vmm, virtio-devices: Add missing seccomp rules for MSHV

This patch adds all the seccomp rules missing for MSHV. With this patch MSFT internal CI runs with seccomp enabled. Signed-off-by: Muminul Islam <muislam@microsoft.com>
2025-02-01 17:35:19 +00:00 · 2021-08-02 11:38:42 -07:00 · 2021-08-02 11:38:42 -07:00 · 83c44a2411
commit 83c44a2411
parent c597655d06
2 changed files with 13 additions and 0 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -77,6 +77,8 @@ fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> {
 fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -329,6 +331,8 @@ fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_connect),
        allow_syscall(libc::SYS_dup),
@ -357,6 +361,8 @@ fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -383,6 +389,8 @@ fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_accept4),
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -406,6 +414,8 @@ fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_watchdog_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -517,6 +517,9 @@ fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> {
        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?],
        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?],
        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?],
+        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?],
    ])
 }