update seccomp.json

Merge the following changes from the upstream Moby seccomp profile:

 * commit b2a907c8cab6 ("Whitelist statx syscall for libseccomp-2.3.3
                         onward")

 * commit 47dfff68e436 ("Whitelist syscalls linked to CAP_SYS_NICE in
                         default seccomp profile")

 * commit ccd22ffcc8b5 ("Move the syslog syscall to be gated by
                         CAP_SYS_ADMIN or CAP_SYSLOG")

Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
This commit is contained in:
Valentin Rothberg
2018-11-08 14:10:39 +01:00
parent 76360d9a6e
commit 19faaba945

View File

@ -322,13 +322,13 @@
"stat64",
"statfs",
"statfs64",
"statx",
"symlink",
"symlinkat",
"sync",
"sync_file_range",
"syncfs",
"sysinfo",
"syslog",
"tee",
"tgkill",
"time",
@ -565,6 +565,7 @@
"setdomainname",
"sethostname",
"setns",
"syslog",
"umount",
"umount2",
"unshare"
@ -750,6 +751,36 @@
]
},
"excludes": {}
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_NICE"
]
},
"excludes": {}
},
{
"names": [
"syslog"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYSLOG"
]
},
"excludes": {}
}
]
}