diff --git a/virtio-devices/src/balloon.rs b/virtio-devices/src/balloon.rs
index 7d64b344b..84dd0f5f7 100644
--- a/virtio-devices/src/balloon.rs
+++ b/virtio-devices/src/balloon.rs
@@ -466,9 +466,13 @@ impl VirtioDevice for Balloon {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_balloon_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/block.rs b/virtio-devices/src/block.rs
index a346a55d9..dcad38a65 100644
--- a/virtio-devices/src/block.rs
+++ b/virtio-devices/src/block.rs
@@ -596,9 +596,13 @@ impl VirtioDevice for Block {
 thread::Builder::new()
 .name(format!("{}_q{}", self.id.clone(), i))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_block_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/console.rs b/virtio-devices/src/console.rs
index 586b862a2..ad6fb0de0 100644
--- a/virtio-devices/src/console.rs
+++ b/virtio-devices/src/console.rs
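Review bot: The new `!virtio_balloon_seccomp_filter.is_empty()` guard makes an empty program a silent no-op, so a worker thread that starts with no seccomp sandbox leaves no log line at all, whereas the removed code at least reported the failed `apply_filter`; if the filter builder can yield an empty program for any reason other than an explicit opt-out (unsupported architecture, a construction error mapped to an empty vector), that case now degrades quietly to an unconfined thread, which is worth confirming and worth a log line such as `warn!("seccomp filter is empty, thread runs without a sandbox")` in an else branch, assuming `warn!` is in scope alongside `error!`. The same guard is hand-copied into every spawn closure in this commit — balloon, block, console, iommu, mem, both net hunks, pmem, rng, vhost_user/fs, vhost_user/net, vsock, watchdog, api/http, cpu, lib and both vm hunks — and iommu and watchdog already differ from the rest by a blank line, which is how such copies drift. A single helper next to `apply_filter`, taking the same filter reference and doing `if filter.is_empty() { return Ok(()); } apply_filter(filter)`, would keep the "empty means disabled" policy in one place and give every thread the same logging. Each spawn closure's enclosing function begins before its hunk.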
@@ -429,9 +429,13 @@ impl VirtioDevice for Console {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_console_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/iommu.rs b/virtio-devices/src/iommu.rs
index df6c1a1f5..f750e326b 100644
--- a/virtio-devices/src/iommu.rs
+++ b/virtio-devices/src/iommu.rs
@@ -850,9 +850,14 @@ impl VirtioDevice for Iommu {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_iommu_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/mem.rs b/virtio-devices/src/mem.rs
index 2296403b9..960566f87 100644
--- a/virtio-devices/src/mem.rs
+++ b/virtio-devices/src/mem.rs
@@ -961,9 +961,13 @@ impl VirtioDevice for Mem {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_mem_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/net.rs b/virtio-devices/src/net.rs
index 379f43775..b973977ad 100644
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@@ -576,9 +576,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_ctrl", self.id))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
+ if !virtio_net_ctl_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
@@ -659,9 +663,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_qp{}", self.id.clone(), i))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_net_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/pmem.rs b/virtio-devices/src/pmem.rs
index 6cb55c0af..5bd4c0df3 100644
--- a/virtio-devices/src/pmem.rs
+++ b/virtio-devices/src/pmem.rs
@@ -397,9 +397,13 @@ impl VirtioDevice for Pmem {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_pmem_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/rng.rs b/virtio-devices/src/rng.rs
index 81516a0ae..0b89af4c6 100644
--- a/virtio-devices/src/rng.rs
+++ b/virtio-devices/src/rng.rs
@@ -243,9 +243,13 @@ impl VirtioDevice for Rng {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_rng_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vhost_user/fs.rs b/virtio-devices/src/vhost_user/fs.rs
index 7855f6ee9..f2e3d4c8c 100644
--- a/virtio-devices/src/vhost_user/fs.rs
+++ b/virtio-devices/src/vhost_user/fs.rs
@@ -556,9 +556,13 @@ impl VirtioDevice for Fs {
 thread::Builder::new()
 .name(self.id.to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_vhost_fs_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running vhost-user-fs worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vhost_user/net.rs b/virtio-devices/src/vhost_user/net.rs
index c1f79f70f..9313e1e5d 100644
--- a/virtio-devices/src/vhost_user/net.rs
+++ b/virtio-devices/src/vhost_user/net.rs
@@ -339,9 +339,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_ctrl", self.id))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
+ if !virtio_vhost_net_ctl_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vsock/device.rs b/virtio-devices/src/vsock/device.rs
index f5890fa23..53ac0a1d4 100644
--- a/virtio-devices/src/vsock/device.rs
+++ b/virtio-devices/src/vsock/device.rs
@@ -441,9 +441,13 @@ where
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_vsock_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/watchdog.rs b/virtio-devices/src/watchdog.rs
index 9e74fd4c8..b23bfe53b 100644
--- a/virtio-devices/src/watchdog.rs
+++ b/virtio-devices/src/watchdog.rs
@@ -325,9 +325,14 @@ impl VirtioDevice for Watchdog {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_watchdog_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/vmm/src/api/http.rs b/vmm/src/api/http.rs
index f718884d6..f4580440b 100644
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@@ -276,7 +276,9 @@ fn start_http_thread(
 .name("http-server".to_string())
 .spawn(move || {
 // Apply seccomp filter for API thread.
- apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ if !api_seccomp_filter.is_empty() {
+ apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ }
 server.start_server().unwrap();
 
 loop {
diff --git a/vmm/src/cpu.rs b/vmm/src/cpu.rs
index 2bd7f42fc..6161fc6cb 100644
--- a/vmm/src/cpu.rs
+++ b/vmm/src/cpu.rs
@@ -724,11 +724,13 @@ impl CpuManager {
 .name(format!("vcpu{}", cpu_id))
 .spawn(move || {
 // Apply seccomp filter for vcpu thread.
- if let Err(e) =
- apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !vcpu_seccomp_filter.is_empty() {
+ if let Err(e) =
+ apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
 // This uses an async signal safe handler to kill the vcpu handles.
diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs
index 354247438..627cebe6d 100644
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@@ -263,7 +263,9 @@ pub fn start_vmm_thread(
 .name("vmm".to_string())
 .spawn(move || {
 // Apply seccomp filter for VMM thread.
- apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ if !vmm_seccomp_filter.is_empty() {
+ apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ }
 
 let mut vmm = Vmm::new(
 vmm_version.to_string(),
diff --git a/vmm/src/vm.rs b/vmm/src/vm.rs
index c4c4d35d8..b2d274ba4 100644
--- a/vmm/src/vm.rs
+++ b/vmm/src/vm.rs
@@ -1880,11 +1880,13 @@ impl Vm {
 thread::Builder::new()
 .name("signal_handler".to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
- .map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !signal_handler_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
+ .map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 
 Vm::os_signal_handler(signals, console, on_tty, exit_evt);
@@ -2442,11 +2444,13 @@ impl Snapshottable for Vm {
 thread::Builder::new()
 .name("signal_handler".to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
- .map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !signal_handler_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
+ .map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 
 Vm::os_signal_handler(signals, console, on_tty, exit_evt)