shared/seccomp: add note about clone2() being unimportant

author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c

index c465bf58ddd99d0e4c9e5c1e391aab21b74e987f..50ad6bc244911c8528af4df24cc8b617a92c5a6c 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -718,6 +718,9 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                  .value =
                  "capget\0"      /* Able to query arbitrary processes */
                  "clone\0"
+                /* ia64 as the only architecture has clone2, a replacement for clone, but ia64 doesn't
+                 * implement seccomp, so we don't need to list it at all. C.f.
+                 * acce2f71779c54086962fefce3833d886c655f62 in the kernel. */
                  "clone3\0"
                  "execveat\0"
                  "fork\0"
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 19 Apr 2022 09:56:23 +0000 (11:56 +0200)