
Commit 02d0b5e

author
Mike Ludwig
committed
update controller seccomp profile
1 parent 500d176 commit 02d0b5e


1 file changed

+82
-2
lines changed


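--- a/helm/openwhisk/templates/seccomp-cm.yaml
+++ b/helm/openwhisk/templates/seccomp-cm.yaml
@@ -478,9 +478,11 @@ data:
 "syscalls": [
 {
 "names": [
-"setgid",
-"setuid",
+"accept",
+"accept4",
 "access",
+"adjtimex",
+"alarm",
 "bind",
 "brk",
 "capget",
@@ -489,11 +491,16 @@ data:
 "chmod",
 "chown",
 "chown32",
+"clock_adjtime",
+"clock_adjtime64",
 "clock_getres",
 "clock_getres_time64",
 "clock_gettime",
 "clock_gettime64",
+"clock_nanosleep",
+"clock_nanosleep_time64",
 "close",
+"close_range",
 "connect",
 "copy_file_range",
 "creat",
@@ -591,6 +598,8 @@ data:
 "ioprio_set",
 "ipc",
 "kill",
+"lchown",
+"lchown32",
 "lgetxattr",
 "link",
 "linkat",
@@ -623,6 +632,8 @@ data:
 "msgrcv",
 "msgsnd",
 "msync",
+"munlock",
+"munlockall",
 "munmap",
 "nanosleep",
 "newfstatat",
@@ -643,6 +654,11 @@ data:
 "preadv",
 "preadv2",
 "prlimit64",
+"pselect6",
+"pselect6_time64",
+"pwrite64",
+"pwritev",
+"pwritev2",
 "read",
 "readahead",
 "readlink",
@@ -696,6 +712,12 @@ data:
 "sendmmsg",
 "sendmsg",
 "sendto",
+"setfsgid",
+"setfsgid32",
+"setfsuid",
+"setfsuid32",
+"setgid",
+"setgid32",
 "setgroups",
 "setgroups32",
 "setitimer",
@@ -705,17 +727,24 @@ data:
 "setregid32",
 "setresgid",
 "setresgid32",
+"setresuid",
+"setresuid32",
+"setreuid",
+"setreuid32",
 "setrlimit",
 "set_robust_list",
 "setsid",
 "setsockopt",
 "set_thread_area",
 "set_tid_address",
+"setuid",
+"setuid32",
 "setxattr",
 "shmat",
 "shmctl",
 "shmdt",
 "shmget",
+"shutdown",
 "sigaltstack",
 "signalfd",
 "signalfd4",
@@ -739,6 +768,18 @@ data:
 "tee",
 "tgkill",
 "time",
+"timer_create",
+"timer_delete",
+"timer_getoverrun",
+"timer_gettime",
+"timer_gettime64",
+"timer_settime",
+"timer_settime64",
+"timerfd_create",
+"timerfd_gettime",
+"timerfd_gettime64",
+"timerfd_settime",
+"timerfd_settime64",
 "times",
 "tkill",
 "truncate",
@@ -838,6 +879,45 @@ data:
 "s390x"
 ]
 }
+},
+{
+"names": [
+"clone"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 1,
+"value": 2114060288,
+"op": "SCMP_CMP_MASKED_EQ"
+}
+],
+"comment": "s390 parameter ordering for clone is different",
+"includes": {
+"arches": [
+"s390",
+"s390x"
+]
+},
+"excludes": {
+"caps": [
+"CAP_SYS_ADMIN"
+]
+}
+},
+{
+"names": [
+"syslog"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [],
+"comment": "",
+"includes": {
+"caps": [
+"CAP_SYSLOG"
+]
+},
+"excludes": {}
 }
 ]
 }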
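Review bot: The two rules appended at the end of the `syscalls` array (`clone` on s390/s390x with `excludes.caps` CAP_SYS_ADMIN, and `syslog` with `includes.caps` CAP_SYSLOG) stay conditional only if the component that loads this profile evaluates `includes`/`excludes`. Those keys are a Docker/moby-style profile extension and not part of the OCI runtime-spec seccomp object, so a loader that unmarshals the JSON straight into that object would presumably ignore them and allow `syslog` regardless of capabilities. How the ConfigMap is consumed is not visible in this section, so confirm it against the runtime the chart targets, or drop the `syslog` rule if the controller never holds CAP_SYSLOG. The rule's `"comment": ""` could also record the intent, e.g. `"comment": "kernel log access only when CAP_SYSLOG is granted"`. Separately, the first hunks add the setuid/setgid/setfsuid family plus `adjtimex` and `clock_adjtime` to what appears to be the main allow list (its `action` lies outside the hunks), and the commit message gives no reason, so naming the upstream default the list was synced from would help reviewers judge whether the controller needs them.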
