virtio-devices: seccomp: Add seccomp filters for mem thread

This patch enables the seccomp filters for the mem worker thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-01-21 20:15:21 +00:00 · 2020-08-17 18:48:52 -07:00 · 2020-08-17 18:48:52 -07:00 · c460178723
commit c460178723
parent c30ff62a7a
3 changed files with 37 additions and 2 deletions
--- a/virtio-devices/src/mem.rs
+++ b/virtio-devices/src/mem.rs
@ -19,8 +19,10 @@ use super::{
    VIRTIO_F_VERSION_1,
 };

+use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::{VirtioInterrupt, VirtioInterruptType};
 use libc::EFD_NONBLOCK;
+use seccomp::{SeccompAction, SeccompFilter};
 use std::cmp;
 use std::io;
 use std::mem::size_of;
@ -692,11 +694,17 @@ pub struct Mem {
    epoll_threads: Option<Vec<thread::JoinHandle<()>>>,
    paused: Arc<AtomicBool>,
    paused_sync: Arc<Barrier>,
+    seccomp_action: SeccompAction,
 }

 impl Mem {
    // Create a new virtio-mem device.
-    pub fn new(id: String, region: &Arc<GuestRegionMmap>, resize: Resize) -> io::Result<Mem> {
+    pub fn new(
+        id: String,
+        region: &Arc<GuestRegionMmap>,
+        resize: Resize,
+        seccomp_action: SeccompAction,
+    ) -> io::Result<Mem> {
        let region_len = region.len();

        if region_len != region_len / VIRTIO_MEM_DEFAULT_BLOCK_SIZE * VIRTIO_MEM_DEFAULT_BLOCK_SIZE
@ -743,6 +751,7 @@ impl Mem {
            epoll_threads: None,
            paused: Arc::new(AtomicBool::new(false)),
            paused_sync: Arc::new(Barrier::new(2)),
+            seccomp_action,
        })
    }
 }
@ -852,10 +861,15 @@ impl VirtioDevice for Mem {
        let paused = self.paused.clone();
        let paused_sync = self.paused_sync.clone();
        let mut epoll_threads = Vec::new();
+        // Retrieve seccomp filter for virtio_mem thread
+        let virtio_mem_seccomp_filter = get_seccomp_filter(&self.seccomp_action, Thread::VirtioMem)
+            .map_err(ActivateError::CreateSeccompFilter)?;
        thread::Builder::new()
            .name("virtio_mem".to_string())
            .spawn(move || {
-                if let Err(e) = handler.run(paused, paused_sync) {
+                if let Err(e) = SeccompFilter::apply(virtio_mem_seccomp_filter) {
+                    error!("Error applying seccomp filter: {:?}", e);
+                } else if let Err(e) = handler.run(paused, paused_sync) {
                    error!("Error running worker: {:?}", e);
                }
            })
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -13,6 +13,7 @@ pub enum Thread {
    VirtioBlk,
    VirtioConsole,
    VirtioIommu,
+    VirtioMem,
    VirtioNet,
    VirtioNetCtl,
    VirtioPmem,
@ -99,6 +100,23 @@ fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    ])
 }

+fn virtio_mem_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+    Ok(vec![
+        allow_syscall(libc::SYS_brk),
+        allow_syscall(libc::SYS_dup),
+        allow_syscall(libc::SYS_epoll_create1),
+        allow_syscall(libc::SYS_epoll_ctl),
+        allow_syscall(libc::SYS_epoll_pwait),
+        #[cfg(target_arch = "x86_64")]
+        allow_syscall(libc::SYS_epoll_wait),
+        allow_syscall(libc::SYS_fallocate),
+        allow_syscall(libc::SYS_futex),
+        allow_syscall(libc::SYS_madvise),
+        allow_syscall(libc::SYS_read),
+        allow_syscall(libc::SYS_write),
+    ])
+}
+
 fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    Ok(vec![
        allow_syscall(libc::SYS_brk),
@ -193,6 +211,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
+        Thread::VirtioMem => virtio_mem_thread_rules()?,
        Thread::VirtioNet => virtio_net_thread_rules()?,
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
@ -210,6 +229,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
+        Thread::VirtioMem => virtio_mem_thread_rules()?,
        Thread::VirtioNet => virtio_net_thread_rules()?,
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
--- a/vmm/src/device_manager.rs
+++ b/vmm/src/device_manager.rs
@ -2417,6 +2417,7 @@ impl DeviceManager {
                    resize
                        .try_clone()
                        .map_err(DeviceManagerError::TryCloneVirtioMemResize)?,
+                    self.seccomp_action.clone(),
                )
                .map_err(DeviceManagerError::CreateVirtioMem)?,
            ));