diff --git a/virtio-devices/src/net.rs b/virtio-devices/src/net.rs
index b8183d9c4..5db93bafa 100644
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@@ -14,12 +14,14 @@ use super::{
     ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue,
     VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST,
 };
+use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::VirtioInterrupt;
 use anyhow::anyhow;
 use libc::EFD_NONBLOCK;
 use net_util::{
     open_tap, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, Tap, TxVirtio,
 };
+use seccomp::{SeccompAction, SeccompFilter};
 use std::collections::HashMap;
 use std::net::Ipv4Addr;
 use std::num::Wrapping;
@@ -204,6 +206,7 @@ pub struct Net {
     paused: Arc,
     queue_size: Vec,
     counters: NetCounters,
+    seccomp_action: SeccompAction,
 }
 
 #[derive(Serialize, Deserialize)]
@@ -223,6 +226,7 @@ impl Net {
         iommu: bool,
         num_queues: usize,
         queue_size: u16,
+        seccomp_action: SeccompAction,
     ) -> Result {
         let mut avail_features = 1 << VIRTIO_NET_F_GUEST_CSUM
             | 1 << VIRTIO_NET_F_CSUM
@@ -262,6 +266,7 @@ impl Net {
             paused: Arc::new(AtomicBool::new(false)),
             queue_size: vec![queue_size; queue_num],
             counters: NetCounters::default(),
+            seccomp_action,
         })
     }
 
@@ -278,11 +283,20 @@ impl Net {
         iommu: bool,
         num_queues: usize,
         queue_size: u16,
+        seccomp_action: SeccompAction,
     ) -> Result {
         let taps = open_tap(if_name, ip_addr, netmask, host_mac, num_queues / 2)
             .map_err(Error::OpenTap)?;
 
-        Self::new_with_tap(id, taps, guest_mac, iommu, num_queues, queue_size)
+        Self::new_with_tap(
+            id,
+            taps,
+            guest_mac,
+            iommu,
+            num_queues,
+            queue_size,
+            seccomp_action,
+        )
     }
 
     fn state(&self) -> NetState {
@@ -404,9 +418,18 @@ impl VirtioDevice for Net {
         };
         let paused = self.paused.clone();
 
+        // Retrieve seccomp filter for virtio_net thread
+        let virtio_net_seccomp_filter =
+            get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
+                .map_err(ActivateError::CreateSeccompFilter)?;
         thread::Builder::new()
             .name("virtio_net".to_string())
-            .spawn(move || ctrl_handler.run_ctrl(paused))
+            .spawn(move || {
+                SeccompFilter::apply(virtio_net_seccomp_filter)
+                    .map_err(DeviceError::ApplySeccompFilter)?;
+
+                ctrl_handler.run_ctrl(paused)
+            })
             .map(|thread| self.ctrl_queue_epoll_thread = Some(thread))
             .map_err(|e| {
                 error!("failed to clone queue EventFd: {}", e);
diff --git a/virtio-devices/src/seccomp_filters.rs b/virtio-devices/src/seccomp_filters.rs
index 8ab3f9b95..252542145 100644
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@@ -12,6 +12,7 @@ use std::convert::TryInto;
 pub enum Thread {
     VirtioBlk,
     VirtioConsole,
+    VirtioNet,
     VirtioRng,
 }
 
@@ -78,6 +79,24 @@ fn virtio_console_thread_rules() -> Result, Error> {
     ])
 }
 
+fn virtio_net_thread_rules() -> Result, Error> {
+    Ok(vec![
+        allow_syscall(libc::SYS_close),
+        allow_syscall(libc::SYS_epoll_create1),
+        allow_syscall(libc::SYS_epoll_ctl),
+        allow_syscall(libc::SYS_epoll_pwait),
+        #[cfg(target_arch = "x86_64")]
+        allow_syscall(libc::SYS_epoll_wait),
+        allow_syscall(libc::SYS_exit),
+        allow_syscall(libc::SYS_futex),
+        allow_syscall(libc::SYS_madvise),
+        allow_syscall(libc::SYS_munmap),
+        allow_syscall(libc::SYS_read),
+        allow_syscall(libc::SYS_rt_sigprocmask),
+        allow_syscall(libc::SYS_sigaltstack),
+    ])
+}
+
 fn virtio_rng_thread_rules() -> Result, Error> {
     Ok(vec![
         allow_syscall(libc::SYS_close),
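Review bot: A failed `SeccompFilter::apply` inside the spawned closure ends the "virtio_net" thread with an `Err` that only surfaces if the `JoinHandle` stored in `ctrl_queue_epoll_thread` is later joined and its result inspected, so a control queue that is silently never serviced would be the only visible symptom, whereas the filter-retrieval failure just above is reported through `ActivateError::CreateSeccompFilter`. Log before converting, e.g. `.map_err(|e| { error!("Error applying seccomp filter: {:?}", e); DeviceError::ApplySeccompFilter(e) })?;`, so the failure is attributable from the VMM log. The closure's `?` presupposes that `run_ctrl` returns a `Result` whose error type is `DeviceError`; `run_ctrl` itself is outside the hunk. Only the control-queue thread receives the filter here; if the per-queue-pair handler threads are spawned elsewhere in `activate` (outside the hunk), they stay unfiltered unless a separate change covers them, which is worth stating in the added comment. The `.map_err` on the spawn result two lines below still logs `failed to clone queue EventFd` for what is a thread-spawn failure.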
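Review bot: `virtio_net_thread_rules` has no comment naming the thread it governs, although it is applied only to the "virtio_net" control-queue thread in net.rs and its name reads as if it covered every virtio-net thread; the per-queue handler threads (not in this diff) presumably need a broader list since they do tap I/O. A `///` line such as `/// Syscall allow-list for the "virtio_net" control-queue thread (Net::activate); a syscall outside this list is handled by the filter's default action.` would make the scope explicit. The list has no `SYS_write` entry, so if the control-queue path ever signals the used ring through an EventFd or writes to the tap from this thread, the default action fires; naming that assumption in the comment lets a later change to `run_ctrl` be checked against the list. `SYS_epoll_wait` is gated on x86_64 while `SYS_epoll_pwait` is unconditional, which appears to match the sibling rule sets (only their tails are visible here).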
@@ -106,6 +125,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result
     let rules = match thread_type {
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };
 
@@ -119,6 +139,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result {
     let rules = match thread_type {
         Thread::VirtioBlk => virtio_blk_thread_rules()?,
         Thread::VirtioConsole => virtio_console_thread_rules()?,
+        Thread::VirtioNet => virtio_net_thread_rules()?,
         Thread::VirtioRng => virtio_rng_thread_rules()?,
     };
 
diff --git a/vmm/src/device_manager.rs b/vmm/src/device_manager.rs
index 75b884756..8beb5137b 100644
--- a/vmm/src/device_manager.rs
+++ b/vmm/src/device_manager.rs
@@ -1903,6 +1903,7 @@ impl DeviceManager {
             net_cfg.iommu,
             net_cfg.num_queues,
             net_cfg.queue_size,
+            self.seccomp_action.clone(),
         )
         .map_err(DeviceManagerError::CreateVirtioNet)?,
         ))
@@ -1918,6 +1919,7 @@ impl DeviceManager {
             net_cfg.iommu,
             net_cfg.num_queues,
             net_cfg.queue_size,
+            self.seccomp_action.clone(),
         )
         .map_err(DeviceManagerError::CreateVirtioNet)?,
         ))