mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-09-16 14:28:35 +00:00
runtime-rs: add seccomp support for qemu
This commit support the seccomp_sandbox option from the configuration.toml file and add the logic for appending command-line arguments based on this new configuration parameter. Fixes: #11524 Signed-off-by: wangxinge <wangxinge@bupt.edu.cn>
This commit is contained in:
wangxinge
@@ -934,6 +934,14 @@ pub struct SecurityInfo {
|
|||||||
rename = "tdx_quote_generation_service_socket_port"
|
rename = "tdx_quote_generation_service_socket_port"
|
||||||
)]
|
)]
|
||||||
pub qgs_port: u32,
|
pub qgs_port: u32,
|
||||||
|
|
||||||
|
/// Qemu seccomp sandbox feature
|
||||||
|
/// comma-separated list of seccomp sandbox features to control the syscall access.
|
||||||
|
/// For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
|
||||||
|
/// Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
|
||||||
|
/// Another note: enabling this feature may reduce performance, you may enable
|
||||||
|
/// /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
|
||||||
|
pub seccomp_sandbox: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
fn default_qgs_port() -> u32 {
|
fn default_qgs_port() -> u32 {
|
||||||
|
|||||||
@@ -2182,6 +2182,14 @@ impl<'a> QemuCmdLine<'a> {
|
|||||||
qemu_cmd_line.add_virtio_balloon();
|
qemu_cmd_line.add_virtio_balloon();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if let Some(seccomp_sandbox) = &config
|
||||||
|
.security_info
|
||||||
|
.seccomp_sandbox
|
||||||
|
.as_ref()
|
||||||
|
.filter(|s| !s.is_empty())
|
||||||
|
{
|
||||||
|
qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
|
||||||
|
}
|
||||||
Ok(qemu_cmd_line)
|
Ok(qemu_cmd_line)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2620,6 +2628,11 @@ impl<'a> QemuCmdLine<'a> {
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn add_seccomp_sandbox(&mut self, param: &str) {
|
||||||
|
let seccomp_sandbox = SeccompSandbox::new(param);
|
||||||
|
self.devices.push(Box::new(seccomp_sandbox));
|
||||||
|
}
|
||||||
|
|
||||||
pub async fn build(&self) -> Result<Vec<String>> {
|
pub async fn build(&self) -> Result<Vec<String>> {
|
||||||
let mut result = Vec::new();
|
let mut result = Vec::new();
|
||||||
|
|
||||||
@@ -2706,3 +2719,23 @@ impl ToQemuParams for DeviceVirtioBalloon {
|
|||||||
])
|
])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
struct SeccompSandbox {
|
||||||
|
param: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl SeccompSandbox {
|
||||||
|
fn new(param: &str) -> Self {
|
||||||
|
SeccompSandbox {
|
||||||
|
param: param.to_owned(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[async_trait]
|
||||||
|
impl ToQemuParams for SeccompSandbox {
|
||||||
|
async fn qemu_params(&self) -> Result<Vec<String>> {
|
||||||
|
Ok(vec!["-sandbox".to_owned(), self.param.clone()])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user