profile/seccomp: Update to kernel v6.13 (libseccomp v2.6.0, containerd)

[vvoland]

• related to: seccomp: kernel v6.13 (libseccomp v2.6.0) containerd/containerd#11839
• fixes: seccomp: add {get,list,remove,set}xattrat syscalls (kernel v6.13, libseccomp v2.6.0) #49954

Update default seccomp profile to match libseccomp v2.6.0

seccomp: kernel v6.12

reference: seccomp/libseccomp@f01e675 (libseccomp v2.6.0)

• v6.8:

  • listmount (torvalds/linux@b4c2bea)
  • lsm_get_self_attr, lsm_set_self_attrs (torvalds/linux@a04a119)
  • lsm_list_modules (torvalds/linux@ad4aff9)
  • statmount (torvalds/linux@46eae99)

• v6.9:

  • mseal (torvalds/linux@8be7258)

• v6.11:

  • uretprobe (torvalds/linux@190fec7)

• v6.12:

  • riscv_hwprobe (torvalds/linux@3db80c9)

seccomp: kernel v6.13

reference: seccomp/libseccomp@42b5968 (libseccomp v2.6.0)

• v6.13:
  • getxattrat, listxattrat, removexattrat, setxattrat (torvalds/linux@6140be9)

- Human readable description for the release notes

Update the default seccomp profile to match the libseccomp v2.6.0. The new syscalls are: `listmount`, `statmount`, `lsm_get_self_attr`, `lsm_list_modules`, `lsm_set_self_attr`, `mseal`, `uretprobe`, `riscv_hwprobe`, `getxattrat`, `listxattrat`, `removexattrat`, and `setxattrat`. This prevents containers from receiving EPERM errors when using them.

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

LGTM

[Copilot]

Pull Request Overview

Update the default seccomp profile to include new syscalls introduced in kernel v6.8–v6.13 (libseccomp v2.6.0), preventing EPERM errors in containers.

• Added new syscalls (listmount, getxattrat, mseal, etc.) to the Go default profile.
• Mirrored the same syscall additions in the JSON default profile.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
profiles/seccomp/default_linux.go	Inserted new syscalls matching kernel v6.8–v6.13 changes
profiles/seccomp/default.json	Added identical syscall entries to the JSON profile

Comments suppressed due to low confidence (2)

profiles/seccomp/default_linux.go:169

• Consider adding or updating unit tests to assert that DefaultProfile() includes the newly added syscall getxattrat.

"getxattrat", // kernel v6.13, libseccomp v2.6.0

profiles/seccomp/default.json:177

• Add or update tests to verify that the JSON default profile includes the new getxattrat syscall.

"getxattrat",

[tonistiigi]

lsm_set_self_attr

[tonistiigi]

Are we sure this is a secure syscall?

[vvoland]

Thanks, good catch! My upstream containerd doesn't have this error in code (but it does in the PR body), so I must have made a mistake when making this PR 🙈

[vvoland]

Regarding is it safe - you can already do what this syscall does via userspace procfs /proc/self/attr/.

[thaJeztah]

My upstream containerd doesn't have this error in code (but it does in the PR body), so I must have made a mistake when making this PR 🙈

Good catch indeed; I definitely missed it (but probably assumed this was a literal copy/paste from the containerd PR 😓)

you can already do what this syscall does via userspace procfs /proc/self/attr/.

Curious (bear with me, I haven't read up what kind of things this would set); even though possible through /proc/self/attr, would allowing this syscall potentially mean that something in the container would do things that are not generally expected to be ran in a container? (And if so, would blocking by default be useful?); not from a security perspective, but more a "guardrails" perspective.

[vvoland]

That's a good point. Opened a PR to put them behind CAP_SYS_ADMIN: #50097

We can revisit this later