
 "timer_getoverrun",
 "timer_gettime",
+ "timer_gettime64",
 "timer_settime",
+ "timer_settime64",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_gettime64",
+ "timerfd_settime",
+ "timerfd_settime64",
 "times",
 "tkill",
 "truncate",
@@ -344,6 +376,7 @@ func DefaultProfile() *types.Seccomp {
 "unlinkat",
 "utime",
 "utimensat",
+ "utimensat_time64",
 "utimes",
 "vfork",
 "vmsplice",
-- 
2.27.0