stratovirt/0005-standard_vm-syscall-Add-new-seccomp-rules.patch

From 4692011120135105d686a05b276926745f3328a2 Mon Sep 17 00:00:00 2001
From: Jie Yang <yangjieyj.yang@huawei.com>
Date: Thu, 17 Feb 2022 21:49:41 +0800
Subject: [PATCH 5/5] standard_vm/syscall: Add new seccomp rules

Fix VFIO hotplugging failure when seccomp is enabled if StratoVirt is
compiled with musl toolchain.

Signed-off-by: Jie Yang <yangjieyj.yang@huawei.com>
---
 docs/config_guidebook.md                   |  2 +-
 docs/design.md                             |  2 +-
 machine/src/standard_vm/aarch64/syscall.rs | 19 +++++++++++++++----
 machine/src/standard_vm/x86_64/syscall.rs  |  4 +++-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
index e0b8bdc..1764f30 100644
--- a/docs/config_guidebook.md
+++ b/docs/config_guidebook.md
@@ -543,7 +543,7 @@ in StratoVirt process by default. It will make a slight influence on performance
 | Number of Syscalls | GNU Toolchain | MUSL Toolchain |
 | :----------------: | :-----------: | :------------: |
 |      microvm       |      46       |       46       |
-|        q35         |      49       |       50       |
+|        q35         |      49       |       51       |
 
 * aarch64
 
diff --git a/docs/design.md b/docs/design.md
index 3223605..44ae335 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -38,7 +38,7 @@ in Kubernetes ecosystem perfectly;
 - Multi-platform support: Fully support for Intel and Arm platform;
 - Expansibility: StratoVirt reserves interface and design for importing more features,
 even expand to standard virtualization support;
-- Security: less than 51 syscalls while running;
+- Security: less than 52 syscalls while running;
 
 ## Implementation
 
diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs
index da663b9..e8ecdd5 100644
--- a/machine/src/standard_vm/aarch64/syscall.rs
+++ b/machine/src/standard_vm/aarch64/syscall.rs
@@ -114,10 +114,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
         BpfRule::new(libc::SYS_statx),
         BpfRule::new(libc::SYS_mkdirat),
         BpfRule::new(libc::SYS_unlinkat),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
+        madvise_rule(),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
     ]
@@ -178,3 +175,17 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_ARM_VCPU_INIT() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+}
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index 9836066..f39170a 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -54,7 +54,7 @@ const KVM_RUN: u32 = 0xae80;
 /// # Notes
 /// This allowlist limit syscall with:
 /// * x86_64-unknown-gnu: 46 syscalls
-/// * x86_64-unknown-musl: 47 syscalls
+/// * x86_64-unknown-musl: 48 syscalls
 /// To reduce performance losses, the syscall rules is ordered by frequency.
 pub fn syscall_whitelist() -> Vec<BpfRule> {
     vec![
@@ -124,6 +124,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
             .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
+        #[cfg(target_env = "musl")]
+        BpfRule::new(libc::SYS_readlink),
     ]
 }
 
-- 
2.25.1
Update version to 2.1.0-2 Signed-off-by: Jie Yang <yangjieyj.yang@huawei.com> (cherry picked from commit c7db0977213860987bf1883895ee02025e0aa3c6) 2022-02-18 10:45:00 +08:00			`From 4692011120135105d686a05b276926745f3328a2 Mon Sep 17 00:00:00 2001`
			`From: Jie Yang <yangjieyj.yang@huawei.com>`
			`Date: Thu, 17 Feb 2022 21:49:41 +0800`
			`Subject: [PATCH 5/5] standard_vm/syscall: Add new seccomp rules`

			`Fix VFIO hotplugging failure when seccomp is enabled if StratoVirt is`
			`compiled with musl toolchain.`

			`Signed-off-by: Jie Yang <yangjieyj.yang@huawei.com>`
			`---`
			`docs/config_guidebook.md \| 2 +-`
			`docs/design.md \| 2 +-`
			`machine/src/standard_vm/aarch64/syscall.rs \| 19 +++++++++++++++----`
			`machine/src/standard_vm/x86_64/syscall.rs \| 4 +++-`
			`4 files changed, 20 insertions(+), 7 deletions(-)`

			`diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md`
			`index e0b8bdc..1764f30 100644`
			`--- a/docs/config_guidebook.md`
			`+++ b/docs/config_guidebook.md`
			`@@ -543,7 +543,7 @@ in StratoVirt process by default. It will make a slight influence on performance`
			`\| Number of Syscalls \| GNU Toolchain \| MUSL Toolchain \|`
			`\| :----------------: \| :-----------: \| :------------: \|`
			`\| microvm \| 46 \| 46 \|`
			`-\| q35 \| 49 \| 50 \|`
			`+\| q35 \| 49 \| 51 \|`

			`* aarch64`

			`diff --git a/docs/design.md b/docs/design.md`
			`index 3223605..44ae335 100644`
			`--- a/docs/design.md`
			`+++ b/docs/design.md`
			`@@ -38,7 +38,7 @@ in Kubernetes ecosystem perfectly;`
			`- Multi-platform support: Fully support for Intel and Arm platform;`
			`- Expansibility: StratoVirt reserves interface and design for importing more features,`
			`even expand to standard virtualization support;`
			`-- Security: less than 51 syscalls while running;`
			`+- Security: less than 52 syscalls while running;`

			`## Implementation`

			`diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs`
			`index da663b9..e8ecdd5 100644`
			`--- a/machine/src/standard_vm/aarch64/syscall.rs`
			`+++ b/machine/src/standard_vm/aarch64/syscall.rs`
			`@@ -114,10 +114,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`BpfRule::new(libc::SYS_statx),`
			`BpfRule::new(libc::SYS_mkdirat),`
			`BpfRule::new(libc::SYS_unlinkat),`
			`- BpfRule::new(libc::SYS_madvise)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),`
			`+ madvise_rule(),`
			`BpfRule::new(libc::SYS_msync),`
			`BpfRule::new(libc::SYS_readlinkat),`
			`]`
			`@@ -178,3 +175,17 @@ fn ioctl_allow_list() -> BpfRule {`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)`
			`.add_constraint(SeccompCmpOpt::Eq, 1, KVM_ARM_VCPU_INIT() as u32)`
			`}`
			`+`
			`+fn madvise_rule() -> BpfRule {`
			`+ #[cfg(target_env = "musl")]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);`
			`+ #[cfg(target_env = "gnu")]`
			`+ return BpfRule::new(libc::SYS_madvise)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)`
			`+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);`
			`+}`
			`diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs`
			`index 9836066..f39170a 100644`
			`--- a/machine/src/standard_vm/x86_64/syscall.rs`
			`+++ b/machine/src/standard_vm/x86_64/syscall.rs`
			`@@ -54,7 +54,7 @@ const KVM_RUN: u32 = 0xae80;`
			`/// # Notes`
			`/// This allowlist limit syscall with:`
			`/// * x86_64-unknown-gnu: 46 syscalls`
			`-/// * x86_64-unknown-musl: 47 syscalls`
			`+/// * x86_64-unknown-musl: 48 syscalls`
			`/// To reduce performance losses, the syscall rules is ordered by frequency.`
			`pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`vec![`
			`@@ -124,6 +124,8 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {`
			`.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),`
			`BpfRule::new(libc::SYS_msync),`
			`BpfRule::new(libc::SYS_readlinkat),`
			`+ #[cfg(target_env = "musl")]`
			`+ BpfRule::new(libc::SYS_readlink),`
			`]`
			`}`

			`--`
			`2.25.1`