From 8cef35745be0f05594c712569c40c238de94f3f4 Mon Sep 17 00:00:00 2001
From: Rob Bradford <robert.bradford@intel.com>
Date: Mon, 27 Apr 2020 15:18:05 +0100
Subject: [PATCH] vmm: seccomp: Add fork, gettid and pipe2 syscalls to
 permitted list

This is needed for self spawning with the musl target.

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
---
 vmm/src/seccomp_filters.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 1dfae78ec..dcb3f3faf 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -211,12 +211,14 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
             allow_syscall(libc::SYS_fallocate),
             allow_syscall(libc::SYS_fcntl),
             allow_syscall(libc::SYS_fdatasync),
+            allow_syscall(libc::SYS_fork),
             allow_syscall(libc::SYS_fstat),
             allow_syscall(libc::SYS_fsync),
             allow_syscall(libc::SYS_ftruncate),
             allow_syscall(libc::SYS_futex),
             allow_syscall(libc::SYS_getpid),
             allow_syscall(libc::SYS_getrandom),
+            allow_syscall(libc::SYS_gettid),
             allow_syscall(libc::SYS_gettimeofday),
             allow_syscall(libc::SYS_getuid),
             allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
@@ -231,6 +233,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
             allow_syscall(libc::SYS_nanosleep),
             allow_syscall(libc::SYS_open),
             allow_syscall(libc::SYS_openat),
+            allow_syscall(libc::SYS_pipe2),
             allow_syscall(libc::SYS_prctl),
             allow_syscall(libc::SYS_pread64),
             allow_syscall(libc::SYS_prlimit64),