Merge release-20200914.0-130-g13a9a622e (automated)

author: gVisor bot <gvisor-bot@google.com> 2020-09-22 17:03:20 +0000
committer: gVisor bot <gvisor-bot@google.com> 2020-09-22 17:03:20 +0000
commit: d07a4cfdf34371df1a94791d013e62a707cbb683 (patch)
tree: d1a3f9326a7125c8b367bbfef1b7b2220d4ce723 /runsc/fsgofer
parent: a425892df3749c96c8557546f185358c2f784a66 (diff)
parent: 13a9a622e13ccdda76ed02d3de99b565212f6b2f (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/runsc/fsgofer/filter/config_amd64.go b/runsc/fsgofer/filter/config_amd64.go
index 57b741a5c..686753d96 100644
--- a/runsc/fsgofer/filter/config_amd64.go
+++ b/runsc/fsgofer/filter/config_amd64.go
@@ -25,6 +25,7 @@ import (
 
 func init() {
 	allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{
+		// TODO(b/168828518): No longer used in Go 1.16+.
 		{seccomp.EqualTo(linux.ARCH_SET_FS)},
 	}
 
@@ -36,6 +37,21 @@ func init() {
 				syscall.CLONE_VM |
 					syscall.CLONE_FS |
 					syscall.CLONE_FILES |
+					syscall.CLONE_SETTLS |
+					syscall.CLONE_SIGHAND |
+					syscall.CLONE_SYSVSEM |
+					syscall.CLONE_THREAD),
+			seccomp.MatchAny{}, // newsp
+			seccomp.EqualTo(0), // parent_tidptr
+			seccomp.EqualTo(0), // child_tidptr
+			seccomp.MatchAny{}, // tls
+		},
+		{
+			// TODO(b/168828518): No longer used in Go 1.16+ (on amd64).
+			seccomp.EqualTo(
+				syscall.CLONE_VM |
+					syscall.CLONE_FS |
+					syscall.CLONE_FILES |
 					syscall.CLONE_SIGHAND |
 					syscall.CLONE_SYSVSEM |
 					syscall.CLONE_THREAD),
author	gVisor bot <gvisor-bot@google.com>	2020-09-22 17:03:20 +0000
committer	gVisor bot <gvisor-bot@google.com>	2020-09-22 17:03:20 +0000
commit	d07a4cfdf34371df1a94791d013e62a707cbb683 (patch)
tree	d1a3f9326a7125c8b367bbfef1b7b2220d4ce723 /runsc/fsgofer
parent	a425892df3749c96c8557546f185358c2f784a66 (diff)
parent	13a9a622e13ccdda76ed02d3de99b565212f6b2f (diff)