vmm, virtio-devices:seccomp: Add MSHV related seccomp rule

MSHV needs SYS_clock_gettime to pause and resume the guest VM. Signed-off-by: Muminul Islam <muislam@microsoft.com>
2025-02-22 11:22:26 +00:00 · 2021-07-12 14:41:24 -07:00 · 2021-07-12 14:41:24 -07:00 · e481f97550
commit e481f97550
parent 3937e03c02
1 changed files with 16 additions and 0 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -99,6 +99,8 @@ fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -142,6 +144,8 @@ fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -168,6 +172,8 @@ fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -191,6 +197,8 @@ fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -214,6 +222,8 @@ fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -243,6 +253,8 @@ fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error>
 fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    Ok(vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -265,6 +277,8 @@ fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
 fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),
@ -287,6 +301,8 @@ fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
 fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
+        #[cfg(feature = "mshv")]
+        allow_syscall(libc::SYS_clock_gettime),
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
        allow_syscall(libc::SYS_epoll_create1),