Merge 6395ff83db into 9379a18c8a

2025-08-13 13:46:46 +00:00 · 2025-08-12 08:05:41 +00:00 · 2025-08-12 08:05:41 +00:00 · a8db105b5b
commit a8db105b5b
parent 9379a18c8a 6395ff83db
2 changed files with 41 additions and 0 deletions
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@ -934,6 +934,14 @@ pub struct SecurityInfo {
        rename = "tdx_quote_generation_service_socket_port"
    )]
    pub qgs_port: u32,
+
+    /// Qemu seccomp sandbox feature
+    /// comma-separated list of seccomp sandbox features to control the syscall access.
+    /// For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
+    /// Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
+    /// Another note: enabling this feature may reduce performance, you may enable
+    /// /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
+    pub seccompsandbox: Option<String>,
 }

 fn default_qgs_port() -> u32 {
--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
@ -2182,6 +2182,14 @@ impl<'a> QemuCmdLine<'a> {
            qemu_cmd_line.add_virtio_balloon();
        }

+        if let Some(seccomp_sandbox) = &config
+            .security_info
+            .seccompsandbox
+            .as_ref()
+            .filter(|s| !s.is_empty())
+        {
+            qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
+        }
        Ok(qemu_cmd_line)
    }

@ -2620,6 +2628,11 @@ impl<'a> QemuCmdLine<'a> {
        Ok(())
    }

+    pub fn add_seccomp_sandbox(&mut self, param: &str) {
+        let seccomp_sandbox = SeccompSandbox::new(param);
+        self.devices.push(Box::new(seccomp_sandbox));
+    }
+
    pub async fn build(&self) -> Result<Vec<String>> {
        let mut result = Vec::new();

@ -2706,3 +2719,23 @@ impl ToQemuParams for DeviceVirtioBalloon {
        ])
    }
 }
+
+#[derive(Debug)]
+struct SeccompSandbox {
+    param: String,
+}
+
+impl SeccompSandbox {
+    fn new(param: &str) -> Self {
+        SeccompSandbox {
+            param: param.to_owned(),
+        }
+    }
+}
+
+#[async_trait]
+impl ToQemuParams for SeccompSandbox {
+    async fn qemu_params(&self) -> Result<Vec<String>> {
+        Ok(vec!["-sandbox".to_owned(), self.param.clone()])
+    }
+}