virtio-devices: seccomp: Add seccomp filters for vhost_blk thread
This patch enables the seccomp filters for the vhost_blk worker thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
4e0ea15075
commit
02d87833f0
@ -19,6 +19,7 @@ pub enum Thread {
|
||||
VirtioNetCtl,
|
||||
VirtioPmem,
|
||||
VirtioRng,
|
||||
VirtioVhostBlk,
|
||||
VirtioVhostFs,
|
||||
VirtioVhostNet,
|
||||
VirtioVhostNetCtl,
|
||||
@ -231,6 +232,27 @@ fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||
])
|
||||
}
|
||||
|
||||
fn virtio_vhost_blk_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||
Ok(vec![
|
||||
allow_syscall(libc::SYS_brk),
|
||||
allow_syscall(libc::SYS_close),
|
||||
allow_syscall(libc::SYS_dup),
|
||||
allow_syscall(libc::SYS_epoll_create1),
|
||||
allow_syscall(libc::SYS_epoll_ctl),
|
||||
allow_syscall(libc::SYS_epoll_pwait),
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
allow_syscall(libc::SYS_epoll_wait),
|
||||
allow_syscall(libc::SYS_exit),
|
||||
allow_syscall(libc::SYS_futex),
|
||||
allow_syscall(libc::SYS_madvise),
|
||||
allow_syscall(libc::SYS_munmap),
|
||||
allow_syscall(libc::SYS_read),
|
||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
||||
allow_syscall(libc::SYS_sigaltstack),
|
||||
allow_syscall(libc::SYS_write),
|
||||
])
|
||||
}
|
||||
|
||||
fn virtio_vhost_fs_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||
Ok(vec![
|
||||
allow_syscall(libc::SYS_brk),
|
||||
@ -295,6 +317,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules()?,
|
||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
|
||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
||||
@ -317,6 +340,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules()?,
|
||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
|
||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
||||
|
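Review bot: `virtio_vhost_blk_thread_rules` carries no doc comment and nothing records why each entry is needed, which matters for an allowlist that is meant to stay minimal; `SYS_dup` in particular is unusual for a worker thread and will be hard to prune later without a reason beside it. Add `/// Syscall allowlist for the vhost_blk worker thread (`Thread::VirtioVhostBlk`).` above the fn and a short `// needed by: <call path>` comment next to `allow_syscall(libc::SYS_dup)` (or drop it if no path on this thread duplicates a descriptor). The list covers vhost-user socket traffic only through `read`/`write`; whether the handler ever uses other socket calls cannot be told from this hunk, so it is worth exercising the device under the `get_seccomp_filter_log` variant before relying on the trapping filter.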
@ -5,9 +5,11 @@ use super::super::{ActivateError, ActivateResult, Queue, VirtioDevice, VirtioDev
|
||||
use super::handler::*;
|
||||
use super::vu_common_ctrl::*;
|
||||
use super::{Error, Result};
|
||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||
use crate::VirtioInterrupt;
|
||||
use block_util::VirtioBlockConfig;
|
||||
use libc::EFD_NONBLOCK;
|
||||
use seccomp::{SeccompAction, SeccompFilter};
|
||||
use std::mem;
|
||||
use std::os::unix::io::AsRawFd;
|
||||
use std::result;
|
||||
@ -43,11 +45,12 @@ pub struct Blk {
|
||||
epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
|
||||
paused: Arc<AtomicBool>,
|
||||
paused_sync: Arc<Barrier>,
|
||||
seccomp_action: SeccompAction,
|
||||
}
|
||||
|
||||
impl Blk {
|
||||
/// Create a new vhost-user-blk device
|
||||
pub fn new(id: String, vu_cfg: VhostUserConfig) -> Result<Blk> {
|
||||
pub fn new(id: String, vu_cfg: VhostUserConfig, seccomp_action: SeccompAction) -> Result<Blk> {
|
||||
let mut vhost_user_blk = Master::connect(&vu_cfg.socket, vu_cfg.num_queues as u64)
|
||||
.map_err(Error::VhostUserCreateMaster)?;
|
||||
|
||||
@ -148,6 +151,7 @@ impl Blk {
|
||||
epoll_threads: None,
|
||||
paused: Arc::new(AtomicBool::new(false)),
|
||||
paused_sync: Arc::new(Barrier::new(vu_cfg.num_queues + 1)),
|
||||
seccomp_action,
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -274,10 +278,15 @@ impl VirtioDevice for Blk {
|
||||
|
||||
let paused = self.paused.clone();
|
||||
let paused_sync = self.paused_sync.clone();
|
||||
let virtio_vhost_blk_seccomp_filter =
|
||||
get_seccomp_filter(&self.seccomp_action, Thread::VirtioVhostBlk)
|
||||
.map_err(ActivateError::CreateSeccompFilter)?;
|
||||
thread::Builder::new()
|
||||
.name("vhost_user_blk".to_string())
|
||||
.name("vhost_blk".to_string())
|
||||
.spawn(move || {
|
||||
if let Err(e) = handler.run(paused, paused_sync) {
|
||||
if let Err(e) = SeccompFilter::apply(virtio_vhost_blk_seccomp_filter) {
|
||||
error!("Error applying seccomp filter: {:?}", e);
|
||||
} else if let Err(e) = handler.run(paused, paused_sync) {
|
||||
error!("Error running worker: {:?}", e);
|
||||
}
|
||||
})
|
||||
|
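Review bot: In the spawned closure a failed `SeccompFilter::apply` is only logged and the thread returns without ever calling `handler.run`, so `activate` has already returned `Ok` while the device's queues are never serviced; unless the surrounding code handles this (the rest of `activate` and `handler.run` are outside the hunk), consider surfacing the failure, or at minimum mark it with `// TODO: surface apply() failure to the caller; the worker exits and the queues are never serviced`. Separately, the thread name changes from `vhost_user_blk` to `vhost_blk`, which is visible to anything that filters on thread names but is not mentioned in the commit message; either keep the old name or note the rename in the description.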
@ -1642,8 +1642,12 @@ impl DeviceManager {
|
||||
queue_size: disk_cfg.queue_size,
|
||||
};
|
||||
let vhost_user_block_device = Arc::new(Mutex::new(
|
||||
virtio_devices::vhost_user::Blk::new(id.clone(), vu_cfg)
|
||||
.map_err(DeviceManagerError::CreateVhostUserBlk)?,
|
||||
virtio_devices::vhost_user::Blk::new(
|
||||
id.clone(),
|
||||
vu_cfg,
|
||||
self.seccomp_action.clone(),
|
||||
)
|
||||
.map_err(DeviceManagerError::CreateVhostUserBlk)?,
|
||||
));
|
||||
|
||||
// Fill the device tree with a new node. In case of restore, we
|
||||
|