From 5462fd810ccf72aff765ddc2041d50948b5af8f5 Mon Sep 17 00:00:00 2001
From: Jianyong Wu
Date: Thu, 20 Jan 2022 09:51:39 +0800
Subject: [PATCH] seccomp: add ioctl group to seccomp authorized list for arm64

When enable PMU on arm64, ioctl with group KVM_HAS_DEVICE_ATTR will be blocked by seccomp, add it to authorized list.

Signed-off-by: Jianyong Wu
---
 vmm/src/seccomp_filters.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 9fed14944..4af4ed875 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -99,6 +99,7 @@ mod kvm {
 pub const KVM_SET_MP_STATE: u64 = 0x4004_ae99;
 pub const KVM_SET_GSI_ROUTING: u64 = 0x4008_ae6a;
 pub const KVM_SET_DEVICE_ATTR: u64 = 0x4018_aee1;
+ pub const KVM_HAS_DEVICE_ATTR: u64 = 0x4018_aee3;
 pub const KVM_SET_ONE_REG: u64 = 0x4010_aeac;
 pub const KVM_SET_USER_MEMORY_REGION: u64 = 0x4020_ae46;
 pub const KVM_IRQFD: u64 = 0x4020_ae76;
@@ -195,6 +196,7 @@ fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result, Backen
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN)?],
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_MEMORY_ENCRYPT_OP)?],
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
+ and![Cond::new(1, ArgLen::Dword, Eq, KVM_HAS_DEVICE_ATTR,)?],
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING)?],
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MP_STATE)?],
 and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_ONE_REG)?],
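Review bot: The new `KVM_HAS_DEVICE_ATTR` constant in `mod kvm` is a hand-encoded request number with nothing beside it to audit the value against. This table feeds a seccomp allow-list, so a wrong digit would either keep the call blocked or admit a different request. The value matches `_IOW(KVMIO, 0xe3, struct kvm_device_attr)` (write direction, 0x18-byte argument, the same shape as `KVM_SET_DEVICE_ATTR` one line above), so I would record that next to it: `// _IOW(KVMIO, 0xe3, struct kvm_device_attr)`. `mod kvm` starts and ends outside the hunk.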
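Review bot: The allow rule for `KVM_HAS_DEVICE_ATTR` is added to `create_vmm_ioctl_seccomp_rule_common_kvm`, which by its name is shared by every architecture, while the commit message justifies it only by PMU setup on arm64. If the file keeps a per-architecture KVM rule list (not visible in this hunk), putting the rule there would leave the filter on other targets as narrow as before. If the common list is intended, a comment on the new line should say why, for example `// attribute probe; first needed by arm64 PMU setup`. The function's body begins and ends outside the hunk.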