Remove `SYS_futex`, `SYS_write`, `SYS_close`, and `SYS_mmap` from list of default allowed syscalls for seccomp on Linux

[danbugs]

Currently, we allow SYS_futex, SYS_write, SYS_close, and SYS_mmap (

hyperlight/src/hyperlight_host/src/seccomp/guest.rs

Line 56 in b9c67fb

(libc::SYS_futex, vec![]),

) by default beause they are needed by some writer functions we have. Writer functions are not registered like normal host functions. Instead, they are passed in as a parameter to UninitializedSandbox::new (

hyperlight/src/hyperlight_host/src/sandbox/uninitialized.rs

Line 125 in b9c67fb

host_print_writer: Option<&dyn HostFunction1<String, i32>>,

) and, so, allowing extra syscalls to it is a bit cumbersome. We should consider refactoring UninitializedSandbox::new to leverage a builder pattern.

[jprendes]

I think we can go ahead with removing the syscalls from the default.
Now the print writer is registered like any other function.
It does have a dedicated registration function to simplify some things (signature checking, using the correct name, and adding the extra syscalls we add for printing), but that one also comes with the extra syscalls flavor.

[syntactically]

Is removing mmap() entirely from the hypervisor thread safe? I would imagine there are some scenarios where the allocator will mmap(MAP_ANONYMOUS) to get a chunk of heap memory. I would also think we should be quite careful about removing futexes, as those are used all over the place.

[dblnz]

@danbugs I think this no longer applies since we have merged #970 , is that right?

[danbugs]

@dblnz ~ you're right! Closing this.