nspawn: Allow bpf() syscall if CAP_BPF is retained

author Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 25 Jun 2025 11:19:59 +0000 (13:19 +0200)

committer Luca Boccassi <luca.boccassi@gmail.com>

Wed, 25 Jun 2025 13:58:31 +0000 (14:58 +0100)
author Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 25 Jun 2025 11:19:59 +0000 (13:19 +0200)
committer Luca Boccassi <luca.boccassi@gmail.com>
Wed, 25 Jun 2025 13:58:31 +0000 (14:58 +0100)
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c

index 710c874ddd20d231821060358ee8f12316915afc..6956689ab5701f6ab0d4e547c0b15cff633e6426 100644 (file)
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -108,6 +108,7 @@ static int add_syscall_filters(
                  { CAP_SYS_BOOT,       "reboot"                       },
                  { CAP_SYSLOG,         "syslog"                       },
                  { CAP_SYS_TTY_CONFIG, "vhangup"                      },
+                { CAP_BPF,            "bpf",                         },
  
                  /*
                   * The following syscalls and groups are knowingly excluded:
@@ -117,7 +118,6 @@ static int add_syscall_filters(
                   * @pkey
                   * @swap
                   *
-                 * bpf
                   * fanotify_init
                   * fanotify_mark
                   * kexec_file_load
author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 25 Jun 2025 11:19:59 +0000 (13:19 +0200)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Wed, 25 Jun 2025 13:58:31 +0000 (14:58 +0100)