Merge pull request #2928 from topimiettinen/seccomp-more-groups

Add further seccomp groups

2 files changed, 997 insertions, 7 deletions

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d31b719d6..5d83786bb 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -50,6 +50,99 @@ static const SyscallEntry syslist[] = {
 }; // end of syslist
 
 static const SyscallGroupList sysgroups[] = {
+        { .name = "@aio", .list =
+#ifdef SYS_io_cancel
+          "io_cancel,"
+#endif
+#ifdef SYS_io_destroy
+          "io_destroy,"
+#endif
+#ifdef SYS_io_getevents
+          "io_getevents,"
+#endif
+#ifdef SYS_io_pgetevents
+          "io_pgetevents,"
+#endif
+#ifdef SYS_io_setup
+          "io_setup,"
+#endif
+#ifdef SYS_io_submit
+          "io_submit"
+#endif
+        },
+        { .name = "@basic-io", .list =
+#ifdef SYS__llseek
+          "_llseek,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_dup
+          "dup,"
+#endif
+#ifdef SYS_dup2
+          "dup2,"
+#endif
+#ifdef SYS_dup3
+          "dup3,"
+#endif
+#ifdef SYS_lseek
+          "lseek,"
+#endif
+#ifdef SYS_pread64
+          "pread64,"
+#endif
+#ifdef SYS_preadv
+          "preadv,"
+#endif
+#ifdef SYS_preadv2
+          "preadv2,"
+#endif
+#ifdef SYS_pwrite64
+          "pwrite64,"
+#endif
+#ifdef SYS_pwritev
+          "pwritev,"
+#endif
+#ifdef SYS_pwritev2
+          "pwritev2,"
+#endif
+#ifdef SYS_read
+          "read,"
+#endif
+#ifdef SYS_readv
+          "readv,"
+#endif
+#ifdef SYS_write
+          "write,"
+#endif
+#ifdef SYS_writev
+          "writev"
+#endif
+        },
+        { .name = "@chown", .list =
+#ifdef SYS_chown
+          "chown,"
+#endif
+#ifdef SYS_chown32
+          "chown32,"
+#endif
+#ifdef SYS_fchown
+          "fchown,"
+#endif
+#ifdef SYS_fchown32
+          "fchown32,"
+#endif
+#ifdef SYS_fchownat
+          "fchownat,"
+#endif
+#ifdef SYS_lchown
+          "lchown,"
+#endif
+#ifdef SYS_lchown32
+          "lchown32"
+#endif
+        },
         { .name = "@clock", .list =
 #ifdef SYS_adjtimex
           "adjtimex,"
@@ -190,6 +283,382 @@ static const SyscallGroupList sysgroups[] = {
           "execve,"
           "prctl"
         },
+        { .name = "@file-system", .list =
+#ifdef SYS_access
+          "access,"
+#endif
+#ifdef SYS_chdir
+          "chdir,"
+#endif
+#ifdef SYS_chmod
+          "chmod,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_creat
+          "creat,"
+#endif
+#ifdef SYS_faccessat
+          "faccessat,"
+#endif
+#ifdef SYS_fallocate
+          "fallocate,"
+#endif
+#ifdef SYS_fchdir
+          "fchdir,"
+#endif
+#ifdef SYS_fchmod
+          "fchmod,"
+#endif
+#ifdef SYS_fchmodat
+          "fchmodat,"
+#endif
+#ifdef SYS_fcntl
+          "fcntl,"
+#endif
+#ifdef SYS_fcntl64
+          "fcntl64,"
+#endif
+#ifdef SYS_fgetxattr
+          "fgetxattr,"
+#endif
+#ifdef SYS_flistxattr
+          "flistxattr,"
+#endif
+#ifdef SYS_fremovexattr
+          "fremovexattr,"
+#endif
+#ifdef SYS_fsetxattr
+          "fsetxattr,"
+#endif
+#ifdef SYS_fstat
+          "fstat,"
+#endif
+#ifdef SYS_fstat64
+          "fstat64,"
+#endif
+#ifdef SYS_fstatat64
+          "fstatat64,"
+#endif
+#ifdef SYS_fstatfs
+          "fstatfs,"
+#endif
+#ifdef SYS_fstatfs64
+          "fstatfs64,"
+#endif
+#ifdef SYS_ftruncate
+          "ftruncate,"
+#endif
+#ifdef SYS_ftruncate64
+          "ftruncate64,"
+#endif
+#ifdef SYS_futimesat
+          "futimesat,"
+#endif
+#ifdef SYS_getcwd
+          "getcwd,"
+#endif
+#ifdef SYS_getdents
+          "getdents,"
+#endif
+#ifdef SYS_getdents64
+          "getdents64,"
+#endif
+#ifdef SYS_getxattr
+          "getxattr,"
+#endif
+#ifdef SYS_inotify_add_watch
+          "inotify_add_watch,"
+#endif
+#ifdef SYS_inotify_init
+          "inotify_init,"
+#endif
+#ifdef SYS_inotify_init1
+          "inotify_init1,"
+#endif
+#ifdef SYS_inotify_rm_watch
+          "inotify_rm_watch,"
+#endif
+#ifdef SYS_lgetxattr
+          "lgetxattr,"
+#endif
+#ifdef SYS_link
+          "link,"
+#endif
+#ifdef SYS_linkat
+          "linkat,"
+#endif
+#ifdef SYS_listxattr
+          "listxattr,"
+#endif
+#ifdef SYS_llistxattr
+          "llistxattr,"
+#endif
+#ifdef SYS_lremovexattr
+          "lremovexattr,"
+#endif
+#ifdef SYS_lsetxattr
+          "lsetxattr,"
+#endif
+#ifdef SYS_lstat
+          "lstat,"
+#endif
+#ifdef SYS_lstat64
+          "lstat64,"
+#endif
+#ifdef SYS_mkdir
+          "mkdir,"
+#endif
+#ifdef SYS_mkdirat
+          "mkdirat,"
+#endif
+#ifdef SYS_mknod
+          "mknod,"
+#endif
+#ifdef SYS_mknodat
+          "mknodat,"
+#endif
+#ifdef SYS_mmap
+          "mmap,"
+#endif
+#ifdef SYS_mmap2
+          "mmap2,"
+#endif
+#ifdef SYS_munmap
+          "munmap,"
+#endif
+#ifdef SYS_newfstatat
+          "newfstatat,"
+#endif
+#ifdef SYS_oldfstat
+          "oldfstat,"
+#endif
+#ifdef SYS_oldlstat
+          "oldlstat,"
+#endif
+#ifdef SYS_oldstat
+          "oldstat,"
+#endif
+#ifdef SYS_open
+          "open,"
+#endif
+#ifdef SYS_openat
+          "openat,"
+#endif
+#ifdef SYS_readlink
+          "readlink,"
+#endif
+#ifdef SYS_readlinkat
+          "readlinkat,"
+#endif
+#ifdef SYS_removexattr
+          "removexattr,"
+#endif
+#ifdef SYS_rename
+          "rename,"
+#endif
+#ifdef SYS_renameat
+          "renameat,"
+#endif
+#ifdef SYS_renameat2
+          "renameat2,"
+#endif
+#ifdef SYS_rmdir
+          "rmdir,"
+#endif
+#ifdef SYS_setxattr
+          "setxattr,"
+#endif
+#ifdef SYS_stat
+          "stat,"
+#endif
+#ifdef SYS_stat64
+          "stat64,"
+#endif
+#ifdef SYS_statfs
+          "statfs,"
+#endif
+#ifdef SYS_statfs64
+          "statfs64,"
+#endif
+#ifdef SYS_statx
+          "statx,"
+#endif
+#ifdef SYS_symlink
+          "symlink,"
+#endif
+#ifdef SYS_symlinkat
+          "symlinkat,"
+#endif
+#ifdef SYS_truncate
+          "truncate,"
+#endif
+#ifdef SYS_truncate64
+          "truncate64,"
+#endif
+#ifdef SYS_unlink
+          "unlink,"
+#endif
+#ifdef SYS_unlinkat
+          "unlinkat,"
+#endif
+#ifdef SYS_utime
+          "utime,"
+#endif
+#ifdef SYS_utimensat
+          "utimensat,"
+#endif
+#ifdef SYS_utimes
+          "utimes"
+#endif
+        },
+        { .name = "@io-event", .list =
+#ifdef SYS__newselect
+          "_newselect,"
+#endif
+#ifdef SYS_epoll_create
+          "epoll_create,"
+#endif
+#ifdef SYS_epoll_create1
+          "epoll_create1,"
+#endif
+#ifdef SYS_epoll_ctl
+          "epoll_ctl,"
+#endif
+#ifdef SYS_epoll_ctl_old
+          "epoll_ctl_old,"
+#endif
+#ifdef SYS_epoll_pwait
+          "epoll_pwait,"
+#endif
+#ifdef SYS_epoll_wait
+          "epoll_wait,"
+#endif
+#ifdef SYS_epoll_wait_old
+          "epoll_wait_old,"
+#endif
+#ifdef SYS_eventfd
+          "eventfd,"
+#endif
+#ifdef SYS_eventfd2
+          "eventfd2,"
+#endif
+#ifdef SYS_poll
+          "poll,"
+#endif
+#ifdef SYS_ppoll
+          "ppoll,"
+#endif
+#ifdef SYS_pselect6
+          "pselect6,"
+#endif
+#ifdef SYS_select
+          "select"
+#endif
+        },
+        { .name = "@ipc", .list =
+#ifdef SYS_ipc
+          "ipc,"
+#endif
+#ifdef SYS_memfd_create
+          "memfd_create,"
+#endif
+#ifdef SYS_mq_getsetattr
+          "mq_getsetattr,"
+#endif
+#ifdef SYS_mq_notify
+          "mq_notify,"
+#endif
+#ifdef SYS_mq_open
+          "mq_open,"
+#endif
+#ifdef SYS_mq_timedreceive
+          "mq_timedreceive,"
+#endif
+#ifdef SYS_mq_timedsend
+          "mq_timedsend,"
+#endif
+#ifdef SYS_mq_unlink
+          "mq_unlink,"
+#endif
+#ifdef SYS_msgctl
+          "msgctl,"
+#endif
+#ifdef SYS_msgget
+          "msgget,"
+#endif
+#ifdef SYS_msgrcv
+          "msgrcv,"
+#endif
+#ifdef SYS_msgsnd
+          "msgsnd,"
+#endif
+#ifdef SYS_pipe
+          "pipe,"
+#endif
+#ifdef SYS_pipe2
+          "pipe2,"
+#endif
+#ifdef SYS_process_vm_readv
+          "process_vm_readv,"
+#endif
+#ifdef SYS_process_vm_writev
+          "process_vm_writev,"
+#endif
+#ifdef SYS_semctl
+          "semctl,"
+#endif
+#ifdef SYS_semget
+          "semget,"
+#endif
+#ifdef SYS_semop
+          "semop,"
+#endif
+#ifdef SYS_semtimedop
+          "semtimedop,"
+#endif
+#ifdef SYS_shmat
+          "shmat,"
+#endif
+#ifdef SYS_shmctl
+          "shmctl,"
+#endif
+#ifdef SYS_shmdt
+          "shmdt,"
+#endif
+#ifdef SYS_shmget
+          "shmget"
+#endif
+        },
+        { .name = "@keyring", .list =
+#ifdef SYS_add_key
+          "add_key,"
+#endif
+#ifdef SYS_keyctl
+          "keyctl,"
+#endif
+#ifdef SYS_request_key
+          "request_key"
+#endif
+        },
+        { .name = "@memlock", .list =
+#ifdef SYS_mlock
+          "mlock,"
+#endif
+#ifdef SYS_mlock2
+          "mlock2,"
+#endif
+#ifdef SYS_mlockall
+          "mlockall,"
+#endif
+#ifdef SYS_munlock
+          "munlock,"
+#endif
+#ifdef SYS_munlockall
+          "munlockall"
+#endif
+        },
         { .name = "@module", .list =
 #ifdef SYS_delete_module
           "delete_module,"
@@ -201,6 +670,88 @@ static const SyscallGroupList sysgroups[] = {
           "init_module"
 #endif
         },
+        { .name = "@mount", .list =
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_umount
+          "umount,"
+#endif
+#ifdef SYS_umount2
+          "umount2"
+#endif
+        },
+        { .name = "@network-io", .list =
+#ifdef SYS_accept
+          "accept,"
+#endif
+#ifdef SYS_accept4
+          "accept4,"
+#endif
+#ifdef SYS_bind
+          "bind,"
+#endif
+#ifdef SYS_connect
+          "connect,"
+#endif
+#ifdef SYS_getpeername
+          "getpeername,"
+#endif
+#ifdef SYS_getsockname
+          "getsockname,"
+#endif
+#ifdef SYS_getsockopt
+          "getsockopt,"
+#endif
+#ifdef SYS_listen
+          "listen,"
+#endif
+#ifdef SYS_recv
+          "recv,"
+#endif
+#ifdef SYS_recvfrom
+          "recvfrom,"
+#endif
+#ifdef SYS_recvmmsg
+          "recvmmsg,"
+#endif
+#ifdef SYS_recvmsg
+          "recvmsg,"
+#endif
+#ifdef SYS_send
+          "send,"
+#endif
+#ifdef SYS_sendmmsg
+          "sendmmsg,"
+#endif
+#ifdef SYS_sendmsg
+          "sendmsg,"
+#endif
+#ifdef SYS_sendto
+          "sendto,"
+#endif
+#ifdef SYS_setsockopt
+          "setsockopt,"
+#endif
+#ifdef SYS_shutdown
+          "shutdown,"
+#endif
+#ifdef SYS_socket
+          "socket,"
+#endif
+#ifdef SYS_socketcall
+          "socketcall,"
+#endif
+#ifdef SYS_socketpair
+          "socketpair"
+#endif
+        },
         { .name = "@obsolete", .list =
 #ifdef SYS__sysctl
           "_sysctl,"
@@ -229,6 +780,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_gtty
           "gtty,"
 #endif
+#ifdef SYS_idle
+          "idle,"
+#endif
 #ifdef SYS_lock
           "lock,"
 #endif
@@ -282,35 +836,81 @@ static const SyscallGroupList sysgroups[] = {
 #endif
         },
         { .name = "@privileged", .list =
+          "@chown,"
           "@clock,"
           "@module,"
           "@raw-io,"
           "@reboot,"
           "@swap,"
+#ifdef SYS__sysctl
+          "_sysctl,"
+#endif
 #ifdef SYS_acct
           "acct,"
 #endif
 #ifdef SYS_bpf
           "bpf,"
 #endif
+#ifdef SYS_capset
+          "capset,"
+#endif
 #ifdef SYS_chroot
           "chroot,"
 #endif
+#ifdef SYS_fanotify_init
+          "fanotify_init,"
+#endif
 #ifdef SYS_mount
           "mount,"
 #endif
 #ifdef SYS_nfsservctl
           "nfsservctl,"
 #endif
+#ifdef SYS_open_by_handle_at
+          "open_by_handle_at,"
+#endif
 #ifdef SYS_pivot_root
           "pivot_root,"
 #endif
+#ifdef SYS_quotactl
+          "quotactl,"
+#endif
 #ifdef SYS_setdomainname
           "setdomainname,"
 #endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
 #ifdef SYS_sethostname
           "sethostname,"
 #endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32,"
+#endif
 #ifdef SYS_umount2
           "umount2,"
 #endif
@@ -318,6 +918,71 @@ static const SyscallGroupList sysgroups[] = {
           "vhangup"
 #endif
         },
+        { .name = "@process", .list =
+#ifdef SYS_arch_prctl
+          "arch_prctl,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_clone
+          "clone,"
+#endif
+#ifdef SYS_execveat
+          "execveat,"
+#endif
+#ifdef SYS_fork
+          "fork,"
+#endif
+#ifdef SYS_getrusage
+          "getrusage,"
+#endif
+#ifdef SYS_kill
+          "kill,"
+#endif
+#ifdef SYS_pidfd_send_signal
+          "pidfd_send_signal,"
+#endif
+#ifdef SYS_prctl
+          "prctl,"
+#endif
+#ifdef SYS_rt_sigqueueinfo
+          "rt_sigqueueinfo,"
+#endif
+#ifdef SYS_rt_tgsigqueueinfo
+          "rt_tgsigqueueinfo,"
+#endif
+#ifdef SYS_setns
+          "setns,"
+#endif
+#ifdef SYS_swapcontext
+          "swapcontext,"
+#endif
+#ifdef SYS_tgkill
+          "tgkill,"
+#endif
+#ifdef SYS_times
+          "times,"
+#endif
+#ifdef SYS_tkill
+          "tkill,"
+#endif
+#ifdef SYS_unshare
+          "unshare,"
+#endif
+#ifdef SYS_vfork
+          "vfork,"
+#endif
+#ifdef SYS_wait4
+          "wait4,"
+#endif
+#ifdef SYS_waitid
+          "waitid,"
+#endif
+#ifdef SYS_waitpid
+          "waitpid"
+#endif
+        },
         { .name = "@raw-io", .list =
 #ifdef SYS_ioperm
           "ioperm,"
@@ -356,8 +1021,11 @@ static const SyscallGroupList sysgroups[] = {
 #endif
         },
         { .name = "@resources", .list =
-#ifdef SYS_set_mempolicy
-          "set_mempolicy,"
+#ifdef SYS_ioprio_set
+          "ioprio_set,"
+#endif
+#ifdef SYS_mbind
+          "mbind,"
 #endif
 #ifdef SYS_migrate_pages
           "migrate_pages,"
@@ -365,8 +1033,108 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_move_pages
           "move_pages,"
 #endif
-#ifdef SYS_mbind
-          "mbind"
+#ifdef SYS_nice
+          "nice,"
+#endif
+#ifdef SYS_sched_setaffinity
+          "sched_setaffinity,"
+#endif
+#ifdef SYS_sched_setattr
+          "sched_setattr,"
+#endif
+#ifdef SYS_sched_setparam
+          "sched_setparam,"
+#endif
+#ifdef SYS_sched_setscheduler
+          "sched_setscheduler,"
+#endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
+        },
+        { .name = "@setuid", .list =
+#ifdef SYS_setgid
+          "setgid,"
+#endif
+#ifdef SYS_setgid32
+          "setgid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
+#ifdef SYS_setregid
+          "setregid,"
+#endif
+#ifdef SYS_setregid32
+          "setregid32,"
+#endif
+#ifdef SYS_setresgid
+          "setresgid,"
+#endif
+#ifdef SYS_setresgid32
+          "setresgid32,"
+#endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32"
+#endif
+        },
+        { .name = "@signal", .list =
+#ifdef SYS_rt_sigaction
+          "rt_sigaction,"
+#endif
+#ifdef SYS_rt_sigpending
+          "rt_sigpending,"
+#endif
+#ifdef SYS_rt_sigprocmask
+          "rt_sigprocmask,"
+#endif
+#ifdef SYS_rt_sigsuspend
+          "rt_sigsuspend,"
+#endif
+#ifdef SYS_rt_sigtimedwait
+          "rt_sigtimedwait,"
+#endif
+#ifdef SYS_sigaction
+          "sigaction,"
+#endif
+#ifdef SYS_sigaltstack
+          "sigaltstack,"
+#endif
+#ifdef SYS_signal
+          "signal,"
+#endif
+#ifdef SYS_signalfd
+          "signalfd,"
+#endif
+#ifdef SYS_signalfd4
+          "signalfd4,"
+#endif
+#ifdef SYS_sigpending
+          "sigpending,"
+#endif
+#ifdef SYS_sigprocmask
+          "sigprocmask,"
+#endif
+#ifdef SYS_sigsuspend
+          "sigsuspend"
 #endif
         },
         { .name = "@swap", .list =
@@ -376,6 +1144,226 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_swapoff
           "swapoff"
 #endif
+        },
+        { .name = "@sync", .list =
+#ifdef SYS_fdatasync
+          "fdatasync,"
+#endif
+#ifdef SYS_fsync
+          "fsync,"
+#endif
+#ifdef SYS_msync
+          "msync,"
+#endif
+#ifdef SYS_sync
+          "sync,"
+#endif
+#ifdef SYS_sync_file_range
+          "sync_file_range,"
+#endif
+#ifdef SYS_sync_file_range2
+          "sync_file_range2,"
+#endif
+#ifdef SYS_syncfs
+          "syncfs"
+#endif
+        },
+        { .name = "@system-service", .list =
+          "@aio,"
+          "@basic-io,"
+          "@chown,"
+          "@default,"
+          "@file-system,"
+          "@io-event,"
+          "@ipc,"
+          "@keyring,"
+          "@memlock,"
+          "@network-io,"
+          "@process,"
+          "@resources,"
+          "@setuid,"
+          "@signal,"
+          "@sync,"
+          "@timer,"
+#ifdef SYS_brk
+          "brk,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_capset
+          "capset,"
+#endif
+#ifdef SYS_copy_file_range
+          "copy_file_range,"
+#endif
+#ifdef SYS_fadvise64
+          "fadvise64,"
+#endif
+#ifdef SYS_fadvise64_64
+          "fadvise64_64,"
+#endif
+#ifdef SYS_flock
+          "flock,"
+#endif
+#ifdef SYS_get_mempolicy
+          "get_mempolicy,"
+#endif
+#ifdef SYS_getcpu
+          "getcpu,"
+#endif
+#ifdef SYS_getpriority
+          "getpriority,"
+#endif
+#ifdef SYS_getrandom
+          "getrandom,"
+#endif
+#ifdef SYS_ioctl
+          "ioctl,"
+#endif
+#ifdef SYS_ioprio_get
+          "ioprio_get,"
+#endif
+#ifdef SYS_kcmp
+          "kcmp,"
+#endif
+#ifdef SYS_madvise
+          "madvise,"
+#endif
+#ifdef SYS_mprotect
+          "mprotect,"
+#endif
+#ifdef SYS_mremap
+          "mremap,"
+#endif
+#ifdef SYS_name_to_handle_at
+          "name_to_handle_at,"
+#endif
+#ifdef SYS_oldolduname
+          "oldolduname,"
+#endif
+#ifdef SYS_olduname
+          "olduname,"
+#endif
+#ifdef SYS_personality
+          "personality,"
+#endif
+#ifdef SYS_readahead
+          "readahead,"
+#endif
+#ifdef SYS_readdir
+          "readdir,"
+#endif
+#ifdef SYS_remap_file_pages
+          "remap_file_pages,"
+#endif
+#ifdef SYS_sched_get_priority_max
+          "sched_get_priority_max,"
+#endif
+#ifdef SYS_sched_get_priority_min
+          "sched_get_priority_min,"
+#endif
+#ifdef SYS_sched_getaffinity
+          "sched_getaffinity,"
+#endif
+#ifdef SYS_sched_getattr
+          "sched_getattr,"
+#endif
+#ifdef SYS_sched_getparam
+          "sched_getparam,"
+#endif
+#ifdef SYS_sched_getscheduler
+          "sched_getscheduler,"
+#endif
+#ifdef SYS_sched_rr_get_interval
+          "sched_rr_get_interval,"
+#endif
+#ifdef SYS_sched_yield
+          "sched_yield,"
+#endif
+#ifdef SYS_sendfile
+          "sendfile,"
+#endif
+#ifdef SYS_sendfile64
+          "sendfile64,"
+#endif
+#ifdef SYS_setfsgid
+          "setfsgid,"
+#endif
+#ifdef SYS_setfsgid32
+          "setfsgid32,"
+#endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setpgid
+          "setpgid,"
+#endif
+#ifdef SYS_setsid
+          "setsid,"
+#endif
+#ifdef SYS_splice
+          "splice,"
+#endif
+#ifdef SYS_sysinfo
+          "sysinfo,"
+#endif
+#ifdef SYS_tee
+          "tee,"
+#endif
+#ifdef SYS_umask
+          "umask,"
+#endif
+#ifdef SYS_uname
+          "uname,"
+#endif
+#ifdef SYS_userfaultfd
+          "userfaultfd,"
+#endif
+#ifdef SYS_vmsplice
+          "vmsplice"
+#endif
+        },
+        { .name = "@timer", .list =
+#ifdef SYS_alarm
+          "alarm,"
+#endif
+#ifdef SYS_getitimer
+          "getitimer,"
+#endif
+#ifdef SYS_setitimer
+          "setitimer,"
+#endif
+#ifdef SYS_timer_create
+          "timer_create,"
+#endif
+#ifdef SYS_timer_delete
+          "timer_delete,"
+#endif
+#ifdef SYS_timer_getoverrun
+          "timer_getoverrun,"
+#endif
+#ifdef SYS_timer_gettime
+          "timer_gettime,"
+#endif
+#ifdef SYS_timer_settime
+          "timer_settime,"
+#endif
+#ifdef SYS_timerfd_create
+          "timerfd_create,"
+#endif
+#ifdef SYS_timerfd_gettime
+          "timerfd_gettime,"
+#endif
+#ifdef SYS_timerfd_settime
+          "timerfd_settime,"
+#endif
+#ifdef SYS_times
+          "times"
+#endif
         }
 };
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index afff3d5fa..500850413 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1776,9 +1776,11 @@ vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
+system call groups are defined: @aio, @basic-io, @chown, @clock,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer. In addition, a
 system call can be specified by its number instead of name with prefix
 $, so for example $165 would be equal to mount on i386. Exceptions
 can be allowed with prefix !.