Allow unshare(CLONE_NEWUSER|CLONE_NEWNS|CLONE_NEWUTS) syscall

slonopotamus · slonopotamus · commit 3988452ec217 · 2025-10-02T15:44:18.000+03:00
This syscall is required for multiple usecases, one of them is buildah. See moby/moby#42441 Signed-off-by: Marat Radchenko <marat@slonopotamus.org>
diff --git a/seccomp/default_linux.go b/seccomp/default_linux.go
@@ -646,6 +646,34 @@ func DefaultProfile() *Seccomp {
 				Arches: []string{"s390", "s390x"},
 			},
 		},
+		{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"unshare",
+				},
+				Action: specs.ActAllow,
+				Args: []specs.LinuxSeccompArg{
+					{
+						Index:    0,
+						Value:    unix.CLONE_NEWNS,
+						ValueTwo: unix.CLONE_NEWNS,
+						Op:       specs.OpMaskedEqual,
+					},
+					{
+						Index:    0,
+						Value:    unix.CLONE_NEWUTS,
+						ValueTwo: unix.CLONE_NEWUTS,
+						Op:       specs.OpMaskedEqual,
+					},
+					{
+						Index:    0,
+						Value:    unix.CLONE_NEWUTS,
+						ValueTwo: unix.CLONE_NEWNS,
+						Op:       specs.OpMaskedEqual,
+					},
+				},
+			},
+		},
 		{
 			LinuxSyscall: specs.LinuxSyscall{
 				Names: []string{
