
Update syscall tables and seccomp groups #5188

Closed
rusty-snake opened this issue Jun 10, 2022 · 4 comments
Labels
enhancement New feature request

Comments

@rusty-snake
Collaborator

Related: #3106

Since your last seccomp groups update, Linux got new syscalls like clone3 (@process), close_range (@basic-io) or move_mount, open_tree, fsconfig, fsmount, fsopen, fspick (@mount). We should update the group definitions to include newly added syscalls.
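A small coverage check for the situation this comment describes, as an added example that is not firejail's own code: it reports the syscalls in a syscall table that no seccomp group mentions, so a group-based deny list cannot silently miss them. The tables and group contents are constructed for the example (the numbers are the x86_64 ones for those calls) and only mirror the groups and syscalls named above.

```python
"""Coverage check for seccomp syscall groups (added example, not firejail code).

A syscall that no group lists is absent from every group-based deny list:
a filter written as "@process" would still let clone3 through until the
group definition is refreshed.
"""

# Constructed sample table; the numbers are the x86_64 ones for these calls.
SYSCALL_TABLE = {
    "clone": 56, "mount": 165, "umount2": 166, "close": 3,
    "open_tree": 428, "move_mount": 429, "fsopen": 430, "fsconfig": 431,
    "fsmount": 432, "fspick": 433, "pidfd_open": 434, "clone3": 435,
    "close_range": 436, "openat2": 437, "pidfd_getfd": 438,
    "faccessat2": 439, "process_madvise": 440,
}

# Constructed "before" state: group definitions that predate the newer calls.
GROUPS_OLD = {
    "@process": {"clone"},
    "@basic-io": {"close"},
    "@mount": {"mount", "umount2"},
}

# Constructed "after" state, following the assignment proposed in the issue.
GROUPS_NEW = {
    "@process": {"clone", "clone3"},
    "@basic-io": {"close", "close_range"},
    "@mount": {"mount", "umount2", "open_tree", "move_mount", "fsopen",
               "fsconfig", "fsmount", "fspick"},
}


def uncovered(table, groups, since=0):
    """Sorted (number, name) pairs for syscalls >= `since` that no group lists."""
    covered = set().union(*groups.values())
    return sorted((num, name) for name, num in table.items()
                  if num >= since and name not in covered)


def expand(groups, names):
    """Expand a mix of @group names and bare syscall names into syscall names."""
    out = set()
    for n in names:
        out |= groups[n] if n.startswith("@") else {n}
    return out


if __name__ == "__main__":
    for num, name in uncovered(SYSCALL_TABLE, GROUPS_OLD, since=428):
        print(f"{num:4d} {name}: not in any group")
    print("blocked by @mount after update:", sorted(expand(GROUPS_NEW, ["@mount"])))
```

Run against a real table, the `since` argument is the highest syscall number the previous group update covered, so the output is exactly the list of calls that still need a group decision.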

@rusty-snake rusty-snake added the enhancement New feature request label Jun 10, 2022
smitsohu added a commit that referenced this issue Jul 17, 2022
now covers syscalls up to including process_madvise (440)

group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305

the only exception is close_range, which was added to both @basic-io and @File-system

this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree

@rusty-snake
Collaborator Author

@smitsohu can we close?

@smitsohu
Collaborator

Closing!

@kmk3 kmk3 changed the title Update seccomp groups Update syscall tables and seccomp groups Aug 21, 2022
@kmk3
Collaborator

kmk3 commented Aug 21, 2022

Misc: These commits seem to be related:

And I made a few WIP commits related to the first one.

Since this issue appears to be the most relevant one to that commit, I renamed
this issue to be about the syscalls too.

@kmk3
Collaborator

kmk3 commented Aug 21, 2022

(Late review)

@smitsohu

  • fbceab9 ("refresh and sort syscall tables", 2022-07-15)

Please try to avoid doing both sorting and logical changes on the same commit,
as that can make it really hard to see what was changed (and I was interested
to see what syscalls were added/removed in this case).

Considering that the tables weren't fully sorted (by syscall name), the diffs
would have been clearer by splitting the changes like this:

  1. sort syscall tables (by name)
  2. refresh syscall tables
  3. sort syscall tables (by number)

Or like this:

  1. sort syscall tables (by number)
  2. refresh syscall tables

kmk3 added a commit that referenced this issue Nov 22, 2022
@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.72 Sep 2, 2024