Move mlock back into the default ungated seccomp profile

Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.

Fixes #23587

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit bdf01cf5deee11deb426eb33e1c8433c410084b6)

profiles/seccomp/default.json

@@ -686,6 +686,21 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "mlock",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlock2",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
+		{
+			"name": "mlockall",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "mmap",
 			"action": "SCMP_ACT_ALLOW",

profiles/seccomp/seccomp_default.go

@@ -721,6 +721,21 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "mlock",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlock2",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Name:   "mlockall",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "mmap",
 			Action: types.ActAllow,
@@ -1663,24 +1678,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 					Args:   []*types.Arg{},
 				},
 			}...)
-		case "CAP_IPC_LOCK":
-			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "mlock",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlock2",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-				{
-					Name:   "mlockall",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
-			}...)
 		case "CAP_SYS_ADMIN":
 			capSysAdmin = true
 			syscalls = append(syscalls, []*types.Syscall{