From f1a23d712f8bd86016d1c5f114c83137452fb6d1 Mon Sep 17 00:00:00 2001
From: Sebastien Boeuf <sebastien.boeuf@intel.com>
Date: Fri, 20 Mar 2020 17:31:15 +0100
Subject: [PATCH] vmm: api: Add seccomp to the HTTP API thread

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
---
 vmm/src/api/http.rs | 10 ++++++++++
 vmm/src/api/mod.rs  |  6 ++++++
 vmm/src/lib.rs      |  2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/vmm/src/api/http.rs b/vmm/src/api/http.rs
index ecdd47959..a6e4d8ab7 100644
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@@ -7,8 +7,10 @@ use crate::api::http_endpoint::{
     VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown,
 };
 use crate::api::{ApiRequest, VmAction};
+use crate::seccomp_filters::get_seccomp_filter;
 use crate::{Error, Result};
 use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version};
+use seccomp::{SeccompFilter, SeccompLevel};
 use std::collections::HashMap;
 use std::path::PathBuf;
 use std::sync::mpsc::Sender;
@@ -92,13 +94,21 @@ pub fn start_http_thread(
     path: &str,
     api_notifier: EventFd,
     api_sender: Sender<ApiRequest>,
+    seccomp_level: &SeccompLevel,
 ) -> Result<thread::JoinHandle<Result<()>>> {
     std::fs::remove_file(path).unwrap_or_default();
     let socket_path = PathBuf::from(path);
 
+    // Retrieve seccomp filter for API thread
+    let api_seccomp_filter =
+        get_seccomp_filter(seccomp_level).map_err(Error::CreateSeccompFilter)?;
+
     thread::Builder::new()
         .name("http-server".to_string())
         .spawn(move || {
+            // Apply seccomp filter for API thread.
+            SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+
             let mut server = HttpServer::new(socket_path).unwrap();
             server.start_server().unwrap();
             loop {
diff --git a/vmm/src/api/mod.rs b/vmm/src/api/mod.rs
index 24a48e9c0..7a6d3ba7a 100644
--- a/vmm/src/api/mod.rs
+++ b/vmm/src/api/mod.rs
@@ -105,6 +105,12 @@ pub enum ApiError {
 
     /// The device could not be removed from the VM.
     VmRemoveDevice(VmError),
+
+    /// Cannot create seccomp filter
+    CreateSeccompFilter(seccomp::SeccompError),
+
+    /// Cannot apply seccomp filter
+    ApplySeccompFilter(seccomp::Error),
 }
 pub type ApiResult<T> = std::result::Result<T, ApiError>;
 
diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs
index 58f2e2fa6..91f3b4dc2 100644
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@@ -197,7 +197,7 @@ pub fn start_vmm_thread(
         .map_err(Error::VmmThreadSpawn)?;
 
     // The VMM thread is started, we can start serving HTTP requests
-    api::start_http_thread(http_path, http_api_event, api_sender)?;
+    api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?;
 
     Ok(thread)
 }