From 9cb6d2bf859f0b28953d18ae647ca19e81a1b55a Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 25 Jun 2025 13:19:59 +0200
Subject: [PATCH] nspawn: Allow bpf() syscall if CAP_BPF is retained

CAP_BPF is closely associated with the bpf() syscall so it makes sense to allow the latter if the former is retained.
---
 src/nspawn/nspawn-seccomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 710c874ddd2..6956689ab57 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -108,6 +108,7 @@ static int add_syscall_filters(
 { CAP_SYS_BOOT, "reboot" },
 { CAP_SYSLOG, "syslog" },
 { CAP_SYS_TTY_CONFIG, "vhangup" },
+ { CAP_BPF, "bpf", },
 
 /*
  * The following syscalls and groups are knowingly excluded:
@@ -117,7 +118,6 @@ static int add_syscall_filters(
  * @pkey
  * @swap
  *
- * bpf
  * fanotify_init
  * fanotify_mark
  * kexec_file_load
-- 
2.47.3
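Review bot: The added entry `{ CAP_BPF, "bpf", },` carries a trailing comma after the syscall name that none of the neighbouring entries use (`{ CAP_SYS_TTY_CONFIG, "vhangup" },`); for consistency with the rest of the table it should read `{ CAP_BPF, "bpf" },`. If the table is kept in order of syscall name, as the visible neighbours reboot, syslog and vhangup suggest, the entry also belongs earlier in the table rather than after vhangup; the start of the table lies outside the hunk, so this cannot be confirmed here. Because this widens the seccomp filter to expose bpf() to the container, it would help a later reader if the commit message or a short comment on the entry stated that it only takes effect when the container has been explicitly granted CAP_BPF — presumably not part of the default capability set, which this hunk does not show. The enclosing add_syscall_filters() starts before and continues after both hunks.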