From 1dd53c3d24375ad237f23353d8cdd65c53317c63 Mon Sep 17 00:00:00 2001 From: Praveen K Paladugu Date: Thu, 15 Feb 2024 21:53:11 +0000 Subject: [PATCH] vmm: Enable Landlock on http-server thread Signed-off-by: Praveen K Paladugu --- vmm/src/api/http/mod.rs | 18 ++++++++++++++++++ vmm/src/lib.rs | 2 ++ 2 files changed, 20 insertions(+) diff --git a/vmm/src/api/http/mod.rs b/vmm/src/api/http/mod.rs index dee4118c4..bfa347d37 100644 --- a/vmm/src/api/http/mod.rs +++ b/vmm/src/api/http/mod.rs @@ -12,6 +12,7 @@ use crate::api::{ VmReceiveMigration, VmRemoveDevice, VmResize, VmResizeZone, VmRestore, VmResume, VmSendMigration, VmShutdown, VmSnapshot, }; +use crate::landlock::Landlock; use crate::seccomp_filters::{get_seccomp_filter, Thread}; use crate::{Error as VmmError, Result}; use core::fmt; @@ -303,6 +304,7 @@ fn start_http_thread( seccomp_action: &SeccompAction, exit_evt: EventFd, hypervisor_type: HypervisorType, + landlock_enable: bool, ) -> Result { // Retrieve seccomp filter for API thread let api_seccomp_filter = get_seccomp_filter(seccomp_action, Thread::HttpApi, hypervisor_type) @@ -329,6 +331,18 @@ fn start_http_thread( })?; } + if landlock_enable { + Landlock::new() + .map_err(VmmError::CreateLandlock)? + .restrict_self() + .map_err(VmmError::ApplyLandlock) + .map_err(|e| { + error!("Error applying landlock to http-server thread: {:?}", e); + exit_evt.write(1).ok(); + e + })?; + } + std::panic::catch_unwind(AssertUnwindSafe(move || { server.start_server().unwrap(); loop { @@ -375,6 +389,7 @@ pub fn start_http_path_thread( seccomp_action: &SeccompAction, exit_evt: EventFd, hypervisor_type: HypervisorType, + landlock_enable: bool, ) -> Result { let socket_path = PathBuf::from(path); let socket_fd = UnixListener::bind(socket_path).map_err(VmmError::CreateApiServerSocket)?; @@ -389,6 +404,7 @@ pub fn start_http_path_thread( seccomp_action, exit_evt, hypervisor_type, + landlock_enable, ) } @@ -399,6 +415,7 @@ pub fn start_http_fd_thread( seccomp_action: &SeccompAction, exit_evt: EventFd, hypervisor_type: HypervisorType, + landlock_enable: bool, ) -> Result { // SAFETY: Valid FD let server = unsafe { HttpServer::new_from_fd(fd) }.map_err(VmmError::CreateApiServer)?; @@ -409,6 +426,7 @@ pub fn start_http_fd_thread( seccomp_action, exit_evt, hypervisor_type, + landlock_enable, ) } diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs index c4ed48fc4..b3f34ccd9 100644 --- a/vmm/src/lib.rs +++ b/vmm/src/lib.rs @@ -490,6 +490,7 @@ pub fn start_vmm_thread( seccomp_action, exit_event, hypervisor_type, + landlock_enable, )?) } else if let Some(http_fd) = http_fd { Some(api::start_http_fd_thread( @@ -499,6 +500,7 @@ pub fn start_vmm_thread( seccomp_action, exit_event, hypervisor_type, + landlock_enable, )?) } else { None