author | Jorge E. Moreira <jemoreira@google.com> | 2022-10-28 16:44:35 -0700 |
committer | Jorge E. Moreira <jemoreira@google.com> | 2022-10-28 16:44:35 -0700 |
commit | b76c16fab94dcb5b372983f741ce8d26da309b17 (patch) | |
tree | 6802c7a5b6c4cac3f5296b43cf0df3eb21b708f7 | |
parent | 5c7ba3fd9f8749c85aa83623c5013a7657e68abf (diff) | |
download | cuttlefish_vmm-b76c16fab94dcb5b372983f741ce8d26da309b17.tar.gz |
Add missing system calls to seccomp policy
clone3
rseq
Bug: 252979960
Change-Id: I42660409decdfdf4c1b3378b5e17533e0204a2ba
59 files changed, 118 insertions, 0 deletions
diff --git a/aarch64-linux-gnu/etc/seccomp/9p_device.policy b/aarch64-linux-gnu/etc/seccomp/9p_device.policy
index 076df6d..9235caf 100644
--- a/aarch64-linux-gnu/etc/seccomp/9p_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/9p_device.policy
@@ -75,3 +75,5 @@ fchown: 1
 fstatfs: 1
 newfstatat: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/balloon_device.policy b/aarch64-linux-gnu/etc/seccomp/balloon_device.policy
index 0388231..c55f630 100644
--- a/aarch64-linux-gnu/etc/seccomp/balloon_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/balloon_device.policy
@@ -54,3 +54,5 @@ uname: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/battery.policy b/aarch64-linux-gnu/etc/seccomp/battery.policy
index cc18e69..1dbb6f8 100644
--- a/aarch64-linux-gnu/etc/seccomp/battery.policy
+++ b/aarch64-linux-gnu/etc/seccomp/battery.policy
@@ -52,3 +52,5 @@ writev: 1
 fcntl: 1
 uname: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/block_device.policy b/aarch64-linux-gnu/etc/seccomp/block_device.policy
index 7b20871..6c45185 100644
--- a/aarch64-linux-gnu/etc/seccomp/block_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/block_device.policy
@@ -67,3 +67,5 @@ timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/coiommu_device.policy b/aarch64-linux-gnu/etc/seccomp/coiommu_device.policy
index 3385e1f..bf78ff7 100644
--- a/aarch64-linux-gnu/etc/seccomp/coiommu_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/coiommu_device.policy
@@ -57,3 +57,5 @@ prctl: arg0 == PR_SET_NAME
 timerfd_create: 1
 timerfd_settime: 1
 timerfd_gettime: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/common_device.policy b/aarch64-linux-gnu/etc/seccomp/common_device.policy
index ba11bac..de67dc8 100644
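Review bot: `clone3: 1` admits clone3 with no argument filter in this hunk and in every other hunk of the commit, while the two `gpu_device.policy` hunks keep an existing `clone: arg0 & CLONE_THREAD` rule right beside the new line; clone3 takes its flags through a `struct clone_args` pointer that a seccomp filter cannot dereference, so the argument restriction on `clone` no longer bounds what that sandboxed process may create. If these processes only reach clone3 because their libc prefers it for thread creation, the conservative rule is `clone3: return ENOSYS`, which makes glibc fall back to `clone` where the existing filter still applies; the `return <errno>` form is already used in these files for `openat` and `socket`. I cannot tell from the diff whether any device process genuinely needs clone3-only functionality, so that should be confirmed before the ENOSYS form is applied across all 59 files. `rseq: 1` raises no concern.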
--- a/aarch64-linux-gnu/etc/seccomp/common_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/common_device.policy
@@ -50,3 +50,5 @@ write: 1
 writev: 1
 fcntl: 1
 uname: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/cras_audio_device.policy b/aarch64-linux-gnu/etc/seccomp/cras_audio_device.policy
index bf2fb18..d3cb371 100644
--- a/aarch64-linux-gnu/etc/seccomp/cras_audio_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/cras_audio_device.policy
@@ -62,3 +62,5 @@ prctl: arg0 == PR_SET_NAME
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/cras_snd_device.policy b/aarch64-linux-gnu/etc/seccomp/cras_snd_device.policy
index bbf81a4..e995fc4 100644
--- a/aarch64-linux-gnu/etc/seccomp/cras_snd_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/cras_snd_device.policy
@@ -63,3 +63,5 @@ sched_setscheduler: 1
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/fs_device.policy b/aarch64-linux-gnu/etc/seccomp/fs_device.policy
index 9d5362b..896c6b1 100644
--- a/aarch64-linux-gnu/etc/seccomp/fs_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/fs_device.policy
@@ -104,3 +104,5 @@ prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECURE
 capget: 1
 capset: 1
 unshare: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/gpu_common.policy b/aarch64-linux-gnu/etc/seccomp/gpu_common.policy
index 1798ebd..abe3d3e 100644
--- a/aarch64-linux-gnu/etc/seccomp/gpu_common.policy
+++ b/aarch64-linux-gnu/etc/seccomp/gpu_common.policy
@@ -93,3 +93,5 @@ faccessat: 1
 faccessat2: 1
 getgid: 1
 getegid: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/gpu_device.policy b/aarch64-linux-gnu/etc/seccomp/gpu_device.policy
index b019905..0679834 100644
--- a/aarch64-linux-gnu/etc/seccomp/gpu_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/gpu_device.policy
@@ -87,3 +87,5 @@ getegid: 1
 socket: arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC && arg2 == 0
 clone: arg0 & CLONE_THREAD
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/gpu_render_server.policy b/aarch64-linux-gnu/etc/seccomp/gpu_render_server.policy
index 11d39b3..63de1fc 100644
--- a/aarch64-linux-gnu/etc/seccomp/gpu_render_server.policy
+++ b/aarch64-linux-gnu/etc/seccomp/gpu_render_server.policy
@@ -97,3 +97,5 @@ socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0
 # allow signalfd()
 signalfd4: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/input_device.policy b/aarch64-linux-gnu/etc/seccomp/input_device.policy
index 597ef92..363c8f3 100644
--- a/aarch64-linux-gnu/etc/seccomp/input_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/input_device.policy
@@ -56,3 +56,5 @@ ioctl: 1
 getsockname: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/net_device.policy b/aarch64-linux-gnu/etc/seccomp/net_device.policy
index 17c5932..a26976b 100644
--- a/aarch64-linux-gnu/etc/seccomp/net_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/net_device.policy
@@ -57,3 +57,5 @@ ioctl: arg1 == 0x400454d0
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/null_audio_device.policy b/aarch64-linux-gnu/etc/seccomp/null_audio_device.policy
index 7024059..89f640f 100644
--- a/aarch64-linux-gnu/etc/seccomp/null_audio_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/null_audio_device.policy
@@ -57,3 +57,5 @@ prlimit64: 1
 setrlimit: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/pmem_device.policy b/aarch64-linux-gnu/etc/seccomp/pmem_device.policy
index 7986aaf..d4bf97a 100644
--- a/aarch64-linux-gnu/etc/seccomp/pmem_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/pmem_device.policy
@@ -56,3 +56,5 @@ fdatasync: 1
 fsync: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/rng_device.policy b/aarch64-linux-gnu/etc/seccomp/rng_device.policy
index f8af59c..835d721 100644
--- a/aarch64-linux-gnu/etc/seccomp/rng_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/rng_device.policy
@@ -55,3 +55,5 @@ uname: 1
 getrandom: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/serial.policy b/aarch64-linux-gnu/etc/seccomp/serial.policy
index bb9723c..00540d6 100644
--- a/aarch64-linux-gnu/etc/seccomp/serial.policy
+++ b/aarch64-linux-gnu/etc/seccomp/serial.policy
@@ -9,3 +9,5 @@ connect: 1
 bind: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/serial_device.policy b/aarch64-linux-gnu/etc/seccomp/serial_device.policy
index 5eadf34..11e7e1d 100644
--- a/aarch64-linux-gnu/etc/seccomp/serial_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/serial_device.policy
@@ -59,3 +59,5 @@ connect: 1
 bind: 1
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/tpm_device.policy b/aarch64-linux-gnu/etc/seccomp/tpm_device.policy
index b06f9c1..bd3ad1f 100644
--- a/aarch64-linux-gnu/etc/seccomp/tpm_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/tpm_device.policy
@@ -65,3 +65,5 @@ openat: 1
 prctl: arg0 == PR_SET_NAME
 socket: return EACCES
 statx: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/vhost_net_device.policy b/aarch64-linux-gnu/etc/seccomp/vhost_net_device.policy
index 6a7cf64..4e7f85c 100644
--- a/aarch64-linux-gnu/etc/seccomp/vhost_net_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/vhost_net_device.policy
@@ -72,3 +72,5 @@ ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 ==
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/vhost_vsock_device.policy b/aarch64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
index c396ecf..66ebefd 100644
--- a/aarch64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
@@ -73,3 +73,5 @@ ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 ==
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/video_device.policy b/aarch64-linux-gnu/etc/seccomp/video_device.policy
index d9644b1..7fa85f7 100644
--- a/aarch64-linux-gnu/etc/seccomp/video_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/video_device.policy
@@ -67,3 +67,5 @@ openat: 1
 setpriority: 1
 socket: arg0 == AF_UNIX
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/vios_audio_device.policy b/aarch64-linux-gnu/etc/seccomp/vios_audio_device.policy
index e75181e..d4bbf0d 100644
--- a/aarch64-linux-gnu/etc/seccomp/vios_audio_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/vios_audio_device.policy
@@ -58,3 +58,5 @@ prlimit64: 1
 sched_setscheduler: 1
 setrlimit: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/wl_device.policy b/aarch64-linux-gnu/etc/seccomp/wl_device.policy
index 8cab77e..7d62d17 100644
--- a/aarch64-linux-gnu/etc/seccomp/wl_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/wl_device.policy
@@ -66,3 +66,5 @@ ftruncate: 1
 lseek: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/xhci.policy b/aarch64-linux-gnu/etc/seccomp/xhci.policy
index a2b9d6c..6f7e5b4 100644
--- a/aarch64-linux-gnu/etc/seccomp/xhci.policy
+++ b/aarch64-linux-gnu/etc/seccomp/xhci.policy
@@ -74,3 +74,5 @@ ioctl: arg1 == 0xc0105500 || arg1 == 0x802c550a || arg1 == 0x8004551a || arg1 ==
 fstat: 1
 getrandom: 1
 lseek: 1
+clone3: 1
+rseq: 1
diff --git a/aarch64-linux-gnu/etc/seccomp/xhci_device.policy b/aarch64-linux-gnu/etc/seccomp/xhci_device.policy
index cefeff7..3e435fd 100644
--- a/aarch64-linux-gnu/etc/seccomp/xhci_device.policy
+++ b/aarch64-linux-gnu/etc/seccomp/xhci_device.policy
@@ -83,3 +83,5 @@ fstat: 1
 getrandom: 1
 lseek: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/9p_device.policy b/x86_64-linux-gnu/etc/seccomp/9p_device.policy
index 61ec749..b60abcf 100644
--- a/x86_64-linux-gnu/etc/seccomp/9p_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/9p_device.policy
@@ -79,3 +79,5 @@ fchown: 1
 fstatfs: 1
 newfstatat: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/balloon_device.policy b/x86_64-linux-gnu/etc/seccomp/balloon_device.policy
index 91b8bbe..f2942d3 100644
--- a/x86_64-linux-gnu/etc/seccomp/balloon_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/balloon_device.policy
@@ -57,3 +57,5 @@ uname: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/battery.policy b/x86_64-linux-gnu/etc/seccomp/battery.policy
index b02b6df..1029982 100644
--- a/x86_64-linux-gnu/etc/seccomp/battery.policy
+++ b/x86_64-linux-gnu/etc/seccomp/battery.policy
@@ -67,3 +67,5 @@ openat: 1
 socket: arg0 == AF_UNIX
 tgkill: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/block_device.policy b/x86_64-linux-gnu/etc/seccomp/block_device.policy
index 744f3d8..7826977 100644
--- a/x86_64-linux-gnu/etc/seccomp/block_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/block_device.policy
@@ -72,3 +72,5 @@ timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/coiommu.policy b/x86_64-linux-gnu/etc/seccomp/coiommu.policy
index 528e790..d2e4c62 100644
--- a/x86_64-linux-gnu/etc/seccomp/coiommu.policy
+++ b/x86_64-linux-gnu/etc/seccomp/coiommu.policy
@@ -59,3 +59,5 @@ prctl: arg0 == PR_SET_NAME
 timerfd_create: 1
 timerfd_settime: 1
 timerfd_gettime: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/coiommu_device.policy b/x86_64-linux-gnu/etc/seccomp/coiommu_device.policy
index 528e790..d2e4c62 100644
--- a/x86_64-linux-gnu/etc/seccomp/coiommu_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/coiommu_device.policy
@@ -59,3 +59,5 @@ prctl: arg0 == PR_SET_NAME
 timerfd_create: 1
 timerfd_settime: 1
 timerfd_gettime: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/common_device.policy b/x86_64-linux-gnu/etc/seccomp/common_device.policy
index 1f677ea..e1d76d9 100644
--- a/x86_64-linux-gnu/etc/seccomp/common_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/common_device.policy
@@ -53,3 +53,5 @@ write: 1
 writev: 1
 fcntl: 1
 uname: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/cras_audio_device.policy b/x86_64-linux-gnu/etc/seccomp/cras_audio_device.policy
index 633ac43..f82a4a2 100644
--- a/x86_64-linux-gnu/etc/seccomp/cras_audio_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/cras_audio_device.policy
@@ -65,3 +65,5 @@ prctl: arg0 == PR_SET_NAME
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/cras_snd_device.policy b/x86_64-linux-gnu/etc/seccomp/cras_snd_device.policy
index 59bd13a..ef86153 100644
--- a/x86_64-linux-gnu/etc/seccomp/cras_snd_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/cras_snd_device.policy
@@ -66,3 +66,5 @@ sched_setscheduler: 1
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/fs_device.policy b/x86_64-linux-gnu/etc/seccomp/fs_device.policy
index 0fe014e..bdb23fb 100644
--- a/x86_64-linux-gnu/etc/seccomp/fs_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/fs_device.policy
@@ -108,3 +108,5 @@ utimensat: 1
 prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
 capget: 1
 capset: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/gpu_common.policy b/x86_64-linux-gnu/etc/seccomp/gpu_common.policy
index c8cf74f..fabfa4c 100644
--- a/x86_64-linux-gnu/etc/seccomp/gpu_common.policy
+++ b/x86_64-linux-gnu/etc/seccomp/gpu_common.policy
@@ -104,3 +104,5 @@ kcmp: 1
 access: 1
 getgid: 1
 getegid: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/gpu_device.policy b/x86_64-linux-gnu/etc/seccomp/gpu_device.policy
index fde03e8..b9172a6 100644
--- a/x86_64-linux-gnu/etc/seccomp/gpu_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/gpu_device.policy
@@ -94,3 +94,5 @@ getegid: 1
 socket: arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC && arg2 == 0
 clone: arg0 & CLONE_THREAD
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/gpu_render_server.policy b/x86_64-linux-gnu/etc/seccomp/gpu_render_server.policy
index efef70c..43c6970 100644
--- a/x86_64-linux-gnu/etc/seccomp/gpu_render_server.policy
+++ b/x86_64-linux-gnu/etc/seccomp/gpu_render_server.policy
@@ -104,3 +104,5 @@ socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0
 # allow signalfd()
 signalfd4: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/input_device.policy b/x86_64-linux-gnu/etc/seccomp/input_device.policy
index 75cce9c..f4f3eab 100644
--- a/x86_64-linux-gnu/etc/seccomp/input_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/input_device.policy
@@ -59,3 +59,5 @@ getsockname: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/iommu_device.policy b/x86_64-linux-gnu/etc/seccomp/iommu_device.policy
index 7a9639a..eeb839c 100644
--- a/x86_64-linux-gnu/etc/seccomp/iommu_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/iommu_device.policy
@@ -61,3 +61,5 @@ openat: return ENOENT
 # 0x3B71: VFIO_IOMMU_MAP_DMA
 # 0x3B72: VFIO_IOMMU_UNMAP_DMA
 ioctl: arg1 == 0x3B71 || arg1 == 0x3B72
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/net_device.policy b/x86_64-linux-gnu/etc/seccomp/net_device.policy
index ff25469..129035d 100644
--- a/x86_64-linux-gnu/etc/seccomp/net_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/net_device.policy
@@ -59,3 +59,5 @@ ioctl: arg1 == 0x400454d0
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/null_audio_device.policy b/x86_64-linux-gnu/etc/seccomp/null_audio_device.policy
index e3dcdb1..8262269 100644
--- a/x86_64-linux-gnu/etc/seccomp/null_audio_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/null_audio_device.policy
@@ -61,3 +61,5 @@ prlimit64: 1
 setrlimit: 1
 sched_setscheduler: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/pmem_device.policy b/x86_64-linux-gnu/etc/seccomp/pmem_device.policy
index 5be7b30..fa040de 100644
--- a/x86_64-linux-gnu/etc/seccomp/pmem_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/pmem_device.policy
@@ -59,3 +59,5 @@ fsync: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/rng_device.policy b/x86_64-linux-gnu/etc/seccomp/rng_device.policy
index 478535d..295284f 100644
--- a/x86_64-linux-gnu/etc/seccomp/rng_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/rng_device.policy
@@ -58,3 +58,5 @@ getrandom: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/serial.policy b/x86_64-linux-gnu/etc/seccomp/serial.policy
index 545670f..e2ba66b 100644
--- a/x86_64-linux-gnu/etc/seccomp/serial.policy
+++ b/x86_64-linux-gnu/etc/seccomp/serial.policy
@@ -10,3 +10,5 @@ bind: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/serial_device.policy b/x86_64-linux-gnu/etc/seccomp/serial_device.policy
index 8ad5d21..f083d46 100644
--- a/x86_64-linux-gnu/etc/seccomp/serial_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/serial_device.policy
@@ -62,3 +62,5 @@ bind: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/tpm_device.policy b/x86_64-linux-gnu/etc/seccomp/tpm_device.policy
index 931857d..e240692 100644
--- a/x86_64-linux-gnu/etc/seccomp/tpm_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/tpm_device.policy
@@ -69,3 +69,5 @@ prctl: arg0 == PR_SET_NAME
 socket: return EACCES
 stat: 1
 statx: 1
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vfio_device.policy b/x86_64-linux-gnu/etc/seccomp/vfio_device.policy
index 0a227fa..6438cb1 100644
--- a/x86_64-linux-gnu/etc/seccomp/vfio_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vfio_device.policy
@@ -60,3 +60,5 @@ openat: return ENOENT
 pread64: 1
 pwrite64: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vhost_net_device.policy b/x86_64-linux-gnu/etc/seccomp/vhost_net_device.policy
index 84651b6..55b8ce6 100644
--- a/x86_64-linux-gnu/etc/seccomp/vhost_net_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vhost_net_device.policy
@@ -74,3 +74,5 @@ ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 ==
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vhost_vsock_device.policy b/x86_64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
index c0e9e5f..268dc92 100644
--- a/x86_64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vhost_vsock_device.policy
@@ -76,3 +76,5 @@ connect: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/video_device.policy b/x86_64-linux-gnu/etc/seccomp/video_device.policy
index e147a63..794381f 100644
--- a/x86_64-linux-gnu/etc/seccomp/video_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/video_device.policy
@@ -90,3 +90,5 @@ sched_setscheduler: arg1 == SCHED_IDLE || arg1 == SCHED_BATCH
 sysinfo: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vios_audio_device.policy b/x86_64-linux-gnu/etc/seccomp/vios_audio_device.policy
index 5a7faa7..cc81948 100644
--- a/x86_64-linux-gnu/etc/seccomp/vios_audio_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vios_audio_device.policy
@@ -61,3 +61,5 @@ prlimit64: 1
 sched_setscheduler: 1
 setrlimit: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vtpm_proxy_device.policy b/x86_64-linux-gnu/etc/seccomp/vtpm_proxy_device.policy
index 5245a44..84aa436 100644
--- a/x86_64-linux-gnu/etc/seccomp/vtpm_proxy_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vtpm_proxy_device.policy
@@ -68,3 +68,5 @@ openat: 1
 socket: arg0 == AF_UNIX
 tgkill: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/vvu_proxy_device.policy b/x86_64-linux-gnu/etc/seccomp/vvu_proxy_device.policy
index 9504767..32a9627 100644
--- a/x86_64-linux-gnu/etc/seccomp/vvu_proxy_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/vvu_proxy_device.policy
@@ -61,3 +61,5 @@ getdents64: 1
 ioctl: arg1 == SIOCGIFFLAGS || arg1 == SIOCSIFFLAGS || arg1 == TCGETS
 prctl: arg0 == PR_SET_NAME
 socket: arg0 == AF_UNIX
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/wl_device.policy b/x86_64-linux-gnu/etc/seccomp/wl_device.policy
index 529b2ee..3e707ad 100644
--- a/x86_64-linux-gnu/etc/seccomp/wl_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/wl_device.policy
@@ -68,3 +68,5 @@ lseek: 1
 open: return ENOENT
 openat: return ENOENT
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/xhci.policy b/x86_64-linux-gnu/etc/seccomp/xhci.policy
index 1a7f09f..bc6f421 100644
--- a/x86_64-linux-gnu/etc/seccomp/xhci.policy
+++ b/x86_64-linux-gnu/etc/seccomp/xhci.policy
@@ -92,3 +92,5 @@ getdents: 1
 getdents64: 1
 lseek: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
diff --git a/x86_64-linux-gnu/etc/seccomp/xhci_device.policy b/x86_64-linux-gnu/etc/seccomp/xhci_device.policy
index 1a7f09f..bc6f421 100644
--- a/x86_64-linux-gnu/etc/seccomp/xhci_device.policy
+++ b/x86_64-linux-gnu/etc/seccomp/xhci_device.policy
@@ -92,3 +92,5 @@ getdents: 1
 getdents64: 1
 lseek: 1
 prctl: arg0 == PR_SET_NAME
+clone3: 1
+rseq: 1
|