seccomp: Allow Landlock syscalls

Landlock is a Linux feature that enables creating security sandboxes (see https://docs.kernel.org/userspace-api/landlock.html). Allow the three related system calls (available since Linux 5.13): landlock_create_ruleset, landlock_add_rule, and landlock_restrict_self. Signed-off-by: Mickaël Salaün <mic@digikod.net>
2022-06-30 14:47:57 +02:00 · 2022-06-30 14:47:57 +02:00 · 4ddc450d00
parent e278379025
commit 4ddc450d00
2 changed files with 6 additions and 0 deletions
--- a/common/pkg/seccomp/default_linux.go
+++ b/common/pkg/seccomp/default_linux.go
@ -221,6 +221,9 @@ func DefaultProfile() *Seccomp {
 				"ipc",
 				"keyctl",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",
--- a/common/pkg/seccomp/seccomp.json
+++ b/common/pkg/seccomp/seccomp.json
@ -228,6 +228,9 @@
 				"ipc",
 				"keyctl",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",