From 4692011120135105d686a05b276926745f3328a2 Mon Sep 17 00:00:00 2001
From: Jie Yang
Date: Thu, 17 Feb 2022 21:49:41 +0800
Subject: [PATCH 5/5] standard_vm/syscall: Add new seccomp rules

Fix VFIO hotplugging failure when seccomp is enabled if StratoVirt is compiled with musl toolchain.

Signed-off-by: Jie Yang
---
 docs/config_guidebook.md | 2 +-
 docs/design.md | 2 +-
 machine/src/standard_vm/aarch64/syscall.rs | 19 +++++++++++++++----
 machine/src/standard_vm/x86_64/syscall.rs | 4 +++-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
index e0b8bdc..1764f30 100644
--- a/docs/config_guidebook.md
+++ b/docs/config_guidebook.md
@@ -543,7 +543,7 @@ in StratoVirt process by default. It will make a slight influence on performance
 | Number of Syscalls | GNU Toolchain | MUSL Toolchain |
 | :----------------: | :-----------: | :------------: |
 | microvm | 46 | 46 |
-| q35 | 49 | 50 |
+| q35 | 49 | 51 |
 
 * aarch64
 
diff --git a/docs/design.md b/docs/design.md
index 3223605..44ae335 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -38,7 +38,7 @@ in Kubernetes ecosystem perfectly;
 - Multi-platform support: Fully support for Intel and Arm platform;
 - Expansibility: StratoVirt reserves interface and design for importing more features,
 even expand to standard virtualization support;
-- Security: less than 51 syscalls while running;
+- Security: less than 52 syscalls while running;
 
 ## Implementation
 
diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs
index da663b9..e8ecdd5 100644
--- a/machine/src/standard_vm/aarch64/syscall.rs
+++ b/machine/src/standard_vm/aarch64/syscall.rs
@@ -114,10 +114,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_statx),
         BpfRule::new(libc::SYS_mkdirat),
         BpfRule::new(libc::SYS_unlinkat),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
+        madvise_rule(),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
     ]
@@ -178,3 +175,17 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_ARM_VCPU_INIT() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+}
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index 9836066..f39170a 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -54,7 +54,7 @@ const KVM_RUN: u32 = 0xae80;
 /// # Notes
 /// This allowlist limit syscall with:
 /// * x86_64-unknown-gnu: 46 syscalls
-/// * x86_64-unknown-musl: 47 syscalls
+/// * x86_64-unknown-musl: 48 syscalls
 /// To reduce performance losses, the syscall rules is ordered by frequency.
 pub fn syscall_whitelist() -> Vec {
     vec![
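Review bot: The new `madvise_rule()` in the second aarch64 hunk duplicates the three shared `MADV_DONTNEED`/`MADV_WILLNEED`/`MADV_DONTDUMP` constraints across two `#[cfg]`-gated `return` statements, and on any `target_env` other than `musl` or `gnu` the function body is left with no return at all, so the allowlist fails to build rather than making the gating visible. Building the common rule once and adding `MADV_FREE` under a single `#[cfg(target_env = "musl")]` keeps the two variants from drifting apart and makes the musl-only widening obvious at review time; this assumes, as the existing code already does, that repeated `add_constraint` calls on argument 2 are unioned. The call site in the first hunk (`madvise_rule(),`) needs no change, and `syscall_whitelist` itself starts and ends outside the hunk. A one-line comment stating why musl needs `MADV_FREE` would also help, since the commit message only mentions VFIO hotplug; presumably it is the musl allocator's lazy-free path, but that is inferred and should be confirmed before being written down.
```rust
fn madvise_rule() -> BpfRule {
    let rule = BpfRule::new(libc::SYS_madvise)
        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
    // musl builds additionally need MADV_FREE (see commit message); glibc keeps the tighter set.
    #[cfg(target_env = "musl")]
    let rule = rule.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32);
    rule
}
```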
@@ -124,6 +124,8 @@ pub fn syscall_whitelist() -> Vec {
             .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
+        #[cfg(target_env = "musl")]
+        BpfRule::new(libc::SYS_readlink),
     ]
 }
 
-- 
2.25.1
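Review bot: The musl-only `SYS_readlink` rule is added with no comment explaining why the musl build needs the legacy syscall while the gnu build gets by with the `SYS_readlinkat` entry directly above it, and the commit message only says it fixes VFIO hotplug. Presumably musl's `readlink()` wrapper issues `SYS_readlink` whereas the glibc path ends up in `SYS_readlinkat`, but that is inferred rather than visible here, so it should be confirmed and recorded next to the rule, e.g. `// musl's readlink() uses SYS_readlink (VFIO hotplug); glibc goes through readlinkat.` The rule takes no argument constraint, which matches the neighbouring `SYS_readlinkat` entry, so no tightening is being asked for. `syscall_whitelist` starts outside the hunk.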