vmm: api: Add seccomp to the HTTP API thread

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2025-01-22 12:35:19 +00:00 · 2020-03-20 17:31:15 +01:00 · 2020-03-20 17:31:15 +01:00 · f1a23d712f
commit f1a23d712f
parent db62cb3f4d
3 changed files with 17 additions and 1 deletions
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@ -7,8 +7,10 @@ use crate::api::http_endpoint::{
    VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown,
 };
 use crate::api::{ApiRequest, VmAction};
+use crate::seccomp_filters::get_seccomp_filter;
 use crate::{Error, Result};
 use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version};
+use seccomp::{SeccompFilter, SeccompLevel};
 use std::collections::HashMap;
 use std::path::PathBuf;
 use std::sync::mpsc::Sender;
@ -92,13 +94,21 @@ pub fn start_http_thread(
    path: &str,
    api_notifier: EventFd,
    api_sender: Sender<ApiRequest>,
+    seccomp_level: &SeccompLevel,
 ) -> Result<thread::JoinHandle<Result<()>>> {
    std::fs::remove_file(path).unwrap_or_default();
    let socket_path = PathBuf::from(path);

+    // Retrieve seccomp filter for API thread
+    let api_seccomp_filter =
+        get_seccomp_filter(seccomp_level).map_err(Error::CreateSeccompFilter)?;
+
    thread::Builder::new()
        .name("http-server".to_string())
        .spawn(move || {
+            // Apply seccomp filter for API thread.
+            SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+
            let mut server = HttpServer::new(socket_path).unwrap();
            server.start_server().unwrap();
            loop {
--- a/vmm/src/api/mod.rs
+++ b/vmm/src/api/mod.rs
@ -105,6 +105,12 @@ pub enum ApiError {

    /// The device could not be removed from the VM.
    VmRemoveDevice(VmError),
+
+    /// Cannot create seccomp filter
+    CreateSeccompFilter(seccomp::SeccompError),
+
+    /// Cannot apply seccomp filter
+    ApplySeccompFilter(seccomp::Error),
 }
 pub type ApiResult<T> = std::result::Result<T, ApiError>;

--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -197,7 +197,7 @@ pub fn start_vmm_thread(
        .map_err(Error::VmmThreadSpawn)?;

    // The VMM thread is started, we can start serving HTTP requests
-    api::start_http_thread(http_path, http_api_event, api_sender)?;
+    api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?;

    Ok(thread)
 }