vmm: Enable Landlock on vmm thread

Add file/dir paths from landlock-rules arguments to ruleset. Invoke apply_landlock on VmConfig to apply config specific rules to ruleset. Once done, any threads spawned by vmm thread will be automatically sandboxed with the ruleset in vmm thread. Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
2025-02-22 11:22:26 +00:00 · 2024-02-14 23:14:51 +00:00 · 2024-02-14 23:14:51 +00:00 · 249e362c70
commit 249e362c70
parent b3e5738b40
2 changed files with 22 additions and 0 deletions
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -675,6 +675,7 @@ impl Vmm {
        Ok(())
    }

+    #[allow(clippy::too_many_arguments)]
    fn new(
        vmm_version: VmmVersionInfo,
        api_evt: EventFd,
@ -1250,6 +1251,11 @@ impl Vmm {
    }
 }

+fn apply_landlock(vm_config: Arc<Mutex<VmConfig>>) -> result::Result<(), LandlockError> {
+    vm_config.lock().unwrap().apply_landlock()?;
+    Ok(())
+}
+
 impl RequestHandler for Vmm {
    fn vm_create(&mut self, config: Arc<Mutex<VmConfig>>) -> result::Result<(), VmError> {
        // We only store the passed VM config.
@ -1258,6 +1264,18 @@ impl RequestHandler for Vmm {
            self.vm_config = Some(config);
            self.console_info =
                Some(pre_create_console_devices(self).map_err(VmError::CreateConsoleDevices)?);
+
+            if self
+                .vm_config
+                .as_ref()
+                .unwrap()
+                .lock()
+                .unwrap()
+                .landlock_enable
+            {
+                apply_landlock(self.vm_config.as_ref().unwrap().clone())
+                    .map_err(VmError::ApplyLandlock)?;
+            }
            Ok(())
        } else {
            Err(VmError::VmAlreadyCreated)
--- a/vmm/src/vm.rs
+++ b/vmm/src/vm.rs
@ -28,6 +28,7 @@ use crate::device_tree::DeviceTree;
 use crate::gdb::{Debuggable, DebuggableError, GdbRequestPayload, GdbResponsePayload};
 #[cfg(feature = "igvm")]
 use crate::igvm::igvm_loader;
+use crate::landlock::LandlockError;
 use crate::memory_manager::{
    Error as MemoryManagerError, MemoryManager, MemoryManagerSnapshotData,
 };
@ -122,6 +123,9 @@ pub enum Error {
    #[error("Cannot load the kernel command line in memory: {0}")]
    LoadCmdLine(#[source] linux_loader::loader::Error),

+    #[error("Failed to apply landlock config during vm_create: {0}")]
+    ApplyLandlock(#[source] LandlockError),
+
    #[error("Cannot modify the kernel command line: {0}")]
    CmdLineInsertStr(#[source] linux_loader::cmdline::Error),