vmm: seccomp: add new seccomp filter for the DBusApi thread

Signed-off-by: Omer Faruk Bayram <omer.faruk@sartura.hr>
2024-12-22 13:45:20 +00:00 · 2023-05-20 12:42:34 +03:00 · 2023-05-20 12:42:34 +03:00 · 0664647109
commit 0664647109
parent f2c813e1cf
2 changed files with 40 additions and 1 deletions
--- a/vmm/src/api/dbus/mod.rs
+++ b/vmm/src/api/dbus/mod.rs
@ -276,7 +276,6 @@ impl DBusApi {
    }
 }

-// TODO: add another field to the `seccomp_filters::Thread` enum for the D-Bus API
 // TODO: add command line arguments to make this configurable
 pub fn start_dbus_thread(
    api_notifier: EventFd,
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -13,6 +13,8 @@ use std::convert::TryInto;

 pub enum Thread {
    HttpApi,
+    #[cfg(feature = "dbus_api")]
+    DBusApi,
    SignalHandler,
    Vcpu,
    Vmm,
@ -772,12 +774,50 @@ fn http_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
    ])
 }

+// The filter containing the white listed syscall rules required by the D-Bus API
+// to function.
+#[cfg(feature = "dbus_api")]
+fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
+    Ok(vec![
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_clone, vec![]),
+        (libc::SYS_clone3, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_getrandom, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        // musl is missing this constant
+        // (libc::SYS_rseq, vec![]),
+        #[cfg(target_arch = "x86_64")]
+        (334, vec![]),
+        #[cfg(target_arch = "aarch64")]
+        (293, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_sendmsg, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
+    ])
+}
+
 fn get_seccomp_rules(
    thread_type: Thread,
    hypervisor_type: HypervisorType,
 ) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
    match thread_type {
        Thread::HttpApi => Ok(http_api_thread_rules()?),
+        #[cfg(feature = "dbus_api")]
+        Thread::DBusApi => Ok(dbus_api_thread_rules()?),
        Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
        Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
        Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),