From 23e5a726ec6f9261397e213ce9ea3dcc30d9d9a1 Mon Sep 17 00:00:00 2001
From: Michael Zhao
Date: Wed, 26 Aug 2020 12:57:07 +0800
Subject: [PATCH] virtio-devices: Add seccomp rules for vhost-user backend

The missing rules caused failures when guest powered off.

Signed-off-by: Michael Zhao
---
 virtio-devices/src/seccomp_filters.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index c82fda5af..b7e4cd698 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -290,6 +290,13 @@ fn virtio_vhost_net_thread_rules() -> Result, Error> {
 allow_syscall(libc::SYS_futex),
 allow_syscall(libc::SYS_read),
 allow_syscall(libc::SYS_write),
+ allow_syscall(libc::SYS_close),
+ allow_syscall(libc::SYS_sigaltstack),
+ allow_syscall(libc::SYS_munmap),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_madvise),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_exit),
 ])
 }
@@ -304,6 +311,15 @@ fn virtio_vhost_net_ctl_thread_rules() -> Result, Error> {
 allow_syscall(libc::SYS_epoll_wait),
 allow_syscall(libc::SYS_futex),
 allow_syscall(libc::SYS_read),
+ allow_syscall(libc::SYS_close),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_sigaltstack),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_munmap),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_madvise),
+ #[cfg(target_arch = "aarch64")]
+ allow_syscall(libc::SYS_exit),
 ])
 }
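Review bot: The entries added to `virtio_vhost_net_thread_rules` carry no comment tying them to the guest power-off path named in the commit message, so a later audit of this allowlist cannot tell which entries exist only for thread teardown and which serve the data path. A line such as `// Needed when the thread is torn down at guest power-off.` above `allow_syscall(libc::SYS_close)` would record that. The two `#[cfg(target_arch = "aarch64")]` gates on `madvise` and `exit` also deserve a short reason, since the hunk does not show whether x86_64 gets them earlier in the list or does not need them. The same applies to the additions in `virtio_vhost_net_ctl_thread_rules`; both rule lists begin outside their hunks.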
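Review bot: In `virtio_vhost_net_ctl_thread_rules`, `sigaltstack` and `munmap` are allowed only under `#[cfg(target_arch = "aarch64")]`, while the hunk for `virtio_vhost_net_thread_rules` allows both on every architecture. If both threads shut down the same way, one of the two lists is wrong: either the ctl thread can still trip the filter at power-off on x86_64, or the net thread's filter is wider than it needs to be there. The two functions should agree, either by dropping the `#[cfg(target_arch = "aarch64")]` lines above `allow_syscall(libc::SYS_sigaltstack)` and `allow_syscall(libc::SYS_munmap)` here, or by adding the same gate in the first hunk. If the difference is intentional, a comment should say which teardown path differs. The rule list starts outside the hunk, so earlier entries may already cover part of this.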