From 2a70e217561e64f460e95d4d89d145fc615f12ec Mon Sep 17 00:00:00 2001
From: Qi Xi
Date: Fri, 20 Aug 2021 15:43:00 +0800
Subject: [PATCH 6/8] syscall: add syscall "newfstatat" in x86_64-unknown-linux-gnu target
When we run stratovirt, built with GNU toolchain on x86 platform, and use serial port for IO, it will be blocked. The bug is caused by when it is the first time for rtc device to call "libc::gmtime_r" after seccomp taking effect, it will use the syscall "newfstatat" which is not in the syscall whitelist. The bug is fixed by adding "newfstatat" to syscall whitelist with x86_64-unknown-linux-gnu target. Signed-off-by: Qi Xi
---
 docs/config_guidebook.md | 18 +++++++++++++++---
 machine/src/micro_vm/syscall.rs | 4 +++-
 machine/src/standard_vm/x86_64/syscall.rs | 4 +++-
 3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
index 6a5cda7..72b4c7e 100644
--- a/docs/config_guidebook.md
+++ b/docs/config_guidebook.md
@@ -679,10 +679,22 @@ And you can also restore StratoVirt's **pid number** to a file by: ### 4.2 Seccomp StratoVirt use [seccomp(2)](https://man7.org/linux/man-pages/man2/seccomp.2.html) to limit the syscalls
-in StratoVirt process by default. StratoVirt use only 40 syscalls in x86_64 (39 syscalls in aarch64) after running.
-It will make a slight influence on performance to StratoVirt. If you want to disable seccomp, you can
-run StratoVirt with `-disable-seccomp`.
+in StratoVirt process by default. It will make a slight influence on performance to StratoVirt.
+* X86_64 | Number of Syscalls | GNU Toolchain | MUSL Toolchain | | :----------------: | :-----------: | :------------: | | Micro_vm | 41 | 41 | | Standard_vm | 46 | 43 | + +* AArch64 + | Number of Syscalls | GNU Toolchain | MUSL Toolchain | | :----------------: | :-----------: | :------------: | | Micro_vm | 39 | 40 | | Standard_vm | 43 | 42 | +
+If you want to disable seccomp, you can run StratoVirt with `-disable-seccomp`. ```shell # cmdline -disable-seccomp
diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
index eb52df6..ddc9023 100644
--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
@@ -92,7 +92,7 @@ ioctl_iowr_nr!(KVM_GET_REG_LIST, KVMIO, 0xb0, kvm_reg_list);
 ///
 /// # Notes
 /// This allowlist limit syscall with:
-/// * x86_64-unknown-gnu: 40 syscalls
+/// * x86_64-unknown-gnu: 41 syscalls
 /// * x86_64-unknown-musl: 41 syscalls
 /// * aarch64-unknown-gnu: 39 syscalls
 /// * aarch64-unknown-musl: 40 syscalls
@@ -153,6 +153,8 @@ pub fn syscall_whitelist() -> Vec {
 BpfRule::new(libc::SYS_statx),
 #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
 BpfRule::new(libc::SYS_stat),
+ #[cfg(all(target_env = "gnu", target_arch = "x86_64"))]
+ BpfRule::new(libc::SYS_newfstatat),
 #[cfg(all(target_env = "musl", target_arch = "aarch64"))]
 BpfRule::new(libc::SYS_newfstatat),
 #[cfg(target_arch = "x86_64")]
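Review bot: The new `BpfRule::new(libc::SYS_newfstatat)` entry for gnu/x86_64 widens the allowlist for what the commit message describes as a one-time need (only the first `libc::gmtime_r` call after the filter is live reaches newfstatat, when glibc loads its tz data), so an alternative worth weighing is to call `libc::gmtime_r` or `libc::tzset` once before the seccomp filter is installed and leave the allowlist as it was; newfstatat is a read-only metadata call, so the added exposure is small, but every rule added here is a syscall the filter no longer blocks for the whole process lifetime. If the rule stays, it needs a why-comment, since nothing in the file explains why the gnu target needs a syscall the musl target does not, e.g. `// glibc: the first gmtime_r() after the filter is live loads tz data via newfstatat`. The same syscall is now allowed under two separate cfg entries (gnu/x86_64 here and musl/aarch64 on the next two lines); a single `#[cfg(any(all(target_env = "gnu", target_arch = "x86_64"), all(target_env = "musl", target_arch = "aarch64")))]` over one `BpfRule::new(libc::SYS_newfstatat),` keeps the rule in one place. The standard_vm hunk at `@@ -132,6 +132,8 @@` adds the same rule and the warm-up and why-comment points apply there too. `syscall_whitelist` starts and ends outside this hunk.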
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index d794c78..dddeb8a 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -78,7 +78,7 @@ ioctl_iowr_nr!(KVM_GET_MSRS, KVMIO, 0x88, kvm_msrs);
 ///
 /// # Notes
 /// This allowlist limit syscall with:
-/// * x86_64-unknown-gnu: 45 syscalls
+/// * x86_64-unknown-gnu: 46 syscalls
 /// * x86_64-unknown-musl: 43 syscalls
 /// To reduce performance losses, the syscall rules is ordered by frequency.
 pub fn syscall_whitelist() -> Vec {
@@ -132,6 +132,8 @@ pub fn syscall_whitelist() -> Vec {
 BpfRule::new(libc::SYS_gettid),
 BpfRule::new(libc::SYS_getpid),
 BpfRule::new(libc::SYS_fstat),
+ #[cfg(all(target_env = "gnu"))]
+ BpfRule::new(libc::SYS_newfstatat),
 BpfRule::new(libc::SYS_pread64),
 BpfRule::new(libc::SYS_pwrite64),
 BpfRule::new(libc::SYS_statx),
-- 
2.25.1
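Review bot: `#[cfg(all(target_env = "gnu"))]` wraps a single predicate, so the `all(...)` is redundant; write `#[cfg(target_env = "gnu")]` (this file lives under `x86_64/`, so no arch predicate is needed, unlike the micro_vm variant). Placement is also worth a second look: the doc comment a few lines up says the rules are ordered by frequency, while the commit message describes newfstatat as needed only on the first `gmtime_r` call, which argues for putting the rule with the less frequent entries rather than between `fstat` and `pread64` — unless glibc reaches newfstatat on other hot paths too, which nothing on the page shows. A one-line why-comment, e.g. `// glibc: the first gmtime_r() after the filter is live loads tz data via newfstatat`, would record why the gnu target alone needs this rule. `syscall_whitelist` starts and ends outside this hunk.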