Merge pull request #33403 from szegedim/33126-whitelist-adjtimex

Whitelisting adjtimex get time operation and requiring CAP_SYS_TIME only in case of adjustment
Upstream-commit: 4f259698b07653e9e5220e097df79862f9e54b74
Component: engine

components/engine/profiles/seccomp/default.json

@@ -55,6 +55,7 @@
 				"accept",
 				"accept4",
 				"access",
+				"adjtimex",
 				"alarm",
 				"alarm",
 				"bind",
@@ -719,7 +720,6 @@
 			"names": [
 				"settimeofday",
 				"stime",
-				"adjtimex",
 				"clock_settime"
 			],
 			"action": "SCMP_ACT_ALLOW",

components/engine/profiles/seccomp/seccomp_default.go

@@ -49,6 +49,7 @@ func DefaultProfile() *types.Seccomp {
 				"accept",
 				"accept4",
 				"access",
+				"adjtimex",
 				"alarm",
 				"alarm",
 				"bind",
@@ -611,7 +612,6 @@ func DefaultProfile() *types.Seccomp {
 			Names: []string{
 				"settimeofday",
 				"stime",
-				"adjtimex",
 				"clock_settime",
 			},
 			Action: types.ActAllow,