virtio-devices: seccomp: Add seccomp filter for vhost_net thread
This patch enables the seccomp filters for the vhost_net worker thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
896b9a1d4b
commit
4e0ea15075
@ -20,6 +20,7 @@ pub enum Thread {
|
|||||||
VirtioPmem,
|
VirtioPmem,
|
||||||
VirtioRng,
|
VirtioRng,
|
||||||
VirtioVhostFs,
|
VirtioVhostFs,
|
||||||
|
VirtioVhostNet,
|
||||||
VirtioVhostNetCtl,
|
VirtioVhostNetCtl,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -254,6 +255,21 @@ fn virtio_vhost_fs_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn virtio_vhost_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
|
Ok(vec![
|
||||||
|
allow_syscall(libc::SYS_brk),
|
||||||
|
allow_syscall(libc::SYS_dup),
|
||||||
|
allow_syscall(libc::SYS_epoll_create1),
|
||||||
|
allow_syscall(libc::SYS_epoll_ctl),
|
||||||
|
allow_syscall(libc::SYS_epoll_pwait),
|
||||||
|
#[cfg(target_arch = "x86_64")]
|
||||||
|
allow_syscall(libc::SYS_epoll_wait),
|
||||||
|
allow_syscall(libc::SYS_futex),
|
||||||
|
allow_syscall(libc::SYS_read),
|
||||||
|
allow_syscall(libc::SYS_write),
|
||||||
|
])
|
||||||
|
}
|
||||||
|
|
||||||
fn virtio_vhost_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
fn virtio_vhost_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
|
||||||
Ok(vec![
|
Ok(vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
allow_syscall(libc::SYS_brk),
|
||||||
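Review bot: The new `virtio_vhost_net_thread_rules` allow-list has no comment tying its entries to what the worker actually does, and the `dup` entry in particular is not obviously needed by an epoll/read/write loop, so a later reviewer cannot tell whether it is required or was carried over from a sibling rule set. A doc comment such as `/// Syscalls the vhost_net worker thread spawned in Net::activate() may issue; widen only together with a matching change in the handler.` plus a trailing comment on the `dup` line naming the operation that needs it would make the list auditable. It is also worth stating in the commit how the list was derived — by observing the thread under the logging filter (if that is what `get_seccomp_filter_log` selects) rather than by copying `virtio_vhost_net_ctl_thread_rules`, which starts directly below and is easy to conflate with this one. The surrounding file continues outside the hunk.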
@ -280,6 +296,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||||
|
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
|
||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -301,6 +318,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
Thread::VirtioRng => virtio_rng_thread_rules()?,
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules()?,
|
||||||
|
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules()?,
|
||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules()?,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -318,10 +318,15 @@ impl VirtioDevice for Net {
|
|||||||
|
|
||||||
let paused = self.paused.clone();
|
let paused = self.paused.clone();
|
||||||
let paused_sync = self.paused_sync.clone();
|
let paused_sync = self.paused_sync.clone();
|
||||||
|
let virtio_vhost_net_seccomp_filter =
|
||||||
|
get_seccomp_filter(&self.seccomp_action, Thread::VirtioVhostNet)
|
||||||
|
.map_err(ActivateError::CreateSeccompFilter)?;
|
||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("vhost_user_net".to_string())
|
.name("vhost_net".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
if let Err(e) = handler.run(paused, paused_sync) {
|
if let Err(e) = SeccompFilter::apply(virtio_vhost_net_seccomp_filter) {
|
||||||
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
|
} else if let Err(e) = handler.run(paused, paused_sync) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
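Review bot: A failed `SeccompFilter::apply` inside the spawned closure is only logged and the closure then returns without ever calling `handler.run`, so `activate` has already returned `Ok` while the vhost_net worker is dead — the guest sees an activated device whose queues are never serviced, and only the log reveals why. Filter construction failures are propagated through `ActivateError::CreateSeccompFilter` on the lines above, and apply failures deserve the same visibility rather than a softer path. If the spawn result is checked outside the hunk, that still does not cover this case, because the thread itself started successfully. At minimum the asymmetry should be documented, e.g. `// An apply failure is not recoverable here: activate() has already returned Ok, so the worker exits and the device stays idle.`; the enclosing `activate` body begins and ends outside the hunk.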