github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-14 14:14:15 +00:00
Code Issues Projects Releases Wiki Activity

Merge 6395ff83db into 9379a18c8a

Browse Source
This commit is contained in:
wang xinge 2025-08-12 08:05:41 +00:00 committed by GitHub
commit a8db105b5b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libs/kata-types/src/config/hypervisor/mod.rs
View File

@ -934,6 +934,14 @@ pub struct SecurityInfo {
rename = "tdx_quote_generation_service_socket_port" rename = "tdx_quote_generation_service_socket_port"
)] )]
pub qgs_port: u32, pub qgs_port: u32,
/// Qemu seccomp sandbox feature
/// comma-separated list of seccomp sandbox features to control the syscall access.
/// For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
/// Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
/// Another note: enabling this feature may reduce performance, you may enable
/// /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
pub seccompsandbox: Option<String>,
} }
fn default_qgs_port() -> u32 { fn default_qgs_port() -> u32 {

33
src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
View File

@ -2182,6 +2182,14 @@ impl<'a> QemuCmdLine<'a> {
qemu_cmd_line.add_virtio_balloon(); qemu_cmd_line.add_virtio_balloon();
} }
if let Some(seccomp_sandbox) = &config
.security_info
.seccompsandbox
.as_ref()
.filter(|s| !s.is_empty())
{
qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
}
Ok(qemu_cmd_line) Ok(qemu_cmd_line)
} }
@ -2620,6 +2628,11 @@ impl<'a> QemuCmdLine<'a> {
Ok(()) Ok(())
} }
pub fn add_seccomp_sandbox(&mut self, param: &str) {
let seccomp_sandbox = SeccompSandbox::new(param);
self.devices.push(Box::new(seccomp_sandbox));
}
pub async fn build(&self) -> Result<Vec<String>> { pub async fn build(&self) -> Result<Vec<String>> {
let mut result = Vec::new(); let mut result = Vec::new();
@ -2706,3 +2719,23 @@ impl ToQemuParams for DeviceVirtioBalloon {
]) ])
} }
} }
#[derive(Debug)]
struct SeccompSandbox {
param: String,
}
impl SeccompSandbox {
fn new(param: &str) -> Self {
SeccompSandbox {
param: param.to_owned(),
}
}
}
#[async_trait]
impl ToQemuParams for SeccompSandbox {
async fn qemu_params(&self) -> Result<Vec<String>> {
Ok(vec!["-sandbox".to_owned(), self.param.clone()])
}
}