Allow mlock in fsgofer system call filters
Go 1.14 has a workaround for a Linux 5.2-5.4 bug which requires mlock'ing the g stack to prevent register corruption. We need to allow this syscall until it is removed from Go. PiperOrigin-RevId: 293212935
parent
6823b5e244
commit
6d8bf405bc
|
@ -128,6 +128,18 @@ var allowedSyscalls = seccomp.SyscallRules{
|
|||
syscall.SYS_MADVISE: {},
|
||||
unix.SYS_MEMFD_CREATE: {}, /// Used by flipcall.PacketWindowAllocator.Init().
|
||||
syscall.SYS_MKDIRAT: {},
|
||||
// Used by the Go runtime as a temporarily workaround for a Linux
|
||||
// 5.2-5.4 bug.
|
||||
//
|
||||
// See src/runtime/os_linux_x86.go.
|
||||
//
|
||||
// TODO(b/148688965): Remove once this is gone from Go.
|
||||
syscall.SYS_MLOCK: []seccomp.Rule{
|
||||
{
|
||||
seccomp.AllowAny{},
|
||||
seccomp.AllowValue(4096),
|
||||
},
|
||||
},
|
||||
syscall.SYS_MMAP: []seccomp.Rule{
|
||||
{
|
||||
seccomp.AllowAny{},
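Review bot: The `seccomp.AllowValue(4096)` in the new `syscall.SYS_MLOCK` rule is an unexplained literal, so a reader has to infer that the first matcher is the address (any value) and the second pins the length to a single 4 KiB page. I would annotate both arguments, e.g. `seccomp.AllowAny{}, // addr` and `seccomp.AllowValue(4096), // len: one page, as locked by the runtime workaround`, so that a later change in the length the runtime passes is recognised as a filter mismatch rather than an unexplained seccomp violation. The comment cites an x86-only runtime file, so if this table is also built for other architectures (not visible here) the rule widens the gofer's filter where nothing needs it and could live in an amd64-only list instead. Minor: "temporarily workaround" in the new comment should read "temporary workaround". The `allowedSyscalls` literal begins and ends outside the hunk.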
|
||||
|
|