diff --git a/Cargo.lock b/Cargo.lock
index bcd714187..5e0bee929 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2368,6 +2368,7 @@ dependencies = [
  "event_monitor",
  "libc",
  "log",
+ "mshv-ioctls",
  "net_gen",
  "net_util",
  "pci",
diff --git a/virtio-devices/Cargo.toml b/virtio-devices/Cargo.toml
index a96c71bd3..692803206 100644
--- a/virtio-devices/Cargo.toml
+++ b/virtio-devices/Cargo.toml
@@ -6,7 +6,7 @@ version = "0.1.0"
 
 [features]
 default = []
-sev_snp = []
+sev_snp = ["mshv-ioctls"]
 
 [dependencies]
 anyhow = "1.0.86"
@@ -17,6 +17,7 @@ epoll = "4.3.3"
 event_monitor = { path = "../event_monitor" }
 libc = "0.2.155"
 log = "0.4.22"
+mshv-ioctls = { git = "https://github.com/rust-vmm/mshv", tag = "v0.2.0", optional = true }
 net_gen = { path = "../net_gen" }
 net_util = { path = "../net_util" }
 pci = { path = "../pci" }
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 2bdfebb37..7ff27f90a 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -56,6 +56,17 @@ const VFIO_IOMMU_UNMAP_DMA: u64 = 0x3b72;
 // See include/uapi/linux/if_tun.h in the kernel code.
 const TUNSETOFFLOAD: u64 = 0x4004_54d0;
 
+#[cfg(feature = "sev_snp")]
+fn create_mshv_sev_snp_ioctl_seccomp_rule() -> Vec {
+    or![and![Cond::new(
+        1,
+        ArgLen::Dword,
+        Eq,
+        mshv_ioctls::MSHV_MODIFY_GPA_HOST_ACCESS()
+    )
+    .unwrap()]]
+}
+
 fn create_virtio_console_ioctl_seccomp_rule() -> Vec {
     or![and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()]]
 }
@@ -259,6 +270,8 @@ fn virtio_thread_common() -> Vec<(i64, Vec)> {
     (libc::SYS_epoll_wait, vec![]),
     (libc::SYS_exit, vec![]),
     (libc::SYS_futex, vec![]),
+    #[cfg(feature = "sev_snp")]
+    (libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
     (libc::SYS_madvise, vec![]),
     (libc::SYS_mmap, vec![]),
     (libc::SYS_mprotect, vec![]),
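Review bot: The new `mshv-ioctls` dependency in the second Cargo.toml hunk is pinned only by `tag = "v0.2.0"`, and a git tag can be moved to a different commit after the fact. The Cargo.lock entry records the resolved commit, but any re-lock of the workspace would resolve the tag again, so the manifest itself should carry the commit: `mshv-ioctls = { git = "https://github.com/rust-vmm/mshv", tag = "v0.2.0", rev = "<commit-sha placeholder>", optional = true }`. The `tag` can stay alongside `rev` for readability; `rev` is what makes the source immutable.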
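Review bot: `create_mshv_sev_snp_ioctl_seccomp_rule` in the first seccomp_filters.rs hunk has no comment saying what it permits, unlike the constants above it which cite their kernel header. Since the rule only matches argument 1 (the request number) and seccomp cannot constrain which fd the ioctl is issued on, that property is worth stating for the next person widening the filter: `// Allow only the MSHV_MODIFY_GPA_HOST_ACCESS ioctl needed under sev_snp; seccomp matches the request` `// number (arg 1) and cannot restrict the target fd, so keep this list minimal.` The `.unwrap()` on `Cond::new` matches the existing rule builders in this file, so it is consistent, though a brief note that a failure there is a programming error rather than a runtime condition would not hurt.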
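Review bot: Adding `(libc::SYS_ioctl, …)` to `virtio_thread_common` in the second seccomp_filters.rs hunk risks colliding with per-device ioctl rules such as the TIOCGWINSZ one built by `create_virtio_console_ioctl_seccomp_rule` above; if the common list is appended to a device-specific list and collected into a map keyed by syscall number, as seccompiler's filter constructor takes, the later `SYS_ioctl` entry replaces the earlier one instead of extending it, so under `sev_snp` a device thread would keep either its own ioctls or the MSHV one but not both. This is inferred from the rule builders visible in the file, not from the merge code, which is outside the hunk along with the rest of `virtio_thread_common`; please verify how the lists are combined. If the collision is real, the fix is to fold the MSHV rule into each device's own ioctl rule list (for example `rules.extend(create_mshv_sev_snp_ioctl_seccomp_rule())` under the same `cfg`) rather than adding a second `SYS_ioctl` key in the common list, and a test that builds the `sev_snp` filter for a console thread and asserts both ioctls are allowed would catch a regression.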