diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c index 9222f2bc84..0b39cda9ba 100644 --- a/src/nspawn/nspawn-seccomp.c +++ b/src/nspawn/nspawn-seccomp.c @@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter( * @cpu-emulation * @keyring (NB: keyring is not namespaced!) * @obsolete + * @pkey * @swap * * bpf (NB: bpffs is not namespaced!) @@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter( * nfsservctl * open_by_handle_at * perf_event_open - * pkey_alloc - * pkey_free - * pkey_mprotect * quotactl */ }; diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 0701dc4b9d..22110d0d73 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -258,12 +258,16 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .help = "System calls that are always permitted", .value = "clock_getres\0" + "clock_getres_time64\0" "clock_gettime\0" + "clock_gettime64\0" "clock_nanosleep\0" + "clock_nanosleep_time64\0" "execve\0" "exit\0" "exit_group\0" "futex\0" + "futex_time64\0" "get_robust_list\0" "get_thread_area\0" "getegid\0" @@ -312,6 +316,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "io_destroy\0" "io_getevents\0" "io_pgetevents\0" + "io_pgetevents_time64\0" "io_setup\0" "io_submit\0" "io_uring_enter\0" @@ -357,7 +362,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .value = "adjtimex\0" "clock_adjtime\0" + "clock_adjtime64\0" "clock_settime\0" + "clock_settime64\0" "settimeofday\0" "stime\0" }, @@ -465,6 +472,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "unlinkat\0" "utime\0" "utimensat\0" + "utimensat_time64\0" "utimes\0" }, [SYSCALL_FILTER_SET_IO_EVENT] = { @@ -483,7 +491,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "eventfd2\0" "poll\0" "ppoll\0" + "ppoll_time64\0" "pselect6\0" + "pselect6_time64\0" "select\0" }, [SYSCALL_FILTER_SET_IPC] = { @@ -496,7 +506,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "mq_notify\0" "mq_open\0" "mq_timedreceive\0" + "mq_timedreceive_time64\0" "mq_timedsend\0" + "mq_timedsend_time64\0" "mq_unlink\0" "msgctl\0" "msgget\0" @@ -510,6 +522,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "semget\0" "semop\0" "semtimedop\0" + "semtimedop_time64\0" "shmat\0" "shmctl\0" "shmdt\0" @@ -572,6 +585,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "recv\0" "recvfrom\0" "recvmmsg\0" + "recvmmsg_time64\0" "recvmsg\0" "send\0" "sendmmsg\0" @@ -615,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "ustat\0" "vserver\0" }, + [SYSCALL_FILTER_SET_PKEY] = { + .name = "@pkey", + .help = "System calls used for memory protection keys", + .value = + "pkey_alloc\0" + "pkey_free\0" + "pkey_mprotect\0" + }, [SYSCALL_FILTER_SET_PRIVILEGED] = { .name = "@privileged", .help = "All system calls which need super-user capabilities", @@ -747,6 +769,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "rt_sigprocmask\0" "rt_sigsuspend\0" "rt_sigtimedwait\0" + "rt_sigtimedwait_time64\0" "sigaction\0" "sigaltstack\0" "signal\0" @@ -826,6 +849,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "sched_getparam\0" "sched_getscheduler\0" "sched_rr_get_interval\0" + "sched_rr_get_interval_time64\0" "sched_yield\0" "sendfile\0" "sendfile64\0" @@ -854,10 +878,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "timer_delete\0" "timer_getoverrun\0" "timer_gettime\0" + "timer_gettime64\0" "timer_settime\0" + "timer_settime64\0" "timerfd_create\0" "timerfd_gettime\0" + "timerfd_gettime64\0" "timerfd_settime\0" + "timerfd_settime64\0" "times\0" }, }; diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 1729dc1b6e..b29082a488 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -38,6 +38,7 @@ enum { SYSCALL_FILTER_SET_MOUNT, SYSCALL_FILTER_SET_NETWORK_IO, SYSCALL_FILTER_SET_OBSOLETE, + SYSCALL_FILTER_SET_PKEY, SYSCALL_FILTER_SET_PRIVILEGED, SYSCALL_FILTER_SET_PROCESS, SYSCALL_FILTER_SET_RAW_IO,