virtio-devices: seccomp: Cleanup unused seccomp filter entries

The threads in question are no longer created and so no longer need seccomp rules for them. Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2024-10-03 20:15:45 +00:00 · 2021-05-18 17:12:05 +01:00 · 2021-05-18 17:12:05 +01:00 · c05010887f
commit c05010887f
parent 334aa8c941
1 changed files with 0 additions and 70 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -21,10 +21,7 @@ pub enum Thread {
    VirtioNetCtl,
    VirtioPmem,
    VirtioRng,
-    VirtioVhostBlk,
    VirtioVhostFs,
-    VirtioVhostNet,
-    VirtioVhostNetCtl,
    VirtioVsock,
    VirtioWatchdog,
 }
@ -311,27 +308,6 @@ fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
    ]
 }

-fn virtio_vhost_blk_thread_rules() -> Vec<SyscallRuleSet> {
-    vec![
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
-        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
-    ]
-}
-
 fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
    vec![
        allow_syscall(libc::SYS_brk),
@ -356,46 +332,6 @@ fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
    ]
 }

-fn virtio_vhost_net_thread_rules() -> Vec<SyscallRuleSet> {
-    vec![
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
-        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_write),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_exit),
-    ]
-}
-
-fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
-    vec![
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
-        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
-    ]
-}
-
 fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
    or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
 }
@ -462,10 +398,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules(),
        Thread::VirtioRng => virtio_rng_thread_rules(),
-        Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
-        Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
-        Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
        Thread::VirtioVsock => virtio_vsock_thread_rules(),
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
    };
@ -484,10 +417,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules(),
        Thread::VirtioRng => virtio_rng_thread_rules(),
-        Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
-        Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
-        Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
        Thread::VirtioVsock => virtio_vsock_thread_rules(),
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
    };