mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2024-07-07 18:25:44 +00:00
4120a7dee9
Implement seccomp; we use one filter for all threads.
The syscall list comes from the C daemon with syscalls added
as I hit them.
The default behaviour is to kill the process, this normally gets
audit logged.
--seccomp none disables seccomp
log Just logs violations but doesn't stop it
trap causes a signal to be be sent that can be trapped.
If you suspect you're hitting a seccomp action then you can
check the audit log; you could also switch to running with 'log'
to collect a bunch of calls to report.
To see where the syscalls are coming from use 'trap' with a debugger
or coredump to backtrace it.
This can be improved for some syscalls to restrict the parameters
to some syscalls to make them more restrictive.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
17 lines
508 B
TOML
17 lines
508 B
TOML
[package]
|
|
name = "vhost_user_fs"
|
|
version = "0.1.0"
|
|
authors = ["The Cloud Hypervisor Authors"]
|
|
edition = "2018"
|
|
|
|
[dependencies]
|
|
bitflags = "1.1.0"
|
|
libc = "0.2.70"
|
|
log = "0.4.8"
|
|
# Match the version in vmm
|
|
seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.21.1" }
|
|
tempdir= "0.3.7"
|
|
vm-memory = "0.2.0"
|
|
vm-virtio = { path = "../vm-virtio" }
|
|
vhost_rs = { git = "https://github.com/cloud-hypervisor/vhost", branch = "dragonball", package = "vhost", features = ["vhost-user-slave"] }
|