From c50ea2c70891998959d7505f67e7ecdaa8802e2f Mon Sep 17 00:00:00 2001
From: Praveen K Paladugu <prapal@linux.microsoft.com>
Date: Mon, 12 Feb 2024 18:17:40 +0000
Subject: [PATCH] vmm: Add seccomp rules to allow landlock syscalls

landlock syscalls are required by event_monitor, signal_handler,
http-server and vmm threads. Rest of the threads are spawned by the vmm
thread and they automatically inherit the ruleset from the vmm thread.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
---
 vmm/src/seccomp_filters.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index f00e7f3d0..cd0ccc58e 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -502,9 +502,12 @@ fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
         (libc::SYS_exit_group, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
+        (libc::SYS_landlock_create_ruleset, vec![]),
+        (libc::SYS_landlock_restrict_self, vec![]),
         (libc::SYS_madvise, vec![]),
         (libc::SYS_mmap, vec![]),
         (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
         (libc::SYS_recvfrom, vec![]),
         (libc::SYS_rt_sigprocmask, vec![]),
         (libc::SYS_rt_sigreturn, vec![]),
@@ -607,6 +610,9 @@ fn vmm_thread_rules(
         (libc::SYS_io_uring_setup, vec![]),
         (libc::SYS_io_uring_register, vec![]),
         (libc::SYS_kill, vec![]),
+        (libc::SYS_landlock_create_ruleset, vec![]),
+        (libc::SYS_landlock_add_rule, vec![]),
+        (libc::SYS_landlock_restrict_self, vec![]),
         (libc::SYS_listen, vec![]),
         (libc::SYS_lseek, vec![]),
         (libc::SYS_madvise, vec![]),
@@ -845,10 +851,13 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
         (libc::SYS_futex, vec![]),
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
+        (libc::SYS_landlock_create_ruleset, vec![]),
+        (libc::SYS_landlock_restrict_self, vec![]),
         (libc::SYS_madvise, vec![]),
         (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
         (libc::SYS_recvfrom, vec![]),
         (libc::SYS_recvmsg, vec![]),
         (libc::SYS_sched_yield, vec![]),
@@ -898,9 +907,13 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
 fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
     Ok(vec![
         (libc::SYS_brk, vec![]),
+        (libc::SYS_close, vec![]),
         (libc::SYS_futex, vec![]),
+        (libc::SYS_landlock_create_ruleset, vec![]),
+        (libc::SYS_landlock_restrict_self, vec![]),
         (libc::SYS_mmap, vec![]),
         (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
         (libc::SYS_sched_yield, vec![]),
         (libc::SYS_write, vec![]),
     ])