From 8abe8c679b8a5c32e554c9ce7643cafd707f97f2 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Fri, 10 Sep 2021 18:16:17 +0000
Subject: [PATCH] seccomp: allow mmap everywhere brk is allowed

Musl often uses mmap to allocate memory where Glibc would use brk. This has caused seccomp violations for me on the API and signal handling threads.

Signed-off-by: Alyssa Ross
---
 virtio-devices/src/seccomp_filters.rs | 8 +-------
 vmm/src/seccomp_filters.rs | 2 ++
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index ab1fb7214..af36d1345 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -84,7 +84,6 @@ fn virtio_block_thread_rules() -> Vec<(i64, Vec)> {
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_io_uring_enter, vec![]),
         (libc::SYS_lseek, vec![]),
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_openat, vec![]),
         (libc::SYS_prctl, vec![]),
@@ -100,7 +99,6 @@ fn virtio_block_thread_rules() -> Vec<(i64, Vec)> {
 
 fn virtio_console_thread_rules() -> Vec<(i64, Vec)> {
     vec![
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_prctl, vec![]),
         (libc::SYS_sched_getaffinity, vec![]),
@@ -111,7 +109,6 @@ fn virtio_console_thread_rules() -> Vec<(i64, Vec)> {
 fn virtio_iommu_thread_rules() -> Vec<(i64, Vec)> {
     vec![
         (libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
     ]
 }
@@ -146,7 +143,6 @@ fn virtio_pmem_thread_rules() -> Vec<(i64, Vec)> {
 
 fn virtio_rng_thread_rules() -> Vec<(i64, Vec)> {
     vec![
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_prctl, vec![]),
         (libc::SYS_sched_getaffinity, vec![]),
@@ -157,7 +153,6 @@ fn virtio_rng_thread_rules() -> Vec<(i64, Vec)> {
 fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec)> {
     vec![
         (libc::SYS_connect, vec![]),
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_nanosleep, vec![]),
         (libc::SYS_recvmsg, vec![]),
         (libc::SYS_sendmsg, vec![]),
@@ -201,7 +196,6 @@ fn virtio_vsock_thread_rules() -> Vec<(i64, Vec)> {
         (libc::SYS_accept4, vec![]),
         (libc::SYS_connect, vec![]),
         (libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_recvfrom, vec![]),
         (libc::SYS_socket, vec![]),
     ]
@@ -209,7 +203,6 @@ fn virtio_vsock_thread_rules() -> Vec<(i64, Vec)> {
 
 fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec)> {
     vec![
-        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_prctl, vec![]),
         (libc::SYS_sched_getaffinity, vec![]),
@@ -255,6 +248,7 @@ fn virtio_thread_common() -> Vec<(i64, Vec)> {
         (libc::SYS_exit, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
         (libc::SYS_munmap, vec![]),
         (libc::SYS_read, vec![]),
         (libc::SYS_rt_sigprocmask, vec![]),
diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index f6069caf6..621904d6a 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -356,6 +356,7 @@ fn signal_handler_thread_rules() -> Result)>, Backend
         (libc::SYS_futex, vec![]),
         (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
         (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
         (libc::SYS_munmap, vec![]),
         (libc::SYS_recvfrom, vec![]),
         (libc::SYS_rt_sigprocmask, vec![]),
@@ -598,6 +599,7 @@ fn api_thread_rules() -> Result)>, BackendError> {
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
         (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
         (libc::SYS_munmap, vec![]),
         (libc::SYS_recvfrom, vec![]),
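Review bot: Putting `SYS_mmap` into `virtio_thread_common()` grants it to every virtio device thread built on this shared list, not only the seven whose own entry is removed elsewhere in the patch, so any device rule set that deliberately omitted mmap (none of the other rule sets are visible here) now gets it unconditionally, and the rule carries no argument condition, so a `PROT_EXEC|PROT_WRITE` mapping is permitted wherever the allocator is. That is probably the intent, since the commit message says musl allocates with mmap where glibc uses brk, but nothing in the code records it and a later cleanup could move the entry back out. A one-line why-comment would prevent that: `(libc::SYS_mmap, vec![]), // musl's allocator uses mmap where glibc uses brk`. If the seccompiler version in use supports masked argument comparisons, a shared rule rejecting `PROT_EXEC` in the prot argument would be the cheap hardening on top of this. The rest of virtio_thread_common() is outside the hunk.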
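Review bot: The new `(libc::SYS_mmap, vec![])` in signal_handler_thread_rules() is unconditional, while the neighbouring ioctl entry shows this file already filters syscall arguments (`create_signal_handler_ioctl_seccomp_rule()?`); an allocator only needs `PROT_READ|PROT_WRITE`, so a matching `create_mmap_seccomp_rule()` that denies `PROT_EXEC` in the prot argument would fit the existing pattern better than an empty rule. The subject line says mmap is allowed "everywhere brk is allowed", but no `SYS_brk` entry is visible in this hunk, so it is worth confirming this rule set actually contains brk before relying on that equivalence. The function's body runs past both ends of the hunk.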
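Review bot: This is the third rule list in the patch to gain a bare `(libc::SYS_mmap, vec![])`, and the API thread is presumably the one parsing requests that arrive over the API socket, so it is where an unrestricted mmap is most exposed and most deserves a reason on record: `(libc::SYS_mmap, vec![]), // musl allocates with mmap where glibc uses brk`. Since the per-thread lists in this file already build argument-filtered rules through `create_*_seccomp_rule()` helpers, one shared mmap rule used by the API, signal-handler and virtio common lists would let any later tightening (for example rejecting `PROT_EXEC`) land in a single place instead of three. api_thread_rules() continues outside the hunk.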