External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-07-15 13:47:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
4120a7dee9
cloud-hypervisor/vhost_user_fs
History
Dr. David Alan Gilbert 4120a7dee9 vhost_user_fs: Add seccomp 
Implement seccomp; we use one filter for all threads.
The syscall list comes from the C daemon with syscalls added
as I hit them.

The default behaviour is to kill the process, this normally gets
audit logged.

--seccomp none  disables seccomp
          log   Just logs violations but doesn't stop it
          trap  causes a signal to be be sent that can be trapped.

If you suspect you're hitting a seccomp action then you can
check the audit log;  you could also switch to running with 'log'
to collect a bunch of calls to report.
To see where the syscalls are coming from use 'trap' with a debugger
or coredump to backtrace it.

This can be improved for some syscalls to restrict the parameters
to some syscalls to make them more restrictive.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2020-05-14 18:56:19 +02:00
..
src vhost_user_fs: Add seccomp 2020-05-14 18:56:19 +02:00
Cargo.toml vhost_user_fs: Add seccomp 2020-05-14 18:56:19 +02:00