External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-22 03:12:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

vmm: Enable Landlock on signal-handler thread

Browse Source 
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
This commit is contained in:
Praveen K Paladugu 2024-02-13 19:12:51 +00:00 committed by Liu Wei
parent 8c76a3e4b5
commit 130c988380
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/main.rs
View File

@ -749,6 +749,7 @@ fn start_vmm(cmd_arguments: ArgMatches) -> Result<Option<String>, Error> {
exit_evt.try_clone().unwrap(),
&seccomp_action,
hypervisor,
landlock_enable,
)
.map_err(Error::StartVmmThread)?;

20
vmm/src/lib.rs
View File

@ -412,6 +412,7 @@ pub fn start_vmm_thread(
exit_event: EventFd,
seccomp_action: &SeccompAction,
hypervisor: Arc<dyn hypervisor::Hypervisor>,
landlock_enable: bool,
) -> Result<VmmThreadHandle> {
#[cfg(feature = "guest_debug")]
let gdb_hw_breakpoints = hypervisor.get_guest_debug_hw_bps();
@ -452,7 +453,7 @@ pub fn start_vmm_thread(
exit_event,
)?;
vmm.setup_signal_handler()?;
vmm.setup_signal_handler(landlock_enable)?;
vmm.control_loop(
Rc::new(api_receiver),
@ -613,7 +614,7 @@ impl Vmm {
}
}
fn setup_signal_handler(&mut self) -> Result<()> {
fn setup_signal_handler(&mut self, landlock_enable: bool) -> Result<()> {
let signals = Signals::new(Self::HANDLED_SIGNALS);
match signals {
Ok(signals) => {
@ -640,6 +641,21 @@ impl Vmm {
return;
}
}
if landlock_enable{
match Landlock::new() {
Ok(landlock) => {
let _ = landlock.restrict_self().map_err(Error::ApplyLandlock).map_err(|e| {
error!("Error applying Landlock to signal handler thread: {:?}", e);
exit_evt.write(1).ok();
});
}
Err(e) => {
error!("Error creating Landlock object: {:?}", e);
exit_evt.write(1).ok();
}
};
}
std::panic::catch_unwind(AssertUnwindSafe(|| {
Vmm::signal_handler(signals, original_termios_opt, &exit_evt);
}))