External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-23 20:02:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: iommu: Update the list of seccomp filters

Browse Source 
While using the virtio-iommu device involving L2 scenario, and tearing
things down all the way from L2 back to L0 exposed some bad syscalls
that were not part of the authorized list.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit is contained in:
Sebastien Boeuf 2020-10-14 17:19:12 +02:00 committed by Samuel Ortiz
parent 57f81d0375
commit 0c967e1aa0
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
virtio-devices/src/seccomp_filters.rs
View File

@ -166,14 +166,21 @@ fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup), allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1), allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl), allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait), allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex), allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_mmap),
allow_syscall(libc::SYS_mprotect),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read), allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write), allow_syscall(libc::SYS_write),
]) ])
} }