vmm: seccomp: Add fork, gettid and pipe2 syscalls to permitted list

This is needed for self spawning with the musl target. Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2024-07-15 13:47:14 +00:00 · 2020-04-27 15:18:05 +01:00 · 2020-04-27 15:18:05 +01:00 · 8cef35745b
commit 8cef35745b
parent ce7678f29f
1 changed files with 3 additions and 0 deletions
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -211,12 +211,14 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
            allow_syscall(libc::SYS_fallocate),
            allow_syscall(libc::SYS_fcntl),
            allow_syscall(libc::SYS_fdatasync),
+            allow_syscall(libc::SYS_fork),
            allow_syscall(libc::SYS_fstat),
            allow_syscall(libc::SYS_fsync),
            allow_syscall(libc::SYS_ftruncate),
            allow_syscall(libc::SYS_futex),
            allow_syscall(libc::SYS_getpid),
            allow_syscall(libc::SYS_getrandom),
+            allow_syscall(libc::SYS_gettid),
            allow_syscall(libc::SYS_gettimeofday),
            allow_syscall(libc::SYS_getuid),
            allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
@ -231,6 +233,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
            allow_syscall(libc::SYS_nanosleep),
            allow_syscall(libc::SYS_open),
            allow_syscall(libc::SYS_openat),
+            allow_syscall(libc::SYS_pipe2),
            allow_syscall(libc::SYS_prctl),
            allow_syscall(libc::SYS_pread64),
            allow_syscall(libc::SYS_prlimit64),