From 7d38a1848b2eda4e81c6d7af15d120dad39e975c Mon Sep 17 00:00:00 2001
From: Bo Chen
Date: Mon, 16 Aug 2021 17:20:11 -0700
Subject: [PATCH] virtio-devices, vmm: Fix the '--seccomp false' option

We are relying on applying empty 'seccomp' filters to support the '--seccomp false' option, which will be treated as an error with the updated 'seccompiler' crate. This patch fixes this issue by explicitly checking whether the 'seccomp' filter is empty before applying the filter.

Signed-off-by: Bo Chen
---
 virtio-devices/src/balloon.rs | 10 +++++++---
 virtio-devices/src/block.rs | 10 +++++++---
 virtio-devices/src/console.rs | 10 +++++++---
 virtio-devices/src/iommu.rs | 11 ++++++++---
 virtio-devices/src/mem.rs | 10 +++++++---
 virtio-devices/src/net.rs | 20 ++++++++++++++------
 virtio-devices/src/pmem.rs | 10 +++++++---
 virtio-devices/src/rng.rs | 10 +++++++---
 virtio-devices/src/vhost_user/fs.rs | 10 +++++++---
 virtio-devices/src/vhost_user/net.rs | 10 +++++++---
 virtio-devices/src/vsock/device.rs | 10 +++++++---
 virtio-devices/src/watchdog.rs | 11 ++++++++---
 vmm/src/api/http.rs | 4 +++-
 vmm/src/cpu.rs | 12 +++++++-----
 vmm/src/lib.rs | 4 +++-
 vmm/src/vm.rs | 24 ++++++++++++++----------
 16 files changed, 120 insertions(+), 56 deletions(-)
diff --git a/virtio-devices/src/balloon.rs b/virtio-devices/src/balloon.rs
index 7d64b344b..84dd0f5f7 100644
--- a/virtio-devices/src/balloon.rs
+++ b/virtio-devices/src/balloon.rs
@@ -466,9 +466,13 @@ impl VirtioDevice for Balloon {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_balloon_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/block.rs b/virtio-devices/src/block.rs
index a346a55d9..dcad38a65 100644
--- a/virtio-devices/src/block.rs
+++ b/virtio-devices/src/block.rs
@@ -596,9 +596,13 @@ impl VirtioDevice for Block {
 thread::Builder::new()
 .name(format!("{}_q{}", self.id.clone(), i))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_block_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/console.rs b/virtio-devices/src/console.rs
index 586b862a2..ad6fb0de0 100644
--- a/virtio-devices/src/console.rs
+++ b/virtio-devices/src/console.rs
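Review bot: The new `is_empty()` guard in this balloon worker (and the identical guards in block, console, iommu, mem, net, pmem, rng, vhost_user/fs, vhost_user/net, vsock, watchdog, api/http, cpu, lib and vm) turns an empty filter into "start this thread without seccomp", but it does so silently and at sixteen separate call sites. Should a filter come out empty for any reason other than `--seccomp false` — a filter-generation bug, a build where the filter tables are not populated — the thread would run unsandboxed with nothing in the log to show it; a `warn!("seccomp filter is empty, thread running unfiltered");` in the skipped branch (the `log` macros are evidently in scope, since `error!` is used on the next line) would make that observable to operators. I would also centralise the convention in one helper next to `apply_filter`, documented as `/// An empty filter means seccomp was disabled (--seccomp false); nothing is applied.`, so the empty-means-disabled rule is stated once rather than implied sixteen times. The enclosing method starts and ends outside the hunk.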
@@ -429,9 +429,13 @@ impl VirtioDevice for Console {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_console_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/iommu.rs b/virtio-devices/src/iommu.rs
index df6c1a1f5..f750e326b 100644
--- a/virtio-devices/src/iommu.rs
+++ b/virtio-devices/src/iommu.rs
@@ -850,9 +850,14 @@ impl VirtioDevice for Iommu {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_iommu_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/mem.rs b/virtio-devices/src/mem.rs
index 2296403b9..960566f87 100644
--- a/virtio-devices/src/mem.rs
+++ b/virtio-devices/src/mem.rs
@@ -961,9 +961,13 @@ impl VirtioDevice for Mem {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_mem_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/net.rs b/virtio-devices/src/net.rs
index 379f43775..b973977ad 100644
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@@ -576,9 +576,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_ctrl", self.id))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
+ if !virtio_net_ctl_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
@@ -659,9 +663,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_qp{}", self.id.clone(), i))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_net_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/pmem.rs b/virtio-devices/src/pmem.rs
index 6cb55c0af..5bd4c0df3 100644
--- a/virtio-devices/src/pmem.rs
+++ b/virtio-devices/src/pmem.rs
@@ -397,9 +397,13 @@ impl VirtioDevice for Pmem {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_pmem_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/rng.rs b/virtio-devices/src/rng.rs
index 81516a0ae..0b89af4c6 100644
--- a/virtio-devices/src/rng.rs
+++ b/virtio-devices/src/rng.rs
@@ -243,9 +243,13 @@ impl VirtioDevice for Rng {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_rng_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vhost_user/fs.rs b/virtio-devices/src/vhost_user/fs.rs
index 7855f6ee9..f2e3d4c8c 100644
--- a/virtio-devices/src/vhost_user/fs.rs
+++ b/virtio-devices/src/vhost_user/fs.rs
@@ -556,9 +556,13 @@ impl VirtioDevice for Fs {
 thread::Builder::new()
 .name(self.id.to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_vhost_fs_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running vhost-user-fs worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vhost_user/net.rs b/virtio-devices/src/vhost_user/net.rs
index c1f79f70f..9313e1e5d 100644
--- a/virtio-devices/src/vhost_user/net.rs
+++ b/virtio-devices/src/vhost_user/net.rs
@@ -339,9 +339,13 @@ impl VirtioDevice for Net {
 thread::Builder::new()
 .name(format!("{}_ctrl", self.id))
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
+ if !virtio_vhost_net_ctl_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/vsock/device.rs b/virtio-devices/src/vsock/device.rs
index f5890fa23..53ac0a1d4 100644
--- a/virtio-devices/src/vsock/device.rs
+++ b/virtio-devices/src/vsock/device.rs
@@ -441,9 +441,13 @@ where
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_vsock_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/virtio-devices/src/watchdog.rs b/virtio-devices/src/watchdog.rs
index 9e74fd4c8..b23bfe53b 100644
--- a/virtio-devices/src/watchdog.rs
+++ b/virtio-devices/src/watchdog.rs
@@ -325,9 +325,14 @@ impl VirtioDevice for Watchdog {
 thread::Builder::new()
 .name(self.id.clone())
 .spawn(move || {
- if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
- error!("Error applying seccomp filter: {:?}", e);
- } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
+ if !virtio_watchdog_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
+ }
+
+ if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
 error!("Error running worker: {:?}", e);
 }
 })
diff --git a/vmm/src/api/http.rs b/vmm/src/api/http.rs
index f718884d6..f4580440b 100644
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@@ -276,7 +276,9 @@ fn start_http_thread(
 .name("http-server".to_string())
 .spawn(move || {
 // Apply seccomp filter for API thread.
- apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ if !api_seccomp_filter.is_empty() {
+ apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ }
 server.start_server().unwrap();
 
 loop {
diff --git a/vmm/src/cpu.rs b/vmm/src/cpu.rs
index 2bd7f42fc..6161fc6cb 100644
--- a/vmm/src/cpu.rs
+++ b/vmm/src/cpu.rs
@@ -724,11 +724,13 @@ impl CpuManager {
 .name(format!("vcpu{}", cpu_id))
 .spawn(move || {
 // Apply seccomp filter for vcpu thread.
- if let Err(e) =
- apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !vcpu_seccomp_filter.is_empty() {
+ if let Err(e) =
+ apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
 // This uses an async signal safe handler to kill the vcpu handles.
diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs
index 354247438..627cebe6d 100644
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@@ -263,7 +263,9 @@ pub fn start_vmm_thread(
 .name("vmm".to_string())
 .spawn(move || {
 // Apply seccomp filter for VMM thread.
- apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ if !vmm_seccomp_filter.is_empty() {
+ apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+ }
 
 let mut vmm = Vmm::new(
 vmm_version.to_string(),
diff --git a/vmm/src/vm.rs b/vmm/src/vm.rs
index c4c4d35d8..b2d274ba4 100644
--- a/vmm/src/vm.rs
+++ b/vmm/src/vm.rs
@@ -1880,11 +1880,13 @@ impl Vm {
 thread::Builder::new()
 .name("signal_handler".to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
- .map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !signal_handler_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
+ .map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 
 Vm::os_signal_handler(signals, console, on_tty, exit_evt);
@@ -2442,11 +2444,13 @@ impl Snapshottable for Vm {
 thread::Builder::new()
 .name("signal_handler".to_string())
 .spawn(move || {
- if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
- .map_err(Error::ApplySeccompFilter)
- {
- error!("Error applying seccomp filter: {:?}", e);
- return;
+ if !signal_handler_seccomp_filter.is_empty() {
+ if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
+ .map_err(Error::ApplySeccompFilter)
+ {
+ error!("Error applying seccomp filter: {:?}", e);
+ return;
+ }
 }
 
 Vm::os_signal_handler(signals, console, on_tty, exit_evt)