allow mprotect by default

jprendes · jprendes · commit a8d93c6eec76 · 2025-05-27T18:27:17.000+01:00
Signed-off-by: Jorge Prendes &lt;jorge.prendes@gmail.com&gt;
diff --git a/src/hyperlight_host/src/seccomp/guest.rs b/src/hyperlight_host/src/seccomp/guest.rs
@@ -57,6 +57,8 @@ fn syscalls_allowlist() -> Result<Vec<(i64, Vec<SeccompRule>)>> {
         // `sched_yield` is needed for many synchronization primitives that may be invoked
         // on the host function worker thread
         (libc::SYS_sched_yield, vec![]),
+        // `mprotect` is needed by malloc during memory allocation
+        (libc::SYS_mprotect, vec![]),
     ])
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ fn syscalls_allowlist() -> Result<Vec<(i64, Vec<SeccompRule>)>> {`
`57`	`57`	// `sched_yield` is needed for many synchronization primitives that may be invoked
`58`	`58`	`// on the host function worker thread`
`59`	`59`	`(libc::SYS_sched_yield, vec![]),`
	`60`	+ // `mprotect` is needed by malloc during memory allocation
	`61`	`+ (libc::SYS_mprotect, vec![]),`
`60`	`62`	`])`
`61`	`63`	`}`
`62`	`64`