vmm: seccomp: implement seccomp filtering for the event-monitor thread

Signed-off-by: Omer Faruk Bayram <omer.faruk@sartura.hr>
2025-01-18 10:35:23 +00:00 · 2023-08-06 22:23:15 +03:00 · 2023-08-06 22:23:15 +03:00 · a0c8bf4f9f
commit a0c8bf4f9f
parent 02e1c54426
3 changed files with 39 additions and 4 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -555,8 +555,13 @@ fn start_vmm(toplevel: TopLevel) -> Result<Option<String>, Error> {
        };

        let monitor = event_monitor::set_monitor(file).map_err(Error::EventMonitorIo)?;
-        vmm::start_event_monitor_thread(monitor, exit_evt.try_clone().unwrap())
-            .map_err(Error::EventMonitorThread)?;
+        vmm::start_event_monitor_thread(
+            monitor,
+            &seccomp_action,
+            hypervisor.hypervisor_type(),
+            exit_evt.try_clone().unwrap(),
+        )
+        .map_err(Error::EventMonitorThread)?;
    }

    event!("vmm", "starting");
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -295,11 +295,28 @@ impl Serialize for PciDeviceInfo {

 pub fn start_event_monitor_thread(
    mut monitor: event_monitor::Monitor,
+    seccomp_action: &SeccompAction,
+    hypervisor_type: hypervisor::HypervisorType,
    exit_event: EventFd,
-) -> Result<()> {
+) -> Result<thread::JoinHandle<Result<()>>> {
+    // Retrieve seccomp filter
+    let seccomp_filter = get_seccomp_filter(seccomp_action, Thread::EventMonitor, hypervisor_type)
+        .map_err(Error::CreateSeccompFilter)?;
+
    thread::Builder::new()
        .name("event-monitor".to_owned())
        .spawn(move || {
+            // Apply seccomp filter
+            if !seccomp_filter.is_empty() {
+                apply_filter(&seccomp_filter)
+                    .map_err(Error::ApplySeccompFilter)
+                    .map_err(|e| {
+                        error!("Error applying seccomp filter: {:?}", e);
+                        exit_event.write(1).ok();
+                        e
+                    })?;
+            }
+
            std::panic::catch_unwind(AssertUnwindSafe(move || {
                while let Ok(event) = monitor.rx.recv() {
                    monitor.file.write_all(event.as_bytes().as_ref()).ok();
@ -310,8 +327,10 @@ pub fn start_event_monitor_thread(
                error!("`event-monitor` thread panicked");
                exit_event.write(1).ok();
            })
+            .ok();
+
+            Ok(())
        })
-        .map(|_| ())
        .map_err(Error::EventMonitorThreadSpawn)
 }

--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -15,6 +15,7 @@ pub enum Thread {
    HttpApi,
    #[cfg(feature = "dbus_api")]
    DBusApi,
+    EventMonitor,
    SignalHandler,
    Vcpu,
    Vmm,
@ -817,6 +818,15 @@ fn dbus_api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError>
    ])
 }

+fn event_monitor_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
+    Ok(vec![
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_write, vec![]),
+    ])
+}
+
 fn get_seccomp_rules(
    thread_type: Thread,
    hypervisor_type: HypervisorType,
@ -825,6 +835,7 @@ fn get_seccomp_rules(
        Thread::HttpApi => Ok(http_api_thread_rules()?),
        #[cfg(feature = "dbus_api")]
        Thread::DBusApi => Ok(dbus_api_thread_rules()?),
+        Thread::EventMonitor => Ok(event_monitor_thread_rules()?),
        Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
        Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
        Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),