diff --git a/virtio-devices/src/block_io_uring.rs b/virtio-devices/src/block_io_uring.rs index 861093ca4..2eaefa9db 100644 --- a/virtio-devices/src/block_io_uring.rs +++ b/virtio-devices/src/block_io_uring.rs @@ -13,11 +13,13 @@ use super::{ ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue, VirtioCommon, VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST, }; +use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::VirtioInterrupt; use anyhow::anyhow; use block_util::{build_disk_image_id, Request, RequestType, VirtioBlockConfig}; use io_uring::IoUring; use libc::EFD_NONBLOCK; +use seccomp::{SeccompAction, SeccompFilter}; use std::collections::HashMap; use std::fs::File; use std::io::{self, Seek, SeekFrom}; @@ -308,6 +310,7 @@ pub struct BlockIoUring { config: VirtioBlockConfig, writeback: Arc, counters: BlockCounters, + seccomp_action: SeccompAction, } #[derive(Serialize, Deserialize)] @@ -321,6 +324,7 @@ pub struct BlockState { impl BlockIoUring { /// Create a new virtio block device that operates on the given file. + #[allow(clippy::too_many_arguments)] pub fn new( id: String, mut disk_image: File, @@ -329,6 +333,7 @@ impl BlockIoUring { iommu: bool, num_queues: usize, queue_size: u16, + seccomp_action: SeccompAction, ) -> io::Result { let disk_size = disk_image.seek(SeekFrom::End(0))? as u64; if disk_size % SECTOR_SIZE != 0 { @@ -378,6 +383,7 @@ impl BlockIoUring { config, writeback: Arc::new(AtomicBool::new(true)), counters: BlockCounters::default(), + seccomp_action, }) } @@ -545,10 +551,17 @@ impl VirtioDevice for BlockIoUring { ActivateError::BadActivate })?; + // Retrieve seccomp filter for virtio_blk_io_uring thread + let virtio_blk_io_uring_seccomp_filter = + get_seccomp_filter(&self.seccomp_action, Thread::VirtioBlkIoUring) + .map_err(ActivateError::CreateSeccompFilter)?; + thread::Builder::new() - .name("virtio_blk".to_string()) + .name("virtio_blk_io_uring".to_string()) .spawn(move || { - if let Err(e) = handler.run(paused, paused_sync.unwrap()) { + if let Err(e) = SeccompFilter::apply(virtio_blk_io_uring_seccomp_filter) { + error!("Error applying seccomp filter: {:?}", e); + } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { error!("Error running worker: {:?}", e); } }) diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs index b7e4cd698..cbc2a58fd 100644 --- a/virtio-devices/src/seccomp_filters.rs +++ b/virtio-devices/src/seccomp_filters.rs @@ -12,6 +12,7 @@ use std::convert::TryInto; pub enum Thread { VirtioBalloon, VirtioBlk, + VirtioBlkIoUring, VirtioConsole, VirtioIommu, VirtioMem, @@ -25,6 +26,9 @@ pub enum Thread { VirtioVhostNetCtl, } +// Define io_uring syscalls as they are not yet part of libc. +const SYS_IO_URING_ENTER: i64 = 426; + fn virtio_balloon_thread_rules() -> Result, Error> { Ok(vec![ allow_syscall(libc::SYS_brk), @@ -85,6 +89,28 @@ fn virtio_blk_thread_rules() -> Result, Error> { ]) } +fn virtio_blk_io_uring_thread_rules() -> Result, Error> { + Ok(vec![ + allow_syscall(libc::SYS_brk), + allow_syscall(libc::SYS_close), + allow_syscall(libc::SYS_dup), + allow_syscall(libc::SYS_epoll_create1), + allow_syscall(libc::SYS_epoll_ctl), + allow_syscall(libc::SYS_epoll_pwait), + #[cfg(target_arch = "x86_64")] + allow_syscall(libc::SYS_epoll_wait), + allow_syscall(libc::SYS_exit), + allow_syscall(libc::SYS_futex), + allow_syscall(SYS_IO_URING_ENTER), + allow_syscall(libc::SYS_madvise), + allow_syscall(libc::SYS_munmap), + allow_syscall(libc::SYS_read), + allow_syscall(libc::SYS_rt_sigprocmask), + allow_syscall(libc::SYS_sigaltstack), + allow_syscall(libc::SYS_write), + ]) +} + fn virtio_console_thread_rules() -> Result, Error> { Ok(vec![ allow_syscall(libc::SYS_brk), @@ -114,9 +140,9 @@ fn virtio_console_thread_rules() -> Result, Error> { fn virtio_iommu_thread_rules() -> Result, Error> { Ok(vec![ allow_syscall(libc::SYS_brk), + allow_syscall(libc::SYS_dup), allow_syscall(libc::SYS_epoll_create1), allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_dup), allow_syscall(libc::SYS_epoll_pwait), #[cfg(target_arch = "x86_64")] allow_syscall(libc::SYS_epoll_wait), @@ -147,9 +173,9 @@ fn virtio_net_thread_rules() -> Result, Error> { Ok(vec![ allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_close), + allow_syscall(libc::SYS_dup), allow_syscall(libc::SYS_epoll_create1), allow_syscall(libc::SYS_epoll_ctl), - allow_syscall(libc::SYS_dup), allow_syscall(libc::SYS_epoll_pwait), #[cfg(target_arch = "x86_64")] allow_syscall(libc::SYS_epoll_wait), @@ -327,6 +353,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result let rules = match thread_type { Thread::VirtioBalloon => virtio_balloon_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?, + Thread::VirtioBlkIoUring => virtio_blk_io_uring_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioIommu => virtio_iommu_thread_rules()?, Thread::VirtioMem => virtio_mem_thread_rules()?, @@ -350,6 +377,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result { let rules = match thread_type { Thread::VirtioBalloon => virtio_balloon_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?, + Thread::VirtioBlkIoUring => virtio_blk_io_uring_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioIommu => virtio_iommu_thread_rules()?, Thread::VirtioMem => virtio_mem_thread_rules()?, diff --git a/vmm/src/device_manager.rs b/vmm/src/device_manager.rs index 549e32fe6..a93ad5598 100644 --- a/vmm/src/device_manager.rs +++ b/vmm/src/device_manager.rs @@ -1705,6 +1705,7 @@ impl DeviceManager { disk_cfg.iommu, disk_cfg.num_queues, disk_cfg.queue_size, + self.seccomp_action.clone(), ) .map_err(DeviceManagerError::CreateVirtioBlock)?, ));