Fliter out bpf,clone ns,sched in Seccomp profile

src/seccomp.c

@@ -41,9 +41,9 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(acct), 0);
 	}
 	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(add_key), 0);
+	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0);
 	if (ruri_is_in_caplist(container->drop_caplist, CAP_SYS_ADMIN)) {
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioctl), 1, SCMP_CMP(1, SCMP_CMP_EQ, TIOCSTI));
-		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(bpf), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(lookup_dcookie), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mount), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(quotactl), 0);
@@ -53,6 +53,7 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(umount2), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(unshare), 0);
+		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clone), 1, SCMP_CMP(0, SCMP_CMP_MASKED_EQ, CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET));
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(vm86old), 0);
 	}
@@ -73,6 +74,8 @@ void ruri_setup_seccomp(const struct RURI_CONTAINER *_Nonnull container)
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(get_mempolicy), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mbind), 0);
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(set_mempolicy), 0);
+		seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sched_setscheduler), 0);
+		seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sched_setattr), 0);
 	}
 	if (ruri_is_in_caplist(container->drop_caplist, CAP_SYS_RAWIO)) {
 		seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(ioperm), 0);