Merge pull request #11525 from was-saw/qemu-seccomp

runtime-rs: add seccomp support for qemu
2025-09-17 14:58:16 +00:00 · 2025-08-14 12:35:32 -04:00
parent 65a9fe0063 d147e2491b
commit dcb62a7f91
2 changed files with 41 additions and 0 deletions
--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
@@ -2182,6 +2182,14 @@ impl<'a> QemuCmdLine<'a> {
            qemu_cmd_line.add_virtio_balloon();
        }

+        if let Some(seccomp_sandbox) = &config
+            .security_info
+            .seccomp_sandbox
+            .as_ref()
+            .filter(|s| !s.is_empty())
+        {
+            qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
+        }
        Ok(qemu_cmd_line)
    }

@@ -2620,6 +2628,11 @@ impl<'a> QemuCmdLine<'a> {
        Ok(())
    }

+    pub fn add_seccomp_sandbox(&mut self, param: &str) {
+        let seccomp_sandbox = SeccompSandbox::new(param);
+        self.devices.push(Box::new(seccomp_sandbox));
+    }
+
    pub async fn build(&self) -> Result<Vec<String>> {
        let mut result = Vec::new();

@@ -2706,3 +2719,23 @@ impl ToQemuParams for DeviceVirtioBalloon {
        ])
    }
 }
+
+#[derive(Debug)]
+struct SeccompSandbox {
+    param: String,
+}
+
+impl SeccompSandbox {
+    fn new(param: &str) -> Self {
+        SeccompSandbox {
+            param: param.to_owned(),
+        }
+    }
+}
+
+#[async_trait]
+impl ToQemuParams for SeccompSandbox {
+    async fn qemu_params(&self) -> Result<Vec<String>> {
+        Ok(vec!["-sandbox".to_owned(), self.param.clone()])
+    }
+}