stratovirt/0020-machine-update-seccomp-rules.patch

From 639982129fb79cc8f175497cd5b091a6dfd3ec40 Mon Sep 17 00:00:00 2001
From: zhouli57 <zhouli57@huawei.com>
Date: Tue, 8 Mar 2022 15:42:13 +0800
Subject: [PATCH 5/8] machine: update seccomp rules

Fix the problem of snapshot failure caused by compiling with a new
version(1.57) of the compiler on openEuler 22.03 LTS.

Signed-off-by: zhouli57 <zhouli57@huawei.com>
---
 machine/src/micro_vm/syscall.rs            | 46 ++++++++++++++++----
 machine/src/standard_vm/aarch64/syscall.rs | 33 +++++++++++----
 machine/src/standard_vm/x86_64/syscall.rs  | 49 +++++++++++++++++-----
 3 files changed, 102 insertions(+), 26 deletions(-)

diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
index ff066a9..5e9c6d8 100644
--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
@@ -22,6 +22,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -88,12 +89,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -121,9 +117,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_mkdir),
         #[cfg(target_arch = "aarch64")]
         BpfRule::new(libc::SYS_mkdirat),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32),
+        madvise_rule(),
     ]
 }
 
@@ -181,3 +175,37 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DEVICE_ATTR() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+    #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+}
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs
index e8ecdd5..ed3140e 100644
--- a/machine/src/standard_vm/aarch64/syscall.rs
+++ b/machine/src/standard_vm/aarch64/syscall.rs
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -91,13 +92,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -189,3 +184,27 @@ fn madvise_rule() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
 }
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index f39170a..6f8e10d 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -94,12 +95,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -118,10 +114,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_statx),
         BpfRule::new(libc::SYS_mkdir),
         BpfRule::new(libc::SYS_unlink),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
+        madvise_rule(),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
         #[cfg(target_env = "musl")]
@@ -202,3 +195,39 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MSRS() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+}
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
-- 
2.20.1
Update version to 2.1.0-4 Signed-off-by: Jie Yang <yangjieyj.yang@huawei.com> (cherry picked from commit e9cfa81784d4a86efd4392a487c0294d440c03c0) 2022-03-13 11:28:58 +08:00			`From 639982129fb79cc8f175497cd5b091a6dfd3ec40 Mon Sep 17 00:00:00 2001`
			`From: zhouli57 <zhouli57@huawei.com>`
			`Date: Tue, 8 Mar 2022 15:42:13 +0800`
			`Subject: [PATCH 5/8] machine: update seccomp rules`

			`Fix the problem of snapshot failure caused by compiling with a new`
			`version(1.57) of the compiler on openEuler 22.03 LTS.`

			`Signed-off-by: zhouli57 <zhouli57@huawei.com>`
			`---`
			`machine/src/micro_vm/syscall.rs \| 46 ++++++++++++++++----`
			`machine/src/standard_vm/aarch64/syscall.rs \| 33 +++++++++++----`
			`machine/src/standard_vm/x86_64/syscall.rs \| 49 +++++++++++++++++-----`
			`3 files changed, 102 insertions(+), 26 deletions(-)`

			`diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs`
			`index ff066a9..5e9c6d8 100644`
			`--- a/machine/src/micro_vm/syscall.rs`
			`+++ b/machine/src/micro_vm/syscall.rs`
			`@@ -22,6 +22,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;`
			`const FUTEX_WAKE_OP: u32 = 5;`
			`const FUTEX_WAIT_BITSET: u32 = 9;`
			`const FUTEX_PRIVATE_FLAG: u32 = 128;`
			`+const FUTEX_CLOCK_REALTIME: u32 = 256;`
			`const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE \| FUTEX_PRIVATE_FLAG;`
			`@@ -88,12 +89,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_munmap),`
			`BpfRule::new(libc::SYS_accept4),`
			`BpfRule::new(libc::SYS_lseek),`
			`- BpfRule::new(libc::SYS_futex)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),`
			`+ futex_rule(),`
			`BpfRule::new(libc::SYS_exit),`
			`BpfRule::new(libc::SYS_exit_group),`
			`BpfRule::new(libc::SYS_rt_sigreturn),`
			`@@ -121,9 +117,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_mkdir),`
			`#[cfg(target_arch = "aarch64")]`
			`BpfRule::new(libc::SYS_mkdirat),`
			`- BpfRule::new(libc::SYS_madvise)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32),`
			`+ madvise_rule(),`
			`]`
			`}`

			`@@ -181,3 +175,37 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DEVICE_ATTR() as u32)`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)`
			`}`
			`+`
			`+fn madvise_rule() -> BpfRule {`
			`+ #[cfg(all(target_env = "musl", target_arch = "x86_64"))]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);`
			`+ #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);`
			`+}`
			`+`
			`+fn futex_rule() -> BpfRule {`
			`+ #[cfg(target_env = "musl")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+ #[cfg(target_env = "gnu")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(`
			`+ SeccompCmpOpt::Eq,`
			`+ 1,`
			`+ FUTEX_WAIT_BITSET_PRIVATE \| FUTEX_CLOCK_REALTIME,`
			`+ )`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+}`
			`diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs`
			`index e8ecdd5..ed3140e 100644`
			`--- a/machine/src/standard_vm/aarch64/syscall.rs`
			`+++ b/machine/src/standard_vm/aarch64/syscall.rs`
			`@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;`
			`const FUTEX_WAKE_OP: u32 = 5;`
			`const FUTEX_WAIT_BITSET: u32 = 9;`
			`const FUTEX_PRIVATE_FLAG: u32 = 128;`
			`+const FUTEX_CLOCK_REALTIME: u32 = 256;`
			`const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE \| FUTEX_PRIVATE_FLAG;`
			`@@ -91,13 +92,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_munmap),`
			`BpfRule::new(libc::SYS_accept4),`
			`BpfRule::new(libc::SYS_lseek),`
			`- BpfRule::new(libc::SYS_futex)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),`
			`+ futex_rule(),`
			`BpfRule::new(libc::SYS_exit),`
			`BpfRule::new(libc::SYS_exit_group),`
			`BpfRule::new(libc::SYS_rt_sigreturn),`
			`@@ -189,3 +184,27 @@ fn madvise_rule() -> BpfRule {`
			`.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);`
			`}`
			`+`
			`+fn futex_rule() -> BpfRule {`
			`+ #[cfg(target_env = "musl")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+ #[cfg(target_env = "gnu")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(`
			`+ SeccompCmpOpt::Eq,`
			`+ 1,`
			`+ FUTEX_WAIT_BITSET_PRIVATE \| FUTEX_CLOCK_REALTIME,`
			`+ )`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+}`
			`diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs`
			`index f39170a..6f8e10d 100644`
			`--- a/machine/src/standard_vm/x86_64/syscall.rs`
			`+++ b/machine/src/standard_vm/x86_64/syscall.rs`
			`@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;`
			`const FUTEX_WAKE_OP: u32 = 5;`
			`const FUTEX_WAIT_BITSET: u32 = 9;`
			`const FUTEX_PRIVATE_FLAG: u32 = 128;`
			`+const FUTEX_CLOCK_REALTIME: u32 = 256;`
			`const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE \| FUTEX_PRIVATE_FLAG;`
			`const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE \| FUTEX_PRIVATE_FLAG;`
			`@@ -94,12 +95,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_munmap),`
			`BpfRule::new(libc::SYS_accept4),`
			`BpfRule::new(libc::SYS_lseek),`
			`- BpfRule::new(libc::SYS_futex)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),`
			`+ futex_rule(),`
			`BpfRule::new(libc::SYS_exit),`
			`BpfRule::new(libc::SYS_exit_group),`
			`BpfRule::new(libc::SYS_rt_sigreturn),`
			`@@ -118,10 +114,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_statx),`
			`BpfRule::new(libc::SYS_mkdir),`
			`BpfRule::new(libc::SYS_unlink),`
			`- BpfRule::new(libc::SYS_madvise)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),`
			`+ madvise_rule(),`
			`BpfRule::new(libc::SYS_msync),`
			`BpfRule::new(libc::SYS_readlinkat),`
			`#[cfg(target_env = "musl")]`
			`@@ -202,3 +195,39 @@ fn ioctl_allow_list() -> BpfRule {`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MSRS() as u32)`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32)`
			`}`
			`+`
			`+fn madvise_rule() -> BpfRule {`
			`+ #[cfg(target_env = "musl")]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);`
			`+ #[cfg(target_env = "gnu")]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);`
			`+}`
			`+`
			`+fn futex_rule() -> BpfRule {`
			`+ #[cfg(target_env = "musl")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+ #[cfg(target_env = "gnu")]`
			`+ return BpfRule::new(libc::SYS_futex)`
			`+ .add_constraint(`
			`+ SeccompCmpOpt::Eq,`
			`+ 1,`
			`+ FUTEX_WAIT_BITSET_PRIVATE \| FUTEX_CLOCK_REALTIME,`
			`+ )`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);`
			`+}`
			`--`
			`2.20.1`