seccomp: beef up @process group a bit
author Lennart Poettering <lennart@poettering.net>
Wed, 13 Sep 2017 17:40:23 +0000 (19:40 +0200)
committer Lennart Poettering <lennart@poettering.net>
Thu, 14 Sep 2017 13:45:21 +0000 (15:45 +0200)
Include the wait syscalls. If we permit forking then we should also
permit waiting for a process.

Similar to that: also permit determining the usage counters for
processes.

Include calls to determine process/thread identity. They have little
impact security-wise, but are very likely used when process management
of any form is done.

Also, add rt_sigqueueinfo + rt_tgsigqueueinfo as they are similar to
kill() and friends, but permit passing along a userdata ptr.

src/shared/seccomp-util.c

index eee7f04..d96b449 100644 (file)
@@ -612,13 +612,23 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "clone\0"
                 "execveat\0"
                 "fork\0"
+                "getpid\0"
+                "getppid\0"
+                "getrusage\0"
+                "gettid\0"
                 "kill\0"
                 "prctl\0"
+                "rt_sigqueueinfo\0"
+                "rt_tgsigqueueinfo\0"
                 "setns\0"
                 "tgkill\0"
+                "times\0"
                 "tkill\0"
                 "unshare\0"
                 "vfork\0"
+                "wait4\0"
+                "waitid\0"
+                "waitpid\0"
         },
         [SYSCALL_FILTER_SET_RAW_IO] = {
                 .name = "@raw-io",
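
Review bot: the added getpid, getppid, gettid, getrusage and times entries are read-only queries, but they now share a set with kill, setns and unshare. Any configuration that uses @process as a deny-list rather than an allow-list will start blocking them, together with wait4, waitid and waitpid. Before merging, check the existing deny-list users of this set, and consider whether the identity and accounting calls belong in a more basic set instead. The set's user-facing description should also be updated, because the group now covers waiting, resource accounting and signal queueing (rt_sigqueueinfo, rt_tgsigqueueinfo) in addition to process creation and signalling.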