interfaces: update template with new syscalls

canonical · Dec 16, 2024 · 7c8cc17 · 7c8cc17
1 parent e5ccc39
commit 7c8cc17
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/interfaces/builtin/hardware_observe.go b/interfaces/builtin/hardware_observe.go
@@ -145,6 +145,8 @@ const hardwareObserveConnectedPlugSecComp = `
 # used by 'lspci -A intel-conf1/intel-conf2'
 iopl
 
+riscv_hwprobe
+
 # multicast statistics
 socket AF_NETLINK - NETLINK_GENERIC
 

diff --git a/interfaces/builtin/mount_observe.go b/interfaces/builtin/mount_observe.go
@@ -76,6 +76,9 @@ quotactl Q_GETINFO - - -
 quotactl Q_GETFMT - - -
 quotactl Q_XGETQUOTA - - -
 quotactl Q_XGETQSTAT - - -
+
+listmount
+statmount
 `
 
 func init() {

diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
@@ -55,6 +55,15 @@ set_tls
 usr26
 usr32
 
+# Requries input fd and so should not pose more security 
+# issues than access to the file in the first place
+# Flags are currently unused and should be 0
+cachestat - - - 0
+
+# Flags are currently unused and should be 0
+mseal - - 0
+map_shadow_stack
+
 capget
 # AppArmor mediates capabilities, so allow capset (useful for apps that for
 # example want to drop capabilities)
@@ -68,6 +77,7 @@ fchdir
 chmod
 fchmod
 fchmodat
+fchmodat2
 
 # Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
 # non-root from chowning to root.
@@ -146,8 +156,11 @@ flock
 fork
 ftime
 futex
+futex_requeue
 futex_time64
+futex_wait
 futex_waitv
+futex_wake
 get_mempolicy
 get_robust_list
 get_thread_area