Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH

Only open_by_handle_at requires CAP_DAC_READ_SEARCH.

This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.

Signed-off-by: Justin Cormack <[email protected]>

Author: justincormack

profiles/seccomp/seccomp_default.go

@@ -1667,11 +1667,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 		switch cap {
 		case "CAP_DAC_READ_SEARCH":
 			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "name_to_handle_at",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
 				{
 					Name:   "open_by_handle_at",
 					Action: types.ActAllow,
@@ -1706,6 +1701,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 					Action: types.ActAllow,
 					Args:   []*types.Arg{},
 				},
+				{
+					Name:   "name_to_handle_at",
+					Action: types.ActAllow,
+					Args:   []*types.Arg{},
+				},
 				{
 					Name:   "perf_event_open",
 					Action: types.ActAllow,