Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299.
This change doesn't solve the issue, but makes it easier to whitelist the
syscall group.
* @cpu-emulation
* @keyring (NB: keyring is not namespaced!)
* @obsolete
+ * @pkey
* @swap
*
* bpf (NB: bpffs is not namespaced!)
* nfsservctl
* open_by_handle_at
* perf_event_open
- * pkey_alloc
- * pkey_free
- * pkey_mprotect
* quotactl
*/
};
"ustat\0"
"vserver\0"
},
+ [SYSCALL_FILTER_SET_PKEY] = {
+ .name = "@pkey",
+ .help = "System calls used for memory protection keys",
+ .value =
+ "pkey_alloc\0"
+ "pkey_free\0"
+ "pkey_mprotect\0"
+ },
[SYSCALL_FILTER_SET_PRIVILEGED] = {
.name = "@privileged",
.help = "All system calls which need super-user capabilities",
SYSCALL_FILTER_SET_MOUNT,
SYSCALL_FILTER_SET_NETWORK_IO,
SYSCALL_FILTER_SET_OBSOLETE,
+ SYSCALL_FILTER_SET_PKEY,
SYSCALL_FILTER_SET_PRIVILEGED,
SYSCALL_FILTER_SET_PROCESS,
SYSCALL_FILTER_SET_RAW_IO,