External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-07-04 17:02:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

vmm: api: Add seccomp to the HTTP API thread

Browse Source 
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit is contained in:
Sebastien Boeuf 2020-03-20 17:31:15 +01:00
parent db62cb3f4d
commit f1a23d712f
3 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
vmm/src/api/http.rs
View File

@ -7,8 +7,10 @@ use crate::api::http_endpoint::{
VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown, VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown,
}; };
use crate::api::{ApiRequest, VmAction}; use crate::api::{ApiRequest, VmAction};
use crate::seccomp_filters::get_seccomp_filter;
use crate::{Error, Result}; use crate::{Error, Result};
use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version}; use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version};
use seccomp::{SeccompFilter, SeccompLevel};
use std::collections::HashMap; use std::collections::HashMap;
use std::path::PathBuf; use std::path::PathBuf;
use std::sync::mpsc::Sender; use std::sync::mpsc::Sender;
@ -92,13 +94,21 @@ pub fn start_http_thread(
path: &str, path: &str,
api_notifier: EventFd, api_notifier: EventFd,
api_sender: Sender<ApiRequest>, api_sender: Sender<ApiRequest>,
seccomp_level: &SeccompLevel,
) -> Result<thread::JoinHandle<Result<()>>> { ) -> Result<thread::JoinHandle<Result<()>>> {
std::fs::remove_file(path).unwrap_or_default(); std::fs::remove_file(path).unwrap_or_default();
let socket_path = PathBuf::from(path); let socket_path = PathBuf::from(path);
// Retrieve seccomp filter for API thread
let api_seccomp_filter =
get_seccomp_filter(seccomp_level).map_err(Error::CreateSeccompFilter)?;
thread::Builder::new() thread::Builder::new()
.name("http-server".to_string()) .name("http-server".to_string())
.spawn(move || { .spawn(move || {
// Apply seccomp filter for API thread.
SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
let mut server = HttpServer::new(socket_path).unwrap(); let mut server = HttpServer::new(socket_path).unwrap();
server.start_server().unwrap(); server.start_server().unwrap();
loop { loop {

6
vmm/src/api/mod.rs
View File

@ -105,6 +105,12 @@ pub enum ApiError {
/// The device could not be removed from the VM. /// The device could not be removed from the VM.
VmRemoveDevice(VmError), VmRemoveDevice(VmError),
/// Cannot create seccomp filter
CreateSeccompFilter(seccomp::SeccompError),
/// Cannot apply seccomp filter
ApplySeccompFilter(seccomp::Error),
} }
pub type ApiResult<T> = std::result::Result<T, ApiError>; pub type ApiResult<T> = std::result::Result<T, ApiError>;

2
vmm/src/lib.rs
View File

@ -197,7 +197,7 @@ pub fn start_vmm_thread(
.map_err(Error::VmmThreadSpawn)?; .map_err(Error::VmmThreadSpawn)?;
// The VMM thread is started, we can start serving HTTP requests // The VMM thread is started, we can start serving HTTP requests
api::start_http_thread(http_path, http_api_event, api_sender)?; api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?;
Ok(thread) Ok(thread)
} }