virtio-devices: seccomp: Add seccomp filters for iommu thread
This patch enables the seccomp filters for the iommu worker thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
dc6c62af09
commit
4539236690
@ -8,9 +8,11 @@ use super::{
|
|||||||
EpollHelperHandler, Queue, VirtioDevice, VirtioDeviceType, EPOLL_HELPER_EVENT_LAST,
|
EpollHelperHandler, Queue, VirtioDevice, VirtioDeviceType, EPOLL_HELPER_EVENT_LAST,
|
||||||
VIRTIO_F_VERSION_1,
|
VIRTIO_F_VERSION_1,
|
||||||
};
|
};
|
||||||
|
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||||
use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
|
use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
use libc::EFD_NONBLOCK;
|
use libc::EFD_NONBLOCK;
|
||||||
|
use seccomp::{SeccompAction, SeccompFilter};
|
||||||
use std::collections::BTreeMap;
|
use std::collections::BTreeMap;
|
||||||
use std::fmt::{self, Display};
|
use std::fmt::{self, Display};
|
||||||
use std::io;
|
use std::io;
|
||||||
@ -748,6 +750,7 @@ pub struct Iommu {
|
|||||||
epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
|
epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
|
||||||
paused: Arc<AtomicBool>,
|
paused: Arc<AtomicBool>,
|
||||||
paused_sync: Arc<Barrier>,
|
paused_sync: Arc<Barrier>,
|
||||||
|
seccomp_action: SeccompAction,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Serialize, Deserialize)]
|
#[derive(Serialize, Deserialize)]
|
||||||
@ -759,7 +762,7 @@ struct IommuState {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl Iommu {
|
impl Iommu {
|
||||||
pub fn new(id: String) -> io::Result<(Self, Arc<IommuMapping>)> {
|
pub fn new(id: String, seccomp_action: SeccompAction) -> io::Result<(Self, Arc<IommuMapping>)> {
|
||||||
let config = VirtioIommuConfig {
|
let config = VirtioIommuConfig {
|
||||||
page_size_mask: VIRTIO_IOMMU_PAGE_SIZE_MASK,
|
page_size_mask: VIRTIO_IOMMU_PAGE_SIZE_MASK,
|
||||||
probe_size: PROBE_PROP_SIZE,
|
probe_size: PROBE_PROP_SIZE,
|
||||||
@ -789,6 +792,7 @@ impl Iommu {
|
|||||||
epoll_threads: None,
|
epoll_threads: None,
|
||||||
paused: Arc::new(AtomicBool::new(false)),
|
paused: Arc::new(AtomicBool::new(false)),
|
||||||
paused_sync: Arc::new(Barrier::new(2)),
|
paused_sync: Arc::new(Barrier::new(2)),
|
||||||
|
seccomp_action,
|
||||||
},
|
},
|
||||||
mapping,
|
mapping,
|
||||||
))
|
))
|
||||||
@ -963,10 +967,16 @@ impl VirtioDevice for Iommu {
|
|||||||
let paused = self.paused.clone();
|
let paused = self.paused.clone();
|
||||||
let paused_sync = self.paused_sync.clone();
|
let paused_sync = self.paused_sync.clone();
|
||||||
let mut epoll_threads = Vec::new();
|
let mut epoll_threads = Vec::new();
|
||||||
|
// Retrieve seccomp filter for virtio_iommu thread
|
||||||
|
let virtio_iommu_seccomp_filter =
|
||||||
|
get_seccomp_filter(&self.seccomp_action, Thread::VirtioIommu)
|
||||||
|
.map_err(ActivateError::CreateSeccompFilter)?;
|
||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("virtio_iommu".to_string())
|
.name("virtio_iommu".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = handler.run(paused, paused_sync) {
|
if let Err(e) = SeccompFilter::apply(virtio_iommu_seccomp_filter) {
|
||||||
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
|
} else if let Err(e) = handler.run(paused, paused_sync) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
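Review bot: When `SeccompFilter::apply(virtio_iommu_seccomp_filter)` fails inside the spawned closure, the error is only logged and the thread returns without ever reaching `handler.run`, while `activate` has already handed `Ok` back to the caller, so the device is silently inert from that point on; that mirrors how the `handler.run` error on the next line is treated, so it is a point of documentation rather than a defect in this commit. The reason the filter is installed inside the closure instead of before `spawn` is not obvious and deserves a why-comment, e.g. `// Installed from inside the worker thread: a seccomp filter binds to the thread that installs it, so applying it before spawn() would restrict the caller instead.` The filter itself is built before `spawn`, so construction errors are correctly propagated through `ActivateError::CreateSeccompFilter`; only the apply failure stays confined to the thread. The enclosing `activate` starts and ends outside the hunk.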
|
@ -12,6 +12,7 @@ use std::convert::TryInto;
|
|||||||
pub enum Thread {
|
pub enum Thread {
|
||||||
VirtioBlk,
|
VirtioBlk,
|
||||||
VirtioConsole,
|
VirtioConsole,
|
||||||
|
VirtioIommu,
|
||||||
VirtioNet,
|
VirtioNet,
|
||||||
VirtioPmem,
|
VirtioPmem,
|
||||||
VirtioRng,
|
VirtioRng,
|
||||||
@ -81,6 +82,20 @@ fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
|
Ok(vec![
|
||||||
|
allow_syscall(libc::SYS_epoll_create1),
|
||||||
|
allow_syscall(libc::SYS_epoll_ctl),
|
||||||
|
allow_syscall(libc::SYS_dup),
|
||||||
|
allow_syscall(libc::SYS_epoll_pwait),
|
||||||
|
#[cfg(target_arch = "x86_64")]
|
||||||
|
allow_syscall(libc::SYS_epoll_wait),
|
||||||
|
allow_syscall(libc::SYS_futex),
|
||||||
|
allow_syscall(libc::SYS_read),
|
||||||
|
allow_syscall(libc::SYS_write),
|
||||||
|
])
|
||||||
|
}
|
||||||
|
|
||||||
fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_close),
|
allow_syscall(libc::SYS_close),
|
||||||
@ -150,6 +165,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
||||||
|
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
||||||
Thread::VirtioNet => virtio_net_thread_rules()?,
|
Thread::VirtioNet => virtio_net_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
@ -165,6 +181,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
let rules = match thread_type {
|
let rules = match thread_type {
|
||||||
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
Thread::VirtioBlk => virtio_blk_thread_rules()?,
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
Thread::VirtioConsole => virtio_console_thread_rules()?,
|
||||||
|
Thread::VirtioIommu => virtio_iommu_thread_rules()?,
|
||||||
Thread::VirtioNet => virtio_net_thread_rules()?,
|
Thread::VirtioNet => virtio_net_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
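Review bot: The new `virtio_iommu_thread_rules` carries no doc comment, and because `get_seccomp_filter_trap` and `get_seccomp_filter_log` turn every syscall not in this list into a SIGSYS or a log entry respectively, a maintainer needs to know what each entry is for before removing or reordering one. A header such as `/// Syscalls the "virtio_iommu" worker thread is allowed to make; anything else is` / `/// denied by the filter built from this list (see get_seccomp_filter_trap/_log).` would help, with short trailing comments per group — the `epoll_*` entries for the epoll helper loop, `futex` presumably for the pause `Barrier`, `read`/`write` for the eventfds and the `error!` log output, and `dup` presumably for eventfd cloning — marked as to be confirmed where the use is only inferred. Since the `log` action lets a missing entry pass unnoticed, it is worth exercising the iommu worker under the `Trap` action at least once so an incomplete allowlist surfaces as a crash rather than a buried log line. The `#[cfg(target_arch = "x86_64")]` on `SYS_epoll_wait` while `SYS_epoll_pwait` is unconditional is consistent with aarch64 lacking `epoll_wait`, and is fine as written.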
|
@ -1009,7 +1009,8 @@ impl DeviceManager {
|
|||||||
let iommu_id = String::from(IOMMU_DEVICE_NAME);
|
let iommu_id = String::from(IOMMU_DEVICE_NAME);
|
||||||
|
|
||||||
let (iommu_device, iommu_mapping) = if self.config.lock().unwrap().iommu {
|
let (iommu_device, iommu_mapping) = if self.config.lock().unwrap().iommu {
|
||||||
let (device, mapping) = virtio_devices::Iommu::new(iommu_id.clone())
|
let (device, mapping) =
|
||||||
|
virtio_devices::Iommu::new(iommu_id.clone(), self.seccomp_action.clone())
|
||||||
.map_err(DeviceManagerError::CreateVirtioIommu)?;
|
.map_err(DeviceManagerError::CreateVirtioIommu)?;
|
||||||
let device = Arc::new(Mutex::new(device));
|
let device = Arc::new(Mutex::new(device));
|
||||||
self.iommu_device = Some(Arc::clone(&device));
|
self.iommu_device = Some(Arc::clone(&device));
|
||||||
|