From 701a29c7375d26a3d4d55b1878a72d753317bee9 Mon Sep 17 00:00:00 2001
From: Felix Geyer
Date: Thu, 28 Dec 2023 23:25:14 +0100
Subject: [PATCH] Block io_uring syscalls by default

See https://github.com/containerd/containerd/commit/a48ddf4a208b24eadea82f0eac62e236f2acf004
---
 seccomp_lists.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/seccomp_lists.go b/seccomp_lists.go
index 5ca5fe2..f09daa9 100644
--- a/seccomp_lists.go
+++ b/seccomp_lists.go
@@ -135,9 +135,6 @@ var SeccompAllow = []string{
 "ioprio_set",
 "io_setup",
 "io_submit",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
 "ipc",
 "kill",
 "landlock_add_rule",
@@ -377,6 +374,13 @@ var SeccompAllowDevel = []string{
 "ptrace",
 }
 
+/*
+blocked but not part of this list so ENOSYS is returned instead:
+"clone3",
+"io_uring_enter",
+"io_uring_register",
+"io_uring_setup",
+*/
 var SeccompEperm = []string{
 "_sysctl",
 "acct",
@@ -389,8 +393,6 @@ var SeccompEperm = []string{
 "chroot",
 "clock_settime",
 "clock_settime64",
- // return the default action ENOSYS instead
- //"clone3",
 "create_module",
 "delete_module",
 "fanotify_init",
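Review bot: The `/* ... */` block added in the second hunk sits directly above `var SeccompEperm` with no blank line, so it becomes the godoc comment of that exported variable and renders as "blocked but not part of this list so ENOSYS is returned instead: ...", which describes what is absent from the list rather than the list itself. Make it a proper doc comment that starts with the name, e.g. `// SeccompEperm lists syscalls that are denied with EPERM.`, and move the clone3/io_uring enumeration into a second paragraph of that comment. That paragraph should also state why those four are deliberately left to the filter's default action instead of being listed here: an ENOSYS result typically lets a caller that probes for clone3 or io_uring_setup take the same fallback path it uses on a kernel without the feature, whereas EPERM may be treated as a hard failure; the lines removed in the first and third hunks only record that the default is ENOSYS, not why it is preferred. A one-sentence pointer to the containerd change cited in the commit message, placed in the same comment, would also tell a reader of `SeccompAllow` in the first hunk that the io_uring entries were removed on purpose and should not be re-added.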