From 7c8cc170da5491cc795cb154c6233a32740bdc9e Mon Sep 17 00:00:00 2001
From: katie
Date: Wed, 27 Nov 2024 08:50:50 +0100
Subject: [PATCH] interfaces: update template with new syscalls
---
 interfaces/builtin/hardware_observe.go | 2 ++
 interfaces/builtin/mount_observe.go | 3 +++
 interfaces/seccomp/template.go | 13 +++++++++++++
 3 files changed, 18 insertions(+)
diff --git a/interfaces/builtin/hardware_observe.go b/interfaces/builtin/hardware_observe.go
index 96391b1b14e..ede9379159f 100644
--- a/interfaces/builtin/hardware_observe.go
+++ b/interfaces/builtin/hardware_observe.go
@@ -145,6 +145,8 @@ const hardwareObserveConnectedPlugSecComp = `
 # used by 'lspci -A intel-conf1/intel-conf2'
 iopl
+riscv_hwprobe
+
 # multicast statistics
 socket AF_NETLINK - NETLINK_GENERIC
diff --git a/interfaces/builtin/mount_observe.go b/interfaces/builtin/mount_observe.go
index 141b2873368..ceffb735147 100644
--- a/interfaces/builtin/mount_observe.go
+++ b/interfaces/builtin/mount_observe.go
@@ -76,6 +76,9 @@ quotactl Q_GETINFO - - -
 quotactl Q_GETFMT - - -
 quotactl Q_XGETQUOTA - - -
 quotactl Q_XGETQSTAT - - -
+
+listmount
+statmount
 `
 
 func init() {
diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
index 8a1c288dfae..09fd279b571 100644
--- a/interfaces/seccomp/template.go
+++ b/interfaces/seccomp/template.go
@@ -55,6 +55,15 @@ set_tls
 usr26
 usr32
 
+# Requries input fd and so should not pose more security
+# issues than access to the file in the first place
+# Flags are currently unused and should be 0
+cachestat - - - 0
+
+# Flags are currently unused and should be 0
+mseal - - 0
+map_shadow_stack
+
 capget
 # AppArmor mediates capabilities, so allow capset (useful for apps that for
 # example want to drop capabilities)
@@ -68,6 +77,7 @@ fchdir
 chmod
 fchmod
 fchmodat
+fchmodat2
 # Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
 # non-root from chowning to root.
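Review bot: riscv_hwprobe is inserted directly under the `# used by 'lspci -A intel-conf1/intel-conf2'` comment next to iopl, so a reader will take it for part of the lspci rule; give it its own comment, e.g. `# probe RISC-V hardware capabilities (riscv64 only)`. It is also worth confirming that this call belongs in hardware-observe rather than the base template: if the C library's startup code on riscv64 queries CPU features through riscv_hwprobe, every snap on that architecture would hit the default deny, not only the ones plugging this interface. The hardwareObserveConnectedPlugSecComp string continues outside the hunk.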
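Review bot: listmount and statmount are appended after the quotactl block with no comment, although they are unrelated to quota and are the first entries from the mount-ID API in this snippet; a one-line comment such as `# enumerate and inspect mounts via the mount-ID API` above them would record why an observe interface grants them. Both calls only read mount information, which fits the read-only scope of the interface, but that rationale is not visible in the hunk. The seccomp snippet's opening is outside the hunk.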
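Review bot: The new comment above cachestat misspells "Requires"; `# Requires input fd and so should not pose more security`. map_shadow_stack is allowed with no comment and no argument filter while both of its neighbours document their rationale and pin the flags argument to 0; a short comment, e.g. `# user shadow stack allocation for the calling process`, would keep the group consistent and record why an unfiltered rule is acceptable here. The fchmodat2 hunk later in this file follows the existing uncommented chmod/fchmod/fchmodat entries and needs nothing further.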
@@ -146,8 +156,11 @@ flock
 fork
 ftime
 futex
+futex_requeue
 futex_time64
+futex_wait
 futex_waitv
+futex_wake
 get_mempolicy
 get_robust_list
 get_thread_area