virtio-devices: seccomp: Cleanup unused seccomp filter entries
The threads in question are no longer created and so no longer need seccomp rules for them. Signed-off-by: Rob Bradford <robert.bradford@intel.com>
This commit is contained in:
parent
334aa8c941
commit
c05010887f
@ -21,10 +21,7 @@ pub enum Thread {
|
|||||||
VirtioNetCtl,
|
VirtioNetCtl,
|
||||||
VirtioPmem,
|
VirtioPmem,
|
||||||
VirtioRng,
|
VirtioRng,
|
||||||
VirtioVhostBlk,
|
|
||||||
VirtioVhostFs,
|
VirtioVhostFs,
|
||||||
VirtioVhostNet,
|
|
||||||
VirtioVhostNetCtl,
|
|
||||||
VirtioVsock,
|
VirtioVsock,
|
||||||
VirtioWatchdog,
|
VirtioWatchdog,
|
||||||
}
|
}
|
||||||
@ -311,27 +308,6 @@ fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_vhost_blk_thread_rules() -> Vec<SyscallRuleSet> {
|
|
||||||
vec![
|
|
||||||
allow_syscall(libc::SYS_brk),
|
|
||||||
allow_syscall(libc::SYS_close),
|
|
||||||
allow_syscall(libc::SYS_dup),
|
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
|
||||||
#[cfg(target_arch = "x86_64")]
|
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
|
||||||
allow_syscall(libc::SYS_exit),
|
|
||||||
allow_syscall(libc::SYS_futex),
|
|
||||||
allow_syscall(libc::SYS_madvise),
|
|
||||||
allow_syscall(libc::SYS_munmap),
|
|
||||||
allow_syscall(libc::SYS_read),
|
|
||||||
allow_syscall(libc::SYS_rt_sigprocmask),
|
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
|
fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
|
||||||
vec![
|
vec![
|
||||||
allow_syscall(libc::SYS_brk),
|
allow_syscall(libc::SYS_brk),
|
||||||
@ -356,46 +332,6 @@ fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
fn virtio_vhost_net_thread_rules() -> Vec<SyscallRuleSet> {
|
|
||||||
vec![
|
|
||||||
allow_syscall(libc::SYS_brk),
|
|
||||||
allow_syscall(libc::SYS_close),
|
|
||||||
allow_syscall(libc::SYS_dup),
|
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
|
||||||
#[cfg(target_arch = "x86_64")]
|
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
|
||||||
allow_syscall(libc::SYS_futex),
|
|
||||||
allow_syscall(libc::SYS_read),
|
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
|
||||||
allow_syscall(libc::SYS_munmap),
|
|
||||||
allow_syscall(libc::SYS_madvise),
|
|
||||||
allow_syscall(libc::SYS_exit),
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
|
|
||||||
vec![
|
|
||||||
allow_syscall(libc::SYS_brk),
|
|
||||||
allow_syscall(libc::SYS_close),
|
|
||||||
allow_syscall(libc::SYS_dup),
|
|
||||||
allow_syscall(libc::SYS_epoll_create1),
|
|
||||||
allow_syscall(libc::SYS_epoll_ctl),
|
|
||||||
allow_syscall(libc::SYS_epoll_pwait),
|
|
||||||
#[cfg(target_arch = "x86_64")]
|
|
||||||
allow_syscall(libc::SYS_epoll_wait),
|
|
||||||
allow_syscall(libc::SYS_exit),
|
|
||||||
allow_syscall(libc::SYS_futex),
|
|
||||||
allow_syscall(libc::SYS_munmap),
|
|
||||||
allow_syscall(libc::SYS_madvise),
|
|
||||||
allow_syscall(libc::SYS_read),
|
|
||||||
allow_syscall(libc::SYS_sigaltstack),
|
|
||||||
allow_syscall(libc::SYS_write),
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
|
or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
|
||||||
}
|
}
|
||||||
@ -462,10 +398,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
|
|||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules(),
|
Thread::VirtioRng => virtio_rng_thread_rules(),
|
||||||
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
|
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
||||||
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
|
|
||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
|
|
||||||
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
||||||
};
|
};
|
||||||
@ -484,10 +417,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
|
|||||||
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
|
||||||
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
Thread::VirtioPmem => virtio_pmem_thread_rules(),
|
||||||
Thread::VirtioRng => virtio_rng_thread_rules(),
|
Thread::VirtioRng => virtio_rng_thread_rules(),
|
||||||
Thread::VirtioVhostBlk => virtio_vhost_blk_thread_rules(),
|
|
||||||
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
|
||||||
Thread::VirtioVhostNet => virtio_vhost_net_thread_rules(),
|
|
||||||
Thread::VirtioVhostNetCtl => virtio_vhost_net_ctl_thread_rules(),
|
|
||||||
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
Thread::VirtioVsock => virtio_vsock_thread_rules(),
|
||||||
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
|
||||||
};
|
};
|
||||||
|