seccomp: allow madvise(DONT_NEED) on all threads
This is a system call used on the vmm thread by the balloon
device. It was also called by the musl toolchain for some
workloads.

When the per-thread triage of the allowlist was performed,
the syscall was allowed only on the vmm thread.
We are however unsure of the calling thread, since we do not
have any test to reproduce it.

Adding it on all thread categories, to be sure we're not
adding a regression.

Signed-off-by: alindima <alindima@amazon.com>
alindima authored and acatangiu committed Jul 5, 2021
1 parent d7c6303 commit 6b4a4b1
Showing 2 changed files with 54 additions and 2 deletions.
28 changes: 27 additions & 1 deletion resources/seccomp/aarch64-unknown-linux-musl.json
Expand Up @@ -161,7 +161,7 @@
},
{
"syscall": "madvise",
"comment": "Used by the VirtIO balloon device",
"comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
"args": [
{
"index": 2,
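Review bot: The updated comment on this first `madvise` entry says musl calls it on this thread, but the commit message states that the calling thread is unknown and that no test reproduces it. Word the musl part as unconfirmed, for example "Used by the VirtIO balloon device; possibly also by musl", and name the musl code path once it is identified, since "some customer workloads" gives a later maintainer nothing to verify against.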
Expand Down Expand Up @@ -464,6 +464,19 @@
}
]
},
{
"syscall": "madvise",
"comment": "Triggered by musl for some customer workloads",
"args": [
{
"index": 2,
"type": "dword",
"op": "eq",
"val": 4,
"comment": "libc::MADV_DONTNEED"
}
]
},
{
"syscall": "mmap",
"comment": "Used for reading the timezone in LocalTime::now()",
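Review bot: This `madvise` rule is added to another thread category without evidence that the thread ever issues the call (the commit message says there is no reproducer), so the allowlist grows on a guess. The rule is kept narrow by matching only `"index": 2` against `"val": 4` (MADV_DONTNEED), but that advice discards the contents of the targeted pages in the process's own address space, which not every thread needs to be able to do. Track a follow-up to find the real caller, for instance by running the affected workload under a seccomp action that logs instead of killing, and drop the rule from the categories that never hit it.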
Expand Down Expand Up @@ -621,6 +634,19 @@
}
]
},
{
"syscall": "madvise",
"comment": "Triggered by musl for some customer workloads",
"args": [
{
"index": 2,
"type": "dword",
"op": "eq",
"val": 4,
"comment": "libc::MADV_DONTNEED"
}
]
},
{
"syscall": "mmap",
"comment": "Used for reading the timezone in LocalTime::now()",
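Review bot: The comment "Triggered by musl for some customer workloads" on this further copy of the rule reads as an established fact, while the commit message describes the entry as a precaution against a regression. Say in the comment that the entry is precautionary and point to a tracking issue, so a later per-thread triage knows this copy can be removed if the thread never calls madvise.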
28 changes: 27 additions & 1 deletion resources/seccomp/x86_64-unknown-linux-musl.json
Expand Up @@ -161,7 +161,7 @@
},
{
"syscall": "madvise",
"comment": "Used by the VirtIO balloon device",
"comment": "Used by the VirtIO balloon device and by musl for some customer workloads",
"args": [
{
"index": 2,
Expand Down Expand Up @@ -476,6 +476,19 @@
}
]
},
{
"syscall": "madvise",
"comment": "Triggered by musl for some customer workloads",
"args": [
{
"index": 2,
"type": "dword",
"op": "eq",
"val": 4,
"comment": "libc::MADV_DONTNEED"
}
]
},
{
"syscall": "mmap",
"comment": "Used for reading the timezone in LocalTime::now()",
Expand Down Expand Up @@ -633,6 +646,19 @@
}
]
},
{
"syscall": "madvise",
"comment": "Triggered by musl for some customer workloads",
"args": [
{
"index": 2,
"type": "dword",
"op": "eq",
"val": 4,
"comment": "libc::MADV_DONTNEED"
}
]
},
{
"syscall": "mmap",
"comment": "Used for reading the timezone in LocalTime::now()",
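Review bot: The x86_64 file mirrors the aarch64 change entry for entry, and the commit touches only the two filter JSON files, so a change to the default filters lands with no test and no changelog note. Add a changelog line and, if the workload can be reduced to a reproducer, an integration test that issues madvise with MADV_DONTNEED from each thread category the rule was added to.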