External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-07-02 16:02:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices, vmm: Move to the seccompiler crate

Browse Source 
Fixes: #2929

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2021-08-16 20:40:11 -07:00 committed by Sebastien Boeuf
parent c7f75f9d59
commit 08ac3405f5
27 changed files with 693 additions and 677 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Cargo.lock generated
View File

@ -204,7 +204,7 @@ dependencies = [
"log", "log",
"net_util", "net_util",
"option_parser", "option_parser",
"seccomp", "seccompiler",
"serde_json", "serde_json",
"signal-hook", "signal-hook",
"test_infra", "test_infra",
@ -873,9 +873,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]] [[package]]
name = "seccomp" name = "seccompiler"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/firecracker-microvm/firecracker?tag=v0.24.5#cd36c699f3cb3d531289aadee26c45c1306edcfc" source = "git+https://github.com/rust-vmm/seccompiler#da5788d52f1ae8886d8ed4624199b7e9fa64ac04"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@ -1223,7 +1223,7 @@ dependencies = [
"net_util", "net_util",
"pci", "pci",
"rate_limiter", "rate_limiter",
"seccomp", "seccompiler",
"serde", "serde",
"serde_derive", "serde_derive",
"serde_json", "serde_json",
@ -1337,7 +1337,7 @@ dependencies = [
"option_parser", "option_parser",
"pci", "pci",
"qcow", "qcow",
"seccomp", "seccompiler",
"serde", "serde",
"serde_derive", "serde_derive",
"serde_json", "serde_json",

2
Cargo.toml
View File

@ -22,7 +22,7 @@ hypervisor = { path = "hypervisor" }
libc = "0.2.99" libc = "0.2.99"
log = { version = "0.4.14", features = ["std"] } log = { version = "0.4.14", features = ["std"] }
option_parser = { path = "option_parser" } option_parser = { path = "option_parser" }
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
serde_json = "1.0.66" serde_json = "1.0.66"
signal-hook = "0.3.9" signal-hook = "0.3.9"
thiserror = "1.0.26" thiserror = "1.0.26"

2
src/main.rs
View File

@ -12,7 +12,7 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use log::LevelFilter; use log::LevelFilter;
use option_parser::OptionParser; use option_parser::OptionParser;
use seccomp::SeccompAction; use seccompiler::SeccompAction;
use signal_hook::{ use signal_hook::{
consts::SIGSYS, consts::SIGSYS,
iterator::{exfiltrator::WithRawSiginfo, SignalsInfo}, iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},

2
virtio-devices/Cargo.toml
View File

@ -23,7 +23,7 @@ net_gen = { path = "../net_gen" }
net_util = { path = "../net_util" } net_util = { path = "../net_util" }
pci = { path = "../pci" } pci = { path = "../pci" }
rate_limiter = { path = "../rate_limiter" } rate_limiter = { path = "../rate_limiter" }
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
serde = "1.0.127" serde = "1.0.127"
serde_derive = "1.0.127" serde_derive = "1.0.127"
serde_json = "1.0.66" serde_json = "1.0.66"

4
virtio-devices/src/balloon.rs
View File

@ -20,7 +20,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::GuestMemoryMmap; use crate::GuestMemoryMmap;
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::io; use std::io;
use std::mem::size_of; use std::mem::size_of;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
@ -466,7 +466,7 @@ impl VirtioDevice for Balloon {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_balloon_seccomp_filter) { if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/block.rs
View File

@ -22,7 +22,7 @@ use block_util::{
RequestType, VirtioBlockConfig, RequestType, VirtioBlockConfig,
}; };
use rate_limiter::{RateLimiter, TokenType}; use rate_limiter::{RateLimiter, TokenType};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::io; use std::io;
use std::num::Wrapping; use std::num::Wrapping;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
@ -596,7 +596,7 @@ impl VirtioDevice for Block {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_q{}", self.id.clone(), i)) .name(format!("{}_q{}", self.id.clone(), i))
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_block_seccomp_filter) { if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/console.rs
View File

@ -11,7 +11,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::GuestMemoryMmap; use crate::GuestMemoryMmap;
use crate::VirtioInterrupt; use crate::VirtioInterrupt;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::cmp; use std::cmp;
use std::collections::VecDeque; use std::collections::VecDeque;
use std::io; use std::io;
@ -429,7 +429,7 @@ impl VirtioDevice for Console {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_console_seccomp_filter) { if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/iommu.rs
View File

@ -11,7 +11,7 @@ use super::{
use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::GuestMemoryMmap; use crate::GuestMemoryMmap;
use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType}; use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::collections::BTreeMap; use std::collections::BTreeMap;
use std::fmt::{self, Display}; use std::fmt::{self, Display};
use std::io; use std::io;
@ -850,7 +850,7 @@ impl VirtioDevice for Iommu {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_iommu_seccomp_filter) { if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/lib.rs
View File

@ -92,7 +92,7 @@ pub enum ActivateError {
/// Failed to reset vhost-user daemon. /// Failed to reset vhost-user daemon.
VhostUserReset(vhost_user::Error), VhostUserReset(vhost_user::Error),
/// Cannot create seccomp filter /// Cannot create seccomp filter
CreateSeccompFilter(seccomp::SeccompError), CreateSeccompFilter(seccompiler::Error),
/// Cannot create rate limiter /// Cannot create rate limiter
CreateRateLimiter(std::io::Error), CreateRateLimiter(std::io::Error),
} }
@ -109,7 +109,7 @@ pub enum Error {
VhostUserAddMemoryRegion(vhost_user::Error), VhostUserAddMemoryRegion(vhost_user::Error),
SetShmRegionsNotSupported, SetShmRegionsNotSupported,
NetQueuePair(::net_util::NetQueuePairError), NetQueuePair(::net_util::NetQueuePairError),
ApplySeccompFilter(seccomp::Error), ApplySeccompFilter(seccompiler::Error),
} }
#[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)] #[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)]

4
virtio-devices/src/mem.rs
View File

@ -23,7 +23,7 @@ use crate::{GuestMemoryMmap, GuestRegionMmap};
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use anyhow::anyhow; use anyhow::anyhow;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::collections::BTreeMap; use std::collections::BTreeMap;
use std::io; use std::io;
use std::mem::size_of; use std::mem::size_of;
@ -961,7 +961,7 @@ impl VirtioDevice for Mem {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_mem_seccomp_filter) { if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

6
virtio-devices/src/net.rs
View File

@ -20,7 +20,7 @@ use net_util::{
virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio,
Tap, TapError, TxVirtio, VirtioNetConfig, Tap, TapError, TxVirtio, VirtioNetConfig,
}; };
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::net::Ipv4Addr; use std::net::Ipv4Addr;
use std::num::Wrapping; use std::num::Wrapping;
use std::os::unix::io::{AsRawFd, RawFd}; use std::os::unix::io::{AsRawFd, RawFd};
@ -576,7 +576,7 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_ctrl", self.id)) .name(format!("{}_ctrl", self.id))
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) { if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
@ -659,7 +659,7 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_qp{}", self.id.clone(), i)) .name(format!("{}_qp{}", self.id.clone(), i))
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) { if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/pmem.rs
View File

@ -15,7 +15,7 @@ use super::{
use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::{GuestMemoryMmap, MmapRegion}; use crate::{GuestMemoryMmap, MmapRegion};
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::fmt::{self, Display}; use std::fmt::{self, Display};
use std::fs::File; use std::fs::File;
use std::io; use std::io;
@ -397,7 +397,7 @@ impl VirtioDevice for Pmem {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_pmem_seccomp_filter) { if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/rng.rs
View File

@ -11,7 +11,7 @@ use super::{
use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::GuestMemoryMmap; use crate::GuestMemoryMmap;
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::fs::File; use std::fs::File;
use std::io; use std::io;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
@ -243,7 +243,7 @@ impl VirtioDevice for Rng {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_rng_seccomp_filter) { if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

624
virtio-devices/src/seccomp_filters.rs
View File

@ -4,10 +4,9 @@
// //
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
use seccomp::{ use seccompiler::{
allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule, SeccompCondition as Cond, SeccompFilter, SeccompRule,
SyscallRuleSet,
}; };
use std::convert::TryInto; use std::convert::TryInto;
@ -30,12 +29,11 @@ pub enum Thread {
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`. /// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
/// The rule will take the `Allow` action if _all_ the conditions are true. /// The rule will take the `Allow` action if _all_ the conditions are true.
/// ///
/// [`Allow`]: enum.SeccompAction.html
/// [`SeccompCondition`]: struct.SeccompCondition.html /// [`SeccompCondition`]: struct.SeccompCondition.html
/// [`SeccompRule`]: struct.SeccompRule.html /// [`SeccompRule`]: struct.SeccompRule.html
macro_rules! and { macro_rules! and {
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)); ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)) ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
} }
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`. /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
@ -62,388 +60,388 @@ const TUNSETOFFLOAD: u64 = 0x4004_54d0;
fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> { fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![ or![
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
] ]
} }
fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> { fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![ or![
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
] ]
} }
fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_balloon_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_fallocate), (libc::SYS_fallocate, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_fallocate), (libc::SYS_fallocate, vec![]),
allow_syscall(libc::SYS_fdatasync), (libc::SYS_fdatasync, vec![]),
allow_syscall(libc::SYS_fsync), (libc::SYS_fsync, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_ftruncate), (libc::SYS_ftruncate, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
// The definition of libc::SYS_ftruncate is missing on AArch64. // The definition of libc::SYS_ftruncate is missing on AArch64.
// Use a hard-code number instead. // Use a hard-code number instead.
allow_syscall(46), (46, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(SYS_IO_URING_ENTER), (SYS_IO_URING_ENTER, vec![]),
allow_syscall(libc::SYS_lseek), (libc::SYS_lseek, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_openat), (libc::SYS_openat, vec![]),
allow_syscall(libc::SYS_prctl), (libc::SYS_prctl, vec![]),
allow_syscall(libc::SYS_pread64), (libc::SYS_pread64, vec![]),
allow_syscall(libc::SYS_preadv), (libc::SYS_preadv, vec![]),
allow_syscall(libc::SYS_pwritev), (libc::SYS_pwritev, vec![]),
allow_syscall(libc::SYS_pwrite64), (libc::SYS_pwrite64, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sched_getaffinity), (libc::SYS_sched_getaffinity, vec![]),
allow_syscall(libc::SYS_set_robust_list), (libc::SYS_set_robust_list, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_timerfd_settime), (libc::SYS_timerfd_settime, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_console_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_prctl), (libc::SYS_prctl, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sched_getaffinity), (libc::SYS_sched_getaffinity, vec![]),
allow_syscall(libc::SYS_set_robust_list), (libc::SYS_set_robust_list, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_iommu_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()), (libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_mem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_fallocate), (libc::SYS_fallocate, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()), (libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_openat), (libc::SYS_openat, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_readv), (libc::SYS_readv, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_timerfd_settime), (libc::SYS_timerfd_settime, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
allow_syscall(libc::SYS_writev), (libc::SYS_writev, vec![]),
] ]
} }
fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> { fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Vec<SeccompRule> {
Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],]) or![and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],]
} }
fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
Ok(vec![
allow_syscall(libc::SYS_brk),
#[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex),
allow_syscall_if(libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()?),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_rt_sigprocmask),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
])
}
fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_fsync), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_pmem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_fsync, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_prctl), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_write, vec![]),
allow_syscall(libc::SYS_sched_getaffinity),
allow_syscall(libc::SYS_set_robust_list),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
] ]
} }
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_rng_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_connect), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_pwait, vec![]),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_nanosleep), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_prctl, vec![]),
allow_syscall(libc::SYS_recvmsg), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sendmsg), (libc::SYS_sched_getaffinity, vec![]),
allow_syscall(libc::SYS_sendto), (libc::SYS_set_robust_list, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_socket), (libc::SYS_write, vec![]),
allow_syscall(libc::SYS_write),
] ]
} }
fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_connect, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_ctl, vec![]),
(libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_nanosleep, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_recvmsg, vec![]),
(libc::SYS_rt_sigprocmask, vec![]),
(libc::SYS_sendmsg, vec![]),
(libc::SYS_sendto, vec![]),
(libc::SYS_sigaltstack, vec![]),
(libc::SYS_socket, vec![]),
(libc::SYS_write, vec![]),
]
}
fn virtio_vhost_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![
(libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")]
(libc::SYS_clock_gettime, vec![]),
(libc::SYS_close, vec![]),
(libc::SYS_dup, vec![]),
(libc::SYS_epoll_create1, vec![]),
(libc::SYS_epoll_ctl, vec![]),
(libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")]
(libc::SYS_epoll_wait, vec![]),
(libc::SYS_exit, vec![]),
(libc::SYS_futex, vec![]),
(libc::SYS_munmap, vec![]),
(libc::SYS_madvise, vec![]),
(libc::SYS_read, vec![]),
(libc::SYS_rt_sigprocmask, vec![]),
(libc::SYS_sigaltstack, vec![]),
(libc::SYS_write, vec![]),
] ]
} }
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> { fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],] or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],]
} }
fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_vsock_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_accept4), (libc::SYS_accept4, vec![]),
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_connect), (libc::SYS_connect, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()), (libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_recvfrom), (libc::SYS_recvfrom, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_socket), (libc::SYS_socket, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn virtio_watchdog_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_prctl), (libc::SYS_prctl, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sched_getaffinity), (libc::SYS_sched_getaffinity, vec![]),
allow_syscall(libc::SYS_set_robust_list), (libc::SYS_set_robust_list, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_timerfd_settime), (libc::SYS_timerfd_settime, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
] ]
} }
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> { fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBalloon => virtio_balloon_thread_rules(), Thread::VirtioBalloon => virtio_balloon_thread_rules(),
Thread::VirtioBlock => virtio_block_thread_rules(), Thread::VirtioBlock => virtio_block_thread_rules(),
@ -451,7 +449,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::VirtioIommu => virtio_iommu_thread_rules(), Thread::VirtioIommu => virtio_iommu_thread_rules(),
Thread::VirtioMem => virtio_mem_thread_rules(), Thread::VirtioMem => virtio_mem_thread_rules(),
Thread::VirtioNet => virtio_net_thread_rules(), Thread::VirtioNet => virtio_net_thread_rules(),
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(),
Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(),
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
@ -460,10 +458,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
}; };
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap) SeccompFilter::new(
rules.into_iter().collect(),
SeccompAction::Trap,
SeccompAction::Allow,
std::env::consts::ARCH.try_into().unwrap(),
)
} }
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> { fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBalloon => virtio_balloon_thread_rules(), Thread::VirtioBalloon => virtio_balloon_thread_rules(),
Thread::VirtioBlock => virtio_block_thread_rules(), Thread::VirtioBlock => virtio_block_thread_rules(),
@ -471,7 +474,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::VirtioIommu => virtio_iommu_thread_rules(), Thread::VirtioIommu => virtio_iommu_thread_rules(),
Thread::VirtioMem => virtio_mem_thread_rules(), Thread::VirtioMem => virtio_mem_thread_rules(),
Thread::VirtioNet => virtio_net_thread_rules(), Thread::VirtioNet => virtio_net_thread_rules(),
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(),
Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(),
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
@ -480,21 +483,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
}; };
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log) SeccompFilter::new(
rules.into_iter().collect(),
SeccompAction::Log,
SeccompAction::Allow,
std::env::consts::ARCH.try_into().unwrap(),
)
} }
/// Generate a BPF program based on the seccomp_action value /// Generate a BPF program based on the seccomp_action value
pub fn get_seccomp_filter( pub fn get_seccomp_filter(
seccomp_action: &SeccompAction, seccomp_action: &SeccompAction,
thread_type: Thread, thread_type: Thread,
) -> Result<BpfProgram, SeccompError> { ) -> Result<BpfProgram, Error> {
match seccomp_action { match seccomp_action {
SeccompAction::Allow => Ok(vec![]), SeccompAction::Allow => Ok(vec![]),
SeccompAction::Log => get_seccomp_filter_log(thread_type) SeccompAction::Log => get_seccomp_filter_log(thread_type)
.and_then(|filter| filter.try_into()) .and_then(|filter| filter.try_into())
.map_err(SeccompError::SeccompFilter), .map_err(Error::Backend),
_ => get_seccomp_filter_trap(thread_type) _ => get_seccomp_filter_trap(thread_type)
.and_then(|filter| filter.try_into()) .and_then(|filter| filter.try_into())
.map_err(SeccompError::SeccompFilter), .map_err(Error::Backend),
} }
} }

4
virtio-devices/src/vhost_user/fs.rs
View File

@ -11,7 +11,7 @@ use crate::{
}; };
use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion}; use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion};
use libc::{self, c_void, off64_t, pread64, pwrite64}; use libc::{self, c_void, off64_t, pread64, pwrite64};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::io; use std::io;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
use std::result; use std::result;
@ -556,7 +556,7 @@ impl VirtioDevice for Fs {
thread::Builder::new() thread::Builder::new()
.name(self.id.to_string()) .name(self.id.to_string())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_vhost_fs_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running vhost-user-fs worker: {:?}", e); error!("Error running vhost-user-fs worker: {:?}", e);

4
virtio-devices/src/vhost_user/net.rs
View File

@ -11,7 +11,7 @@ use crate::{
}; };
use crate::{GuestMemoryMmap, GuestRegionMmap}; use crate::{GuestMemoryMmap, GuestRegionMmap};
use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig}; use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
use std::result; use std::result;
use std::sync::atomic::AtomicBool; use std::sync::atomic::AtomicBool;
@ -339,7 +339,7 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_ctrl", self.id)) .name(format!("{}_ctrl", self.id))
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_vhost_net_ctl_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

4
virtio-devices/src/vsock/device.rs
View File

@ -38,7 +38,7 @@ use crate::{
VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1, VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1,
}; };
use byteorder::{ByteOrder, LittleEndian}; use byteorder::{ByteOrder, LittleEndian};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::io; use std::io;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
use std::path::PathBuf; use std::path::PathBuf;
@ -441,7 +441,7 @@ where
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_vsock_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

2
virtio-devices/src/vsock/mod.rs
View File

@ -274,7 +274,7 @@ mod tests {
PathBuf::from("/test/sock"), PathBuf::from("/test/sock"),
TestBackend::new(), TestBackend::new(),
false, false,
seccomp::SeccompAction::Trap, seccompiler::SeccompAction::Trap,
) )
.unwrap(), .unwrap(),
} }

4
virtio-devices/src/watchdog.rs
View File

@ -14,7 +14,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::GuestMemoryMmap; use crate::GuestMemoryMmap;
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use anyhow::anyhow; use anyhow::anyhow;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use std::fs::File; use std::fs::File;
use std::io::{self, Read}; use std::io::{self, Read};
use std::os::unix::io::{AsRawFd, FromRawFd, RawFd}; use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
@ -325,7 +325,7 @@ impl VirtioDevice for Watchdog {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(virtio_watchdog_seccomp_filter) { if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);

2
vmm/Cargo.toml
View File

@ -35,7 +35,7 @@ net_util = { path = "../net_util" }
option_parser = { path = "../option_parser" } option_parser = { path = "../option_parser" }
pci = { path = "../pci" } pci = { path = "../pci" }
qcow = { path = "../qcow" } qcow = { path = "../qcow" }
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" } seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
serde = { version = "1.0.127", features = ["rc"] } serde = { version = "1.0.127", features = ["rc"] }
serde_derive = "1.0.127" serde_derive = "1.0.127"
serde_json = "1.0.66" serde_json = "1.0.66"

4
vmm/src/api/http.rs
View File

@ -8,7 +8,7 @@ use crate::api::{ApiError, ApiRequest, VmAction};
use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::{Error, Result}; use crate::{Error, Result};
use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version}; use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use serde_json::Error as SerdeError; use serde_json::Error as SerdeError;
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::File; use std::fs::File;
@ -276,7 +276,7 @@ fn start_http_thread(
.name("http-server".to_string()) .name("http-server".to_string())
.spawn(move || { .spawn(move || {
// Apply seccomp filter for API thread. // Apply seccomp filter for API thread.
SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?; apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
server.start_server().unwrap(); server.start_server().unwrap();
loop { loop {

4
vmm/src/api/mod.rs
View File

@ -117,10 +117,10 @@ pub enum ApiError {
VmRemoveDevice(VmError), VmRemoveDevice(VmError),
/// Cannot create seccomp filter /// Cannot create seccomp filter
CreateSeccompFilter(seccomp::SeccompError), CreateSeccompFilter(seccompiler::Error),
/// Cannot apply seccomp filter /// Cannot apply seccomp filter
ApplySeccompFilter(seccomp::Error), ApplySeccompFilter(seccompiler::Error),
/// The disk could not be added to the VM. /// The disk could not be added to the VM.
VmAddDisk(VmError), VmAddDisk(VmError),

8
vmm/src/cpu.rs
View File

@ -32,7 +32,7 @@ use hypervisor::kvm::kvm_bindings;
use hypervisor::CpuId; use hypervisor::CpuId;
use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit}; use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit};
use libc::{c_void, siginfo_t}; use libc::{c_void, siginfo_t};
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
#[cfg(feature = "acpi")] #[cfg(feature = "acpi")]
use std::collections::BTreeMap; use std::collections::BTreeMap;
use std::os::unix::thread::JoinHandleExt; use std::os::unix::thread::JoinHandleExt;
@ -88,10 +88,10 @@ pub enum Error {
DesiredVCpuCountExceedsMax, DesiredVCpuCountExceedsMax,
/// Cannot create seccomp filter /// Cannot create seccomp filter
CreateSeccompFilter(seccomp::SeccompError), CreateSeccompFilter(seccompiler::Error),
/// Cannot apply seccomp filter /// Cannot apply seccomp filter
ApplySeccompFilter(seccomp::Error), ApplySeccompFilter(seccompiler::Error),
/// Error starting vCPU after restore /// Error starting vCPU after restore
StartRestoreVcpu(anyhow::Error), StartRestoreVcpu(anyhow::Error),
@ -725,7 +725,7 @@ impl CpuManager {
.spawn(move || { .spawn(move || {
// Apply seccomp filter for vcpu thread. // Apply seccomp filter for vcpu thread.
if let Err(e) = if let Err(e) =
SeccompFilter::apply(vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter) apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
return; return;

2
vmm/src/device_manager.rs
View File

@ -66,7 +66,7 @@ use pci::{
DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot, DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot,
VfioUserPciDevice, VfioUserPciDeviceError, VfioUserPciDevice, VfioUserPciDeviceError,
}; };
use seccomp::SeccompAction; use seccompiler::SeccompAction;
use std::collections::HashMap; use std::collections::HashMap;
use std::convert::TryInto; use std::convert::TryInto;
use std::fs::{read_link, File, OpenOptions}; use std::fs::{read_link, File, OpenOptions};

8
vmm/src/lib.rs
View File

@ -28,7 +28,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::vm::{Error as VmError, Vm, VmState}; use crate::vm::{Error as VmError, Vm, VmState};
use anyhow::anyhow; use anyhow::anyhow;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use serde::ser::{Serialize, SerializeStruct, Serializer}; use serde::ser::{Serialize, SerializeStruct, Serializer};
use std::fs::File; use std::fs::File;
use std::io; use std::io;
@ -121,11 +121,11 @@ pub enum Error {
/// Cannot create seccomp filter /// Cannot create seccomp filter
#[error("Error creating seccomp filter: {0}")] #[error("Error creating seccomp filter: {0}")]
CreateSeccompFilter(seccomp::SeccompError), CreateSeccompFilter(seccompiler::Error),
/// Cannot apply seccomp filter /// Cannot apply seccomp filter
#[error("Error applying seccomp filter: {0}")] #[error("Error applying seccomp filter: {0}")]
ApplySeccompFilter(seccomp::Error), ApplySeccompFilter(seccompiler::Error),
/// Error activating virtio devices /// Error activating virtio devices
#[error("Error activating virtio devices: {0:?}")] #[error("Error activating virtio devices: {0:?}")]
@ -263,7 +263,7 @@ pub fn start_vmm_thread(
.name("vmm".to_string()) .name("vmm".to_string())
.spawn(move || { .spawn(move || {
// Apply seccomp filter for VMM thread. // Apply seccomp filter for VMM thread.
SeccompFilter::apply(vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?; apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
let mut vmm = Vmm::new( let mut vmm = Vmm::new(
vmm_version.to_string(), vmm_version.to_string(),

636
vmm/src/seccomp_filters.rs
View File

@ -4,10 +4,9 @@
// //
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
use seccomp::{ use seccompiler::{
allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule, SeccompCondition as Cond, SeccompFilter, SeccompRule,
SyscallRuleSet,
}; };
use std::convert::TryInto; use std::convert::TryInto;
@ -21,12 +20,11 @@ pub enum Thread {
/// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`. /// Shorthand for chaining `SeccompCondition`s with the `and` operator in a `SeccompRule`.
/// The rule will take the `Allow` action if _all_ the conditions are true. /// The rule will take the `Allow` action if _all_ the conditions are true.
/// ///
/// [`Allow`]: enum.SeccompAction.html
/// [`SeccompCondition`]: struct.SeccompCondition.html /// [`SeccompCondition`]: struct.SeccompCondition.html
/// [`SeccompRule`]: struct.SeccompRule.html /// [`SeccompRule`]: struct.SeccompRule.html
macro_rules! and { macro_rules! and {
($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)); ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow)) ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
} }
/// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`. /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
@ -149,66 +147,66 @@ mod mshv {
use mshv::*; use mshv::*;
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![ Ok(or![
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_API_VERSION,)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_API_VERSION,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VM)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VM)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VP)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VP)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_STATE)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_STATE)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_STATE)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_STATE)?],
and![Cond::new( and![Cond::new(
1, 1,
ArgLen::DWORD, ArgLen::Dword,
Eq, Eq,
MSHV_SET_PARTITION_PROPERTY MSHV_SET_PARTITION_PROPERTY
)?], )?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_GPA_ACCESS_STATES)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_GPA_ACCESS_STATES)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
]) ])
} }
#[cfg(feature = "kvm")] #[cfg(feature = "kvm")]
fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![ Ok(or![
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_DEVICE,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_DEVICE,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_IRQCHIP,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_IRQCHIP,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VCPU)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VCPU)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VM)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VM)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ENABLE_CAP)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_ENABLE_CAP)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_API_VERSION,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_API_VERSION,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DEVICE_ATTR,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DEVICE_ATTR,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DIRTY_LOG)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DIRTY_LOG)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MP_STATE)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MP_STATE)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_ONE_REG)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_ONE_REG)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REGS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REG_LIST)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REG_LIST)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SUPPORTED_CPUID,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SUPPORTED_CPUID,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_EVENTS,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_EVENTS,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_MMAP_SIZE,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_MMAP_SIZE,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_MEMORY_ENCRYPT_OP)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_MEMORY_ENCRYPT_OP)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MP_STATE)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MP_STATE)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_ONE_REG)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_ONE_REG)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_REGS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_REGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_VCPU_EVENTS,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_VCPU_EVENTS,)?],
]) ])
} }
fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
#[cfg(feature = "kvm")] #[cfg(feature = "kvm")]
let rules = create_vmm_ioctl_seccomp_rule_common_kvm(); let rules = create_vmm_ioctl_seccomp_rule_common_kvm();
@ -218,46 +216,46 @@ fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error>
rules rules
} }
fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, BackendError> {
let mut common_rules = or![ let mut common_rules = or![
and![Cond::new(1, ArgLen::DWORD, Eq, FIOCLEX)?], and![Cond::new(1, ArgLen::Dword, Eq, FIOCLEX)?],
and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?], and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFFLAGS)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFFLAGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFHWADDR)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFHWADDR)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFADDR)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFADDR)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFFLAGS)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFFLAGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFHWADDR)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFHWADDR)?],
and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFNETMASK)?], and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFNETMASK)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?], and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?], and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?], and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCSPTLCK)?], and![Cond::new(1, ArgLen::Dword, Eq, TIOCSPTLCK)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGTPEER)?], and![Cond::new(1, ArgLen::Dword, Eq, TIOCGTPEER)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETFEATURES)?], and![Cond::new(1, ArgLen::Dword, Eq, TUNGETFEATURES)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETIFF)?], and![Cond::new(1, ArgLen::Dword, Eq, TUNGETIFF)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETIFF)?], and![Cond::new(1, ArgLen::Dword, Eq, TUNSETIFF)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?], and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETVNETHDRSZ)?], and![Cond::new(1, ArgLen::Dword, Eq, TUNSETVNETHDRSZ)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GET_API_VERSION)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GET_API_VERSION)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_CHECK_EXTENSION)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_CHECK_EXTENSION)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_SET_IOMMU)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_SET_IOMMU)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_STATUS)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_STATUS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_SET_CONTAINER)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_SET_CONTAINER)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_DEVICE_FD)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_DEVICE_FD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_INFO)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_INFO)?],
and![Cond::new( and![Cond::new(
1, 1,
ArgLen::DWORD, ArgLen::Dword,
Eq, Eq,
VFIO_DEVICE_GET_REGION_INFO VFIO_DEVICE_GET_REGION_INFO
)?], )?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_IRQ_INFO)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_IRQ_INFO)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_RESET)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_RESET)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_IOEVENTFD)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_IOEVENTFD)?],
]; ];
let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?; let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?;
@ -268,7 +266,7 @@ fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> {
} }
#[cfg(all(target_arch = "x86_64", feature = "kvm"))] #[cfg(all(target_arch = "x86_64", feature = "kvm"))]
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
const KVM_CREATE_PIT2: u64 = 0x4040_ae77; const KVM_CREATE_PIT2: u64 = 0x4040_ae77;
const KVM_GET_CLOCK: u64 = 0x8030_ae7c; const KVM_GET_CLOCK: u64 = 0x8030_ae7c;
const KVM_GET_CPUID2: u64 = 0xc008_ae91; const KVM_GET_CPUID2: u64 = 0xc008_ae91;
@ -292,26 +290,26 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
let common_rules = create_vmm_ioctl_seccomp_rule_common()?; let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
let mut arch_rules = or![ let mut arch_rules = or![
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_PIT2)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_PIT2)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CLOCK,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CLOCK,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CPUID2,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CPUID2,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_FPU)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_FPU)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_LAPIC)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_LAPIC)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSR_INDEX_LIST)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSR_INDEX_LIST)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSRS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSRS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SREGS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SREGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XCRS,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XCRS,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XSAVE,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XSAVE,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_KVMCLOCK_CTRL)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_KVMCLOCK_CTRL)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CLOCK)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CLOCK)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CPUID2)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CPUID2)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_FPU)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_FPU)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_LAPIC)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_LAPIC)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_SREGS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_SREGS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_TSS_ADDR,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_TSS_ADDR,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MSRS)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MSRS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XCRS,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XCRS,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XSAVE,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XSAVE,)?],
]; ];
arch_rules.extend(common_rules); arch_rules.extend(common_rules);
@ -319,14 +317,14 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
} }
#[cfg(all(target_arch = "aarch64", feature = "kvm"))] #[cfg(all(target_arch = "aarch64", feature = "kvm"))]
fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf; const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf;
const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae; const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae;
let common_rules = create_vmm_ioctl_seccomp_rule_common()?; let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
let mut arch_rules = or![ let mut arch_rules = or![
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_PREFERRED_TARGET,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_PREFERRED_TARGET,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_VCPU_INIT,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_VCPU_INIT,)?],
]; ];
arch_rules.extend(common_rules); arch_rules.extend(common_rules);
@ -334,11 +332,11 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
} }
#[cfg(all(target_arch = "x86_64", feature = "mshv"))] #[cfg(all(target_arch = "x86_64", feature = "mshv"))]
fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
create_vmm_ioctl_seccomp_rule_common() create_vmm_ioctl_seccomp_rule_common()
} }
fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> { fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
#[cfg(feature = "kvm")] #[cfg(feature = "kvm")]
let rules = create_vmm_ioctl_seccomp_rule_kvm(); let rules = create_vmm_ioctl_seccomp_rule_kvm();
@ -348,182 +346,182 @@ fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
rules rules
} }
fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> { fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],]) Ok(or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?]])
} }
fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> { fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![ Ok(or![
and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?], and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?], and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?], and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
]) ])
} }
fn signal_handler_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_exit_group), (libc::SYS_exit_group, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?), (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_recvfrom), (libc::SYS_recvfrom, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_sendto), (libc::SYS_sendto, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
]) ])
} }
// The filter containing the white listed syscall rules required by the VMM to // The filter containing the white listed syscall rules required by the VMM to
// function. // function.
fn vmm_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn vmm_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_accept4), (libc::SYS_accept4, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_access), (libc::SYS_access, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_arch_prctl), (libc::SYS_arch_prctl, vec![]),
allow_syscall(libc::SYS_bind), (libc::SYS_bind, vec![]),
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_clock_nanosleep), (libc::SYS_clock_nanosleep, vec![]),
allow_syscall(libc::SYS_clone), (libc::SYS_clone, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_connect), (libc::SYS_connect, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_eventfd2), (libc::SYS_eventfd2, vec![]),
allow_syscall(libc::SYS_execve), (libc::SYS_execve, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_exit_group), (libc::SYS_exit_group, vec![]),
allow_syscall(libc::SYS_fallocate), (libc::SYS_fallocate, vec![]),
allow_syscall(libc::SYS_fcntl), (libc::SYS_fcntl, vec![]),
allow_syscall(libc::SYS_fdatasync), (libc::SYS_fdatasync, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_fork), (libc::SYS_fork, vec![]),
allow_syscall(libc::SYS_fstat), (libc::SYS_fstat, vec![]),
allow_syscall(libc::SYS_fsync), (libc::SYS_fsync, vec![]),
allow_syscall(SYS_FTRUNCATE), (SYS_FTRUNCATE, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
allow_syscall(libc::SYS_faccessat), (libc::SYS_faccessat, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
allow_syscall(libc::SYS_newfstatat), (libc::SYS_newfstatat, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_getpid), (libc::SYS_getpid, vec![]),
allow_syscall(libc::SYS_getrandom), (libc::SYS_getrandom, vec![]),
allow_syscall(libc::SYS_gettid), (libc::SYS_gettid, vec![]),
allow_syscall(libc::SYS_gettimeofday), (libc::SYS_gettimeofday, vec![]),
allow_syscall(libc::SYS_getuid), (libc::SYS_getuid, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?), (libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
allow_syscall(SYS_IO_URING_ENTER), (SYS_IO_URING_ENTER, vec![]),
allow_syscall(SYS_IO_URING_SETUP), (SYS_IO_URING_SETUP, vec![]),
allow_syscall(SYS_IO_URING_REGISTER), (SYS_IO_URING_REGISTER, vec![]),
allow_syscall(libc::SYS_kill), (libc::SYS_kill, vec![]),
allow_syscall(libc::SYS_listen), (libc::SYS_listen, vec![]),
allow_syscall(libc::SYS_lseek), (libc::SYS_lseek, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mbind), (libc::SYS_mbind, vec![]),
allow_syscall(libc::SYS_memfd_create), (libc::SYS_memfd_create, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_mremap), (libc::SYS_mremap, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_nanosleep), (libc::SYS_nanosleep, vec![]),
allow_syscall(libc::SYS_newfstatat), (libc::SYS_newfstatat, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_open), (libc::SYS_open, vec![]),
allow_syscall(libc::SYS_openat), (libc::SYS_openat, vec![]),
allow_syscall(libc::SYS_pipe2), (libc::SYS_pipe2, vec![]),
allow_syscall(libc::SYS_prctl), (libc::SYS_prctl, vec![]),
allow_syscall(libc::SYS_pread64), (libc::SYS_pread64, vec![]),
allow_syscall(libc::SYS_preadv), (libc::SYS_preadv, vec![]),
allow_syscall(libc::SYS_prlimit64), (libc::SYS_prlimit64, vec![]),
allow_syscall(libc::SYS_pwrite64), (libc::SYS_pwrite64, vec![]),
allow_syscall(libc::SYS_pwritev), (libc::SYS_pwritev, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_readv), (libc::SYS_readv, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_readlink), (libc::SYS_readlink, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
allow_syscall(libc::SYS_readlinkat), (libc::SYS_readlinkat, vec![]),
allow_syscall(libc::SYS_recvfrom), (libc::SYS_recvfrom, vec![]),
allow_syscall(libc::SYS_recvmsg), (libc::SYS_recvmsg, vec![]),
allow_syscall(libc::SYS_restart_syscall), (libc::SYS_restart_syscall, vec![]),
allow_syscall(libc::SYS_rt_sigaction), (libc::SYS_rt_sigaction, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_rt_sigreturn), (libc::SYS_rt_sigreturn, vec![]),
allow_syscall(libc::SYS_sched_getaffinity), (libc::SYS_sched_getaffinity, vec![]),
allow_syscall(libc::SYS_sendmsg), (libc::SYS_sendmsg, vec![]),
allow_syscall(libc::SYS_sendto), (libc::SYS_sendto, vec![]),
allow_syscall(libc::SYS_set_robust_list), (libc::SYS_set_robust_list, vec![]),
allow_syscall(libc::SYS_set_tid_address), (libc::SYS_set_tid_address, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall_if( (
libc::SYS_socket, libc::SYS_socket,
or![ or![
and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_UNIX as u64)?], and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_UNIX as u64)?],
and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_INET as u64)?], and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_INET as u64)?],
], ],
), ),
allow_syscall(libc::SYS_socketpair), (libc::SYS_socketpair, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_stat), (libc::SYS_stat, vec![]),
allow_syscall(libc::SYS_statx), (libc::SYS_statx, vec![]),
allow_syscall(libc::SYS_tgkill), (libc::SYS_tgkill, vec![]),
allow_syscall(libc::SYS_timerfd_create), (libc::SYS_timerfd_create, vec![]),
allow_syscall(libc::SYS_timerfd_settime), (libc::SYS_timerfd_settime, vec![]),
allow_syscall(libc::SYS_tkill), (libc::SYS_tkill, vec![]),
allow_syscall_if( (
libc::SYS_umask, libc::SYS_umask,
or![and![Cond::new(0, ArgLen::DWORD, Eq, 0o077)?]], or![and![Cond::new(0, ArgLen::Dword, Eq, 0o077)?]],
), ),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_unlink), (libc::SYS_unlink, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
allow_syscall(libc::SYS_unlinkat), (libc::SYS_unlinkat, vec![]),
allow_syscall(libc::SYS_wait4), (libc::SYS_wait4, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
allow_syscall(libc::SYS_writev), (libc::SYS_writev, vec![]),
]) ])
} }
#[cfg(feature = "kvm")] #[cfg(feature = "kvm")]
fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> { fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![ Ok(or![
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN,)?], and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN,)?],
]) ])
} }
#[cfg(feature = "mshv")] #[cfg(feature = "mshv")]
fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> { fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
Ok(or![ Ok(or![
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?], and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
]) ])
} }
fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> { fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
#[cfg(feature = "kvm")] #[cfg(feature = "kvm")]
let rules = create_vcpu_ioctl_seccomp_rule_kvm(); let rules = create_vcpu_ioctl_seccomp_rule_kvm();
@ -533,11 +531,11 @@ fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error
rules rules
} }
fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> { fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
let mut rules = or![ let mut rules = or![
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?], and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
]; ];
let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?; let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?;
@ -547,79 +545,79 @@ fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
Ok(rules) Ok(rules)
} }
fn vcpu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn vcpu_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
allow_syscall(libc::SYS_clock_gettime), (libc::SYS_clock_gettime, vec![]),
allow_syscall(libc::SYS_clock_nanosleep), (libc::SYS_clock_nanosleep, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_fstat), (libc::SYS_fstat, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_getrandom), (libc::SYS_getrandom, vec![]),
allow_syscall(libc::SYS_getpid), (libc::SYS_getpid, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?), (libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
allow_syscall(libc::SYS_lseek), (libc::SYS_lseek, vec![]),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mmap), (libc::SYS_mmap, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_nanosleep), (libc::SYS_nanosleep, vec![]),
allow_syscall(libc::SYS_newfstatat), (libc::SYS_newfstatat, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_open), (libc::SYS_open, vec![]),
allow_syscall(libc::SYS_openat), (libc::SYS_openat, vec![]),
allow_syscall(libc::SYS_pread64), (libc::SYS_pread64, vec![]),
allow_syscall(libc::SYS_pwrite64), (libc::SYS_pwrite64, vec![]),
allow_syscall(libc::SYS_read), (libc::SYS_read, vec![]),
allow_syscall(libc::SYS_recvfrom), (libc::SYS_recvfrom, vec![]),
allow_syscall(libc::SYS_recvmsg), (libc::SYS_recvmsg, vec![]),
allow_syscall(libc::SYS_rt_sigaction), (libc::SYS_rt_sigaction, vec![]),
allow_syscall(libc::SYS_rt_sigprocmask), (libc::SYS_rt_sigprocmask, vec![]),
allow_syscall(libc::SYS_rt_sigreturn), (libc::SYS_rt_sigreturn, vec![]),
allow_syscall(libc::SYS_sendmsg), (libc::SYS_sendmsg, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_tgkill), (libc::SYS_tgkill, vec![]),
allow_syscall(libc::SYS_tkill), (libc::SYS_tkill, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_unlink), (libc::SYS_unlink, vec![]),
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
allow_syscall(libc::SYS_unlinkat), (libc::SYS_unlinkat, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
allow_syscall(libc::SYS_writev), (libc::SYS_writev, vec![]),
]) ])
} }
// The filter containing the white listed syscall rules required by the API to // The filter containing the white listed syscall rules required by the API to
// function. // function.
fn api_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_accept4), (libc::SYS_accept4, vec![]),
allow_syscall(libc::SYS_brk), (libc::SYS_brk, vec![]),
allow_syscall(libc::SYS_close), (libc::SYS_close, vec![]),
allow_syscall(libc::SYS_dup), (libc::SYS_dup, vec![]),
allow_syscall(libc::SYS_epoll_create1), (libc::SYS_epoll_create1, vec![]),
allow_syscall(libc::SYS_epoll_ctl), (libc::SYS_epoll_ctl, vec![]),
allow_syscall(libc::SYS_epoll_pwait), (libc::SYS_epoll_pwait, vec![]),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), (libc::SYS_epoll_wait, vec![]),
allow_syscall(libc::SYS_exit), (libc::SYS_exit, vec![]),
allow_syscall(libc::SYS_fcntl), (libc::SYS_fcntl, vec![]),
allow_syscall(libc::SYS_futex), (libc::SYS_futex, vec![]),
allow_syscall(libc::SYS_getrandom), (libc::SYS_getrandom, vec![]),
allow_syscall_if(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?), (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
allow_syscall(libc::SYS_madvise), (libc::SYS_madvise, vec![]),
allow_syscall(libc::SYS_mprotect), (libc::SYS_mprotect, vec![]),
allow_syscall(libc::SYS_munmap), (libc::SYS_munmap, vec![]),
allow_syscall(libc::SYS_recvfrom), (libc::SYS_recvfrom, vec![]),
allow_syscall(libc::SYS_recvmsg), (libc::SYS_recvmsg, vec![]),
allow_syscall(libc::SYS_sigaltstack), (libc::SYS_sigaltstack, vec![]),
allow_syscall(libc::SYS_write), (libc::SYS_write, vec![]),
]) ])
} }
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> { fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
let rules = match thread_type { let rules = match thread_type {
Thread::Api => api_thread_rules()?, Thread::Api => api_thread_rules()?,
Thread::SignalHandler => signal_handler_thread_rules()?, Thread::SignalHandler => signal_handler_thread_rules()?,
@ -627,10 +625,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::Vmm => vmm_thread_rules()?, Thread::Vmm => vmm_thread_rules()?,
}; };
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap) SeccompFilter::new(
rules.into_iter().collect(),
SeccompAction::Trap,
SeccompAction::Allow,
std::env::consts::ARCH.try_into().unwrap(),
)
} }
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> { fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
let rules = match thread_type { let rules = match thread_type {
Thread::Api => api_thread_rules()?, Thread::Api => api_thread_rules()?,
Thread::SignalHandler => signal_handler_thread_rules()?, Thread::SignalHandler => signal_handler_thread_rules()?,
@ -638,21 +641,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::Vmm => vmm_thread_rules()?, Thread::Vmm => vmm_thread_rules()?,
}; };
SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log) SeccompFilter::new(
rules.into_iter().collect(),
SeccompAction::Log,
SeccompAction::Allow,
std::env::consts::ARCH.try_into().unwrap(),
)
} }
/// Generate a BPF program based on the seccomp_action value /// Generate a BPF program based on the seccomp_action value
pub fn get_seccomp_filter( pub fn get_seccomp_filter(
seccomp_action: &SeccompAction, seccomp_action: &SeccompAction,
thread_type: Thread, thread_type: Thread,
) -> Result<BpfProgram, SeccompError> { ) -> Result<BpfProgram, Error> {
match seccomp_action { match seccomp_action {
SeccompAction::Allow => Ok(vec![]), SeccompAction::Allow => Ok(vec![]),
SeccompAction::Log => get_seccomp_filter_log(thread_type) SeccompAction::Log => get_seccomp_filter_log(thread_type)
.and_then(|filter| filter.try_into()) .and_then(|filter| filter.try_into())
.map_err(SeccompError::SeccompFilter), .map_err(Error::Backend),
_ => get_seccomp_filter_trap(thread_type) _ => get_seccomp_filter_trap(thread_type)
.and_then(|filter| filter.try_into()) .and_then(|filter| filter.try_into())
.map_err(SeccompError::SeccompFilter), .map_err(Error::Backend),
} }
} }

10
vmm/src/vm.rs
View File

@ -44,7 +44,7 @@ use linux_loader::loader::elf::PvhBootCapability::PvhEntryPresent;
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
use linux_loader::loader::pe::Error::InvalidImageMagicNumber; use linux_loader::loader::pe::Error::InvalidImageMagicNumber;
use linux_loader::loader::KernelLoader; use linux_loader::loader::KernelLoader;
use seccomp::{SeccompAction, SeccompFilter}; use seccompiler::{apply_filter, SeccompAction};
use signal_hook::{ use signal_hook::{
consts::{SIGINT, SIGTERM, SIGWINCH}, consts::{SIGINT, SIGTERM, SIGWINCH},
iterator::backend::Handle, iterator::backend::Handle,
@ -216,10 +216,10 @@ pub enum Error {
InvalidNumaConfig, InvalidNumaConfig,
/// Cannot create seccomp filter /// Cannot create seccomp filter
CreateSeccompFilter(seccomp::SeccompError), CreateSeccompFilter(seccompiler::Error),
/// Cannot apply seccomp filter /// Cannot apply seccomp filter
ApplySeccompFilter(seccomp::Error), ApplySeccompFilter(seccompiler::Error),
/// Failed resizing a memory zone. /// Failed resizing a memory zone.
ResizeZone, ResizeZone,
@ -1880,7 +1880,7 @@ impl Vm {
thread::Builder::new() thread::Builder::new()
.name("signal_handler".to_string()) .name("signal_handler".to_string())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter) if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter) .map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
@ -2442,7 +2442,7 @@ impl Snapshottable for Vm {
thread::Builder::new() thread::Builder::new()
.name("signal_handler".to_string()) .name("signal_handler".to_string())
.spawn(move || { .spawn(move || {
if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter) if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter) .map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);