main: Add seccomp support

This change introduces a new CLI option --seccomp. This allows the user to enable/disable the seccomp filters when needed. Because the user now has the possibility to disable the seccomp filters, and because the Cloud-Hypervisor project wants to enforce the maximum security by default, the seccomp filters are now applied by default. Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2024-07-04 17:02:36 +00:00 · 2020-03-20 16:11:45 +01:00 · 2020-03-20 16:11:45 +01:00 · 5120c275a2
commit 5120c275a2
parent f1a23d712f
1 changed files with 22 additions and 1 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -262,6 +262,13 @@ fn create_app<'a, 'b>(
                .conflicts_with_all(&["net-backend", "kernel"])
                .min_values(1),
        )
+        .arg(
+            Arg::with_name("seccomp")
+                .long("seccomp")
+                .takes_value(true)
+                .possible_values(&["true", "false"])
+                .default_value("true"),
+        )
 }

 fn start_vmm(cmd_arguments: ArgMatches) {
@ -293,13 +300,27 @@ fn start_vmm(cmd_arguments: ArgMatches) {
    let api_evt = EventFd::new(EFD_NONBLOCK).expect("Cannot create API EventFd");

    let http_sender = api_request_sender.clone();
+
+    let seccomp_level = if let Some(seccomp_value) = cmd_arguments.value_of("seccomp") {
+        match seccomp_value {
+            "true" => SeccompLevel::Advanced,
+            "false" => SeccompLevel::None,
+            _ => {
+                eprintln!("Invalid parameter {} for \"--seccomp\" flag", seccomp_value);
+                process::exit(1);
+            }
+        }
+    } else {
+        SeccompLevel::Advanced
+    };
+
    let vmm_thread = match vmm::start_vmm_thread(
        env!("CARGO_PKG_VERSION").to_string(),
        api_socket_path,
        api_evt.try_clone().unwrap(),
        http_sender,
        api_request_receiver,
-        &SeccompLevel::None,
+        &seccomp_level,
    ) {
        Ok(t) => t,
        Err(e) => {