Allow rt_sigaction in gofer seccomp

rt_sigaction may be called by Go runtime when trying to panic: https://cs.opensource.google/go/go/+/master:src/runtime/signal_unix.go;drc=ed3e4afa12d655a0c5606bcf3dd4e1cdadcb1476;bpv=1;bpt=1;l=780?q=rt_sigaction&ss=go Updates #5038 PiperOrigin-RevId: 357013186
2021-02-11 10:58:55 -08:00 · 2021-02-11 10:58:55 -08:00 · 192780946f
parent 81ea0016e6
commit 192780946f
1 changed files with 5 additions and 3 deletions
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@ -182,9 +182,11 @@ var allowedSyscalls = seccomp.SyscallRules{
 	},
 	syscall.SYS_RENAMEAT:        {},
 	syscall.SYS_RESTART_SYSCALL: {},
-	syscall.SYS_RT_SIGPROCMASK:  {},
+	// May be used by the runtime during panic().
-	syscall.SYS_RT_SIGRETURN:    {},
+	syscall.SYS_RT_SIGACTION:   {},
-	syscall.SYS_SCHED_YIELD:     {},
+	syscall.SYS_RT_SIGPROCMASK: {},
 	syscall.SYS_RT_SIGRETURN:   {},
 	syscall.SYS_SCHED_YIELD:    {},
 	syscall.SYS_SENDMSG: []seccomp.Rule{
 		// Used by fdchannel.Endpoint.SendFD().
 		{