seccomp: allow syscalls used in rust panic

georgepisaltu · berciuliviu · commit 552cf7d23d2f · 2021-07-21T12:06:42.000+03:00
Signed-off-by: George Pisaltu &lt;gpl@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [Unreleased]
+
+### Fixed
+
+- Fixed seccomp blocking syscalls necessary for Rust panics.
+
 ## [0.24.4]
 
 ### Fixed
diff --git a/src/vmm/src/default_syscalls/filters.rs b/src/vmm/src/default_syscalls/filters.rs
@@ -115,6 +115,11 @@ pub fn default_filter() -> Result<SeccompFilter, Error> {
             allow_syscall(libc::SYS_read),
             // Used by the API thread and vsock
             allow_syscall(libc::SYS_recvfrom),
+            allow_syscall_if(
+                libc::SYS_rt_sigaction,
+                or![and![Cond::new(0, ArgLen::DWORD, Eq, libc::SIGABRT as u64)?]],
+            ),
+            allow_syscall(libc::SYS_rt_sigprocmask),
             // SYS_rt_sigreturn is needed in case a fault does occur, so that the signal handler
             // can return. Otherwise we get stuck in a fault loop.
             allow_syscall(libc::SYS_rt_sigreturn),
@@ -135,12 +140,15 @@ pub fn default_filter() -> Result<SeccompFilter, Error> {
             // Used to kick vcpus
             allow_syscall_if(
                 libc::SYS_tkill,
-                or![and![Cond::new(
-                    1,
-                    ArgLen::DWORD,
-                    Eq,
-                    (sigrtmin() + super::super::vstate::vcpu::VCPU_RTSIG_OFFSET) as u64
-                )?]],
+                or![
+                    and![Cond::new(
+                        1,
+                        ArgLen::DWORD,
+                        Eq,
+                        (sigrtmin() + super::super::vstate::vcpu::VCPU_RTSIG_OFFSET) as u64
+                    )?],
+                    and![Cond::new(1, ArgLen::DWORD, Eq, libc::SIGABRT as u64)?],
+                ],
             ),
             // Used to kick vcpus, on gnu
             #[cfg(target_env = "gnu")]
diff --git a/tests/integration_tests/build/test_coverage.py b/tests/integration_tests/build/test_coverage.py
@@ -23,7 +23,7 @@
 # this contains the frequency while on AMD it does not.
 # Checkout the cpuid crate. In the future other
 # differences may appear.
-COVERAGE_DICT = {"Intel": 85.1, "AMD": 84.37, "ARM": 83.16}
+COVERAGE_DICT = {"Intel": 85.15, "AMD": 84.37, "ARM": 83.07}
 
 PROC_MODEL = proc.proc_type()
 
