virtio-devices: seccomp: Add seccomp filter for vhost_net thread

This patch enables the seccomp filters for the vhost_net worker thread.

Partially fixes: #925

Signed-off-by: Bo Chen <chen.bo@intel.com>
Bo Chen 2020-08-17 21:53:08 -07:00 committed by Sebastien Boeuf
parent 896b9a1d4b
commit 4e0ea15075
2 changed files with 25 additions and 2 deletions


@ -20,6 +20,7 @@ pub enum Thread {
VirtioPmem, VirtioPmem,
VirtioRng, VirtioRng,
VirtioVhostFs, VirtioVhostFs,
VirtioVhostNet,
VirtioVhostNetCtl, VirtioVhostNetCtl,
} }
@ -254,6 +255,21 @@ fn virtio_vhost_fs_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
]) ])
} }
fn virtio_vhost_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![
allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_write),
])
}
fn virtio_vhost_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_vhost_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
@ -280,6 +296,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::VirtioPmem => virtio_pmem_thread_rules()?, Thread::VirtioPmem => virtio_pmem_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?, Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?, Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
}; };
@ -301,6 +318,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::VirtioPmem => virtio_pmem_thread_rules()?, Thread::VirtioPmem => virtio_pmem_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?, Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?, Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
}; };
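Review bot: `virtio_vhost_net_thread_rules` gives no indication of why each entry is on the allow list, and `SYS_dup` stands out in a worker that otherwise only polls an epoll fd and does `read`/`write`; without a comment the next person auditing the filter cannot tell whether it is still needed or whether the list has drifted. A short comment on that entry naming the call path that duplicates a descriptor (presumably somewhere in the handler, which is not visible here) would keep the allow list reviewable, e.g. `// needed by <call path>; remove if that path goes away` with the real path filled in. The same applies to the `#[cfg(target_arch = "x86_64")]` gate on `SYS_epoll_wait`, where a one-line note that the syscall does not exist on the other supported architecture would save a reader the lookup.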


@ -318,10 +318,15 @@ impl VirtioDevice for Net {
let paused = self.paused.clone(); let paused = self.paused.clone();
let paused_sync = self.paused_sync.clone(); let paused_sync = self.paused_sync.clone();
let virtio_vhost_net_seccomp_filter =
get_seccomp_filter(&self.seccomp_action, Thread::VirtioVhostNet)
.map_err(ActivateError::CreateSeccompFilter)?;
thread::Builder::new() thread::Builder::new()
.name("vhost_user_net".to_string()) .name("vhost_net".to_string())
.spawn(move || { .spawn(move || {
if let Err(e) = handler.run(paused, paused_sync) { if let Err(e) = SeccompFilter::apply(virtio_vhost_net_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })
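Review bot: When `SeccompFilter::apply(virtio_vhost_net_seccomp_filter)` fails inside the spawned closure, the worker never calls `handler.run`, but the enclosing activation has already returned `Ok` by then, so the device ends up activated with no running thread and the only evidence is the `error!` line. This looks like the pattern already used for the other device threads, so if the asymmetry is intentional a comment above the `if let Err(e) = SeccompFilter::apply(...)` line stating it would help, e.g. `// A filter that cannot be applied aborts the worker rather than the VMM; the device stays activated but idle, see the log.` If it is not intentional, the failure should be surfaced to whoever owns the device state rather than swallowed in the thread. The enclosing `activate` starts and ends outside this hunk.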