From 2e4fa9a27f079b46468b3166b78a91ce2a9e53e7 Mon Sep 17 00:00:00 2001
From: Sebastian Eydam
Date: Fri, 17 Apr 2026 15:22:18 +0200
Subject: [PATCH 1/2] vmm: add seccomp rules for absolute timestamps
The function used to create the absolute timestamps uses the readlink and openat syscalls. We always add these two seccomp rules, because every thread may do logging.
On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam
---
 vmm/src/seccomp_filters.rs | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 4da2c767f3..870882d321 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -939,20 +939,28 @@ fn event_monitor_thread_rules() -> Result)>, BackendE
 ])
 }
+/// Rules needed to print absolute timestamps.
+fn logging_rules() -> Vec<(i64, Vec)> {
+ vec![(libc::SYS_readlink, vec![]), (libc::SYS_openat, vec![])]
+}
+
 fn get_seccomp_rules(
 thread_type: Thread,
 hypervisor_type: HypervisorType,
 ) -> Result)>, BackendError> {
- match thread_type {
- Thread::HttpApi => Ok(http_api_thread_rules()?),
+ let mut rules = match thread_type {
+ Thread::HttpApi => http_api_thread_rules()?,
 #[cfg(feature = "dbus_api")]
- Thread::DBusApi => Ok(dbus_api_thread_rules()?),
- Thread::EventMonitor => Ok(event_monitor_thread_rules()?),
- Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
- Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
- Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),
- Thread::PtyForeground => Ok(pty_foreground_thread_rules()?),
- }
+ Thread::DBusApi => dbus_api_thread_rules()?,
+ Thread::EventMonitor => event_monitor_thread_rules()?,
+ Thread::SignalHandler => signal_handler_thread_rules()?,
+ Thread::Vcpu => vcpu_thread_rules(hypervisor_type)?,
+ Thread::Vmm => vmm_thread_rules(hypervisor_type)?,
+ Thread::PtyForeground => pty_foreground_thread_rules()?,
+ };
+
+ rules.append(&mut logging_rules());
+ Ok(rules)
 }
 /// Generate a BPF program based on the seccomp_action value
From ae15b70daa2e1f5aa555ba76731e924d4c008ed1 Mon Sep 17 00:00:00 2001
From: Sebastian Eydam
Date: Fri, 17 Apr 2026 15:24:20 +0200
Subject: [PATCH 2/2] virtio-devices: add seccomp rules for absolute timestamps
The function used to create the absolute teimstamps uses the readlink and openat syscalls. We always add these two seccomp rules, because every thread may do logging.
On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam
---
 virtio-devices/src/seccomp_filters.rs | 6 ++++++
 1 file changed, 6 insertions(+)
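Review bot: `logging_rules()` registers `SYS_openat` and `SYS_readlink` with an empty rule list, which under the convention this file uses (empty conditions = allow unconditionally, as far as I can tell) means every thread produced by `get_seccomp_rules`, the vCPU and signal-handler threads included, may now open any path with any flags; the two virtio-devices hunks in the second patch widen every device thread the same way. If the consumer is the libc local-time lookup the message hints at (presumably `/etc/localtime`), two narrower options are worth weighing before accepting the blanket allow: perform the time-zone initialisation once on the main thread before the filters are installed so the per-thread rule is unnecessary (depends on the libc caching the zone, which needs checking), or attach an argument condition on `openat` that limits the flags to a read-only open. Whichever is chosen, the doc comment should state the scope of the widening, e.g. `/// Rules needed to print absolute timestamps (local-time lookup opens and readlinks the zone file); both syscalls are allowed unconditionally on every thread.`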
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 5afd056a6b..9d5cd235c5 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -258,6 +258,11 @@ fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec)> {
 ]
 }
+/// Rules needed to print absolute timestamps.
+fn logging_rules() -> Vec<(i64, Vec)> {
+ vec![(libc::SYS_readlink, vec![]), (libc::SYS_openat, vec![])]
+}
+
 fn get_seccomp_rules(thread_type: Thread) -> Vec<(i64, Vec)> {
 let mut rules = match thread_type {
 Thread::VirtioBalloon => virtio_balloon_thread_rules(),
@@ -277,6 +282,7 @@ fn get_seccomp_rules(thread_type: Thread) -> Vec<(i64, Vec)> {
 Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
 };
 rules.append(&mut virtio_thread_common());
+ rules.append(&mut logging_rules());
 rules
 }
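Review bot: The `logging_rules()` added in the first hunk is a byte-for-byte copy of the one the first patch adds to vmm/src/seccomp_filters.rs, so the two allowlists will drift the first time one of them is tightened or given argument conditions and the other is not. If the crate dependency direction allows it, define the rule set once and import it from the other crate; if it does not, a comment pointing at the twin definition, e.g. `/// Keep in sync with logging_rules() in vmm/src/seccomp_filters.rs.`, makes the coupling visible. In the second hunk the extra `rules.append(&mut logging_rules());` could also be folded into `virtio_thread_common()`, since that function already carries the rules every virtio thread receives and `get_seccomp_rules` would then stay a pure dispatch.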