mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2024-10-02 11:35:46 +00:00
virtio-devices, vmm: Move to the seccompiler crate
Fixes: #2929 Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
c7f75f9d59
commit
08ac3405f5
10
Cargo.lock
generated
10
Cargo.lock
generated
@ -204,7 +204,7 @@ dependencies = [
|
|||||||
"log",
|
"log",
|
||||||
"net_util",
|
"net_util",
|
||||||
"option_parser",
|
"option_parser",
|
||||||
"seccomp",
|
"seccompiler",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
"signal-hook",
|
"signal-hook",
|
||||||
"test_infra",
|
"test_infra",
|
||||||
@ -873,9 +873,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||||||
checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
|
checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "seccomp"
|
name = "seccompiler"
|
||||||
version = "0.1.0"
|
version = "0.1.0"
|
||||||
source = "git+https://github.com/firecracker-microvm/firecracker?tag=v0.24.5#cd36c699f3cb3d531289aadee26c45c1306edcfc"
|
source = "git+https://github.com/rust-vmm/seccompiler#da5788d52f1ae8886d8ed4624199b7e9fa64ac04"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"libc",
|
"libc",
|
||||||
]
|
]
|
||||||
@ -1223,7 +1223,7 @@ dependencies = [
|
|||||||
"net_util",
|
"net_util",
|
||||||
"pci",
|
"pci",
|
||||||
"rate_limiter",
|
"rate_limiter",
|
||||||
"seccomp",
|
"seccompiler",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_derive",
|
"serde_derive",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
@ -1337,7 +1337,7 @@ dependencies = [
|
|||||||
"option_parser",
|
"option_parser",
|
||||||
"pci",
|
"pci",
|
||||||
"qcow",
|
"qcow",
|
||||||
"seccomp",
|
"seccompiler",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_derive",
|
"serde_derive",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
|
@ -22,7 +22,7 @@ hypervisor = { path = "hypervisor" }
|
|||||||
libc = "0.2.99"
|
libc = "0.2.99"
|
||||||
log = { version = "0.4.14", features = ["std"] }
|
log = { version = "0.4.14", features = ["std"] }
|
||||||
option_parser = { path = "option_parser" }
|
option_parser = { path = "option_parser" }
|
||||||
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
|
seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
|
||||||
serde_json = "1.0.66"
|
serde_json = "1.0.66"
|
||||||
signal-hook = "0.3.9"
|
signal-hook = "0.3.9"
|
||||||
thiserror = "1.0.26"
|
thiserror = "1.0.26"
|
||||||
|
@ -12,7 +12,7 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
|
|||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
use log::LevelFilter;
|
use log::LevelFilter;
|
||||||
use option_parser::OptionParser;
|
use option_parser::OptionParser;
|
||||||
use seccomp::SeccompAction;
|
use seccompiler::SeccompAction;
|
||||||
use signal_hook::{
|
use signal_hook::{
|
||||||
consts::SIGSYS,
|
consts::SIGSYS,
|
||||||
iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
|
iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
|
||||||
|
@ -23,7 +23,7 @@ net_gen = { path = "../net_gen" }
|
|||||||
net_util = { path = "../net_util" }
|
net_util = { path = "../net_util" }
|
||||||
pci = { path = "../pci" }
|
pci = { path = "../pci" }
|
||||||
rate_limiter = { path = "../rate_limiter" }
|
rate_limiter = { path = "../rate_limiter" }
|
||||||
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
|
seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
|
||||||
serde = "1.0.127"
|
serde = "1.0.127"
|
||||||
serde_derive = "1.0.127"
|
serde_derive = "1.0.127"
|
||||||
serde_json = "1.0.66"
|
serde_json = "1.0.66"
|
||||||
|
@ -20,7 +20,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
|||||||
use crate::GuestMemoryMmap;
|
use crate::GuestMemoryMmap;
|
||||||
use crate::{VirtioInterrupt, VirtioInterruptType};
|
use crate::{VirtioInterrupt, VirtioInterruptType};
|
||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::mem::size_of;
|
use std::mem::size_of;
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
@ -466,7 +466,7 @@ impl VirtioDevice for Balloon {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_balloon_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -22,7 +22,7 @@ use block_util::{
|
|||||||
RequestType, VirtioBlockConfig,
|
RequestType, VirtioBlockConfig,
|
||||||
};
|
};
|
||||||
use rate_limiter::{RateLimiter, TokenType};
|
use rate_limiter::{RateLimiter, TokenType};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::num::Wrapping;
|
use std::num::Wrapping;
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
@ -596,7 +596,7 @@ impl VirtioDevice for Block {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_q{}", self.id.clone(), i))
|
.name(format!("{}_q{}", self.id.clone(), i))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_block_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -11,7 +11,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
|||||||
use crate::GuestMemoryMmap;
|
use crate::GuestMemoryMmap;
|
||||||
use crate::VirtioInterrupt;
|
use crate::VirtioInterrupt;
|
||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::cmp;
|
use std::cmp;
|
||||||
use std::collections::VecDeque;
|
use std::collections::VecDeque;
|
||||||
use std::io;
|
use std::io;
|
||||||
@ -429,7 +429,7 @@ impl VirtioDevice for Console {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_console_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -11,7 +11,7 @@ use super::{
|
|||||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::GuestMemoryMmap;
|
use crate::GuestMemoryMmap;
|
||||||
use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
|
use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::collections::BTreeMap;
|
use std::collections::BTreeMap;
|
||||||
use std::fmt::{self, Display};
|
use std::fmt::{self, Display};
|
||||||
use std::io;
|
use std::io;
|
||||||
@ -850,7 +850,7 @@ impl VirtioDevice for Iommu {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_iommu_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -92,7 +92,7 @@ pub enum ActivateError {
|
|||||||
/// Failed to reset vhost-user daemon.
|
/// Failed to reset vhost-user daemon.
|
||||||
VhostUserReset(vhost_user::Error),
|
VhostUserReset(vhost_user::Error),
|
||||||
/// Cannot create seccomp filter
|
/// Cannot create seccomp filter
|
||||||
CreateSeccompFilter(seccomp::SeccompError),
|
CreateSeccompFilter(seccompiler::Error),
|
||||||
/// Cannot create rate limiter
|
/// Cannot create rate limiter
|
||||||
CreateRateLimiter(std::io::Error),
|
CreateRateLimiter(std::io::Error),
|
||||||
}
|
}
|
||||||
@ -109,7 +109,7 @@ pub enum Error {
|
|||||||
VhostUserAddMemoryRegion(vhost_user::Error),
|
VhostUserAddMemoryRegion(vhost_user::Error),
|
||||||
SetShmRegionsNotSupported,
|
SetShmRegionsNotSupported,
|
||||||
NetQueuePair(::net_util::NetQueuePairError),
|
NetQueuePair(::net_util::NetQueuePairError),
|
||||||
ApplySeccompFilter(seccomp::Error),
|
ApplySeccompFilter(seccompiler::Error),
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)]
|
#[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)]
|
||||||
|
@ -23,7 +23,7 @@ use crate::{GuestMemoryMmap, GuestRegionMmap};
|
|||||||
use crate::{VirtioInterrupt, VirtioInterruptType};
|
use crate::{VirtioInterrupt, VirtioInterruptType};
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::collections::BTreeMap;
|
use std::collections::BTreeMap;
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::mem::size_of;
|
use std::mem::size_of;
|
||||||
@ -961,7 +961,7 @@ impl VirtioDevice for Mem {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_mem_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -20,7 +20,7 @@ use net_util::{
|
|||||||
virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio,
|
virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio,
|
||||||
Tap, TapError, TxVirtio, VirtioNetConfig,
|
Tap, TapError, TxVirtio, VirtioNetConfig,
|
||||||
};
|
};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::net::Ipv4Addr;
|
use std::net::Ipv4Addr;
|
||||||
use std::num::Wrapping;
|
use std::num::Wrapping;
|
||||||
use std::os::unix::io::{AsRawFd, RawFd};
|
use std::os::unix::io::{AsRawFd, RawFd};
|
||||||
@ -576,7 +576,7 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_ctrl", self.id))
|
.name(format!("{}_ctrl", self.id))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
@ -659,7 +659,7 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_qp{}", self.id.clone(), i))
|
.name(format!("{}_qp{}", self.id.clone(), i))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -15,7 +15,7 @@ use super::{
|
|||||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::{GuestMemoryMmap, MmapRegion};
|
use crate::{GuestMemoryMmap, MmapRegion};
|
||||||
use crate::{VirtioInterrupt, VirtioInterruptType};
|
use crate::{VirtioInterrupt, VirtioInterruptType};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::fmt::{self, Display};
|
use std::fmt::{self, Display};
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io;
|
use std::io;
|
||||||
@ -397,7 +397,7 @@ impl VirtioDevice for Pmem {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_pmem_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -11,7 +11,7 @@ use super::{
|
|||||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::GuestMemoryMmap;
|
use crate::GuestMemoryMmap;
|
||||||
use crate::{VirtioInterrupt, VirtioInterruptType};
|
use crate::{VirtioInterrupt, VirtioInterruptType};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
@ -243,7 +243,7 @@ impl VirtioDevice for Rng {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_rng_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -4,10 +4,9 @@
|
|||||||
//
|
//
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
use seccomp::{
|
use seccompiler::{
|
||||||
allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
|
BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
|
||||||
SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
|
SeccompCondition as Cond, SeccompFilter, SeccompRule,
|
||||||
SyscallRuleSet,
|
|
||||||
};
|
};
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
|
|
||||||
@ -30,12 +29,11 @@ pub enum Thread {
|
|||||||
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
|
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
|
||||||
/// The rule will take the `Allow` action if _all_ the conditions are true.
|
/// The rule will take the `Allow` action if _all_ the conditions are true.
|
||||||
///
|
///
|
||||||
/// [`Allow`]: enum.SeccompAction.html
|
|
||||||
/// [`SeccompCondition`]: struct.SeccompCondition.html
|
/// [`SeccompCondition`]: struct.SeccompCondition.html
|
||||||
/// [`SeccompRule`]: struct.SeccompRule.html
|
/// [`SeccompRule`]: struct.SeccompRule.html
|
||||||
macro_rules! and {
|
macro_rules! and {
|
||||||
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow));
|
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
|
||||||
($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow))
|
($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
|
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
|
||||||
@ -62,388 +60,388 @@ const TUNSETOFFLOAD: u64 = 0x4004_54d0;
|
|||||||
|
|
||||||
fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
or![
|
or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
or![
|
or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_balloon_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_fallocate),
|
(libc::SYS_fallocate, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_fallocate),
|
(libc::SYS_fallocate, vec![]),
|
||||||
allow_syscall(libc::SYS_fdatasync),
|
(libc::SYS_fdatasync, vec![]),
|
||||||
allow_syscall(libc::SYS_fsync),
|
(libc::SYS_fsync, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_ftruncate),
|
(libc::SYS_ftruncate, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
// The definition of libc::SYS_ftruncate is missing on AArch64.
|
// The definition of libc::SYS_ftruncate is missing on AArch64.
|
||||||
// Use a hard-code number instead.
|
// Use a hard-code number instead.
|
||||||
allow_syscall(46),
|
(46, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(SYS_IO_URING_ENTER),
|
(SYS_IO_URING_ENTER, vec![]),
|
||||||
allow_syscall(libc::SYS_lseek),
|
(libc::SYS_lseek, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_openat),
|
(libc::SYS_openat, vec![]),
|
||||||
allow_syscall(libc::SYS_prctl),
|
(libc::SYS_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_pread64),
|
(libc::SYS_pread64, vec![]),
|
||||||
allow_syscall(libc::SYS_preadv),
|
(libc::SYS_preadv, vec![]),
|
||||||
allow_syscall(libc::SYS_pwritev),
|
(libc::SYS_pwritev, vec![]),
|
||||||
allow_syscall(libc::SYS_pwrite64),
|
(libc::SYS_pwrite64, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sched_getaffinity),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
allow_syscall(libc::SYS_set_robust_list),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_timerfd_settime),
|
(libc::SYS_timerfd_settime, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_console_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_prctl),
|
(libc::SYS_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sched_getaffinity),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
allow_syscall(libc::SYS_set_robust_list),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_iommu_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
|
(libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_mem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_fallocate),
|
(libc::SYS_fallocate, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()),
|
(libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_openat),
|
(libc::SYS_openat, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_readv),
|
(libc::SYS_readv, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_timerfd_settime),
|
(libc::SYS_timerfd_settime, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
allow_syscall(libc::SYS_writev),
|
(libc::SYS_writev, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],])
|
or![and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn virtio_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
Ok(vec![
|
|
||||||
allow_syscall(libc::SYS_brk),
|
|
||||||
#[cfg(feature = "mshv")]
|
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
|
||||||
allow_syscall(libc::SYS_close),
|
|
||||||
allow_syscall(libc::SYS_dup),
|
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
|
||||||
#[cfg(target_arch = "x86_64")]
|
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
|
||||||
allow_syscall(libc::SYS_exit),
|
|
||||||
allow_syscall(libc::SYS_futex),
|
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()?),
|
|
||||||
allow_syscall(libc::SYS_madvise),
|
|
||||||
allow_syscall(libc::SYS_munmap),
|
|
||||||
allow_syscall(libc::SYS_read),
|
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
])
|
|
||||||
}
|
|
||||||
|
|
||||||
fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
|
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_fsync),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_pmem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_fsync, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_prctl),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_write, vec![]),
|
||||||
allow_syscall(libc::SYS_sched_getaffinity),
|
|
||||||
allow_syscall(libc::SYS_set_robust_list),
|
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_rng_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_connect),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_nanosleep),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_recvmsg),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sendmsg),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
allow_syscall(libc::SYS_sendto),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_socket),
|
(libc::SYS_write, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_connect, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_nanosleep, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_recvmsg, vec![]),
|
||||||
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
|
(libc::SYS_sendmsg, vec![]),
|
||||||
|
(libc::SYS_sendto, vec![]),
|
||||||
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
|
(libc::SYS_socket, vec![]),
|
||||||
|
(libc::SYS_write, vec![]),
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
fn virtio_vhost_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
|
vec![
|
||||||
|
(libc::SYS_brk, vec![]),
|
||||||
|
#[cfg(feature = "mshv")]
|
||||||
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
|
(libc::SYS_close, vec![]),
|
||||||
|
(libc::SYS_dup, vec![]),
|
||||||
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
|
#[cfg(target_arch = "x86_64")]
|
||||||
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
|
(libc::SYS_exit, vec![]),
|
||||||
|
(libc::SYS_futex, vec![]),
|
||||||
|
(libc::SYS_munmap, vec![]),
|
||||||
|
(libc::SYS_madvise, vec![]),
|
||||||
|
(libc::SYS_read, vec![]),
|
||||||
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
|
or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_vsock_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_accept4),
|
(libc::SYS_accept4, vec![]),
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_connect),
|
(libc::SYS_connect, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
|
(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_recvfrom),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_socket),
|
(libc::SYS_socket, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_watchdog_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_prctl),
|
(libc::SYS_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sched_getaffinity),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
allow_syscall(libc::SYS_set_robust_list),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_timerfd_settime),
|
(libc::SYS_timerfd_settime, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
||||||
Thread::VirtioBlock => virtio_block_thread_rules(),
|
Thread::VirtioBlock => virtio_block_thread_rules(),
|
||||||
@ -451,7 +449,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioIommu => virtio_iommu_thread_rules(),
|
Thread::VirtioIommu => virtio_iommu_thread_rules(),
|
||||||
Thread::VirtioMem => virtio_mem_thread_rules(),
|
Thread::VirtioMem => virtio_mem_thread_rules(),
|
||||||
Thread::VirtioNet => virtio_net_thread_rules(),
|
Thread::VirtioNet => virtio_net_thread_rules(),
|
||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules(),
|
Thread::VirtioRng => virtio_rng_thread_rules(),
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
||||||
@ -460,10 +458,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
||||||
};
|
};
|
||||||
|
|
||||||
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap)
|
SeccompFilter::new(
|
||||||
|
rules.into_iter().collect(),
|
||||||
|
SeccompAction::Trap,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
||||||
Thread::VirtioBlock => virtio_block_thread_rules(),
|
Thread::VirtioBlock => virtio_block_thread_rules(),
|
||||||
@ -471,7 +474,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioIommu => virtio_iommu_thread_rules(),
|
Thread::VirtioIommu => virtio_iommu_thread_rules(),
|
||||||
Thread::VirtioMem => virtio_mem_thread_rules(),
|
Thread::VirtioMem => virtio_mem_thread_rules(),
|
||||||
Thread::VirtioNet => virtio_net_thread_rules(),
|
Thread::VirtioNet => virtio_net_thread_rules(),
|
||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules(),
|
Thread::VirtioRng => virtio_rng_thread_rules(),
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
||||||
@ -480,21 +483,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
||||||
};
|
};
|
||||||
|
|
||||||
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log)
|
SeccompFilter::new(
|
||||||
|
rules.into_iter().collect(),
|
||||||
|
SeccompAction::Log,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generate a BPF program based on the seccomp_action value
|
/// Generate a BPF program based on the seccomp_action value
|
||||||
pub fn get_seccomp_filter(
|
pub fn get_seccomp_filter(
|
||||||
seccomp_action: &SeccompAction,
|
seccomp_action: &SeccompAction,
|
||||||
thread_type: Thread,
|
thread_type: Thread,
|
||||||
) -> Result<BpfProgram, SeccompError> {
|
) -> Result<BpfProgram, Error> {
|
||||||
match seccomp_action {
|
match seccomp_action {
|
||||||
SeccompAction::Allow => Ok(vec![]),
|
SeccompAction::Allow => Ok(vec![]),
|
||||||
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(SeccompError::SeccompFilter),
|
.map_err(Error::Backend),
|
||||||
_ => get_seccomp_filter_trap(thread_type)
|
_ => get_seccomp_filter_trap(thread_type)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(SeccompError::SeccompFilter),
|
.map_err(Error::Backend),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -11,7 +11,7 @@ use crate::{
|
|||||||
};
|
};
|
||||||
use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion};
|
use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion};
|
||||||
use libc::{self, c_void, off64_t, pread64, pwrite64};
|
use libc::{self, c_void, off64_t, pread64, pwrite64};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
use std::result;
|
use std::result;
|
||||||
@ -556,7 +556,7 @@ impl VirtioDevice for Fs {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.to_string())
|
.name(self.id.to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_vhost_fs_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running vhost-user-fs worker: {:?}", e);
|
error!("Error running vhost-user-fs worker: {:?}", e);
|
||||||
|
@ -11,7 +11,7 @@ use crate::{
|
|||||||
};
|
};
|
||||||
use crate::{GuestMemoryMmap, GuestRegionMmap};
|
use crate::{GuestMemoryMmap, GuestRegionMmap};
|
||||||
use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig};
|
use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
use std::result;
|
use std::result;
|
||||||
use std::sync::atomic::AtomicBool;
|
use std::sync::atomic::AtomicBool;
|
||||||
@ -339,7 +339,7 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_ctrl", self.id))
|
.name(format!("{}_ctrl", self.id))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_vhost_net_ctl_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -38,7 +38,7 @@ use crate::{
|
|||||||
VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1,
|
VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1,
|
||||||
};
|
};
|
||||||
use byteorder::{ByteOrder, LittleEndian};
|
use byteorder::{ByteOrder, LittleEndian};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::io;
|
use std::io;
|
||||||
use std::os::unix::io::AsRawFd;
|
use std::os::unix::io::AsRawFd;
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
@ -441,7 +441,7 @@ where
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_vsock_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -274,7 +274,7 @@ mod tests {
|
|||||||
PathBuf::from("/test/sock"),
|
PathBuf::from("/test/sock"),
|
||||||
TestBackend::new(),
|
TestBackend::new(),
|
||||||
false,
|
false,
|
||||||
seccomp::SeccompAction::Trap,
|
seccompiler::SeccompAction::Trap,
|
||||||
)
|
)
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
}
|
}
|
||||||
|
@ -14,7 +14,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
|||||||
use crate::GuestMemoryMmap;
|
use crate::GuestMemoryMmap;
|
||||||
use crate::{VirtioInterrupt, VirtioInterruptType};
|
use crate::{VirtioInterrupt, VirtioInterruptType};
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io::{self, Read};
|
use std::io::{self, Read};
|
||||||
use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
|
use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
|
||||||
@ -325,7 +325,7 @@ impl VirtioDevice for Watchdog {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_watchdog_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
|
@ -35,7 +35,7 @@ net_util = { path = "../net_util" }
|
|||||||
option_parser = { path = "../option_parser" }
|
option_parser = { path = "../option_parser" }
|
||||||
pci = { path = "../pci" }
|
pci = { path = "../pci" }
|
||||||
qcow = { path = "../qcow" }
|
qcow = { path = "../qcow" }
|
||||||
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
|
seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
|
||||||
serde = { version = "1.0.127", features = ["rc"] }
|
serde = { version = "1.0.127", features = ["rc"] }
|
||||||
serde_derive = "1.0.127"
|
serde_derive = "1.0.127"
|
||||||
serde_json = "1.0.66"
|
serde_json = "1.0.66"
|
||||||
|
@ -8,7 +8,7 @@ use crate::api::{ApiError, ApiRequest, VmAction};
|
|||||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::{Error, Result};
|
use crate::{Error, Result};
|
||||||
use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
|
use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use serde_json::Error as SerdeError;
|
use serde_json::Error as SerdeError;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
@ -276,7 +276,7 @@ fn start_http_thread(
|
|||||||
.name("http-server".to_string())
|
.name("http-server".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for API thread.
|
// Apply seccomp filter for API thread.
|
||||||
SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
||||||
|
|
||||||
server.start_server().unwrap();
|
server.start_server().unwrap();
|
||||||
loop {
|
loop {
|
||||||
|
@ -117,10 +117,10 @@ pub enum ApiError {
|
|||||||
VmRemoveDevice(VmError),
|
VmRemoveDevice(VmError),
|
||||||
|
|
||||||
/// Cannot create seccomp filter
|
/// Cannot create seccomp filter
|
||||||
CreateSeccompFilter(seccomp::SeccompError),
|
CreateSeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Cannot apply seccomp filter
|
/// Cannot apply seccomp filter
|
||||||
ApplySeccompFilter(seccomp::Error),
|
ApplySeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// The disk could not be added to the VM.
|
/// The disk could not be added to the VM.
|
||||||
VmAddDisk(VmError),
|
VmAddDisk(VmError),
|
||||||
|
@ -32,7 +32,7 @@ use hypervisor::kvm::kvm_bindings;
|
|||||||
use hypervisor::CpuId;
|
use hypervisor::CpuId;
|
||||||
use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit};
|
use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit};
|
||||||
use libc::{c_void, siginfo_t};
|
use libc::{c_void, siginfo_t};
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
#[cfg(feature = "acpi")]
|
#[cfg(feature = "acpi")]
|
||||||
use std::collections::BTreeMap;
|
use std::collections::BTreeMap;
|
||||||
use std::os::unix::thread::JoinHandleExt;
|
use std::os::unix::thread::JoinHandleExt;
|
||||||
@ -88,10 +88,10 @@ pub enum Error {
|
|||||||
DesiredVCpuCountExceedsMax,
|
DesiredVCpuCountExceedsMax,
|
||||||
|
|
||||||
/// Cannot create seccomp filter
|
/// Cannot create seccomp filter
|
||||||
CreateSeccompFilter(seccomp::SeccompError),
|
CreateSeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Cannot apply seccomp filter
|
/// Cannot apply seccomp filter
|
||||||
ApplySeccompFilter(seccomp::Error),
|
ApplySeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Error starting vCPU after restore
|
/// Error starting vCPU after restore
|
||||||
StartRestoreVcpu(anyhow::Error),
|
StartRestoreVcpu(anyhow::Error),
|
||||||
@ -725,7 +725,7 @@ impl CpuManager {
|
|||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for vcpu thread.
|
// Apply seccomp filter for vcpu thread.
|
||||||
if let Err(e) =
|
if let Err(e) =
|
||||||
SeccompFilter::apply(vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
|
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
return;
|
return;
|
||||||
|
@ -66,7 +66,7 @@ use pci::{
|
|||||||
DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot,
|
DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot,
|
||||||
VfioUserPciDevice, VfioUserPciDeviceError,
|
VfioUserPciDevice, VfioUserPciDeviceError,
|
||||||
};
|
};
|
||||||
use seccomp::SeccompAction;
|
use seccompiler::SeccompAction;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
use std::fs::{read_link, File, OpenOptions};
|
use std::fs::{read_link, File, OpenOptions};
|
||||||
|
@ -28,7 +28,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
|||||||
use crate::vm::{Error as VmError, Vm, VmState};
|
use crate::vm::{Error as VmError, Vm, VmState};
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use serde::ser::{Serialize, SerializeStruct, Serializer};
|
use serde::ser::{Serialize, SerializeStruct, Serializer};
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io;
|
use std::io;
|
||||||
@ -121,11 +121,11 @@ pub enum Error {
|
|||||||
|
|
||||||
/// Cannot create seccomp filter
|
/// Cannot create seccomp filter
|
||||||
#[error("Error creating seccomp filter: {0}")]
|
#[error("Error creating seccomp filter: {0}")]
|
||||||
CreateSeccompFilter(seccomp::SeccompError),
|
CreateSeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Cannot apply seccomp filter
|
/// Cannot apply seccomp filter
|
||||||
#[error("Error applying seccomp filter: {0}")]
|
#[error("Error applying seccomp filter: {0}")]
|
||||||
ApplySeccompFilter(seccomp::Error),
|
ApplySeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Error activating virtio devices
|
/// Error activating virtio devices
|
||||||
#[error("Error activating virtio devices: {0:?}")]
|
#[error("Error activating virtio devices: {0:?}")]
|
||||||
@ -263,7 +263,7 @@ pub fn start_vmm_thread(
|
|||||||
.name("vmm".to_string())
|
.name("vmm".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for VMM thread.
|
// Apply seccomp filter for VMM thread.
|
||||||
SeccompFilter::apply(vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
||||||
|
|
||||||
let mut vmm = Vmm::new(
|
let mut vmm = Vmm::new(
|
||||||
vmm_version.to_string(),
|
vmm_version.to_string(),
|
||||||
|
@ -4,10 +4,9 @@
|
|||||||
//
|
//
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
use seccomp::{
|
use seccompiler::{
|
||||||
allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
|
BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
|
||||||
SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
|
SeccompCondition as Cond, SeccompFilter, SeccompRule,
|
||||||
SyscallRuleSet,
|
|
||||||
};
|
};
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
|
|
||||||
@ -21,12 +20,11 @@ pub enum Thread {
|
|||||||
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
|
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
|
||||||
/// The rule will take the `Allow` action if _all_ the conditions are true.
|
/// The rule will take the `Allow` action if _all_ the conditions are true.
|
||||||
///
|
///
|
||||||
/// [`Allow`]: enum.SeccompAction.html
|
|
||||||
/// [`SeccompCondition`]: struct.SeccompCondition.html
|
/// [`SeccompCondition`]: struct.SeccompCondition.html
|
||||||
/// [`SeccompRule`]: struct.SeccompRule.html
|
/// [`SeccompRule`]: struct.SeccompRule.html
|
||||||
macro_rules! and {
|
macro_rules! and {
|
||||||
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow));
|
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
|
||||||
($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow))
|
($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
|
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
|
||||||
@ -149,66 +147,66 @@ mod mshv {
|
|||||||
use mshv::*;
|
use mshv::*;
|
||||||
|
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![
|
Ok(or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_API_VERSION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_API_VERSION,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VM)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VM)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VP)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VP)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_STATE)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_STATE)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_STATE)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_STATE)?],
|
||||||
and![Cond::new(
|
and![Cond::new(
|
||||||
1,
|
1,
|
||||||
ArgLen::DWORD,
|
ArgLen::Dword,
|
||||||
Eq,
|
Eq,
|
||||||
MSHV_SET_PARTITION_PROPERTY
|
MSHV_SET_PARTITION_PROPERTY
|
||||||
)?],
|
)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_GPA_ACCESS_STATES)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_GPA_ACCESS_STATES)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(feature = "kvm")]
|
#[cfg(feature = "kvm")]
|
||||||
fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![
|
Ok(or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_DEVICE,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_DEVICE,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_IRQCHIP,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_IRQCHIP,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VCPU)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VCPU)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VM)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VM)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ENABLE_CAP)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_ENABLE_CAP)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_API_VERSION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_API_VERSION,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DEVICE_ATTR,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DEVICE_ATTR,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DIRTY_LOG)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DIRTY_LOG)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MP_STATE)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MP_STATE)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_ONE_REG)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_ONE_REG)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REG_LIST)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REG_LIST)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SUPPORTED_CPUID,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SUPPORTED_CPUID,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_EVENTS,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_EVENTS,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_MMAP_SIZE,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_MMAP_SIZE,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_MEMORY_ENCRYPT_OP)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_MEMORY_ENCRYPT_OP)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MP_STATE)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MP_STATE)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_ONE_REG)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_ONE_REG)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_REGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_REGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_VCPU_EVENTS,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_VCPU_EVENTS,)?],
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
#[cfg(feature = "kvm")]
|
#[cfg(feature = "kvm")]
|
||||||
let rules = create_vmm_ioctl_seccomp_rule_common_kvm();
|
let rules = create_vmm_ioctl_seccomp_rule_common_kvm();
|
||||||
|
|
||||||
@ -218,46 +216,46 @@ fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error>
|
|||||||
rules
|
rules
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
let mut common_rules = or![
|
let mut common_rules = or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, FIOCLEX)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, FIOCLEX)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFFLAGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFFLAGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFHWADDR)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFHWADDR)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFADDR)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFADDR)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFFLAGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFFLAGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFHWADDR)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFHWADDR)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFNETMASK)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFNETMASK)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCSPTLCK)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TIOCSPTLCK)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGTPEER)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TIOCGTPEER)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETFEATURES)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TUNGETFEATURES)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETIFF)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TUNGETIFF)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETIFF)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TUNSETIFF)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETVNETHDRSZ)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TUNSETVNETHDRSZ)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GET_API_VERSION)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GET_API_VERSION)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_CHECK_EXTENSION)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_CHECK_EXTENSION)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_SET_IOMMU)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_SET_IOMMU)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_STATUS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_STATUS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_SET_CONTAINER)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_SET_CONTAINER)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_DEVICE_FD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_DEVICE_FD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_INFO)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_INFO)?],
|
||||||
and![Cond::new(
|
and![Cond::new(
|
||||||
1,
|
1,
|
||||||
ArgLen::DWORD,
|
ArgLen::Dword,
|
||||||
Eq,
|
Eq,
|
||||||
VFIO_DEVICE_GET_REGION_INFO
|
VFIO_DEVICE_GET_REGION_INFO
|
||||||
)?],
|
)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_IRQ_INFO)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_IRQ_INFO)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_RESET)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_RESET)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_IOEVENTFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_IOEVENTFD)?],
|
||||||
];
|
];
|
||||||
|
|
||||||
let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?;
|
let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?;
|
||||||
@ -268,7 +266,7 @@ fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(all(target_arch = "x86_64", feature = "kvm"))]
|
#[cfg(all(target_arch = "x86_64", feature = "kvm"))]
|
||||||
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
const KVM_CREATE_PIT2: u64 = 0x4040_ae77;
|
const KVM_CREATE_PIT2: u64 = 0x4040_ae77;
|
||||||
const KVM_GET_CLOCK: u64 = 0x8030_ae7c;
|
const KVM_GET_CLOCK: u64 = 0x8030_ae7c;
|
||||||
const KVM_GET_CPUID2: u64 = 0xc008_ae91;
|
const KVM_GET_CPUID2: u64 = 0xc008_ae91;
|
||||||
@ -292,26 +290,26 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
|
|
||||||
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
||||||
let mut arch_rules = or![
|
let mut arch_rules = or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_PIT2)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_PIT2)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CLOCK,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CLOCK,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CPUID2,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CPUID2,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_FPU)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_FPU)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_LAPIC)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_LAPIC)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSR_INDEX_LIST)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSR_INDEX_LIST)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSRS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSRS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SREGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SREGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XCRS,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XCRS,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XSAVE,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XSAVE,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_KVMCLOCK_CTRL)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_KVMCLOCK_CTRL)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CLOCK)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CLOCK)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CPUID2)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CPUID2)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_FPU)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_FPU)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_LAPIC)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_LAPIC)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_SREGS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_SREGS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_TSS_ADDR,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_TSS_ADDR,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MSRS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MSRS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XCRS,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XCRS,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XSAVE,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XSAVE,)?],
|
||||||
];
|
];
|
||||||
arch_rules.extend(common_rules);
|
arch_rules.extend(common_rules);
|
||||||
|
|
||||||
@ -319,14 +317,14 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(all(target_arch = "aarch64", feature = "kvm"))]
|
#[cfg(all(target_arch = "aarch64", feature = "kvm"))]
|
||||||
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf;
|
const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf;
|
||||||
const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae;
|
const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae;
|
||||||
|
|
||||||
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
||||||
let mut arch_rules = or![
|
let mut arch_rules = or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_PREFERRED_TARGET,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_PREFERRED_TARGET,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_VCPU_INIT,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_VCPU_INIT,)?],
|
||||||
];
|
];
|
||||||
arch_rules.extend(common_rules);
|
arch_rules.extend(common_rules);
|
||||||
|
|
||||||
@ -334,11 +332,11 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(all(target_arch = "x86_64", feature = "mshv"))]
|
#[cfg(all(target_arch = "x86_64", feature = "mshv"))]
|
||||||
fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
create_vmm_ioctl_seccomp_rule_common()
|
create_vmm_ioctl_seccomp_rule_common()
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
#[cfg(feature = "kvm")]
|
#[cfg(feature = "kvm")]
|
||||||
let rules = create_vmm_ioctl_seccomp_rule_kvm();
|
let rules = create_vmm_ioctl_seccomp_rule_kvm();
|
||||||
|
|
||||||
@ -348,182 +346,182 @@ fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
rules
|
rules
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],])
|
Ok(or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?]])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![
|
Ok(or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn signal_handler_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_exit_group),
|
(libc::SYS_exit_group, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
|
(libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_recvfrom),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_sendto),
|
(libc::SYS_sendto, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
// The filter containing the white listed syscall rules required by the VMM to
|
// The filter containing the white listed syscall rules required by the VMM to
|
||||||
// function.
|
// function.
|
||||||
fn vmm_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn vmm_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_accept4),
|
(libc::SYS_accept4, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_access),
|
(libc::SYS_access, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_arch_prctl),
|
(libc::SYS_arch_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_bind),
|
(libc::SYS_bind, vec![]),
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_clock_nanosleep),
|
(libc::SYS_clock_nanosleep, vec![]),
|
||||||
allow_syscall(libc::SYS_clone),
|
(libc::SYS_clone, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_connect),
|
(libc::SYS_connect, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_eventfd2),
|
(libc::SYS_eventfd2, vec![]),
|
||||||
allow_syscall(libc::SYS_execve),
|
(libc::SYS_execve, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_exit_group),
|
(libc::SYS_exit_group, vec![]),
|
||||||
allow_syscall(libc::SYS_fallocate),
|
(libc::SYS_fallocate, vec![]),
|
||||||
allow_syscall(libc::SYS_fcntl),
|
(libc::SYS_fcntl, vec![]),
|
||||||
allow_syscall(libc::SYS_fdatasync),
|
(libc::SYS_fdatasync, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_fork),
|
(libc::SYS_fork, vec![]),
|
||||||
allow_syscall(libc::SYS_fstat),
|
(libc::SYS_fstat, vec![]),
|
||||||
allow_syscall(libc::SYS_fsync),
|
(libc::SYS_fsync, vec![]),
|
||||||
allow_syscall(SYS_FTRUNCATE),
|
(SYS_FTRUNCATE, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
allow_syscall(libc::SYS_faccessat),
|
(libc::SYS_faccessat, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
allow_syscall(libc::SYS_newfstatat),
|
(libc::SYS_newfstatat, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_getpid),
|
(libc::SYS_getpid, vec![]),
|
||||||
allow_syscall(libc::SYS_getrandom),
|
(libc::SYS_getrandom, vec![]),
|
||||||
allow_syscall(libc::SYS_gettid),
|
(libc::SYS_gettid, vec![]),
|
||||||
allow_syscall(libc::SYS_gettimeofday),
|
(libc::SYS_gettimeofday, vec![]),
|
||||||
allow_syscall(libc::SYS_getuid),
|
(libc::SYS_getuid, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
|
(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
|
||||||
allow_syscall(SYS_IO_URING_ENTER),
|
(SYS_IO_URING_ENTER, vec![]),
|
||||||
allow_syscall(SYS_IO_URING_SETUP),
|
(SYS_IO_URING_SETUP, vec![]),
|
||||||
allow_syscall(SYS_IO_URING_REGISTER),
|
(SYS_IO_URING_REGISTER, vec![]),
|
||||||
allow_syscall(libc::SYS_kill),
|
(libc::SYS_kill, vec![]),
|
||||||
allow_syscall(libc::SYS_listen),
|
(libc::SYS_listen, vec![]),
|
||||||
allow_syscall(libc::SYS_lseek),
|
(libc::SYS_lseek, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mbind),
|
(libc::SYS_mbind, vec![]),
|
||||||
allow_syscall(libc::SYS_memfd_create),
|
(libc::SYS_memfd_create, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_mremap),
|
(libc::SYS_mremap, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_nanosleep),
|
(libc::SYS_nanosleep, vec![]),
|
||||||
allow_syscall(libc::SYS_newfstatat),
|
(libc::SYS_newfstatat, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_open),
|
(libc::SYS_open, vec![]),
|
||||||
allow_syscall(libc::SYS_openat),
|
(libc::SYS_openat, vec![]),
|
||||||
allow_syscall(libc::SYS_pipe2),
|
(libc::SYS_pipe2, vec![]),
|
||||||
allow_syscall(libc::SYS_prctl),
|
(libc::SYS_prctl, vec![]),
|
||||||
allow_syscall(libc::SYS_pread64),
|
(libc::SYS_pread64, vec![]),
|
||||||
allow_syscall(libc::SYS_preadv),
|
(libc::SYS_preadv, vec![]),
|
||||||
allow_syscall(libc::SYS_prlimit64),
|
(libc::SYS_prlimit64, vec![]),
|
||||||
allow_syscall(libc::SYS_pwrite64),
|
(libc::SYS_pwrite64, vec![]),
|
||||||
allow_syscall(libc::SYS_pwritev),
|
(libc::SYS_pwritev, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_readv),
|
(libc::SYS_readv, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_readlink),
|
(libc::SYS_readlink, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
allow_syscall(libc::SYS_readlinkat),
|
(libc::SYS_readlinkat, vec![]),
|
||||||
allow_syscall(libc::SYS_recvfrom),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
allow_syscall(libc::SYS_recvmsg),
|
(libc::SYS_recvmsg, vec![]),
|
||||||
allow_syscall(libc::SYS_restart_syscall),
|
(libc::SYS_restart_syscall, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigaction),
|
(libc::SYS_rt_sigaction, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigreturn),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
allow_syscall(libc::SYS_sched_getaffinity),
|
(libc::SYS_sched_getaffinity, vec![]),
|
||||||
allow_syscall(libc::SYS_sendmsg),
|
(libc::SYS_sendmsg, vec![]),
|
||||||
allow_syscall(libc::SYS_sendto),
|
(libc::SYS_sendto, vec![]),
|
||||||
allow_syscall(libc::SYS_set_robust_list),
|
(libc::SYS_set_robust_list, vec![]),
|
||||||
allow_syscall(libc::SYS_set_tid_address),
|
(libc::SYS_set_tid_address, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall_if(
|
(
|
||||||
libc::SYS_socket,
|
libc::SYS_socket,
|
||||||
or![
|
or![
|
||||||
and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_UNIX as u64)?],
|
and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_UNIX as u64)?],
|
||||||
and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_INET as u64)?],
|
and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_INET as u64)?],
|
||||||
],
|
],
|
||||||
),
|
),
|
||||||
allow_syscall(libc::SYS_socketpair),
|
(libc::SYS_socketpair, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_stat),
|
(libc::SYS_stat, vec![]),
|
||||||
allow_syscall(libc::SYS_statx),
|
(libc::SYS_statx, vec![]),
|
||||||
allow_syscall(libc::SYS_tgkill),
|
(libc::SYS_tgkill, vec![]),
|
||||||
allow_syscall(libc::SYS_timerfd_create),
|
(libc::SYS_timerfd_create, vec![]),
|
||||||
allow_syscall(libc::SYS_timerfd_settime),
|
(libc::SYS_timerfd_settime, vec![]),
|
||||||
allow_syscall(libc::SYS_tkill),
|
(libc::SYS_tkill, vec![]),
|
||||||
allow_syscall_if(
|
(
|
||||||
libc::SYS_umask,
|
libc::SYS_umask,
|
||||||
or![and![Cond::new(0, ArgLen::DWORD, Eq, 0o077)?]],
|
or![and![Cond::new(0, ArgLen::Dword, Eq, 0o077)?]],
|
||||||
),
|
),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_unlink),
|
(libc::SYS_unlink, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
allow_syscall(libc::SYS_unlinkat),
|
(libc::SYS_unlinkat, vec![]),
|
||||||
allow_syscall(libc::SYS_wait4),
|
(libc::SYS_wait4, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
allow_syscall(libc::SYS_writev),
|
(libc::SYS_writev, vec![]),
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(feature = "kvm")]
|
#[cfg(feature = "kvm")]
|
||||||
fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![
|
Ok(or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN,)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN,)?],
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(feature = "mshv")]
|
#[cfg(feature = "mshv")]
|
||||||
fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
Ok(or![
|
Ok(or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
#[cfg(feature = "kvm")]
|
#[cfg(feature = "kvm")]
|
||||||
let rules = create_vcpu_ioctl_seccomp_rule_kvm();
|
let rules = create_vcpu_ioctl_seccomp_rule_kvm();
|
||||||
|
|
||||||
@ -533,11 +531,11 @@ fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error
|
|||||||
rules
|
rules
|
||||||
}
|
}
|
||||||
|
|
||||||
fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||||
let mut rules = or![
|
let mut rules = or![
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
|
||||||
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?],
|
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
|
||||||
];
|
];
|
||||||
|
|
||||||
let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?;
|
let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?;
|
||||||
@ -547,79 +545,79 @@ fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
|
|||||||
Ok(rules)
|
Ok(rules)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn vcpu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn vcpu_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
allow_syscall(libc::SYS_clock_gettime),
|
(libc::SYS_clock_gettime, vec![]),
|
||||||
allow_syscall(libc::SYS_clock_nanosleep),
|
(libc::SYS_clock_nanosleep, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_fstat),
|
(libc::SYS_fstat, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_getrandom),
|
(libc::SYS_getrandom, vec![]),
|
||||||
allow_syscall(libc::SYS_getpid),
|
(libc::SYS_getpid, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
|
(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
|
||||||
allow_syscall(libc::SYS_lseek),
|
(libc::SYS_lseek, vec![]),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mmap),
|
(libc::SYS_mmap, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_nanosleep),
|
(libc::SYS_nanosleep, vec![]),
|
||||||
allow_syscall(libc::SYS_newfstatat),
|
(libc::SYS_newfstatat, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_open),
|
(libc::SYS_open, vec![]),
|
||||||
allow_syscall(libc::SYS_openat),
|
(libc::SYS_openat, vec![]),
|
||||||
allow_syscall(libc::SYS_pread64),
|
(libc::SYS_pread64, vec![]),
|
||||||
allow_syscall(libc::SYS_pwrite64),
|
(libc::SYS_pwrite64, vec![]),
|
||||||
allow_syscall(libc::SYS_read),
|
(libc::SYS_read, vec![]),
|
||||||
allow_syscall(libc::SYS_recvfrom),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
allow_syscall(libc::SYS_recvmsg),
|
(libc::SYS_recvmsg, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigaction),
|
(libc::SYS_rt_sigaction, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
(libc::SYS_rt_sigprocmask, vec![]),
|
||||||
allow_syscall(libc::SYS_rt_sigreturn),
|
(libc::SYS_rt_sigreturn, vec![]),
|
||||||
allow_syscall(libc::SYS_sendmsg),
|
(libc::SYS_sendmsg, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_tgkill),
|
(libc::SYS_tgkill, vec![]),
|
||||||
allow_syscall(libc::SYS_tkill),
|
(libc::SYS_tkill, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_unlink),
|
(libc::SYS_unlink, vec![]),
|
||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
allow_syscall(libc::SYS_unlinkat),
|
(libc::SYS_unlinkat, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
allow_syscall(libc::SYS_writev),
|
(libc::SYS_writev, vec![]),
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
// The filter containing the white listed syscall rules required by the API to
|
// The filter containing the white listed syscall rules required by the API to
|
||||||
// function.
|
// function.
|
||||||
fn api_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_accept4),
|
(libc::SYS_accept4, vec![]),
|
||||||
allow_syscall(libc::SYS_brk),
|
(libc::SYS_brk, vec![]),
|
||||||
allow_syscall(libc::SYS_close),
|
(libc::SYS_close, vec![]),
|
||||||
allow_syscall(libc::SYS_dup),
|
(libc::SYS_dup, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
(libc::SYS_epoll_create1, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
(libc::SYS_epoll_ctl, vec![]),
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
(libc::SYS_epoll_pwait, vec![]),
|
||||||
#[cfg(target_arch = "x86_64")]
|
#[cfg(target_arch = "x86_64")]
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
allow_syscall(libc::SYS_exit),
|
(libc::SYS_exit, vec![]),
|
||||||
allow_syscall(libc::SYS_fcntl),
|
(libc::SYS_fcntl, vec![]),
|
||||||
allow_syscall(libc::SYS_futex),
|
(libc::SYS_futex, vec![]),
|
||||||
allow_syscall(libc::SYS_getrandom),
|
(libc::SYS_getrandom, vec![]),
|
||||||
allow_syscall_if(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
|
(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
|
||||||
allow_syscall(libc::SYS_madvise),
|
(libc::SYS_madvise, vec![]),
|
||||||
allow_syscall(libc::SYS_mprotect),
|
(libc::SYS_mprotect, vec![]),
|
||||||
allow_syscall(libc::SYS_munmap),
|
(libc::SYS_munmap, vec![]),
|
||||||
allow_syscall(libc::SYS_recvfrom),
|
(libc::SYS_recvfrom, vec![]),
|
||||||
allow_syscall(libc::SYS_recvmsg),
|
(libc::SYS_recvmsg, vec![]),
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
(libc::SYS_sigaltstack, vec![]),
|
||||||
allow_syscall(libc::SYS_write),
|
(libc::SYS_write, vec![]),
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::Api => api_thread_rules()?,
|
Thread::Api => api_thread_rules()?,
|
||||||
Thread::SignalHandler => signal_handler_thread_rules()?,
|
Thread::SignalHandler => signal_handler_thread_rules()?,
|
||||||
@ -627,10 +625,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::Vmm => vmm_thread_rules()?,
|
Thread::Vmm => vmm_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap)
|
SeccompFilter::new(
|
||||||
|
rules.into_iter().collect(),
|
||||||
|
SeccompAction::Trap,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::Api => api_thread_rules()?,
|
Thread::Api => api_thread_rules()?,
|
||||||
Thread::SignalHandler => signal_handler_thread_rules()?,
|
Thread::SignalHandler => signal_handler_thread_rules()?,
|
||||||
@ -638,21 +641,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::Vmm => vmm_thread_rules()?,
|
Thread::Vmm => vmm_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log)
|
SeccompFilter::new(
|
||||||
|
rules.into_iter().collect(),
|
||||||
|
SeccompAction::Log,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generate a BPF program based on the seccomp_action value
|
/// Generate a BPF program based on the seccomp_action value
|
||||||
pub fn get_seccomp_filter(
|
pub fn get_seccomp_filter(
|
||||||
seccomp_action: &SeccompAction,
|
seccomp_action: &SeccompAction,
|
||||||
thread_type: Thread,
|
thread_type: Thread,
|
||||||
) -> Result<BpfProgram, SeccompError> {
|
) -> Result<BpfProgram, Error> {
|
||||||
match seccomp_action {
|
match seccomp_action {
|
||||||
SeccompAction::Allow => Ok(vec![]),
|
SeccompAction::Allow => Ok(vec![]),
|
||||||
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(SeccompError::SeccompFilter),
|
.map_err(Error::Backend),
|
||||||
_ => get_seccomp_filter_trap(thread_type)
|
_ => get_seccomp_filter_trap(thread_type)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(SeccompError::SeccompFilter),
|
.map_err(Error::Backend),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -44,7 +44,7 @@ use linux_loader::loader::elf::PvhBootCapability::PvhEntryPresent;
|
|||||||
#[cfg(target_arch = "aarch64")]
|
#[cfg(target_arch = "aarch64")]
|
||||||
use linux_loader::loader::pe::Error::InvalidImageMagicNumber;
|
use linux_loader::loader::pe::Error::InvalidImageMagicNumber;
|
||||||
use linux_loader::loader::KernelLoader;
|
use linux_loader::loader::KernelLoader;
|
||||||
use seccomp::{SeccompAction, SeccompFilter};
|
use seccompiler::{apply_filter, SeccompAction};
|
||||||
use signal_hook::{
|
use signal_hook::{
|
||||||
consts::{SIGINT, SIGTERM, SIGWINCH},
|
consts::{SIGINT, SIGTERM, SIGWINCH},
|
||||||
iterator::backend::Handle,
|
iterator::backend::Handle,
|
||||||
@ -216,10 +216,10 @@ pub enum Error {
|
|||||||
InvalidNumaConfig,
|
InvalidNumaConfig,
|
||||||
|
|
||||||
/// Cannot create seccomp filter
|
/// Cannot create seccomp filter
|
||||||
CreateSeccompFilter(seccomp::SeccompError),
|
CreateSeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Cannot apply seccomp filter
|
/// Cannot apply seccomp filter
|
||||||
ApplySeccompFilter(seccomp::Error),
|
ApplySeccompFilter(seccompiler::Error),
|
||||||
|
|
||||||
/// Failed resizing a memory zone.
|
/// Failed resizing a memory zone.
|
||||||
ResizeZone,
|
ResizeZone,
|
||||||
@ -1880,7 +1880,7 @@ impl Vm {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("signal_handler".to_string())
|
.name("signal_handler".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter)
|
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
||||||
.map_err(Error::ApplySeccompFilter)
|
.map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
@ -2442,7 +2442,7 @@ impl Snapshottable for Vm {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("signal_handler".to_string())
|
.name("signal_handler".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter)
|
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
||||||
.map_err(Error::ApplySeccompFilter)
|
.map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
|
Loading…
Reference in New Issue
Block a user