virtio-devices: seccomp: Distinguish viritio-net-ctl from virtio-net

The current seccomp filter for virtio-net is actually for the worker thread 'virtio_net_ctl' (not the actual worker thread 'virtio_net'). This patch introduces changes to distinguish those two worker threads and seccomp filters. Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-01-21 20:15:21 +00:00 · 2020-08-14 14:49:30 -07:00 · 2020-08-14 14:49:30 -07:00 · 1bf7817c40
commit 1bf7817c40
parent 4539236690
2 changed files with 9 additions and 9 deletions
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@ -431,14 +431,14 @@ impl VirtioDevice for Net {
                self.paused_sync = Arc::new(Barrier::new(taps.len() + 2));
                let paused_sync = self.paused_sync.clone();

-                // Retrieve seccomp filter for virtio_net thread
-                let virtio_net_seccomp_filter =
-                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
+                // Retrieve seccomp filter for virtio_net_ctl thread
+                let virtio_net_ctl_seccomp_filter =
+                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNetCtl)
                        .map_err(ActivateError::CreateSeccompFilter)?;
                thread::Builder::new()
-                    .name("virtio_net".to_string())
+                    .name("virtio_net_ctl".to_string())
                    .spawn(move || {
-                        if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
+                        if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) {
                            error!("Error applying seccomp filter: {:?}", e);
                        } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync) {
                            error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -13,7 +13,7 @@ pub enum Thread {
    VirtioBlk,
    VirtioConsole,
    VirtioIommu,
-    VirtioNet,
+    VirtioNetCtl,
    VirtioPmem,
    VirtioRng,
 }
@ -96,7 +96,7 @@ fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    ])
 }

-fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    Ok(vec![
        allow_syscall(libc::SYS_close),
        allow_syscall(libc::SYS_dup),
@ -166,7 +166,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
-        Thread::VirtioNet => virtio_net_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
        Thread::VirtioRng => virtio_rng_thread_rules()?,
    };
@ -182,7 +182,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
-        Thread::VirtioNet => virtio_net_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
        Thread::VirtioRng => virtio_rng_thread_rules()?,
    };