diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index f00e7f3d0..cd0ccc58e 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -502,9 +502,12 @@ fn signal_handler_thread_rules() -> Result)>, Backend
 (libc::SYS_exit_group, vec![]),
 (libc::SYS_futex, vec![]),
 (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
+ (libc::SYS_landlock_create_ruleset, vec![]),
+ (libc::SYS_landlock_restrict_self, vec![]),
 (libc::SYS_madvise, vec![]),
 (libc::SYS_mmap, vec![]),
 (libc::SYS_munmap, vec![]),
+ (libc::SYS_prctl, vec![]),
 (libc::SYS_recvfrom, vec![]),
 (libc::SYS_rt_sigprocmask, vec![]),
 (libc::SYS_rt_sigreturn, vec![]),
@@ -607,6 +610,9 @@ fn vmm_thread_rules(
 (libc::SYS_io_uring_setup, vec![]),
 (libc::SYS_io_uring_register, vec![]),
 (libc::SYS_kill, vec![]),
+ (libc::SYS_landlock_create_ruleset, vec![]),
+ (libc::SYS_landlock_add_rule, vec![]),
+ (libc::SYS_landlock_restrict_self, vec![]),
 (libc::SYS_listen, vec![]),
 (libc::SYS_lseek, vec![]),
 (libc::SYS_madvise, vec![]),
@@ -845,10 +851,13 @@ fn http_api_thread_rules() -> Result)>, BackendError>
 (libc::SYS_futex, vec![]),
 (libc::SYS_getrandom, vec![]),
 (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
+ (libc::SYS_landlock_create_ruleset, vec![]),
+ (libc::SYS_landlock_restrict_self, vec![]),
 (libc::SYS_madvise, vec![]),
 (libc::SYS_mmap, vec![]),
 (libc::SYS_mprotect, vec![]),
 (libc::SYS_munmap, vec![]),
+ (libc::SYS_prctl, vec![]),
 (libc::SYS_recvfrom, vec![]),
 (libc::SYS_recvmsg, vec![]),
 (libc::SYS_sched_yield, vec![]),
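Review bot: The new `(libc::SYS_prctl, vec![])` entry in signal_handler_thread_rules admits every prctl option, which is wider than the Landlock setup needs; the same unrestricted entry appears in the http_api_thread_rules hunk below and in the event_monitor_thread_rules hunk that follows. Presumably the call is `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`, which landlock_restrict_self requires, so the rule could carry an argument condition on arg 0 equal to `libc::PR_SET_NO_NEW_PRIVS` via a small helper (e.g. `create_prctl_seccomp_rule()?`), mirroring how the neighbouring ioctl entries already use `create_signal_handler_ioctl_seccomp_rule()?` and `create_api_ioctl_seccomp_rule()?` instead of `vec![]`. A short comment on the entry, `// prctl only for PR_SET_NO_NEW_PRIVS ahead of landlock_restrict_self`, would also record why a thread that never spawns anything suddenly needs prctl at all. The vmm_thread_rules hunk adds the three Landlock syscalls without prctl, which suggests prctl is already allowed there outside the hunk; if so it is worth checking whether that entry is argument-restricted too. All three enclosing functions start and end outside their hunks.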
@@ -898,9 +907,13 @@ fn dbus_api_thread_rules() -> Result)>, BackendError>
 fn event_monitor_thread_rules() -> Result)>, BackendError> {
 Ok(vec![
 (libc::SYS_brk, vec![]),
+ (libc::SYS_close, vec![]),
 (libc::SYS_futex, vec![]),
+ (libc::SYS_landlock_create_ruleset, vec![]),
+ (libc::SYS_landlock_restrict_self, vec![]),
 (libc::SYS_mmap, vec![]),
 (libc::SYS_munmap, vec![]),
+ (libc::SYS_prctl, vec![]),
 (libc::SYS_sched_yield, vec![]),
 (libc::SYS_write, vec![]),
 ])