External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-11-04 19:11:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices, vmm: Fix the '--seccomp false' option

Browse Source 
We are relying on applying empty 'seccomp' filters to support the
'--seccomp false' option, which will be treated as an error with the
updated 'seccompiler' crate. This patch fixes this issue by explicitly
checking whether the 'seccomp' filter is empty before applying the
filter.

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2021-08-16 17:20:11 -07:00 committed by Sebastien Boeuf
parent 2d2463ce04
commit 7d38a1848b
16 changed files with 120 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
virtio-devices/src/balloon.rs
View File

@ -466,9 +466,13 @@ impl VirtioDevice for Balloon {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_balloon_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/block.rs
View File

@ -596,9 +596,13 @@ impl VirtioDevice for Block {
thread::Builder::new()
.name(format!("{}_q{}", self.id.clone(), i))
.spawn(move || {
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_block_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/console.rs
View File

@ -429,9 +429,13 @@ impl VirtioDevice for Console {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_console_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

11
virtio-devices/src/iommu.rs
View File

@ -850,9 +850,14 @@ impl VirtioDevice for Iommu {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_iommu_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/mem.rs
View File

@ -961,9 +961,13 @@ impl VirtioDevice for Mem {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_mem_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

20
virtio-devices/src/net.rs
View File

@ -576,9 +576,13 @@ impl VirtioDevice for Net {
thread::Builder::new()
.name(format!("{}_ctrl", self.id))
.spawn(move || {
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
if !virtio_net_ctl_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})
@ -659,9 +663,13 @@ impl VirtioDevice for Net {
thread::Builder::new()
.name(format!("{}_qp{}", self.id.clone(), i))
.spawn(move || {
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_net_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/pmem.rs
View File

@ -397,9 +397,13 @@ impl VirtioDevice for Pmem {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_pmem_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/rng.rs
View File

@ -243,9 +243,13 @@ impl VirtioDevice for Rng {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_rng_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/vhost_user/fs.rs
View File

@ -556,9 +556,13 @@ impl VirtioDevice for Fs {
thread::Builder::new()
.name(self.id.to_string())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_vhost_fs_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running vhost-user-fs worker: {:?}", e);
}
})

10
virtio-devices/src/vhost_user/net.rs
View File

@ -339,9 +339,13 @@ impl VirtioDevice for Net {
thread::Builder::new()
.name(format!("{}_ctrl", self.id))
.spawn(move || {
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
if !virtio_vhost_net_ctl_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

10
virtio-devices/src/vsock/device.rs
View File

@ -441,9 +441,13 @@ where
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_vsock_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

11
virtio-devices/src/watchdog.rs
View File

@ -325,9 +325,14 @@ impl VirtioDevice for Watchdog {
thread::Builder::new()
.name(self.id.clone())
.spawn(move || {
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
if !virtio_watchdog_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e);
}
})

4
vmm/src/api/http.rs
View File

@ -276,7 +276,9 @@ fn start_http_thread(
.name("http-server".to_string())
.spawn(move || {
// Apply seccomp filter for API thread.
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
if !api_seccomp_filter.is_empty() {
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
}
server.start_server().unwrap();
loop {

12
vmm/src/cpu.rs
View File

@ -724,11 +724,13 @@ impl CpuManager {
.name(format!("vcpu{}", cpu_id))
.spawn(move || {
// Apply seccomp filter for vcpu thread.
if let Err(e) =
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
if !vcpu_seccomp_filter.is_empty() {
if let Err(e) =
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
// This uses an async signal safe handler to kill the vcpu handles.

4
vmm/src/lib.rs
View File

@ -263,7 +263,9 @@ pub fn start_vmm_thread(
.name("vmm".to_string())
.spawn(move || {
// Apply seccomp filter for VMM thread.
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
if !vmm_seccomp_filter.is_empty() {
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
}
let mut vmm = Vmm::new(
vmm_version.to_string(),

24
vmm/src/vm.rs
View File

@ -1880,11 +1880,13 @@ impl Vm {
thread::Builder::new()
.name("signal_handler".to_string())
.spawn(move || {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
if !signal_handler_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
Vm::os_signal_handler(signals, console, on_tty, exit_evt);
@ -2442,11 +2444,13 @@ impl Snapshottable for Vm {
thread::Builder::new()
.name("signal_handler".to_string())
.spawn(move || {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
if !signal_handler_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter)
{
error!("Error applying seccomp filter: {:?}", e);
return;
}
}
Vm::os_signal_handler(signals, console, on_tty, exit_evt)