virtio-devices, vmm: Fix the '--seccomp false' option

We are relying on applying empty 'seccomp' filters to support the
'--seccomp false' option, which will be treated as an error with the
updated 'seccompiler' crate. This patch fixes this issue by explicitly
checking whether the 'seccomp' filter is empty before applying the
filter.

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2021-08-16 17:20:11 -07:00 committed by Sebastien Boeuf
parent 2d2463ce04
commit 7d38a1848b
16 changed files with 120 additions and 56 deletions

View File

@ -466,9 +466,13 @@ impl VirtioDevice for Balloon {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_balloon_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) { if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -596,9 +596,13 @@ impl VirtioDevice for Block {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_q{}", self.id.clone(), i)) .name(format!("{}_q{}", self.id.clone(), i))
.spawn(move || { .spawn(move || {
if !virtio_block_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) { if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -429,9 +429,13 @@ impl VirtioDevice for Console {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_console_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) { if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -850,9 +850,14 @@ impl VirtioDevice for Iommu {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_iommu_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) { if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -961,9 +961,13 @@ impl VirtioDevice for Mem {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_mem_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) { if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -576,9 +576,13 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_ctrl", self.id)) .name(format!("{}_ctrl", self.id))
.spawn(move || { .spawn(move || {
if !virtio_net_ctl_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) { if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })
@ -659,9 +663,13 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_qp{}", self.id.clone(), i)) .name(format!("{}_qp{}", self.id.clone(), i))
.spawn(move || { .spawn(move || {
if !virtio_net_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) { if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -397,9 +397,13 @@ impl VirtioDevice for Pmem {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_pmem_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) { if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -243,9 +243,13 @@ impl VirtioDevice for Rng {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_rng_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) { if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -556,9 +556,13 @@ impl VirtioDevice for Fs {
thread::Builder::new() thread::Builder::new()
.name(self.id.to_string()) .name(self.id.to_string())
.spawn(move || { .spawn(move || {
if !virtio_vhost_fs_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running vhost-user-fs worker: {:?}", e); error!("Error running vhost-user-fs worker: {:?}", e);
} }
}) })

View File

@ -339,9 +339,13 @@ impl VirtioDevice for Net {
thread::Builder::new() thread::Builder::new()
.name(format!("{}_ctrl", self.id)) .name(format!("{}_ctrl", self.id))
.spawn(move || { .spawn(move || {
if !virtio_vhost_net_ctl_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -441,9 +441,13 @@ where
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_vsock_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) { if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -325,9 +325,14 @@ impl VirtioDevice for Watchdog {
thread::Builder::new() thread::Builder::new()
.name(self.id.clone()) .name(self.id.clone())
.spawn(move || { .spawn(move || {
if !virtio_watchdog_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) { if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) { return;
}
}
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
error!("Error running worker: {:?}", e); error!("Error running worker: {:?}", e);
} }
}) })

View File

@ -276,7 +276,9 @@ fn start_http_thread(
.name("http-server".to_string()) .name("http-server".to_string())
.spawn(move || { .spawn(move || {
// Apply seccomp filter for API thread. // Apply seccomp filter for API thread.
if !api_seccomp_filter.is_empty() {
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?; apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
}
server.start_server().unwrap(); server.start_server().unwrap();
loop { loop {

View File

@ -724,12 +724,14 @@ impl CpuManager {
.name(format!("vcpu{}", cpu_id)) .name(format!("vcpu{}", cpu_id))
.spawn(move || { .spawn(move || {
// Apply seccomp filter for vcpu thread. // Apply seccomp filter for vcpu thread.
if !vcpu_seccomp_filter.is_empty() {
if let Err(e) = if let Err(e) =
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter) apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
return; return;
} }
}
extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {} extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
// This uses an async signal safe handler to kill the vcpu handles. // This uses an async signal safe handler to kill the vcpu handles.
register_signal_handler(SIGRTMIN(), handle_signal) register_signal_handler(SIGRTMIN(), handle_signal)

View File

@ -263,7 +263,9 @@ pub fn start_vmm_thread(
.name("vmm".to_string()) .name("vmm".to_string())
.spawn(move || { .spawn(move || {
// Apply seccomp filter for VMM thread. // Apply seccomp filter for VMM thread.
if !vmm_seccomp_filter.is_empty() {
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?; apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
}
let mut vmm = Vmm::new( let mut vmm = Vmm::new(
vmm_version.to_string(), vmm_version.to_string(),

View File

@ -1880,12 +1880,14 @@ impl Vm {
thread::Builder::new() thread::Builder::new()
.name("signal_handler".to_string()) .name("signal_handler".to_string())
.spawn(move || { .spawn(move || {
if !signal_handler_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter) if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter) .map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
return; return;
} }
}
Vm::os_signal_handler(signals, console, on_tty, exit_evt); Vm::os_signal_handler(signals, console, on_tty, exit_evt);
}) })
@ -2442,12 +2444,14 @@ impl Snapshottable for Vm {
thread::Builder::new() thread::Builder::new()
.name("signal_handler".to_string()) .name("signal_handler".to_string())
.spawn(move || { .spawn(move || {
if !signal_handler_seccomp_filter.is_empty() {
if let Err(e) = apply_filter(&signal_handler_seccomp_filter) if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
.map_err(Error::ApplySeccompFilter) .map_err(Error::ApplySeccompFilter)
{ {
error!("Error applying seccomp filter: {:?}", e); error!("Error applying seccomp filter: {:?}", e);
return; return;
} }
}
Vm::os_signal_handler(signals, console, on_tty, exit_evt) Vm::os_signal_handler(signals, console, on_tty, exit_evt)
}) })