External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-10-18 10:59:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: Fix seccomp rules for SevSnp guest

Browse Source 
With commit 1e967697c ("vmm: pass AccessPlatform implementation for
SEV-SNP guest"), we started performing one additional ioctl to gain
access to the guest memory before accessing those regions inside
virtio-device emulation code path. This additional ioctl is not part of
the current seccomp filter, which is causing the SevSnp guest to crash
in this scenario with seccomp violation.

Fixes: 1e967697c ("vmm: pass AccessPlatform implementation for SEV-SNP
guest")
Signed-off-by: Jinank Jain <jinankjain@microsoft.com>
This commit is contained in:
Jinank Jain 2024-08-28 14:04:50 +05:30 committed by Bo Chen
parent a4cf175b8e
commit cd0cdac0ed
3 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.lock generated
View File

@ -2368,6 +2368,7 @@ dependencies = [
"event_monitor",
"libc",
"log",
"mshv-ioctls",
"net_gen",
"net_util",
"pci",

3
virtio-devices/Cargo.toml
View File

@ -6,7 +6,7 @@ version = "0.1.0"
[features]
default = []
sev_snp = []
sev_snp = ["mshv-ioctls"]
[dependencies]
anyhow = "1.0.86"
@ -17,6 +17,7 @@ epoll = "4.3.3"
event_monitor = { path = "../event_monitor" }
libc = "0.2.155"
log = "0.4.22"
mshv-ioctls = { git = "https://github.com/rust-vmm/mshv", tag = "v0.2.0", optional = true }
net_gen = { path = "../net_gen" }
net_util = { path = "../net_util" }
pci = { path = "../pci" }

13
virtio-devices/src/seccomp_filters.rs
View File

@ -56,6 +56,17 @@ const VFIO_IOMMU_UNMAP_DMA: u64 = 0x3b72;
// See include/uapi/linux/if_tun.h in the kernel code.
const TUNSETOFFLOAD: u64 = 0x4004_54d0;
#[cfg(feature = "sev_snp")]
fn create_mshv_sev_snp_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![and![Cond::new(
1,
ArgLen::Dword,
Eq,
mshv_ioctls::MSHV_MODIFY_GPA_HOST_ACCESS()
)
.unwrap()]]
}
fn create_virtio_console_ioctl_seccomp_rule() -> Vec<SeccompRule> {
or![and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()]]
}
@ -259,6 +270,8 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
(libc::SYS_epoll_wait, vec![]),
(libc::SYS_exit, vec![]),
(libc::SYS_futex, vec![]),
#[cfg(feature = "sev_snp")]
(libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
(libc::SYS_madvise, vec![]),
(libc::SYS_mmap, vec![]),
(libc::SYS_mprotect, vec![]),