External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-02 01:45:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: seccomp: Add seccomp filters for blk_io_uring thread

Browse Source 
This patch enables the seccomp filters for the block_io_uring worker
thread.

Partially fixes: #925

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2020-08-17 17:10:03 -07:00 committed by Rob Bradford
parent 56b0c85578
commit 1175fa2bc7
3 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
virtio-devices/src/block_io_uring.rs
View File

@ -13,11 +13,13 @@ use super::{
ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue, ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue,
VirtioCommon, VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST, VirtioCommon, VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST,
}; };
use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::VirtioInterrupt; use crate::VirtioInterrupt;
use anyhow::anyhow; use anyhow::anyhow;
use block_util::{build_disk_image_id, Request, RequestType, VirtioBlockConfig}; use block_util::{build_disk_image_id, Request, RequestType, VirtioBlockConfig};
use io_uring::IoUring; use io_uring::IoUring;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter};
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::File; use std::fs::File;
use std::io::{self, Seek, SeekFrom}; use std::io::{self, Seek, SeekFrom};
@ -308,6 +310,7 @@ pub struct BlockIoUring {
config: VirtioBlockConfig, config: VirtioBlockConfig,
writeback: Arc<AtomicBool>, writeback: Arc<AtomicBool>,
counters: BlockCounters, counters: BlockCounters,
seccomp_action: SeccompAction,
} }
#[derive(Serialize, Deserialize)] #[derive(Serialize, Deserialize)]
@ -321,6 +324,7 @@ pub struct BlockState {
impl BlockIoUring { impl BlockIoUring {
/// Create a new virtio block device that operates on the given file. /// Create a new virtio block device that operates on the given file.
#[allow(clippy::too_many_arguments)]
pub fn new( pub fn new(
id: String, id: String,
mut disk_image: File, mut disk_image: File,
@ -329,6 +333,7 @@ impl BlockIoUring {
iommu: bool, iommu: bool,
num_queues: usize, num_queues: usize,
queue_size: u16, queue_size: u16,
seccomp_action: SeccompAction,
) -> io::Result<Self> { ) -> io::Result<Self> {
let disk_size = disk_image.seek(SeekFrom::End(0))? as u64; let disk_size = disk_image.seek(SeekFrom::End(0))? as u64;
if disk_size % SECTOR_SIZE != 0 { if disk_size % SECTOR_SIZE != 0 {
@ -378,6 +383,7 @@ impl BlockIoUring {
config, config,
writeback: Arc::new(AtomicBool::new(true)), writeback: Arc::new(AtomicBool::new(true)),
counters: BlockCounters::default(), counters: BlockCounters::default(),
seccomp_action,
}) })
} }
@ -545,10 +551,17 @@ impl VirtioDevice for BlockIoUring {
ActivateError::BadActivate ActivateError::BadActivate
})?; })?;
// Retrieve seccomp filter for virtio_blk_io_uring thread
let virtio_blk_io_uring_seccomp_filter =
get_seccomp_filter(&self.seccomp_action, Thread::VirtioBlkIoUring)
.map_err(ActivateError::CreateSeccompFilter)?;
thread::Builder::new() thread::Builder::new()
.name("virtio_blk".to_string()) .name("virtio_blk_io_uring".to_string())
.spawn(move || { .spawn(move || {
if let Err(e) = handler.run(paused, paused_sync.unwrap()) { if let Err(e) = SeccompFilter::apply(virtio_blk_io_uring_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

32
virtio-devices/src/seccomp_filters.rs
View File

@ -12,6 +12,7 @@ use std::convert::TryInto;
pub enum Thread { pub enum Thread {
VirtioBalloon, VirtioBalloon,
VirtioBlk, VirtioBlk,
VirtioBlkIoUring,
VirtioConsole, VirtioConsole,
VirtioIommu, VirtioIommu,
VirtioMem, VirtioMem,
@ -25,6 +26,9 @@ pub enum Thread {
VirtioVhostNetCtl, VirtioVhostNetCtl,
} }
// Define io_uring syscalls as they are not yet part of libc.
const SYS_IO_URING_ENTER: i64 = 426;
fn virtio_balloon_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_balloon_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
@ -85,6 +89,28 @@ fn virtio_blk_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
]) ])
} }
fn virtio_blk_io_uring_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![
allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex),
allow_syscall(SYS_IO_URING_ENTER),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_rt_sigprocmask),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
])
}
fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
@ -114,9 +140,9 @@ fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1), allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl), allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_pwait), allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), allow_syscall(libc::SYS_epoll_wait),
@ -147,9 +173,9 @@ fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close), allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1), allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl), allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_pwait), allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait), allow_syscall(libc::SYS_epoll_wait),
@ -327,6 +353,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBalloon => virtio_balloon_thread_rules()?, Thread::VirtioBalloon => virtio_balloon_thread_rules()?,
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioBlkIoUring => virtio_blk_io_uring_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioIommu => virtio_iommu_thread_rules()?, Thread::VirtioIommu => virtio_iommu_thread_rules()?,
Thread::VirtioMem => virtio_mem_thread_rules()?, Thread::VirtioMem => virtio_mem_thread_rules()?,
@ -350,6 +377,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBalloon => virtio_balloon_thread_rules()?, Thread::VirtioBalloon => virtio_balloon_thread_rules()?,
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioBlkIoUring => virtio_blk_io_uring_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioIommu => virtio_iommu_thread_rules()?, Thread::VirtioIommu => virtio_iommu_thread_rules()?,
Thread::VirtioMem => virtio_mem_thread_rules()?, Thread::VirtioMem => virtio_mem_thread_rules()?,

1
vmm/src/device_manager.rs
View File

@ -1705,6 +1705,7 @@ impl DeviceManager {
disk_cfg.iommu, disk_cfg.iommu,
disk_cfg.num_queues, disk_cfg.num_queues,
disk_cfg.queue_size, disk_cfg.queue_size,
self.seccomp_action.clone(),
) )
.map_err(DeviceManagerError::CreateVirtioBlock)?, .map_err(DeviceManagerError::CreateVirtioBlock)?,
)); ));