Path: blob/main/resources/seccomp/aarch64-unknown-linux-musl.json
{1"vmm": {2"default_action": "trap",3"filter_action": "allow",4"filter": [5{6"syscall": "epoll_ctl"7},8{9"syscall": "epoll_pwait"10},11{12"syscall": "exit"13},14{15"syscall": "exit_group"16},17{18"syscall": "openat"19},20{21"syscall": "read"22},23{24"syscall": "write"25},26{27"syscall": "fsync"28},29{30"syscall": "close"31},32{33"syscall": "brk",34"comment": "Called for expanding the heap"35},36{37"syscall": "clock_gettime",38"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."39},40{41"syscall": "connect",42"comment": "Needed for vsock"43},44{45"syscall": "fstat",46"comment": "Used for drive patching & rescanning, for reading the local timezone from /etc/localtime"47},48{49"syscall": "ftruncate",50"comment": "Used for snapshotting"51},52{53"syscall": "lseek",54"comment": "Used by the block device"55},56{57"syscall": "mremap",58"comment": "Used for re-allocating large memory regions, for example vectors"59},60{61"syscall": "munmap",62"comment": "Used for freeing memory"63},64{65"syscall": "recvfrom",66"comment": "Used by vsock to retrieve data from the socket"67},68{69"syscall": "rt_sigreturn",70"comment": "rt_sigreturn is needed in case a fault does occur, so that the signal handler can return. 
Otherwise we get stuck in a fault loop."71},72{73"syscall": "sigaltstack",74"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."75},76{77"syscall": "accept4",78"comment": "Called to accept vsock connections",79"args": [80{81"index": 3,82"type": "dword",83"op": "eq",84"val": 524288,85"comment": "libc::SOCK_CLOEXEC"86}87]88},89{90"syscall": "fcntl",91"comment": "Used by snapshotting, drive patching and rescanning",92"args": [93{94"index": 1,95"type": "dword",96"op": "eq",97"val": 2,98"comment": "FCNTL_F_SETFD"99},100{101"index": 2,102"type": "dword",103"op": "eq",104"val": 1,105"comment": "FCNTL_FD_CLOEXEC"106}107]108},109{110"syscall": "futex",111"comment": "Used for synchronization (during thread teardown when joining multiple vcpu threads at once)",112"args": [113{114"index": 1,115"type": "dword",116"op": "eq",117"val": 0,118"comment": "FUTEX_WAIT"119}120]121},122{123"syscall": "futex",124"comment": "Used for synchronization (during thread teardown)",125"args": [126{127"index": 1,128"type": "dword",129"op": "eq",130"val": 1,131"comment": "FUTEX_WAKE"132}133]134},135{136"syscall": "futex",137"comment": "Used for synchronization",138"args": [139{140"index": 1,141"type": "dword",142"op": "eq",143"val": 128,144"comment": "FUTEX_WAIT_PRIVATE"145}146]147},148{149"syscall": "futex",150"comment": "Used for synchronization",151"args": [152{153"index": 1,154"type": "dword",155"op": "eq",156"val": 129,157"comment": "FUTEX_WAKE_PRIVATE"158}159]160},161{162"syscall": "madvise",163"comment": "Used by the VirtIO balloon device and by musl for some customer workloads",164"args": [165{166"index": 2,167"type": "dword",168"op": "eq",169"val": 4,170"comment": "libc::MADV_DONTNEED"171}172]173},174{175"syscall": "mmap",176"comment": "Used by the VirtIO balloon device",177"args": [178{179"index": 3,180"type": "dword",181"op": "eq",182"val": 50,183"comment": "libc::MAP_FIXED | libc::MAP_ANONYMOUS | 
libc::MAP_PRIVATE"184}185]186},187{188"syscall": "mmap",189"comment": "Used for reading the timezone in LocalTime::now()",190"args": [191{192"index": 3,193"type": "dword",194"op": "eq",195"val": 1,196"comment": "libc::MAP_SHARED"197}198]199},200{201"syscall": "socket",202"comment": "Called to open the vsock UDS",203"args": [204{205"index": 0,206"type": "dword",207"op": "eq",208"val": 1,209"comment": "libc::AF_UNIX"210},211{212"index": 1,213"type": "dword",214"op": "eq",215"val": 524289,216"comment": "libc::SOCK_STREAM | libc::SOCK_CLOEXEC"217},218{219"index": 2,220"type": "dword",221"op": "eq",222"val": 0223}224]225},226{227"syscall": "tkill",228"comment": "Used to kick vcpus",229"args": [230{231"index": 1,232"type": "dword",233"op": "eq",234"val": 35,235"comment": "sigrtmin() + vcpu::VCPU_RTSIG_OFFSET"236}237]238},239{240"syscall": "timerfd_settime",241"comment": "Needed for rate limiting and metrics",242"args": [243{244"index": 1,245"type": "dword",246"op": "eq",247"val": 0248}249]250},251{252"syscall": "ioctl",253"comment": "Used to make vsock UDS nonblocking",254"args": [255{256"index": 1,257"type": "dword",258"op": "eq",259"val": 21537,260"comment": "FIONBIO"261}262]263},264{265"syscall": "ioctl",266"comment": "Triggered on shutdown, to restore the initial terminal settings.",267"args": [268{269"index": 1,270"type": "dword",271"op": "eq",272"val": 21523,273"comment": "TIOCGWINSZ"274}275]276},277{278"syscall": "ioctl",279"comment": "Triggered on shutdown, to restore the initial terminal settings, only when Firecracker was launched from a shell.",280"args": [281{282"index": 1,283"type": "dword",284"op": "eq",285"val": 21505,286"comment": "TCGETS"287}288]289},290{291"syscall": "ioctl",292"comment": "Triggered on shutdown, to restore the initial terminal settings, only when Firecracker was launched from a shell.",293"args": [294{295"index": 1,296"type": "dword",297"op": "eq",298"val": 21506,299"comment": "TCSETS"300}301]302},303{304"syscall": "ioctl",305"args": 
[306{307"index": 1,308"type": "dword",309"op": "eq",310"val": 1074835010,311"comment": "KVM_GET_DIRTY_LOG"312}313]314},315{316"syscall": "ioctl",317"args": [318{319"index": 1,320"type": "dword",321"op": "eq",322"val": 1075359457,323"comment": "KVM_SET_DEVICE_ATTR"324}325]326},327{328"syscall": "ioctl",329"args": [330{331"index": 1,332"type": "dword",333"op": "eq",334"val": 1075359458,335"comment": "KVM_GET_DEVICE_ATTR"336}337]338}339]340},341"api": {342"default_action": "trap",343"filter_action": "allow",344"filter": [345{346"syscall": "epoll_ctl"347},348{349"syscall": "epoll_pwait"350},351{352"syscall": "exit"353},354{355"syscall": "exit_group"356},357{358"syscall": "openat"359},360{361"syscall": "read"362},363{364"syscall": "write"365},366{367"syscall": "close"368},369{370"syscall": "brk",371"comment": "Called for expanding the heap"372},373{374"syscall": "clock_gettime",375"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."376},377{378"syscall": "fstat",379"comment": "Used for reading the local timezone from /etc/localtime"380},381{382"syscall": "mremap",383"comment": "Used for re-allocating large memory regions, for example vectors"384},385{386"syscall": "munmap",387"comment": "Used for freeing memory"388},389{390"syscall": "recvfrom",391"comment": "Used to retrieve data from the socket"392},393{394"syscall": "rt_sigprocmask",395"comment": "rt_sigprocmask is used by Rust stdlib to remove custom signal handler during thread teardown."396},397{398"syscall": "sigaltstack",399"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."400},401{402"syscall": "accept4",403"comment": "Called to accept socket connections",404"args": [405{406"index": 3,407"type": "dword",408"op": "eq",409"val": 524288,410"comment": "libc::SOCK_CLOEXEC"411}412]413},414{415"syscall": "futex",416"comment": "Used for synchronization (during thread 
teardown)",417"args": [418{419"index": 1,420"type": "dword",421"op": "eq",422"val": 0,423"comment": "FUTEX_WAIT"424}425]426},427{428"syscall": "futex",429"comment": "Used for synchronization (during thread teardown)",430"args": [431{432"index": 1,433"type": "dword",434"op": "eq",435"val": 1,436"comment": "FUTEX_WAKE"437}438]439},440{441"syscall": "futex",442"comment": "Used for synchronization",443"args": [444{445"index": 1,446"type": "dword",447"op": "eq",448"val": 128,449"comment": "FUTEX_WAIT_PRIVATE"450}451]452},453{454"syscall": "futex",455"comment": "Used for synchronization",456"args": [457{458"index": 1,459"type": "dword",460"op": "eq",461"val": 129,462"comment": "FUTEX_WAKE_PRIVATE"463}464]465},466{467"syscall": "madvise",468"comment": "Triggered by musl for some customer workloads",469"args": [470{471"index": 2,472"type": "dword",473"op": "eq",474"val": 4,475"comment": "libc::MADV_DONTNEED"476}477]478},479{480"syscall": "mmap",481"comment": "Used for reading the timezone in LocalTime::now()",482"args": [483{484"index": 3,485"type": "dword",486"op": "eq",487"val": 1,488"comment": "libc::MAP_SHARED"489}490]491},492{493"syscall": "socket",494"comment": "Called to open the unix domain socket",495"args": [496{497"index": 0,498"type": "dword",499"op": "eq",500"val": 1,501"comment": "libc::AF_UNIX"502},503{504"index": 1,505"type": "dword",506"op": "eq",507"val": 524289,508"comment": "libc::SOCK_STREAM | libc::SOCK_CLOEXEC"509},510{511"index": 2,512"type": "dword",513"op": "eq",514"val": 0515}516]517},518{519"syscall": "ioctl",520"comment": "Used to make api socket nonblocking",521"args": [522{523"index": 1,524"type": "dword",525"op": "eq",526"val": 21537,527"comment": "FIONBIO"528}529]530}531]532},533"vcpu": {534"default_action": "trap",535"filter_action": "allow",536"filter": [537{538"syscall": "exit"539},540{541"syscall": "exit_group"542},543{544"syscall": "write"545},546{547"syscall": "openat"548},549{550"syscall": "close"551},552{553"syscall": 
"fstat",554"comment": "Used for reading the local timezone from /etc/localtime"555},556{557"syscall": "brk",558"comment": "Called for expanding the heap"559},560{561"syscall": "clock_gettime",562"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."563},564{565"syscall": "mremap",566"comment": "Used for re-allocating large memory regions, for example vectors"567},568{569"syscall": "munmap",570"comment": "Used for freeing memory"571},572{573"syscall": "rt_sigprocmask",574"comment": "rt_sigprocmask is used by Rust stdlib to remove custom signal handler during thread teardown."575},576{577"syscall": "rt_sigreturn",578"comment": "rt_sigreturn is needed in case a fault does occur, so that the signal handler can return. Otherwise we get stuck in a fault loop."579},580{581"syscall": "sigaltstack",582"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."583},584{585"syscall": "futex",586"comment": "Used for synchronization (during thread teardown when joining multiple vcpu threads at once)",587"args": [588{589"index": 1,590"type": "dword",591"op": "eq",592"val": 0,593"comment": "FUTEX_WAIT"594}595]596},597{598"syscall": "futex",599"comment": "Used for synchronization (during thread teardown)",600"args": [601{602"index": 1,603"type": "dword",604"op": "eq",605"val": 1,606"comment": "FUTEX_WAKE"607}608]609},610{611"syscall": "futex",612"comment": "Used for synchronization",613"args": [614{615"index": 1,616"type": "dword",617"op": "eq",618"val": 128,619"comment": "FUTEX_WAIT_PRIVATE"620}621]622},623{624"syscall": "futex",625"comment": "Used for synchronization",626"args": [627{628"index": 1,629"type": "dword",630"op": "eq",631"val": 129,632"comment": "FUTEX_WAKE_PRIVATE"633}634]635},636{637"syscall": "madvise",638"comment": "Triggered by musl for some customer workloads",639"args": [640{641"index": 2,642"type": "dword",643"op": 
"eq",644"val": 4,645"comment": "libc::MADV_DONTNEED"646}647]648},649{650"syscall": "mmap",651"comment": "Used for reading the timezone in LocalTime::now()",652"args": [653{654"index": 3,655"type": "dword",656"op": "eq",657"val": 1,658"comment": "libc::MAP_SHARED"659}660]661},662{663"syscall": "timerfd_settime",664"comment": "Needed for updating the balloon statistics interval",665"args": [666{667"index": 1,668"type": "dword",669"op": "eq",670"val": 0671}672]673},674{675"syscall": "ioctl",676"args": [677{678"index": 1,679"type": "dword",680"op": "eq",681"val": 44672,682"comment": "KVM_RUN"683}684]685},686{687"syscall": "ioctl",688"args": [689{690"index": 1,691"type": "dword",692"op": "eq",693"val": 2147790488,694"comment": "KVM_GET_MP_STATE"695}696]697},698{699"syscall": "ioctl",700"args": [701{702"index": 1,703"type": "dword",704"op": "eq",705"val": 1074048665,706"comment": "KVM_SET_MP_STATE"707}708]709},710{711"syscall": "ioctl",712"args": [713{714"index": 1,715"type": "dword",716"op": "eq",717"val": 2151722655,718"comment": "KVM_GET_VCPU_EVENTS"719}720]721},722{723"syscall": "ioctl",724"args": [725{726"index": 1,727"type": "dword",728"op": "eq",729"val": 1077980832,730"comment": "KVM_SET_VCPU_EVENTS"731}732]733},734{735"syscall": "ioctl",736"args": [737{738"index": 1,739"type": "dword",740"op": "eq",741"val": 1074835115,742"comment": "KVM_GET_ONE_REG"743}744]745},746{747"syscall": "ioctl",748"args": [749{750"index": 1,751"type": "dword",752"op": "eq",753"val": 1074835116,754"comment": "KVM_SET_ONE_REG"755}756]757},758{759"syscall": "ioctl",760"args": [761{762"index": 1,763"type": "dword",764"op": "eq",765"val": 3221794480,766"comment": "KVM_GET_REG_LIST"767}768]769}770]771}772}773774775