// Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
//
// Copyright © 2020 Intel Corporation
//
// SPDX-License-Identifier: Apache-2.0
use seccomp::{
allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
SyscallRuleSet,
};
use std::convert::TryInto;
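/// Identifies which virtio device thread a seccomp filter is being built for.
///
/// Each variant selects exactly one `*_thread_rules()` allow-list in
/// `get_seccomp_filter_trap` / `get_seccomp_filter_log`; those `match`es are
/// exhaustive, so adding a variant here without a matching rule set is a
/// compile error rather than a thread that silently runs unfiltered.
///
/// `Debug`/`Copy`/`Eq` are derived so the thread kind can be logged and
/// compared by callers; the variants carry no data.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Thread {
    VirtioBalloon,
    VirtioBlock,
    VirtioConsole,
    VirtioIommu,
    VirtioMem,
    VirtioNet,
    VirtioNetCtl,
    VirtioPmem,
    VirtioRng,
    VirtioVhostBlk,
    VirtioVhostFs,
    VirtioVhostNet,
    VirtioVhostNetCtl,
    VirtioVsock,
    VirtioWatchdog,
}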
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
/// The rule will take the `Allow` action if _all_ the conditions are true.
///
/// A trailing comma is accepted: the first arm strips it and re-invokes the
/// macro, the second arm builds the rule. An empty list produces a rule with
/// no conditions.
///
/// [`Allow`]: enum.SeccompAction.html
/// [`SeccompCondition`]: struct.SeccompCondition.html
/// [`SeccompRule`]: struct.SeccompRule.html
macro_rules! and {
    ($($cond:expr,)+) => {
        and![$($cond),+]
    };
    ($($cond:expr),*) => {
        SeccompRule::new(vec![$($cond),*], SeccompAction::Allow)
    };
}
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
///
/// Expands to a plain `Vec` of the given rules. A trailing comma is accepted:
/// the first arm strips it and re-invokes the macro, the second arm builds
/// the vector.
///
/// [`SeccompFilter`]: struct.SeccompFilter.html
/// [`SeccompRule`]: struct.SeccompRule.html
macro_rules! or {
    ($($rule:expr,)+) => {
        or![$($rule),+]
    };
    ($($rule:expr),*) => {
        vec![$($rule),*]
    };
}
// Define io_uring syscalls as they are not yet part of libc.
// Hard-coded syscall number for io_uring_enter; consumed by
// `virtio_block_thread_rules` as an unconditional allow entry.
const SYS_IO_URING_ENTER: i64 = 426;

// See include/uapi/asm-generic/ioctls.h in the kernel code.
// ioctl request number for FIONBIO. `create_vsock_ioctl_seccomp_rule` uses
// it as the only request value the vsock thread may pass to `ioctl`.
const FIONBIO: u64 = 0x5421;
/// Syscalls the `Thread::VirtioBalloon` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). A syscall
/// absent from this list falls through to the filter's default action, which
/// the caller picks (`Trap` or `Log`, see `get_seccomp_filter`). Each added
/// entry widens the sandbox, so keep the list to what the thread really needs.
fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // Only allowed on x86_64, presumably because aarch64 has no
        // `epoll_wait` and relies on `epoll_pwait` — same gating as elsewhere.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioBlock` thread may issue once its seccomp
/// filter is installed.
///
/// This is the widest rule set in the file: besides the common epoll/futex
/// core it allows file I/O (`pread64`/`pwrite64`/`preadv`/`pwritev`,
/// `fsync`/`fdatasync`/`fallocate`/`ftruncate`/`lseek`), `io_uring_enter`,
/// `mmap`/`mprotect`, and `openat`/`prctl` without any argument filtering.
/// Every entry is an unconditional allow; anything else hits the filter's
/// default action (`Trap` or `Log`, see `get_seccomp_filter`).
fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_fallocate,
        libc::SYS_fdatasync,
        libc::SYS_fsync,
        #[cfg(target_arch = "x86_64")]
        libc::SYS_ftruncate,
        // The definition of libc::SYS_ftruncate is missing on AArch64.
        // Use a hard-coded number instead.
        #[cfg(target_arch = "aarch64")]
        46,
        libc::SYS_futex,
        // io_uring_enter is not exported by libc; see the constant above.
        SYS_IO_URING_ENTER,
        libc::SYS_lseek,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_mprotect,
        libc::SYS_munmap,
        libc::SYS_openat,
        libc::SYS_prctl,
        libc::SYS_pread64,
        libc::SYS_preadv,
        libc::SYS_pwritev,
        libc::SYS_pwrite64,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sched_getaffinity,
        libc::SYS_set_robust_list,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioConsole` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection); note that
/// `mmap`/`mprotect` and `prctl` are among them. Anything not listed falls
/// through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_mprotect,
        libc::SYS_munmap,
        libc::SYS_prctl,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sched_getaffinity,
        libc::SYS_set_robust_list,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioIommu` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). Anything
/// not listed falls through to the filter's default action (`Trap` or `Log`,
/// see `get_seccomp_filter`). Unlike most sibling rule sets this one does not
/// allow `rt_sigprocmask`.
fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_mprotect,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioMem` thread may issue once its seccomp filter
/// is installed.
///
/// Every entry is an unconditional allow (no argument inspection); `fallocate`
/// is the only entry beyond the common epoll/futex/memory core. Anything not
/// listed falls through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_fallocate,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioNet` thread may issue once its seccomp filter
/// is installed.
///
/// Every entry is an unconditional allow (no argument inspection); `openat`
/// is allowed for any path and `readv`/`writev` cover the vectored I/O path.
/// Anything not listed falls through to the filter's default action (`Trap`
/// or `Log`, see `get_seccomp_filter`).
fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_openat,
        libc::SYS_read,
        libc::SYS_readv,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
        libc::SYS_writev,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioNetCtl` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). Anything
/// not listed falls through to the filter's default action (`Trap` or `Log`,
/// see `get_seccomp_filter`).
fn virtio_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioPmem` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection); `fsync` is
/// the only entry beyond the common epoll/futex/memory core. Anything not
/// listed falls through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_fsync,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioRng` thread may issue once its seccomp filter
/// is installed.
///
/// Every entry is an unconditional allow (no argument inspection); the list
/// matches `virtio_console_thread_rules` entry for entry, including
/// `mmap`/`mprotect` and `prctl`. Anything not listed falls through to the
/// filter's default action (`Trap` or `Log`, see `get_seccomp_filter`).
fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_mprotect,
        libc::SYS_munmap,
        libc::SYS_prctl,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sched_getaffinity,
        libc::SYS_set_robust_list,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioVhostBlk` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). Anything
/// not listed falls through to the filter's default action (`Trap` or `Log`,
/// see `get_seccomp_filter`).
fn virtio_vhost_blk_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioVhostFs` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection);
/// `sendmsg`/`recvmsg` are allowed on any socket. Anything not listed falls
/// through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_recvmsg,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sendmsg,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioVhostNet` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). Anything
/// not listed falls through to the filter's default action (`Trap` or `Log`,
/// see `get_seccomp_filter`). The list is intentionally reproduced in its
/// original (non-alphabetical) order.
fn virtio_vhost_net_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_futex,
        libc::SYS_read,
        libc::SYS_write,
        libc::SYS_sigaltstack,
        libc::SYS_munmap,
        // NOTE(review): unlike most other rule sets in this file, `madvise`
        // and `exit` are allowed on aarch64 only; confirm x86_64 really
        // never needs them before widening this list.
        #[cfg(target_arch = "aarch64")]
        libc::SYS_madvise,
        #[cfg(target_arch = "aarch64")]
        libc::SYS_exit,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Syscalls the `Thread::VirtioVhostNetCtl` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection). Anything
/// not listed falls through to the filter's default action (`Trap` or `Log`,
/// see `get_seccomp_filter`). Note that on x86_64 this list has no `write`,
/// `sigaltstack`, `munmap`, `madvise` or `exit`; those are aarch64-only here.
fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_futex,
        libc::SYS_read,
        // NOTE(review): the four aarch64-only entries below differ from the
        // sibling rule sets, where they are unconditional — confirm the x86_64
        // thread never reaches them before changing.
        #[cfg(target_arch = "aarch64")]
        libc::SYS_sigaltstack,
        #[cfg(target_arch = "aarch64")]
        libc::SYS_munmap,
        #[cfg(target_arch = "aarch64")]
        libc::SYS_madvise,
        #[cfg(target_arch = "aarch64")]
        libc::SYS_exit,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Builds the argument filter attached to `ioctl` for the vsock thread.
///
/// The single rule takes the `Allow` action only when syscall argument 1
/// (the `ioctl` request) compared as a DWORD equals `FIONBIO`; any other
/// request is not matched and so falls through to the filter's default
/// action. This is the one place in the file where a syscall is allowed with
/// argument inspection rather than unconditionally.
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
    // The condition is built from constants, so a failure of `Cond::new`
    // would be a programming error rather than a runtime condition.
    let request_is_fionbio = Cond::new(1, ArgLen::DWORD, Eq, FIONBIO).unwrap();
    vec![SeccompRule::new(vec![request_is_fionbio], SeccompAction::Allow)]
}
/// Syscalls the `Thread::VirtioVsock` thread may issue once its seccomp
/// filter is installed.
///
/// All entries are unconditional allows except `ioctl`, which is restricted
/// to the `FIONBIO` request via `create_vsock_ioctl_seccomp_rule`. Socket
/// calls (`accept4`, `recvfrom`) are allowed for any descriptor. Anything not
/// listed falls through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> {
    let before_ioctl = [
        libc::SYS_accept4,
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
    ];
    let after_ioctl = [
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_munmap,
        libc::SYS_read,
        libc::SYS_recvfrom,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sigaltstack,
        libc::SYS_write,
    ];

    // Preserve the original ordering: the argument-filtered `ioctl` entry sits
    // between `exit` and `futex`.
    let mut rules: Vec<SyscallRuleSet> =
        before_ioctl.iter().map(|&nr| allow_syscall(nr)).collect();
    rules.push(allow_syscall_if(
        libc::SYS_ioctl,
        create_vsock_ioctl_seccomp_rule(),
    ));
    rules.extend(after_ioctl.iter().map(|&nr| allow_syscall(nr)));
    rules
}
/// Syscalls the `Thread::VirtioWatchdog` thread may issue once its seccomp
/// filter is installed.
///
/// Every entry is an unconditional allow (no argument inspection); on top of
/// the console/rng set it adds `timerfd_settime`. Anything not listed falls
/// through to the filter's default action (`Trap` or `Log`, see
/// `get_seccomp_filter`).
fn virtio_watchdog_thread_rules() -> Vec<SyscallRuleSet> {
    let allowed = [
        libc::SYS_brk,
        libc::SYS_close,
        libc::SYS_dup,
        libc::SYS_epoll_create1,
        libc::SYS_epoll_ctl,
        libc::SYS_epoll_pwait,
        // x86_64 only, as in every other rule set in this file.
        #[cfg(target_arch = "x86_64")]
        libc::SYS_epoll_wait,
        libc::SYS_exit,
        libc::SYS_futex,
        libc::SYS_madvise,
        libc::SYS_mmap,
        libc::SYS_mprotect,
        libc::SYS_munmap,
        libc::SYS_prctl,
        libc::SYS_read,
        libc::SYS_rt_sigprocmask,
        libc::SYS_sched_getaffinity,
        libc::SYS_set_robust_list,
        libc::SYS_sigaltstack,
        libc::SYS_timerfd_settime,
        libc::SYS_write,
    ];
    allowed.iter().map(|&nr| allow_syscall(nr)).collect()
}
/// Builds the seccomp filter for `thread_type` with `Trap` as the default
/// action, i.e. any syscall outside the thread's allow-list is trapped rather
/// than allowed.
///
/// Returns whatever `SeccompFilter::new` returns for the collected rule set.
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
    // Pick the rule-set builder for this thread. The match is exhaustive over
    // `Thread`, so a new variant cannot compile without its own allow-list.
    let build_rules: fn() -> Vec<SyscallRuleSet> = match thread_type {
        Thread::VirtioBalloon => virtio_balloon_thread_rules,
        Thread::VirtioBlock => virtio_block_thread_rules,
        Thread::VirtioConsole => virtio_console_thread_rules,
        Thread::VirtioIommu => virtio_iommu_thread_rules,
        Thread::VirtioMem => virtio_mem_thread_rules,
        Thread::VirtioNet => virtio_net_thread_rules,
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules,
        Thread::VirtioPmem => virtio_pmem_thread_rules,
        Thread::VirtioRng => virtio_rng_thread_rules,
        Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules,
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules,
        Thread::VirtioVhostNet => virtio_vhost_net_thread_rules,
        Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules,
        Thread::VirtioVsock => virtio_vsock_thread_rules,
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules,
    };

    let rule_set = build_rules().into_iter().collect();
    SeccompFilter::new(rule_set, SeccompAction::Trap)
}
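/// Builds the seccomp filter for `thread_type` with `Log` as the default
/// action, i.e. a syscall outside the thread's allow-list is logged instead
/// of trapped (compare `get_seccomp_filter_trap`, which differs only in the
/// default action).
///
/// # Errors
/// Propagates the error from `SeccompFilter::new` unchanged.
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
    // Exhaustive over `Thread`: a new variant without an allow-list is a
    // compile error, not an unfiltered thread.
    let rules = match thread_type {
        Thread::VirtioBalloon => virtio_balloon_thread_rules(),
        Thread::VirtioBlock => virtio_block_thread_rules(),
        Thread::VirtioConsole => virtio_console_thread_rules(),
        Thread::VirtioIommu => virtio_iommu_thread_rules(),
        Thread::VirtioMem => virtio_mem_thread_rules(),
        Thread::VirtioNet => virtio_net_thread_rules(),
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
        Thread::VirtioPmem => virtio_pmem_thread_rules(),
        Thread::VirtioRng => virtio_rng_thread_rules(),
        Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
        Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
        Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
        Thread::VirtioVsock => virtio_vsock_thread_rules(),
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
    };

    // The constructor already yields `Result<SeccompFilter, Error>`; return it
    // directly rather than `Ok(..?)` (clippy `needless_question_mark`), which
    // also matches how `get_seccomp_filter_trap` is written.
    SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log)
}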
/// Generate a BPF program based on the seccomp_action value.
///
/// * `Allow` yields an empty program — no filter is installed for the thread.
/// * `Log` yields the thread's allow-list with `Log` as the default action.
/// * Any other action yields the allow-list with `Trap` as the default
///   action (the original `_` arm; actions other than `Allow`/`Log` are not
///   distinguished here).
///
/// # Errors
/// Filter construction or BPF compilation errors are wrapped in
/// `SeccompError::SeccompFilter`.
pub fn get_seccomp_filter(
    seccomp_action: &SeccompAction,
    thread_type: Thread,
) -> Result<BpfProgram, SeccompError> {
    // An empty program means "install nothing": the thread runs unsandboxed.
    if let SeccompAction::Allow = seccomp_action {
        return Ok(vec![]);
    }

    let filter = if let SeccompAction::Log = seccomp_action {
        get_seccomp_filter_log(thread_type)
    } else {
        get_seccomp_filter_trap(thread_type)
    };

    // Compile the rule set into BPF; both construction and compilation errors
    // surface under the same `SeccompError` variant.
    filter
        .and_then(|built| built.try_into())
        .map_err(SeccompError::SeccompFilter)
}