From 5b0d4bb398c0ad51f7de875942df2a4dd5942956 Mon Sep 17 00:00:00 2001
From: Markus Theil
Date: Fri, 6 Aug 2021 12:36:47 +0200
Subject: [PATCH] virtio-devices: seccomp: allow unix socket connect in vsock thread

Allow vsocks to connect to Unix sockets on the host running cloud-hypervisor with enabled seccomp.

Reported-by: Philippe Schaaf
Tested-by: Franz Girlich
Signed-off-by: Markus Theil
---
 virtio-devices/src/seccomp_filters.rs | 3 +++
 vmm/src/seccomp_filters.rs | 1 +
 2 files changed, 4 insertions(+)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 02de8107d..1cbbb0c21 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -392,6 +392,7 @@ fn virtio_vsock_thread_rules() -> Vec {
 #[cfg(feature = "mshv")]
 allow_syscall(libc::SYS_clock_gettime),
 allow_syscall(libc::SYS_close),
+ allow_syscall(libc::SYS_connect),
 allow_syscall(libc::SYS_dup),
 allow_syscall(libc::SYS_epoll_create1),
 allow_syscall(libc::SYS_epoll_ctl),
@@ -402,11 +403,13 @@ fn virtio_vsock_thread_rules() -> Vec {
 allow_syscall_if(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
 allow_syscall(libc::SYS_futex),
 allow_syscall(libc::SYS_madvise),
+ allow_syscall(libc::SYS_mmap),
 allow_syscall(libc::SYS_munmap),
 allow_syscall(libc::SYS_read),
 allow_syscall(libc::SYS_recvfrom),
 allow_syscall(libc::SYS_rt_sigprocmask),
 allow_syscall(libc::SYS_sigaltstack),
+ allow_syscall(libc::SYS_socket),
 allow_syscall(libc::SYS_write),
 ]
 }
diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 7ac71fd9f..23bf8351e 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
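Review bot: `allow_syscall(libc::SYS_connect)` admits connect(2) for any address family, and a seccomp filter cannot inspect the sockaddr the pointer argument refers to, so the only place this change can be pinned to the host-side Unix sockets the commit message describes is the `SYS_socket` rule added in the next hunk. Consider turning that plain `allow_syscall(libc::SYS_socket)` into an `allow_syscall_if` whose rule compares the domain argument (arg 0) against `libc::AF_UNIX`, the same way `SYS_ioctl` is gated by `create_vsock_ioctl_seccomp_rule()` in this function; without it the vsock thread may also create AF_INET/AF_INET6 sockets the device has no use for. A one-line comment on the new entry, e.g. `// connect(2) to host Unix sockets; the address family is constrained on the socket(2) rule`, would record why the pair is allowed. virtio_vsock_thread_rules starts outside this hunk.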
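Review bot: `allow_syscall(libc::SYS_mmap)` is added to the vsock thread filter although the commit message only describes the Unix-socket connect change, so the reason this thread now needs to map memory is not recorded anywhere; the same unexplained mmap allowance is added to vcpu_thread_rules in the vmm/src/seccomp_filters.rs hunk. A short comment naming the call path observed under seccomp, e.g. `// mmap: required by <TODO: name the allocation path that hit the filter>`, would let a later reviewer judge whether the allowance can be dropped again or narrowed (seccomp can match mmap's prot argument, so PROT_EXEC mappings could be denied while still permitting the allocation). The point applies to both hunks.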
@@ -562,6 +562,7 @@ fn vcpu_thread_rules() -> Result, Error> {
 allow_syscall_if(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
 allow_syscall(libc::SYS_lseek),
 allow_syscall(libc::SYS_madvise),
+ allow_syscall(libc::SYS_mmap),
 allow_syscall(libc::SYS_mprotect),
 allow_syscall(libc::SYS_munmap),
 allow_syscall(libc::SYS_nanosleep),