vmm: Update seccomp filters for HTTP thread

The micro-http crate now uses recvmsg() syscall in order to receive file
descriptors through control messages. This means the syscall must be
part of the authorized list in the seccomp filters.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Sebastien Boeuf 2021-07-15 09:45:41 +02:00 committed by dependabot[bot]
parent e60078d939
commit d68c388cac

@ -595,6 +595,7 @@ fn api_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
allow_syscall(libc::SYS_mprotect),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_recvfrom),
allow_syscall(libc::SYS_recvmsg),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
])
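Review bot: The new `allow_syscall(libc::SYS_recvmsg),` entry in api_thread_rules() carries no comment saying why the API thread needs it, so a later audit of the allow list cannot tell it apart from an accidental widening. Add a one-line comment above it noting that micro-http receives file descriptors through control messages with recvmsg(), as the commit message states. Since the receive path now uses recvmsg(), it is also worth checking whether the `allow_syscall(libc::SYS_recvfrom),` entry just above is still required for this thread; if it is not, drop it in the same change so the filter stays minimal.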