seccomp: move brk+mmap+mmap2 into @default syscall filter set

These three syscalls are internally used by libc's memory allocation logic, i.e. ultimately back malloc(). Allocating a bit of memory is so basic, it should just be in the default set. This fixes a couple of issues with asan/msan and the seccomp tests: when asan/msan is used some additional, large memory allocations take place in the background, and unless mmap/mmap2/brk are allowlisted these will fail, aborting the test prematurely.
2025-03-09 12:58:26 +03:00 · 2020-11-19 11:14:41 +01:00 · 2020-11-19 11:14:41 +01:00 · 5abede3247
commit 5abede3247
parent bca0618705
1 changed files with 3 additions and 3 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -282,6 +282,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
+                "brk\0"
                "cacheflush\0"
                "clock_getres\0"
                "clock_getres_time64\0"
@ -319,6 +320,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "getuid\0"
                "getuid32\0"
                "membarrier\0"
+                "mmap\0"
+                "mmap2\0"
                "nanosleep\0"
                "pause\0"
                "prlimit64\0"
@ -468,8 +471,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "mkdirat\0"
                "mknod\0"
                "mknodat\0"
-                "mmap\0"
-                "mmap2\0"
                "munmap\0"
                "newfstatat\0"
                "oldfstat\0"
@ -844,7 +845,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "@signal\0"
                "@sync\0"
                "@timer\0"
-                "brk\0"
                "capget\0"
                "capset\0"
                "copy_file_range\0"