External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-12-22 13:45:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: seccomp: add vhost-user syscalls

Browse Source 
Cloud Hypervisor's vhost-user implementation will reconnect if it gets
disconnected from the backend.  That means connections happen inside
the vhost-user seccomp sandbox, so all syscalls used in reconnecting
have to be allowed in that sandbox.

clock_nanosleep is used by Glibc, and nanosleep is used by musl.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
This commit is contained in:
Alyssa Ross 2023-03-30 21:24:55 +00:00 committed by Bo Chen
parent 499e8433c3
commit 0aa858c266
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
virtio-devices/src/seccomp_filters.rs
View File

@ -151,6 +151,7 @@ fn virtio_rng_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> { fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
(libc::SYS_clock_nanosleep, vec![]),
(libc::SYS_connect, vec![]), (libc::SYS_connect, vec![]),
(libc::SYS_nanosleep, vec![]), (libc::SYS_nanosleep, vec![]),
(libc::SYS_pread64, vec![]), (libc::SYS_pread64, vec![]),
@ -170,8 +171,11 @@ fn virtio_vhost_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![ vec![
(libc::SYS_accept4, vec![]), (libc::SYS_accept4, vec![]),
(libc::SYS_bind, vec![]), (libc::SYS_bind, vec![]),
(libc::SYS_clock_nanosleep, vec![]),
(libc::SYS_connect, vec![]),
(libc::SYS_getcwd, vec![]), (libc::SYS_getcwd, vec![]),
(libc::SYS_listen, vec![]), (libc::SYS_listen, vec![]),
(libc::SYS_nanosleep, vec![]),
(libc::SYS_recvmsg, vec![]), (libc::SYS_recvmsg, vec![]),
(libc::SYS_sendmsg, vec![]), (libc::SYS_sendmsg, vec![]),
(libc::SYS_sendto, vec![]), (libc::SYS_sendto, vec![]),
@ -184,7 +188,14 @@ fn virtio_vhost_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
} }
fn virtio_vhost_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> { fn virtio_vhost_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
vec![] vec![
(libc::SYS_clock_nanosleep, vec![]),
(libc::SYS_connect, vec![]),
(libc::SYS_nanosleep, vec![]),
(libc::SYS_recvmsg, vec![]),
(libc::SYS_sendmsg, vec![]),
(libc::SYS_socket, vec![]),
]
} }
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> { fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {