vmm: Enable Landlock on event-monitor thread

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
2024-11-09 21:30:07 +00:00 · 2024-02-12 19:18:08 +00:00 · 2024-02-12 19:18:08 +00:00 · 8c76a3e4b5
commit 8c76a3e4b5
parent af5a9677c8
2 changed files with 24 additions and 0 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -652,6 +652,7 @@ fn start_vmm(cmd_arguments: ArgMatches) -> Result<Option<String>, Error> {
    let vm_debug_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::CreateDebugEventFd)?;

    let exit_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::CreateExitEventFd)?;
+    let landlock_enable = cmd_arguments.get_flag("landlock");

    #[allow(unused_mut)]
    let mut event_monitor = cmd_arguments
@ -721,6 +722,7 @@ fn start_vmm(cmd_arguments: ArgMatches) -> Result<Option<String>, Error> {
        vmm::start_event_monitor_thread(
            monitor,
            &seccomp_action,
+            landlock_enable,
            hypervisor.hypervisor_type(),
            exit_evt.try_clone().unwrap(),
        )
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -18,6 +18,7 @@ use crate::config::{
 };
 #[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
 use crate::coredump::GuestDebuggable;
+use crate::landlock::Landlock;
 use crate::memory_manager::MemoryManager;
 #[cfg(all(feature = "kvm", target_arch = "x86_64"))]
 use crate::migration::get_vm_snapshot;
@ -29,6 +30,7 @@ use anyhow::anyhow;
 use api::dbus::{DBusApiOptions, DBusApiShutdownChannels};
 use api::http::HttpApiHandle;
 use console_devices::{pre_create_console_devices, ConsoleInfo};
+use landlock::LandlockError;
 use libc::{tcsetattr, termios, EFD_NONBLOCK, SIGINT, SIGTERM, TCSANOW};
 use memory_manager::MemoryManagerSnapshotData;
 use pci::PciBdf;
@ -196,6 +198,14 @@ pub enum Error {

    #[error("Failed to join on threads: {0:?}")]
    ThreadCleanup(std::boxed::Box<dyn std::any::Any + std::marker::Send>),
+
+    /// Cannot create Landlock object
+    #[error("Error creating landlock object: {0}")]
+    CreateLandlock(LandlockError),
+
+    /// Cannot apply landlock based sandboxing
+    #[error("Error applying landlock: {0}")]
+    ApplyLandlock(LandlockError),
 }
 pub type Result<T> = result::Result<T, Error>;

@ -328,6 +338,7 @@ pub fn feature_list() -> Vec<String> {
 pub fn start_event_monitor_thread(
    mut monitor: event_monitor::Monitor,
    seccomp_action: &SeccompAction,
+    landlock_enable: bool,
    hypervisor_type: hypervisor::HypervisorType,
    exit_event: EventFd,
 ) -> Result<thread::JoinHandle<Result<()>>> {
@ -348,6 +359,17 @@ pub fn start_event_monitor_thread(
                        e
                    })?;
            }
+            if landlock_enable {
+                Landlock::new()
+                    .map_err(Error::CreateLandlock)?
+                    .restrict_self()
+                    .map_err(Error::ApplyLandlock)
+                    .map_err(|e| {
+                        error!("Error applying landlock to event monitor thread: {:?}", e);
+                        exit_event.write(1).ok();
+                        e
+                    })?;
+            }

            std::panic::catch_unwind(AssertUnwindSafe(move || {
                while let Ok(event) = monitor.rx.recv() {