From 639982129fb79cc8f175497cd5b091a6dfd3ec40 Mon Sep 17 00:00:00 2001
From: zhouli57
Date: Tue, 8 Mar 2022 15:42:13 +0800
Subject: [PATCH 5/8] machine: update seccomp rules

Fix the problem of snapshot failure caused by compiling with a new version(1.57) of the compiler on openEuler 22.03 LTS.

Signed-off-by: zhouli57
---
 machine/src/micro_vm/syscall.rs | 46 ++++++++++++++++----
 machine/src/standard_vm/aarch64/syscall.rs | 33 +++++++++++----
 machine/src/standard_vm/x86_64/syscall.rs | 49 +++++++++++++++++-----
 3 files changed, 102 insertions(+), 26 deletions(-)

diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
index ff066a9..5e9c6d8 100644
--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
@@ -22,6 +22,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -88,12 +89,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -121,9 +117,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_mkdir),
         #[cfg(target_arch = "aarch64")]
         BpfRule::new(libc::SYS_mkdirat),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32),
+        madvise_rule(),
     ]
 }
 
@@ -181,3 +175,37 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DEVICE_ATTR() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+    #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+}
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs
index e8ecdd5..ed3140e 100644
--- a/machine/src/standard_vm/aarch64/syscall.rs
+++ b/machine/src/standard_vm/aarch64/syscall.rs
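Review bot: The new futex_rule only has a `return` under `#[cfg(target_env = "musl")]` and `#[cfg(target_env = "gnu")]`, so for any other target_env the body is empty and `-> BpfRule` fails to compile, whereas madvise_rule directly above it closes the set with `#[cfg(not(all(...)))]`. A build failure is an acceptable fail-closed outcome for a seccomp allowlist, but it should read as deliberate: either use `#[cfg(not(target_env = "musl"))]` on the second branch to match madvise_rule, or add `// Only musl and gnu are supported; any other target_env fails the build on purpose.` above it. The reason for the new `FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME` entry lives only in the commit message, and allowlist entries whose rationale is lost are never removed again; a doc comment on futex_rule such as `/// gnu builds with the 1.57 toolchain also issue FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME; snapshot failed under seccomp without it (see commit).` keeps it auditable. The same two points apply to futex_rule in the aarch64 hunk and to both madvise_rule and futex_rule in the x86_64 hunk.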
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -91,13 +92,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -189,3 +184,27 @@ fn madvise_rule() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
 }
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index f39170a..6f8e10d 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
 const FUTEX_WAKE_OP: u32 = 5;
 const FUTEX_WAIT_BITSET: u32 = 9;
 const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
 const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -94,12 +95,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_munmap),
         BpfRule::new(libc::SYS_accept4),
         BpfRule::new(libc::SYS_lseek),
-        BpfRule::new(libc::SYS_futex)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
-            .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+        futex_rule(),
         BpfRule::new(libc::SYS_exit),
         BpfRule::new(libc::SYS_exit_group),
         BpfRule::new(libc::SYS_rt_sigreturn),
@@ -118,10 +114,7 @@ pub fn syscall_whitelist() -> Vec {
         BpfRule::new(libc::SYS_statx),
         BpfRule::new(libc::SYS_mkdir),
         BpfRule::new(libc::SYS_unlink),
-        BpfRule::new(libc::SYS_madvise)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
-            .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
+        madvise_rule(),
         BpfRule::new(libc::SYS_msync),
         BpfRule::new(libc::SYS_readlinkat),
         #[cfg(target_env = "musl")]
@@ -202,3 +195,39 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MSRS() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32)
 }
+
+fn madvise_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_madvise)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+}
+
+fn futex_rule() -> BpfRule {
+    #[cfg(target_env = "musl")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+    #[cfg(target_env = "gnu")]
+    return BpfRule::new(libc::SYS_futex)
+        .add_constraint(
+            SeccompCmpOpt::Eq,
+            1,
+            FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+        )
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+        .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
-- 
2.20.1
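Review bot: The futex_rule added here is identical to the one added in machine/src/micro_vm/syscall.rs, the aarch64 copy differs only by its extra FUTEX_WAIT entry, and `FUTEX_CLOCK_REALTIME: u32 = 256` is now declared in all three files; three hand-maintained copies of the same seccomp rule drift silently, so the next futex op a toolchain needs will be added in one file and missed in another until that machine type fails under the filter. If the crate has a module visible to both micro_vm and standard_vm (I cannot see the crate layout from this patch), one shared futex builder taking the per-arch extra ops, plus the shared constants, would keep the three allowlists in lockstep. Failing that, a pointer on each copy, `// Keep in sync with micro_vm/syscall.rs and standard_vm/aarch64/syscall.rs`, at least makes the coupling visible to the next editor.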