diff --git a/Cargo.lock b/Cargo.lock index 73376f6c6..509a38a4d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -204,7 +204,7 @@ dependencies = [ "log", "net_util", "option_parser", - "seccomp", + "seccompiler", "serde_json", "signal-hook", "test_infra", @@ -873,9 +873,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] -name = "seccomp" +name = "seccompiler" version = "0.1.0" -source = "git+https://github.com/firecracker-microvm/firecracker?tag=v0.24.5#cd36c699f3cb3d531289aadee26c45c1306edcfc" +source = "git+https://github.com/rust-vmm/seccompiler#da5788d52f1ae8886d8ed4624199b7e9fa64ac04" dependencies = [ "libc", ] @@ -1223,7 +1223,7 @@ dependencies = [ "net_util", "pci", "rate_limiter", - "seccomp", + "seccompiler", "serde", "serde_derive", "serde_json", @@ -1337,7 +1337,7 @@ dependencies = [ "option_parser", "pci", "qcow", - "seccomp", + "seccompiler", "serde", "serde_derive", "serde_json", diff --git a/Cargo.toml b/Cargo.toml index f76862651..3a884932c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -22,7 +22,7 @@ hypervisor = { path = "hypervisor" } libc = "0.2.99" log = { version = "0.4.14", features = ["std"] } option_parser = { path = "option_parser" } -seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } +seccompiler = { git = "https://github.com/rust-vmm/seccompiler"} serde_json = "1.0.66" signal-hook = "0.3.9" thiserror = "1.0.26" diff --git a/src/main.rs b/src/main.rs index d2c7580eb..92217ee8a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -12,7 +12,7 @@ use clap::{App, Arg, ArgGroup, ArgMatches}; use libc::EFD_NONBLOCK; use log::LevelFilter; use option_parser::OptionParser; -use seccomp::SeccompAction; +use seccompiler::SeccompAction; use signal_hook::{ consts::SIGSYS, iterator::{exfiltrator::WithRawSiginfo, SignalsInfo}, diff --git a/virtio-devices/Cargo.toml b/virtio-devices/Cargo.toml index 95ea3002f..b7dd4e137 100644 --- a/virtio-devices/Cargo.toml +++ b/virtio-devices/Cargo.toml @@ -23,7 +23,7 @@ net_gen = { path = "../net_gen" } net_util = { path = "../net_util" } pci = { path = "../pci" } rate_limiter = { path = "../rate_limiter" } -seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } +seccompiler = { git = "https://github.com/rust-vmm/seccompiler"} serde = "1.0.127" serde_derive = "1.0.127" serde_json = "1.0.66" diff --git a/virtio-devices/src/balloon.rs b/virtio-devices/src/balloon.rs index ccd12bcdf..7d64b344b 100644 --- a/virtio-devices/src/balloon.rs +++ b/virtio-devices/src/balloon.rs @@ -20,7 +20,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::GuestMemoryMmap; use crate::{VirtioInterrupt, VirtioInterruptType}; use libc::EFD_NONBLOCK; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::io; use std::mem::size_of; use std::os::unix::io::AsRawFd; @@ -466,7 +466,7 @@ impl VirtioDevice for Balloon { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_balloon_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/block.rs b/virtio-devices/src/block.rs index 33e954620..a346a55d9 100644 --- a/virtio-devices/src/block.rs +++ b/virtio-devices/src/block.rs @@ -22,7 +22,7 @@ use block_util::{ RequestType, VirtioBlockConfig, }; use rate_limiter::{RateLimiter, TokenType}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::io; use std::num::Wrapping; use std::os::unix::io::AsRawFd; @@ -596,7 +596,7 @@ impl VirtioDevice for Block { thread::Builder::new() .name(format!("{}_q{}", self.id.clone(), i)) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_block_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_block_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/console.rs b/virtio-devices/src/console.rs index 147bdfb64..586b862a2 100644 --- a/virtio-devices/src/console.rs +++ b/virtio-devices/src/console.rs @@ -11,7 +11,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::GuestMemoryMmap; use crate::VirtioInterrupt; use libc::EFD_NONBLOCK; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::cmp; use std::collections::VecDeque; use std::io; @@ -429,7 +429,7 @@ impl VirtioDevice for Console { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_console_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_console_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/iommu.rs b/virtio-devices/src/iommu.rs index 8d734f45d..df6c1a1f5 100644 --- a/virtio-devices/src/iommu.rs +++ b/virtio-devices/src/iommu.rs @@ -11,7 +11,7 @@ use super::{ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::GuestMemoryMmap; use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::collections::BTreeMap; use std::fmt::{self, Display}; use std::io; @@ -850,7 +850,7 @@ impl VirtioDevice for Iommu { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_iommu_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/lib.rs b/virtio-devices/src/lib.rs index 28995fa0f..35b3b9015 100644 --- a/virtio-devices/src/lib.rs +++ b/virtio-devices/src/lib.rs @@ -92,7 +92,7 @@ pub enum ActivateError { /// Failed to reset vhost-user daemon. VhostUserReset(vhost_user::Error), /// Cannot create seccomp filter - CreateSeccompFilter(seccomp::SeccompError), + CreateSeccompFilter(seccompiler::Error), /// Cannot create rate limiter CreateRateLimiter(std::io::Error), } @@ -109,7 +109,7 @@ pub enum Error { VhostUserAddMemoryRegion(vhost_user::Error), SetShmRegionsNotSupported, NetQueuePair(::net_util::NetQueuePairError), - ApplySeccompFilter(seccomp::Error), + ApplySeccompFilter(seccompiler::Error), } #[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)] diff --git a/virtio-devices/src/mem.rs b/virtio-devices/src/mem.rs index 1746ad7f3..2296403b9 100644 --- a/virtio-devices/src/mem.rs +++ b/virtio-devices/src/mem.rs @@ -23,7 +23,7 @@ use crate::{GuestMemoryMmap, GuestRegionMmap}; use crate::{VirtioInterrupt, VirtioInterruptType}; use anyhow::anyhow; use libc::EFD_NONBLOCK; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::collections::BTreeMap; use std::io; use std::mem::size_of; @@ -961,7 +961,7 @@ impl VirtioDevice for Mem { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_mem_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/net.rs b/virtio-devices/src/net.rs index 15e1ebf0d..379f43775 100644 --- a/virtio-devices/src/net.rs +++ b/virtio-devices/src/net.rs @@ -20,7 +20,7 @@ use net_util::{ virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, Tap, TapError, TxVirtio, VirtioNetConfig, }; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::net::Ipv4Addr; use std::num::Wrapping; use std::os::unix::io::{AsRawFd, RawFd}; @@ -576,7 +576,7 @@ impl VirtioDevice for Net { thread::Builder::new() .name(format!("{}_ctrl", self.id)) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); @@ -659,7 +659,7 @@ impl VirtioDevice for Net { thread::Builder::new() .name(format!("{}_qp{}", self.id.clone(), i)) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_net_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/pmem.rs b/virtio-devices/src/pmem.rs index 7ad366c84..6cb55c0af 100644 --- a/virtio-devices/src/pmem.rs +++ b/virtio-devices/src/pmem.rs @@ -15,7 +15,7 @@ use super::{ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::{GuestMemoryMmap, MmapRegion}; use crate::{VirtioInterrupt, VirtioInterruptType}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::fmt::{self, Display}; use std::fs::File; use std::io; @@ -397,7 +397,7 @@ impl VirtioDevice for Pmem { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_pmem_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/rng.rs b/virtio-devices/src/rng.rs index 3662bfc17..81516a0ae 100644 --- a/virtio-devices/src/rng.rs +++ b/virtio-devices/src/rng.rs @@ -11,7 +11,7 @@ use super::{ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::GuestMemoryMmap; use crate::{VirtioInterrupt, VirtioInterruptType}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::fs::File; use std::io; use std::os::unix::io::AsRawFd; @@ -243,7 +243,7 @@ impl VirtioDevice for Rng { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_rng_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs index 1cbbb0c21..9418b715c 100644 --- a/virtio-devices/src/seccomp_filters.rs +++ b/virtio-devices/src/seccomp_filters.rs @@ -4,10 +4,9 @@ // // SPDX-License-Identifier: Apache-2.0 -use seccomp::{ - allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, - SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule, - SyscallRuleSet, +use seccompiler::{ + BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq, + SeccompCondition as Cond, SeccompFilter, SeccompRule, }; use std::convert::TryInto; @@ -30,12 +29,11 @@ pub enum Thread { /// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`. /// The rule will take the `Allow` action if _all_ the conditions are true. /// -/// [`Allow`]: enum.SeccompAction.html /// [`SeccompCondition`]: struct.SeccompCondition.html /// [`SeccompRule`]: struct.SeccompRule.html macro_rules! and { - ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)); - ($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)) + ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap()); + ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap()) } /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`. @@ -62,388 +60,388 @@ const TUNSETOFFLOAD: u64 = 0x4004_54d0; fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec { or![ - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], ] } fn create_virtio_mem_ioctl_seccomp_rule() -> Vec { or![ - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], ] } -fn virtio_balloon_thread_rules() -> Vec { +fn virtio_balloon_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_fallocate), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_fallocate, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_block_thread_rules() -> Vec { +fn virtio_block_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_fallocate), - allow_syscall(libc::SYS_fdatasync), - allow_syscall(libc::SYS_fsync), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_fallocate, vec![]), + (libc::SYS_fdatasync, vec![]), + (libc::SYS_fsync, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_ftruncate), + (libc::SYS_ftruncate, vec![]), #[cfg(target_arch = "aarch64")] // The definition of libc::SYS_ftruncate is missing on AArch64. // Use a hard-code number instead. - allow_syscall(46), - allow_syscall(libc::SYS_futex), - allow_syscall(SYS_IO_URING_ENTER), - allow_syscall(libc::SYS_lseek), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_openat), - allow_syscall(libc::SYS_prctl), - allow_syscall(libc::SYS_pread64), - allow_syscall(libc::SYS_preadv), - allow_syscall(libc::SYS_pwritev), - allow_syscall(libc::SYS_pwrite64), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sched_getaffinity), - allow_syscall(libc::SYS_set_robust_list), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_timerfd_settime), - allow_syscall(libc::SYS_write), + (46, vec![]), + (libc::SYS_futex, vec![]), + (SYS_IO_URING_ENTER, vec![]), + (libc::SYS_lseek, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_openat, vec![]), + (libc::SYS_prctl, vec![]), + (libc::SYS_pread64, vec![]), + (libc::SYS_preadv, vec![]), + (libc::SYS_pwritev, vec![]), + (libc::SYS_pwrite64, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sched_getaffinity, vec![]), + (libc::SYS_set_robust_list, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_timerfd_settime, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_console_thread_rules() -> Vec { +fn virtio_console_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_prctl), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sched_getaffinity), - allow_syscall(libc::SYS_set_robust_list), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_prctl, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sched_getaffinity, vec![]), + (libc::SYS_set_robust_list, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_iommu_thread_rules() -> Vec { +fn virtio_iommu_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall_if(libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_mem_thread_rules() -> Vec { +fn virtio_mem_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_fallocate), - allow_syscall(libc::SYS_futex), - allow_syscall_if(libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_fallocate, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_net_thread_rules() -> Vec { +fn virtio_net_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_openat), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_readv), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_timerfd_settime), - allow_syscall(libc::SYS_write), - allow_syscall(libc::SYS_writev), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_openat, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_readv, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_timerfd_settime, vec![]), + (libc::SYS_write, vec![]), + (libc::SYS_writev, vec![]), ] } -fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result, Error> { - Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],]) +fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Vec { + or![and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],] } -fn virtio_net_ctl_thread_rules() -> Result, Error> { - Ok(vec![ - allow_syscall(libc::SYS_brk), - #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), - #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall_if(libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()?), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), - ]) -} - -fn virtio_pmem_thread_rules() -> Vec { +fn virtio_net_ctl_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_fsync), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_rng_thread_rules() -> Vec { +fn virtio_pmem_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_prctl), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sched_getaffinity), - allow_syscall(libc::SYS_set_robust_list), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_fsync, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_vhost_fs_thread_rules() -> Vec { +fn virtio_rng_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_connect), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_nanosleep), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_recvmsg), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sendmsg), - allow_syscall(libc::SYS_sendto), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_socket), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_prctl, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sched_getaffinity, vec![]), + (libc::SYS_set_robust_list, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_vhost_net_ctl_thread_rules() -> Vec { +fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_connect, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_nanosleep, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_recvmsg, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sendmsg, vec![]), + (libc::SYS_sendto, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_socket, vec![]), + (libc::SYS_write, vec![]), + ] +} + +fn virtio_vhost_net_ctl_thread_rules() -> Vec<(i64, Vec)> { + vec![ + (libc::SYS_brk, vec![]), + #[cfg(feature = "mshv")] + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), + #[cfg(target_arch = "x86_64")] + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ] } fn create_vsock_ioctl_seccomp_rule() -> Vec { - or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],] + or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],] } -fn virtio_vsock_thread_rules() -> Vec { +fn virtio_vsock_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_accept4), - allow_syscall(libc::SYS_brk), + (libc::SYS_accept4, vec![]), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_connect), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_connect, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall_if(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_recvfrom), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_socket), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_recvfrom, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_socket, vec![]), + (libc::SYS_write, vec![]), ] } -fn virtio_watchdog_thread_rules() -> Vec { +fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec)> { vec![ - allow_syscall(libc::SYS_brk), + (libc::SYS_brk, vec![]), #[cfg(feature = "mshv")] - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_prctl), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sched_getaffinity), - allow_syscall(libc::SYS_set_robust_list), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_timerfd_settime), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_prctl, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sched_getaffinity, vec![]), + (libc::SYS_set_robust_list, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_timerfd_settime, vec![]), + (libc::SYS_write, vec![]), ] } -fn get_seccomp_filter_trap(thread_type: Thread) -> Result { +fn get_seccomp_filter_trap(thread_type: Thread) -> Result { let rules = match thread_type { Thread::VirtioBalloon => virtio_balloon_thread_rules(), Thread::VirtioBlock => virtio_block_thread_rules(), @@ -451,7 +449,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result Thread::VirtioIommu => virtio_iommu_thread_rules(), Thread::VirtioMem => virtio_mem_thread_rules(), Thread::VirtioNet => virtio_net_thread_rules(), - Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, + Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), @@ -460,10 +458,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), }; - SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap) + SeccompFilter::new( + rules.into_iter().collect(), + SeccompAction::Trap, + SeccompAction::Allow, + std::env::consts::ARCH.try_into().unwrap(), + ) } -fn get_seccomp_filter_log(thread_type: Thread) -> Result { +fn get_seccomp_filter_log(thread_type: Thread) -> Result { let rules = match thread_type { Thread::VirtioBalloon => virtio_balloon_thread_rules(), Thread::VirtioBlock => virtio_block_thread_rules(), @@ -471,7 +474,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result { Thread::VirtioIommu => virtio_iommu_thread_rules(), Thread::VirtioMem => virtio_mem_thread_rules(), Thread::VirtioNet => virtio_net_thread_rules(), - Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, + Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), @@ -480,21 +483,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result { Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), }; - SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log) + SeccompFilter::new( + rules.into_iter().collect(), + SeccompAction::Log, + SeccompAction::Allow, + std::env::consts::ARCH.try_into().unwrap(), + ) } /// Generate a BPF program based on the seccomp_action value pub fn get_seccomp_filter( seccomp_action: &SeccompAction, thread_type: Thread, -) -> Result { +) -> Result { match seccomp_action { SeccompAction::Allow => Ok(vec![]), SeccompAction::Log => get_seccomp_filter_log(thread_type) .and_then(|filter| filter.try_into()) - .map_err(SeccompError::SeccompFilter), + .map_err(Error::Backend), _ => get_seccomp_filter_trap(thread_type) .and_then(|filter| filter.try_into()) - .map_err(SeccompError::SeccompFilter), + .map_err(Error::Backend), } } diff --git a/virtio-devices/src/vhost_user/fs.rs b/virtio-devices/src/vhost_user/fs.rs index a61cfc3fb..7855f6ee9 100644 --- a/virtio-devices/src/vhost_user/fs.rs +++ b/virtio-devices/src/vhost_user/fs.rs @@ -11,7 +11,7 @@ use crate::{ }; use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion}; use libc::{self, c_void, off64_t, pread64, pwrite64}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::io; use std::os::unix::io::AsRawFd; use std::result; @@ -556,7 +556,7 @@ impl VirtioDevice for Fs { thread::Builder::new() .name(self.id.to_string()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_vhost_fs_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running vhost-user-fs worker: {:?}", e); diff --git a/virtio-devices/src/vhost_user/net.rs b/virtio-devices/src/vhost_user/net.rs index b99eb1450..c1f79f70f 100644 --- a/virtio-devices/src/vhost_user/net.rs +++ b/virtio-devices/src/vhost_user/net.rs @@ -11,7 +11,7 @@ use crate::{ }; use crate::{GuestMemoryMmap, GuestRegionMmap}; use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::os::unix::io::AsRawFd; use std::result; use std::sync::atomic::AtomicBool; @@ -339,7 +339,7 @@ impl VirtioDevice for Net { thread::Builder::new() .name(format!("{}_ctrl", self.id)) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_vhost_net_ctl_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/vsock/device.rs b/virtio-devices/src/vsock/device.rs index e77d171b2..f5890fa23 100644 --- a/virtio-devices/src/vsock/device.rs +++ b/virtio-devices/src/vsock/device.rs @@ -38,7 +38,7 @@ use crate::{ VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1, }; use byteorder::{ByteOrder, LittleEndian}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::io; use std::os::unix::io::AsRawFd; use std::path::PathBuf; @@ -441,7 +441,7 @@ where thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_vsock_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/virtio-devices/src/vsock/mod.rs b/virtio-devices/src/vsock/mod.rs index 09d416d0b..b933f95db 100644 --- a/virtio-devices/src/vsock/mod.rs +++ b/virtio-devices/src/vsock/mod.rs @@ -274,7 +274,7 @@ mod tests { PathBuf::from("/test/sock"), TestBackend::new(), false, - seccomp::SeccompAction::Trap, + seccompiler::SeccompAction::Trap, ) .unwrap(), } diff --git a/virtio-devices/src/watchdog.rs b/virtio-devices/src/watchdog.rs index e7c4e718a..9e74fd4c8 100644 --- a/virtio-devices/src/watchdog.rs +++ b/virtio-devices/src/watchdog.rs @@ -14,7 +14,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::GuestMemoryMmap; use crate::{VirtioInterrupt, VirtioInterruptType}; use anyhow::anyhow; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use std::fs::File; use std::io::{self, Read}; use std::os::unix::io::{AsRawFd, FromRawFd, RawFd}; @@ -325,7 +325,7 @@ impl VirtioDevice for Watchdog { thread::Builder::new() .name(self.id.clone()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(virtio_watchdog_seccomp_filter) { + if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) { error!("Error applying seccomp filter: {:?}", e); } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); diff --git a/vmm/Cargo.toml b/vmm/Cargo.toml index 4a19757ac..171f7521c 100644 --- a/vmm/Cargo.toml +++ b/vmm/Cargo.toml @@ -35,7 +35,7 @@ net_util = { path = "../net_util" } option_parser = { path = "../option_parser" } pci = { path = "../pci" } qcow = { path = "../qcow" } -seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } +seccompiler = { git = "https://github.com/rust-vmm/seccompiler"} serde = { version = "1.0.127", features = ["rc"] } serde_derive = "1.0.127" serde_json = "1.0.66" diff --git a/vmm/src/api/http.rs b/vmm/src/api/http.rs index 3ce3e6147..f718884d6 100644 --- a/vmm/src/api/http.rs +++ b/vmm/src/api/http.rs @@ -8,7 +8,7 @@ use crate::api::{ApiError, ApiRequest, VmAction}; use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::{Error, Result}; use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use serde_json::Error as SerdeError; use std::collections::HashMap; use std::fs::File; @@ -276,7 +276,7 @@ fn start_http_thread( .name("http-server".to_string()) .spawn(move || { // Apply seccomp filter for API thread. - SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?; + apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?; server.start_server().unwrap(); loop { diff --git a/vmm/src/api/mod.rs b/vmm/src/api/mod.rs index f43296c0a..a394593b3 100644 --- a/vmm/src/api/mod.rs +++ b/vmm/src/api/mod.rs @@ -117,10 +117,10 @@ pub enum ApiError { VmRemoveDevice(VmError), /// Cannot create seccomp filter - CreateSeccompFilter(seccomp::SeccompError), + CreateSeccompFilter(seccompiler::Error), /// Cannot apply seccomp filter - ApplySeccompFilter(seccomp::Error), + ApplySeccompFilter(seccompiler::Error), /// The disk could not be added to the VM. VmAddDisk(VmError), diff --git a/vmm/src/cpu.rs b/vmm/src/cpu.rs index d28815b69..2bd7f42fc 100644 --- a/vmm/src/cpu.rs +++ b/vmm/src/cpu.rs @@ -32,7 +32,7 @@ use hypervisor::kvm::kvm_bindings; use hypervisor::CpuId; use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit}; use libc::{c_void, siginfo_t}; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; #[cfg(feature = "acpi")] use std::collections::BTreeMap; use std::os::unix::thread::JoinHandleExt; @@ -88,10 +88,10 @@ pub enum Error { DesiredVCpuCountExceedsMax, /// Cannot create seccomp filter - CreateSeccompFilter(seccomp::SeccompError), + CreateSeccompFilter(seccompiler::Error), /// Cannot apply seccomp filter - ApplySeccompFilter(seccomp::Error), + ApplySeccompFilter(seccompiler::Error), /// Error starting vCPU after restore StartRestoreVcpu(anyhow::Error), @@ -725,7 +725,7 @@ impl CpuManager { .spawn(move || { // Apply seccomp filter for vcpu thread. if let Err(e) = - SeccompFilter::apply(vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter) + apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter) { error!("Error applying seccomp filter: {:?}", e); return; diff --git a/vmm/src/device_manager.rs b/vmm/src/device_manager.rs index 7966552c9..00bc2fbd9 100644 --- a/vmm/src/device_manager.rs +++ b/vmm/src/device_manager.rs @@ -66,7 +66,7 @@ use pci::{ DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot, VfioUserPciDevice, VfioUserPciDeviceError, }; -use seccomp::SeccompAction; +use seccompiler::SeccompAction; use std::collections::HashMap; use std::convert::TryInto; use std::fs::{read_link, File, OpenOptions}; diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs index 6866f3749..354247438 100644 --- a/vmm/src/lib.rs +++ b/vmm/src/lib.rs @@ -28,7 +28,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::vm::{Error as VmError, Vm, VmState}; use anyhow::anyhow; use libc::EFD_NONBLOCK; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use serde::ser::{Serialize, SerializeStruct, Serializer}; use std::fs::File; use std::io; @@ -121,11 +121,11 @@ pub enum Error { /// Cannot create seccomp filter #[error("Error creating seccomp filter: {0}")] - CreateSeccompFilter(seccomp::SeccompError), + CreateSeccompFilter(seccompiler::Error), /// Cannot apply seccomp filter #[error("Error applying seccomp filter: {0}")] - ApplySeccompFilter(seccomp::Error), + ApplySeccompFilter(seccompiler::Error), /// Error activating virtio devices #[error("Error activating virtio devices: {0:?}")] @@ -263,7 +263,7 @@ pub fn start_vmm_thread( .name("vmm".to_string()) .spawn(move || { // Apply seccomp filter for VMM thread. - SeccompFilter::apply(vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?; + apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?; let mut vmm = Vmm::new( vmm_version.to_string(), diff --git a/vmm/src/seccomp_filters.rs b/vmm/src/seccomp_filters.rs index 55d54a283..e3371d981 100644 --- a/vmm/src/seccomp_filters.rs +++ b/vmm/src/seccomp_filters.rs @@ -4,10 +4,9 @@ // // SPDX-License-Identifier: Apache-2.0 -use seccomp::{ - allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, - SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule, - SyscallRuleSet, +use seccompiler::{ + BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq, + SeccompCondition as Cond, SeccompFilter, SeccompRule, }; use std::convert::TryInto; @@ -21,12 +20,11 @@ pub enum Thread { /// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`. /// The rule will take the `Allow` action if _all_ the conditions are true. /// -/// [`Allow`]: enum.SeccompAction.html /// [`SeccompCondition`]: struct.SeccompCondition.html /// [`SeccompRule`]: struct.SeccompRule.html macro_rules! and { - ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)); - ($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)) + ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap()); + ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap()) } /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`. @@ -149,66 +147,66 @@ mod mshv { use mshv::*; #[cfg(feature = "mshv")] -fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result, BackendError> { Ok(or![ - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_API_VERSION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VM)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VP)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_STATE)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_STATE)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_API_VERSION,)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VM)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VP)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_STATE)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_STATE)?], and![Cond::new( 1, - ArgLen::DWORD, + ArgLen::Dword, Eq, MSHV_SET_PARTITION_PROPERTY )?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_GPA_ACCESS_STATES)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_GPA_ACCESS_STATES)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?], ]) } #[cfg(feature = "kvm")] -fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result, BackendError> { Ok(or![ - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_DEVICE,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_IRQCHIP,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VCPU)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VM)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ENABLE_CAP)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_API_VERSION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DEVICE_ATTR,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DIRTY_LOG)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MP_STATE)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_ONE_REG)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REG_LIST)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SUPPORTED_CPUID,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_EVENTS,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_MMAP_SIZE,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_MEMORY_ENCRYPT_OP)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MP_STATE)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_ONE_REG)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_REGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_VCPU_EVENTS,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_DEVICE,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_IRQCHIP,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VCPU)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VM)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_ENABLE_CAP)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_API_VERSION,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DEVICE_ATTR,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DIRTY_LOG)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MP_STATE)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_ONE_REG)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REG_LIST)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SUPPORTED_CPUID,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_EVENTS,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_MMAP_SIZE,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_MEMORY_ENCRYPT_OP)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MP_STATE)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_ONE_REG)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_REGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_VCPU_EVENTS,)?], ]) } -fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result, BackendError> { #[cfg(feature = "kvm")] let rules = create_vmm_ioctl_seccomp_rule_common_kvm(); @@ -218,46 +216,46 @@ fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result, Error> rules } -fn create_vmm_ioctl_seccomp_rule_common() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_common() -> Result, BackendError> { let mut common_rules = or![ - and![Cond::new(1, ArgLen::DWORD, Eq, FIOCLEX)?], - and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFFLAGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFHWADDR)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFADDR)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFFLAGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFHWADDR)?], - and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFNETMASK)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TIOCSPTLCK)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGTPEER)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETFEATURES)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETIFF)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETIFF)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETVNETHDRSZ)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GET_API_VERSION)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_CHECK_EXTENSION)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_SET_IOMMU)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_STATUS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_SET_CONTAINER)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_DEVICE_FD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_INFO)?], + and![Cond::new(1, ArgLen::Dword, Eq, FIOCLEX)?], + and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFFLAGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFHWADDR)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFADDR)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFFLAGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFHWADDR)?], + and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFNETMASK)?], + and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?], + and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?], + and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?], + and![Cond::new(1, ArgLen::Dword, Eq, TIOCSPTLCK)?], + and![Cond::new(1, ArgLen::Dword, Eq, TIOCGTPEER)?], + and![Cond::new(1, ArgLen::Dword, Eq, TUNGETFEATURES)?], + and![Cond::new(1, ArgLen::Dword, Eq, TUNGETIFF)?], + and![Cond::new(1, ArgLen::Dword, Eq, TUNSETIFF)?], + and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD)?], + and![Cond::new(1, ArgLen::Dword, Eq, TUNSETVNETHDRSZ)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GET_API_VERSION)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_CHECK_EXTENSION)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_SET_IOMMU)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_STATUS)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_SET_CONTAINER)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_DEVICE_FD)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_INFO)?], and![Cond::new( 1, - ArgLen::DWORD, + ArgLen::Dword, Eq, VFIO_DEVICE_GET_REGION_INFO )?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_IRQ_INFO)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_RESET)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_IOEVENTFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_IRQ_INFO)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_RESET)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_IOEVENTFD)?], ]; let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?; @@ -268,7 +266,7 @@ fn create_vmm_ioctl_seccomp_rule_common() -> Result, Error> { } #[cfg(all(target_arch = "x86_64", feature = "kvm"))] -fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, BackendError> { const KVM_CREATE_PIT2: u64 = 0x4040_ae77; const KVM_GET_CLOCK: u64 = 0x8030_ae7c; const KVM_GET_CPUID2: u64 = 0xc008_ae91; @@ -292,26 +290,26 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, Error> { let common_rules = create_vmm_ioctl_seccomp_rule_common()?; let mut arch_rules = or![ - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_PIT2)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CLOCK,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CPUID2,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_FPU)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_LAPIC)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSR_INDEX_LIST)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSRS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SREGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XCRS,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XSAVE,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_KVMCLOCK_CTRL)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CLOCK)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CPUID2)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_FPU)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_LAPIC)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_SREGS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_TSS_ADDR,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MSRS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XCRS,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XSAVE,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_PIT2)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CLOCK,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CPUID2,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_FPU)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_LAPIC)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSR_INDEX_LIST)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSRS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SREGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XCRS,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XSAVE,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_KVMCLOCK_CTRL)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CLOCK)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CPUID2)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_FPU)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_LAPIC)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_SREGS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_TSS_ADDR,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MSRS)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XCRS,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XSAVE,)?], ]; arch_rules.extend(common_rules); @@ -319,14 +317,14 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, Error> { } #[cfg(all(target_arch = "aarch64", feature = "kvm"))] -fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, BackendError> { const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf; const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae; let common_rules = create_vmm_ioctl_seccomp_rule_common()?; let mut arch_rules = or![ - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_PREFERRED_TARGET,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_VCPU_INIT,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_PREFERRED_TARGET,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_VCPU_INIT,)?], ]; arch_rules.extend(common_rules); @@ -334,11 +332,11 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result, Error> { } #[cfg(all(target_arch = "x86_64", feature = "mshv"))] -fn create_vmm_ioctl_seccomp_rule_mshv() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule_mshv() -> Result, BackendError> { create_vmm_ioctl_seccomp_rule_common() } -fn create_vmm_ioctl_seccomp_rule() -> Result, Error> { +fn create_vmm_ioctl_seccomp_rule() -> Result, BackendError> { #[cfg(feature = "kvm")] let rules = create_vmm_ioctl_seccomp_rule_kvm(); @@ -348,182 +346,182 @@ fn create_vmm_ioctl_seccomp_rule() -> Result, Error> { rules } -fn create_api_ioctl_seccomp_rule() -> Result, Error> { - Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],]) +fn create_api_ioctl_seccomp_rule() -> Result, BackendError> { + Ok(or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?]]) } -fn create_signal_handler_ioctl_seccomp_rule() -> Result, Error> { +fn create_signal_handler_ioctl_seccomp_rule() -> Result, BackendError> { Ok(or![ - and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?], + and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?], + and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?], + and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?], ]) } -fn signal_handler_thread_rules() -> Result, Error> { +fn signal_handler_thread_rules() -> Result)>, BackendError> { Ok(vec![ - allow_syscall(libc::SYS_brk), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_exit_group), - allow_syscall(libc::SYS_futex), - allow_syscall_if(libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_recvfrom), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_sendto), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_brk, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_exit_group, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?), + (libc::SYS_madvise, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_recvfrom, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_sendto, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ]) } // The filter containing the white listed syscall rules required by the VMM to // function. -fn vmm_thread_rules() -> Result, Error> { +fn vmm_thread_rules() -> Result)>, BackendError> { Ok(vec![ - allow_syscall(libc::SYS_accept4), + (libc::SYS_accept4, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_access), + (libc::SYS_access, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_arch_prctl), - allow_syscall(libc::SYS_bind), - allow_syscall(libc::SYS_brk), - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_clock_nanosleep), - allow_syscall(libc::SYS_clone), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_connect), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_arch_prctl, vec![]), + (libc::SYS_bind, vec![]), + (libc::SYS_brk, vec![]), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_clock_nanosleep, vec![]), + (libc::SYS_clone, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_connect, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_eventfd2), - allow_syscall(libc::SYS_execve), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_exit_group), - allow_syscall(libc::SYS_fallocate), - allow_syscall(libc::SYS_fcntl), - allow_syscall(libc::SYS_fdatasync), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_eventfd2, vec![]), + (libc::SYS_execve, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_exit_group, vec![]), + (libc::SYS_fallocate, vec![]), + (libc::SYS_fcntl, vec![]), + (libc::SYS_fdatasync, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_fork), - allow_syscall(libc::SYS_fstat), - allow_syscall(libc::SYS_fsync), - allow_syscall(SYS_FTRUNCATE), + (libc::SYS_fork, vec![]), + (libc::SYS_fstat, vec![]), + (libc::SYS_fsync, vec![]), + (SYS_FTRUNCATE, vec![]), #[cfg(target_arch = "aarch64")] - allow_syscall(libc::SYS_faccessat), + (libc::SYS_faccessat, vec![]), #[cfg(target_arch = "aarch64")] - allow_syscall(libc::SYS_newfstatat), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_getpid), - allow_syscall(libc::SYS_getrandom), - allow_syscall(libc::SYS_gettid), - allow_syscall(libc::SYS_gettimeofday), - allow_syscall(libc::SYS_getuid), - allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?), - allow_syscall(SYS_IO_URING_ENTER), - allow_syscall(SYS_IO_URING_SETUP), - allow_syscall(SYS_IO_URING_REGISTER), - allow_syscall(libc::SYS_kill), - allow_syscall(libc::SYS_listen), - allow_syscall(libc::SYS_lseek), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mbind), - allow_syscall(libc::SYS_memfd_create), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_mremap), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_nanosleep), - allow_syscall(libc::SYS_newfstatat), + (libc::SYS_newfstatat, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_getpid, vec![]), + (libc::SYS_getrandom, vec![]), + (libc::SYS_gettid, vec![]), + (libc::SYS_gettimeofday, vec![]), + (libc::SYS_getuid, vec![]), + (libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?), + (SYS_IO_URING_ENTER, vec![]), + (SYS_IO_URING_SETUP, vec![]), + (SYS_IO_URING_REGISTER, vec![]), + (libc::SYS_kill, vec![]), + (libc::SYS_listen, vec![]), + (libc::SYS_lseek, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mbind, vec![]), + (libc::SYS_memfd_create, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_mremap, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_nanosleep, vec![]), + (libc::SYS_newfstatat, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_open), - allow_syscall(libc::SYS_openat), - allow_syscall(libc::SYS_pipe2), - allow_syscall(libc::SYS_prctl), - allow_syscall(libc::SYS_pread64), - allow_syscall(libc::SYS_preadv), - allow_syscall(libc::SYS_prlimit64), - allow_syscall(libc::SYS_pwrite64), - allow_syscall(libc::SYS_pwritev), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_readv), + (libc::SYS_open, vec![]), + (libc::SYS_openat, vec![]), + (libc::SYS_pipe2, vec![]), + (libc::SYS_prctl, vec![]), + (libc::SYS_pread64, vec![]), + (libc::SYS_preadv, vec![]), + (libc::SYS_prlimit64, vec![]), + (libc::SYS_pwrite64, vec![]), + (libc::SYS_pwritev, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_readv, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_readlink), + (libc::SYS_readlink, vec![]), #[cfg(target_arch = "aarch64")] - allow_syscall(libc::SYS_readlinkat), - allow_syscall(libc::SYS_recvfrom), - allow_syscall(libc::SYS_recvmsg), - allow_syscall(libc::SYS_restart_syscall), - allow_syscall(libc::SYS_rt_sigaction), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_rt_sigreturn), - allow_syscall(libc::SYS_sched_getaffinity), - allow_syscall(libc::SYS_sendmsg), - allow_syscall(libc::SYS_sendto), - allow_syscall(libc::SYS_set_robust_list), - allow_syscall(libc::SYS_set_tid_address), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall_if( + (libc::SYS_readlinkat, vec![]), + (libc::SYS_recvfrom, vec![]), + (libc::SYS_recvmsg, vec![]), + (libc::SYS_restart_syscall, vec![]), + (libc::SYS_rt_sigaction, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_rt_sigreturn, vec![]), + (libc::SYS_sched_getaffinity, vec![]), + (libc::SYS_sendmsg, vec![]), + (libc::SYS_sendto, vec![]), + (libc::SYS_set_robust_list, vec![]), + (libc::SYS_set_tid_address, vec![]), + (libc::SYS_sigaltstack, vec![]), + ( libc::SYS_socket, or![ - and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_UNIX as u64)?], - and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_INET as u64)?], + and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_UNIX as u64)?], + and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_INET as u64)?], ], ), - allow_syscall(libc::SYS_socketpair), + (libc::SYS_socketpair, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_stat), - allow_syscall(libc::SYS_statx), - allow_syscall(libc::SYS_tgkill), - allow_syscall(libc::SYS_timerfd_create), - allow_syscall(libc::SYS_timerfd_settime), - allow_syscall(libc::SYS_tkill), - allow_syscall_if( + (libc::SYS_stat, vec![]), + (libc::SYS_statx, vec![]), + (libc::SYS_tgkill, vec![]), + (libc::SYS_timerfd_create, vec![]), + (libc::SYS_timerfd_settime, vec![]), + (libc::SYS_tkill, vec![]), + ( libc::SYS_umask, - or![and![Cond::new(0, ArgLen::DWORD, Eq, 0o077)?]], + or![and![Cond::new(0, ArgLen::Dword, Eq, 0o077)?]], ), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_unlink), + (libc::SYS_unlink, vec![]), #[cfg(target_arch = "aarch64")] - allow_syscall(libc::SYS_unlinkat), - allow_syscall(libc::SYS_wait4), - allow_syscall(libc::SYS_write), - allow_syscall(libc::SYS_writev), + (libc::SYS_unlinkat, vec![]), + (libc::SYS_wait4, vec![]), + (libc::SYS_write, vec![]), + (libc::SYS_writev, vec![]), ]) } #[cfg(feature = "kvm")] -fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result, Error> { +fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result, BackendError> { Ok(or![ - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?], - and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?], + and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN,)?], ]) } #[cfg(feature = "mshv")] -fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result, Error> { +fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result, BackendError> { Ok(or![ - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?], - and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?], + and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?], ]) } -fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result, Error> { +fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result, BackendError> { #[cfg(feature = "kvm")] let rules = create_vcpu_ioctl_seccomp_rule_kvm(); @@ -533,11 +531,11 @@ fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result, Error rules } -fn create_vcpu_ioctl_seccomp_rule() -> Result, Error> { +fn create_vcpu_ioctl_seccomp_rule() -> Result, BackendError> { let mut rules = or![ - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?], - and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?], + and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?], ]; let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?; @@ -547,79 +545,79 @@ fn create_vcpu_ioctl_seccomp_rule() -> Result, Error> { Ok(rules) } -fn vcpu_thread_rules() -> Result, Error> { +fn vcpu_thread_rules() -> Result)>, BackendError> { Ok(vec![ - allow_syscall(libc::SYS_brk), - allow_syscall(libc::SYS_clock_gettime), - allow_syscall(libc::SYS_clock_nanosleep), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_fstat), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_getrandom), - allow_syscall(libc::SYS_getpid), - allow_syscall_if(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?), - allow_syscall(libc::SYS_lseek), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mmap), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_nanosleep), - allow_syscall(libc::SYS_newfstatat), + (libc::SYS_brk, vec![]), + (libc::SYS_clock_gettime, vec![]), + (libc::SYS_clock_nanosleep, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_fstat, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_getrandom, vec![]), + (libc::SYS_getpid, vec![]), + (libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?), + (libc::SYS_lseek, vec![]), + (libc::SYS_madvise, vec![]), + (libc::SYS_mmap, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_nanosleep, vec![]), + (libc::SYS_newfstatat, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_open), - allow_syscall(libc::SYS_openat), - allow_syscall(libc::SYS_pread64), - allow_syscall(libc::SYS_pwrite64), - allow_syscall(libc::SYS_read), - allow_syscall(libc::SYS_recvfrom), - allow_syscall(libc::SYS_recvmsg), - allow_syscall(libc::SYS_rt_sigaction), - allow_syscall(libc::SYS_rt_sigprocmask), - allow_syscall(libc::SYS_rt_sigreturn), - allow_syscall(libc::SYS_sendmsg), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_tgkill), - allow_syscall(libc::SYS_tkill), + (libc::SYS_open, vec![]), + (libc::SYS_openat, vec![]), + (libc::SYS_pread64, vec![]), + (libc::SYS_pwrite64, vec![]), + (libc::SYS_read, vec![]), + (libc::SYS_recvfrom, vec![]), + (libc::SYS_recvmsg, vec![]), + (libc::SYS_rt_sigaction, vec![]), + (libc::SYS_rt_sigprocmask, vec![]), + (libc::SYS_rt_sigreturn, vec![]), + (libc::SYS_sendmsg, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_tgkill, vec![]), + (libc::SYS_tkill, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_unlink), + (libc::SYS_unlink, vec![]), #[cfg(target_arch = "aarch64")] - allow_syscall(libc::SYS_unlinkat), - allow_syscall(libc::SYS_write), - allow_syscall(libc::SYS_writev), + (libc::SYS_unlinkat, vec![]), + (libc::SYS_write, vec![]), + (libc::SYS_writev, vec![]), ]) } // The filter containing the white listed syscall rules required by the API to // function. -fn api_thread_rules() -> Result, Error> { +fn api_thread_rules() -> Result)>, BackendError> { Ok(vec![ - allow_syscall(libc::SYS_accept4), - allow_syscall(libc::SYS_brk), - allow_syscall(libc::SYS_close), - allow_syscall(libc::SYS_dup), - allow_syscall(libc::SYS_epoll_create1), - allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_epoll_pwait), + (libc::SYS_accept4, vec![]), + (libc::SYS_brk, vec![]), + (libc::SYS_close, vec![]), + (libc::SYS_dup, vec![]), + (libc::SYS_epoll_create1, vec![]), + (libc::SYS_epoll_ctl, vec![]), + (libc::SYS_epoll_pwait, vec![]), #[cfg(target_arch = "x86_64")] - allow_syscall(libc::SYS_epoll_wait), - allow_syscall(libc::SYS_exit), - allow_syscall(libc::SYS_fcntl), - allow_syscall(libc::SYS_futex), - allow_syscall(libc::SYS_getrandom), - allow_syscall_if(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?), - allow_syscall(libc::SYS_madvise), - allow_syscall(libc::SYS_mprotect), - allow_syscall(libc::SYS_munmap), - allow_syscall(libc::SYS_recvfrom), - allow_syscall(libc::SYS_recvmsg), - allow_syscall(libc::SYS_sigaltstack), - allow_syscall(libc::SYS_write), + (libc::SYS_epoll_wait, vec![]), + (libc::SYS_exit, vec![]), + (libc::SYS_fcntl, vec![]), + (libc::SYS_futex, vec![]), + (libc::SYS_getrandom, vec![]), + (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?), + (libc::SYS_madvise, vec![]), + (libc::SYS_mprotect, vec![]), + (libc::SYS_munmap, vec![]), + (libc::SYS_recvfrom, vec![]), + (libc::SYS_recvmsg, vec![]), + (libc::SYS_sigaltstack, vec![]), + (libc::SYS_write, vec![]), ]) } -fn get_seccomp_filter_trap(thread_type: Thread) -> Result { +fn get_seccomp_filter_trap(thread_type: Thread) -> Result { let rules = match thread_type { Thread::Api => api_thread_rules()?, Thread::SignalHandler => signal_handler_thread_rules()?, @@ -627,10 +625,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result Thread::Vmm => vmm_thread_rules()?, }; - SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap) + SeccompFilter::new( + rules.into_iter().collect(), + SeccompAction::Trap, + SeccompAction::Allow, + std::env::consts::ARCH.try_into().unwrap(), + ) } -fn get_seccomp_filter_log(thread_type: Thread) -> Result { +fn get_seccomp_filter_log(thread_type: Thread) -> Result { let rules = match thread_type { Thread::Api => api_thread_rules()?, Thread::SignalHandler => signal_handler_thread_rules()?, @@ -638,21 +641,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result { Thread::Vmm => vmm_thread_rules()?, }; - SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log) + SeccompFilter::new( + rules.into_iter().collect(), + SeccompAction::Log, + SeccompAction::Allow, + std::env::consts::ARCH.try_into().unwrap(), + ) } /// Generate a BPF program based on the seccomp_action value pub fn get_seccomp_filter( seccomp_action: &SeccompAction, thread_type: Thread, -) -> Result { +) -> Result { match seccomp_action { SeccompAction::Allow => Ok(vec![]), SeccompAction::Log => get_seccomp_filter_log(thread_type) .and_then(|filter| filter.try_into()) - .map_err(SeccompError::SeccompFilter), + .map_err(Error::Backend), _ => get_seccomp_filter_trap(thread_type) .and_then(|filter| filter.try_into()) - .map_err(SeccompError::SeccompFilter), + .map_err(Error::Backend), } } diff --git a/vmm/src/vm.rs b/vmm/src/vm.rs index 60cf55460..c4c4d35d8 100644 --- a/vmm/src/vm.rs +++ b/vmm/src/vm.rs @@ -44,7 +44,7 @@ use linux_loader::loader::elf::PvhBootCapability::PvhEntryPresent; #[cfg(target_arch = "aarch64")] use linux_loader::loader::pe::Error::InvalidImageMagicNumber; use linux_loader::loader::KernelLoader; -use seccomp::{SeccompAction, SeccompFilter}; +use seccompiler::{apply_filter, SeccompAction}; use signal_hook::{ consts::{SIGINT, SIGTERM, SIGWINCH}, iterator::backend::Handle, @@ -216,10 +216,10 @@ pub enum Error { InvalidNumaConfig, /// Cannot create seccomp filter - CreateSeccompFilter(seccomp::SeccompError), + CreateSeccompFilter(seccompiler::Error), /// Cannot apply seccomp filter - ApplySeccompFilter(seccomp::Error), + ApplySeccompFilter(seccompiler::Error), /// Failed resizing a memory zone. ResizeZone, @@ -1880,7 +1880,7 @@ impl Vm { thread::Builder::new() .name("signal_handler".to_string()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter) + if let Err(e) = apply_filter(&signal_handler_seccomp_filter) .map_err(Error::ApplySeccompFilter) { error!("Error applying seccomp filter: {:?}", e); @@ -2442,7 +2442,7 @@ impl Snapshottable for Vm { thread::Builder::new() .name("signal_handler".to_string()) .spawn(move || { - if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter) + if let Err(e) = apply_filter(&signal_handler_seccomp_filter) .map_err(Error::ApplySeccompFilter) { error!("Error applying seccomp filter: {:?}", e);