Skip to content

Commit c484aee

Browse files
acatangiusandreim
acatangiu
authored and
sandreim
committed
seccomp: remove timerfd_create from allow-list
`TimerFd`s are used by rate-limiters, metrics, and balloon device. All of them are created before boot, thus before seccomp filters are applied. This means we don't need `timerfd_create` syscall on our allow-list, and can be removed to tighten it. Signed-off-by: Adrian Catangiu <[email protected]>
1 parent 9a9f933 commit c484aee

File tree

2 files changed

+0
-40
lines changed

2 files changed

+0
-40
lines changed

resources/seccomp/aarch64-unknown-linux-musl.json

Lines changed: 0 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -237,26 +237,6 @@
237237
}
238238
]
239239
},
240-
{
241-
"syscall": "timerfd_create",
242-
"comment": "Needed for rate limiting and metrics",
243-
"args": [
244-
{
245-
"arg_index": 0,
246-
"arg_type": "dword",
247-
"op": "eq",
248-
"val": 1,
249-
"comment": "libc::CLOCK_MONOTONIC"
250-
},
251-
{
252-
"arg_index": 1,
253-
"arg_type": "dword",
254-
"op": "eq",
255-
"val": 526336,
256-
"comment": "libc::TFD_CLOEXEC | libc::TFD_NONBLOCK"
257-
}
258-
]
259-
},
260240
{
261241
"syscall": "timerfd_settime",
262242
"comment": "Needed for rate limiting and metrics",

resources/seccomp/x86_64-unknown-linux-musl.json

Lines changed: 0 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -237,26 +237,6 @@
237237
}
238238
]
239239
},
240-
{
241-
"syscall": "timerfd_create",
242-
"comment": "Needed for rate limiting and metrics",
243-
"args": [
244-
{
245-
"arg_index": 0,
246-
"arg_type": "dword",
247-
"op": "eq",
248-
"val": 1,
249-
"comment": "libc::CLOCK_MONOTONIC"
250-
},
251-
{
252-
"arg_index": 1,
253-
"arg_type": "dword",
254-
"op": "eq",
255-
"val": 526336,
256-
"comment": "libc::TFD_CLOEXEC | libc::TFD_NONBLOCK"
257-
}
258-
]
259-
},
260240
{
261241
"syscall": "timerfd_settime",
262242
"comment": "Needed for rate limiting and metrics",

0 commit comments

Comments
 (0)