refresh syscall groups (#5188)

now covers syscalls up to including process_madvise (440)

group assignment was blindly copied from systemd:
729d2df806/src/shared/seccomp-util.c (L305)

the only exception is close_range, which was added to both @basic-io and @file-system

this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree

etc/templates/syscalls.txt

@@ -27,26 +27,26 @@ Always have a look at 'man 1 firejail'.
 Definition of groups
 --------------------
 
-@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
-@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup
+@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
 @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
-@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
-@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
-@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
 @keyring=add_key,keyctl,request_key
 @memlock=mlock,mlock2,mlockall,munlock,munlockall
 @module=delete_module,finit_module,init_module
-@mount=chroot,mount,pivot_root,umount,umount2
+@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2
 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
-@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy

src/lib/syscall.c

@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
 	  "io_setup,"
 #endif
 #ifdef SYS_io_submit
-	  "io_submit"
+	  "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+	  "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+	  "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+	  "io_uring_setup"
 #endif
 	},
 	{ .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 	  "close,"
 #endif
+#ifdef SYS_close_range
+	  "close_range,"
+#endif
 #ifdef SYS_dup
 	  "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
 	  "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+	  "pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
 	  "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
 	  "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
-	  "set_mempolicy"
+	  "set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
 	  "vmsplice,"
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 	  "close,"
 #endif
+#ifdef SYS_close_range
+	  "close_range,"
+#endif
 #ifdef SYS_creat
 	  "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
 	  "openat,"
 #endif
+#ifdef SYS_openat2
+	  "openat2,"
+#endif
 #ifdef SYS_readlink
 	  "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
 	  "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+	  "process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
 	  "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
 	  "chroot,"
 #endif
+#ifdef SYS_fsconfig
+	  "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+	  "fsmount,"
+#endif
+#ifdef SYS_fsopen
+	  "fsopen,"
+#endif
+#ifdef SYS_fspick
+	  "fspick,"
+#endif
 #ifdef SYS_mount
 	  "mount,"
 #endif
+#ifdef SYS_move_mount
+	  "move_mount,"
+#endif
+#ifdef SYS_open_tree
+	  "open_tree,"
+#endif
 #ifdef SYS_pivot_root
 	  "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
 	  "clone,"
 #endif
+#ifdef SYS_clone3
+	  "clone3,"
+#endif
 #ifdef SYS_execveat
 	  "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
 	  "kill,"
 #endif
+#ifdef SYS_pidfd_open
+	  "pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
 	  "pidfd_send_signal,"
 #endif