seccomp: add SYS_getcwd (79) to support proper Rust backtraces

When a proper Rust backtrace is printed, the Rust std wants to use the SYS_getcwd(79) system call to prettify some paths while printing. In Cloud Hypervisor, this is at least relevant for printing panics or if a `anyhow::Error` value is printed using `{e:?}` (but not `{e:#?}`). The syscall cause can be found in `impl fmt::Display for Backtrace {}` in `library/std/src/backtrace.rs`. Without this addition, the seccomp violation of the SYS_getcwd (79) hinders the proper error message including a full backtrace from showing up. This annoying behaviour already delayed many debugging efforts. With this fix, things just work. The new syscall itself should be pretty harmless for normal operation. ``` thread 'vmm' panicked at virtio-devices/src/rng.rs:224:9: Yikes, things went horribly wrong! ==== Possible seccomp violation ==== Try running with `strace -ff` to identify the cause and open an issue: https://github.com/cloud-hypervisor/cloud-hypervisor/issues/new [1] 287683 invalid system call (core dumped) RUST_BACKTRACE=full cargo run --bin cloud-hypervisor -- --api-socket --kerne ``` ``` thread 'vmm' panicked at virtio-devices/src/rng.rs:224:9: Yikes, things went horribly wrong! stack backtrace: 0: 0x557d91286b62 - std::backtrace_rs::backtrace::libunwind::trace::hc20b48b31ee52608 at /rustc/17067e9ac6d7ecb70e50f92c1944e545188d2359/library/std/src/../../backtrace/src/backtrace/libunwind.rs:117:9 1: 0x557d91286b62 - std::backtrace_rs::backtrace::trace_unsynchronized::h5d207cd20f193d88 at /rustc/17067e9ac6d7ecb70e50f92c1944e545188d2359/library/std/src/../../backtrace/src/backtrace/mod.rs:66:14 ... 67: 0x0 - <unknown> Error: Cloud Hypervisor exited with the following error: Failed to join on VMM thread: Any { .. } Debug Info: ThreadJoin(Any { .. }) ``` - add any panic, for example into the create or drop function of a device - add --seccomp=true|log to analyze the situation Signed-off-by: Philipp Schuster <philipp.schuster@cyberus-technology.de> On-behalf-of: SAP philipp.schuster@sap.com
2025-06-26 15:54:02 +02:00 · 2025-06-26 15:54:02 +02:00 · d580ed55c6
commit d580ed55c6
parent 2cb8c41adc
2 changed files with 7 additions and 0 deletions
--- a/scripts/gitlint/rules/TitleStartsWithComponent.py
+++ b/scripts/gitlint/rules/TitleStartsWithComponent.py
@ -56,6 +56,7 @@ class TitleStartsWithComponent(LineRule):
            'README',
            'resources',
            'scripts',
+            'seccomp',
            'serial_buffer',
            'test_data',
            'test_infra',
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -549,6 +549,7 @@ fn pty_foreground_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
        (libc::SYS_write, vec![]),
        #[cfg(debug_assertions)]
        (libc::SYS_fcntl, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }

@ -697,6 +698,7 @@ fn vmm_thread_rules(
        (libc::SYS_wait4, vec![]),
        (libc::SYS_write, vec![]),
        (libc::SYS_writev, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }

@ -835,6 +837,7 @@ fn vcpu_thread_rules(
        (libc::SYS_writev, vec![]),
        #[cfg(debug_assertions)]
        (libc::SYS_fcntl, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }

@ -870,6 +873,7 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
        (libc::SYS_sigaltstack, vec![]),
        (libc::SYS_write, vec![]),
        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }

@ -907,6 +911,7 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
        (libc::SYS_set_robust_list, vec![]),
        (libc::SYS_sigaltstack, vec![]),
        (libc::SYS_write, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }

@ -922,6 +927,7 @@ fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendE
        (libc::SYS_prctl, vec![]),
        (libc::SYS_sched_yield, vec![]),
        (libc::SYS_write, vec![]),
+        (libc::SYS_getcwd, vec![]),
    ])
 }