mrrl

Minimal Reliable Reproducible Linux
git clone https://ccx.te2000.cz/git/mrrl

commit cddbf27fc49978ee12ffe2554cbe576cb3e9b9b9
parent ee6b07320fd2e00de4a2b981f10c908717f3899d
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Tue,  6 May 2025 11:32:37 +0000

Additional seccomp profiles

Diffstat:
Mcommitlist.sha1 | 1-
Mfilelist.sha256 | 3++-
Mfiles/default-policy.easyseccomp | 144+++++++++++++++++++++++++++++++++++++++++++++++--------------------------------
Mtemplates/pkg/container-bin-image | 2++
Mvariants/ccx-x86_64/container-bin-image | 4+++-
Mvariants/ccx-x86_64/containers | 8++++----
Mvariants/ccx-x86_64/containers.environment | 2+-
Mvariants/ccx-x86_64/default.environment | 8++++----
Mvariants/ccx-x86_64/system-config | 2+-
Mvariants/ccx-x86_64/system-config-init | 4++--
Mvariants/ccx-x86_64/system-config-rc | 4++--
Mvariants/ccx-x86_64/userspace.environment | 2+-
Mvariants/root-x86_64/container-bin-image | 4+++-
Mvariants/root-x86_64/containers | 8++++----
Mvariants/root-x86_64/containers.environment | 2+-
Mvariants/root-x86_64/default.environment | 8++++----
Mvariants/root-x86_64/system-config | 2+-
Mvariants/root-x86_64/system-config-init | 4++--
Mvariants/root-x86_64/system-config-rc | 4++--
Mvariants/root-x86_64/userspace.environment | 2+-
20 files changed, 125 insertions(+), 93 deletions(-)

diff --git a/commitlist.sha1 b/commitlist.sha1
@@ -352,7 +352,6 @@ c5eed37c744c786076a1ec13132ade7ef410ed16 sources/ccx-utils
 fae441e25a1ac266742ba6446b37ae56c8e57076 sources/ccx-utils
 c6aef8098d37a1773439117a5674bfc8662ef62b sources/confz
 3955e658562cef8e6012c1936a6c79c6b6628773 sources/containers
-407c24d106815e8f7d2563b88f348d171e441b9b sources/containers
 41d6ee2d6aa33b323eee611013dd4aab6a09fc89 sources/containers
 c33438f227efa4e8541c3152b684e3925c944f71 sources/containers
 94422be00da71ff44c8ad1fe3455587c62ca29d3 sources/easyseccomp
diff --git a/filelist.sha256 b/filelist.sha256
@@ -1,3 +1,4 @@
+290a776a580be57238f599b57cab804c9305b97e4169aaf979c21d9e072bb03a files/.default-policy.easyseccomp.swp
 9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 files/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
 ebf31683b56410ecc4c00acd9f6e2839e237a3b62b5ae7ef686705c7ba0396a9 files/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
 1bb2a846c0ea4ca9d0e7862f970863857fc33c32f5506098c636a62a726a847b files/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
@@ -24,7 +25,7 @@ e81557d01115c246b88d9138281a6d16e484acb0581d396e6c03b02a378dcc1d files/busybox.
 955edd28faae9dd665f002c85466eef58ef8fd36d76d1f39eb974e22933478ab files/busybox.config.1_12_0-8342-gaa4d303a3
 9ee52091d7a41e7e492d508574573fbebe64155d85a07980128f21105eaad1e2 files/busybox_bootstrap.config
 75d5d255a2a273b6e651f82eecfabf6cbcd8eaeae70e86b417384c8f4a58d8d3 files/config.sub
-192690edcdc853fa659a1cdfb043c25d58400032dc069e7c534da2f1781081a7 files/default-policy.easyseccomp
+8a2e661492d1100d10414a99a5b930feab18082193310927933809ebf1cdb89d files/default-policy.easyseccomp
 9be2e5a97b3fcbc60dedb71967667b9a21d562dbfdaa7f9f74f4b3d9cbb5df86 files/dwarf.h
 1b44a63d415c48ac68d210951fec8d4761d3522f3d82d53182e66fabe5e2f2cd files/easyseccomp-configure.tar
 eec15ac67403946e9d988d485f11764cf313b4798efe01d40f951ff521a23d10 files/easyseccomp_fix_includes.patch
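Review bot: An editor swap file appears to have been pinned as a build input: the first filelist.sha256 hunk lists `files/.default-policy.easyseccomp.swp`, which looks like a leftover from editing the policy rather than something the build consumes. Keeping it makes the hashed file set depend on a transient artefact, and a swap file can hold policy text that was never saved or reviewed. Dropping that line, and excluding `.*.swp` wherever the list is generated, would keep the manifest to intended inputs. How the list is produced is not visible on this page.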
diff --git a/files/default-policy.easyseccomp b/files/default-policy.easyseccomp 
@@ -1,68 +1,94 @@ $syscall in ( -@bind, @connect, @execve, @execveat, @fallocate, @fanotify_mark, -@inotify_add_watch, @kill, @memfd_create, @socket, @statfs, @statfs64, -@sysinfo, @uname, @breakpoint, @cachestat, @mseal, @rt_sigtimedwait_time64, -@set_tls, @riscv_flush_icache, @cacheflush, @capset, @fanotify_init, -@set_robust_list, @setdomainname, @sethostname, @setsockopt, -@pidfd_send_signal, @fchown, @fchownat, @chown32, @lchown32, @chown, @fchown32, -@lchown, @clone3, @clone, @utimensat_time64, @fchmodat2, @removexattrat, -@setxattrat, @chmod, @fchmod, @fchmodat, @link, @linkat, @mkdir, @mkdirat, -@creat, @open, @openat, @openat2, @fremovexattr, @lremovexattr, @removexattr, -@rename, @renameat, @renameat2, @rmdir, @fsetxattr, @lsetxattr, @setxattr, -@symlink, @symlinkat, @unlink, @unlinkat, @utime, @utimes, @utimensat, @fcntl, -@fcntl64, @ioctl, @prctl, @socketcall, @setpriority, @ioprio_set, -@sched_setattr, @sched_setparam, @sched_setscheduler, @brk, @mremap, -@process_mrelease, @membarrier, @process_madvise, @mmap, @mmap2, -@futex_requeue, @futex_time64, @futex_wait, @futex_waitv, @futex_wake, -@futex, @getxattrat, @listxattrat, @accept, @accept4, -@access, @faccessat, @faccessat2, @chdir, @fchdir, @getdents64, @prlimit64, -@setrlimit, @getsockname, @fgetxattr, @getxattr, @lgetxattr, @flistxattr, -@listxattr, @llistxattr, @rt_sigqueueinfo, @rt_tgsigqueueinfo, @sendmsg, -@sendto, @sendmmsg, @rt_sigaction, @sigaction, @fstat, @fstat64, @fstatat64, -@lstat, @newfstatat, @stat, @stat64, @fstatfs, @fstatfs64, @statx, @tgkill, -@ftruncate, @truncate, @rseq, @exit, @capget, @clock_getres, @clock_gettime, -@clock_nanosleep, @close, @close_range, @copy_file_range, @dup, @dup2, @dup3, -@epoll_create, @epoll_create1, @epoll_ctl, @epoll_pwait, @epoll_pwait2, -@epoll_wait, @eventfd, @eventfd2, @exit_group, @flock, @fork, @fdatasync, -@fsync, @get_robust_list, @getcpu, @getcwd, @getgroups, @getitimer, @setitimer, -@getpagesize, @getpeername, @getpid, @getppid, 
@getpriority, @getrandom, -@getresgid, @getresuid, @getrusage, @getsid, @getsockopt, @gettid, -@gettimeofday, @inotify_init, @inotify_init1, @inotify_rm_watch, @ioprio_get, -@listen, @lseek, @madvise, @mlock, @mlock2, @mlockall, @munlock, @munlockall, -@munmap, @mprotect, @msync, @nanosleep, @pause, @pidfd_getfd, @pipe, @pipe2, -@poll, @ppoll, @fadvise64, @pread64, @pwrite64, @read, @readahead, @readlink, -@readlinkat, @preadv, @preadv2, @pwritev, @pwritev2, @readv, @writev, -@recvfrom, @recvmsg, @recvmmsg, @restart_syscall, @sched_get_priority_max, -@sched_get_priority_min, @sched_rr_get_interval, @sched_getaffinity, -@sched_setaffinity, @sched_getattr, @sched_getparam, @sched_getscheduler, -@sched_yield, @pselect6, @select, @sendfile, @set_tid_address, @getpgid, -@getpgrp, @setpgid, @setsid, @shutdown, @sigaltstack, @signalfd, @signalfd4, -@rt_sigpending, @rt_sigprocmask, @rt_sigsuspend, @rt_sigtimedwait, @socketpair, -@splice, @arm_sync_file_range, @sync_file_range, @tee, @time, @timer_create, -@timer_delete, @timer_getoverrun, @timer_gettime, @timer_settime, -@timerfd_create, @timerfd_gettime, @timerfd_settime, @times, @umask, @vfork, -@waitid, @wait4, @write, @getegid32, @getgid32, @getresgid32, @getresuid32, -@geteuid32, @getuid32, @sigreturn, @lstat64, @sync_file_range2, @swapcontext, -@ftruncate64, @truncate64, @atomic_barrier, @atomic_cmpxchg_32, -@clock_getres_time64, @clock_gettime64, @clock_nanosleep_time64, -@epoll_ctl_old, @epoll_wait_old, @ppoll_time64, @pselect6_time64, -@recvmmsg_time64, @sched_rr_get_interval_time64, @timer_gettime64, -@timer_settime64, @timerfd_gettime64, @timerfd_settime64, @alarm, @arch_prctl, -@getgroups32, @getrlimit, @ugetrlimit, @_llseek, @arm_fadvise64_64, -@fadvise64_64, @recv, @s390_pci_mmio_read, @s390_pci_mmio_write, -@s390_runtime_instr, @_newselect, @send, @sendfile64, @get_thread_area, -@set_thread_area, @signal, @sigpending, @sigsuspend, @waitpid, @getdents, -@getegid, @getgid, @geteuid, @getuid, @shmctl, @shmget, 
@shmat, @shmdt, -@setgroups32, @setfsgid32, @setfsuid32, @setgroups, @setfsgid, @setfsuid + @bind, @connect, @execve, @execveat, @fallocate, @fanotify_mark, + @inotify_add_watch, @kill, @memfd_create, @socket, @statfs, @statfs64, + @sysinfo, @uname, @breakpoint, @cachestat, @mseal, + @rt_sigtimedwait_time64, @set_tls, @riscv_flush_icache, @cacheflush, + @capset, @fanotify_init, @set_robust_list, @setdomainname, + @sethostname, @setsockopt, @pidfd_send_signal, @fchown, @fchownat, + @chown32, @lchown32, @chown, @fchown32, @lchown, @clone3, @clone, + @utimensat_time64, @fchmodat2, @removexattrat, @setxattrat, @chmod, + @fchmod, @fchmodat, @link, @linkat, @mkdir, @mkdirat, @creat, @open, + @openat, @openat2, @fremovexattr, @lremovexattr, @removexattr, @rename, + @renameat, @renameat2, @rmdir, @fsetxattr, @lsetxattr, @setxattr, + @symlink, @symlinkat, @unlink, @unlinkat, @utime, @utimes, @utimensat, + @fcntl, @fcntl64, @ioctl, @prctl, @socketcall, @setpriority, + @ioprio_set, @sched_setattr, @sched_setparam, @sched_setscheduler, + @brk, @mremap, @process_mrelease, @membarrier, @process_madvise, @mmap, + @mmap2, @futex_requeue, @futex_time64, @futex_wait, @futex_waitv, + @futex_wake, @futex, @getxattrat, @listxattrat, @accept, @accept4, + @access, @faccessat, @faccessat2, @chdir, @fchdir, @getdents64, + @prlimit64, @setrlimit, @getsockname, @fgetxattr, @getxattr, + @lgetxattr, @flistxattr, @listxattr, @llistxattr, @rt_sigqueueinfo, + @rt_tgsigqueueinfo, @sendmsg, @sendto, @sendmmsg, @rt_sigaction, + @sigaction, @fstat, @fstat64, @fstatat64, @lstat, @newfstatat, @stat, + @stat64, @fstatfs, @fstatfs64, @statx, @tgkill, @ftruncate, @truncate, + @rseq, @exit, @capget, @clock_getres, @clock_gettime, @clock_nanosleep, + @close, @close_range, @copy_file_range, @dup, @dup2, @dup3, + @epoll_create, @epoll_create1, @epoll_ctl, @epoll_pwait, @epoll_pwait2, + @epoll_wait, @eventfd, @eventfd2, @exit_group, @flock, @fork, + @fdatasync, @fsync, @get_robust_list, @getcpu, @getcwd, 
@getgroups, + @getitimer, @setitimer, @getpagesize, @getpeername, @getpid, @getppid, + @getpriority, @getrandom, @getresgid, @getresuid, @getrusage, @getsid, + @getsockopt, @gettid, @gettimeofday, @inotify_init, @inotify_init1, + @inotify_rm_watch, @ioprio_get, @listen, @lseek, @madvise, @mlock, + @mlock2, @mlockall, @munlock, @munlockall, @munmap, @mprotect, @msync, + @nanosleep, @pause, @pidfd_getfd, @pipe, @pipe2, @poll, @ppoll, + @fadvise64, @pread64, @pwrite64, @read, @readahead, @readlink, + @readlinkat, @preadv, @preadv2, @pwritev, @pwritev2, @readv, @writev, + @recvfrom, @recvmsg, @recvmmsg, @restart_syscall, + @sched_get_priority_max, @sched_get_priority_min, + @sched_rr_get_interval, @sched_getaffinity, @sched_setaffinity, + @sched_getattr, @sched_getparam, @sched_getscheduler, @sched_yield, + @pselect6, @select, @sendfile, @set_tid_address, @getpgid, @getpgrp, + @setpgid, @setsid, @shutdown, @sigaltstack, @signalfd, @signalfd4, + @rt_sigpending, @rt_sigprocmask, @rt_sigsuspend, @rt_sigtimedwait, + @socketpair, @splice, @arm_sync_file_range, @sync_file_range, @tee, + @time, @timer_create, @timer_delete, @timer_getoverrun, @timer_gettime, + @timer_settime, @timerfd_create, @timerfd_gettime, @timerfd_settime, + @times, @umask, @vfork, @waitid, @wait4, @write, @getegid32, @getgid32, + @getresgid32, @getresuid32, @geteuid32, @getuid32, @sigreturn, + @lstat64, @sync_file_range2, @swapcontext, @ftruncate64, @truncate64, + @atomic_barrier, @atomic_cmpxchg_32, @clock_getres_time64, + @clock_gettime64, @clock_nanosleep_time64, @epoll_ctl_old, + @epoll_wait_old, @ppoll_time64, @pselect6_time64, @recvmmsg_time64, + @sched_rr_get_interval_time64, @timer_gettime64, @timer_settime64, + @timerfd_gettime64, @timerfd_settime64, @alarm, @arch_prctl, + @getgroups32, @getrlimit, @ugetrlimit, @_llseek, @arm_fadvise64_64, + @fadvise64_64, @recv, @s390_pci_mmio_read, @s390_pci_mmio_write, + @s390_runtime_instr, @_newselect, @send, @sendfile64, @get_thread_area, + 
@set_thread_area, @signal, @sigpending, @sigsuspend, @waitpid, + @getdents, @getegid, @getgid, @geteuid, @getuid, @shmctl, @shmget, + @shmat, @shmdt, @setgroups32, @setfsgid32, @setfsuid32, @setgroups, + @setfsgid, @setfsuid ) => ALLOW(); $syscall in ( -@mknod, @mknodat, -@rt_sigreturn, -@sync, @syncfs + @mknod, @mknodat, + @rt_sigreturn, // zsh + @sync, @syncfs ) => ALLOW(); -$syscall in KERNEL(5.3) => ERRNO(EPERM); +#ifdef ALLOW_PTRACE +$syscall in ( + @pidfd_open, + @process_vm_readv, + @process_vm_writev, + @ptrace, + @kcmp, +) => ALLOW(); +#endif +$syscall in KERNEL(5.3) => ERRNO(EPERM); => ERRNO(ENOSYS); +#ifdef ALLOW_SECCOMP +$syscall == @seccomp => ALLOW(); +#endif + +#ifdef ALLOW_LANDLOCK +$syscall in ( + @landlock_add_rule, + @landlock_create_ruleset, + @landlock_restrict_self, +) => ALLOW(); +#endif diff --git a/templates/pkg/container-bin-image b/templates/pkg/container-bin-image @@ -12,6 +12,8 @@ img="$pthbs_destdir{{versions}}/$pthbs_package/container-bin-image" mkdir -p "$img" easyseccomp -i default-policy.easyseccomp -o "$img/seccomp-default.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_PTRACE -o "$img/seccomp-ptrace.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_SECCOMP -d ALLOW_LANDLOCK -o "$img/seccomp-build.bpf" cd "$img" # first commands without argv0 aliases diff --git a/variants/ccx-x86_64/container-bin-image b/variants/ccx-x86_64/container-bin-image 
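Review bot: The `#ifdef ALLOW_SECCOMP` and `#ifdef ALLOW_LANDLOCK` rules at the end of the files/default-policy.easyseccomp hunk sit after the unconditional `=> ERRNO(ENOSYS);`, so if easyseccomp applies the first matching rule (as the placement of the `ALLOW_PTRACE` block above the `KERNEL(5.3)` rule suggests) they can never match. `@seccomp` would in addition already be caught by `$syscall in KERNEL(5.3) => ERRNO(EPERM);`, assuming that set covers the syscalls present in Linux 5.3. The `seccomp-build.bpf` built with `-d ALLOW_SECCOMP -d ALLOW_LANDLOCK` in templates/pkg/container-bin-image and both variants would then filter exactly like `seccomp-default.bpf`. Moving both blocks up next to the `ALLOW_PTRACE` block, before the `KERNEL(5.3)` line, would make the defines take effect. A build-time check that the three .bpf outputs differ would catch a define that changes nothing.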
@@ -6,11 +6,13 @@ #+ccx-utils.ab28a8d701f60db69818ef22c546d02eca1ba3900bcdeaf5676bcc13d4b7f114 #+applyuidgid-caps.9856a13db04a0f0192c4208744de2c649db2ae721dc0d0dd37eb90346236a514 #+easyseccomp.6631f58c9fe090f2b2becc5ac606901736aba4ad2a0075f6402bec85eaa3df7b -#@sha256:192690edcdc853fa659a1cdfb043c25d58400032dc069e7c534da2f1781081a7:default-policy.easyseccomp +#@sha256:8a2e661492d1100d10414a99a5b930feab18082193310927933809ebf1cdb89d:default-policy.easyseccomp img="$pthbs_destdir/home/ccx/versions/$pthbs_package/container-bin-image" mkdir -p "$img" easyseccomp -i default-policy.easyseccomp -o "$img/seccomp-default.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_PTRACE -o "$img/seccomp-ptrace.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_SECCOMP -d ALLOW_LANDLOCK -o "$img/seccomp-build.bpf" cd "$img" # first commands without argv0 aliases diff --git a/variants/ccx-x86_64/containers b/variants/ccx-x86_64/containers @@ -6,7 +6,7 @@ #+alpine-keys.dedc78b0b50e461d33a449adf40691698925b5eb9af8a6b69e7c0ece6b708ef4 #+apk-tools.69a8c172d8dc6f60957469c555cfa3627fef38bb076dde5f758fd64854ecb275 #+xbps.0c1ece8bbd380938c5c0744cf9d37f2a2f402dd2f16dfe9b9ec891a5c84b9646 -#+container-bin-image.6ef2098800e907d4ff48d0ed102e1c3323d32ff0118a2af00ff748b1e4e05bf3 +#+container-bin-image.2b4493f2372f8c96e0082ac9abdc8e2f1c9c7150ef6a6fd4ec56146a27ff0538 #@git:c33438f227efa4e8541c3152b684e3925c944f71:containers : ${JOBS:=1} 
@@ -58,9 +58,9 @@ for f in '/home/ccx/versions/xbps.0c1ece8bbd380938c5c0744cf9d37f2a2f402dd2f16dfe ln -sf "$f" "$pkgdir/deps/keys/void/" done -test -d '/home/ccx/versions/container-bin-image.6ef2098800e907d4ff48d0ed102e1c3323d32ff0118a2af00ff748b1e4e05bf3/container-bin-image' -test -f '/home/ccx/versions/container-bin-image.6ef2098800e907d4ff48d0ed102e1c3323d32ff0118a2af00ff748b1e4e05bf3/container-bin-image/if' -ln -sf '/home/ccx/versions/container-bin-image.6ef2098800e907d4ff48d0ed102e1c3323d32ff0118a2af00ff748b1e4e05bf3/container-bin-image' "$pkgdir/deps/" +test -d '/home/ccx/versions/container-bin-image.2b4493f2372f8c96e0082ac9abdc8e2f1c9c7150ef6a6fd4ec56146a27ff0538/container-bin-image' +test -f '/home/ccx/versions/container-bin-image.2b4493f2372f8c96e0082ac9abdc8e2f1c9c7150ef6a6fd4ec56146a27ff0538/container-bin-image/if' +ln -sf '/home/ccx/versions/container-bin-image.2b4493f2372f8c96e0082ac9abdc8e2f1c9c7150ef6a6fd4ec56146a27ff0538/container-bin-image' "$pkgdir/deps/" cd "$pthbs_destdir/home/ccx/versions/$pthbs_package" find -type d -o -print | awk -F/ ' diff --git a/variants/ccx-x86_64/containers.environment b/variants/ccx-x86_64/containers.environment @@ -7,7 +7,7 @@ #+s6-linux-utils.1990b55837ff2c28a81500d80292c6d530c8516347eb896007eb5aed2af6c425 #+zsh.f79a20125b2f520d3719411e6f0895cf4f2e0657565c3fef07b3069436b8960f #+confz.9733b0a5d832c848bfeeb2dc737c05a77163fc4d8aca4156a18f2074f2902b8a -#+containers.e234cb20d331c35b041a0cbe4970f2eae75e9b4215a7a9b99a8a7da64eededfb +#+containers.3f8cb6d5940d12d2bcebcc51b9bf76eb1e85fa0c6bc2655c788d62b871a64ac2 #+xbps.0c1ece8bbd380938c5c0744cf9d37f2a2f402dd2f16dfe9b9ec891a5c84b9646 #+zstd.8b11bd81c450d61aa6a44ffd019654c590439df68ebd8987db4cdbbcf182d67c #+apk-tools.69a8c172d8dc6f60957469c555cfa3627fef38bb076dde5f758fd64854ecb275 diff --git a/variants/ccx-x86_64/default.environment b/variants/ccx-x86_64/default.environment 
@@ -21,7 +21,7 @@ #+pthbs-banginstall.7ddbf08ba8b1298841fad793d4ed7ba4979b9346155195489fc5e492ed5f0fe2 #+aat.0698d0082830b7f8bcf3840f3f8c25382ef2d9f174dd6d5407c5e2132d1f16e4 #+confz.9733b0a5d832c848bfeeb2dc737c05a77163fc4d8aca4156a18f2074f2902b8a -#+containers.e234cb20d331c35b041a0cbe4970f2eae75e9b4215a7a9b99a8a7da64eededfb +#+containers.3f8cb6d5940d12d2bcebcc51b9bf76eb1e85fa0c6bc2655c788d62b871a64ac2 #+fileset.4e84d6846c9db82c5ad691b8a6b63b6364b367e84f9d1490b0942b3fa28f3737 #+logincaps.04accf875f567934eb11016453454f691d056c66e0dc36a971f98aaaefdbe360 #+snaprep.00aa9b9a8cd250e823959881ee26d93cab1be5fe7bbb06ad9abc7242c481b4f7 @@ -37,8 +37,8 @@ #+ccx-utils.ab28a8d701f60db69818ef22c546d02eca1ba3900bcdeaf5676bcc13d4b7f114 #+user-env.4e95a5387aa403e1d16a22254f21fb4cec046c69341a5eae764dd8126fb638a8 #+strace.53097be3dbf67dbf52aa675a59980a7d965fd8cdf965ef3005035e70fc7e4103 -#+system-config.293a3929178b4962a2a01536f71b3c4f4be00dea827f53e37a759c9f2ca0d177 -#+system-config-rc.81601ae469e65f883f9d5e2204a304d143f2481212b579107ff23dcfb336c5aa +#+system-config.b838949b274572e3dcea434b9ecbf322e9705d01d943fd1bc2d8fee16213961e +#+system-config-rc.d9909249e1d3c50e4c4081b4ee5e04fbd90ac0229debce5221cb16ce6d7d592b #+system-config-scripts.bdedb957b96fc1efd8259d16dac786d1d9c220dcde66996a16688989f104925d -#+system-config-init.fcf1dc5a855bd4e4cee539301c5613e03e1bb256d2ca7fc0803b2782ff7d6974 +#+system-config-init.928f03ce6118a86827e3ff190e552b0a6f9f22de1d90349c60e22bdc7ed89ab2 #+system-config-zsh.250277c1fe17ccb13b5efbacd35ecb3b8342e30910cdd709f89475773bb7f309 \ No newline at end of file diff --git a/variants/ccx-x86_64/system-config b/variants/ccx-x86_64/system-config 
@@ -52,7 +52,7 @@ printf '%s\n' >config/etc/skel/loginexec \ chmod +x config/etc/skel/loginexec env 'pthbs_path_system-config'="$prefix" \ - 'pthbs_path_containers=/home/ccx/versions/env.1f0a35c7f8da4b7fb84638e0d63f5c3d2f2858aaa214b4df1fd5d447336199f1' \ + 'pthbs_path_containers=/home/ccx/versions/env.a2fd5275a2cfa76b02480ee3a498a40b340146e21ea50921ad69fd845e5c6fcb' \ 'pthbs_path_mdevd=/home/ccx/versions/env.5049027ea8b6b4d373e16aadd3cdc63a940582ff297656e395f2131eef181671' \ make -j${JOBS:-1} -l$((1+${JOBS:-1})) all diff --git a/variants/ccx-x86_64/system-config-init b/variants/ccx-x86_64/system-config-init @@ -5,9 +5,9 @@ #+s6-portable-utils.1b8fd31be72bfe84afb28c3dfff03b1fc45121d11fc85f79c90f085fe61bc132 #+s6-linux-init.cd3e307b62e7dde98e1572eed297bd544e888d2589d4c1e7fd79271c4078ddf2 #+execline.1505a32c24aa5dbf362550f39283c9ff1936e717e5a82d220f8212cd9e604d8f -#+system-config-rc.81601ae469e65f883f9d5e2204a304d143f2481212b579107ff23dcfb336c5aa +#+system-config-rc.d9909249e1d3c50e4c4081b4ee5e04fbd90ac0229debce5221cb16ce6d7d592b -s6rcdb=/home/ccx/versions/system-config-rc.81601ae469e65f883f9d5e2204a304d143f2481212b579107ff23dcfb336c5aa/config/s6-rc-db +s6rcdb=/home/ccx/versions/system-config-rc.d9909249e1d3c50e4c4081b4ee5e04fbd90ac0229debce5221cb16ce6d7d592b/config/s6-rc-db prefix=/home/ccx/versions/$pthbs_package pkgdir="$pthbs_destdir/$prefix" diff --git a/variants/ccx-x86_64/system-config-rc b/variants/ccx-x86_64/system-config-rc @@ -3,7 +3,7 @@ #+busybox-diffutils.c2ebcfcad050ad71b8e30322a463b5c009f254c7a42e95c627d32665e17134dc #+s6-rc.fecfa43aebb0615904e0e120b9ce8c0596c9b6c577611cbadc8fbaca75196ed9 #+fileset.4e84d6846c9db82c5ad691b8a6b63b6364b367e84f9d1490b0942b3fa28f3737 -#+system-config.293a3929178b4962a2a01536f71b3c4f4be00dea827f53e37a759c9f2ca0d177 +#+system-config.b838949b274572e3dcea434b9ecbf322e9705d01d943fd1bc2d8fee16213961e def_prefix() { prefix=/home/ccx/versions/$pthbs_package 
@@ -13,7 +13,7 @@ def_dest() { } def_dest -src=/home/ccx/versions/system-config.293a3929178b4962a2a01536f71b3c4f4be00dea827f53e37a759c9f2ca0d177/config/s6-rc-source +src=/home/ccx/versions/system-config.b838949b274572e3dcea434b9ecbf322e9705d01d943fd1bc2d8fee16213961e/config/s6-rc-source s6-rc-compile ./s6-rc-db "$src" mkdir -p "$dest/config" mv -v s6-rc-db "$dest/config/" diff --git a/variants/ccx-x86_64/userspace.environment b/variants/ccx-x86_64/userspace.environment @@ -21,7 +21,7 @@ #+pthbs-banginstall.7ddbf08ba8b1298841fad793d4ed7ba4979b9346155195489fc5e492ed5f0fe2 #+aat.0698d0082830b7f8bcf3840f3f8c25382ef2d9f174dd6d5407c5e2132d1f16e4 #+confz.9733b0a5d832c848bfeeb2dc737c05a77163fc4d8aca4156a18f2074f2902b8a -#+containers.e234cb20d331c35b041a0cbe4970f2eae75e9b4215a7a9b99a8a7da64eededfb +#+containers.3f8cb6d5940d12d2bcebcc51b9bf76eb1e85fa0c6bc2655c788d62b871a64ac2 #+fileset.4e84d6846c9db82c5ad691b8a6b63b6364b367e84f9d1490b0942b3fa28f3737 #+logincaps.04accf875f567934eb11016453454f691d056c66e0dc36a971f98aaaefdbe360 #+snaprep.00aa9b9a8cd250e823959881ee26d93cab1be5fe7bbb06ad9abc7242c481b4f7 diff --git a/variants/root-x86_64/container-bin-image b/variants/root-x86_64/container-bin-image 
@@ -6,11 +6,13 @@ #+ccx-utils.ccaa449ada3142ef075f3c80a6e475520219814490557f308ded4685231a70ac #+applyuidgid-caps.2d571b717bda734b4464e7d3b36bb2c9eaa265fffd595bc090cbb137258121b8 #+easyseccomp.a69f369af91163a534bf0d1bf51c74cd98c971d7eb5f61c2ee29afb6ba7a9344 -#@sha256:192690edcdc853fa659a1cdfb043c25d58400032dc069e7c534da2f1781081a7:default-policy.easyseccomp +#@sha256:8a2e661492d1100d10414a99a5b930feab18082193310927933809ebf1cdb89d:default-policy.easyseccomp img="$pthbs_destdir/versions/$pthbs_package/container-bin-image" mkdir -p "$img" easyseccomp -i default-policy.easyseccomp -o "$img/seccomp-default.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_PTRACE -o "$img/seccomp-ptrace.bpf" +easyseccomp -i default-policy.easyseccomp -d ALLOW_SECCOMP -d ALLOW_LANDLOCK -o "$img/seccomp-build.bpf" cd "$img" # first commands without argv0 aliases diff --git a/variants/root-x86_64/containers b/variants/root-x86_64/containers @@ -6,7 +6,7 @@ #+alpine-keys.4ecd9fac6efcc329a98af1b0b1318771a77eb83ac10832c6e769ebf11c14cae1 #+apk-tools.f56b624a4ea26318bf9117754fb5e0c564f7f466fedde43e1c45e86278dc2552 #+xbps.e82f8c85f25413cdfa1e23926d635ec0d5aa6059a953750d63de49eeacf3c672 -#+container-bin-image.6bd0993f9e0816ad7f3f320e82ac6e7e8f8bcd9588c55d9dd3f0cb8c35c4a032 +#+container-bin-image.0090f29a950bc5f19ae6b975292940848fe8e27a5b5e394d0e89d2ad704e4f6b #@git:c33438f227efa4e8541c3152b684e3925c944f71:containers : ${JOBS:=1} 
@@ -58,9 +58,9 @@ for f in '/versions/xbps.e82f8c85f25413cdfa1e23926d635ec0d5aa6059a953750d63de49e ln -sf "$f" "$pkgdir/deps/keys/void/" done -test -d '/versions/container-bin-image.6bd0993f9e0816ad7f3f320e82ac6e7e8f8bcd9588c55d9dd3f0cb8c35c4a032/container-bin-image' -test -f '/versions/container-bin-image.6bd0993f9e0816ad7f3f320e82ac6e7e8f8bcd9588c55d9dd3f0cb8c35c4a032/container-bin-image/if' -ln -sf '/versions/container-bin-image.6bd0993f9e0816ad7f3f320e82ac6e7e8f8bcd9588c55d9dd3f0cb8c35c4a032/container-bin-image' "$pkgdir/deps/" +test -d '/versions/container-bin-image.0090f29a950bc5f19ae6b975292940848fe8e27a5b5e394d0e89d2ad704e4f6b/container-bin-image' +test -f '/versions/container-bin-image.0090f29a950bc5f19ae6b975292940848fe8e27a5b5e394d0e89d2ad704e4f6b/container-bin-image/if' +ln -sf '/versions/container-bin-image.0090f29a950bc5f19ae6b975292940848fe8e27a5b5e394d0e89d2ad704e4f6b/container-bin-image' "$pkgdir/deps/" cd "$pthbs_destdir/versions/$pthbs_package" find -type d -o -print | awk -F/ ' diff --git a/variants/root-x86_64/containers.environment b/variants/root-x86_64/containers.environment @@ -7,7 +7,7 @@ #+s6-linux-utils.f7e0654375f11beedafd731ad1dd66c0de8d03452bb8e38bb647cc51cc3adb2e #+zsh.4ac9e4166454e8d60c15837b7ca4938abe99db029b3fffa11b1cfd54d40ae09b #+confz.2c5f5b9bb69976bb57be5de332d8e7a2cf69c0b41c006ee7e6912abe8e8a0edf -#+containers.a6910d00e224457687fdb70f7c2431baf1785b25135027c4d00aa343726362ea +#+containers.4e5a74aaf62f2601ff320f61e4b13ac3c694666c459b10edc656922d2e08bf4e #+xbps.e82f8c85f25413cdfa1e23926d635ec0d5aa6059a953750d63de49eeacf3c672 #+zstd.a83f72c5953bd6b7afc171528a503710b3144bf9197961833fd27926b0a18137 #+apk-tools.f56b624a4ea26318bf9117754fb5e0c564f7f466fedde43e1c45e86278dc2552 diff --git a/variants/root-x86_64/default.environment b/variants/root-x86_64/default.environment 
@@ -21,7 +21,7 @@ #+pthbs-banginstall.30ed98ef3fedfb6b25b3f58c27e845f123a22a756b37a5cd75764315bba23571 #+aat.9432aa485263e75ca3e43d6511c561a9cd328c417ebe26b890ed4a8061fee06f #+confz.2c5f5b9bb69976bb57be5de332d8e7a2cf69c0b41c006ee7e6912abe8e8a0edf -#+containers.a6910d00e224457687fdb70f7c2431baf1785b25135027c4d00aa343726362ea +#+containers.4e5a74aaf62f2601ff320f61e4b13ac3c694666c459b10edc656922d2e08bf4e #+fileset.7159458f5e8c9237e1e1708cafced263dd342d5fd24ccec97ae8092d9b1c5150 #+logincaps.3c7957125c5700c2436df091d2fba6324b1ac5f2bfcd54948f6a5b8049047afc #+snaprep.73784e7863284b4cc1597b76b0d869eb2eaaa5eed08245e629937044a2c0c3b5 @@ -37,8 +37,8 @@ #+ccx-utils.ccaa449ada3142ef075f3c80a6e475520219814490557f308ded4685231a70ac #+user-env.8ad55eebe32b11f005f7b5c6dc204fdccc0a53cd7294f87c1e959ea47793dbca #+strace.ce1707d2cf1dfcd965827af80a18c6b97ca20b563b8967be8297322e8adf9296 -#+system-config.25a1c2b55f3670625c41b920dc55f6efd4641b25e99bd7455fef217c5fa7189a -#+system-config-rc.5da5ab397b34c3824a2e5512c4a76fbae07f7b9bd08641e5641cd3b5ecfd549e +#+system-config.42e42d32cf87f6a18a77d8cb569d3b94c292511388ec0b7a291a09f0afb6b965 +#+system-config-rc.339a5fcf1634be893b8dc26578ac97aee999ad18743c621251b2883f0bf14f2f #+system-config-scripts.4c00e32b8c4f6feef53b562356abd54830cc7e889149e4f8bcb928d6e6e93378 -#+system-config-init.d39d5e6c441160738bbac3007b695646a8149179d435daac4d26321101ead67d +#+system-config-init.dbb135791e6543bb80e9fb548d0905c075d9d3ba9485c5dceab8a4ddc6f70eb8 #+system-config-zsh.01286ec545c7035b2e08ded96e40b73f912f33fd7eec44993a1e93e12577dc0f \ No newline at end of file diff --git a/variants/root-x86_64/system-config b/variants/root-x86_64/system-config 
@@ -52,7 +52,7 @@ printf '%s\n' >config/etc/skel/loginexec \ chmod +x config/etc/skel/loginexec env 'pthbs_path_system-config'="$prefix" \ - 'pthbs_path_containers=/versions/env.823611e010d17cbaa83c07d685f80fc54ede4c2ad6c7704b0fc21f5e0fd6b20c' \ + 'pthbs_path_containers=/versions/env.81ecb1f92c584a6df8ec6754080bf4b75175dc78081c16ae940fb65040f09b83' \ 'pthbs_path_mdevd=/versions/env.699c310193b7957c8ec17e16d6846443f99c198e3e2ce6425066f4523de2cf1e' \ make -j${JOBS:-1} -l$((1+${JOBS:-1})) all diff --git a/variants/root-x86_64/system-config-init b/variants/root-x86_64/system-config-init @@ -5,9 +5,9 @@ #+s6-portable-utils.f6171ad521d6be72875f1d5c1b28f966662ba93cfe5790e1ef010f9e76211bc3 #+s6-linux-init.8fbed3537ce9accc1a31e36f4648d1a0df0f1d155fcfa8fb5b1079786cf1442c #+execline.c89bee1b1207461afa2d2ab9250f0940a2a6bbca3e45bdd60037049a75f4adf9 -#+system-config-rc.5da5ab397b34c3824a2e5512c4a76fbae07f7b9bd08641e5641cd3b5ecfd549e +#+system-config-rc.339a5fcf1634be893b8dc26578ac97aee999ad18743c621251b2883f0bf14f2f -s6rcdb=/versions/system-config-rc.5da5ab397b34c3824a2e5512c4a76fbae07f7b9bd08641e5641cd3b5ecfd549e/config/s6-rc-db +s6rcdb=/versions/system-config-rc.339a5fcf1634be893b8dc26578ac97aee999ad18743c621251b2883f0bf14f2f/config/s6-rc-db prefix=/versions/$pthbs_package pkgdir="$pthbs_destdir/$prefix" diff --git a/variants/root-x86_64/system-config-rc b/variants/root-x86_64/system-config-rc @@ -3,7 +3,7 @@ #+busybox-diffutils.4a0933977737282afcd82b39d435b50946a700fe13472d24e4580a41fa852123 #+s6-rc.c131bb99b2054bcd9705c5a5652822938265a8587a54d2894667b8b620815c7f #+fileset.7159458f5e8c9237e1e1708cafced263dd342d5fd24ccec97ae8092d9b1c5150 -#+system-config.25a1c2b55f3670625c41b920dc55f6efd4641b25e99bd7455fef217c5fa7189a +#+system-config.42e42d32cf87f6a18a77d8cb569d3b94c292511388ec0b7a291a09f0afb6b965 def_prefix() { prefix=/versions/$pthbs_package 
@@ -13,7 +13,7 @@ def_dest() { } def_dest -src=/versions/system-config.25a1c2b55f3670625c41b920dc55f6efd4641b25e99bd7455fef217c5fa7189a/config/s6-rc-source +src=/versions/system-config.42e42d32cf87f6a18a77d8cb569d3b94c292511388ec0b7a291a09f0afb6b965/config/s6-rc-source s6-rc-compile ./s6-rc-db "$src" mkdir -p "$dest/config" mv -v s6-rc-db "$dest/config/" diff --git a/variants/root-x86_64/userspace.environment b/variants/root-x86_64/userspace.environment @@ -21,7 +21,7 @@ #+pthbs-banginstall.30ed98ef3fedfb6b25b3f58c27e845f123a22a756b37a5cd75764315bba23571 #+aat.9432aa485263e75ca3e43d6511c561a9cd328c417ebe26b890ed4a8061fee06f #+confz.2c5f5b9bb69976bb57be5de332d8e7a2cf69c0b41c006ee7e6912abe8e8a0edf -#+containers.a6910d00e224457687fdb70f7c2431baf1785b25135027c4d00aa343726362ea +#+containers.4e5a74aaf62f2601ff320f61e4b13ac3c694666c459b10edc656922d2e08bf4e #+fileset.7159458f5e8c9237e1e1708cafced263dd342d5fd24ccec97ae8092d9b1c5150 #+logincaps.3c7957125c5700c2436df091d2fba6324b1ac5f2bfcd54948f6a5b8049047afc #+snaprep.73784e7863284b4cc1597b76b0d869eb2eaaa5eed08245e629937044a2c0c3b5