From 4cb276be895c9d937a3cef83c8c275e4dfdd5759 Mon Sep 17 00:00:00 2001
From: Sebastian Eydam <sebastian.eydam@cyberus-technology.de>
Date: Tue, 2 Jun 2026 09:39:32 +0200
Subject: [PATCH 1/2] vmm: seccomp: add read to event-monitor allowlist

Seccomp violation found in
https://gitlab.cyberus-technology.de/cyberus/cloud/libvirt/-/jobs/2109117

On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam <sebastian.eydam@cyberus-technology.de>
---
 vmm/src/seccomp_filters.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 7ab3ab63b8..4381b14be8 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -1041,6 +1041,7 @@ fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendE
         (libc::SYS_sched_yield, vec![]),
         (libc::SYS_write, vec![]),
         (libc::SYS_madvise, vec![]),
+        (libc::SYS_read, vec![]),
     ])
 }
 

From b4fe3664bd52c05dcd1f94e25915e78f28bb3568 Mon Sep 17 00:00:00 2001
From: Sebastian Eydam <sebastian.eydam@cyberus-technology.de>
Date: Tue, 2 Jun 2026 09:42:21 +0200
Subject: [PATCH 2/2] vmm: seccomp: add read to http-server allowlist

Seccomp violation found in
https://gitlab.cyberus-technology.de/cyberus/cloud/libvirt/-/jobs/2109212

On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam <sebastian.eydam@cyberus-technology.de>
---
 vmm/src/seccomp_filters.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
index 4381b14be8..69c4a83f3f 100644
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@@ -988,6 +988,7 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
         (libc::SYS_rt_sigprocmask, vec![]),
         (libc::SYS_getcwd, vec![]),
         (libc::SYS_clock_nanosleep, vec![]),
+        (libc::SYS_read, vec![]),
     ])
 }