From 554ba3142b07c38d0013d4239708d6425bd9a895 Mon Sep 17 00:00:00 2001
From: Katie May <63071677+maykathm@users.noreply.github.com>
Date: Wed, 18 Dec 2024 15:26:38 +0100
Subject: [PATCH] interfaces: update template with new syscalls (#14861)
---
 interfaces/builtin/hardware_observe.go | 2 ++
 interfaces/builtin/mount_observe.go | 3 +++
 interfaces/seccomp/template.go | 13 +++++++++++++
 3 files changed, 18 insertions(+)
diff --git a/interfaces/builtin/hardware_observe.go b/interfaces/builtin/hardware_observe.go
index 96391b1b14e..ede9379159f 100644
--- a/interfaces/builtin/hardware_observe.go
+++ b/interfaces/builtin/hardware_observe.go
@@ -145,6 +145,8 @@ const hardwareObserveConnectedPlugSecComp = `
 # used by 'lspci -A intel-conf1/intel-conf2'
 iopl
+riscv_hwprobe
+
 # multicast statistics
 socket AF_NETLINK - NETLINK_GENERIC
diff --git a/interfaces/builtin/mount_observe.go b/interfaces/builtin/mount_observe.go
index 141b2873368..ceffb735147 100644
--- a/interfaces/builtin/mount_observe.go
+++ b/interfaces/builtin/mount_observe.go
@@ -76,6 +76,9 @@ quotactl Q_GETINFO - - -
 quotactl Q_GETFMT - - -
 quotactl Q_XGETQUOTA - - -
 quotactl Q_XGETQSTAT - - -
+
+listmount
+statmount
 `
 func init() {
diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
index 8a1c288dfae..939f43bf578 100644
--- a/interfaces/seccomp/template.go
+++ b/interfaces/seccomp/template.go
@@ -55,6 +55,15 @@ set_tls
 usr26
 usr32
+# Requires input fd and so should not pose more security # issues than access to the file in the first place # Flags are currently unused and should be 0
+cachestat - - - 0
+
+# Flags are currently unused and should be 0
+mseal - - 0
+map_shadow_stack
+
 capget
 # AppArmor mediates capabilities, so allow capset (useful for apps that for
 # example want to drop capabilities)
@@ -68,6 +77,7 @@ fchdir
 chmod
 fchmod
 fchmodat
+fchmodat2
 # Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
 # non-root from chowning to root.
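Review bot: `riscv_hwprobe` is added to the hardware-observe seccomp block without the explanatory comment every other entry in this block carries, and it is not obvious this interface is the right home for it: on riscv64 glibc's ifunc selection, as I understand it, reaches hwprobe through the vDSO, which can fall back to the real syscall, and if that happens in ordinary process startup the base seccomp template rather than an optional interface is where it must live — worth verifying on a riscv64 host with a snap that does not plug hardware-observe. The call itself only reports ISA extensions and CPU features and has no argument worth filtering, so allowing it here is harmless either way. Suggested comment above the new line: `# riscv_hwprobe(2): read-only query of RISC-V ISA extensions and CPU features`. The `hardwareObserveConnectedPlugSecComp` string continues outside the hunk.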
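Review bot: `listmount` and `statmount` are added with no comment, and unlike the `quotactl` entries directly above them they take their parameters through a pointer to `struct mnt_id_req`, so nothing about them can be constrained at the seccomp layer; a comment should record that this is deliberate and that the kernel is what gates the sensitive case (a request can name a mount namespace other than the caller's, which the kernel only honours with privilege in that namespace — confirm against the current `mnt_ns_id` rules before relying on it). Suggested: `# listmount/statmount (Linux 6.8+): enumerate and inspect mounts by ID. Read-only; arguments are a struct pointer so no seccomp arg filtering is possible.` The seccomp string this hunk closes starts outside the hunk.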
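Review bot: The rationale above `cachestat - - - 0` — an input fd means no more exposure than access to the file — understates the risk, because page-cache residency is exactly the signal whose reporting via `mincore` was restricted for unprivileged callers after the page-cache side-channel work showed it can reveal other processes' accesses to shared, world-readable files such as libraries; whether that matters under snap confinement depends on what a snap may open read-only, which this template does not decide, but the comment should state the trade-off rather than deny it, e.g. `# cachestat(2): page-cache residency of a file the caller already opened. This is a cross-process side channel on shared files (cf. the mincore restriction), accepted because the file is readable anyway; flags must be 0.` `mseal - - 0` correctly pins the reserved flags argument, but `map_shadow_stack` is added to the base template for every snap with no comment at all; a line such as `# map_shadow_stack(2): user shadow stacks (x86 CET / arm64 GCS); flags so far only select token placement` — checked against the current uapi header — would let the next reader decide whether its flags also need pinning. The template string continues outside the hunk.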
@@ -146,8 +156,11 @@ flock
 fork
 ftime
 futex
+futex_requeue
 futex_time64
+futex_wait
 futex_waitv
+futex_wake
 get_mempolicy
 get_robust_list
 get_thread_area
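Review bot: `futex_requeue`, `futex_wait` and `futex_wake` are added unfiltered exactly like `futex`, which is consistent, but nothing in the list tells the reader they are one family or that `futex_time64` is the 32-bit time64 variant of the original rather than part of the new set. A single comment above `futex` would fix that: `# futex(2) and the futex2 family (futex_waitv 5.16+; futex_wait/futex_wake/futex_requeue 6.7+), all unfiltered like futex`. Alphabetical placement of the three new entries is correct. The template string continues on both sides of the hunk.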