stratovirt/syscall-add-syscall-newfstatat-in-x86_64-unknown-lin.patch

From 2a70e217561e64f460e95d4d89d145fc615f12ec Mon Sep 17 00:00:00 2001
From: Qi Xi <xiqi1@huawei.com>
Date: Fri, 20 Aug 2021 15:43:00 +0800
Subject: [PATCH 6/8] syscall: add syscall "newfstatat" in
 x86_64-unknown-linux-gnu target

When we run stratovirt, built with GNU toolchain on x86 platform, and
use serial port for IO, it will be blocked. The bug is caused by when
it is the first time for rtc device to call "libc::gmtime_r" after
seccomp taking effect, it will use the syscall "newfstatat" which is
not in the syscall whitelist.

The bug is fixed by adding "newfstatat" to syscall whitelist with
x86_64-unknown-linux-gnu target.

Signed-off-by: Qi Xi <xiqi1@huawei.com>
---
 docs/config_guidebook.md                  | 18 +++++++++++++++---
 machine/src/micro_vm/syscall.rs           |  4 +++-
 machine/src/standard_vm/x86_64/syscall.rs |  4 +++-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
index 6a5cda7..72b4c7e 100644
--- a/docs/config_guidebook.md
+++ b/docs/config_guidebook.md
@@ -679,10 +679,22 @@ And you can also restore StratoVirt's **pid number** to a file by:
 ### 4.2 Seccomp
 
 StratoVirt use [seccomp(2)](https://man7.org/linux/man-pages/man2/seccomp.2.html) to limit the syscalls
-in StratoVirt process by default. StratoVirt use only 40 syscalls in x86_64 (39 syscalls in aarch64) after running.
-It will make a slight influence on performance to StratoVirt. If you want to disable seccomp, you can
-run StratoVirt with `-disable-seccomp`.
+in StratoVirt process by default. It will make a slight influence on performance to StratoVirt. 
+* X86_64
 
+| Number of Syscalls | GNU Toolchain | MUSL Toolchain |
+| :----------------: | :-----------: | :------------: |
+|      Micro_vm      |      41       |       41       |
+|    Standard_vm     |      46       |       43       |
+
+* AArch64
+
+| Number of Syscalls | GNU Toolchain | MUSL Toolchain |
+| :----------------: | :-----------: | :------------: |
+|      Micro_vm      |      39       |       40       |
+|    Standard_vm     |      43       |       42       |
+
+If you want to disable seccomp, you can run StratoVirt with `-disable-seccomp`.
 ```shell
 # cmdline
 -disable-seccomp
diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
index eb52df6..ddc9023 100644
--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
@@ -92,7 +92,7 @@ ioctl_iowr_nr!(KVM_GET_REG_LIST, KVMIO, 0xb0, kvm_reg_list);
 ///
 /// # Notes
 /// This allowlist limit syscall with:
-/// * x86_64-unknown-gnu: 40 syscalls
+/// * x86_64-unknown-gnu: 41 syscalls
 /// * x86_64-unknown-musl: 41 syscalls
 /// * aarch64-unknown-gnu: 39 syscalls
 /// * aarch64-unknown-musl: 40 syscalls
@@ -153,6 +153,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_statx),
         #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
         BpfRule::new(libc::SYS_stat),
+        #[cfg(all(target_env = "gnu", target_arch = "x86_64"))]
+        BpfRule::new(libc::SYS_newfstatat),
         #[cfg(all(target_env = "musl", target_arch = "aarch64"))]
         BpfRule::new(libc::SYS_newfstatat),
         #[cfg(target_arch = "x86_64")]
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index d794c78..dddeb8a 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -78,7 +78,7 @@ ioctl_iowr_nr!(KVM_GET_MSRS, KVMIO, 0x88, kvm_msrs);
 ///
 /// # Notes
 /// This allowlist limit syscall with:
-/// * x86_64-unknown-gnu: 45 syscalls
+/// * x86_64-unknown-gnu: 46 syscalls
 /// * x86_64-unknown-musl: 43 syscalls
 /// To reduce performance losses, the syscall rules is ordered by frequency.
 pub fn syscall_whitelist() -> Vec<BpfRule> {
@@ -132,6 +132,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_gettid),
         BpfRule::new(libc::SYS_getpid),
         BpfRule::new(libc::SYS_fstat),
+        #[cfg(all(target_env = "gnu"))]
+        BpfRule::new(libc::SYS_newfstatat),
         BpfRule::new(libc::SYS_pread64),
         BpfRule::new(libc::SYS_pwrite64),
         BpfRule::new(libc::SYS_statx),
-- 
2.25.1
Update version to 2.0.0-3 virtio: fix dev_id initialization for virtio-pci and vfio device on aarch64 platform vfio: fix the problem of dma mapping failed syscall: add syscall "newfstatat" in x86_64-unknown-linux-gnu target kernel_config: update kernel config 5.10 on aarch64 platform machine/standard_vm: fix inappropriate file open permissions migration: fix an errors during the PL011 device state restore migration: fix an error during migration interface on aarch64 fix spelling errors in project (cherry picked from commit a12a13829fa5d788667e11b886c254760e6a4579) 2021-08-20 21:59:20 +08:00			`From 2a70e217561e64f460e95d4d89d145fc615f12ec Mon Sep 17 00:00:00 2001`
			`From: Qi Xi <xiqi1@huawei.com>`
			`Date: Fri, 20 Aug 2021 15:43:00 +0800`
			`Subject: [PATCH 6/8] syscall: add syscall "newfstatat" in`
			`x86_64-unknown-linux-gnu target`

			`When we run stratovirt, built with GNU toolchain on x86 platform, and`
			`use serial port for IO, it will be blocked. The bug is caused by when`
			`it is the first time for rtc device to call "libc::gmtime_r" after`
			`seccomp taking effect, it will use the syscall "newfstatat" which is`
			`not in the syscall whitelist.`

			`The bug is fixed by adding "newfstatat" to syscall whitelist with`
			`x86_64-unknown-linux-gnu target.`

			`Signed-off-by: Qi Xi <xiqi1@huawei.com>`
			`---`
			`docs/config_guidebook.md \| 18 +++++++++++++++---`
			`machine/src/micro_vm/syscall.rs \| 4 +++-`
			`machine/src/standard_vm/x86_64/syscall.rs \| 4 +++-`
			`3 files changed, 21 insertions(+), 5 deletions(-)`

			`diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md`
			`index 6a5cda7..72b4c7e 100644`
			`--- a/docs/config_guidebook.md`
			`+++ b/docs/config_guidebook.md`
			`@@ -679,10 +679,22 @@ And you can also restore StratoVirt's pid number to a file by:`
			`### 4.2 Seccomp`

			`StratoVirt use [seccomp(2)](https://man7.org/linux/man-pages/man2/seccomp.2.html) to limit the syscalls`
			`-in StratoVirt process by default. StratoVirt use only 40 syscalls in x86_64 (39 syscalls in aarch64) after running.`
			`-It will make a slight influence on performance to StratoVirt. If you want to disable seccomp, you can`
			-run StratoVirt with `-disable-seccomp`.
			`+in StratoVirt process by default. It will make a slight influence on performance to StratoVirt.`
			`+* X86_64`

			`+\| Number of Syscalls \| GNU Toolchain \| MUSL Toolchain \|`
			`+\| :----------------: \| :-----------: \| :------------: \|`
			`+\| Micro_vm \| 41 \| 41 \|`
			`+\| Standard_vm \| 46 \| 43 \|`
			`+`
			`+* AArch64`
			`+`
			`+\| Number of Syscalls \| GNU Toolchain \| MUSL Toolchain \|`
			`+\| :----------------: \| :-----------: \| :------------: \|`
			`+\| Micro_vm \| 39 \| 40 \|`
			`+\| Standard_vm \| 43 \| 42 \|`
			`+`
			+If you want to disable seccomp, you can run StratoVirt with `-disable-seccomp`.
			```shell
			`# cmdline`
			`-disable-seccomp`
			`diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs`
			`index eb52df6..ddc9023 100644`
			`--- a/machine/src/micro_vm/syscall.rs`
			`+++ b/machine/src/micro_vm/syscall.rs`
			`@@ -92,7 +92,7 @@ ioctl_iowr_nr!(KVM_GET_REG_LIST, KVMIO, 0xb0, kvm_reg_list);`
			`///`
			`/// # Notes`
			`/// This allowlist limit syscall with:`
			`-/// * x86_64-unknown-gnu: 40 syscalls`
			`+/// * x86_64-unknown-gnu: 41 syscalls`
			`/// * x86_64-unknown-musl: 41 syscalls`
			`/// * aarch64-unknown-gnu: 39 syscalls`
			`/// * aarch64-unknown-musl: 40 syscalls`
			`@@ -153,6 +153,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_statx),`
			`#[cfg(all(target_env = "musl", target_arch = "x86_64"))]`
			`BpfRule::new(libc::SYS_stat),`
			`+ #[cfg(all(target_env = "gnu", target_arch = "x86_64"))]`
			`+ BpfRule::new(libc::SYS_newfstatat),`
			`#[cfg(all(target_env = "musl", target_arch = "aarch64"))]`
			`BpfRule::new(libc::SYS_newfstatat),`
			`#[cfg(target_arch = "x86_64")]`
			`diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs`
			`index d794c78..dddeb8a 100644`
			`--- a/machine/src/standard_vm/x86_64/syscall.rs`
			`+++ b/machine/src/standard_vm/x86_64/syscall.rs`
			`@@ -78,7 +78,7 @@ ioctl_iowr_nr!(KVM_GET_MSRS, KVMIO, 0x88, kvm_msrs);`
			`///`
			`/// # Notes`
			`/// This allowlist limit syscall with:`
			`-/// * x86_64-unknown-gnu: 45 syscalls`
			`+/// * x86_64-unknown-gnu: 46 syscalls`
			`/// * x86_64-unknown-musl: 43 syscalls`
			`/// To reduce performance losses, the syscall rules is ordered by frequency.`
			`pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`@@ -132,6 +132,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_gettid),`
			`BpfRule::new(libc::SYS_getpid),`
			`BpfRule::new(libc::SYS_fstat),`
			`+ #[cfg(all(target_env = "gnu"))]`
			`+ BpfRule::new(libc::SYS_newfstatat),`
			`BpfRule::new(libc::SYS_pread64),`
			`BpfRule::new(libc::SYS_pwrite64),`
			`BpfRule::new(libc::SYS_statx),`
			`--`
			`2.25.1`