virtio-devices, vmm: Fix the '--seccomp false' option
We are relying on applying empty 'seccomp' filters to support the '--seccomp false' option, which will be treated as an error with the updated 'seccompiler' crate. This patch fixes this issue by explicitly checking whether the 'seccomp' filter is empty before applying the filter. Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
2d2463ce04
commit
7d38a1848b
@ -466,9 +466,13 @@ impl VirtioDevice for Balloon {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_balloon_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
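Review bot: The new `is_empty()` guard turns an empty filter into "run this worker thread unconfined" silently: nothing in the closure distinguishes the intended `--seccomp false` case from a filter that came back empty for some other reason, and no log line records that the thread started without seccomp, so an operator cannot tell from the logs which worker threads are actually sandboxed. The guard deserves a comment, e.g. `// An empty filter means '--seccomp false'; the worker runs without a sandbox.`, and an `else` arm that records it, e.g. `} else { warn!("seccomp filter is empty; worker thread runs without seccomp"); }` using the `warn!` macro alongside the existing `error!`. The same guard is repeated verbatim in the Block, Console, Iommu, Mem, Net (both hunks), Pmem, Rng, Fs, vhost-user Net, Vsock and Watchdog hunks below (the Iommu and Watchdog hunks also add a stray blank line the others do not), and in a slightly different shape in the http-server, vcpu, vmm and both signal_handler hunks; one small helper in the virtio-devices crate taking the filter by reference would keep the apply-or-return policy and the logging in a single place. The enclosing method starts and ends outside the hunk.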
@ -596,9 +596,13 @@ impl VirtioDevice for Block {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_q{}", self.id.clone(), i))
|
.name(format!("{}_q{}", self.id.clone(), i))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_block_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -429,9 +429,13 @@ impl VirtioDevice for Console {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_console_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -850,9 +850,14 @@ impl VirtioDevice for Iommu {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_iommu_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -961,9 +961,13 @@ impl VirtioDevice for Mem {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_mem_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -576,9 +576,13 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_ctrl", self.id))
|
.name(format!("{}_ctrl", self.id))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_net_ctl_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -659,9 +663,13 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_qp{}", self.id.clone(), i))
|
.name(format!("{}_qp{}", self.id.clone(), i))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_net_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -397,9 +397,13 @@ impl VirtioDevice for Pmem {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_pmem_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -243,9 +243,13 @@ impl VirtioDevice for Rng {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_rng_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -556,9 +556,13 @@ impl VirtioDevice for Fs {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.to_string())
|
.name(self.id.to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_vhost_fs_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running vhost-user-fs worker: {:?}", e);
|
error!("Error running vhost-user-fs worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -339,9 +339,13 @@ impl VirtioDevice for Net {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(format!("{}_ctrl", self.id))
|
.name(format!("{}_ctrl", self.id))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_vhost_net_ctl_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -441,9 +441,13 @@ where
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_vsock_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -325,9 +325,14 @@ impl VirtioDevice for Watchdog {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name(self.id.clone())
|
.name(self.id.clone())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !virtio_watchdog_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
|
if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
} else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
|
||||||
error!("Error running worker: {:?}", e);
|
error!("Error running worker: {:?}", e);
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -276,7 +276,9 @@ fn start_http_thread(
|
|||||||
.name("http-server".to_string())
|
.name("http-server".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for API thread.
|
// Apply seccomp filter for API thread.
|
||||||
|
if !api_seccomp_filter.is_empty() {
|
||||||
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
||||||
|
}
|
||||||
|
|
||||||
server.start_server().unwrap();
|
server.start_server().unwrap();
|
||||||
loop {
|
loop {
|
||||||
|
@ -724,12 +724,14 @@ impl CpuManager {
|
|||||||
.name(format!("vcpu{}", cpu_id))
|
.name(format!("vcpu{}", cpu_id))
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for vcpu thread.
|
// Apply seccomp filter for vcpu thread.
|
||||||
|
if !vcpu_seccomp_filter.is_empty() {
|
||||||
if let Err(e) =
|
if let Err(e) =
|
||||||
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
|
apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
|
extern "C" fn handle_signal(_: i32, _: *mut siginfo_t, _: *mut c_void) {}
|
||||||
// This uses an async signal safe handler to kill the vcpu handles.
|
// This uses an async signal safe handler to kill the vcpu handles.
|
||||||
register_signal_handler(SIGRTMIN(), handle_signal)
|
register_signal_handler(SIGRTMIN(), handle_signal)
|
||||||
|
@ -263,7 +263,9 @@ pub fn start_vmm_thread(
|
|||||||
.name("vmm".to_string())
|
.name("vmm".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
// Apply seccomp filter for VMM thread.
|
// Apply seccomp filter for VMM thread.
|
||||||
|
if !vmm_seccomp_filter.is_empty() {
|
||||||
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
||||||
|
}
|
||||||
|
|
||||||
let mut vmm = Vmm::new(
|
let mut vmm = Vmm::new(
|
||||||
vmm_version.to_string(),
|
vmm_version.to_string(),
|
||||||
|
@ -1880,12 +1880,14 @@ impl Vm {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("signal_handler".to_string())
|
.name("signal_handler".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !signal_handler_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
||||||
.map_err(Error::ApplySeccompFilter)
|
.map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Vm::os_signal_handler(signals, console, on_tty, exit_evt);
|
Vm::os_signal_handler(signals, console, on_tty, exit_evt);
|
||||||
})
|
})
|
||||||
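Review bot: The guarded `apply_filter` block added here is duplicated line for line in the `Snapshottable for Vm` hunk that follows, together with the whole `thread::Builder::new().name("signal_handler".to_string()).spawn(...)` sequence around it, the only difference being the trailing `;` after `Vm::os_signal_handler(...)`. Both call sites would be better served by one private associated function on `Vm` that takes the filter and the handler arguments and spawns the thread, so the empty-filter policy and the error message are maintained once. The enclosing functions start and end outside both hunks, so the exact return type of such a helper cannot be confirmed from here.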
@ -2442,12 +2444,14 @@ impl Snapshottable for Vm {
|
|||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("signal_handler".to_string())
|
.name("signal_handler".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
if !signal_handler_seccomp_filter.is_empty() {
|
||||||
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
|
||||||
.map_err(Error::ApplySeccompFilter)
|
.map_err(Error::ApplySeccompFilter)
|
||||||
{
|
{
|
||||||
error!("Error applying seccomp filter: {:?}", e);
|
error!("Error applying seccomp filter: {:?}", e);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Vm::os_signal_handler(signals, console, on_tty, exit_evt)
|
Vm::os_signal_handler(signals, console, on_tty, exit_evt)
|
||||||
})
|
})
|
||||||
|