{1"vmm": {2"default_action": "trap",3"filter_action": "allow",4"filter": [5{6"syscall": "epoll_ctl"7},8{9"syscall": "epoll_pwait"10},11{12"syscall": "exit"13},14{15"syscall": "exit_group"16},17{18"syscall": "open"19},20{21"syscall": "read"22},23{24"syscall": "write"25},26{27"syscall": "fsync"28},29{30"syscall": "close"31},32{33"syscall": "brk",34"comment": "Called for expanding the heap"35},36{37"syscall": "clock_gettime",38"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."39},40{41"syscall": "connect",42"comment": "Needed for vsock"43},44{45"syscall": "fstat",46"comment": "Used for drive patching & rescanning, for reading the local timezone from /etc/localtime"47},48{49"syscall": "ftruncate",50"comment": "Used for snapshotting"51},52{53"syscall": "lseek",54"comment": "Used by the block device"55},56{57"syscall": "mremap",58"comment": "Used for re-allocating large memory regions, for example vectors"59},60{61"syscall": "munmap",62"comment": "Used for freeing memory"63},64{65"syscall": "recvfrom",66"comment": "Used by vsock to retrieve data from the socket"67},68{69"syscall": "rt_sigreturn",70"comment": "rt_sigreturn is needed in case a fault does occur, so that the signal handler can return. 
Otherwise we get stuck in a fault loop."71},72{73"syscall": "sigaltstack",74"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."75},76{77"syscall": "accept4",78"comment": "Called to accept vsock connections",79"args": [80{81"index": 3,82"type": "dword",83"op": "eq",84"val": 524288,85"comment": "libc::SOCK_CLOEXEC"86}87]88},89{90"syscall": "fcntl",91"comment": "Used by snapshotting, drive patching and rescanning",92"args": [93{94"index": 1,95"type": "dword",96"op": "eq",97"val": 2,98"comment": "FCNTL_F_SETFD"99},100{101"index": 2,102"type": "dword",103"op": "eq",104"val": 1,105"comment": "FCNTL_FD_CLOEXEC"106}107]108},109{110"syscall": "futex",111"comment": "Used for synchronization (during thread teardown when joining multiple vcpu threads at once)",112"args": [113{114"index": 1,115"type": "dword",116"op": "eq",117"val": 0,118"comment": "FUTEX_WAIT"119}120]121},122{123"syscall": "futex",124"comment": "Used for synchronization (during thread teardown)",125"args": [126{127"index": 1,128"type": "dword",129"op": "eq",130"val": 1,131"comment": "FUTEX_WAKE"132}133]134},135{136"syscall": "futex",137"comment": "Used for synchronization",138"args": [139{140"index": 1,141"type": "dword",142"op": "eq",143"val": 128,144"comment": "FUTEX_WAIT_PRIVATE"145}146]147},148{149"syscall": "futex",150"comment": "Used for synchronization",151"args": [152{153"index": 1,154"type": "dword",155"op": "eq",156"val": 129,157"comment": "FUTEX_WAKE_PRIVATE"158}159]160},161{162"syscall": "madvise",163"comment": "Used by the VirtIO balloon device and by musl for some customer workloads",164"args": [165{166"index": 2,167"type": "dword",168"op": "eq",169"val": 4,170"comment": "libc::MADV_DONTNEED"171}172]173},174{175"syscall": "mmap",176"comment": "Used by the VirtIO balloon device",177"args": [178{179"index": 3,180"type": "dword",181"op": "eq",182"val": 50,183"comment": "libc::MAP_FIXED | libc::MAP_ANONYMOUS | 
libc::MAP_PRIVATE"184}185]186},187{188"syscall": "mmap",189"comment": "Used for reading the timezone in LocalTime::now()",190"args": [191{192"index": 3,193"type": "dword",194"op": "eq",195"val": 1,196"comment": "libc::MAP_SHARED"197}198]199},200{201"syscall": "socket",202"comment": "Called to open the vsock UDS",203"args": [204{205"index": 0,206"type": "dword",207"op": "eq",208"val": 1,209"comment": "libc::AF_UNIX"210},211{212"index": 1,213"type": "dword",214"op": "eq",215"val": 524289,216"comment": "libc::SOCK_STREAM | libc::SOCK_CLOEXEC"217},218{219"index": 2,220"type": "dword",221"op": "eq",222"val": 0223}224]225},226{227"syscall": "tkill",228"comment": "Used to kick vcpus",229"args": [230{231"index": 1,232"type": "dword",233"op": "eq",234"val": 35,235"comment": "sigrtmin() + vcpu::VCPU_RTSIG_OFFSET"236}237]238},239{240"syscall": "timerfd_settime",241"comment": "Needed for rate limiting and metrics",242"args": [243{244"index": 1,245"type": "dword",246"op": "eq",247"val": 0248}249]250},251{252"syscall": "ioctl",253"comment": "Used to make vsock UDS nonblocking",254"args": [255{256"index": 1,257"type": "dword",258"op": "eq",259"val": 21537,260"comment": "FIONBIO"261}262]263},264{265"syscall": "ioctl",266"comment": "Triggered on shutdown, to restore the initial terminal settings.",267"args": [268{269"index": 1,270"type": "dword",271"op": "eq",272"val": 21523,273"comment": "TIOCGWINSZ"274}275]276},277{278"syscall": "ioctl",279"comment": "Triggered on shutdown, to restore the initial terminal settings, only when Firecracker was launched from a shell.",280"args": [281{282"index": 1,283"type": "dword",284"op": "eq",285"val": 21505,286"comment": "TCGETS"287}288]289},290{291"syscall": "ioctl",292"comment": "Triggered on shutdown, to restore the initial terminal settings, only when Firecracker was launched from a shell.",293"args": [294{295"index": 1,296"type": "dword",297"op": "eq",298"val": 21506,299"comment": "TCSETS"300}301]302},303{304"syscall": "ioctl",305"args": 
[306{307"index": 1,308"type": "dword",309"op": "eq",310"val": 1074835010,311"comment": "KVM_GET_DIRTY_LOG"312}313]314},315{316"syscall": "ioctl",317"args": [318{319"index": 1,320"type": "dword",321"op": "eq",322"val": 3255348834,323"comment": "KVM_GET_IRQCHIP"324}325]326},327{328"syscall": "ioctl",329"args": [330{331"index": 1,332"type": "dword",333"op": "eq",334"val": 2150674044,335"comment": "KVM_GET_CLOCK"336}337]338},339{340"syscall": "ioctl",341"args": [342{343"index": 1,344"type": "dword",345"op": "eq",346"val": 2154868383,347"comment": "KVM_GET_PIT2"348}349]350}351]352},353"api": {354"default_action": "trap",355"filter_action": "allow",356"filter": [357{358"syscall": "epoll_ctl"359},360{361"syscall": "epoll_pwait"362},363{364"syscall": "exit"365},366{367"syscall": "exit_group"368},369{370"syscall": "open"371},372{373"syscall": "read"374},375{376"syscall": "write"377},378{379"syscall": "close"380},381{382"syscall": "brk",383"comment": "Called for expanding the heap"384},385{386"syscall": "clock_gettime",387"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. 
It's not called on some platforms, because of vdso optimisations."388},389{390"syscall": "fstat",391"comment": "Used for reading the local timezone from /etc/localtime"392},393{394"syscall": "mremap",395"comment": "Used for re-allocating large memory regions, for example vectors"396},397{398"syscall": "munmap",399"comment": "Used for freeing memory"400},401{402"syscall": "recvfrom",403"comment": "Used to retrieve data from the socket"404},405{406"syscall": "rt_sigprocmask",407"comment": "rt_sigprocmask is used by Rust stdlib to remove custom signal handler during thread teardown."408},409{410"syscall": "sigaltstack",411"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."412},413{414"syscall": "accept4",415"comment": "Called to accept socket connections",416"args": [417{418"index": 3,419"type": "dword",420"op": "eq",421"val": 524288,422"comment": "libc::SOCK_CLOEXEC"423}424]425},426{427"syscall": "futex",428"comment": "Used for synchronization (during thread teardown)",429"args": [430{431"index": 1,432"type": "dword",433"op": "eq",434"val": 0,435"comment": "FUTEX_WAIT"436}437]438},439{440"syscall": "futex",441"comment": "Used for synchronization (during thread teardown)",442"args": [443{444"index": 1,445"type": "dword",446"op": "eq",447"val": 1,448"comment": "FUTEX_WAKE"449}450]451},452{453"syscall": "futex",454"comment": "Used for synchronization",455"args": [456{457"index": 1,458"type": "dword",459"op": "eq",460"val": 128,461"comment": "FUTEX_WAIT_PRIVATE"462}463]464},465{466"syscall": "futex",467"comment": "Used for synchronization",468"args": [469{470"index": 1,471"type": "dword",472"op": "eq",473"val": 129,474"comment": "FUTEX_WAKE_PRIVATE"475}476]477},478{479"syscall": "madvise",480"comment": "Triggered by musl for some customer workloads",481"args": [482{483"index": 2,484"type": "dword",485"op": "eq",486"val": 4,487"comment": "libc::MADV_DONTNEED"488}489]490},491{492"syscall": "mmap",493"comment": "Used 
for reading the timezone in LocalTime::now()",494"args": [495{496"index": 3,497"type": "dword",498"op": "eq",499"val": 1,500"comment": "libc::MAP_SHARED"501}502]503},504{505"syscall": "socket",506"comment": "Called to open the unix domain socket",507"args": [508{509"index": 0,510"type": "dword",511"op": "eq",512"val": 1,513"comment": "libc::AF_UNIX"514},515{516"index": 1,517"type": "dword",518"op": "eq",519"val": 524289,520"comment": "libc::SOCK_STREAM | libc::SOCK_CLOEXEC"521},522{523"index": 2,524"type": "dword",525"op": "eq",526"val": 0527}528]529},530{531"syscall": "ioctl",532"comment": "Used to make api socket nonblocking",533"args": [534{535"index": 1,536"type": "dword",537"op": "eq",538"val": 21537,539"comment": "FIONBIO"540}541]542}543]544},545"vcpu": {546"default_action": "trap",547"filter_action": "allow",548"filter": [549{550"syscall": "exit"551},552{553"syscall": "exit_group"554},555{556"syscall": "write"557},558{559"syscall": "open"560},561{562"syscall": "close"563},564{565"syscall": "fstat",566"comment": "Used for reading the local timezone from /etc/localtime"567},568{569"syscall": "brk",570"comment": "Called for expanding the heap"571},572{573"syscall": "clock_gettime",574"comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."575},576{577"syscall": "mremap",578"comment": "Used for re-allocating large memory regions, for example vectors"579},580{581"syscall": "munmap",582"comment": "Used for freeing memory"583},584{585"syscall": "rt_sigprocmask",586"comment": "rt_sigprocmask is used by Rust stdlib to remove custom signal handler during thread teardown."587},588{589"syscall": "rt_sigreturn",590"comment": "rt_sigreturn is needed in case a fault does occur, so that the signal handler can return. 
Otherwise we get stuck in a fault loop."591},592{593"syscall": "sigaltstack",594"comment": "sigaltstack is used by Rust stdlib to remove alternative signal stack during thread teardown."595},596{597"syscall": "futex",598"comment": "Used for synchronization (during thread teardown when joining multiple vcpu threads at once)",599"args": [600{601"index": 1,602"type": "dword",603"op": "eq",604"val": 0,605"comment": "FUTEX_WAIT"606}607]608},609{610"syscall": "futex",611"comment": "Used for synchronization (during thread teardown)",612"args": [613{614"index": 1,615"type": "dword",616"op": "eq",617"val": 1,618"comment": "FUTEX_WAKE"619}620]621},622{623"syscall": "futex",624"comment": "Used for synchronization",625"args": [626{627"index": 1,628"type": "dword",629"op": "eq",630"val": 128,631"comment": "FUTEX_WAIT_PRIVATE"632}633]634},635{636"syscall": "futex",637"comment": "Used for synchronization",638"args": [639{640"index": 1,641"type": "dword",642"op": "eq",643"val": 129,644"comment": "FUTEX_WAKE_PRIVATE"645}646]647},648{649"syscall": "madvise",650"comment": "Triggered by musl for some customer workloads",651"args": [652{653"index": 2,654"type": "dword",655"op": "eq",656"val": 4,657"comment": "libc::MADV_DONTNEED"658}659]660},661{662"syscall": "mmap",663"comment": "Used for reading the timezone in LocalTime::now()",664"args": [665{666"index": 3,667"type": "dword",668"op": "eq",669"val": 1,670"comment": "libc::MAP_SHARED"671}672]673},674{675"syscall": "timerfd_settime",676"comment": "Needed for updating the balloon statistics interval",677"args": [678{679"index": 1,680"type": "dword",681"op": "eq",682"val": 0683}684]685},686{687"syscall": "ioctl",688"args": [689{690"index": 1,691"type": "dword",692"op": "eq",693"val": 44672,694"comment": "KVM_RUN"695}696]697},698{699"syscall": "ioctl",700"args": [701{702"index": 1,703"type": "dword",704"op": "eq",705"val": 2147790488,706"comment": "KVM_GET_MP_STATE"707}708]709},710{711"syscall": "ioctl",712"args": [713{714"index": 
1,715"type": "dword",716"op": "eq",717"val": 1074048665,718"comment": "KVM_SET_MP_STATE"719}720]721},722{723"syscall": "ioctl",724"args": [725{726"index": 1,727"type": "dword",728"op": "eq",729"val": 2151722655,730"comment": "KVM_GET_VCPU_EVENTS"731}732]733},734{735"syscall": "ioctl",736"args": [737{738"index": 1,739"type": "dword",740"op": "eq",741"val": 1077980832,742"comment": "KVM_SET_VCPU_EVENTS"743}744]745},746{747"syscall": "ioctl",748"args": [749{750"index": 1,751"type": "dword",752"op": "eq",753"val": 2214637198,754"comment": "KVM_GET_LAPIC"755}756]757},758{759"syscall": "ioctl",760"args": [761{762"index": 1,763"type": "dword",764"op": "eq",765"val": 2167975555,766"comment": "KVM_GET_SREGS"767}768]769},770{771"syscall": "ioctl",772"args": [773{774"index": 1,775"type": "dword",776"op": "eq",777"val": 1074310800,778"comment": "KVM_SET_CPUID2"779}780]781},782{783"syscall": "ioctl",784"args": [785{786"index": 1,787"type": "dword",788"op": "eq",789"val": 1140895375,790"comment": "KVM_SET_LAPIC"791}792]793},794{795"syscall": "ioctl",796"args": [797{798"index": 1,799"type": "dword",800"op": "eq",801"val": 1074310793,802"comment": "KVM_SET_MSRS"803}804]805},806{807"syscall": "ioctl",808"args": [809{810"index": 1,811"type": "dword",812"op": "eq",813"val": 1083223682,814"comment": "KVM_SET_REGS"815}816]817},818{819"syscall": "ioctl",820"args": [821{822"index": 1,823"type": "dword",824"op": "eq",825"val": 1094233732,826"comment": "KVM_SET_SREGS"827}828]829},830{831"syscall": "ioctl",832"args": [833{834"index": 1,835"type": "dword",836"op": "eq",837"val": 2154868383,838"comment": "KVM_GET_PIT2"839}840]841},842{843"syscall": "ioctl",844"args": [845{846"index": 1,847"type": "dword",848"op": "eq",849"val": 2156965505,850"comment": "KVM_GET_REGS"851}852]853},854{855"syscall": "ioctl",856"args": [857{858"index": 1,859"type": "dword",860"op": "eq",861"val": 3221794440,862"comment": "KVM_GET_MSRS"863}864]865},866{867"syscall": "ioctl",868"args": [869{870"index": 1,871"type": 
"dword",872"op": "eq",873"val": 3221794449,874"comment": "KVM_GET_CPUID2"875}876]877},878{879"syscall": "ioctl",880"args": [881{882"index": 1,883"type": "dword",884"op": "eq",885"val": 2155916961,886"comment": "KVM_GET_DEBUGREGS"887}888]889},890{891"syscall": "ioctl",892"args": [893{894"index": 1,895"type": "dword",896"op": "eq",897"val": 1082175138,898"comment": "KVM_SET_DEBUGREGS"899}900]901},902{903"syscall": "ioctl",904"args": [905{906"index": 1,907"type": "dword",908"op": "eq",909"val": 2415963812,910"comment": "KVM_GET_XSAVE"911}912]913},914{915"syscall": "ioctl",916"args": [917{918"index": 1,919"type": "dword",920"op": "eq",921"val": 1342221989,922"comment": "KVM_SET_XSAVE"923}924]925},926{927"syscall": "ioctl",928"args": [929{930"index": 1,931"type": "dword",932"op": "eq",933"val": 2173218470,934"comment": "KVM_GET_XCRS"935}936]937},938{939"syscall": "ioctl",940"args": [941{942"index": 1,943"type": "dword",944"op": "eq",945"val": 1099476647,946"comment": "KVM_SET_XCRS"947}948]949},950{951"syscall": "ioctl",952"args": [953{954"index": 1,955"type": "dword",956"op": "eq",957"val": 44706,958"comment": "KVM_SET_TSC_KHZ"959}960]961},962{963"syscall": "ioctl",964"args": [965{966"index": 1,967"type": "dword",968"op": "eq",969"val": 44707,970"comment": "KVM_GET_TSC_KHZ"971}972]973}974]975}976}977978979