
[20.10 backport] seccomp updates #43991

Merged
merged 2 commits into from Aug 18, 2022

Commits on Aug 18, 2022

  1. seccomp: add support for Landlock syscalls in default policy

    This commit allows the Landlock[0] system calls in the default seccomp
    policy.
    
    Landlock was introduced in kernel 5.13, to fill the gap that inspecting
    filepaths passed as arguments to filesystem system calls is not really
    possible with pure `seccomp` (unless involving `ptrace`).
    
    Allowing Landlock by default fits in with allowing `seccomp` for
    containerized applications to voluntarily restrict their access rights
    to files within the container.
    
    [0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html
    
    Signed-off-by: Tudor Brindus <me@tbrindus.ca>
    (cherry picked from commit af819bf)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    Xyene authored and thaJeztah committed Aug 18, 2022
    57db169
  2. Allow different syscalls from kernels 5.12 -> 5.16

    Kernel 5.12:
    
        mount_setattr: needs CAP_SYS_ADMIN
    
    Kernel 5.14:
    
        quotactl_fd: needs CAP_SYS_ADMIN
        memfd_secret: always allowed
    
    Kernel 5.15:
    
        process_mrelease: always allowed
    
    Kernel 5.16:
    
        futex_waitv: always allowed
    
    Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
    (cherry picked from commit 7de9f4f)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    rumpl authored and thaJeztah committed Aug 18, 2022
    d127287
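Both commits change the default seccomp policy in two different ways: some syscalls (the Landlock calls, `memfd_secret`, `process_mrelease`, `futex_waitv`) are allowed unconditionally, while others (`mount_setattr`, `quotactl_fd`) are allowed only when the container has `CAP_SYS_ADMIN`. The following added example (not moby's own code or its real `default.json`) shows how a rule like "needs CAP_SYS_ADMIN" is expressed in the shape of Docker's seccomp profile format (`defaultAction`, a `syscalls` list with `names`, `action`, `includes`/`excludes` carrying `caps`) and evaluates it against a container's capability set. The profile fragment is constructed; the Landlock syscall names are the three kernel 5.13 calls, which the commit message does not spell out; the include/exclude semantics and the first-matching-rule resolution are assumptions made for this illustration.

```python
import json

# Constructed profile fragment (not moby's actual default.json). Field names
# follow Docker's seccomp profile format; the syscalls and their capability
# conditions are the ones listed in the two commit messages. The three
# landlock_* names are the kernel 5.13 Landlock syscalls (assumed here, since
# the commit message only says "Landlock system calls").
PROFILE_FRAGMENT = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {
      "names": [
        "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self",
        "memfd_secret", "process_mrelease", "futex_waitv"
      ],
      "action": "SCMP_ACT_ALLOW",
      "includes": {},
      "excludes": {}
    },
    {
      "names": ["mount_setattr", "quotactl_fd"],
      "action": "SCMP_ACT_ALLOW",
      "includes": {"caps": ["CAP_SYS_ADMIN"]},
      "excludes": {}
    }
  ]
}
""")


def rule_applies(rule, container_caps):
    """Decide whether a rule is active for a container with the given caps.
    Assumed semantics for this example: includes.caps means "at least one of
    these caps is present", excludes.caps means "none of these caps is
    present". Other include/exclude keys (arches, minKernel) are ignored."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    if inc and not (inc & container_caps):
        return False
    if exc & container_caps:
        return False
    return True


def effective_action(profile, syscall, container_caps):
    """Return the action the profile yields for one syscall: the action of
    the first applicable rule naming it, else the profile's defaultAction
    (so a gated syscall falls back to SCMP_ACT_ERRNO when the cap is absent)."""
    caps = set(container_caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def allowed_syscalls(profile, container_caps):
    """All syscalls the profile explicitly allows for this capability set."""
    caps = set(container_caps)
    names = set()
    for rule in profile["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW" and rule_applies(rule, caps):
            names.update(rule["names"])
    return names


if __name__ == "__main__":
    # Constructed capability sets: a reduced default set and one with CAP_SYS_ADMIN.
    default_caps = {"CAP_CHOWN", "CAP_NET_BIND_SERVICE"}
    admin_caps = default_caps | {"CAP_SYS_ADMIN"}
    for sc in ("landlock_restrict_self", "mount_setattr", "quotactl_fd"):
        print(f"{sc:24} default={effective_action(PROFILE_FRAGMENT, sc, default_caps)}"
              f" with CAP_SYS_ADMIN={effective_action(PROFILE_FRAGMENT, sc, admin_caps)}")
```

Running it shows the split the commits describe: the Landlock calls resolve to `SCMP_ACT_ALLOW` regardless of capabilities, while `mount_setattr` and `quotactl_fd` resolve to the profile's `defaultAction` unless `CAP_SYS_ADMIN` is in the container's set. When reviewing a policy change like this one, the useful check is exactly this: confirm that a newly allowed syscall lands in the unconditional rule only when the kernel already enforces its own privilege check.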