From a0ddcc68d709a4797cba4eaaa561cc4ac6a0f0b8 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Thu, 30 Mar 2023 21:24:55 +0000
Subject: [PATCH] virtio-devices: seccomp: add vhost-user syscalls

Cloud Hypervisor's vhost-user implementation will reconnect if it gets disconnected from the backend. That means connections happen inside the vhost-user seccomp sandbox, so all syscalls used in reconnecting have to be allowed in that sandbox.

clock_nanosleep is used by Glibc, and nanosleep is used by musl.

Signed-off-by: Alyssa Ross
---
 virtio-devices/src/seccomp_filters.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 1e6895914..10dc34d35 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -151,6 +151,7 @@ fn virtio_rng_thread_rules() -> Vec<(i64, Vec)> {
 
 fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec)> {
     vec![
+        (libc::SYS_clock_nanosleep, vec![]),
         (libc::SYS_connect, vec![]),
         (libc::SYS_nanosleep, vec![]),
         (libc::SYS_pread64, vec![]),
@@ -170,8 +171,11 @@ fn virtio_vhost_net_thread_rules() -> Vec<(i64, Vec)> {
     vec![
         (libc::SYS_accept4, vec![]),
         (libc::SYS_bind, vec![]),
+        (libc::SYS_clock_nanosleep, vec![]),
+        (libc::SYS_connect, vec![]),
         (libc::SYS_getcwd, vec![]),
         (libc::SYS_listen, vec![]),
+        (libc::SYS_nanosleep, vec![]),
         (libc::SYS_recvmsg, vec![]),
         (libc::SYS_sendmsg, vec![]),
         (libc::SYS_sendto, vec![]),
@@ -184,7 +188,14 @@ fn virtio_vhost_net_thread_rules() -> Vec<(i64, Vec)> {
 }
 
 fn virtio_vhost_block_thread_rules() -> Vec<(i64, Vec)> {
-    vec![]
+    vec![
+        (libc::SYS_clock_nanosleep, vec![]),
+        (libc::SYS_connect, vec![]),
+        (libc::SYS_nanosleep, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        (libc::SYS_sendmsg, vec![]),
+        (libc::SYS_socket, vec![]),
+    ]
 }
 
 fn create_vsock_ioctl_seccomp_rule() -> Vec {
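Review bot: The new `virtio_vhost_block_thread_rules` list in the third hunk allows `SYS_socket` and `SYS_connect` with an empty condition list, so the block thread may create and connect sockets of any family even though reconnecting to a vhost-user backend only needs a Unix socket; if this file's rule type supports argument conditions, as the `create_vsock_ioctl_seccomp_rule` name suggests it does for ioctl, pinning the first argument of `SYS_socket` to `libc::AF_UNIX` would keep the widened sandbox close to what reconnection actually requires. The same reconnect set (`clock_nanosleep`, `connect`, `nanosleep`, `recvmsg`, `sendmsg`, `socket`) is now spread across the fs, net and block thread rule functions in all three hunks, and a shared helper such as `vhost_user_reconnect_rules()` extended into each list would stop the three allowlists drifting apart on the next libc change. The reason both sleep syscalls are listed lives only in the commit message; a comment above the pair in each list, `// clock_nanosleep is used by glibc and nanosleep by musl while reconnecting`, would stop a later cleanup from dropping one as redundant.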