From 9493b168717a445abb12f62c2503edd019e00ab5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 8 Nov 2019 12:56:56 +0100
Subject: [PATCH] Add @pkey syscall group

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299. This change doesn't solve the issue, but makes it easier to whitelist the syscall group.
---
 src/nspawn/nspawn-seccomp.c | 4 +---
 src/shared/seccomp-util.c | 8 ++++++++
 src/shared/seccomp-util.h | 1 +
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 9222f2bc847..0b39cda9ba9 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
 * @cpu-emulation
 * @keyring (NB: keyring is not namespaced!)
 * @obsolete
+ * @pkey
 * @swap
 *
 * bpf (NB: bpffs is not namespaced!)
@@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
 * nfsservctl
 * open_by_handle_at
 * perf_event_open
- * pkey_alloc
- * pkey_free
- * pkey_mprotect
 * quotactl
 */
 };
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2a4334b784a..22110d0d731 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -629,6 +629,14 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "ustat\0"
 "vserver\0"
 },
+ [SYSCALL_FILTER_SET_PKEY] = {
+ .name = "@pkey",
+ .help = "System calls used for memory protection keys",
+ .value =
+ "pkey_alloc\0"
+ "pkey_free\0"
+ "pkey_mprotect\0"
+ },
 [SYSCALL_FILTER_SET_PRIVILEGED] = {
 .name = "@privileged",
 .help = "All system calls which need super-user capabilities",
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 1729dc1b6ee..b29082a4885 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
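Review bot: In the new `[SYSCALL_FILTER_SET_PKEY]` entry in src/shared/seccomp-util.c, `pkey_mprotect` is grouped with `pkey_alloc` and `pkey_free` without any hint that it changes page protections the way `mprotect` does. Anyone who allow-lists `@pkey` alongside a filter that restricts `mprotect` (for example to block writable-and-executable mappings) needs that filter to cover `pkey_mprotect` too; whether existing filters elsewhere in the tree already do so is not visible from this patch. I would add a comment above `.value`, e.g. `/* NB: pkey_mprotect() changes page protections like mprotect(); W^X-style filters must cover it as well */`. The `syscall_filter_sets[]` initializer begins and ends outside the hunk.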
@@ -38,6 +38,7 @@ enum {
 SYSCALL_FILTER_SET_MOUNT,
 SYSCALL_FILTER_SET_NETWORK_IO,
 SYSCALL_FILTER_SET_OBSOLETE,
+ SYSCALL_FILTER_SET_PKEY,
 SYSCALL_FILTER_SET_PRIVILEGED,
 SYSCALL_FILTER_SET_PROCESS,
 SYSCALL_FILTER_SET_RAW_IO,
-- 
2.47.3