runtime: Add option "disable_seccomp" to config hypervisor.clh

This patch adds an option "disable_seccomp" to the config hypervisor.clh, from which users can disable the `seccomp` feature from Cloud Hypervisor when needed (for debugging purposes). Fixes: #2782 Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-06-25 15:02:45 +00:00 · 2021-10-08 15:10:30 -07:00 · 2021-10-08 15:10:30 -07:00 · 51cbe14584
commit 51cbe14584
parent 98b7350a1b
5 changed files with 15 additions and 0 deletions
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@ -114,6 +114,9 @@ block_device_driver = "virtio-blk"
 # being allocated using huge pages.
 #enable_hugepages = true

+# Disable the 'seccomp' feature from Cloud Hypervisor, default false
+# disable_seccomp = true
+
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
 #
--- a/src/runtime/pkg/katautils/config-settings.go.in
+++ b/src/runtime/pkg/katautils/config-settings.go.in
@ -87,6 +87,7 @@ const defaultTxRateLimiterMaxRate = uint64(0)
 const defaultConfidentialGuest = false
 const defaultGuestSwap = false
 const defaultRootlessHypervisor = false
+const defaultDisableSeccomp = false

 var defaultSGXEPCSize = int64(0)

--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -135,6 +135,7 @@ type hypervisor struct {
 	ConfidentialGuest       bool     `toml:"confidential_guest"`
 	GuestSwap               bool     `toml:"enable_guest_swap"`
 	Rootless                bool     `toml:"rootless"`
+	DisableSeccomp          bool     `toml:"disable_seccomp"`
 }

 type runtime struct {
@ -875,6 +876,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		VirtioFSExtraArgs:       h.VirtioFSExtraArgs,
 		SGXEPCSize:              defaultSGXEPCSize,
 		EnableAnnotations:       h.EnableAnnotations,
+		DisableSeccomp:          h.DisableSeccomp,
 	}, nil
 }

@ -1072,6 +1074,7 @@ func GetDefaultHypervisorConfig() vc.HypervisorConfig {
 		ConfidentialGuest:       defaultConfidentialGuest,
 		GuestSwap:               defaultGuestSwap,
 		Rootless:                defaultRootlessHypervisor,
+		DisableSeccomp:          defaultDisableSeccomp,
 	}
 }

--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@ -947,6 +947,11 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
 		args = append(args, "-v")
 	}

+	// Enable the `seccomp` feature from Cloud Hypervisor by default
+	// Disable it only when requested by users for debugging purposes
+	if clh.config.DisableSeccomp {
+		args = append(args, "--seccomp", "false")
+	}

 	clh.Logger().WithField("path", clhPath).Info()
 	clh.Logger().WithField("args", strings.Join(args, " ")).Info()
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@ -473,6 +473,9 @@ type HypervisorConfig struct {

 	// Rootless is used to enable rootless VMM process
 	Rootless bool
+
+	// Disable seccomp from the hypervisor process
+	DisableSeccomp bool
 }

 // vcpu mapping from vcpu number to thread number