virtcontainers: clh: Enable the seccomp feature

This patch enables the `seccomp` feature from Cloud Hypervisor which provides fine-grained allowed syscalls for each of its worker threads. It brings important security benefits, while would increase memory footprint. Fixes: #2782 Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-04-28 19:54:35 +00:00 · 2021-10-08 15:07:43 -07:00 · 2021-10-08 15:07:43 -07:00 · 98b7350a1b
commit 98b7350a1b
parent 0300e91cd0
1 changed files with 0 additions and 5 deletions
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@ -947,11 +947,6 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
 		args = append(args, "-v")
 	}

-	// Disable the 'seccomp' option in clh for now.
-	// In this way, we can separate the periodic failures caused
-	// by incomplete `seccomp` filters from other failures.
-	// We will bring it back after completing the `seccomp` filter.
-	args = append(args, "--seccomp", "false")

 	clh.Logger().WithField("path", clhPath).Info()
 	clh.Logger().WithField("args", strings.Join(args, " ")).Info()