Merge c9f523bc82 into 9379a18c8a

2025-08-15 06:34:03 +00:00 · 2025-08-12 09:30:24 +00:00 · 2025-08-12 09:30:24 +00:00 · eb3f0d9232
commit eb3f0d9232
parent 9379a18c8a c9f523bc82
11 changed files with 89 additions and 10 deletions
--- a/src/dragonball/Cargo.lock
+++ b/src/dragonball/Cargo.lock
@ -1810,9 +1810,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
 "libc",
 ]
--- a/src/dragonball/Cargo.toml
+++ b/src/dragonball/Cargo.toml
@ -33,7 +33,7 @@ event-manager = "0.2.1"
 kvm-bindings = "0.6.0"
 kvm-ioctls = "0.12.0"
 linux-loader = "0.8.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 vfio-bindings = "0.3.0"
 vfio-ioctls = "0.1.0"
 virtio-bindings = "0.1.0"
--- a/src/runtime-rs/Cargo.lock
+++ b/src/runtime-rs/Cargo.lock
@ -4143,9 +4143,9 @@ checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"

 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
 "libc",
 ]
--- a/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in
+++ b/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in
@ -195,6 +195,9 @@ block_device_driver = "virtio-blk-pci"
 # result in memory pre allocation
 #enable_hugepages = true

+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
 #
--- a/src/runtime-rs/config/configuration-dragonball.toml.in
+++ b/src/runtime-rs/config/configuration-dragonball.toml.in
@ -219,6 +219,9 @@ virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
 # result in memory pre allocation
 #enable_hugepages = true

+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # Enable swap in the guest. Default false.
 # When enable_guest_swap is enabled, insert a raw file to the guest as the swap device.
 #enable_guest_swap = true
--- a/src/runtime-rs/config/configuration-rs-fc.toml.in
+++ b/src/runtime-rs/config/configuration-rs-fc.toml.in
@ -145,6 +145,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # result in memory pre allocation
 #enable_hugepages = true

+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+# disable_seccomp = true
+
 # Enable vIOMMU, default false
 # Enabling this will result in the VM having a vIOMMU device
 # This will also add the following options to the kernel's
--- a/src/runtime-rs/crates/hypervisor/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/Cargo.toml
@ -15,7 +15,7 @@ go-flag = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 rust-ini = "0.18.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 serde = { workspace = true }
 serde_json = { workspace = true }
 slog = { workspace = true }
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_hypervisor.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_hypervisor.rs
@ -16,6 +16,7 @@ use super::inner::DragonballInner;
 use crate::{
    utils::{self, get_hvsock_path, get_jailer_root, get_sandbox_path},
    VcpuThreadIds, VmmState,
+    dragonball::seccomp::{ThreadType, get_seccomp_filter},
 };

 impl DragonballInner {
@ -27,6 +28,21 @@ impl DragonballInner {
        self.jailer_root = get_jailer_root(id);
        self.netns = netns;
        
+        if !self.config.security_info.disable_seccomp {
+            let seccomp = HashMap::from([
+                (
+                    ThreadType::Vmm,
+                    get_seccomp_filter(&ThreadType::Vmm),
+                ),
+                (
+                    ThreadType::Vcpu,
+                    get_seccomp_filter(&ThreadType::Vcpu),
+                ),
+            ]);
+
+            self.vmm_instance.set_seccomp(seccomp);
+        }
+
        Ok(())
    }

--- a/src/runtime-rs/crates/hypervisor/src/dragonball/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/mod.rs
@ -11,6 +11,7 @@ use super::HypervisorState;
 use inner::DragonballInner;
 use persist::sandbox_persist::Persist;
 pub mod vmm_instance;
+mod seccomp;

 use std::collections::HashMap;
 use std::sync::Arc;
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs
@ -0,0 +1,40 @@
+// Copyright (c) 2019-2022 Alibaba Cloud
+// Copyright (c) 2019-2022 Ant Group
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use seccompiler::{BpfProgram, SeccompAction, SeccompFilter};
+use std::convert::TryInto;
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub enum ThreadType {
+    Vcpu,
+    Vmm,
+}
+
+pub fn get_seccomp_filter(thread_type: &ThreadType) -> BpfProgram {
+    let rules = match thread_type {
+        ThreadType::Vcpu => get_vcpu_seccomp_rules(),
+        ThreadType::Vmm => get_vmm_seccomp_rules(),
+    };
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        // TODO: modify the action after determining the action needed for dragonball
+        SeccompAction::Allow,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
+    .and_then(|f| f.try_into())
+    .unwrap_or_default()
+}
+
+pub fn get_vcpu_seccomp_rules() -> Vec<(i64, Vec<seccompiler::SeccompRule>)> {
+    // TODO: add vcpu seccomp rules
+    vec![]
+}
+
+pub fn get_vmm_seccomp_rules() -> Vec<(i64, Vec<seccompiler::SeccompRule>)> {
+    // TODO: add vmm seccomp rules
+    vec![]
+}
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/vmm_instance.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/vmm_instance.rs
@ -5,6 +5,7 @@
 //

 use std::{
+    collections::HashMap,
    fs::{File, OpenOptions},
    os::unix::{io::IntoRawFd, prelude::AsRawFd},
    sync::{Arc, Mutex, RwLock},
@ -34,6 +35,8 @@ use vmm_sys_util::eventfd::EventFd;

 use crate::ShareFsMountOperation;

+use crate::dragonball::seccomp::ThreadType;
+
 pub enum Request {
    Sync(VmmAction),
 }
@ -49,7 +52,7 @@ pub struct VmmInstance {
    to_vmm: Option<Sender<VmmRequest>>,
    from_vmm: Option<Receiver<VmmResponse>>,
    to_vmm_fd: EventFd,
-    seccomp: BpfProgram,
+    seccomp: HashMap<ThreadType, BpfProgram>,
    vmm_thread: Option<thread::JoinHandle<Result<i32>>>,
    exit_notify: Option<mpsc::Sender<i32>>,
 }
@ -69,7 +72,7 @@ impl VmmInstance {
            to_vmm: None,
            from_vmm: None,
            to_vmm_fd,
-            seccomp: vec![],
+            seccomp: HashMap::new(),
            vmm_thread: None,
            exit_notify: Some(exit_notify),
        }
@ -103,6 +106,10 @@ impl VmmInstance {
        result
    }

+    pub fn set_seccomp(&mut self, seccomp: HashMap<ThreadType, BpfProgram>) {
+        self.seccomp = seccomp;
+    }
+
    pub fn run_vmm_server(&mut self, id: &str, netns: Option<String>) -> Result<()> {
        let kvm = OpenOptions::new().read(true).write(true).open(KVM_DEVICE)?;

@ -120,8 +127,14 @@ impl VmmInstance {
        let vmm = Vmm::new(
            self.vmm_shared_info.clone(),
            api_event_fd2,
-            self.seccomp.clone(),
-            self.seccomp.clone(),
+            self.seccomp
+                .get(&ThreadType::Vmm)
+                .unwrap_or(&vec![])
+                .clone(),
+            self.seccomp
+                .get(&ThreadType::Vcpu)
+                .unwrap_or(&vec![])
+                .clone(),
            Some(kvm.into_raw_fd()),
        )
        .expect("Failed to start vmm");