vmm: Enable Landlock on http-server thread

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
2025-03-03 15:43:49 +00:00 · 2024-02-15 21:53:11 +00:00 · 2024-02-15 21:53:11 +00:00 · 1dd53c3d24
commit 1dd53c3d24
parent 130c988380
2 changed files with 20 additions and 0 deletions
--- a/vmm/src/api/http/mod.rs
+++ b/vmm/src/api/http/mod.rs
@ -12,6 +12,7 @@ use crate::api::{
    VmReceiveMigration, VmRemoveDevice, VmResize, VmResizeZone, VmRestore, VmResume,
    VmSendMigration, VmShutdown, VmSnapshot,
 };
+use crate::landlock::Landlock;
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::{Error as VmmError, Result};
 use core::fmt;
@ -303,6 +304,7 @@ fn start_http_thread(
    seccomp_action: &SeccompAction,
    exit_evt: EventFd,
    hypervisor_type: HypervisorType,
+    landlock_enable: bool,
 ) -> Result<HttpApiHandle> {
    // Retrieve seccomp filter for API thread
    let api_seccomp_filter = get_seccomp_filter(seccomp_action, Thread::HttpApi, hypervisor_type)
@ -329,6 +331,18 @@ fn start_http_thread(
                    })?;
            }

+            if landlock_enable {
+                Landlock::new()
+                    .map_err(VmmError::CreateLandlock)?
+                    .restrict_self()
+                    .map_err(VmmError::ApplyLandlock)
+                    .map_err(|e| {
+                        error!("Error applying landlock to http-server thread: {:?}", e);
+                        exit_evt.write(1).ok();
+                        e
+                    })?;
+            }
+
            std::panic::catch_unwind(AssertUnwindSafe(move || {
                server.start_server().unwrap();
                loop {
@ -375,6 +389,7 @@ pub fn start_http_path_thread(
    seccomp_action: &SeccompAction,
    exit_evt: EventFd,
    hypervisor_type: HypervisorType,
+    landlock_enable: bool,
 ) -> Result<HttpApiHandle> {
    let socket_path = PathBuf::from(path);
    let socket_fd = UnixListener::bind(socket_path).map_err(VmmError::CreateApiServerSocket)?;
@ -389,6 +404,7 @@ pub fn start_http_path_thread(
        seccomp_action,
        exit_evt,
        hypervisor_type,
+        landlock_enable,
    )
 }

@ -399,6 +415,7 @@ pub fn start_http_fd_thread(
    seccomp_action: &SeccompAction,
    exit_evt: EventFd,
    hypervisor_type: HypervisorType,
+    landlock_enable: bool,
 ) -> Result<HttpApiHandle> {
    // SAFETY: Valid FD
    let server = unsafe { HttpServer::new_from_fd(fd) }.map_err(VmmError::CreateApiServer)?;
@ -409,6 +426,7 @@ pub fn start_http_fd_thread(
        seccomp_action,
        exit_evt,
        hypervisor_type,
+        landlock_enable,
    )
 }

--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -490,6 +490,7 @@ pub fn start_vmm_thread(
            seccomp_action,
            exit_event,
            hypervisor_type,
+            landlock_enable,
        )?)
    } else if let Some(http_fd) = http_fd {
        Some(api::start_http_fd_thread(
@ -499,6 +500,7 @@ pub fn start_vmm_thread(
            seccomp_action,
            exit_event,
            hypervisor_type,
+            landlock_enable,
        )?)
    } else {
        None