mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2025-01-05 04:15:20 +00:00
vmm: seccomp: Allow all threads to call sched_yield()
We occasionally saw cloud-hypervisor crash due to seccomp violations. The coredumps showed the HTTP API thread crashing after it attempted to call sched_yield(). The call came from the Rust stdlib's mpmc module, which calls sched_yield() if several attempts to busy-wait for a condition to be fulfilled fall short. Since the system call is harmless and it comes from the stdlib, I opted to allow all threads to call it. Signed-off-by: Peteris Rudzusiks <rye@stripe.com>
parent
321d6f47e6
commit
612a8dfb1b
@ -465,6 +465,7 @@ fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
|
|||||||
(libc::SYS_recvfrom, vec![]),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
(libc::SYS_rt_sigprocmask, vec![]),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
(libc::SYS_rt_sigreturn, vec![]),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_sendto, vec![]),
|
(libc::SYS_sendto, vec![]),
|
||||||
(libc::SYS_sigaltstack, vec![]),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
(libc::SYS_write, vec![]),
|
(libc::SYS_write, vec![]),
|
||||||
@ -496,6 +497,7 @@ fn pty_foreground_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
|
|||||||
(libc::SYS_restart_syscall, vec![]),
|
(libc::SYS_restart_syscall, vec![]),
|
||||||
(libc::SYS_rt_sigaction, vec![]),
|
(libc::SYS_rt_sigaction, vec![]),
|
||||||
(libc::SYS_rt_sigreturn, vec![]),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_setsid, vec![]),
|
(libc::SYS_setsid, vec![]),
|
||||||
(libc::SYS_sigaltstack, vec![]),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
(libc::SYS_write, vec![]),
|
(libc::SYS_write, vec![]),
|
||||||
@ -607,6 +609,7 @@ fn vmm_thread_rules(
|
|||||||
(libc::SYS_rt_sigreturn, vec![]),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
(libc::SYS_sched_getaffinity, vec![]),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
(libc::SYS_sched_setaffinity, vec![]),
|
(libc::SYS_sched_setaffinity, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_seccomp, vec![]),
|
(libc::SYS_seccomp, vec![]),
|
||||||
(libc::SYS_sendmsg, vec![]),
|
(libc::SYS_sendmsg, vec![]),
|
||||||
(libc::SYS_sendto, vec![]),
|
(libc::SYS_sendto, vec![]),
|
||||||
@ -747,6 +750,7 @@ fn vcpu_thread_rules(
|
|||||||
(libc::SYS_rt_sigaction, vec![]),
|
(libc::SYS_rt_sigaction, vec![]),
|
||||||
(libc::SYS_rt_sigprocmask, vec![]),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
(libc::SYS_rt_sigreturn, vec![]),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_sendmsg, vec![]),
|
(libc::SYS_sendmsg, vec![]),
|
||||||
(libc::SYS_shutdown, vec![]),
|
(libc::SYS_shutdown, vec![]),
|
||||||
(libc::SYS_sigaltstack, vec![]),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
@ -785,6 +789,7 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
|
|||||||
(libc::SYS_munmap, vec![]),
|
(libc::SYS_munmap, vec![]),
|
||||||
(libc::SYS_recvfrom, vec![]),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
(libc::SYS_recvmsg, vec![]),
|
(libc::SYS_recvmsg, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_sigaltstack, vec![]),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
(libc::SYS_write, vec![]),
|
(libc::SYS_write, vec![]),
|
||||||
])
|
])
|
||||||
@ -819,6 +824,7 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
|
|||||||
(293, vec![]),
|
(293, vec![]),
|
||||||
(libc::SYS_rt_sigprocmask, vec![]),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
(libc::SYS_sched_getaffinity, vec![]),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_sendmsg, vec![]),
|
(libc::SYS_sendmsg, vec![]),
|
||||||
(libc::SYS_set_robust_list, vec![]),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
(libc::SYS_sigaltstack, vec![]),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
@ -831,6 +837,7 @@ fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendE
|
|||||||
(libc::SYS_brk, vec![]),
|
(libc::SYS_brk, vec![]),
|
||||||
(libc::SYS_futex, vec![]),
|
(libc::SYS_futex, vec![]),
|
||||||
(libc::SYS_mmap, vec![]),
|
(libc::SYS_mmap, vec![]),
|
||||||
|
(libc::SYS_sched_yield, vec![]),
|
||||||
(libc::SYS_write, vec![]),
|
(libc::SYS_write, vec![]),
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
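Review bot: The new `(libc::SYS_sched_yield, vec![])` entries are added without a comment in any of the seven lists (signal_handler_thread_rules through event_monitor_thread_rules), so someone auditing the allowlist later cannot tell why a scheduler syscall is permitted on, say, the HTTP API thread. A one-line comment on each entry would record that, for example `// Rust std mpmc backoff falls back to sched_yield() after spinning`. The empty `vec![]` is appropriate here because sched_yield() takes no arguments to constrain. Because the same stdlib-driven entry is repeated by hand in every list, a small shared list of syscalls that std itself may issue, appended to each per-thread list, would keep the next such addition from being missed in one filter and surfacing as another seccomp crash. Only the hunks are visible, so whether any thread filter defined elsewhere still lacks the entry cannot be confirmed from this page.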