seccomp: allowlist uretprobe() syscall

This is a new syscall provided by the kernel used to implement faster uprobes. It's not supposed to be called by userspace, but only by kernel generated uprobe code. It should be fine to allow this, as the kernel authenticates the invocation itself, and we shouldn't break compat with things. Note that this allowlisting is not sufficient to make ureprobe() work. libseccomp must be tought the syscall too, but this can happen independently. Fixes: #34615
2026-04-14 08:25:20 +09:00 · 2024-10-11 09:46:14 +02:00
parent 40fadab195
commit d693c483a2
1 changed files with 1 additions and 0 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -382,6 +382,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                "sigreturn\0"
                "time\0"
                "ugetrlimit\0"
+                "uretprobe\0"
        },
        [SYSCALL_FILTER_SET_AIO] = {
                .name = "@aio",