virtio-devices: seccomp: Add seccomp filters for vhost_fs thread
This patch enables the seccomp filters for the vhost_fs worker thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
c82ded8afa
commit
02d63149fe
@ -19,6 +19,7 @@ pub enum Thread {
|
|||||||
VirtioNetCtl,
|
VirtioNetCtl,
|
||||||
VirtioPmem,
|
VirtioPmem,
|
||||||
VirtioRng,
|
VirtioRng,
|
||||||
|
VirtioVhostFs,
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_balloon_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn virtio_balloon_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
@ -228,6 +229,30 @@ fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn virtio_vhost_fs_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
|
Ok(vec![
|
||||||
|
allow_syscall(libc::SYS_brk),
|
||||||
|
allow_syscall(libc::SYS_close),
|
||||||
|
allow_syscall(libc::SYS_dup),
|
||||||
|
allow_syscall(libc::SYS_epoll_create1),
|
||||||
|
allow_syscall(libc::SYS_epoll_ctl),
|
||||||
|
allow_syscall(libc::SYS_epoll_pwait),
|
||||||
|
#[cfg(target_arch = "x86_64")]
|
||||||
|
allow_syscall(libc::SYS_epoll_wait),
|
||||||
|
allow_syscall(libc::SYS_exit),
|
||||||
|
allow_syscall(libc::SYS_futex),
|
||||||
|
allow_syscall(libc::SYS_madvise),
|
||||||
|
allow_syscall(libc::SYS_mmap),
|
||||||
|
allow_syscall(libc::SYS_munmap),
|
||||||
|
allow_syscall(libc::SYS_read),
|
||||||
|
allow_syscall(libc::SYS_recvmsg),
|
||||||
|
allow_syscall(libc::SYS_rt_sigprocmask),
|
||||||
|
allow_syscall(libc::SYS_sendmsg),
|
||||||
|
allow_syscall(libc::SYS_sigaltstack),
|
||||||
|
allow_syscall(libc::SYS_write),
|
||||||
|
])
|
||||||
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::VirtioBalloon => virtio_balloon_thread_rules()?,
|
Thread::VirtioBalloon => virtio_balloon_thread_rules()?,
|
||||||
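Review bot: Every entry in `virtio_vhost_fs_thread_rules` is an unconditioned `allow_syscall`, so `mmap`, `madvise`, `dup`, `sendmsg` and `recvmsg` are permitted with any arguments; if the `seccomp` crate used here supports argument conditions, `mmap` in particular is worth constraining (e.g. rejecting `PROT_EXEC`), since this worker presumably services mapping requests from the vhost-user backend. The list also records no reason for any entry, which makes future pruning guesswork; a one-line comment on the non-obvious ones would help, e.g. `// dup/sendmsg/recvmsg: vhost-user slave channel (SCM_RIGHTS fd passing) — confirm against the handler`. Whether `exit_group` or `rt_sigreturn` are needed for clean thread exit and signal return cannot be judged from this hunk, so check against the other thread rule sets. `get_seccomp_filter_trap` starts in this hunk and continues outside it.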
@ -239,6 +264,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(SeccompFilter::new(
|
Ok(SeccompFilter::new(
|
||||||
@ -258,6 +284,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(SeccompFilter::new(
|
Ok(SeccompFilter::new(
|
||||||
|
@ -3,12 +3,14 @@
|
|||||||
|
|
||||||
use super::vu_common_ctrl::{reset_vhost_user, setup_vhost_user, update_mem_table};
|
use super::vu_common_ctrl::{reset_vhost_user, setup_vhost_user, update_mem_table};
|
||||||
use super::{Error, Result};
|
use super::{Error, Result};
|
||||||
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::vhost_user::handler::{VhostUserEpollConfig, VhostUserEpollHandler};
|
use crate::vhost_user::handler::{VhostUserEpollConfig, VhostUserEpollHandler};
|
||||||
use crate::{
|
use crate::{
|
||||||
ActivateError, ActivateResult, Queue, UserspaceMapping, VirtioDevice, VirtioDeviceType,
|
ActivateError, ActivateResult, Queue, UserspaceMapping, VirtioDevice, VirtioDeviceType,
|
||||||
VirtioInterrupt, VirtioSharedMemoryList, VIRTIO_F_VERSION_1,
|
VirtioInterrupt, VirtioSharedMemoryList, VIRTIO_F_VERSION_1,
|
||||||
};
|
};
|
||||||
use libc::{self, c_void, off64_t, pread64, pwrite64, EFD_NONBLOCK};
|
use libc::{self, c_void, off64_t, pread64, pwrite64, EFD_NONBLOCK};
|
||||||
|
use seccomp::{SeccompAction, SeccompFilter};
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::os::unix::io::{AsRawFd, RawFd};
|
use std::os::unix::io::{AsRawFd, RawFd};
|
||||||
use std::result;
|
use std::result;
|
||||||
@ -281,6 +283,7 @@ pub struct Fs {
|
|||||||
epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
|
epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
|
||||||
paused: Arc<AtomicBool>,
|
paused: Arc<AtomicBool>,
|
||||||
paused_sync: Arc<Barrier>,
|
paused_sync: Arc<Barrier>,
|
||||||
|
seccomp_action: SeccompAction,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Fs {
|
impl Fs {
|
||||||
@ -292,6 +295,7 @@ impl Fs {
|
|||||||
req_num_queues: usize,
|
req_num_queues: usize,
|
||||||
queue_size: u16,
|
queue_size: u16,
|
||||||
cache: Option<(VirtioSharedMemoryList, MmapRegion)>,
|
cache: Option<(VirtioSharedMemoryList, MmapRegion)>,
|
||||||
|
seccomp_action: SeccompAction,
|
||||||
) -> Result<Fs> {
|
) -> Result<Fs> {
|
||||||
let mut slave_req_support = false;
|
let mut slave_req_support = false;
|
||||||
|
|
||||||
@ -367,6 +371,7 @@ impl Fs {
|
|||||||
epoll_threads: None,
|
epoll_threads: None,
|
||||||
paused: Arc::new(AtomicBool::new(false)),
|
paused: Arc::new(AtomicBool::new(false)),
|
||||||
paused_sync: Arc::new(Barrier::new(2)),
|
paused_sync: Arc::new(Barrier::new(2)),
|
||||||
|
seccomp_action,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -504,10 +509,15 @@ impl VirtioDevice for Fs {
|
|||||||
let paused = self.paused.clone();
|
let paused = self.paused.clone();
|
||||||
let paused_sync = self.paused_sync.clone();
|
let paused_sync = self.paused_sync.clone();
|
||||||
let mut epoll_threads = Vec::new();
|
let mut epoll_threads = Vec::new();
|
||||||
|
let virtio_vhost_fs_seccomp_filter =
|
||||||
|
get_seccomp_filter(&self.seccomp_action, Thread::VirtioVhostFs)
|
||||||
|
.map_err(ActivateError::CreateSeccompFilter)?;
|
||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("virtio_fs".to_string())
|
.name("vhost_fs".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = handler.run(paused, paused_sync) {
|
if let Err(e) = SeccompFilter::apply(virtio_vhost_fs_seccomp_filter) {
|
||||||
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
|
} else if let Err(e) = handler.run(paused, paused_sync) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
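Review bot: When `SeccompFilter::apply` fails, the spawned closure only logs and returns, so the device stays activated but its worker never runs — the guest sees filesystem requests stall with nothing surfaced beyond a log line. Failing closed is the right choice, but the failure should be observable: add a comment stating the intent, `// Fail closed: a worker that cannot be sandboxed must not process guest requests.`, and consider having the join handle's result (or an abort) carry the error so whoever drains `epoll_threads` can distinguish a sandbox failure from a normal exit. Note also the thread name changes from `virtio_fs` to `vhost_fs`; any tooling that pins or inspects threads by name will need updating. The `spawn` call continues past the end of the hunk.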
|
@ -2121,6 +2121,7 @@ impl DeviceManager {
|
|||||||
fs_cfg.num_queues,
|
fs_cfg.num_queues,
|
||||||
fs_cfg.queue_size,
|
fs_cfg.queue_size,
|
||||||
cache,
|
cache,
|
||||||
|
self.seccomp_action.clone(),
|
||||||
)
|
)
|
||||||
.map_err(DeviceManagerError::CreateVirtioFs)?,
|
.map_err(DeviceManagerError::CreateVirtioFs)?,
|
||||||
));
|
));
|
||||||
|