virtio-devices: Add seccomp filter list for net worker thread

This patch adds the seccomp filter list for the virtio_net thread, while the list was already added for the virtio_net_ctl thread. Partially fixes: #925 Signed-off-by: Bo Chen <chen.bo@intel.com>
2024-10-04 04:25:45 +00:00 · 2020-08-14 14:55:53 -07:00 · 2020-08-14 14:55:53 -07:00 · c70ad27247
commit c70ad27247
parent 3d6d9ca4de
2 changed files with 30 additions and 1 deletions
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@ -490,10 +490,16 @@ impl VirtioDevice for Net {

                let paused = self.paused.clone();
                let paused_sync = self.paused_sync.clone();
+                // Retrieve seccomp filter for virtio_net thread
+                let virtio_net_seccomp_filter =
+                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
+                        .map_err(ActivateError::CreateSeccompFilter)?;
                thread::Builder::new()
                    .name("virtio_net".to_string())
                    .spawn(move || {
-                        if let Err(e) = handler.run(paused, paused_sync) {
+                        if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
+                            error!("Error applying seccomp filter: {:?}", e);
+                        } else if let Err(e) = handler.run(paused, paused_sync) {
                            error!("Error running worker: {:?}", e);
                        }
                    })
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -13,6 +13,7 @@ pub enum Thread {
    VirtioBlk,
    VirtioConsole,
    VirtioIommu,
+    VirtioNet,
    VirtioNetCtl,
    VirtioPmem,
    VirtioRng,
@ -96,6 +97,26 @@ fn virtio_iommu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    ])
 }

+fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+    Ok(vec![
+        allow_syscall(libc::SYS_close),
+        allow_syscall(libc::SYS_epoll_create1),
+        allow_syscall(libc::SYS_epoll_ctl),
+        allow_syscall(libc::SYS_dup),
+        allow_syscall(libc::SYS_epoll_pwait),
+        #[cfg(target_arch = "x86_64")]
+        allow_syscall(libc::SYS_epoll_wait),
+        allow_syscall(libc::SYS_exit),
+        allow_syscall(libc::SYS_futex),
+        allow_syscall(libc::SYS_madvise),
+        allow_syscall(libc::SYS_munmap),
+        allow_syscall(libc::SYS_read),
+        allow_syscall(libc::SYS_rt_sigprocmask),
+        allow_syscall(libc::SYS_sigaltstack),
+        allow_syscall(libc::SYS_write),
+    ])
+}
+
 fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
    Ok(vec![
        allow_syscall(libc::SYS_close),
@ -166,6 +187,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
        Thread::VirtioRng => virtio_rng_thread_rules()?,
@ -182,6 +204,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioBlk => virtio_blk_thread_rules()?,
        Thread::VirtioConsole => virtio_console_thread_rules()?,
        Thread::VirtioIommu => virtio_iommu_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
        Thread::VirtioPmem => virtio_pmem_thread_rules()?,
        Thread::VirtioRng => virtio_rng_thread_rules()?,