vmm: Add missing syscalls to the seccomp filters

Both clock_gettime and gettimeofday syscalls where missing when running Cloud-Hypervisor on a Linux host without vDSO enabled. On a system with vDSO enabled, the syscalls performed by vDSO were not filtered, that's why we didn't have to whitelist them. Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2025-02-22 11:22:26 +00:00 · 2020-03-27 09:16:34 +01:00 · 2020-03-27 09:16:34 +01:00 · e4ea8b0bef
commit e4ea8b0bef
parent 33be24bd5a
1 changed files with 2 additions and 0 deletions
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -175,6 +175,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
            allow_syscall(libc::SYS_arch_prctl),
            allow_syscall(libc::SYS_bind),
            allow_syscall(libc::SYS_brk),
+            allow_syscall(libc::SYS_clock_gettime),
            allow_syscall(libc::SYS_clone),
            allow_syscall(libc::SYS_close),
            allow_syscall(libc::SYS_connect),
@ -195,6 +196,7 @@ pub fn vmm_thread_filter() -> Result<SeccompFilter, Error> {
            allow_syscall(libc::SYS_futex),
            allow_syscall(libc::SYS_getpid),
            allow_syscall(libc::SYS_getrandom),
+            allow_syscall(libc::SYS_gettimeofday),
            allow_syscall(libc::SYS_getuid),
            allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
            allow_syscall(libc::SYS_listen),