seccomp: Add gettid() to all seccomp filters

DemiMarie · likebreath · commit 079d94ecaeb6 · 2026-01-10T19:18:04.000Z
It should always succeed and is apparently implicitly called by libc or
some dependency somewhere.

Signed-off-by: Demi Marie Obenour &lt;demiobenour@gmail.com&gt;
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
@@ -293,6 +293,7 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
         (libc::SYS_epoll_wait, vec![]),
         (libc::SYS_exit, vec![]),
         (libc::SYS_futex, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_madvise, vec![]),
         (libc::SYS_mmap, vec![]),
         (libc::SYS_mprotect, vec![]),
diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs
@@ -497,6 +497,7 @@ fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
         (libc::SYS_mmap, vec![]),
         (libc::SYS_munmap, vec![]),
         (libc::SYS_prctl, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_recvfrom, vec![]),
         (libc::SYS_rt_sigprocmask, vec![]),
         (libc::SYS_rt_sigreturn, vec![]),
@@ -536,6 +537,7 @@ fn pty_foreground_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
         (libc::SYS_rt_sigreturn, vec![]),
         (libc::SYS_sched_yield, vec![]),
         (libc::SYS_setsid, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_sigaltstack, vec![]),
         (libc::SYS_write, vec![]),
         #[cfg(debug_assertions)]
@@ -787,6 +789,7 @@ fn vcpu_thread_rules(
         (libc::SYS_exit, vec![]),
         (libc::SYS_epoll_ctl, vec![]),
         (libc::SYS_fstat, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_getpid, vec![]),
@@ -847,6 +850,7 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
         (libc::SYS_epoll_wait, vec![]),
         (libc::SYS_exit, vec![]),
         (libc::SYS_fcntl, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
@@ -881,6 +885,7 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
         (libc::SYS_dup, vec![]),
         (libc::SYS_epoll_ctl, vec![]),
         (libc::SYS_exit, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_getrandom, vec![]),
         (libc::SYS_madvise, vec![]),
@@ -905,6 +910,7 @@ fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendE
     Ok(vec![
         (libc::SYS_brk, vec![]),
         (libc::SYS_close, vec![]),
+        (libc::SYS_gettid, vec![]),
         (libc::SYS_futex, vec![]),
         (libc::SYS_landlock_create_ruleset, vec![]),
         (libc::SYS_landlock_restrict_self, vec![]),
