chore(rust): update seccomp filters

ShadowCurse · ShadowCurse · commit 92b59b8de73d · 2026-02-03T15:06:04.000Z
New rust version brought new syscalls: This commit: 426ab142507fca8704d934da556f1c96b0fd61b2 which updated `write` function for unix sockets to use `sendto` syscall. - Added `sendto` to API and VMM filters And this PR: rust-lang/rust#115746 which added call to `gettid` during panic. - Added `gettid` to API, VMM and VCPU filters Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
diff --git a/resources/seccomp/aarch64-unknown-linux-musl.json b/resources/seccomp/aarch64-unknown-linux-musl.json
@@ -65,6 +65,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
@@ -319,6 +323,10 @@
                     }
                 ]
             },
+            {
+                "syscall": "sendto",
+                "comment": "Rust std uses it to write to unix socket"
+            },
             {
                 "syscall": "tkill",
                 "comment": "tkill is used by libc::abort during a panic to raise SIGABRT",
@@ -511,6 +519,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
@@ -729,6 +741,10 @@
                     }
                 ]
             },
+            {
+                "syscall": "sendto",
+                "comment": "Rust std uses it to write to unix socket"
+            },
             {
                 "syscall": "tkill",
                 "comment": "tkill is used by libc::abort during a panic to raise SIGABRT",
@@ -792,6 +808,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
diff --git a/resources/seccomp/x86_64-unknown-linux-musl.json b/resources/seccomp/x86_64-unknown-linux-musl.json
@@ -65,6 +65,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
@@ -319,6 +323,10 @@
                     }
                 ]
             },
+            {
+                "syscall": "sendto",
+                "comment": "Rust std uses it to write to unix socket"
+            },
             {
                 "syscall": "tkill",
                 "comment": "tkill is used by libc::abort during a panic to raise SIGABRT",
@@ -523,6 +531,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
@@ -741,6 +753,10 @@
                     }
                 ]
             },
+            {
+                "syscall": "sendto",
+                "comment": "Rust std uses it to write to unix socket"
+            },
             {
                 "syscall": "tkill",
                 "comment": "tkill is used by libc::abort during a panic to raise SIGABRT",
@@ -804,6 +820,10 @@
                 "syscall": "brk",
                 "comment": "Called for expanding the heap"
             },
+            {
+                "syscall": "gettid",
+                "comment": "Rust std uses it during panic to print the thread id."
+            },
             {
                 "syscall": "clock_gettime",
                 "comment": "Used for metrics and logging, via the helpers in utils/src/time.rs. It's not called on some platforms, because of vdso optimisations."
