Add @pkey syscall group

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299.
This change doesn't solve the issue, but makes it easier to whitelist the
syscall group.

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 9222f2bc847e42f919f56c36da4d96f9b9f18cb2..0b39cda9ba9b8f4c7dc4e56f4938a4cd1e458bdd 100644 (file)
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
                  * @cpu-emulation
                  * @keyring           (NB: keyring is not namespaced!)
                  * @obsolete
+                 * @pkey
                  * @swap
                  *
                  * bpf                (NB: bpffs is not namespaced!)
@@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
                  * nfsservctl
                  * open_by_handle_at
                  * perf_event_open
-                 * pkey_alloc
-                 * pkey_free
-                 * pkey_mprotect
                  * quotactl
                  */
         };

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2a4334b784aa2b07af70e80c778fae3613a9045e..22110d0d73194adf2e336248912e4890c806ec68 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -629,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "ustat\0"
                 "vserver\0"
         },
+        [SYSCALL_FILTER_SET_PKEY] = {
+                .name = "@pkey",
+                .help = "System calls used for memory protection keys",
+                .value =
+                "pkey_alloc\0"
+                "pkey_free\0"
+                "pkey_mprotect\0"
+        },
         [SYSCALL_FILTER_SET_PRIVILEGED] = {
                 .name = "@privileged",
                 .help = "All system calls which need super-user capabilities",

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 1729dc1b6eeaaf5eaac3242e4a6cff709b988b52..b29082a48852c9a56c7f7e3dc46ea3751ecda954 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -38,6 +38,7 @@ enum {
         SYSCALL_FILTER_SET_MOUNT,
         SYSCALL_FILTER_SET_NETWORK_IO,
         SYSCALL_FILTER_SET_OBSOLETE,
+        SYSCALL_FILTER_SET_PKEY,
         SYSCALL_FILTER_SET_PRIVILEGED,
         SYSCALL_FILTER_SET_PROCESS,
         SYSCALL_FILTER_SET_RAW_IO,