From 7e071e5c68c81d4fdcb379b79272266f5dd517a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dav=C3=AD=C3=B0=20Steinn=20Geirsson?= <david@dsg.is>
Date: Sat, 21 Mar 2026 11:15:32 +0000
Subject: [PATCH] virtio-devices: Allow fcntl syscall in release builds

The fcntl syscall was only allowed for virtio device threads in debug
builds (behind #[cfg(debug_assertions)]), causing seccomp violations
in release builds across rng, balloon, net, gpu, fs, and vsock threads.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 virtio-devices/src/seccomp_filters.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 59f364320..dbb6e488d 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -318,7 +318,6 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
         (libc::SYS_rt_sigreturn, vec![]),
         (libc::SYS_sigaltstack, vec![]),
         (libc::SYS_write, vec![]),
-        #[cfg(debug_assertions)]
         (libc::SYS_fcntl, vec![]),
     ]
 }