seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default

These syscalls are part of a newer kernel API to replace interaction
with /proc/self/attr, with the goal of allowing LSM stacking. These are
being used now by e.g. libapparmor, so should be more easily available
to services using seccomp filtering.

(cherry picked from commit 7a1888954c4a4666150a59125c2e6c92277bb4e2)
(cherry picked from commit 515816197e8155c3ddc4ab2092d23744509c37ea)
(cherry picked from commit 75cbe81bba6eb9fa9e8ad6a4937658aec6680f11)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 75cf52579894ab5974c0de9c7bb5915839ba4a53..e6a361c82cc90d6b46049698a1895fd6ee3c8d10 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -359,6 +359,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "gettimeofday\0"
                 "getuid\0"
                 "getuid32\0"
+                "lsm_get_self_attr\0"
+                "lsm_list_modules\0"
                 "membarrier\0"
                 "mmap\0"
                 "mmap2\0"