update seccomp.json

Merge the following changes from the upstream Moby seccomp profile: * commit b2a907c8cab6 ("Whitelist statx syscall for libseccomp-2.3.3 onward") * commit 47dfff68e436 ("Whitelist syscalls linked to CAP_SYS_NICE in default seccomp profile") * commit ccd22ffcc8b5 ("Move the syslog syscall to be gated by CAP_SYS_ADMIN or CAP_SYSLOG") Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
2025-07-04 10:10:32 +08:00 · 2018-11-08 14:10:39 +01:00
parent 76360d9a6e
commit 19faaba945
1 changed files with 32 additions and 1 deletions
--- a/seccomp.json
+++ b/seccomp.json
@ -322,13 +322,13 @@
 				"stat64",
 				"statfs",
 				"statfs64",
+				"statx",
 				"symlink",
 				"symlinkat",
 				"sync",
 				"sync_file_range",
 				"syncfs",
 				"sysinfo",
-				"syslog",
 				"tee",
 				"tgkill",
 				"time",
@ -565,6 +565,7 @@
 				"setdomainname",
 				"sethostname",
 				"setns",
+				"syslog",
 				"umount",
 				"umount2",
 				"unshare"
@ -750,6 +751,36 @@
 				]
 			},
 			"excludes": {}
+		},
+		{
+			"names": [
+				"get_mempolicy",
+				"mbind",
+				"set_mempolicy"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_NICE"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"syslog"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYSLOG"
+				]
+			},
+			"excludes": {}
 		}
 	]
 }