seccomp: block syscall()

syscall() emulates all other syscalls, so having this allowed makes no sense as far as seccomp filters go. This is a breaking change, but this probably will not break much. Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
containers · Jun 6, 2024 · d3283f8 · d3283f8
1 parent daa81f1
commit d3283f8
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
@@ -77,6 +77,7 @@ func DefaultProfile() *Seccomp {
 				"ssetmask",
 				"swapoff",
 				"swapon",
+				"syscall",
 				"sysfs",
 				"uselib",
 				"userfaultfd",
@@ -422,7 +423,6 @@ func DefaultProfile() *Seccomp {
 				"sync",
 				"sync_file_range",
 				"syncfs",
-				"syscall",
 				"sysinfo",
 				"syslog",
 				"tee",

diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
@@ -81,6 +81,7 @@
 				"ssetmask",
 				"swapoff",
 				"swapon",
+				"syscall",
 				"sysfs",
 				"uselib",
 				"userfaultfd",
@@ -429,7 +430,6 @@
 				"sync",
 				"sync_file_range",
 				"syncfs",
-				"syscall",
 				"sysinfo",
 				"syslog",
 				"tee",