diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index df814a20e9..a128aea6a9 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -114,6 +114,9 @@ block_device_driver = "virtio-blk"
 # being allocated using huge pages.
 #enable_hugepages = true
 
+# Disable the 'seccomp' feature from Cloud Hypervisor, default false
+# disable_seccomp = true
+
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
 #
diff --git a/src/runtime/pkg/katautils/config-settings.go.in b/src/runtime/pkg/katautils/config-settings.go.in
index a6805729e8..66f30e073f 100644
--- a/src/runtime/pkg/katautils/config-settings.go.in
+++ b/src/runtime/pkg/katautils/config-settings.go.in
@@ -87,6 +87,7 @@ const defaultTxRateLimiterMaxRate = uint64(0)
 const defaultConfidentialGuest = false
 const defaultGuestSwap = false
 const defaultRootlessHypervisor = false
+const defaultDisableSeccomp = false
 
 var defaultSGXEPCSize = int64(0)
 
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 8a96aa5043..93a870e8a0 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -135,6 +135,7 @@ type hypervisor struct {
 	ConfidentialGuest bool `toml:"confidential_guest"`
 	GuestSwap bool `toml:"enable_guest_swap"`
 	Rootless bool `toml:"rootless"`
+	DisableSeccomp bool `toml:"disable_seccomp"`
 }
 
 type runtime struct {
@@ -865,6 +866,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		VirtioFSExtraArgs: h.VirtioFSExtraArgs,
 		SGXEPCSize: defaultSGXEPCSize,
 		EnableAnnotations: h.EnableAnnotations,
+		DisableSeccomp: h.DisableSeccomp,
 	}, nil
 }
 
@@ -1056,6 +1058,7 @@ func GetDefaultHypervisorConfig() vc.HypervisorConfig {
 		ConfidentialGuest: defaultConfidentialGuest,
 		GuestSwap: defaultGuestSwap,
 		Rootless: defaultRootlessHypervisor,
+		DisableSeccomp: defaultDisableSeccomp,
 	}
 }
 
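Review bot: The new comment in the toml template says only what the knob does, not what it costs; the filter it turns off is the one the clh.go side of this commit describes as Cloud Hypervisor's seccomp filter on the VMM process, so the template should say that disabling it weakens the hypervisor process's sandboxing and is meant for debugging only. Suggested wording: `# Disable the 'seccomp' feature from Cloud Hypervisor (default: false).` followed by `# Disabling removes the syscall filter from the VMM process; use only for debugging.` The config-settings.go.in and config.go hunks on this line are plumbing for the same field and raise nothing on their own.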
diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
index 3afb06417c..b9c47988af 100644
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -960,11 +960,11 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
 		args = append(args, "-v")
 	}
 
-	// Disable the 'seccomp' option in clh for now.
-	// In this way, we can separate the periodic failures caused
-	// by incomplete `seccomp` filters from other failures.
-	// We will bring it back after completing the `seccomp` filter.
-	args = append(args, "--seccomp", "false")
+	// Enable the `seccomp` feature from Cloud Hypervisor by default
+	// Disable it only when requested by users for debugging purposes
+	if clh.config.DisableSeccomp {
+		args = append(args, "--seccomp", "false")
+	}
 
 	clh.Logger().WithField("path", clhPath).Info()
 	clh.Logger().WithField("args", strings.Join(args, " ")).Info()
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index d3ced85647..dc80bff616 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -508,6 +508,9 @@ type HypervisorConfig struct {
 
 	// Rootless is used to enable rootless VMM process
 	Rootless bool
+
+	// Disable seccomp from the hypervisor process
+	DisableSeccomp bool
 }
 
 // vcpu mapping from vcpu number to thread number
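Review bot: The new comment claims seccomp is enabled by default, but the code only ever passes `--seccomp false`; when DisableSeccomp is unset nothing is passed, so the effective state depends on the Cloud Hypervisor binary's own default and is not visible in the args line logged just below. Passing the flag explicitly keeps the stated default true regardless of the binary, and makes the logged args show the effective setting; a warning when the filter is disabled also helps operators notice a debugging configuration left in place. launchClh starts and ends outside the hunk.
```go
	// Cloud Hypervisor's seccomp filter stays on unless the user opted out.
	seccomp := "true"
	if clh.config.DisableSeccomp {
		clh.Logger().Warn("seccomp disabled for the Cloud Hypervisor process")
		seccomp = "false"
	}
	args = append(args, "--seccomp", seccomp)
	// … unchanged: logging of path and args …
```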
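Review bot: The doc comment on the new DisableSeccomp field in hypervisor.go does not follow the convention of the neighbouring Rootless field, whose comment starts with the field name, and it does not say what the user gives up; suggest `// DisableSeccomp disables the seccomp filter of the hypervisor process.` followed by `// Intended for debugging only: the VMM then runs without its syscall sandbox.` The HypervisorConfig struct starts outside the hunk.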