virtio-devices, vmm: Simplify 'get_seccomp_rules'
Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
parent
7d38a1848b
commit
864a5e4fe0
@ -5,7 +5,7 @@
|
|||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
use seccompiler::{
|
use seccompiler::{
|
||||||
BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
|
BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
|
||||||
SeccompCondition as Cond, SeccompFilter, SeccompRule,
|
SeccompCondition as Cond, SeccompFilter, SeccompRule,
|
||||||
};
|
};
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
@ -441,8 +441,8 @@ fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
fn get_seccomp_rules(thread_type: Thread) -> Vec<(i64, Vec<SeccompRule>)> {
|
||||||
let rules = match thread_type {
|
match thread_type {
|
||||||
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
||||||
Thread::VirtioBlock => virtio_block_thread_rules(),
|
Thread::VirtioBlock => virtio_block_thread_rules(),
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules(),
|
Thread::VirtioConsole => virtio_console_thread_rules(),
|
||||||
@ -456,39 +456,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Backend
|
|||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
|
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
|
||||||
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
||||||
};
|
}
|
||||||
|
|
||||||
SeccompFilter::new(
|
|
||||||
rules.into_iter().collect(),
|
|
||||||
SeccompAction::Trap,
|
|
||||||
SeccompAction::Allow,
|
|
||||||
std::env::consts::ARCH.try_into().unwrap(),
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
|
||||||
let rules = match thread_type {
|
|
||||||
Thread::VirtioBalloon => virtio_balloon_thread_rules(),
|
|
||||||
Thread::VirtioBlock => virtio_block_thread_rules(),
|
|
||||||
Thread::VirtioConsole => virtio_console_thread_rules(),
|
|
||||||
Thread::VirtioIommu => virtio_iommu_thread_rules(),
|
|
||||||
Thread::VirtioMem => virtio_mem_thread_rules(),
|
|
||||||
Thread::VirtioNet => virtio_net_thread_rules(),
|
|
||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
|
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules(),
|
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
|
||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
|
|
||||||
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
|
||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
|
||||||
};
|
|
||||||
|
|
||||||
SeccompFilter::new(
|
|
||||||
rules.into_iter().collect(),
|
|
||||||
SeccompAction::Log,
|
|
||||||
SeccompAction::Allow,
|
|
||||||
std::env::consts::ARCH.try_into().unwrap(),
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generate a BPF program based on the seccomp_action value
|
/// Generate a BPF program based on the seccomp_action value
|
||||||
@ -498,10 +466,20 @@ pub fn get_seccomp_filter(
|
|||||||
) -> Result<BpfProgram, Error> {
|
) -> Result<BpfProgram, Error> {
|
||||||
match seccomp_action {
|
match seccomp_action {
|
||||||
SeccompAction::Allow => Ok(vec![]),
|
SeccompAction::Allow => Ok(vec![]),
|
||||||
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
SeccompAction::Log => SeccompFilter::new(
|
||||||
|
get_seccomp_rules(thread_type).into_iter().collect(),
|
||||||
|
SeccompAction::Log,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(Error::Backend),
|
.map_err(Error::Backend),
|
||||||
_ => get_seccomp_filter_trap(thread_type)
|
_ => SeccompFilter::new(
|
||||||
|
get_seccomp_rules(thread_type).into_iter().collect(),
|
||||||
|
SeccompAction::Trap,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(Error::Backend),
|
.map_err(Error::Backend),
|
||||||
}
|
}
|
||||||
|
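Review bot: The `SeccompAction::Log` and `_` arms of `get_seccomp_filter` (hunk `@ -498,10 +466,20 @@`) now inline the same `SeccompFilter::new(...)`, `.and_then(|filter| filter.try_into())`, `.map_err(Error::Backend)` sequence twice, differing only in the mismatch action, so the commit replaces two duplicated helpers with two duplicated arms; the same shape appears in the vmm `get_seccomp_filter` further down. Selecting the action first and building the filter once keeps the behaviour (Allow still returns an empty program, every action other than Log still maps to Trap) without the repetition. Note that the catch-all `_` arm silently turns any other configured action into Trap; if that is intended, a one-line comment such as `// Anything other than Allow/Log is enforced as Trap` would make it explicit. The `std::env::consts::ARCH.try_into().unwrap()` call, now repeated in both arms, panics on an unsupported target architecture, which the `/// Generate a BPF program based on the seccomp_action value` doc could state under a `# Panics` section. The function's signature lies outside the hunk, so the rewrite below assumes it is unchanged.
```rust
) -> Result<BpfProgram, Error> {
    // Allow needs no program; every other action is enforced as Log or Trap.
    let mismatch_action = match seccomp_action {
        SeccompAction::Allow => return Ok(vec![]),
        SeccompAction::Log => SeccompAction::Log,
        _ => SeccompAction::Trap,
    };
    SeccompFilter::new(
        get_seccomp_rules(thread_type).into_iter().collect(),
        mismatch_action,
        SeccompAction::Allow,
        std::env::consts::ARCH.try_into().unwrap(),
    )
    .and_then(|filter| filter.try_into())
    .map_err(Error::Backend)
}
```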
@ -617,36 +617,13 @@ fn api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
fn get_seccomp_rules(thread_type: Thread) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||||
let rules = match thread_type {
|
match thread_type {
|
||||||
Thread::Api => api_thread_rules()?,
|
Thread::Api => Ok(api_thread_rules()?),
|
||||||
Thread::SignalHandler => signal_handler_thread_rules()?,
|
Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
|
||||||
Thread::Vcpu => vcpu_thread_rules()?,
|
Thread::Vcpu => Ok(vcpu_thread_rules()?),
|
||||||
Thread::Vmm => vmm_thread_rules()?,
|
Thread::Vmm => Ok(vmm_thread_rules()?),
|
||||||
};
|
}
|
||||||
|
|
||||||
SeccompFilter::new(
|
|
||||||
rules.into_iter().collect(),
|
|
||||||
SeccompAction::Trap,
|
|
||||||
SeccompAction::Allow,
|
|
||||||
std::env::consts::ARCH.try_into().unwrap(),
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
|
|
||||||
let rules = match thread_type {
|
|
||||||
Thread::Api => api_thread_rules()?,
|
|
||||||
Thread::SignalHandler => signal_handler_thread_rules()?,
|
|
||||||
Thread::Vcpu => vcpu_thread_rules()?,
|
|
||||||
Thread::Vmm => vmm_thread_rules()?,
|
|
||||||
};
|
|
||||||
|
|
||||||
SeccompFilter::new(
|
|
||||||
rules.into_iter().collect(),
|
|
||||||
SeccompAction::Log,
|
|
||||||
SeccompAction::Allow,
|
|
||||||
std::env::consts::ARCH.try_into().unwrap(),
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generate a BPF program based on the seccomp_action value
|
/// Generate a BPF program based on the seccomp_action value
|
||||||
@ -656,10 +633,26 @@ pub fn get_seccomp_filter(
|
|||||||
) -> Result<BpfProgram, Error> {
|
) -> Result<BpfProgram, Error> {
|
||||||
match seccomp_action {
|
match seccomp_action {
|
||||||
SeccompAction::Allow => Ok(vec![]),
|
SeccompAction::Allow => Ok(vec![]),
|
||||||
SeccompAction::Log => get_seccomp_filter_log(thread_type)
|
SeccompAction::Log => SeccompFilter::new(
|
||||||
|
get_seccomp_rules(thread_type)
|
||||||
|
.map_err(Error::Backend)?
|
||||||
|
.into_iter()
|
||||||
|
.collect(),
|
||||||
|
SeccompAction::Log,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(Error::Backend),
|
.map_err(Error::Backend),
|
||||||
_ => get_seccomp_filter_trap(thread_type)
|
_ => SeccompFilter::new(
|
||||||
|
get_seccomp_rules(thread_type)
|
||||||
|
.map_err(Error::Backend)?
|
||||||
|
.into_iter()
|
||||||
|
.collect(),
|
||||||
|
SeccompAction::Trap,
|
||||||
|
SeccompAction::Allow,
|
||||||
|
std::env::consts::ARCH.try_into().unwrap(),
|
||||||
|
)
|
||||||
.and_then(|filter| filter.try_into())
|
.and_then(|filter| filter.try_into())
|
||||||
.map_err(Error::Backend),
|
.map_err(Error::Backend),
|
||||||
}
|
}
|
||||||
|
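Review bot: In the new vmm `get_seccomp_rules` (hunk `@ -617,36 +617,13 @@`) each arm is written as `Thread::Api => Ok(api_thread_rules()?)`, which unwraps the `Result` with `?` only to re-wrap it in `Ok`; since the arm's error type is already the function's `BackendError`, `Thread::Api => api_thread_rules(),` (and likewise for `SignalHandler`, `Vcpu` and `Vmm`) is equivalent and avoids the early-return-then-rewrap round trip. The callers in the `get_seccomp_filter` hunk below then apply `.map_err(Error::Backend)?` inside the `SeccompFilter::new` argument list, which returns from the whole function on a rule-generation failure before any filter is built; a brief comment there, e.g. `// Rule generation failure aborts filter construction for this thread`, would make that intent visible, as the `?` is easy to miss mid-expression. The Log/Trap arm duplication already noted for the virtio-devices file applies to this `get_seccomp_filter` as well. The signature of `get_seccomp_filter` is outside the hunk.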