External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-10-01 11:05:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: seccomp: Add seccomp filters for pmem thread

Browse Source 
This patch enables the seccomp filters for the pmem worker thread.

Partially fixes: #925

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2020-08-04 12:25:06 -07:00 committed by Rob Bradford
parent d77977536d
commit dc71d2765a
3 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
virtio-devices/src/pmem.rs
View File

@ -12,9 +12,11 @@ use super::{
EpollHelperHandler, Queue, UserspaceMapping, VirtioDevice, VirtioDeviceType, EpollHelperHandler, Queue, UserspaceMapping, VirtioDevice, VirtioDeviceType,
EPOLL_HELPER_EVENT_LAST, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1, EPOLL_HELPER_EVENT_LAST, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1,
}; };
use crate::seccomp_filters::{get_seccomp_filter, Thread};
use crate::{VirtioInterrupt, VirtioInterruptType}; use crate::{VirtioInterrupt, VirtioInterruptType};
use anyhow::anyhow; use anyhow::anyhow;
use libc::EFD_NONBLOCK; use libc::EFD_NONBLOCK;
use seccomp::{SeccompAction, SeccompFilter};
use serde::ser::{Serialize, SerializeStruct, Serializer}; use serde::ser::{Serialize, SerializeStruct, Serializer};
use std::fmt::{self, Display}; use std::fmt::{self, Display};
use std::fs::File; use std::fs::File;
@ -286,6 +288,7 @@ pub struct Pmem {
epoll_threads: Option<Vec<thread::JoinHandle<result::Result<(), EpollHelperError>>>>, epoll_threads: Option<Vec<thread::JoinHandle<result::Result<(), EpollHelperError>>>>,
paused: Arc<AtomicBool>, paused: Arc<AtomicBool>,
mapping: UserspaceMapping, mapping: UserspaceMapping,
seccomp_action: SeccompAction,
// Hold ownership of the memory that is allocated for the device // Hold ownership of the memory that is allocated for the device
// which will be automatically dropped when the device is dropped // which will be automatically dropped when the device is dropped
@ -307,6 +310,7 @@ impl Pmem {
mapping: UserspaceMapping, mapping: UserspaceMapping,
_region: MmapRegion, _region: MmapRegion,
iommu: bool, iommu: bool,
seccomp_action: SeccompAction,
) -> io::Result<Pmem> { ) -> io::Result<Pmem> {
let config = VirtioPmemConfig { let config = VirtioPmemConfig {
start: addr.raw_value().to_le(), start: addr.raw_value().to_le(),
@ -332,6 +336,7 @@ impl Pmem {
epoll_threads: None, epoll_threads: None,
paused: Arc::new(AtomicBool::new(false)), paused: Arc::new(AtomicBool::new(false)),
mapping, mapping,
seccomp_action,
_region, _region,
}) })
} }
@ -456,9 +461,18 @@ impl VirtioDevice for Pmem {
let paused = self.paused.clone(); let paused = self.paused.clone();
let mut epoll_threads = Vec::new(); let mut epoll_threads = Vec::new();
// Retrieve seccomp filter for virtio_pmem thread
let virtio_pmem_seccomp_filter =
get_seccomp_filter(&self.seccomp_action, Thread::VirtioPmem)
.map_err(ActivateError::CreateSeccompFilter)?;
thread::Builder::new() thread::Builder::new()
.name("virtio_pmem".to_string()) .name("virtio_pmem".to_string())
.spawn(move || handler.run(paused)) .spawn(move || {
SeccompFilter::apply(virtio_pmem_seccomp_filter)
.map_err(DeviceError::ApplySeccompFilter)?;
handler.run(paused)
})
.map(|thread| epoll_threads.push(thread)) .map(|thread| epoll_threads.push(thread))
.map_err(|e| { .map_err(|e| {
error!("failed to clone virtio-pmem epoll thread: {}", e); error!("failed to clone virtio-pmem epoll thread: {}", e);

23
virtio-devices/src/seccomp_filters.rs
View File

@ -13,6 +13,7 @@ pub enum Thread {
VirtioBlk, VirtioBlk,
VirtioConsole, VirtioConsole,
VirtioNet, VirtioNet,
VirtioPmem,
VirtioRng, VirtioRng,
} }
@ -97,6 +98,26 @@ fn virtio_net_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
]) ])
} }
fn virtio_pmem_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![
allow_syscall(libc::SYS_close),
allow_syscall(libc::SYS_epoll_create1),
allow_syscall(libc::SYS_epoll_ctl),
allow_syscall(libc::SYS_epoll_pwait),
#[cfg(target_arch = "x86_64")]
allow_syscall(libc::SYS_epoll_wait),
allow_syscall(libc::SYS_exit),
allow_syscall(libc::SYS_fsync),
allow_syscall(libc::SYS_futex),
allow_syscall(libc::SYS_madvise),
allow_syscall(libc::SYS_munmap),
allow_syscall(libc::SYS_read),
allow_syscall(libc::SYS_rt_sigprocmask),
allow_syscall(libc::SYS_sigaltstack),
allow_syscall(libc::SYS_write),
])
}
fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> { fn virtio_rng_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
Ok(vec![ Ok(vec![
allow_syscall(libc::SYS_close), allow_syscall(libc::SYS_close),
@ -126,6 +147,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioNet => virtio_net_thread_rules()?, Thread::VirtioNet => virtio_net_thread_rules()?,
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
}; };
@ -140,6 +162,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
Thread::VirtioBlk => virtio_blk_thread_rules()?, Thread::VirtioBlk => virtio_blk_thread_rules()?,
Thread::VirtioConsole => virtio_console_thread_rules()?, Thread::VirtioConsole => virtio_console_thread_rules()?,
Thread::VirtioNet => virtio_net_thread_rules()?, Thread::VirtioNet => virtio_net_thread_rules()?,
Thread::VirtioPmem => virtio_pmem_thread_rules()?,
Thread::VirtioRng => virtio_rng_thread_rules()?, Thread::VirtioRng => virtio_rng_thread_rules()?,
}; };

1
vmm/src/device_manager.rs
View File

@ -2302,6 +2302,7 @@ impl DeviceManager {
mapping, mapping,
mmap_region, mmap_region,
pmem_cfg.iommu, pmem_cfg.iommu,
self.seccomp_action.clone(),
) )
.map_err(DeviceManagerError::CreateVirtioPmem)?, .map_err(DeviceManagerError::CreateVirtioPmem)?,
)); ));