devices: block: fix seccomp failures from free()

It looks like free() will sometimes try to open
/proc/sys/vm/overcommit_memory in order to decide whether to return
freed heap memory to the kernel; change the seccomp filter to fail the
open syscalls with an error code (ENOENT) rather than killing the
process.

Also allow madvise to free memory for the same free() codepath.

BUG=chromium:888212
TEST=Run fio loop test on kevin

Change-Id: I1c27b265b822771f76b7d9572d9759476770000e
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1305756
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This commit is contained in:
Daniel Verkamp 2018-10-29 12:41:40 -07:00 committed by chrome-bot
parent eeebe63c43
commit 5656c124af
2 changed files with 8 additions and 2 deletions

View file

@ -18,6 +18,7 @@ _llseek: 1
# negation, thus the manually negated mask constant.
mmap2: arg2 in 0xfffffffb
mprotect: arg2 in 0xfffffffb
madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
mremap: 1
munmap: 1
read: 1
@ -41,3 +42,6 @@ epoll_wait: 1
timerfd_create: 1
timerfd_gettime: 1
timerfd_settime: 1
# libc free() attempts to open /proc/sys/vm/overcommit_memory
open: return ENOENT
openat: return ENOENT

View file

@ -17,8 +17,7 @@ lseek: 1
# negation, thus the manually negated mask constant.
mmap: arg2 in 0xfffffffb
mprotect: arg2 in 0xfffffffb
# Allow MADV_DONTDUMP only.
madvise: arg2 == 0x00000010
madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
mremap: 1
munmap: 1
read: 1
@ -42,3 +41,6 @@ epoll_wait: 1
timerfd_create: 1
timerfd_gettime: 1
timerfd_settime: 1
# libc free() attempts to open /proc/sys/vm/overcommit_memory
open: return ENOENT
openat: return ENOENT