From 0ac4545c5bd4833d12e3f9cf430c886cfdb970ca Mon Sep 17 00:00:00 2001
From: Sebastien Boeuf
Date: Wed, 21 Jul 2021 14:31:17 +0200
Subject: [PATCH] vmm: Extend seccomp filters with fcntl() for HTTP thread

Whenever a file descriptor is sent through the control message, it requires fcntl() syscall to handle it, meaning we must allow it through the list of syscalls authorized for the HTTP thread.

Signed-off-by: Sebastien Boeuf
---
 vmm/src/seccomp_filters.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 1e31b48fd..67fdbc4a3 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -588,6 +588,7 @@ fn api_thread_rules() -> Result, Error> {
 #[cfg(target_arch = "x86_64")]
 allow_syscall(libc::SYS_epoll_wait),
 allow_syscall(libc::SYS_exit),
+allow_syscall(libc::SYS_fcntl),
 allow_syscall(libc::SYS_futex),
 allow_syscall(libc::SYS_getrandom),
 allow_syscall_if(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
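Review bot: The added `allow_syscall(libc::SYS_fcntl)` admits every fcntl command on the HTTP thread, whereas the neighbouring ioctl entry in the same list is narrowed with `allow_syscall_if` and a dedicated rule. Handling a descriptor received over the control message presumably needs only one or two commands (likely the F_GETFD/F_SETFD pair used to set close-on-exec — to be confirmed against the receiving code), so the same conditional form keyed on the `cmd` argument would keep the filter as tight as the rest of the rule set; a possible follow-up is an `allow_syscall_if(libc::SYS_fcntl, <rule restricted to the cmd values actually used>)`. At minimum the line deserves a comment recording why it is here and which command is expected, e.g. `// fcntl() is needed to handle fds received via the control message; restrict to the cmd actually used if possible`, since neither the hunk nor the commit message names the command and a later audit cannot tell whether the broad allow was deliberate. The enclosing api_thread_rules() starts and ends outside the hunk.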