From 055073f11813a7b675cb19aa6c540a667cd746a5 Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Wed, 24 Feb 2021 11:34:08 -0800
Subject: runsc/filters: permit clock_nanosleep for race

Syzkaller hosts contains many audit messages that runsc tries to call the clock_nanosleep syscall.

PiperOrigin-RevId: 359331413
---
 runsc/boot/filter/extra_filters_race.go | 1 +
 runsc/fsgofer/filter/extra_filters_race.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go
index 9ff80276a..5b99eb8cd 100644
--- a/runsc/boot/filter/extra_filters_race.go
+++ b/runsc/boot/filter/extra_filters_race.go
@@ -27,6 +27,7 @@ func instrumentationFilters() seccomp.SyscallRules {
 Report("TSAN is enabled: syscall filters less restrictive!")
 return seccomp.SyscallRules{
 syscall.SYS_BRK: {},
+ syscall.SYS_CLOCK_NANOSLEEP: {},
 syscall.SYS_CLONE: {},
 syscall.SYS_FUTEX: {},
 syscall.SYS_MMAP: {},
diff --git a/runsc/fsgofer/filter/extra_filters_race.go b/runsc/fsgofer/filter/extra_filters_race.go
index 20a0732be..cbd5c487e 100644
--- a/runsc/fsgofer/filter/extra_filters_race.go
+++ b/runsc/fsgofer/filter/extra_filters_race.go
@@ -28,6 +28,7 @@ func instrumentationFilters() seccomp.SyscallRules {
 log.Warningf("*** SECCOMP WARNING: TSAN is enabled: syscall filters less restrictive!")
 return seccomp.SyscallRules{
 syscall.SYS_BRK: {},
+ syscall.SYS_CLOCK_NANOSLEEP: {},
 syscall.SYS_CLONE: {},
 syscall.SYS_FUTEX: {},
 syscall.SYS_MADVISE: {},
-- cgit v1.2.3
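Review bot: The new `syscall.SYS_CLOCK_NANOSLEEP: {}` entry in runsc/boot/filter/extra_filters_race.go carries no comment recording why the race build needs it, and the same applies to the identical entry added in runsc/fsgofer/filter/extra_filters_race.go. The empty rule allows the syscall with any arguments, which matches the neighbouring entries, but the only justification (audit messages seen on Syzkaller hosts) lives in the commit message and does not say which component issues the call. I would add a line above each entry such as `// clock_nanosleep: issued by the TSAN runtime (seen in seccomp audit logs); race builds only.`, after confirming the caller really is the instrumentation runtime, because if it were sentry or gofer code the non-race filters would presumably deny the same call. The body of instrumentationFilters continues beyond both hunks, so the rest of each allowlist is not visible here.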