X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=qemu-seccomp.c;h=df75d9c4710f7336acac8d9b33cd69a874e08230;hb=856178852032404dee69665c2dcb65f00b4bb48e;hp=caa926ebf2d81d4d265ef0fe4067fdfa93061580;hpb=2b2449f7e467957778ca006904471b231dc0ac8e;p=mirror_qemu.git

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index caa926ebf2..df75d9c471 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -12,10 +12,20 @@
  * Contributions after 2012-01-13 are licensed under the terms of the
  * GNU GPL, version 2 or (at your option) any later version.
  */
-#include <stdio.h>
+#include "qemu/osdep.h"
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
 
+/* For some architectures (notably ARM) cacheflush is not supported until
+ * libseccomp 2.2.3, but configure enforces that we are using a more recent
+ * version on those hosts, so it is OK for this check to be less strict.
+ */
+#if SCMP_VER_MAJOR >= 3
+  #define HAVE_CACHEFLUSH
+#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2
+  #define HAVE_CACHEFLUSH
+#endif
+
 struct QemuSeccompSyscall {
     int32_t num;
     uint8_t priority;
@@ -55,6 +65,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(prctl), 245 },
     { SCMP_SYS(signalfd), 245 },
     { SCMP_SYS(getrlimit), 245 },
+    { SCMP_SYS(getrusage), 245 },
     { SCMP_SYS(set_tid_address), 245 },
     { SCMP_SYS(statfs), 245 },
     { SCMP_SYS(unlink), 245 },
@@ -143,6 +154,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(getsockname), 242 },
     { SCMP_SYS(getpeername), 242 },
     { SCMP_SYS(accept4), 242 },
+    { SCMP_SYS(timerfd_settime), 242 },
     { SCMP_SYS(newfstatat), 241 },
     { SCMP_SYS(shutdown), 241 },
     { SCMP_SYS(getsockopt), 241 },
@@ -225,7 +237,23 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(fchmod), 240 },
     { SCMP_SYS(shmget), 240 },
     { SCMP_SYS(shmat), 240 },
-    { SCMP_SYS(shmdt), 240 }
+    { SCMP_SYS(shmdt), 240 },
+    { SCMP_SYS(timerfd_create), 240 },
+    { SCMP_SYS(shmctl), 240 },
+    { SCMP_SYS(mlockall), 240 },
+    { SCMP_SYS(mlock), 240 },
+    { SCMP_SYS(munlock), 240 },
+    { SCMP_SYS(semctl), 240 },
+    { SCMP_SYS(fallocate), 240 },
+    { SCMP_SYS(fadvise64), 240 },
+    { SCMP_SYS(inotify_init1), 240 },
+    { SCMP_SYS(inotify_add_watch), 240 },
+    { SCMP_SYS(mbind), 240 },
+    { SCMP_SYS(memfd_create), 240 },
+#ifdef HAVE_CACHEFLUSH
+    { SCMP_SYS(cacheflush), 240 },
+#endif
+    { SCMP_SYS(sysinfo), 240 },
 };
 
 int seccomp_start(void)