seccomp: add support for "swapcontext" syscall in default policy

nmeum · nmeum · commit adee2c797433 · 2022-01-07T18:05:59.000+01:00
This system call is only available on 32- and 64-bit PowerPC, it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd nspawn [2] already whitelist this system call so it makes sense to whitelist it in containerd as well. [1]: moby/moby#43092 [2]: systemd/systemd#9487 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -467,6 +467,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 		s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 			Names: []string{
 				"sync_file_range2",
+				"swapcontext",
 			},
 			Action: specs.ActAllow,
 			Args:   []specs.LinuxSeccompArg{},
