@@ -46,6 +46,12 @@ bool g_syscall_sandbox_log_violation_before_terminating{false};
4646
4747// Define system call numbers for x86_64 that are referenced in the system call profile
4848// but not provided by the kernel headers used in the GUIX build.
49+ // Usually, they can be found via "grep name /usr/include/x86_64-linux-gnu/asm/unistd_64.h"
50+
51+ #ifndef __NR_clone3
52+ #define __NR_clone3 435
53+ #endif
54+
4955#ifndef __NR_statx
5056#define __NR_statx 332
5157#endif
@@ -115,6 +121,7 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
115121 {__NR_clock_nanosleep, " clock_nanosleep"
116122 {__NR_clock_settime, " clock_settime"
117123 {__NR_clone, " clone"
124+ {__NR_clone3, " clone3"
118125 {__NR_close, " close"
119126 {__NR_connect, " connect"
120127 {__NR_copy_file_range, " copy_file_range"
@@ -540,6 +547,7 @@ class SeccompPolicyBuilder
540547 allowed_syscalls.insert (__NR_brk); // change data segment size
541548 allowed_syscalls.insert (__NR_madvise); // give advice about use of memory
542549 allowed_syscalls.insert (__NR_membarrier); // issue memory barriers on a set of threads
550+ allowed_syscalls.insert (__NR_mincore); // check if virtual memory is in RAM
543551 allowed_syscalls.insert (__NR_mlock); // lock memory
544552 allowed_syscalls.insert (__NR_mmap); // map files or devices into memory
545553 allowed_syscalls.insert (__NR_mprotect); // set protection on a region of memory
@@ -705,6 +713,7 @@ class SeccompPolicyBuilder
705713 void AllowProcessStartOrDeath ()
706714 {
707715 allowed_syscalls.insert (__NR_clone); // create a child process
716+ allowed_syscalls.insert (__NR_clone3); // create a child process
708717 allowed_syscalls.insert (__NR_exit); // terminate the calling process
709718 allowed_syscalls.insert (__NR_exit_group); // exit all threads in a process
710719 allowed_syscalls.insert (__NR_fork); // create a child process
0 commit comments