virtio-devices: seccomp: Distinguish viritio-net-ctl from virtio-net
The seccomp filter currently labelled virtio-net is in fact applied to the control worker thread 'virtio_net_ctl', not to the actual 'virtio_net' worker thread. This patch introduces changes to distinguish the two worker threads and their seccomp filters. Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
4539236690
commit
1bf7817c40
@ -431,14 +431,14 @@ impl VirtioDevice for Net {
|
|||||||
self.paused_sync = Arc::new(Barrier::new(taps.len() + 2));
|
self.paused_sync = Arc::new(Barrier::new(taps.len() + 2));
|
||||||
let paused_sync = self.paused_sync.clone();
|
let paused_sync = self.paused_sync.clone();
|
||||||
|
|
||||||
// Retrieve seccomp filter for virtio_net thread
|
// Retrieve seccomp filter for virtio_net_ctl thread
|
||||||
let virtio_net_seccomp_filter =
|
let virtio_net_ctl_seccomp_filter =
|
||||||
get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
|
get_seccomp_filter(&self.seccomp_action, Thread::VirtioNetCtl)
|
||||||
.map_err(ActivateError::CreateSeccompFilter)?;
|
.map_err(ActivateError::CreateSeccompFilter)?;
|
||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("virtio_net".to_string())
|
.name("virtio_net_ctl".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
|
if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync) {
|
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
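Review bot: Renaming this spawn to `virtio_net_ctl` makes explicit that the only thread given a seccomp filter in this hunk is the control handler (`ctrl_handler.run_ctrl`), while the `Barrier::new(taps.len() + 2)` a few lines up implies at least one further worker per tap whose filter is not visible here. With `Thread::VirtioNet` removed from the enum in this same commit, those data-path workers cannot be confined until a new variant and rule set exist, so they presumably run without seccomp after this change — and the thread that processes guest-controlled descriptors is the one I would least want unconfined. If that is intended as a follow-up, a marker next to the spawn would keep it from being forgotten: `// TODO(seccomp): the per-tap virtio_net worker threads spawned elsewhere in this method still need their own Thread::VirtioNet filter`. The enclosing method starts before and ends after this hunk.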
|
||||||
|
@ -13,7 +13,7 @@ pub enum Thread {
|
|||||||
VirtioBlk,
|
VirtioBlk,
|
||||||
VirtioConsole,
|
VirtioConsole,
|
||||||
VirtioIommu,
|
VirtioIommu,
|
||||||
VirtioNet,
|
VirtioNetCtl,
|
||||||
VirtioPmem,
|
VirtioPmem,
|
||||||
VirtioRng,
|
VirtioRng,
|
||||||
}
|
}
|
||||||
@ -96,7 +96,7 @@ fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_close),
|
allow_syscall(libc::SYS_close),
|
||||||
allow_syscall(libc::SYS_dup),
|
allow_syscall(libc::SYS_dup),
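Review bot: `virtio_net_ctl_thread_rules` is the old `virtio_net` allowlist under a new name, so its contents were written while the thread it confines was misidentified and have not been re-derived from what `run_ctrl` alone needs; the first two entries visible here, `close` and `dup`, are worth confirming for a thread that only services the control virtqueue, and the rest of the list below the hunk deserves the same pass. The function also has no doc comment saying which thread it confines; I would add `/// Syscall allowlist for the \`virtio_net_ctl\` thread (the control-queue handler spawned by the virtio-net device).` above the `fn` line. The function's body continues past the end of the hunk.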
|
||||||
@ -166,7 +166,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
||||||
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
||||||
Thread::VirtioNet => virtio_net_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
};
|
};
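Review bot: This arm had to be changed identically in both `get_seccomp_filter_trap` and `get_seccomp_filter_log`, which is a sign that the `Thread`-to-rules dispatch is duplicated between the two builders; a single `fn thread_rules(thread_type: Thread) -> Result<Vec<SyscallRuleSet>, Error>` holding the `match` once, called by both, would keep the trap and log filters from ever disagreeing about which rule set a thread gets. The exhaustive `match` is doing its job here (a stale arm would not compile after the rename), so this is a style point rather than a defect. Both functions start before and end after their hunks.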
|
||||||
@ -182,7 +182,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
||||||
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
||||||
Thread::VirtioNet => virtio_net_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
};
|
};
|
||||||
|