From: Michał Górny <mgorny@gentoo.org>
Date: Sun, 17 Nov 2024 15:34:35 +0000 (+0100)
Subject: nspawn: Include arm_fadvise64_64 in syscall allow_list
X-Git-Tag: v256.9~2
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=964ced4100fb5f5b5d41b988512f681a1b0b20f7;p=systemd%2F.git

nspawn: Include arm_fadvise64_64 in syscall allow_list

Add the `arm_fadvise64_64` syscall to the allow_list, in addition
to the existing `fadvise64` and `fadvise64_64` syscalls, as this is
the syscall actually defined for `arm` architecture.  Adding it fixes
the syscall being rejected in arm32 containers.

Fixes #35194

(cherry picked from commit 7fd70a532681c0ea4cd6ff04d1a7950dae3efc8c)
---

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 673b627c3b..7dac7f330e 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -50,6 +50,7 @@ static int add_syscall_filters(
                 { CAP_IPC_LOCK,       "@memlock"                     },
 
                 /* Plus a good set of additional syscalls which are not part of any of the groups above */
+                { 0,                  "arm_fadvise64_64"             },
                 { 0,                  "brk"                          },
                 { 0,                  "capget"                       },
                 { 0,                  "capset"                       },