vmm: Introduce landlock cmdline parameter

Users can use this cmdline option to enable/disable Landlock based sandboxing while running cloud-hypervisor. Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
2025-02-22 11:22:26 +00:00 · 2024-02-13 18:47:37 +00:00 · 2024-02-13 18:47:37 +00:00 · 287dbd4fc9
commit 287dbd4fc9
parent c50ea2c708
5 changed files with 22 additions and 0 deletions
--- a/fuzz/fuzz_targets/http_api.rs
+++ b/fuzz/fuzz_targets/http_api.rs
@ -190,6 +190,7 @@ impl RequestHandler for StubApiRequestHandler {
                platform: None,
                tpm: None,
                preserved_fds: None,
+                landlock_enable: false,
            })),
            state: VmState::Running,
            memory_actual_size: 0,
--- a/src/main.rs
+++ b/src/main.rs
@ -271,6 +271,17 @@ fn create_app(default_vcpus: String, default_memory: String, default_rng: String
                .num_args(1..)
                .group("vm-config"),
        )
+        .arg(
+            Arg::new("landlock")
+                .long("landlock")
+                .num_args(0)
+                .help(
+                    "enable/disable Landlock.",
+                )
+                .action(ArgAction::SetTrue)
+                .default_value("false")
+                .group("vm-config"),
+        )
        .arg(
            Arg::new("net")
                .long("net")
@ -1032,6 +1043,7 @@ mod unit_tests {
            platform: None,
            tpm: None,
            preserved_fds: None,
+            landlock_enable: false,
        };

        assert_eq!(expected_vm_config, result_vm_config);
--- a/vmm/src/config.rs
+++ b/vmm/src/config.rs
@ -472,6 +472,7 @@ pub struct VmParams<'a> {
    pub igvm: Option<&'a str>,
    #[cfg(feature = "sev_snp")]
    pub host_data: Option<&'a str>,
+    pub landlock_enable: bool,
 }

 impl<'a> VmParams<'a> {
@ -537,6 +538,7 @@ impl<'a> VmParams<'a> {
        let igvm = args.get_one::<String>("igvm").map(|x| x as &str);
        #[cfg(feature = "sev_snp")]
        let host_data = args.get_one::<String>("host-data").map(|x| x as &str);
+        let landlock_enable = args.get_flag("landlock");
        VmParams {
            cpus,
            memory,
@ -574,6 +576,7 @@ impl<'a> VmParams<'a> {
            igvm,
            #[cfg(feature = "sev_snp")]
            host_data,
+            landlock_enable,
        }
    }
 }
@ -2854,6 +2857,7 @@ impl VmConfig {
            platform,
            tpm,
            preserved_fds: None,
+            landlock_enable: vm_params.landlock_enable,
        };
        config.validate().map_err(Error::Validation)?;
        Ok(config)
@ -3778,6 +3782,7 @@ mod tests {
                    ..net_fixture()
                },
            ]),
+            landlock_enable: false,
        };

        let valid_config = RestoreConfig {
@ -3966,6 +3971,7 @@ mod tests {
            platform: None,
            tpm: None,
            preserved_fds: None,
+            landlock_enable: false,
        };

        assert!(valid_config.validate().is_ok());
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -2189,6 +2189,7 @@ mod unit_tests {
            platform: None,
            tpm: None,
            preserved_fds: None,
+            landlock_enable: false,
        }))
    }

--- a/vmm/src/vm_config.rs
+++ b/vmm/src/vm_config.rs
@ -645,4 +645,6 @@ pub struct VmConfig {
    // valid, and will be closed when the holding VmConfig instance is destroyed.
    #[serde(skip)]
    pub preserved_fds: Option<Vec<i32>>,
+    #[serde(default)]
+    pub landlock_enable: bool,
 }