Disallow mount-related system calls

These should be blocked by not having CAP_SYS_ADMIN, but better safe
than sorry.

runtime/init-container/src/seccomp.c

@@ -90,11 +90,7 @@ static const char *allow_syscalls[] = {
     "flock",
     "fork",
     "fremovexattr",
-    "fsconfig",
     "fsetxattr",
-    "fsmount",
-    "fsopen",
-    "fspick",
     "fstat",
     "fstat64",
     "fstatat64",
@@ -189,9 +185,6 @@ static const char *allow_syscalls[] = {
     "mlockall",
     "mmap",
     "mmap2",
-    "mount",
-    "mount_setattr",
-    "move_mount",
     "mprotect",
     "mq_getsetattr",
     "mq_notify",
@@ -385,8 +378,6 @@ static const char *allow_syscalls[] = {
     "truncate64",
     "ugetrlimit",
     "umask",
-    "umount",
-    "umount2",
     "uname",
     "unlink",
     "unlinkat",
@@ -417,10 +408,19 @@ static const char *x86_syscalls[] = {
 
 static const char *eperm_syscalls[] = {
     "bdflush",
+    "bpf",
+    "fanotify_init",
+    "fsconfig",
+    "fsmount",
+    "fsopen",
+    "fspick",
     "io_pgetevents",
     "kexec_file_load",
     "kexec_load",
     "migrate_pages",
+    "mount",
+    "mount_setattr",
+    "move_mount",
     "move_pages",
     "nfsservctl",
     "nice",
@@ -432,26 +432,26 @@ static const char *eperm_syscalls[] = {
     "pciconfig_iobase",
     "pciconfig_read",
     "pciconfig_write",
+    "perf_event_open",
+    "quotactl",
+    "setdomainname",
+    "sethostname",
+    "setns",
     "sgetmask",
     "ssetmask",
     "swapcontext",
     "swapoff",
     "swapon",
     "sysfs",
+    "umount",
+    "umount2",
+    "unshare",
     "uselib",
     "userfaultfd",
     "ustat",
     "vm86",
     "vm86old",
     "vmsplice",
-    "bpf",
-    "fanotify_init",
-    "perf_event_open",
-    "quotactl",
-    "setdomainname",
-    "sethostname",
-    "setns",
-    "unshare",
 };
 
 #define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))