mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2024-12-22 21:55:20 +00:00
vmm: return seccomp rules according to hypervisors
That requires stashing the hypervisor type into various places. Signed-off-by: Wei Liu <liuwe@microsoft.com>
This commit is contained in:
parent
9fc3379e8d
commit
ad33f7c5e6
@ -7,6 +7,7 @@ use crate::api::http_endpoint::{VmActionHandler, VmCreate, VmInfo, VmmPing, VmmS
|
||||
use crate::api::{ApiError, ApiRequest, VmAction};
|
||||
use crate::seccomp_filters::{get_seccomp_filter, Thread};
|
||||
use crate::{Error as VmmError, Result};
|
||||
use hypervisor::HypervisorType;
|
||||
use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
|
||||
use once_cell::sync::Lazy;
|
||||
use seccompiler::{apply_filter, SeccompAction};
|
||||
@ -278,10 +279,11 @@ fn start_http_thread(
|
||||
api_sender: Sender<ApiRequest>,
|
||||
seccomp_action: &SeccompAction,
|
||||
exit_evt: EventFd,
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<thread::JoinHandle<Result<()>>> {
|
||||
// Retrieve seccomp filter for API thread
|
||||
let api_seccomp_filter =
|
||||
get_seccomp_filter(seccomp_action, Thread::Api).map_err(VmmError::CreateSeccompFilter)?;
|
||||
let api_seccomp_filter = get_seccomp_filter(seccomp_action, Thread::Api, hypervisor_type)
|
||||
.map_err(VmmError::CreateSeccompFilter)?;
|
||||
|
||||
thread::Builder::new()
|
||||
.name("http-server".to_string())
|
||||
@ -336,12 +338,20 @@ pub fn start_http_path_thread(
|
||||
api_sender: Sender<ApiRequest>,
|
||||
seccomp_action: &SeccompAction,
|
||||
exit_evt: EventFd,
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<thread::JoinHandle<Result<()>>> {
|
||||
let socket_path = PathBuf::from(path);
|
||||
let socket_fd = UnixListener::bind(socket_path).map_err(VmmError::CreateApiServerSocket)?;
|
||||
let server =
|
||||
HttpServer::new_from_fd(socket_fd.into_raw_fd()).map_err(VmmError::CreateApiServer)?;
|
||||
start_http_thread(server, api_notifier, api_sender, seccomp_action, exit_evt)
|
||||
start_http_thread(
|
||||
server,
|
||||
api_notifier,
|
||||
api_sender,
|
||||
seccomp_action,
|
||||
exit_evt,
|
||||
hypervisor_type,
|
||||
)
|
||||
}
|
||||
|
||||
pub fn start_http_fd_thread(
|
||||
@ -350,7 +360,15 @@ pub fn start_http_fd_thread(
|
||||
api_sender: Sender<ApiRequest>,
|
||||
seccomp_action: &SeccompAction,
|
||||
exit_evt: EventFd,
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<thread::JoinHandle<Result<()>>> {
|
||||
let server = HttpServer::new_from_fd(fd).map_err(VmmError::CreateApiServer)?;
|
||||
start_http_thread(server, api_notifier, api_sender, seccomp_action, exit_evt)
|
||||
start_http_thread(
|
||||
server,
|
||||
api_notifier,
|
||||
api_sender,
|
||||
seccomp_action,
|
||||
exit_evt,
|
||||
hypervisor_type,
|
||||
)
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ use hypervisor::arch::x86::{SpecialRegisters, StandardRegisters};
|
||||
use hypervisor::kvm::kvm_bindings;
|
||||
#[cfg(feature = "tdx")]
|
||||
use hypervisor::kvm::{TdxExitDetails, TdxExitStatus};
|
||||
use hypervisor::{CpuState, HypervisorCpuError, VmExit, VmOps};
|
||||
use hypervisor::{CpuState, HypervisorCpuError, HypervisorType, VmExit, VmOps};
|
||||
use libc::{c_void, siginfo_t};
|
||||
#[cfg(feature = "guest_debug")]
|
||||
use linux_loader::elf::Elf64_Nhdr;
|
||||
@ -412,6 +412,7 @@ impl Snapshottable for Vcpu {
|
||||
}
|
||||
|
||||
pub struct CpuManager {
|
||||
hypervisor_type: HypervisorType,
|
||||
config: CpusConfig,
|
||||
#[cfg_attr(target_arch = "aarch64", allow(dead_code))]
|
||||
interrupt_controller: Option<Arc<Mutex<dyn InterruptController>>>,
|
||||
@ -589,6 +590,7 @@ impl CpuManager {
|
||||
let guest_memory = memory_manager.lock().unwrap().guest_memory();
|
||||
let mut vcpu_states = Vec::with_capacity(usize::from(config.max_vcpus));
|
||||
vcpu_states.resize_with(usize::from(config.max_vcpus), VcpuState::default);
|
||||
let hypervisor_type = hypervisor.hypervisor_type();
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
let sgx_epc_sections = memory_manager
|
||||
@ -688,6 +690,7 @@ impl CpuManager {
|
||||
};
|
||||
|
||||
let cpu_manager = Arc::new(Mutex::new(CpuManager {
|
||||
hypervisor_type,
|
||||
config: config.clone(),
|
||||
interrupt_controller: device_manager.interrupt_controller().clone(),
|
||||
vm_memory: guest_memory,
|
||||
@ -836,7 +839,8 @@ impl CpuManager {
|
||||
});
|
||||
|
||||
// Retrieve seccomp filter for vcpu thread
|
||||
let vcpu_seccomp_filter = get_seccomp_filter(&self.seccomp_action, Thread::Vcpu)
|
||||
let vcpu_seccomp_filter =
|
||||
get_seccomp_filter(&self.seccomp_action, Thread::Vcpu, self.hypervisor_type)
|
||||
.map_err(Error::CreateSeccompFilter)?;
|
||||
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
|
@ -50,7 +50,7 @@ use devices::legacy::Serial;
|
||||
use devices::{
|
||||
interrupt_controller, interrupt_controller::InterruptController, AcpiNotificationFlags,
|
||||
};
|
||||
use hypervisor::{HypervisorVmError, IoEventAddress};
|
||||
use hypervisor::{HypervisorType, HypervisorVmError, IoEventAddress};
|
||||
use libc::{
|
||||
cfmakeraw, isatty, tcgetattr, tcsetattr, termios, MAP_NORESERVE, MAP_PRIVATE, MAP_SHARED,
|
||||
O_TMPFILE, PROT_READ, PROT_WRITE, TCSANOW,
|
||||
@ -807,6 +807,9 @@ struct MetaVirtioDevice {
|
||||
}
|
||||
|
||||
pub struct DeviceManager {
|
||||
// The underlying hypervisor
|
||||
hypervisor_type: HypervisorType,
|
||||
|
||||
// Manage address space related to devices
|
||||
address_manager: Arc<AddressManager>,
|
||||
|
||||
@ -945,6 +948,7 @@ pub struct DeviceManager {
|
||||
impl DeviceManager {
|
||||
#[allow(clippy::too_many_arguments)]
|
||||
pub fn new(
|
||||
hypervisor_type: HypervisorType,
|
||||
vm: Arc<dyn hypervisor::Vm>,
|
||||
config: Arc<Mutex<VmConfig>>,
|
||||
memory_manager: Arc<Mutex<MemoryManager>>,
|
||||
@ -1035,6 +1039,7 @@ impl DeviceManager {
|
||||
}
|
||||
|
||||
let device_manager = DeviceManager {
|
||||
hypervisor_type,
|
||||
address_manager: Arc::clone(&address_manager),
|
||||
console: Arc::new(Console::default()),
|
||||
interrupt_controller: None,
|
||||
@ -1803,8 +1808,12 @@ impl DeviceManager {
|
||||
}
|
||||
|
||||
fn listen_for_sigwinch_on_tty(&mut self, pty: &File) -> std::io::Result<()> {
|
||||
let seccomp_filter =
|
||||
get_seccomp_filter(&self.seccomp_action, Thread::PtyForeground).unwrap();
|
||||
let seccomp_filter = get_seccomp_filter(
|
||||
&self.seccomp_action,
|
||||
Thread::PtyForeground,
|
||||
self.hypervisor_type,
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
match start_sigwinch_listener(seccomp_filter, pty) {
|
||||
Ok(pipe) => {
|
||||
|
@ -280,10 +280,11 @@ pub fn start_vmm_thread(
|
||||
let gdb_vm_debug_event = vm_debug_event.try_clone().map_err(Error::EventFdClone)?;
|
||||
|
||||
let http_api_event = api_event.try_clone().map_err(Error::EventFdClone)?;
|
||||
let hypervisor_type = hypervisor.hypervisor_type();
|
||||
|
||||
// Retrieve seccomp filter
|
||||
let vmm_seccomp_filter =
|
||||
get_seccomp_filter(seccomp_action, Thread::Vmm).map_err(Error::CreateSeccompFilter)?;
|
||||
let vmm_seccomp_filter = get_seccomp_filter(seccomp_action, Thread::Vmm, hypervisor_type)
|
||||
.map_err(Error::CreateSeccompFilter)?;
|
||||
|
||||
let vmm_seccomp_action = seccomp_action.clone();
|
||||
let exit_evt = EventFd::new(EFD_NONBLOCK).map_err(Error::EventFdCreate)?;
|
||||
@ -328,6 +329,7 @@ pub fn start_vmm_thread(
|
||||
api_sender,
|
||||
seccomp_action,
|
||||
exit_evt,
|
||||
hypervisor_type,
|
||||
)?;
|
||||
} else if let Some(http_fd) = http_fd {
|
||||
api::start_http_fd_thread(
|
||||
@ -336,6 +338,7 @@ pub fn start_vmm_thread(
|
||||
api_sender,
|
||||
seccomp_action,
|
||||
exit_evt,
|
||||
hypervisor_type,
|
||||
)?;
|
||||
}
|
||||
|
||||
@ -413,8 +416,11 @@ impl Vmm {
|
||||
let exit_evt = self.exit_evt.try_clone().map_err(Error::EventFdClone)?;
|
||||
let on_tty = unsafe { libc::isatty(libc::STDIN_FILENO as i32) } != 0;
|
||||
|
||||
let signal_handler_seccomp_filter =
|
||||
get_seccomp_filter(&self.seccomp_action, Thread::SignalHandler)
|
||||
let signal_handler_seccomp_filter = get_seccomp_filter(
|
||||
&self.seccomp_action,
|
||||
Thread::SignalHandler,
|
||||
self.hypervisor.hypervisor_type(),
|
||||
)
|
||||
.map_err(Error::CreateSeccompFilter)?;
|
||||
self.threads.push(
|
||||
thread::Builder::new()
|
||||
|
@ -4,6 +4,7 @@
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
use hypervisor::HypervisorType;
|
||||
use seccompiler::{
|
||||
BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
|
||||
SeccompCondition as Cond, SeccompFilter, SeccompRule,
|
||||
@ -226,17 +227,22 @@ fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, Backen
|
||||
])
|
||||
}
|
||||
|
||||
fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
fn create_vmm_ioctl_seccomp_rule_hypervisor(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<SeccompRule>, BackendError> {
|
||||
match hypervisor_type {
|
||||
#[cfg(feature = "kvm")]
|
||||
let rules = create_vmm_ioctl_seccomp_rule_common_kvm();
|
||||
|
||||
HypervisorType::Kvm => create_vmm_ioctl_seccomp_rule_common_kvm(),
|
||||
#[cfg(feature = "mshv")]
|
||||
let rules = create_vmm_ioctl_seccomp_rule_common_mshv();
|
||||
|
||||
rules
|
||||
HypervisorType::Mshv => create_vmm_ioctl_seccomp_rule_common_mshv(),
|
||||
#[allow(unreachable_patterns)]
|
||||
_ => panic!("Invalid hypervisor {:?}", hypervisor_type),
|
||||
}
|
||||
}
|
||||
|
||||
fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
fn create_vmm_ioctl_seccomp_rule_common(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<SeccompRule>, BackendError> {
|
||||
let mut common_rules = or![
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, BLKSSZGET)?],
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, BLKPBSZGET)?],
|
||||
@ -308,7 +314,7 @@ fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, BackendErr
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, VHOST_VDPA_GET_IOVA_RANGE)?],
|
||||
];
|
||||
|
||||
let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?;
|
||||
let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor(hypervisor_type)?;
|
||||
|
||||
common_rules.extend(hypervisor_rules);
|
||||
|
||||
@ -341,7 +347,7 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError>
|
||||
const KVM_SET_GUEST_DEBUG: u64 = 0x4048_ae9b;
|
||||
const KVM_TRANSLATE: u64 = 0xc018_ae85;
|
||||
|
||||
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
||||
let common_rules = create_vmm_ioctl_seccomp_rule_common(HypervisorType::Kvm)?;
|
||||
let mut arch_rules = or![
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_PIT2)?],
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CLOCK,)?],
|
||||
@ -377,7 +383,7 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError>
|
||||
const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf;
|
||||
const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae;
|
||||
|
||||
let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
|
||||
let common_rules = create_vmm_ioctl_seccomp_rule_common(HypervisorType::Kvm)?;
|
||||
let mut arch_rules = or![
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_PREFERRED_TARGET,)?],
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_VCPU_INIT,)?],
|
||||
@ -389,17 +395,20 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError>
|
||||
|
||||
#[cfg(all(target_arch = "x86_64", feature = "mshv"))]
|
||||
fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
create_vmm_ioctl_seccomp_rule_common()
|
||||
create_vmm_ioctl_seccomp_rule_common(HypervisorType::Mshv)
|
||||
}
|
||||
|
||||
fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
fn create_vmm_ioctl_seccomp_rule(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<SeccompRule>, BackendError> {
|
||||
match hypervisor_type {
|
||||
#[cfg(feature = "kvm")]
|
||||
let rules = create_vmm_ioctl_seccomp_rule_kvm();
|
||||
|
||||
HypervisorType::Kvm => create_vmm_ioctl_seccomp_rule_kvm(),
|
||||
#[cfg(feature = "mshv")]
|
||||
let rules = create_vmm_ioctl_seccomp_rule_mshv();
|
||||
|
||||
rules
|
||||
HypervisorType::Mshv => create_vmm_ioctl_seccomp_rule_mshv(),
|
||||
#[allow(unreachable_patterns)]
|
||||
_ => panic!("Invalid hypervisor {:?}", hypervisor_type),
|
||||
}
|
||||
}
|
||||
|
||||
fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
@ -465,7 +474,9 @@ fn pty_foreground_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, Backend
|
||||
|
||||
// The filter containing the white listed syscall rules required by the VMM to
|
||||
// function.
|
||||
fn vmm_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
fn vmm_thread_rules(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
Ok(vec![
|
||||
(libc::SYS_accept4, vec![]),
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
@ -506,7 +517,10 @@ fn vmm_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
(libc::SYS_gettid, vec![]),
|
||||
(libc::SYS_gettimeofday, vec![]),
|
||||
(libc::SYS_getuid, vec![]),
|
||||
(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
|
||||
(
|
||||
libc::SYS_ioctl,
|
||||
create_vmm_ioctl_seccomp_rule(hypervisor_type)?,
|
||||
),
|
||||
(libc::SYS_io_uring_enter, vec![]),
|
||||
(libc::SYS_io_uring_setup, vec![]),
|
||||
(libc::SYS_io_uring_register, vec![]),
|
||||
@ -619,17 +633,22 @@ fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendErro
|
||||
])
|
||||
}
|
||||
|
||||
fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
fn create_vcpu_ioctl_seccomp_rule_hypervisor(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<SeccompRule>, BackendError> {
|
||||
match hypervisor_type {
|
||||
#[cfg(feature = "kvm")]
|
||||
let rules = create_vcpu_ioctl_seccomp_rule_kvm();
|
||||
|
||||
HypervisorType::Kvm => create_vcpu_ioctl_seccomp_rule_kvm(),
|
||||
#[cfg(feature = "mshv")]
|
||||
let rules = create_vcpu_ioctl_seccomp_rule_mshv();
|
||||
|
||||
rules
|
||||
HypervisorType::Mshv => create_vcpu_ioctl_seccomp_rule_mshv(),
|
||||
#[allow(unreachable_patterns)]
|
||||
_ => panic!("Invalid hypervisor {:?}", hypervisor_type),
|
||||
}
|
||||
}
|
||||
|
||||
fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
fn create_vcpu_ioctl_seccomp_rule(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<SeccompRule>, BackendError> {
|
||||
let mut rules = or![
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
|
||||
and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
|
||||
@ -645,14 +664,16 @@ fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
|
||||
)?],
|
||||
];
|
||||
|
||||
let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?;
|
||||
let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor(hypervisor_type)?;
|
||||
|
||||
rules.extend(hypervisor_rules);
|
||||
|
||||
Ok(rules)
|
||||
}
|
||||
|
||||
fn vcpu_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
fn vcpu_thread_rules(
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
Ok(vec![
|
||||
(libc::SYS_brk, vec![]),
|
||||
(libc::SYS_clock_gettime, vec![]),
|
||||
@ -665,7 +686,10 @@ fn vcpu_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
(libc::SYS_futex, vec![]),
|
||||
(libc::SYS_getrandom, vec![]),
|
||||
(libc::SYS_getpid, vec![]),
|
||||
(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
|
||||
(
|
||||
libc::SYS_ioctl,
|
||||
create_vcpu_ioctl_seccomp_rule(hypervisor_type)?,
|
||||
),
|
||||
(libc::SYS_lseek, vec![]),
|
||||
(libc::SYS_madvise, vec![]),
|
||||
(libc::SYS_mmap, vec![]),
|
||||
@ -727,12 +751,15 @@ fn api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
])
|
||||
}
|
||||
|
||||
fn get_seccomp_rules(thread_type: Thread) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
fn get_seccomp_rules(
|
||||
thread_type: Thread,
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
|
||||
match thread_type {
|
||||
Thread::Api => Ok(api_thread_rules()?),
|
||||
Thread::SignalHandler => Ok(signal_handler_thread_rules()?),
|
||||
Thread::Vcpu => Ok(vcpu_thread_rules()?),
|
||||
Thread::Vmm => Ok(vmm_thread_rules()?),
|
||||
Thread::Vcpu => Ok(vcpu_thread_rules(hypervisor_type)?),
|
||||
Thread::Vmm => Ok(vmm_thread_rules(hypervisor_type)?),
|
||||
Thread::PtyForeground => Ok(pty_foreground_thread_rules()?),
|
||||
}
|
||||
}
|
||||
@ -741,11 +768,12 @@ fn get_seccomp_rules(thread_type: Thread) -> Result<Vec<(i64, Vec<SeccompRule>)>
|
||||
pub fn get_seccomp_filter(
|
||||
seccomp_action: &SeccompAction,
|
||||
thread_type: Thread,
|
||||
hypervisor_type: HypervisorType,
|
||||
) -> Result<BpfProgram, Error> {
|
||||
match seccomp_action {
|
||||
SeccompAction::Allow => Ok(vec![]),
|
||||
SeccompAction::Log => SeccompFilter::new(
|
||||
get_seccomp_rules(thread_type)
|
||||
get_seccomp_rules(thread_type, hypervisor_type)
|
||||
.map_err(Error::Backend)?
|
||||
.into_iter()
|
||||
.collect(),
|
||||
@ -756,7 +784,7 @@ pub fn get_seccomp_filter(
|
||||
.and_then(|filter| filter.try_into())
|
||||
.map_err(Error::Backend),
|
||||
_ => SeccompFilter::new(
|
||||
get_seccomp_rules(thread_type)
|
||||
get_seccomp_rules(thread_type, hypervisor_type)
|
||||
.map_err(Error::Backend)?
|
||||
.into_iter()
|
||||
.collect(),
|
||||
|
@ -471,7 +471,6 @@ pub struct Vm {
|
||||
numa_nodes: NumaNodes,
|
||||
seccomp_action: SeccompAction,
|
||||
exit_evt: EventFd,
|
||||
#[cfg(all(feature = "kvm", target_arch = "x86_64"))]
|
||||
hypervisor: Arc<dyn hypervisor::Hypervisor>,
|
||||
stop_on_boot: bool,
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
@ -534,6 +533,7 @@ impl Vm {
|
||||
let stop_on_boot = false;
|
||||
|
||||
let device_manager = DeviceManager::new(
|
||||
hypervisor.hypervisor_type(),
|
||||
vm.clone(),
|
||||
config.clone(),
|
||||
memory_manager.clone(),
|
||||
@ -617,7 +617,6 @@ impl Vm {
|
||||
numa_nodes,
|
||||
seccomp_action: seccomp_action.clone(),
|
||||
exit_evt,
|
||||
#[cfg(all(feature = "kvm", target_arch = "x86_64"))]
|
||||
hypervisor,
|
||||
stop_on_boot,
|
||||
#[cfg(target_arch = "x86_64")]
|
||||
@ -1969,8 +1968,11 @@ impl Vm {
|
||||
Ok(signals) => {
|
||||
self.signals = Some(signals.handle());
|
||||
let exit_evt = self.exit_evt.try_clone().map_err(Error::EventFdClone)?;
|
||||
let signal_handler_seccomp_filter =
|
||||
get_seccomp_filter(&self.seccomp_action, Thread::SignalHandler)
|
||||
let signal_handler_seccomp_filter = get_seccomp_filter(
|
||||
&self.seccomp_action,
|
||||
Thread::SignalHandler,
|
||||
self.hypervisor.hypervisor_type(),
|
||||
)
|
||||
.map_err(Error::CreateSeccompFilter)?;
|
||||
self.threads.push(
|
||||
thread::Builder::new()
|
||||
|
Loading…
Reference in New Issue
Block a user