
seccomp: allow clock_settime64 under CAP_SYS_TIME #43774

@bpascard

Description


Setting time within a container (for example using date -s "2 OCT 2006 18:00:00") fails with 'Operation not permitted' if the clock_settime64 syscall is used. I have confirmed this behavior using strace.

Steps to reproduce the issue:

  1. Start a container with --cap-add SYS_TIME
  2. Try to set the time with date -s "2 OCT 2006 18:00:00"
  3. If the clock_settime64 syscall is used, the operation fails. This can be confirmed with strace.
  4. Start the same image with --security-opt seccomp:unconfined
  5. Run date -s "2 OCT 2006 18:00:00"; it works.

Describe the results you received:

'Operation not permitted' whenever clock_settime64 is used.

Describe the results you expected:

Being able to set the time within the container with --cap-add SYS_TIME.

Additional information you deem important (e.g. issue happens only occasionally):

I could only reproduce this issue on ARM32 hosts. On amd64, date uses clock_settime, which is currently allowed by the default seccomp profile under SYS_TIME.

Output of docker version:

Docker version 20.10.17
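A small audit helper, added here as an example and not part of Docker's code, that models the time-setting rule of the default seccomp profile as a constructed JSON fragment (once as reported, once with clock_settime64 added) and reports the gap described above. The caps-matching logic is a simplified assumption, not Docker's own implementation, and the syscall lists are constructed for the example.

```python
import json

# Constructed fragments in the shape of Docker's default seccomp profile.
# Assumption: the real profile is far longer; only the time-setting rule is
# modelled, once as reported (pre-fix) and once with clock_settime64 added.
PROFILE_BEFORE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{
    "names": ["settimeofday", "stime", "clock_settime"],
    "action": "SCMP_ACT_ALLOW",
    "includes": {"caps": ["CAP_SYS_TIME"]}
  }]
}""")

PROFILE_AFTER = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{
    "names": ["settimeofday", "stime", "clock_settime", "clock_settime64"],
    "action": "SCMP_ACT_ALLOW",
    "includes": {"caps": ["CAP_SYS_TIME"]}
  }]
}""")

def rule_applies(rule, caps):
    """Simplified caps matching: a rule is active when the container holds
    any of includes.caps and none of excludes.caps (arch and minKernel
    filters of the real profile format are deliberately not modelled)."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    if inc and not (inc & caps):
        return False
    return not (exc & caps)

def action_for(profile, syscall, caps):
    """Action the profile takes for one syscall, given the container's caps."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, set(caps)):
            return rule["action"]
    return profile["defaultAction"]

def missing_time64_variants(profile, caps):
    """Audit check for the gap in this issue: syscalls whose classic form is
    allowed under `caps` while the 32-bit-ABI *64 variant still hits the
    default action (hypothetical helper; only the pair from the report)."""
    pairs = {"clock_settime": "clock_settime64"}
    return [new for old, new in pairs.items()
            if action_for(profile, old, caps) == "SCMP_ACT_ALLOW"
            and action_for(profile, new, caps) != "SCMP_ACT_ALLOW"]
```

Running missing_time64_variants against a real profile requires loading it with json.load and passing the container's bounding capability set; the same check extends to other syscall pairs by adding them to `pairs`.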
