Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: remove timerfd_create from allow-list #2606

Merged
merged 1 commit into from
Jun 2, 2021
Merged

seccomp: remove timerfd_create from allow-list #2606

merged 1 commit into from
Jun 2, 2021

Conversation

acatangiu
Copy link
Contributor

@acatangiu acatangiu commented Jun 2, 2021
edited
Loading

Reason for This PR

Fixes #962

Description of Changes

TimerFds are used by rate-limiters, metrics, and balloon device.

Since #1494, #1735 and #1736, all of them are created before boot, thus before seccomp filters are applied.

This means we don't need timerfd_create syscall on our allow-list, and can be removed to tighten it.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

  • All commits in this PR are signed (git commit -s).
  • The reason for this PR is clearly provided (issue no. or explanation).
  • The description of changes is clear and encompassing.
  • Any required documentation changes (code and docs) are included in this PR.
  • Any newly added unsafe code is properly documented.
  • Any API changes are reflected in firecracker/swagger.yaml.
  • Any user-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.

@acatangiu
seccomp: remove timerfd_create from allow-list
826a9d1 
`TimerFd`s are used by rate-limiters, metrics, and balloon device.
All of them are created before boot, thus before seccomp filters
are applied.
This means we don't need `timerfd_create` syscall on our allow-list,
and can be removed to tighten it.

Signed-off-by: Adrian Catangiu <acatan@amazon.com>
@acatangiu acatangiu self-assigned this Jun 2, 2021
alindima
alindima approved these changes Jun 2, 2021
View reviewed changes
Copy link
Contributor

@alindima alindima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

too easy 🚀

@sandreim sandreim merged commit c484aee into firecracker-microvm:main Jun 2, 2021
@acatangiu acatangiu mentioned this pull request Jun 2, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sandreim sandreim sandreim approved these changes

@alindima alindima alindima approved these changes

Assignees

@acatangiu acatangiu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove timerfd_create() syscall from the seccomp allow-list
3 participants
@acatangiu @alindima @sandreim