virtio-devices: Fix seccomp rules for SevSnp

With cd0cdac ("virtio-devices: Fix seccomp rules for SevSnp guest"), the sys_ioctl rule that was applied in virtio_thread_common, would override previously specified sys_ioctl rules for individual thread type. This causes the SevSnp guest to crash with seccomp violation. Fixes: cd0cdac ("virtio-devices: Fix seccomp rules for SevSnp guest") Signed-off-by: Purna Pavan Chandra <paekkaladevi@microsoft.com>
2024-10-18 19:09:15 +00:00 · 2024-09-06 16:03:32 +00:00 · 2024-09-06 16:03:32 +00:00 · d10f6ca714
commit d10f6ca714
parent 1b816a358d
1 changed files with 29 additions and 8 deletions
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -57,18 +57,27 @@ const VFIO_IOMMU_UNMAP_DMA: u64 = 0x3b72;
 const TUNSETOFFLOAD: u64 = 0x4004_54d0;
 #[cfg(feature = "sev_snp")]
-fn create_mshv_sev_snp_ioctl_seccomp_rule() -> Vec<SeccompRule> {
+fn mshv_sev_snp_ioctl_seccomp_rule() -> SeccompRule {
-    or![and![Cond::new(
+    and![Cond::new(
        1,
        ArgLen::Dword,
        Eq,
        mshv_ioctls::MSHV_MODIFY_GPA_HOST_ACCESS()
    )
-    .unwrap()]]
+    .unwrap()]
 }
 #[cfg(feature = "sev_snp")]
 fn create_mshv_sev_snp_ioctl_seccomp_rule() -> Vec<SeccompRule> {
    or![mshv_sev_snp_ioctl_seccomp_rule()]
 }
 fn create_virtio_console_ioctl_seccomp_rule() -> Vec<SeccompRule> {
-    or![and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()]]
+    or![
        and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ).unwrap()],
        #[cfg(feature = "sev_snp")]
        mshv_sev_snp_ioctl_seccomp_rule(),
    ]
 }
 fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> {
@ -96,6 +105,8 @@ fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_fsync, vec![]),
        (libc::SYS_ftruncate, vec![]),
        (libc::SYS_getrandom, vec![]),
        #[cfg(feature = "sev_snp")]
        (libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
        (libc::SYS_io_destroy, vec![]),
        (libc::SYS_io_getevents, vec![]),
        (libc::SYS_io_submit, vec![]),
@ -138,11 +149,17 @@ fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_readv, vec![]),
        (libc::SYS_timerfd_settime, vec![]),
        (libc::SYS_writev, vec![]),
        #[cfg(feature = "sev_snp")]
        (libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
    ]
 }
 fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Vec<SeccompRule> {
-    or![and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],]
+    or![
        and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],
        #[cfg(feature = "sev_snp")]
        mshv_sev_snp_ioctl_seccomp_rule(),
    ]
 }
 fn virtio_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
@ -157,6 +174,8 @@ fn virtio_rng_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
        (libc::SYS_sched_getaffinity, vec![]),
        (libc::SYS_set_robust_list, vec![]),
        #[cfg(feature = "sev_snp")]
        (libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
    ]
 }
@ -210,7 +229,11 @@ fn virtio_vhost_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
 }
 fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
-    or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],]
+    or![
        and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],
        #[cfg(feature = "sev_snp")]
        mshv_sev_snp_ioctl_seccomp_rule(),
    ]
 }
 fn virtio_vsock_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
@ -270,8 +293,6 @@ fn virtio_thread_common() -> Vec<(i64, Vec<SeccompRule>)> {
        (libc::SYS_epoll_wait, vec![]),
        (libc::SYS_exit, vec![]),
        (libc::SYS_futex, vec![]),
        #[cfg(feature = "sev_snp")]
        (libc::SYS_ioctl, create_mshv_sev_snp_ioctl_seccomp_rule()),
        (libc::SYS_madvise, vec![]),
        (libc::SYS_mmap, vec![]),
        (libc::SYS_mprotect, vec![]),