[seccomp]: Allow mmap syscall with MAP_PRIVATE

AlexandruCihodaru · luminitavoicu · commit a3f5d47b0635 · 2021-08-23T13:32:36.000+03:00
When there is a large buffer sent there will be an attempt to map
it using MAP_PRIVATE | MAP_ANONYMOUS flags.

Signed-off-by: AlexandruCihodaru &lt;cihodar@amazon.com&gt;
diff --git a/resources/seccomp/aarch64-unknown-linux-musl.json b/resources/seccomp/aarch64-unknown-linux-musl.json
@@ -189,6 +189,19 @@
                     }
                 ]
             },
+            {
+                "syscall": "mmap",
+                "comment": "Used for large buffers sent to api_server",
+                "args": [
+                    {
+                        "index": 3,
+                        "type": "dword",
+                        "op": "eq",
+                        "val": 34,
+                        "comment": " libc::MAP_ANONYMOUS | libc::MAP_PRIVATE"
+                    }
+                ]
+            },
             {
                 "syscall": "mmap",
                 "comment": "Used for reading the timezone in LocalTime::now()",
diff --git a/resources/seccomp/x86_64-unknown-linux-musl.json b/resources/seccomp/x86_64-unknown-linux-musl.json
@@ -519,6 +519,19 @@
                     }
                 ]
             },
+            {
+                "syscall": "mmap",
+                "comment": "Used for large buffers sent to api_server",
+                "args": [
+                    {
+                        "index": 3,
+                        "type": "dword",
+                        "op": "eq",
+                        "val": 34,
+                        "comment": " libc::MAP_ANONYMOUS | libc::MAP_PRIVATE"
+                    }
+                ]
+            },
             {
                 "syscall": "mmap",
                 "comment": "Used for reading the timezone in LocalTime::now()",
