authorMichael Pratt <mpratt@google.com>2021-02-04 14:54:42 -0800
committergVisor bot <gvisor-bot@google.com>2021-02-04 14:56:26 -0800
commit41510d2746756818269b0bf8f3961f026a0c247c (patch)
treed43f34014298b0c11dc654da3ab754c6a1277ff2
parentaed9d8ce9a80f35dda2e44290d14e6ed5a627e30 (diff)
Move getcpu() to core filter list
Some versions of the Go runtime call getcpu(), so add it for compatibility. The hostcpu package already uses getcpu() on arm64. PiperOrigin-RevId: 355717757
-rw-r--r--pkg/sentry/platform/ptrace/filters.go2
-rw-r--r--runsc/boot/filter/config.go9
-rw-r--r--runsc/fsgofer/filter/config.go9
3 files changed, 18 insertions, 2 deletions
diff --git a/pkg/sentry/platform/ptrace/filters.go b/pkg/sentry/platform/ptrace/filters.go
index b0970e356..20fc62acb 100644
--- a/pkg/sentry/platform/ptrace/filters.go
+++ b/pkg/sentry/platform/ptrace/filters.go
@@ -17,14 +17,12 @@ package ptrace
import (
"syscall"
- "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/seccomp"
)
// SyscallFilters returns syscalls made exclusively by the ptrace platform.
func (*PTrace) SyscallFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- unix.SYS_GETCPU: {},
syscall.SYS_PTRACE: {},
syscall.SYS_TGKILL: {},
syscall.SYS_WAIT4: {},
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index eacd73531..2a8c916d5 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -100,6 +100,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
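Review bot: The added rule admits only getcpu(cpu, NULL, NULL) — the two `seccomp.EqualTo(0)` entries pin the node and tcache arguments — but the comment above it says who calls getcpu, not why those arguments are constrained, so the next person relaxing or tightening this entry has nothing to check against. Suggest extending the comment to `// Only the cpu out-pointer is allowed; node and tcache must be NULL,` `// which is what the known callers pass.` The "known callers" claim is inferred from the rule rather than shown here, so confirm it against the hostcpu arm64 code and the Go runtime versions being supported before committing to that wording; a caller passing a non-NULL node pointer would be killed by the filter, not degraded. The same rule and comment are added in runsc/fsgofer/filter/config.go (the third hunk) and should carry the same wording. allowedSyscalls continues outside the hunk on both sides.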
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},
syscall.SYS_GETSOCKOPT: []seccomp.Rule{
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 39b8a0b1e..f92e2f80e 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -107,6 +107,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
syscall.SYS_GETDENTS64: {},
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},