From 1bf7817c401b3310e7331a5eec82dcf011811efb Mon Sep 17 00:00:00 2001
From: Bo Chen <chen.bo@intel.com>
Date: Fri, 14 Aug 2020 14:49:30 -0700
Subject: [PATCH] virtio-devices: seccomp: Distinguish viritio-net-ctl from
 virtio-net

The current seccomp filter for virtio-net is actually for the worker
thread 'virtio_net_ctl' (not the actual worker thread
'virtio_net'). This patch introduces changes to distinguish those two
worker threads and seccomp filters.

Signed-off-by: Bo Chen <chen.bo@intel.com>
---
 virtio-devices/src/net.rs             | 10 +++++-----
 virtio-devices/src/seccomp_filters.rs |  8 ++++----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/virtio-devices/src/net.rs b/virtio-devices/src/net.rs
index 5cca455a3..edf3d721f 100644
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@@ -431,14 +431,14 @@ impl VirtioDevice for Net {
                 self.paused_sync = Arc::new(Barrier::new(taps.len() + 2));
                 let paused_sync = self.paused_sync.clone();
 
-                // Retrieve seccomp filter for virtio_net thread
-                let virtio_net_seccomp_filter =
-                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
+                // Retrieve seccomp filter for virtio_net_ctl thread
+                let virtio_net_ctl_seccomp_filter =
+                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNetCtl)
                         .map_err(ActivateError::CreateSeccompFilter)?;
                 thread::Builder::new()
-                    .name("virtio_net".to_string())
+                    .name("virtio_net_ctl".to_string())
                     .spawn(move || {
-                        if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
+                        if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) {
                             error!("Error applying seccomp filter: {:?}", e);
                         } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync) {
                             error!("Error running worker: {:?}", e);
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index aac498a87..9adac5b08 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -13,7 +13,7 @@ pub enum Thread {
     VirtioBlk,
     VirtioConsole,
     VirtioIommu,
-    VirtioNet,
+    VirtioNetCtl,
     VirtioPmem,
     VirtioRng,
 }
@@ -96,7 +96,7 @@ fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
     ])
 }
 
-fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
     Ok(vec![
         allow_syscall(libc::SYS_close),
         allow_syscall(libc::SYS_dup),
@@ -166,7 +166,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
         Thread::VirtioIommu => virtio_iommu_thread_rules()?,
-        Thread::VirtioNet => virtio_net_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
         Thread::VirtioPmem => virtio_pmem_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };
@@ -182,7 +182,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
         Thread::VirtioIommu => virtio_iommu_thread_rules()?,
-        Thread::VirtioNet => virtio_net_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
         Thread::VirtioPmem => virtio_pmem_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };