Add @pkey syscall group

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1769299. This change doesn't solve the issue, but makes it easier to whitelist the syscall group.
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2019-11-08 12:56:56 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2019-11-08 14:41:22 +0100
commit: 9493b168717a445abb12f62c2503edd019e00ab5 (patch)
tree: 796fe5a0c060633ce8ff8986b28321fb3b5694a6 /src/nspawn
parent: seccomp: add all *time64 syscalls (diff)
download: systemd-9493b168717a445abb12f62c2503edd019e00ab5.tar.xz
systemd-9493b168717a445abb12f62c2503edd019e00ab5.zip
1 files changed, 1 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 9222f2bc84..0b39cda9ba 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -123,6 +123,7 @@ static int seccomp_add_default_syscall_filter(
                  * @cpu-emulation
                  * @keyring           (NB: keyring is not namespaced!)
                  * @obsolete
+                 * @pkey
                  * @swap
                  *
                  * bpf                (NB: bpffs is not namespaced!)
@@ -134,9 +135,6 @@ static int seccomp_add_default_syscall_filter(
                  * nfsservctl
                  * open_by_handle_at
                  * perf_event_open
-                 * pkey_alloc
-                 * pkey_free
-                 * pkey_mprotect
                  * quotactl
                  */
         };
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2019-11-08 12:56:56 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2019-11-08 14:41:22 +0100
commit	9493b168717a445abb12f62c2503edd019e00ab5 (patch)
tree	796fe5a0c060633ce8ff8986b28321fb3b5694a6 /src/nspawn
parent	seccomp: add all *time64 syscalls (diff)
download	systemd-9493b168717a445abb12f62c2503edd019e00ab5.tar.xz systemd-9493b168717a445abb12f62c2503edd019e00ab5.zip