virtio-devices: seccomp: Add seccomp filters for net thread

This patch enables the seccomp filters for the net worker thread.

Partially fixes: #925

Signed-off-by: Bo Chen <chen.bo@intel.com>

virtio-devices/src/net.rs

@@ -14,12 +14,14 @@ use super::{
     ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue,
     VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST,
 };
+use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::VirtioInterrupt;
 use anyhow::anyhow;
 use libc::EFD_NONBLOCK;
 use net_util::{
     open_tap, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, Tap, TxVirtio,
 };
+use seccomp::{SeccompAction, SeccompFilter};
 use std::collections::HashMap;
 use std::net::Ipv4Addr;
 use std::num::Wrapping;
@@ -204,6 +206,7 @@ pub struct Net {
     paused: Arc<AtomicBool>,
     queue_size: Vec<u16>,
     counters: NetCounters,
+    seccomp_action: SeccompAction,
 }
 
 #[derive(Serialize, Deserialize)]
@@ -223,6 +226,7 @@ impl Net {
         iommu: bool,
         num_queues: usize,
         queue_size: u16,
+        seccomp_action: SeccompAction,
     ) -> Result<Self> {
         let mut avail_features = 1 << VIRTIO_NET_F_GUEST_CSUM
             | 1 << VIRTIO_NET_F_CSUM
@@ -262,6 +266,7 @@ impl Net {
             paused: Arc::new(AtomicBool::new(false)),
             queue_size: vec![queue_size; queue_num],
             counters: NetCounters::default(),
+            seccomp_action,
         })
     }
 
@@ -278,11 +283,20 @@ impl Net {
         iommu: bool,
         num_queues: usize,
         queue_size: u16,
+        seccomp_action: SeccompAction,
     ) -> Result<Self> {
         let taps = open_tap(if_name, ip_addr, netmask, host_mac, num_queues / 2)
             .map_err(Error::OpenTap)?;
 
-        Self::new_with_tap(id, taps, guest_mac, iommu, num_queues, queue_size)
+        Self::new_with_tap(
+            id,
+            taps,
+            guest_mac,
+            iommu,
+            num_queues,
+            queue_size,
+            seccomp_action,
+        )
     }
 
     fn state(&self) -> NetState {
@@ -404,9 +418,18 @@ impl VirtioDevice for Net {
                 };
 
                 let paused = self.paused.clone();
+                // Retrieve seccomp filter for virtio_net thread
+                let virtio_net_seccomp_filter =
+                    get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
+                        .map_err(ActivateError::CreateSeccompFilter)?;
                 thread::Builder::new()
                     .name("virtio_net".to_string())
-                    .spawn(move || ctrl_handler.run_ctrl(paused))
+                    .spawn(move || {
+                        SeccompFilter::apply(virtio_net_seccomp_filter)
+                            .map_err(DeviceError::ApplySeccompFilter)?;
+
+                        ctrl_handler.run_ctrl(paused)
+                    })
                     .map(|thread| self.ctrl_queue_epoll_thread = Some(thread))
                     .map_err(|e| {
                         error!("failed to clone queue EventFd: {}", e);

virtio-devices/src/seccomp_filters.rs

@@ -12,6 +12,7 @@ use std::convert::TryInto;
 pub enum Thread {
     VirtioBlk,
     VirtioConsole,
+    VirtioNet,
     VirtioRng,
 }
 
@@ -78,6 +79,24 @@ fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
     ])
 }
 
+fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+    Ok(vec![
+        allow_syscall(libc::SYS_close),
+        allow_syscall(libc::SYS_epoll_create1),
+        allow_syscall(libc::SYS_epoll_ctl),
+        allow_syscall(libc::SYS_epoll_pwait),
+        #[cfg(target_arch = "x86_64")]
+        allow_syscall(libc::SYS_epoll_wait),
+        allow_syscall(libc::SYS_exit),
+        allow_syscall(libc::SYS_futex),
+        allow_syscall(libc::SYS_madvise),
+        allow_syscall(libc::SYS_munmap),
+        allow_syscall(libc::SYS_read),
+        allow_syscall(libc::SYS_rt_sigprocmask),
+        allow_syscall(libc::SYS_sigaltstack),
+    ])
+}
+
 fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
     Ok(vec![
         allow_syscall(libc::SYS_close),
@@ -106,6 +125,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
     let rules = match thread_type {
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };
 
@@ -119,6 +139,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
     let rules = match thread_type {
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };
 

vmm/src/device_manager.rs

@@ -1903,6 +1903,7 @@ impl DeviceManager {
                         net_cfg.iommu,
                         net_cfg.num_queues,
                         net_cfg.queue_size,
+                        self.seccomp_action.clone(),
                     )
                     .map_err(DeviceManagerError::CreateVirtioNet)?,
                 ))
@@ -1918,6 +1919,7 @@ impl DeviceManager {
                         net_cfg.iommu,
                         net_cfg.num_queues,
                         net_cfg.queue_size,
+                        self.seccomp_action.clone(),
                     )
                     .map_err(DeviceManagerError::CreateVirtioNet)?,
                 ))