From a2a492f3df9fe104dea0ef37c25a490ebe34ab2c Mon Sep 17 00:00:00 2001
From: Akira Moroo <retrage01@gmail.com>
Date: Sun, 30 Jan 2022 19:59:15 +0900
Subject: [PATCH] seccomp: Add ioctls to seccomp filter for guest debug

This commit adds `KVM_SET_GUEST_DEBUG` and `KVM_TRANSLATE` ioctls to
seccomp filter to enable guest debugging without `--seccomp=false`.

Signed-off-by: Akira Moroo <retrage01@gmail.com>
---
 vmm/src/seccomp_filters.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 4af4ed875..f0b354329 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -294,6 +294,8 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError>
     const KVM_SET_TSS_ADDR: u64 = 0xae47;
     const KVM_SET_XCRS: u64 = 0x4188_aea7;
     const KVM_SET_XSAVE: u64 = 0x5000_aea5;
+    const KVM_SET_GUEST_DEBUG: u64 = 0x4048_ae9b;
+    const KVM_TRANSLATE: u64 = 0xc018_ae85;
 
     let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
     let mut arch_rules = or![
@@ -318,6 +320,8 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError>
         and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MSRS)?],
         and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XCRS,)?],
         and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XSAVE,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GUEST_DEBUG,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_TRANSLATE,)?],
     ];
     arch_rules.extend(common_rules);