virtio-devices: Fix seccomp rules for SevSnp guest
With commit 1e967697c
("vmm: pass AccessPlatform implementation for SEV-SNP guest"), we started performing one additional ioctl to gain access to the guest memory before accessing those regions inside the virtio-device emulation code path. This additional ioctl is not part of the current seccomp filter, which is causing the SevSnp guest to crash in this scenario with a seccomp violation. Fixes: 1e967697c
("vmm: pass AccessPlatform implementation for SEV-SNP guest") Signed-off-by: Jinank Jain <jinankjain@microsoft.com>
This commit is contained in:
parent
a4cf175b8e
commit
cd0cdac0ed
1
Cargo.lock
generated
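--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2368,6 +2368,7 @@ dependencies = [
 "event_monitor",
 "libc",
 "log",
+"mshv-ioctls",
 "net_gen",
 "net_util",
 "pci",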
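--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -6,7 +6,7 @@ version = "0.1.0"
 
 [features]
 default = []
-sev_snp = []
+sev_snp = ["mshv-ioctls"]
 
 [dependencies]
 anyhow = "1.0.86"
@@ -17,6 +17,7 @@ epoll = "4.3.3"
 event_monitor = { path = "../event_monitor" }
 libc = "0.2.155"
 log = "0.4.22"
+mshv-ioctls = { git = "https://github.com/rust-vmm/mshv", tag = "v0.2.0", optional = true }
 net_gen = { path = "../net_gen" }
 net_util = { path = "../net_util" }
 pci = { path = "../pci" }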
@ -56,6 +56,17 @@ const VFIO_IOMMU_UNMAP_DMA: u64 = 0x3b72;
|
|||||||
// See include/uapi/linux/if_tun.h in the kernel code.
|
// See include/uapi/linux/if_tun.h in the kernel code.
|
||||||
const TUNSETOFFLOAD: u64 = 0x4004_54d0;
|
const TUNSETOFFLOAD: u64 = 0x4004_54d0;
|
||||||
|
|
||||||
|
#[cfg(feature = "sev_snp")]
|
||||||
|
fn create_mshv_sev_snp_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
|
or![and![Cond::new(
|
||||||
|
1,
|
||||||
|
ArgLen::Dword,
|
||||||
|
Eq,
|
||||||
|
mshv_ioctls::MSHV_MODIFY_GPA_HOST_ACCESS()
|
||||||
|
)
|
||||||
|
.unwrap()]]
|
||||||
|
}
|
||||||
|
|
||||||
fn create_virtio_console_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
fn create_virtio_console_ioctl_seccomp_rule() -> Vec<SeccompRule> {
|
||||||
or![and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()]]
|
or![and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()]]
|
||||||
}
|
}
|
||||||
@ -259,6 +270,8 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
|
|||||||
(libc::SYS_epoll_wait, vec![]),
|
(libc::SYS_epoll_wait, vec![]),
|
||||||
(libc::SYS_exit, vec![]),
|
(libc::SYS_exit, vec![]),
|
||||||
(libc::SYS_futex, vec![]),
|
(libc::SYS_futex, vec![]),
|
||||||
|
#[cfg(feature = "sev_snp")]
|
||||||
|
(libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
|
||||||
(libc::SYS_madvise, vec![]),
|
(libc::SYS_madvise, vec![]),
|
||||||
(libc::SYS_mmap, vec![]),
|
(libc::SYS_mmap, vec![]),
|
||||||
(libc::SYS_mprotect, vec![]),
|
(libc::SYS_mprotect, vec![]),
|
||||||
|
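Review bot: The new `(libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule())` entry in `virtio_thread_common` is keyed by the same syscall number as the per-device ioctl rules such as the one `create_virtio_console_ioctl_seccomp_rule` produces, so if the combined rule list is later collected into a map keyed by syscall (that code is outside the hunk) one `SYS_ioctl` entry will silently replace the other and either the SEV-SNP ioctl or the device's own ioctl will still be rejected by the filter. It would be safer to append the SEV-SNP condition to each device's ioctl `or!` list, or to merge rule vectors per syscall when the filter is built, rather than adding a second `SYS_ioctl` key in the common set, and to cover it with a test that builds the filter with the `sev_snp` feature enabled. `create_mshv_sev_snp_ioctl_seccomp_rule` also deserves a doc comment stating why a virtio thread needs this ioctl at all, e.g. `/// Allows MSHV_MODIFY_GPA_HOST_ACCESS, which the SEV-SNP AccessPlatform issues before virtio code touches guest memory.` `virtio_thread_common` starts and ends outside the second hunk.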