vmm: api: Add seccomp to the HTTP API thread
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit is contained in:
parent
db62cb3f4d
commit
f1a23d712f
|
@ -7,8 +7,10 @@ use crate::api::http_endpoint::{
|
||||||
VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown,
|
VmActionHandler, VmAddDevice, VmCreate, VmInfo, VmRemoveDevice, VmResize, VmmPing, VmmShutdown,
|
||||||
};
|
};
|
||||||
use crate::api::{ApiRequest, VmAction};
|
use crate::api::{ApiRequest, VmAction};
|
||||||
|
use crate::seccomp_filters::get_seccomp_filter;
|
||||||
use crate::{Error, Result};
|
use crate::{Error, Result};
|
||||||
use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version};
|
use micro_http::{HttpServer, MediaType, Request, Response, StatusCode, Version};
|
||||||
|
use seccomp::{SeccompFilter, SeccompLevel};
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
use std::sync::mpsc::Sender;
|
use std::sync::mpsc::Sender;
|
||||||
|
@ -92,13 +94,21 @@ pub fn start_http_thread(
|
||||||
path: &str,
|
path: &str,
|
||||||
api_notifier: EventFd,
|
api_notifier: EventFd,
|
||||||
api_sender: Sender<ApiRequest>,
|
api_sender: Sender<ApiRequest>,
|
||||||
|
seccomp_level: &SeccompLevel,
|
||||||
) -> Result<thread::JoinHandle<Result<()>>> {
|
) -> Result<thread::JoinHandle<Result<()>>> {
|
||||||
std::fs::remove_file(path).unwrap_or_default();
|
std::fs::remove_file(path).unwrap_or_default();
|
||||||
let socket_path = PathBuf::from(path);
|
let socket_path = PathBuf::from(path);
|
||||||
|
|
||||||
|
// Retrieve seccomp filter for API thread
|
||||||
|
let api_seccomp_filter =
|
||||||
|
get_seccomp_filter(seccomp_level).map_err(Error::CreateSeccompFilter)?;
|
||||||
|
|
||||||
thread::Builder::new()
|
thread::Builder::new()
|
||||||
.name("http-server".to_string())
|
.name("http-server".to_string())
|
||||||
.spawn(move || {
|
.spawn(move || {
|
||||||
|
// Apply seccomp filter for API thread.
|
||||||
|
SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
|
||||||
|
|
||||||
let mut server = HttpServer::new(socket_path).unwrap();
|
let mut server = HttpServer::new(socket_path).unwrap();
|
||||||
server.start_server().unwrap();
|
server.start_server().unwrap();
|
||||||
loop {
|
loop {
|
||||||
|
|
|
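Review bot: The `Err` produced by `SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?` at the top of the spawned closure only reaches whoever joins the returned handle, and the caller in the start_vmm_thread hunk below invokes `api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?` and drops that handle, so a filter that fails to apply ends the http-server thread silently while the VMM keeps running without its API. Log the failure inside the closure before returning it (the file's logging facility is not visible in this hunk), or have the closure report the outcome back over a channel so start_vmm_thread can fail instead of continuing. The two pre-existing `unwrap()` calls on `HttpServer::new` and `start_server` now execute with the filter active; if the chosen level denies a syscall the panic path needs, the thread would presumably die with SIGSYS rather than print the unwrap message, which is worth checking against the filter rules. start_http_thread's signature opens before this hunk and its body continues past `loop {`.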
@ -105,6 +105,12 @@ pub enum ApiError {
|
||||||
|
|
||||||
/// The device could not be removed from the VM.
|
/// The device could not be removed from the VM.
|
||||||
VmRemoveDevice(VmError),
|
VmRemoveDevice(VmError),
|
||||||
|
|
||||||
|
/// Cannot create seccomp filter
|
||||||
|
CreateSeccompFilter(seccomp::SeccompError),
|
||||||
|
|
||||||
|
/// Cannot apply seccomp filter
|
||||||
|
ApplySeccompFilter(seccomp::Error),
|
||||||
}
|
}
|
||||||
pub type ApiResult<T> = std::result::Result<T, ApiError>;
|
pub type ApiResult<T> = std::result::Result<T, ApiError>;
|
||||||
|
|
||||||
|
|
|
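Review bot: The new variants are added to `ApiError`, but the start_http_thread hunk above maps the failures to `Error::CreateSeccompFilter` and `Error::ApplySeccompFilter`, where `Error` is `crate::Error` per that file's `use crate::{Error, Result};`, so unless `crate::Error` gains matching variants in a part of the commit not shown here, these two `ApiError` variants are never constructed. The two doc comments also lack the terminating period the surrounding entries use, e.g. `/// The seccomp filter for the API thread could not be created.` and `/// The seccomp filter could not be applied to the API thread.`. The variants wrap two different types, `seccomp::SeccompError` and `seccomp::Error`; presumably that mirrors the seccomp crate's own API, but a short comment saying so would spare the next reader the question.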
@ -197,7 +197,7 @@ pub fn start_vmm_thread(
|
||||||
.map_err(Error::VmmThreadSpawn)?;
|
.map_err(Error::VmmThreadSpawn)?;
|
||||||
|
|
||||||
// The VMM thread is started, we can start serving HTTP requests
|
// The VMM thread is started, we can start serving HTTP requests
|
||||||
api::start_http_thread(http_path, http_api_event, api_sender)?;
|
api::start_http_thread(http_path, http_api_event, api_sender, seccomp_level)?;
|
||||||
|
|
||||||
Ok(thread)
|
Ok(thread)
|
||||||
}
|
}
|
||||||
|
|