Default seccomp policy does not allow calling fanotify_init without CAP_SYS_ADMIN #49756

@betelgeuse

Description

"fanotify_init",
"fsconfig",
"fsmount",
"fsopen",
"fspick",
"lookup_dcookie",
"mount",
"mount_setattr",
"move_mount",
"open_tree",
"perf_event_open",
"quotactl",
"quotactl_fd",
"setdomainname",
"sethostname",
"setns",
"syslog",
"umount",
"umount2",
"unshare"
],
"action": "SCMP_ACT_ALLOW",
"includes": {
"caps": [
"CAP_SYS_ADMIN"
]

The default policy needs to be updated to allow for the use case described here:

Since Linux 5.13 (and 5.10.220), users may call fanotify_init() without the CAP_SYS_ADMIN capability to create and initialize an fanotify group with limited functionality.

https://www.man7.org/linux/man-pages/man2/fanotify_init.2.html

Reproduce

require 'ffi'
require 'fcntl'

module Fanotify
  extend FFI::Library
  ffi_lib 'c'
  attach_function :init, :fanotify_init, [:uint, :uint], :int # int fanotify_init(unsigned flags, unsigned event_f_flags)
  attach_function :mark, :fanotify_mark, [:int, :uint, :uint64, :int, :string], :int # bound but not used below
  attach_function :strerror, [:int], :string
end

# 0x200 is FAN_REPORT_FID in hex; the class bits are 0, i.e. FAN_CLASS_NOTIF
fd = Fanotify.init 512, Fcntl::O_RDONLY
if fd < 0 # fanotify_init returns -1 on failure; 0 would be a valid descriptor
  raise "Init failed #{FFI.errno}: #{Fanotify.strerror(FFI.errno)}"
end

Inside a docker container without --privileged:

Traceback (most recent call last):
/app/fanotify.rb:15:in `<main>': Init failed 1: Operation not permitted (RuntimeError)

Expected behavior

fanotify_init should succeed

docker version

Client: Docker Engine - Community
 Version:           28.0.4
 API version:       1.48
 Go version:        go1.23.7
 Git commit:        b8034c0
 Built:             Tue Mar 25 15:07:18 2025
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.0.4
  API version:      1.48 (minimum version 1.24)
  Go version:       go1.23.7
  Git commit:       6430e49
  Built:            Tue Mar 25 15:07:18 2025
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    28.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 12
 Server Version: 28.0.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-31-arm64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.567GiB
 Name: XXXXX
 ID: XXXXX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: XXXXX
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response
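A static check of the capability gating quoted above, plus the interim workaround of shipping a custom profile with --security-opt seccomp=FILE, as an added example (neither Docker's nor the reporter's code): the embedded profile excerpt is constructed in the shape of moby's default.json, rule_applies models only the includes/excludes capability filter (not arch, kernel or argument filters), and the output file name is arbitrary.

```python
import json
from copy import deepcopy

# Constructed excerpt in the shape of Docker's default seccomp profile;
# only the rule relevant to this issue is reproduced.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM, the errno the Ruby reproducer reports
    "syscalls": [
        {"names": ["read", "write", "close"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["fanotify_init", "mount", "unshare"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

def rule_applies(rule, caps):
    """Mirror the capability filter applied when a profile is loaded:
    every cap under includes.caps must be in the container's bounding set,
    and none under excludes.caps may be.  Arch/kernel filters are ignored."""
    caps = set(caps)
    needed = set(rule.get("includes", {}).get("caps", []))
    banned = set(rule.get("excludes", {}).get("caps", []))
    return needed <= caps and not (banned & caps)

def effective_action(profile, syscall, caps=()):
    """Action the profile yields for `syscall` given the container's caps.
    Argument filters are not modelled; the first surviving rule wins and
    otherwise defaultAction applies."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]

def allow_unconditionally(profile, syscall):
    """Copy the profile so that `syscall` is allowed without a capability
    gate: it is removed from gated rules and given its own rule, so the
    other syscalls in those rules keep their CAP_SYS_ADMIN requirement."""
    new = deepcopy(profile)
    for rule in new["syscalls"]:
        if "includes" in rule and syscall in rule["names"]:
            rule["names"].remove(syscall)
    new["syscalls"].append({"names": [syscall], "action": "SCMP_ACT_ALLOW"})
    return new

if __name__ == "__main__":
    print(effective_action(SAMPLE_PROFILE, "fanotify_init"))  # SCMP_ACT_ERRNO
    custom = allow_unconditionally(SAMPLE_PROFILE, "fanotify_init")
    print(effective_action(custom, "fanotify_init"))          # SCMP_ACT_ALLOW
    with open("custom-seccomp.json", "w") as f:  # arbitrary name for --security-opt seccomp=...
        json.dump(custom, f, indent=2)
```

Run the same check against the real default.json to confirm which rule gates the syscall on your engine version before deploying the custom profile.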
