seccomp: make sure getrlimit() is among the default permitted syscalls
author Lennart Poettering <lennart@poettering.net>
Wed, 17 Aug 2016 15:53:25 +0000 (17:53 +0200)
committer Lennart Poettering <lennart@poettering.net>
Mon, 22 Aug 2016 12:17:23 +0000 (14:17 +0200)
A lot of basic code wants to know the stack size, and it is safe if they do,
hence let's permit getrlimit() (but not setrlimit()) by default.

See: #3970

src/shared/seccomp-util.c

index 8656d11..b549426 100644 (file)
@@ -127,6 +127,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
                 "execve\0"
                 "exit\0"
                 "exit_group\0"
+                "getrlimit\0"      /* make sure processes can query stack size and such */
                 "rt_sigreturn\0"
                 "sigreturn\0"
         }, {
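Review bot: the comment on the added "getrlimit\0" entry explains why querying is allowed but does not record that setrlimit() is left out on purpose, which is the security-relevant half of the decision stated in the commit message. Consider extending it to something like /* query only (stack size and such); setrlimit() is intentionally not permitted here */ so that a later edit to this list does not add the setter as an apparent omission. The entry is placed in alphabetical position between "exit_group\0" and "rt_sigreturn\0", which matches the ordering of the surrounding lines.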