Handle gofer blocking opens of host named pipes in VFS2.

Using tee instead of read to detect when a O_RDONLY|O_NONBLOCK pipe FD has a writer circumvents the problem of what to do with the byte read from the pipe, avoiding much of the complexity of the fdpipe package. PiperOrigin-RevId: 314216146
author: Jamie Liu <jamieliu@google.com> 2020-06-01 15:31:59 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-06-01 15:33:30 -0700
commit: 3a987160aa09f814a8459ed3f6192ce741b701a3 (patch)
tree: c0e58a968a2b49f6c44587badecc288fd617fdda /runsc/boot
parent: 6ef5924725812f5885880cf57821fe2cd49b808d (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 98cdd90dd..60e33425f 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -288,6 +288,14 @@ var allowedSyscalls = seccomp.SyscallRules{
 	syscall.SYS_SIGALTSTACK:     {},
 	unix.SYS_STATX:              {},
 	syscall.SYS_SYNC_FILE_RANGE: {},
+	syscall.SYS_TEE: []seccomp.Rule{
+		{
+			seccomp.AllowAny{},
+			seccomp.AllowAny{},
+			seccomp.AllowValue(1),                      /* len */
+			seccomp.AllowValue(unix.SPLICE_F_NONBLOCK), /* flags */
+		},
+	},
 	syscall.SYS_TGKILL: []seccomp.Rule{
 		{
 			seccomp.AllowValue(uint64(os.Getpid())),
author	Jamie Liu <jamieliu@google.com>	2020-06-01 15:31:59 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-06-01 15:33:30 -0700
commit	3a987160aa09f814a8459ed3f6192ce741b701a3 (patch)
tree	c0e58a968a2b49f6c44587badecc288fd617fdda /runsc/boot
parent	6ef5924725812f5885880cf57821fe2cd49b808d (diff)