External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-22 11:22:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: seccomp: Add seccomp filters for net thread

Browse Source 
This patch enables the seccomp filters for the net worker thread.

Partially fixes: #925

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2020-08-04 11:27:17 -07:00 committed by Rob Bradford
parent 276df6b71c
commit d77977536d
3 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
virtio-devices/src/net.rs
View File

@ -14,12 +14,14 @@ use super::{
ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue, ActivateError, ActivateResult, EpollHelper, EpollHelperError, EpollHelperHandler, Queue,
VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST, VirtioDevice, VirtioDeviceType, VirtioInterruptType, EPOLL_HELPER_EVENT_LAST,
}; };
use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::VirtioInterrupt; use crate::VirtioInterrupt;
use anyhow::anyhow; use anyhow::anyhow;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use net_util::{ use net_util::{
open_tap, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, Tap, TxVirtio, open_tap, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio, Tap, TxVirtio,
}; };
use seccomp::{SeccompAction, SeccompFilter};
use std::collections::HashMap; use std::collections::HashMap;
use std::net::Ipv4Addr; use std::net::Ipv4Addr;
use std::num::Wrapping; use std::num::Wrapping;
@ -204,6 +206,7 @@ pub struct Net {
paused: Arc<AtomicBool>, paused: Arc<AtomicBool>,
queue_size: Vec<u16>, queue_size: Vec<u16>,
counters: NetCounters, counters: NetCounters,
seccomp_action: SeccompAction,
} }
#[derive(Serialize, Deserialize)] #[derive(Serialize, Deserialize)]
@ -223,6 +226,7 @@ impl Net {
iommu: bool, iommu: bool,
num_queues: usize, num_queues: usize,
queue_size: u16, queue_size: u16,
seccomp_action: SeccompAction,
) -> Result<Self> { ) -> Result<Self> {
let mut avail_features = 1 << VIRTIO_NET_F_GUEST_CSUM let mut avail_features = 1 << VIRTIO_NET_F_GUEST_CSUM
| 1 << VIRTIO_NET_F_CSUM | 1 << VIRTIO_NET_F_CSUM
@ -262,6 +266,7 @@ impl Net {
paused: Arc::new(AtomicBool::new(false)), paused: Arc::new(AtomicBool::new(false)),
queue_size: vec![queue_size; queue_num], queue_size: vec![queue_size; queue_num],
counters: NetCounters::default(), counters: NetCounters::default(),
seccomp_action,
}) })
} }
@ -278,11 +283,20 @@ impl Net {
iommu: bool, iommu: bool,
num_queues: usize, num_queues: usize,
queue_size: u16, queue_size: u16,
seccomp_action: SeccompAction,
) -> Result<Self> { ) -> Result<Self> {
let taps = open_tap(if_name, ip_addr, netmask, host_mac, num_queues / 2) let taps = open_tap(if_name, ip_addr, netmask, host_mac, num_queues / 2)
.map_err(Error::OpenTap)?; .map_err(Error::OpenTap)?;
Self::new_with_tap(id, taps, guest_mac, iommu, num_queues, queue_size) Self::new_with_tap(
id,
taps,
guest_mac,
iommu,
num_queues,
queue_size,
seccomp_action,
)
} }
fn state(&self) -> NetState { fn state(&self) -> NetState {
@ -404,9 +418,18 @@ impl VirtioDevice for Net {
}; };
let paused = self.paused.clone(); let paused = self.paused.clone();
// Retrieve seccomp filter for virtio_net thread
let virtio_net_seccomp_filter =
get_seccomp_filter(&self.seccomp_action, Thread::VirtioNet)
.map_err(ActivateError::CreateSeccompFilter)?;
thread::Builder::new() thread::Builder::new()
.name("virtio_net".to_string()) .name("virtio_net".to_string())
.spawn(move || ctrl_handler.run_ctrl(paused)) .spawn(move || {
SeccompFilter::apply(virtio_net_seccomp_filter)
.map_err(DeviceError::ApplySeccompFilter)?;
ctrl_handler.run_ctrl(paused)
})
.map(|thread| self.ctrl_queue_epoll_thread = Some(thread)) .map(|thread| self.ctrl_queue_epoll_thread = Some(thread))
.map_err(|e| { .map_err(|e| {
error!("failed to clone queue EventFd: {}", e); error!("failed to clone queue EventFd: {}", e);

21
virtio-devices/src/seccomp_filters.rs
View File

@ -12,6 +12,7 @@ use std::convert::TryInto;
pub enum Thread { pub enum Thread {
VirtioBlk, VirtioBlk,
VirtioConsole, VirtioConsole,
VirtioNet,
VirtioRng, VirtioRng,
} }
@ -78,6 +79,24 @@ fn virtio_console_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
]) ])
} }
fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_rt_sigprocmask),
allow_syscall(libc::SYS_sigaltstack),
])
}
fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_close), allow_syscall(libc::SYS_close),
@ -106,6 +125,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioNet => virtio_net_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
}; };
@ -119,6 +139,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
let rules = match thread_type { let rules = match thread_type {
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioNet => virtio_net_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
}; };

2
vmm/src/device_manager.rs
View File

@ -1903,6 +1903,7 @@ impl DeviceManager {
net_cfg.iommu, net_cfg.iommu,
net_cfg.num_queues, net_cfg.num_queues,
net_cfg.queue_size, net_cfg.queue_size,
self.seccomp_action.clone(),
) )
.map_err(DeviceManagerError::CreateVirtioNet)?, .map_err(DeviceManagerError::CreateVirtioNet)?,
)) ))
@ -1918,6 +1919,7 @@ impl DeviceManager {
net_cfg.iommu, net_cfg.iommu,
net_cfg.num_queues, net_cfg.num_queues,
net_cfg.queue_size, net_cfg.queue_size,
self.seccomp_action.clone(),
) )
.map_err(DeviceManagerError::CreateVirtioNet)?, .map_err(DeviceManagerError::CreateVirtioNet)?,
)) ))