Merge c9f523bc82 into 9379a18c8a

src/dragonball/Cargo.lock

@@ -1810,9 +1810,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
  "libc",
 ]

src/dragonball/Cargo.toml

@@ -33,7 +33,7 @@ event-manager = "0.2.1"
 kvm-bindings = "0.6.0"
 kvm-ioctls = "0.12.0"
 linux-loader = "0.8.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 vfio-bindings = "0.3.0"
 vfio-ioctls = "0.1.0"
 virtio-bindings = "0.1.0"

src/runtime-rs/Cargo.lock

@@ -4143,9 +4143,9 @@ checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
 
 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
  "libc",
 ]

src/runtime-rs/config/configuration-cloud-hypervisor.toml.in

@@ -195,6 +195,9 @@ block_device_driver = "virtio-blk-pci"
 # result in memory pre allocation
 #enable_hugepages = true
 
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
 #

src/runtime-rs/config/configuration-dragonball.toml.in

@@ -219,6 +219,9 @@ virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
 # result in memory pre allocation
 #enable_hugepages = true
 
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # Enable swap in the guest. Default false.
 # When enable_guest_swap is enabled, insert a raw file to the guest as the swap device.
 #enable_guest_swap = true

src/runtime-rs/config/configuration-rs-fc.toml.in

@@ -145,6 +145,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # result in memory pre allocation
 #enable_hugepages = true
 
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # Enable vIOMMU, default false
 # Enabling this will result in the VM having a vIOMMU device
 # This will also add the following options to the kernel's

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -15,7 +15,7 @@ go-flag = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 rust-ini = "0.18.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 serde = { workspace = true }
 serde_json = { workspace = true }
 slog = { workspace = true }

src/runtime-rs/crates/hypervisor/src/dragonball/inner_hypervisor.rs

@@ -16,6 +16,7 @@ use super::inner::DragonballInner;
 use crate::{
     utils::{self, get_hvsock_path, get_jailer_root, get_sandbox_path},
     VcpuThreadIds, VmmState,
+    dragonball::seccomp::{ThreadType, get_seccomp_filter},
 };
 
 impl DragonballInner {
@@ -27,6 +28,21 @@ impl DragonballInner {
         self.jailer_root = get_jailer_root(id);
         self.netns = netns;
         
+        if !self.config.security_info.disable_seccomp {
+            let seccomp = HashMap::from([
+                (
+                    ThreadType::Vmm,
+                    get_seccomp_filter(&ThreadType::Vmm),
+                ),
+                (
+                    ThreadType::Vcpu,
+                    get_seccomp_filter(&ThreadType::Vcpu),
+                ),
+            ]);
+
+            self.vmm_instance.set_seccomp(seccomp);
+        }
+
         Ok(())
     }
 

src/runtime-rs/crates/hypervisor/src/dragonball/mod.rs

@@ -11,6 +11,7 @@ use super::HypervisorState;
 use inner::DragonballInner;
 use persist::sandbox_persist::Persist;
 pub mod vmm_instance;
+mod seccomp;
 
 use std::collections::HashMap;
 use std::sync::Arc;

src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs

@@ -0,0 +1,40 @@
+// Copyright (c) 2019-2022 Alibaba Cloud
+// Copyright (c) 2019-2022 Ant Group
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use seccompiler::{BpfProgram, SeccompAction, SeccompFilter};
+use std::convert::TryInto;
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub enum ThreadType {
+    Vcpu,
+    Vmm,
+}
+
+pub fn get_seccomp_filter(thread_type: &ThreadType) -> BpfProgram {
+    let rules = match thread_type {
+        ThreadType::Vcpu => get_vcpu_seccomp_rules(),
+        ThreadType::Vmm => get_vmm_seccomp_rules(),
+    };
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        // TODO: modify the action after determining the action needed for dragonball
+        SeccompAction::Allow,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
+    .and_then(|f| f.try_into())
+    .unwrap_or_default()
+}
+
+pub fn get_vcpu_seccomp_rules() -> Vec<(i64, Vec<seccompiler::SeccompRule>)> {
+    // TODO: add vcpu seccomp rules
+    vec![]
+}
+
+pub fn get_vmm_seccomp_rules() -> Vec<(i64, Vec<seccompiler::SeccompRule>)> {
+    // TODO: add vmm seccomp rules
+    vec![]
+}

src/runtime-rs/crates/hypervisor/src/dragonball/vmm_instance.rs

@@ -5,6 +5,7 @@
 //
 
 use std::{
+    collections::HashMap,
     fs::{File, OpenOptions},
     os::unix::{io::IntoRawFd, prelude::AsRawFd},
     sync::{Arc, Mutex, RwLock},
@@ -34,6 +35,8 @@ use vmm_sys_util::eventfd::EventFd;
 
 use crate::ShareFsMountOperation;
 
+use crate::dragonball::seccomp::ThreadType;
+
 pub enum Request {
     Sync(VmmAction),
 }
@@ -49,7 +52,7 @@ pub struct VmmInstance {
     to_vmm: Option<Sender<VmmRequest>>,
     from_vmm: Option<Receiver<VmmResponse>>,
     to_vmm_fd: EventFd,
-    seccomp: BpfProgram,
+    seccomp: HashMap<ThreadType, BpfProgram>,
     vmm_thread: Option<thread::JoinHandle<Result<i32>>>,
     exit_notify: Option<mpsc::Sender<i32>>,
 }
@@ -69,7 +72,7 @@ impl VmmInstance {
             to_vmm: None,
             from_vmm: None,
             to_vmm_fd,
-            seccomp: vec![],
+            seccomp: HashMap::new(),
             vmm_thread: None,
             exit_notify: Some(exit_notify),
         }
@@ -103,6 +106,10 @@ impl VmmInstance {
         result
     }
 
+    pub fn set_seccomp(&mut self, seccomp: HashMap<ThreadType, BpfProgram>) {
+        self.seccomp = seccomp;
+    }
+
     pub fn run_vmm_server(&mut self, id: &str, netns: Option<String>) -> Result<()> {
         let kvm = OpenOptions::new().read(true).write(true).open(KVM_DEVICE)?;
 
@@ -120,8 +127,14 @@ impl VmmInstance {
         let vmm = Vmm::new(
             self.vmm_shared_info.clone(),
             api_event_fd2,
-            self.seccomp.clone(),
+            self.seccomp
-            self.seccomp.clone(),
+                .get(&ThreadType::Vmm)
+                .unwrap_or(&vec![])
+                .clone(),
+            self.seccomp
+                .get(&ThreadType::Vcpu)
+                .unwrap_or(&vec![])
+                .clone(),
             Some(kvm.into_raw_fd()),
         )
         .expect("Failed to start vmm");