add restart_syscall(2) to seccomp allowlist #5040

Merged
merged 3 commits into from
Feb 14, 2025

@roypat (Contributor) commented Feb 13, 2025

This syscall is issued transparently by the Linux kernel when
timing-related syscalls (such as nanosleep) get interrupted, for example
because of SIGSTOP.

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>

Changes

...

Reason

...

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.

  • This functionality cannot be added in rust-vmm.

This syscall is issued transparently by the Linux kernel when
timing-related syscalls (such as nanosleep) get interrupted, for example
because of SIGSTOP.

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>

This syscall is inserted at runtime by the Linux kernel, and thus not
actually present in our binary. The static analysis tool thus correctly
marks it as unused. Introduce an allowlist of syscalls that are ignored
by the static analysis tool to deal with this.

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>
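
The kernel behaviour described in the first commit message can be observed directly; the following is an added example, not code from this pull request or from Firecracker. A child sleeps in nanosleep while the parent sends SIGSTOP and SIGCONT, once without a filter and once under a seccomp filter that fails restart_syscall. The names `child` and `sleep_after_stop`, the EPERM action and the 200 ms delay are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <time.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Child: optionally install a filter that fails restart_syscall with EPERM,
 * then sleep 1 s. Returns 0 if the sleep completed, else the errno seen. */
static int child(int deny_restart) {
    if (deny_restart) {
        /* Demo-only filter: a production filter also checks seccomp_data.arch. */
        struct sock_filter f[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_restart_syscall, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = { .len = 4, .filter = f };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            return 100; /* could not install the filter */
    }
    struct timespec ts = { .tv_sec = 1, .tv_nsec = 0 };
    return nanosleep(&ts, NULL) == 0 ? 0 : errno;
}

/* Parent: stop and continue the child while it sleeps, return its exit code. */
int sleep_after_stop(int deny_restart) {
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child(deny_restart));
    usleep(200000);               /* give the child time to enter nanosleep */
    kill(pid, SIGSTOP);
    waitpid(pid, &st, WUNTRACED); /* wait until it is really stopped */
    kill(pid, SIGCONT);
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Exit status 0 when both observations match the expected behaviour. */
int main(void) { return sleep_after_stop(0) != 0 || sleep_after_stop(1) != EPERM; }
```

Without the filter the sleep resumes and finishes as if nothing happened; with it, the program's own nanosleep call fails even though the program never called restart_syscall. A filter whose action for unlisted syscalls is to kill or trap would end the process at that point instead of returning an error.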

codecov bot commented Feb 13, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.21%. Comparing base (d1badbb) to head (402d75a).
Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5040   +/-   ##
=======================================
  Coverage   83.21%   83.21%           
=======================================
  Files         245      245           
  Lines       26626    26626           
=======================================
  Hits        22156    22156           
  Misses       4470     4470           
Flag Coverage Δ
5.10-c5n.metal 83.69% <ø> (-0.01%) ⬇️
5.10-m5n.metal 83.68% <ø> (+<0.01%) ⬆️
5.10-m6a.metal 82.89% <ø> (ø)
5.10-m6g.metal 79.64% <ø> (ø)
5.10-m6i.metal 83.67% <ø> (ø)
5.10-m7g.metal 79.64% <ø> (ø)
6.1-c5n.metal 83.69% <ø> (ø)
6.1-m5n.metal 83.67% <ø> (-0.01%) ⬇️
6.1-m6a.metal 82.89% <ø> (ø)
6.1-m6g.metal 79.63% <ø> (ø)
6.1-m6i.metal 83.67% <ø> (ø)
6.1-m7g.metal 79.63% <ø> (-0.01%) ⬇️


@roypat added the "Status: Awaiting review" label Feb 13, 2025
@roypat merged commit d6a14fb into firecracker-microvm:main Feb 14, 2025
6 of 7 checks passed