interfaces/seccomp/template.go: allow copy_file_range

This was recently introduced as an optimization to Go 1.15, and so apps that start compiling may start to try and use it. Note that as of this commit, Go 1.15 does not fall back, and so apps that use this will fail outright, but there is work upstream in Go to fix this so that apps that get denied usage of copy_file_range with an EPERM will fallback to potentially slower implementations. See golang/go#40893 and https://go-review.googlesource.com/c/go/+/249257/ for more details on the Go issue and the fallback implementation. Signed-off-by: Ian Johnson <[email protected]>
anonymouse64 · Nov 25, 2020 · 7717d17 · 7717d17
1 parent d65f9fa
commit 7717d17
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
@@ -316,6 +316,10 @@ readdir
 readlink
 readlinkat
 
+# the file descriptors used here will already be mediated by apparmor, so it's 
+# safe to not filter syscall args here 
+copy_file_range
+
 # allow reading from sockets
 recv
 recvfrom