seccomp: Require CAP_SYS_ADMIN for lsm_* syscalls

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-01-11 10:41:43 +00:00 · 2025-05-28 11:22:50 +02:00
parent 0ab8108b57
commit 148a19b6d6
2 changed files with 6 additions and 6 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -208,9 +208,6 @@
 				"lremovexattr",
 				"lseek",
 				"lsetxattr",
-				"lsm_get_self_attr",
-				"lsm_list_modules",
-				"lsm_set_self_attrs",
 				"lstat",
 				"lstat64",
 				"madvise",
@@ -614,6 +611,9 @@
 				"fsopen",
 				"fspick",
 				"lookup_dcookie",
+				"lsm_get_self_attr",
+				"lsm_list_modules",
+				"lsm_set_self_attr",
 				"mount",
 				"mount_setattr",
 				"move_mount",
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -200,9 +200,6 @@ func DefaultProfile() *Seccomp {
 					"lremovexattr",
 					"lseek",
 					"lsetxattr",
-					"lsm_get_self_attr", // kernel v6.8, libseccomp v2.6.0
-					"lsm_list_modules",  // kernel v6.8, libseccomp v2.6.0
-					"lsm_set_self_attr", // kernel v6.8, libseccomp v2.6.0
 					"lstat",
 					"lstat64",
 					"madvise",
@@ -605,6 +602,9 @@ func DefaultProfile() *Seccomp {
 					"fsopen",
 					"fspick",
 					"lookup_dcookie",
+					"lsm_get_self_attr", // kernel v6.8, libseccomp v2.6.0
+					"lsm_list_modules",  // kernel v6.8, libseccomp v2.6.0
+					"lsm_set_self_attr", // kernel v6.8, libseccomp v2.6.0
 					"mount",
 					"mount_setattr",
 					"move_mount",