From 8e24b1d23f5fa711bfdfd38bcfef525de04cd3c1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 29 Sep 2020 15:59:28 +0200
Subject: [PATCH] seccomp-util: add cacheflush() syscall to @default syscall set

This is like membarrier() I guess and basically just exposes CPU functionality via kernel syscall on some archs. Let's whitelist it for everyone.

Fixes: #17197
---
 src/shared/seccomp-util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 358960d5c4..b22ef7cec1 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -272,6 +272,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 .name = "@default",
                 .help = "System calls that are always permitted",
                 .value =
+                        "cacheflush\0"
                         "clock_getres\0"
                         "clock_getres_time64\0"
                         "clock_gettime\0"
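Review bot: The new `"cacheflush\0"` entry is the only architecture-specific name visible in the `@default` set here, and nothing in the hunk records that the syscall does not exist on most architectures. If the set loader resolves names through libseccomp and skips those it cannot resolve for the running architecture (which appears to be how the rest of this file works, but is not visible in the hunk), the entry is harmless where the syscall is absent; a one-line comment above it, `/* arch-specific (e.g. m68k, mips); resolved per arch, skipped where absent */`, would make that intent explicit so the next reader does not mistake it for a typo. Because `@default` is implicitly included by every `SystemCallFilter=` allow-list, widening it deserves that in-source note rather than relying on the commit message alone. The `syscall_filter_sets` initializer continues outside the hunk on both sides.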