seccomp: move brk+mmap+mmap2 into @default syscall filter set

These three syscalls are internally used by libc's memory allocation
logic, i.e. ultimately back malloc(). Allocating a bit of memory is so
basic, it should just be in the default set.

This fixes a couple of issues with asan/msan and the seccomp tests: when
asan/msan is used some additional, large memory allocations take place
in the background, and unless mmap/mmap2/brk are allowlisted these will
fail, aborting the test prematurely.

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 6ca2c5713ddd98487c4c1f961a1a0b015898597d..c02035c80f64b926397f7c62cfb2c41aca88711f 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -282,6 +282,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 .name = "@default",
                 .help = "System calls that are always permitted",
                 .value =
+                "brk\0"
                 "cacheflush\0"
                 "clock_getres\0"
                 "clock_getres_time64\0"
@@ -319,6 +320,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "getuid\0"
                 "getuid32\0"
                 "membarrier\0"
+                "mmap\0"
+                "mmap2\0"
                 "nanosleep\0"
                 "pause\0"
                 "prlimit64\0"
@@ -468,8 +471,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "mkdirat\0"
                 "mknod\0"
                 "mknodat\0"
-                "mmap\0"
-                "mmap2\0"
                 "munmap\0"
                 "newfstatat\0"
                 "oldfstat\0"
@@ -844,7 +845,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "@signal\0"
                 "@sync\0"
                 "@timer\0"
-                "brk\0"
                 "capget\0"
                 "capset\0"
                 "copy_file_range\0"