vmm: seccomp: implement seccomp filtering for the event-monitor thread

Signed-off-by: Omer Faruk Bayram <omer.faruk@sartura.hr>

src/main.rs

@@ -555,8 +555,13 @@ fn start_vmm(toplevel: TopLevel) -> Result<Option<String>, Error> {
         };
 
         let monitor = event_monitor::set_monitor(file).map_err(Error::EventMonitorIo)?;
-        vmm::start_event_monitor_thread(monitor, exit_evt.try_clone().unwrap())
+        vmm::start_event_monitor_thread(
-            .map_err(Error::EventMonitorThread)?;
+            monitor,
+            &seccomp_action,
+            hypervisor.hypervisor_type(),
+            exit_evt.try_clone().unwrap(),
+        )
+        .map_err(Error::EventMonitorThread)?;
     }
 
     event!("vmm", "starting");

vmm/src/lib.rs

@@ -295,11 +295,28 @@ impl Serialize for PciDeviceInfo {
 
 pub fn start_event_monitor_thread(
     mut monitor: event_monitor::Monitor,
+    seccomp_action: &SeccompAction,
+    hypervisor_type: hypervisor::HypervisorType,
     exit_event: EventFd,
-) -> Result<()> {
+) -> Result<thread::JoinHandle<Result<()>>> {
+    // Retrieve seccomp filter
+    let seccomp_filter = get_seccomp_filter(seccomp_action, Thread::EventMonitor, hypervisor_type)
+        .map_err(Error::CreateSeccompFilter)?;
+
     thread::Builder::new()
         .name("event-monitor".to_owned())
         .spawn(move || {
+            // Apply seccomp filter
+            if !seccomp_filter.is_empty() {
+                apply_filter(&seccomp_filter)
+                    .map_err(Error::ApplySeccompFilter)
+                    .map_err(|e| {
+                        error!("Error applying seccomp filter: {:?}", e);
+                        exit_event.write(1).ok();
+                        e
+                    })?;
+            }
+
             std::panic::catch_unwind(AssertUnwindSafe(move || {
                 while let Ok(event) = monitor.rx.recv() {
                     monitor.file.write_all(event.as_bytes().as_ref()).ok();
@@ -310,8 +327,10 @@ pub fn start_event_monitor_thread(
                 error!("`event-monitor` thread panicked");
                 exit_event.write(1).ok();
             })
+            .ok();
+
+            Ok(())
         })
-        .map(|_| ())
         .map_err(Error::EventMonitorThreadSpawn)
 }
 

vmm/src/seccomp_filters.rs

@@ -15,6 +15,7 @@ pub enum Thread {
     HttpApi,
     #[cfg(feature = "dbus_api")]
     DBusApi,
+    EventMonitor,
     SignalHandler,
     Vcpu,
     Vmm,
@@ -817,6 +818,15 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
     ])
 }
 
+fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
+    Ok(vec![
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_write, vec![]),
+    ])
+}
+
 fn get_seccomp_rules(
     thread_type: Thread,
     hypervisor_type: HypervisorType,
@@ -825,6 +835,7 @@ fn get_seccomp_rules(
         Thread::HttpApi => Ok(http_api_thread_rules()?),
         #[cfg(feature = "dbus_api")]
         Thread::DBusApi => Ok(dbus_api_thread_rules()?),
+        Thread::EventMonitor => Ok(event_monitor_thread_rules()?),
         Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
         Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
         Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),