main, vmm: seccomp: Use SeccompAction instead of SeccompLevel

This patch replaces the usage of 'SeccompLevel' with 'SeccompAction', which is the first step to support the 'log' action over system calls that are not on the allowed list of seccomp filters. Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-02-22 03:12:27 +00:00 · 2020-07-30 14:21:58 -07:00 · 2020-07-30 14:21:58 -07:00 · b41884a406
commit b41884a406
parent bfc37bc8d3
4 changed files with 18 additions and 20 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -12,7 +12,7 @@ extern crate clap;
 use clap::{App, Arg, ArgGroup, ArgMatches};
 use libc::EFD_NONBLOCK;
 use log::LevelFilter;
-use seccomp::SeccompLevel;
+use seccomp::SeccompAction;
 use std::sync::mpsc::channel;
 use std::sync::{Arc, Mutex};
 use std::{env, process};
@ -288,18 +288,17 @@ fn start_vmm(cmd_arguments: ArgMatches) {
    let api_evt = EventFd::new(EFD_NONBLOCK).expect("Cannot create API EventFd");

    let http_sender = api_request_sender.clone();
-
-    let seccomp_level = if let Some(seccomp_value) = cmd_arguments.value_of("seccomp") {
+    let seccomp_action = if let Some(seccomp_value) = cmd_arguments.value_of("seccomp") {
        match seccomp_value {
-            "true" => SeccompLevel::Advanced,
-            "false" => SeccompLevel::None,
+            "true" => SeccompAction::Trap,
+            "false" => SeccompAction::Allow,
            _ => {
                eprintln!("Invalid parameter {} for \"--seccomp\" flag", seccomp_value);
                process::exit(1);
            }
        }
    } else {
-        SeccompLevel::Advanced
+        SeccompAction::Trap
    };
    let hypervisor = hypervisor::new().unwrap();
    let vmm_thread = match vmm::start_vmm_thread(
@ -308,7 +307,7 @@ fn start_vmm(cmd_arguments: ArgMatches) {
        api_evt.try_clone().unwrap(),
        http_sender,
        api_request_receiver,
-        &seccomp_level,
+        &seccomp_action,
        hypervisor,
    ) {
        Ok(t) => t,
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@ -8,7 +8,7 @@ use crate::api::{ApiError, ApiRequest, VmAction};
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::{Error, Result};
 use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
-use seccomp::{SeccompFilter, SeccompLevel};
+use seccomp::{SeccompAction, SeccompFilter};
 use serde_json::Error as SerdeError;
 use std::collections::HashMap;
 use std::path::PathBuf;
@ -241,14 +241,14 @@ pub fn start_http_thread(
    path: &str,
    api_notifier: EventFd,
    api_sender: Sender<ApiRequest>,
-    seccomp_level: &SeccompLevel,
+    seccomp_action: &SeccompAction,
 ) -> Result<thread::JoinHandle<Result<()>>> {
    std::fs::remove_file(path).unwrap_or_default();
    let socket_path = PathBuf::from(path);

    // Retrieve seccomp filter for API thread
    let api_seccomp_filter =
-        get_seccomp_filter(seccomp_level, Thread::Api).map_err(Error::CreateSeccompFilter)?;
+        get_seccomp_filter(seccomp_action, Thread::Api).map_err(Error::CreateSeccompFilter)?;

    thread::Builder::new()
        .name("http-server".to_string())
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -30,7 +30,7 @@ use crate::migration::{get_vm_snapshot, recv_vm_snapshot};
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::vm::{Error as VmError, Vm, VmState};
 use libc::EFD_NONBLOCK;
-use seccomp::{SeccompFilter, SeccompLevel};
+use seccomp::{SeccompAction, SeccompFilter};
 use serde::ser::{Serialize, SerializeStruct, Serializer};
 use std::fs::File;
 use std::io;
@ -214,14 +214,14 @@ pub fn start_vmm_thread(
    api_event: EventFd,
    api_sender: Sender<ApiRequest>,
    api_receiver: Receiver<ApiRequest>,
-    seccomp_level: &SeccompLevel,
+    seccomp_action: &SeccompAction,
    hypervisor: Arc<dyn hypervisor::Hypervisor>,
 ) -> Result<thread::JoinHandle<Result<()>>> {
    let http_api_event = api_event.try_clone().map_err(Error::EventFdClone)?;

    // Retrieve seccomp filter
    let vmm_seccomp_filter =
-        get_seccomp_filter(seccomp_level, Thread::Vmm).map_err(Error::CreateSeccompFilter)?;
+        get_seccomp_filter(seccomp_action, Thread::Vmm).map_err(Error::CreateSeccompFilter)?;

    // Find the path that the "/proc/<pid>/exe" symlink points to. Must be done before spawning
    // a thread as Rust does not put the child threads in the same thread group which prevents the
@ -242,7 +242,7 @@ pub fn start_vmm_thread(
        .map_err(Error::VmmThreadSpawn)?;

    // The VMM thread is started, we can start serving HTTP requests
-    api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?;
+    api::start_http_thread(http_path, http_api_event, api_sender, seccomp_action)?;

    Ok(thread)
 }
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -6,8 +6,7 @@

 use seccomp::{
    allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
-    SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompLevel,
-    SeccompRule,
+    SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
 };
 use std::convert::TryInto;

@ -381,17 +380,17 @@ pub fn api_thread_filter() -> Result<SeccompFilter, Error> {
    )?)
 }

-/// Generate a BPF program based on a seccomp level value.
+/// Generate a BPF program based on the seccomp_action value
 pub fn get_seccomp_filter(
-    seccomp_level: &SeccompLevel,
+    seccomp_action: &SeccompAction,
    thread_type: Thread,
 ) -> Result<BpfProgram, SeccompError> {
    let filter = match thread_type {
        Thread::Vmm => vmm_thread_filter(),
        Thread::Api => api_thread_filter(),
    };
-    match *seccomp_level {
-        SeccompLevel::None => Ok(vec![]),
+    match seccomp_action {
+        SeccompAction::Allow => Ok(vec![]),
        _ => filter
            .and_then(|filter| filter.try_into())
            .map_err(SeccompError::SeccompFilter),