seccomp: allow TUNSETOFFLOAD ioctl in the vCPU threads

bchalios · bchalios · commit cb3b00ec08b6 · 2024-07-17T10:49:51.000+02:00
Before, we were calling this ioctl() from the VMM thread when creating
the virtio network device. Moreover, this ioctl() was called before
setting up seccomp filters. Now, we call it during device activation,
which is handled by the vCPU threads. Change the seccomp filters to
allow these ioctl()s.

Signed-off-by: Babis Chalios &lt;bchalios@amazon.es&gt;
diff --git a/resources/seccomp/aarch64-unknown-linux-musl.json b/resources/seccomp/aarch64-unknown-linux-musl.json
@@ -1038,6 +1038,18 @@
                     }
                 ]
             },
+            {
+                "syscall": "ioctl",
+                "args": [
+                    {
+                        "index": 1,
+                        "type": "dword",
+                        "op": "eq",
+                        "val": 1074025680,
+                        "comment": "TUNSETOFFLOAD"
+                    }
+                ]
+            },
             {
                 "syscall": "sched_yield",
                 "comment": "Used by the rust standard library in std::sync::mpmc. Firecracker uses mpsc channels from this module for inter-thread communication"
diff --git a/resources/seccomp/x86_64-unknown-linux-musl.json b/resources/seccomp/x86_64-unknown-linux-musl.json
@@ -1238,6 +1238,18 @@
                     }
                 ]
             },
+            {
+                "syscall": "ioctl",
+                "args": [
+                    {
+                        "index": 1,
+                        "type": "dword",
+                        "op": "eq",
+                        "val": 1074025680,
+                        "comment": "TUNSETOFFLOAD"
+                    }
+                ]
+            },
             {
                 "syscall": "sched_yield",
                 "comment": "Used by the rust standard library in std::sync::mpmc. Firecracker uses mpsc channels from this module for inter-thread communication"

Original file line number	Diff line number	Diff line change
`@@ -1038,6 +1038,18 @@`
`1038`	`1038`	`}`
`1039`	`1039`	`]`
`1040`	`1040`	`},`
	`1041`	`+ {`
	`1042`	`+ "syscall": "ioctl",`
	`1043`	`+ "args": [`
	`1044`	`+ {`
	`1045`	`+ "index": 1,`
	`1046`	`+ "type": "dword",`
	`1047`	`+ "op": "eq",`
	`1048`	`+ "val": 1074025680,`
	`1049`	`+ "comment": "TUNSETOFFLOAD"`
	`1050`	`+ }`
	`1051`	`+ ]`
	`1052`	`+ },`
`1041`	`1053`	`{`
`1042`	`1054`	`"syscall": "sched_yield",`
`1043`	`1055`	`"comment": "Used by the rust standard library in std::sync::mpmc. Firecracker uses mpsc channels from this module for inter-thread communication"`
Original file line number	Diff line number	Diff line change
`@@ -1238,6 +1238,18 @@`
`1238`	`1238`	`}`
`1239`	`1239`	`]`
`1240`	`1240`	`},`
	`1241`	`+ {`
	`1242`	`+ "syscall": "ioctl",`
	`1243`	`+ "args": [`
	`1244`	`+ {`
	`1245`	`+ "index": 1,`
	`1246`	`+ "type": "dword",`
	`1247`	`+ "op": "eq",`
	`1248`	`+ "val": 1074025680,`
	`1249`	`+ "comment": "TUNSETOFFLOAD"`
	`1250`	`+ }`
	`1251`	`+ ]`
	`1252`	`+ },`
`1241`	`1253`	`{`
`1242`	`1254`	`"syscall": "sched_yield",`
`1243`	`1255`	`"comment": "Used by the rust standard library in std::sync::mpmc. Firecracker uses mpsc channels from this module for inter-thread communication"`