mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2025-01-03 03:15:20 +00:00
vmm: make landlock configs VMM-level config
This requires stashing the config values in `struct Vmm`. The configs should be validated before before creating the VMM thread. Refactor the code and update documentation where necessary. The place where the rules are applied remain the same. Signed-off-by: Wei Liu <liuwe@microsoft.com>
This commit is contained in:
parent
8452edfcc7
commit
94929889ac
@ -30,10 +30,7 @@ Linux kernel confirms Landlock support with above message in dmesg.
|
||||
## Implementation Details
|
||||
|
||||
To enable Landlock, Cloud-Hypervisor process needs the full list of files it
|
||||
needs to access over its lifetime. Most of these files are received as VM
|
||||
Configuration (`struct VmConfig`). Landlock is enabled in `vm_create` stage, as
|
||||
this is the earliest stage in guest boot sequence which has access to guest's
|
||||
VM Configuration.
|
||||
needs to access over its lifetime. Landlock is enabled in the `vm_create` stage.
|
||||
|
||||
## Enable Landlock
|
||||
|
||||
|
@ -190,8 +190,6 @@ impl RequestHandler for StubApiRequestHandler {
|
||||
platform: None,
|
||||
tpm: None,
|
||||
preserved_fds: None,
|
||||
landlock_enable: false,
|
||||
landlock_config: None,
|
||||
})),
|
||||
state: VmState::Running,
|
||||
memory_actual_size: 0,
|
||||
|
31
src/main.rs
31
src/main.rs
@ -285,14 +285,14 @@ fn create_app(default_vcpus: String, default_memory: String, default_rng: String
|
||||
)
|
||||
.action(ArgAction::SetTrue)
|
||||
.default_value("false")
|
||||
.group("vm-config"),
|
||||
.group("vmm-config"),
|
||||
)
|
||||
.arg(
|
||||
Arg::new("landlock-rules")
|
||||
.long("landlock-rules")
|
||||
.help(config::LandlockConfig::SYNTAX)
|
||||
.num_args(1..)
|
||||
.group("vm-config"),
|
||||
.group("vmm-config"),
|
||||
)
|
||||
.arg(
|
||||
Arg::new("net")
|
||||
@ -657,7 +657,31 @@ fn start_vmm(cmd_arguments: ArgMatches) -> Result<Option<String>, Error> {
|
||||
let vm_debug_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::CreateDebugEventFd)?;
|
||||
|
||||
let exit_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::CreateExitEventFd)?;
|
||||
|
||||
let landlock_enable = cmd_arguments.get_flag("landlock");
|
||||
let landlock_config_str_vec: Option<Vec<&str>> = cmd_arguments
|
||||
.get_many::<String>("landlock-rules")
|
||||
.map(|x| x.map(|y| y as &str).collect());
|
||||
|
||||
let landlock_config = if let Some(str_vec) = landlock_config_str_vec {
|
||||
Some(
|
||||
str_vec
|
||||
.into_iter()
|
||||
.map(config::LandlockConfig::parse)
|
||||
.collect::<config::Result<Vec<config::LandlockConfig>>>()
|
||||
.map_err(Error::ParsingConfig)?,
|
||||
)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
if let Some(lc) = landlock_config.as_ref() {
|
||||
for c in lc.iter() {
|
||||
c.validate()
|
||||
.map_err(config::Error::Validation)
|
||||
.map_err(Error::ParsingConfig)?;
|
||||
}
|
||||
}
|
||||
|
||||
#[allow(unused_mut)]
|
||||
let mut event_monitor = cmd_arguments
|
||||
@ -755,6 +779,7 @@ fn start_vmm(cmd_arguments: ArgMatches) -> Result<Option<String>, Error> {
|
||||
&seccomp_action,
|
||||
hypervisor,
|
||||
landlock_enable,
|
||||
landlock_config,
|
||||
)
|
||||
.map_err(Error::StartVmmThread)?;
|
||||
|
||||
@ -1065,8 +1090,6 @@ mod unit_tests {
|
||||
platform: None,
|
||||
tpm: None,
|
||||
preserved_fds: None,
|
||||
landlock_enable: false,
|
||||
landlock_config: None,
|
||||
};
|
||||
|
||||
assert_eq!(expected_vm_config, result_vm_config);
|
||||
|
@ -496,8 +496,6 @@ pub struct VmParams<'a> {
|
||||
pub igvm: Option<&'a str>,
|
||||
#[cfg(feature = "sev_snp")]
|
||||
pub host_data: Option<&'a str>,
|
||||
pub landlock_enable: bool,
|
||||
pub landlock_config: Option<Vec<&'a str>>,
|
||||
}
|
||||
|
||||
impl<'a> VmParams<'a> {
|
||||
@ -563,10 +561,6 @@ impl<'a> VmParams<'a> {
|
||||
let igvm = args.get_one::<String>("igvm").map(|x| x as &str);
|
||||
#[cfg(feature = "sev_snp")]
|
||||
let host_data = args.get_one::<String>("host-data").map(|x| x as &str);
|
||||
let landlock_enable = args.get_flag("landlock");
|
||||
let landlock_config: Option<Vec<&str>> = args
|
||||
.get_many::<String>("landlock-rules")
|
||||
.map(|x| x.map(|y| y as &str).collect());
|
||||
|
||||
VmParams {
|
||||
cpus,
|
||||
@ -605,8 +599,6 @@ impl<'a> VmParams<'a> {
|
||||
igvm,
|
||||
#[cfg(feature = "sev_snp")]
|
||||
host_data,
|
||||
landlock_enable,
|
||||
landlock_config,
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -2334,6 +2326,12 @@ impl TpmConfig {
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct LandlockConfig {
|
||||
pub path: PathBuf,
|
||||
pub access: String,
|
||||
}
|
||||
|
||||
impl LandlockConfig {
|
||||
pub const SYNTAX: &'static str = "Landlock parameters \
|
||||
\"path=<path/to/{file/dir}>,access=[rw]\"";
|
||||
@ -2725,12 +2723,6 @@ impl VmConfig {
|
||||
.map(|p| p.iommu_segments.is_some())
|
||||
.unwrap_or_default();
|
||||
|
||||
if let Some(landlock_configs) = &self.landlock_config {
|
||||
for landlock_config in landlock_configs {
|
||||
landlock_config.validate()?;
|
||||
}
|
||||
}
|
||||
|
||||
Ok(id_list)
|
||||
}
|
||||
|
||||
@ -2901,16 +2893,6 @@ impl VmConfig {
|
||||
#[cfg(feature = "guest_debug")]
|
||||
let gdb = vm_params.gdb;
|
||||
|
||||
let mut landlock_config: Option<Vec<LandlockConfig>> = None;
|
||||
if let Some(ll_config) = vm_params.landlock_config {
|
||||
landlock_config = Some(
|
||||
ll_config
|
||||
.iter()
|
||||
.map(|rule| LandlockConfig::parse(rule))
|
||||
.collect::<Result<Vec<LandlockConfig>>>()?,
|
||||
);
|
||||
}
|
||||
|
||||
let mut config = VmConfig {
|
||||
cpus: CpusConfig::parse(vm_params.cpus)?,
|
||||
memory: MemoryConfig::parse(vm_params.memory, vm_params.memory_zones)?,
|
||||
@ -2942,8 +2924,6 @@ impl VmConfig {
|
||||
platform,
|
||||
tpm,
|
||||
preserved_fds: None,
|
||||
landlock_enable: vm_params.landlock_enable,
|
||||
landlock_config,
|
||||
};
|
||||
config.validate().map_err(Error::Validation)?;
|
||||
Ok(config)
|
||||
@ -3070,7 +3050,6 @@ impl Clone for VmConfig {
|
||||
.as_ref()
|
||||
// SAFETY: FFI call with valid FDs
|
||||
.map(|fds| fds.iter().map(|fd| unsafe { libc::dup(*fd) }).collect()),
|
||||
landlock_config: self.landlock_config.clone(),
|
||||
..*self
|
||||
}
|
||||
}
|
||||
@ -3869,8 +3848,6 @@ mod tests {
|
||||
..net_fixture()
|
||||
},
|
||||
]),
|
||||
landlock_enable: false,
|
||||
landlock_config: None,
|
||||
};
|
||||
|
||||
let valid_config = RestoreConfig {
|
||||
@ -4059,8 +4036,6 @@ mod tests {
|
||||
platform: None,
|
||||
tpm: None,
|
||||
preserved_fds: None,
|
||||
landlock_enable: false,
|
||||
landlock_config: None,
|
||||
};
|
||||
|
||||
assert!(valid_config.validate().is_ok());
|
||||
|
294
vmm/src/lib.rs
294
vmm/src/lib.rs
@ -12,8 +12,11 @@ use crate::api::{
|
||||
ApiRequest, ApiResponse, RequestHandler, VmInfoResponse, VmReceiveMigrationData,
|
||||
VmSendMigrationData, VmmPingResponse,
|
||||
};
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
use crate::config::DebugConsoleConfig;
|
||||
use crate::config::{
|
||||
add_to_config, DeviceConfig, DiskConfig, FsConfig, NetConfig, PmemConfig, RestoreConfig,
|
||||
add_to_config, ConsoleConfig, DeviceConfig, DiskConfig, FsConfig, LandlockConfig,
|
||||
MemoryZoneConfig, NetConfig, PayloadConfig, PmemConfig, RestoreConfig, RngConfig, TpmConfig,
|
||||
UserDeviceConfig, VdpaConfig, VmConfig, VsockConfig,
|
||||
};
|
||||
#[cfg(all(target_arch = "x86_64", feature = "guest_debug"))]
|
||||
@ -39,6 +42,7 @@ use serde::ser::{SerializeStruct, Serializer};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use signal_hook::iterator::{Handle, Signals};
|
||||
use std::collections::HashMap;
|
||||
use std::fs;
|
||||
use std::fs::File;
|
||||
use std::io;
|
||||
use std::io::{stdout, Read, Write};
|
||||
@ -413,6 +417,7 @@ pub fn start_vmm_thread(
|
||||
seccomp_action: &SeccompAction,
|
||||
hypervisor: Arc<dyn hypervisor::Hypervisor>,
|
||||
landlock_enable: bool,
|
||||
landlock_config: Option<Vec<LandlockConfig>>,
|
||||
) -> Result<VmmThreadHandle> {
|
||||
#[cfg(feature = "guest_debug")]
|
||||
let gdb_hw_breakpoints = hypervisor.get_guest_debug_hw_bps();
|
||||
@ -451,6 +456,8 @@ pub fn start_vmm_thread(
|
||||
vmm_seccomp_action,
|
||||
hypervisor,
|
||||
exit_event,
|
||||
landlock_enable,
|
||||
landlock_config,
|
||||
)?;
|
||||
|
||||
vmm.setup_signal_handler(landlock_enable)?;
|
||||
@ -578,6 +585,8 @@ pub struct Vmm {
|
||||
original_termios_opt: Arc<Mutex<Option<termios>>>,
|
||||
console_resize_pipe: Option<File>,
|
||||
console_info: Option<ConsoleInfo>,
|
||||
landlock_enable: bool,
|
||||
landlock_config: Option<Vec<LandlockConfig>>,
|
||||
}
|
||||
|
||||
impl Vmm {
|
||||
@ -684,6 +693,8 @@ impl Vmm {
|
||||
seccomp_action: SeccompAction,
|
||||
hypervisor: Arc<dyn hypervisor::Hypervisor>,
|
||||
exit_evt: EventFd,
|
||||
landlock_enable: bool,
|
||||
landlock_config: Option<Vec<LandlockConfig>>,
|
||||
) -> Result<Self> {
|
||||
let mut epoll = EpollContext::new().map_err(Error::Epoll)?;
|
||||
let reset_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::EventFdCreate)?;
|
||||
@ -730,6 +741,8 @@ impl Vmm {
|
||||
original_termios_opt: Arc::new(Mutex::new(None)),
|
||||
console_resize_pipe: None,
|
||||
console_info: None,
|
||||
landlock_enable,
|
||||
landlock_config,
|
||||
})
|
||||
}
|
||||
|
||||
@ -766,15 +779,12 @@ impl Vmm {
|
||||
MigratableError::MigrateReceive(anyhow!("Error creating console devices: {:?}", e))
|
||||
})?);
|
||||
|
||||
if self
|
||||
.vm_config
|
||||
.as_ref()
|
||||
.unwrap()
|
||||
.lock()
|
||||
.unwrap()
|
||||
.landlock_enable
|
||||
{
|
||||
apply_landlock(self.vm_config.as_ref().unwrap().clone()).map_err(|e| {
|
||||
if self.landlock_enable {
|
||||
apply_landlock(
|
||||
&self.vm_config.as_ref().unwrap().clone(),
|
||||
&self.landlock_config,
|
||||
)
|
||||
.map_err(|e| {
|
||||
MigratableError::MigrateReceive(anyhow!("Error applying landlock: {:?}", e))
|
||||
})?;
|
||||
}
|
||||
@ -1264,8 +1274,236 @@ impl Vmm {
|
||||
}
|
||||
}
|
||||
|
||||
fn apply_landlock(vm_config: Arc<Mutex<VmConfig>>) -> result::Result<(), LandlockError> {
|
||||
vm_config.lock().unwrap().apply_landlock()?;
|
||||
pub type LandlockResult<T> = result::Result<T, LandlockError>;
|
||||
/// Trait to apply Landlock on VmConfig elements
|
||||
pub(crate) trait ApplyLandlock {
|
||||
/// Apply Landlock rules to file paths
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()>;
|
||||
}
|
||||
|
||||
impl ApplyLandlock for MemoryZoneConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for DiskConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(path) = &self.path {
|
||||
landlock.add_rule_with_access(path.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for RngConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
// Rng Path only need read access
|
||||
landlock.add_rule_with_access(self.src.to_path_buf(), "r")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for FsConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for PmemConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.file.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for ConsoleConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
if let Some(socket) = &self.socket {
|
||||
landlock.add_rule_with_access(socket.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
impl ApplyLandlock for DebugConsoleConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for DeviceConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
let device_path = fs::read_link(self.path.as_path()).map_err(LandlockError::OpenPath)?;
|
||||
let iommu_group = device_path.file_name();
|
||||
let iommu_group_str = iommu_group
|
||||
.ok_or(LandlockError::InvalidPath)?
|
||||
.to_str()
|
||||
.ok_or(LandlockError::InvalidPath)?;
|
||||
|
||||
let vfio_group_path = "/dev/vfio/".to_owned() + iommu_group_str;
|
||||
landlock.add_rule_with_access(vfio_group_path.into(), "rw")?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for UserDeviceConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for VdpaConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.path.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for VsockConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for PayloadConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
// Payload only needs read access
|
||||
if let Some(firmware) = &self.firmware {
|
||||
landlock.add_rule_with_access(firmware.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
if let Some(kernel) = &self.kernel {
|
||||
landlock.add_rule_with_access(kernel.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
if let Some(initramfs) = &self.initramfs {
|
||||
landlock.add_rule_with_access(initramfs.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
#[cfg(feature = "igvm")]
|
||||
if let Some(igvm) = &self.igvm {
|
||||
landlock.add_rule_with_access(igvm.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for TpmConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for LandlockConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.path.to_path_buf(), self.access.clone().as_str())?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
fn apply_landlock(
|
||||
vm_config: &Arc<Mutex<VmConfig>>,
|
||||
landlock_config: &Option<Vec<LandlockConfig>>,
|
||||
) -> LandlockResult<()> {
|
||||
let vm_config = vm_config.lock().unwrap();
|
||||
let mut landlock = Landlock::new()?;
|
||||
|
||||
if let Some(mem_zones) = &vm_config.memory.zones {
|
||||
for zone in mem_zones.iter() {
|
||||
zone.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
let disks = &vm_config.disks;
|
||||
if let Some(disks) = disks {
|
||||
for disk in disks.iter() {
|
||||
disk.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
vm_config.rng.apply_landlock(&mut landlock)?;
|
||||
|
||||
if let Some(fs_configs) = &vm_config.fs {
|
||||
for fs_config in fs_configs.iter() {
|
||||
fs_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(pmem_configs) = &vm_config.pmem {
|
||||
for pmem_config in pmem_configs.iter() {
|
||||
pmem_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
vm_config.console.apply_landlock(&mut landlock)?;
|
||||
vm_config.serial.apply_landlock(&mut landlock)?;
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
{
|
||||
vm_config.debug_console.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(devices) = &vm_config.devices {
|
||||
landlock.add_rule_with_access("/dev/vfio/vfio".into(), "rw")?;
|
||||
|
||||
for device in devices.iter() {
|
||||
device.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(user_devices) = &vm_config.user_devices {
|
||||
for user_devices in user_devices.iter() {
|
||||
user_devices.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(vdpa_configs) = &vm_config.vdpa {
|
||||
for vdpa_config in vdpa_configs.iter() {
|
||||
vdpa_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(vsock_config) = &vm_config.vsock {
|
||||
vsock_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(payload) = &vm_config.payload {
|
||||
payload.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(tpm_config) = &vm_config.tpm {
|
||||
tpm_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if vm_config.net.is_some() {
|
||||
landlock.add_rule_with_access("/dev/net/tun".into(), "rw")?;
|
||||
}
|
||||
|
||||
if let Some(landlock_configs) = landlock_config {
|
||||
for landlock_config in landlock_configs.iter() {
|
||||
landlock_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
landlock.restrict_self()?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@ -1278,15 +1516,11 @@ impl RequestHandler for Vmm {
|
||||
self.console_info =
|
||||
Some(pre_create_console_devices(self).map_err(VmError::CreateConsoleDevices)?);
|
||||
|
||||
if self
|
||||
.vm_config
|
||||
.as_ref()
|
||||
.unwrap()
|
||||
.lock()
|
||||
.unwrap()
|
||||
.landlock_enable
|
||||
{
|
||||
apply_landlock(self.vm_config.as_ref().unwrap().clone())
|
||||
if self.landlock_enable {
|
||||
apply_landlock(
|
||||
&self.vm_config.as_ref().unwrap().clone(),
|
||||
&self.landlock_config,
|
||||
)
|
||||
.map_err(VmError::ApplyLandlock)?;
|
||||
}
|
||||
Ok(())
|
||||
@ -1472,15 +1706,11 @@ impl RequestHandler for Vmm {
|
||||
)?;
|
||||
self.vm = Some(vm);
|
||||
|
||||
if self
|
||||
.vm_config
|
||||
.as_ref()
|
||||
.unwrap()
|
||||
.lock()
|
||||
.unwrap()
|
||||
.landlock_enable
|
||||
{
|
||||
apply_landlock(self.vm_config.as_ref().unwrap().clone())
|
||||
if self.landlock_enable {
|
||||
apply_landlock(
|
||||
&self.vm_config.as_ref().unwrap().clone(),
|
||||
&self.landlock_config,
|
||||
)
|
||||
.map_err(VmError::ApplyLandlock)?;
|
||||
}
|
||||
|
||||
@ -2195,6 +2425,8 @@ mod unit_tests {
|
||||
SeccompAction::Allow,
|
||||
hypervisor::new().unwrap(),
|
||||
EventFd::new(EFD_NONBLOCK).unwrap(),
|
||||
false,
|
||||
None,
|
||||
)
|
||||
.unwrap()
|
||||
}
|
||||
@ -2273,8 +2505,6 @@ mod unit_tests {
|
||||
platform: None,
|
||||
tpm: None,
|
||||
preserved_fds: None,
|
||||
landlock_enable: false,
|
||||
landlock_config: None,
|
||||
}))
|
||||
}
|
||||
|
||||
|
@ -2,20 +2,11 @@
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
//
|
||||
use crate::{landlock::LandlockError, Landlock};
|
||||
use net_util::MacAddr;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use std::{fs, net::Ipv4Addr, path::PathBuf, result};
|
||||
use std::{net::Ipv4Addr, path::PathBuf};
|
||||
use virtio_devices::RateLimiterConfig;
|
||||
|
||||
pub type LandlockResult<T> = result::Result<T, LandlockError>;
|
||||
|
||||
/// Trait to apply Landlock on VmConfig elements
|
||||
pub(crate) trait ApplyLandlock {
|
||||
/// Apply Landlock rules to file paths
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()>;
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct CpuAffinity {
|
||||
pub vcpu: u8,
|
||||
@ -141,15 +132,6 @@ pub struct MemoryZoneConfig {
|
||||
pub prefault: bool,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for MemoryZoneConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
|
||||
pub enum HotplugMethod {
|
||||
#[default]
|
||||
@ -263,15 +245,6 @@ pub struct DiskConfig {
|
||||
pub queue_affinity: Option<Vec<VirtQueueAffinity>>,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for DiskConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(path) = &self.path {
|
||||
landlock.add_rule_with_access(path.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
pub const DEFAULT_DISK_NUM_QUEUES: usize = 1;
|
||||
|
||||
pub fn default_diskconfig_num_queues() -> usize {
|
||||
@ -405,14 +378,6 @@ impl Default for RngConfig {
|
||||
}
|
||||
}
|
||||
|
||||
impl ApplyLandlock for RngConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
// Rng Path only need read access
|
||||
landlock.add_rule_with_access(self.src.to_path_buf(), "r")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct BalloonConfig {
|
||||
pub size: u64,
|
||||
@ -446,13 +411,6 @@ pub fn default_fsconfig_queue_size() -> u16 {
|
||||
1024
|
||||
}
|
||||
|
||||
impl ApplyLandlock for FsConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct PmemConfig {
|
||||
pub file: PathBuf,
|
||||
@ -468,13 +426,6 @@ pub struct PmemConfig {
|
||||
pub pci_segment: u16,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for PmemConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.file.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub enum ConsoleOutputMode {
|
||||
Off,
|
||||
@ -499,18 +450,6 @@ pub fn default_consoleconfig_file() -> Option<PathBuf> {
|
||||
None
|
||||
}
|
||||
|
||||
impl ApplyLandlock for ConsoleConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
if let Some(socket) = &self.socket {
|
||||
landlock.add_rule_with_access(socket.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct DebugConsoleConfig {
|
||||
@ -531,15 +470,6 @@ impl Default for DebugConsoleConfig {
|
||||
}
|
||||
}
|
||||
}
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
impl ApplyLandlock for DebugConsoleConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
if let Some(file) = &self.file {
|
||||
landlock.add_rule_with_access(file.to_path_buf(), "rw")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct DeviceConfig {
|
||||
@ -554,22 +484,6 @@ pub struct DeviceConfig {
|
||||
pub x_nv_gpudirect_clique: Option<u8>,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for DeviceConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
let device_path = fs::read_link(self.path.as_path()).map_err(LandlockError::OpenPath)?;
|
||||
let iommu_group = device_path.file_name();
|
||||
let iommu_group_str = iommu_group
|
||||
.ok_or(LandlockError::InvalidPath)?
|
||||
.to_str()
|
||||
.ok_or(LandlockError::InvalidPath)?;
|
||||
|
||||
let vfio_group_path = "/dev/vfio/".to_owned() + iommu_group_str;
|
||||
landlock.add_rule_with_access(vfio_group_path.into(), "rw")?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct UserDeviceConfig {
|
||||
pub socket: PathBuf,
|
||||
@ -579,13 +493,6 @@ pub struct UserDeviceConfig {
|
||||
pub pci_segment: u16,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for UserDeviceConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct VdpaConfig {
|
||||
pub path: PathBuf,
|
||||
@ -603,13 +510,6 @@ pub fn default_vdpaconfig_num_queues() -> usize {
|
||||
1
|
||||
}
|
||||
|
||||
impl ApplyLandlock for VdpaConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.path.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct VsockConfig {
|
||||
pub cid: u32,
|
||||
@ -622,13 +522,6 @@ pub struct VsockConfig {
|
||||
pub pci_segment: u16,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for VsockConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct SgxEpcConfig {
|
||||
@ -682,30 +575,6 @@ pub struct PayloadConfig {
|
||||
pub host_data: Option<String>,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for PayloadConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
// Payload only needs read access
|
||||
if let Some(firmware) = &self.firmware {
|
||||
landlock.add_rule_with_access(firmware.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
if let Some(kernel) = &self.kernel {
|
||||
landlock.add_rule_with_access(kernel.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
if let Some(initramfs) = &self.initramfs {
|
||||
landlock.add_rule_with_access(initramfs.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
#[cfg(feature = "igvm")]
|
||||
if let Some(igvm) = &self.igvm {
|
||||
landlock.add_rule_with_access(igvm.to_path_buf(), "r")?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
pub fn default_serial() -> ConsoleConfig {
|
||||
ConsoleConfig {
|
||||
file: None,
|
||||
@ -729,26 +598,6 @@ pub struct TpmConfig {
|
||||
pub socket: PathBuf,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for TpmConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.socket.to_path_buf(), "rw")?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct LandlockConfig {
|
||||
pub path: PathBuf,
|
||||
pub access: String,
|
||||
}
|
||||
|
||||
impl ApplyLandlock for LandlockConfig {
|
||||
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
|
||||
landlock.add_rule_with_access(self.path.to_path_buf(), self.access.clone().as_str())?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
pub struct VmConfig {
|
||||
#[serde(default)]
|
||||
@ -796,94 +645,4 @@ pub struct VmConfig {
|
||||
// valid, and will be closed when the holding VmConfig instance is destroyed.
|
||||
#[serde(skip)]
|
||||
pub preserved_fds: Option<Vec<i32>>,
|
||||
#[serde(default)]
|
||||
pub landlock_enable: bool,
|
||||
pub landlock_config: Option<Vec<LandlockConfig>>,
|
||||
}
|
||||
|
||||
impl VmConfig {
|
||||
pub(crate) fn apply_landlock(&self) -> LandlockResult<()> {
|
||||
let mut landlock = Landlock::new()?;
|
||||
|
||||
if let Some(mem_zones) = &self.memory.zones {
|
||||
for zone in mem_zones.iter() {
|
||||
zone.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
let disks = &self.disks;
|
||||
if let Some(disks) = disks {
|
||||
for disk in disks.iter() {
|
||||
disk.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
self.rng.apply_landlock(&mut landlock)?;
|
||||
|
||||
if let Some(fs_configs) = &self.fs {
|
||||
for fs_config in fs_configs.iter() {
|
||||
fs_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(pmem_configs) = &self.pmem {
|
||||
for pmem_config in pmem_configs.iter() {
|
||||
pmem_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
self.console.apply_landlock(&mut landlock)?;
|
||||
self.serial.apply_landlock(&mut landlock)?;
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
{
|
||||
self.debug_console.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(devices) = &self.devices {
|
||||
landlock.add_rule_with_access("/dev/vfio/vfio".into(), "rw")?;
|
||||
|
||||
for device in devices.iter() {
|
||||
device.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(user_devices) = &self.user_devices {
|
||||
for user_devices in user_devices.iter() {
|
||||
user_devices.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(vdpa_configs) = &self.vdpa {
|
||||
for vdpa_config in vdpa_configs.iter() {
|
||||
vdpa_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
if let Some(vsock_config) = &self.vsock {
|
||||
vsock_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(payload) = &self.payload {
|
||||
payload.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if let Some(tpm_config) = &self.tpm {
|
||||
tpm_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
|
||||
if self.net.is_some() {
|
||||
landlock.add_rule_with_access("/dev/net/tun".into(), "rw")?;
|
||||
}
|
||||
|
||||
if let Some(landlock_configs) = &self.landlock_config {
|
||||
for landlock_config in landlock_configs.iter() {
|
||||
landlock_config.apply_landlock(&mut landlock)?;
|
||||
}
|
||||
}
|
||||
|
||||
landlock.restrict_self()?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user