From ff7ed8f628185163f07a4fd67ee2c2e14e45d0a6 Mon Sep 17 00:00:00 2001 From: Bo Chen Date: Thu, 30 Jul 2020 15:33:52 -0700 Subject: [PATCH] vmm: Propagate the SeccompAction value to the Vm struct constructor This patch propagates the SeccompAction value from main to the Vm struct constructor (i.e. Vm::new_from_memory_manager), so that we can use it to construct the DeviceManager and CpuManager struct for controlling the behavior of the seccomp filters for vcpu/virtio-device worker threads. Signed-off-by: Bo Chen --- vmm/src/lib.rs | 15 ++++++++++++++- vmm/src/vm.rs | 7 +++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/vmm/src/lib.rs b/vmm/src/lib.rs index 4f3a41494..4bf74ef24 100644 --- a/vmm/src/lib.rs +++ b/vmm/src/lib.rs @@ -229,13 +229,20 @@ pub fn start_vmm_thread( // alternative is to run always with CAP_SYS_PTRACE but that is not a good idea. let self_path = format!("/proc/{}/exe", std::process::id()); let vmm_path = std::fs::read_link(PathBuf::from(self_path)).map_err(Error::ExePathReadLink)?; + let vmm_seccomp_action = seccomp_action.clone(); let thread = thread::Builder::new() .name("vmm".to_string()) .spawn(move || { // Apply seccomp filter for VMM thread. SeccompFilter::apply(vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?; - let mut vmm = Vmm::new(vmm_version.to_string(), api_event, vmm_path, hypervisor)?; + let mut vmm = Vmm::new( + vmm_version.to_string(), + api_event, + vmm_path, + vmm_seccomp_action, + hypervisor, + )?; vmm.control_loop(Arc::new(api_receiver)) }) @@ -256,6 +263,7 @@ pub struct Vmm { vm: Option, vm_config: Option>>, vmm_path: PathBuf, + seccomp_action: SeccompAction, hypervisor: Arc, } @@ -264,6 +272,7 @@ impl Vmm { vmm_version: String, api_evt: EventFd, vmm_path: PathBuf, + seccomp_action: SeccompAction, hypervisor: Arc, ) -> Result { let mut epoll = EpollContext::new().map_err(Error::Epoll)?; @@ -295,6 +304,7 @@ impl Vmm { vm: None, vm_config: None, vmm_path, + seccomp_action, hypervisor, }) } 
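Review bot: The new `seccomp_action: SeccompAction` field on `pub struct Vmm` (hunk `@@ -256,6 +263,7 @@`) and the matching `Vmm::new` parameter carry no doc comment, so a reader of the struct cannot tell which policy this value represents or which threads it governs; the commit message says it is the action for the seccomp filters of the vCPU and virtio-device worker threads, and that is the place to say so: `/// Seccomp action applied to the filters of the worker threads (vCPU, virtio devices) spawned for the VM; the VMM thread itself is covered by the filter applied in start_vmm_thread.`. Since this value decides how seccomp violations in those threads are handled, a maintainer changing its source in `main` should be able to find that contract on the field rather than in git history. The body of `start_vmm_thread` and the remainder of `Vmm::new` continue outside their hunks.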
@@ -311,6 +321,7 @@ impl Vmm { exit_evt, reset_evt, self.vmm_path.clone(), + &self.seccomp_action, self.hypervisor.clone(), )?; self.vm = Some(vm); @@ -381,6 +392,7 @@ impl Vmm { self.vmm_path.clone(), source_url, restore_cfg.prefault, + &self.seccomp_action, self.hypervisor.clone(), )?; self.vm = Some(vm); @@ -430,6 +442,7 @@ impl Vmm { exit_evt, reset_evt, self.vmm_path.clone(), + &self.seccomp_action, self.hypervisor.clone(), )?); } diff --git a/vmm/src/vm.rs b/vmm/src/vm.rs index 538e4ff4f..d7694885d 100644 --- a/vmm/src/vm.rs +++ b/vmm/src/vm.rs @@ -45,6 +45,7 @@ use linux_loader::loader::elf::Error::InvalidElfMagicNumber; #[cfg(target_arch = "x86_64")] use linux_loader::loader::elf::PvhBootCapability::PvhEntryPresent; use linux_loader::loader::KernelLoader; +use seccomp::SeccompAction; use signal_hook::{iterator::Signals, SIGINT, SIGTERM, SIGWINCH}; use std::collections::HashMap; use std::convert::TryInto; @@ -267,6 +268,7 @@ impl Vm { exit_evt: EventFd, reset_evt: EventFd, vmm_path: PathBuf, + _seccomp_action: &SeccompAction, hypervisor: Arc, _saved_clock: Option, ) -> Result { @@ -332,6 +334,7 @@ impl Vm { exit_evt: EventFd, reset_evt: EventFd, vmm_path: PathBuf, + seccomp_action: &SeccompAction, hypervisor: Arc, ) -> Result { #[cfg(target_arch = "x86_64")] @@ -365,6 +368,7 @@ impl Vm { exit_evt, reset_evt, vmm_path, + seccomp_action, hypervisor, None, )?; @@ -381,6 +385,7 @@ impl Vm { Ok(new_vm) } + #[allow(clippy::too_many_arguments)] pub fn new_from_snapshot( snapshot: &Snapshot, exit_evt: EventFd, @@ -388,6 +393,7 @@ impl Vm { vmm_path: PathBuf, source_url: &str, prefault: bool, + seccomp_action: &SeccompAction, hypervisor: Arc, ) -> Result { #[cfg(target_arch = "x86_64")] @@ -422,6 +428,7 @@ impl Vm { exit_evt, reset_evt, vmm_path, + seccomp_action, hypervisor, #[cfg(target_arch = "x86_64")] vm_snapshot.clock,
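Review bot: `_seccomp_action: &SeccompAction` on `Vm::new_from_memory_manager` (hunk `@@ -267,6 +268,7 @@`) is accepted but not used on any line of the hunk; the leading underscore silences the unused-variable warning, so nothing in the code records that the value is still meant to reach `DeviceManager` and `CpuManager`, which is the intent the commit message states. A marker on the parameter would keep that visible to the next maintainer: `// TODO: forward to DeviceManager/CpuManager for the vcpu and virtio worker-thread seccomp filters`. The signature begins before the hunk and the constructor body continues after it, so whether the value is consumed elsewhere in the function cannot be confirmed from the diff.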
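Review bot: `#[allow(clippy::too_many_arguments)]` added above `new_from_snapshot` (hunk `@@ -381,6 +385,7 @@`) is a point of style: the same VMM-level trio `vmm_path`, `seccomp_action`, `hypervisor` is now threaded by hand through `Vm::new`, `Vm::new_from_memory_manager` and `Vm::new_from_snapshot`, and each future addition will widen all three signatures and their call sites in `vmm/src/lib.rs`. If the allow stays, a one-line justification next to it would help, e.g. `// Mirrors Vm::new(); the VMM context (path, seccomp action, hypervisor) is passed piecewise until it is bundled into a struct.`; the cleaner fix is to carry that context as a single struct, which can be done in a follow-up. The surrounding `impl Vm` methods start and end outside these hunks.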