clh: Complete the 'seccomp' filter list based on the workload from Kata's CI

[likebreath]

Which feature do you think can be improved?

As discussed in the issue #2899, the incomplete list of seccomp filter from cloud-hypervisor can introduce (random) failures in our CI jobs. As a workaround, the seccomp option of clh is temporarily disabled in kata.

How can it be improved?

We should collect the missing syscall triggered by Kata's CI workload, and added them to clh's seccomp filter list. Once we have a complete list (for kata's CI workload), we should bring the seccomp option of clh back to kata, so that we can leverage this security feature from clh.

[likebreath]

As a first run of my local VM on the failing tests reported by the CI (e.g. CPU update constrains), I see the following missing syscall: brk. This syscall also contributed to the instability of cloud-hypervisor's CI. It was added to all worker threads of clh (after release v0.9.0).

[likebreath]

/cc @jcvenegas @amshinde

[jodh-intel]

@likebreath - I think we can close this issue now?

[likebreath]

@jodh-intel Let's keep this one before I do more experiments on whether the seccomp filter is now sufficient to run all the workload from kata's CI jobs. Also, as @amshinde advises, we will also provide an option for users to enable and disable the seccomp filter.

[jodh-intel]

Hi @likebreath - can we close now?