From 5c9c9044507ce3db6fab15de4cc94d295bb16fbc Mon Sep 17 00:00:00 2001
From: Sebastian Eydam
Date: Fri, 17 Apr 2026 15:22:18 +0200
Subject: [PATCH 1/2] vmm: add seccomp rules for absolute timestamps

The function used to create the absolute timestamps uses the readlink and openat syscalls. We always add these two seccomp rules, because every thread may do logging.

On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam
---
 vmm/src/seccomp_filters.rs | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 8b4996ccc5..70bf253117 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -1043,20 +1043,28 @@ fn event_monitor_thread_rules() -> Result)>, BackendE
     ])
 }
 
+/// Rules needed to print absolute timestamps.
+fn logging_rules() -> Vec<(i64, Vec)> {
+    vec![(libc::SYS_readlink, vec![]), (libc::SYS_openat, vec![])]
+}
+
 fn get_seccomp_rules(
     thread_type: Thread,
     hypervisor_type: HypervisorType,
 ) -> Result)>, BackendError> {
-    match thread_type {
-        Thread::HttpApi => Ok(http_api_thread_rules()?),
+    let mut rules = match thread_type {
+        Thread::HttpApi => http_api_thread_rules()?,
         #[cfg(feature = "dbus_api")]
-        Thread::DBusApi => Ok(dbus_api_thread_rules()?),
-        Thread::EventMonitor => Ok(event_monitor_thread_rules()?),
-        Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
-        Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
-        Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),
-        Thread::PtyForeground => Ok(pty_foreground_thread_rules()?),
-    }
+        Thread::DBusApi => dbus_api_thread_rules()?,
+        Thread::EventMonitor => event_monitor_thread_rules()?,
+        Thread::SignalHandler => signal_handler_thread_rules()?,
+        Thread::Vcpu => vcpu_thread_rules(hypervisor_type)?,
+        Thread::Vmm => vmm_thread_rules(hypervisor_type)?,
+        Thread::PtyForeground => pty_foreground_thread_rules()?,
+    };
+
+    rules.append(&mut logging_rules());
+    Ok(rules)
 }
 
 /// Generate a BPF program based on the seccomp_action value

From 93a82a2fb943d2bc479ee17babf178c7bc3177c8 Mon Sep 17 00:00:00 2001
From: Sebastian Eydam
Date: Fri, 17 Apr 2026 15:24:20 +0200
Subject: [PATCH 2/2] virtio-devices: add seccomp rules for absolute timestamps

The function used to create the absolute teimstamps uses the readlink and openat syscalls. We always add these two seccomp rules, because every thread may do logging.

On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam
---
 virtio-devices/src/seccomp_filters.rs | 6 ++++++
 1 file changed, 6 insertions(+)
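Review bot: `logging_rules()` adds `openat` and `readlink` with empty argument-filter lists to every thread type, including `Vcpu` and `SignalHandler`, which widens each thread's sandbox to opening arbitrary paths — seccomp-BPF cannot match on the pathname argument, so this cannot later be narrowed to the time-zone files. Since the commit message says these syscalls come from building absolute timestamps (presumably reading local time-zone data), consider resolving and caching that information once in the main thread before the filters are applied so the per-thread logging path needs neither syscall, or at least append `logging_rules()` only when absolute-timestamp logging is enabled. If this crate also builds for aarch64, `libc::SYS_readlink` is not defined there (the generic syscall table only has `SYS_readlinkat`), so the rule likely needs a `target_arch` cfg split. The same applies to the identical `logging_rules()` added to virtio-devices/src/seccomp_filters.rs in the second patch; a doc comment such as `/// Syscalls used by the absolute-timestamp formatter; added to every thread because any thread may log.` would record why the rules are unconditional.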
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 73c347edef..402b22721f 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -286,6 +286,11 @@ fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec)> {
     ]
 }
 
+/// Rules needed to print absolute timestamps.
+fn logging_rules() -> Vec<(i64, Vec)> {
+    vec![(libc::SYS_readlink, vec![]), (libc::SYS_openat, vec![])]
+}
+
 fn get_seccomp_rules(thread_type: Thread) -> Vec<(i64, Vec)> {
     let mut rules = match thread_type {
         Thread::VirtioBalloon => virtio_balloon_thread_rules(),
@@ -306,6 +311,7 @@ fn get_seccomp_rules(thread_type: Thread) -> Vec<(i64, Vec)> {
         Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
     };
     rules.append(&mut virtio_thread_common());
+    rules.append(&mut logging_rules());
     rules
 }