virtio-devices: Add openat() syscall to seccomp filter

When freeing memory sometimes glibc will attempt to read "/proc/sys/vm/overcommit_memory" to find out how it should release the blocks. This happens sporadically with Cloud Hypervisor but has been seen in use. It is not necessary to add the read() syscall to the list as it is already included in the virtio devices common set. Similarly the vCPU and vmm threads already have both these in the allowed list. Fixes: #3609 Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2024-10-02 11:35:46 +00:00 · 2022-01-21 17:14:25 +00:00 · 2022-01-21 17:14:25 +00:00 · 53caa565bb
commit 53caa565bb
parent db5583d6a3
1 changed files with 1 additions and 2 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -90,7 +90,6 @@ fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_io_uring_enter, vec![]),
        (libc::SYS_lseek, vec![]),
        (libc::SYS_mprotect, vec![]),
-        (libc::SYS_openat, vec![]),
        (libc::SYS_prctl, vec![]),
        (libc::SYS_pread64, vec![]),
        (libc::SYS_preadv, vec![]),
@ -130,7 +129,6 @@ fn virtio_mem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {

 fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        (libc::SYS_openat, vec![]),
        (libc::SYS_readv, vec![]),
        (libc::SYS_timerfd_settime, vec![]),
        (libc::SYS_writev, vec![]),
@ -258,6 +256,7 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_madvise, vec![]),
        (libc::SYS_mmap, vec![]),
        (libc::SYS_munmap, vec![]),
+        (libc::SYS_openat, vec![]),
        (libc::SYS_read, vec![]),
        (libc::SYS_rt_sigprocmask, vec![]),
        (libc::SYS_sigaltstack, vec![]),