seccomp: block syscall()

syscall() emulates all other syscalls, so having this allowed makes no sense as far as seccomp filters go. This is a breaking change, but this probably will not break much. Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
2024-06-04 11:30:58 +09:00 · 2024-06-04 11:30:58 +09:00 · ad947e0c3f
parent 9ce468e30f
commit ad947e0c3f
2 changed files with 2 additions and 2 deletions
--- a/common/pkg/seccomp/default_linux.go
+++ b/common/pkg/seccomp/default_linux.go
@ -77,6 +77,7 @@ func DefaultProfile() *Seccomp {
 				"ssetmask",
 				"swapoff",
 				"swapon",
+				"syscall",
 				"sysfs",
 				"uselib",
 				"userfaultfd",
@ -422,7 +423,6 @@ func DefaultProfile() *Seccomp {
 				"sync",
 				"sync_file_range",
 				"syncfs",
-				"syscall",
 				"sysinfo",
 				"syslog",
 				"tee",
--- a/common/pkg/seccomp/seccomp.json
+++ b/common/pkg/seccomp/seccomp.json
@ -81,6 +81,7 @@
 				"ssetmask",
 				"swapoff",
 				"swapon",
+				"syscall",
 				"sysfs",
 				"uselib",
 				"userfaultfd",
@ -429,7 +430,6 @@
 				"sync",
 				"sync_file_range",
 				"syncfs",
-				"syscall",
 				"sysinfo",
 				"syslog",
 				"tee",