From e481f97550747bd7447c7da3e29b423d53034720 Mon Sep 17 00:00:00 2001
From: Muminul Islam <muislam@microsoft.com>
Date: Mon, 12 Jul 2021 14:41:24 -0700
Subject: [PATCH] vmm, virtio-devices:seccomp: Add MSHV related seccomp rule

MSHV needs SYS_clock_gettime to pause and resume
the guest VM.

Signed-off-by: Muminul Islam <muislam@microsoft.com>
---
 virtio-devices/src/seccomp_filters.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 2b81ddf85..45982e3f9 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -99,6 +99,8 @@ fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -142,6 +144,8 @@ fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -168,6 +172,8 @@ fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -191,6 +197,8 @@ fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -214,6 +222,8 @@ fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -243,6 +253,8 @@ fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error>
 fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
     Ok(vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -265,6 +277,8 @@ fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
 fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),
@@ -287,6 +301,8 @@ fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
     vec![
         allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
         allow_syscall(libc::SYS_epoll_create1),