virtio-devices: seccomp: Cleanup unused seccomp filter entries

The threads in question are no longer created and so no longer need
seccomp rules for them.

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Rob Bradford 2021-05-18 17:12:05 +01:00 committed by Sebastien Boeuf
parent 334aa8c941
commit c05010887f


@ -21,10 +21,7 @@ pub enum Thread {
VirtioNetCtl, VirtioNetCtl,
VirtioPmem, VirtioPmem,
VirtioRng, VirtioRng,
VirtioVhostBlk,
VirtioVhostFs, VirtioVhostFs,
VirtioVhostNet,
VirtioVhostNetCtl,
VirtioVsock, VirtioVsock,
VirtioWatchdog, VirtioWatchdog,
} }
@ -311,27 +308,6 @@ fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
] ]
} }
fn virtio_vhost_blk_thread_rules() -> Vec<SyscallRuleSet> {
vec![
allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_rt_sigprocmask),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
]
}
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> { fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
vec![ vec![
allow_syscall(libc::SYS_brk), allow_syscall(libc::SYS_brk),
@ -356,46 +332,6 @@ fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
] ]
} }
fn virtio_vhost_net_thread_rules() -> Vec<SyscallRuleSet> {
vec![
allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_write),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_exit),
]
}
fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
vec![
allow_syscall(libc::SYS_brk),
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_dup),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
]
}
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> { fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],] or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
} }
@ -462,10 +398,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(),
Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(),
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
Thread::VirtioVsock => virtio_vsock_thread_rules(), Thread::VirtioVsock => virtio_vsock_thread_rules(),
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
}; };
@ -484,10 +417,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?, Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
Thread::VirtioPmem => virtio_pmem_thread_rules(), Thread::VirtioPmem => virtio_pmem_thread_rules(),
Thread::VirtioRng => virtio_rng_thread_rules(), Thread::VirtioRng => virtio_rng_thread_rules(),
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(), Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
Thread::VirtioVsock => virtio_vsock_thread_rules(), Thread::VirtioVsock => virtio_vsock_thread_rules(),
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(), Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
}; };