virtio-devices: Add openat() syscall to seccomp filter

When freeing memory sometimes glibc will attempt to read "/proc/sys/vm/overcommit_memory" to find out how it should release the blocks. This happens sporadically with Cloud Hypervisor but has been seen in use. It is not necessary to add the read() syscall to the list as it is already included in the virtio devices common set. Similarly the vCPU and vmm threads already have both these in the allowed list. Fixes: #3609 Signed-off-by: Rob Bradford <robert.bradford@intel.com> (cherry picked from commit 53caa565bb58c4ede48f421e46a0b54b9c987ebd) Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2025-01-31 08:55:31 +00:00 · 2022-01-21 17:14:25 +00:00 · 2022-01-21 17:14:25 +00:00 · 375356a097
commit 375356a097
parent 95ca79974a
1 changed files with 1 additions and 2 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -90,7 +90,6 @@ fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_io_uring_enter, vec![]),
        (libc::SYS_lseek, vec![]),
        (libc::SYS_mprotect, vec![]),
-        (libc::SYS_openat, vec![]),
        (libc::SYS_prctl, vec![]),
        (libc::SYS_pread64, vec![]),
        (libc::SYS_preadv, vec![]),
@ -130,7 +129,6 @@ fn virtio_mem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {

 fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        (libc::SYS_openat, vec![]),
        (libc::SYS_readv, vec![]),
        (libc::SYS_timerfd_settime, vec![]),
        (libc::SYS_writev, vec![]),
@ -258,6 +256,7 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_madvise, vec![]),
        (libc::SYS_mmap, vec![]),
        (libc::SYS_munmap, vec![]),
+        (libc::SYS_openat, vec![]),
        (libc::SYS_read, vec![]),
        (libc::SYS_rt_sigprocmask, vec![]),
        (libc::SYS_sigaltstack, vec![]),