refresh syscall groups (#5188)

now covers syscalls up to including process_madvise (440)

group assignment was blindly copied from systemd:
https://github.com/systemd/systemd/blob/729d2df8065ac90ac606e1fff91dc2d588b2795d/src/shared/seccomp-util.c#L305

the only exception is close_range, which was added to both @basic-io and @file-system

this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree

1 files changed, 50 insertions, 2 deletions

diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index a17f6423a..29cf6318f 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
           "io_setup,"
 #endif
 #ifdef SYS_io_submit
-          "io_submit"
+          "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+          "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+          "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+          "io_uring_setup"
 #endif
         },
         { .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
           "close,"
 #endif
+#ifdef SYS_close_range
+          "close_range,"
+#endif
 #ifdef SYS_dup
           "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
           "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+          "pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
           "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
           "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
-          "set_mempolicy"
+          "set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
           "vmsplice,"
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
           "close,"
 #endif
+#ifdef SYS_close_range
+          "close_range,"
+#endif
 #ifdef SYS_creat
           "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
           "openat,"
 #endif
+#ifdef SYS_openat2
+          "openat2,"
+#endif
 #ifdef SYS_readlink
           "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
           "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+          "process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
           "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
           "chroot,"
 #endif
+#ifdef SYS_fsconfig
+          "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+          "fsmount,"
+#endif
+#ifdef SYS_fsopen
+          "fsopen,"
+#endif
+#ifdef SYS_fspick
+          "fspick,"
+#endif
 #ifdef SYS_mount
           "mount,"
 #endif
+#ifdef SYS_move_mount
+          "move_mount,"
+#endif
+#ifdef SYS_open_tree
+          "open_tree,"
+#endif
 #ifdef SYS_pivot_root
           "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
           "clone,"
 #endif
+#ifdef SYS_clone3
+          "clone3,"
+#endif
 #ifdef SYS_execveat
           "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
           "kill,"
 #endif
+#ifdef SYS_pidfd_open
+          "pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
           "pidfd_send_signal,"
 #endif