packages/stratovirt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
stratovirt/0020-machine-update-seccomp-rules.patch
Jie Yang c98bb6b512 Update version to 2.1.0-4 
Signed-off-by: Jie Yang <yangjieyj.yang@huawei.com>
(cherry picked from commit e9cfa81784d4a86efd4392a487c0294d440c03c0)
2022-03-13 12:08:05 +08:00

227 lines
11 KiB
Diff
Raw Blame History

From 639982129fb79cc8f175497cd5b091a6dfd3ec40 Mon Sep 17 00:00:00 2001
From: zhouli57 <zhouli57@huawei.com>
Date: Tue, 8 Mar 2022 15:42:13 +0800
Subject: [PATCH 5/8] machine: update seccomp rules
Fix the problem of snapshot failure caused by compiling with a new
version(1.57) of the compiler on openEuler 22.03 LTS.
Signed-off-by: zhouli57 <zhouli57@huawei.com>
---
machine/src/micro_vm/syscall.rs | 46 ++++++++++++++++----
machine/src/standard_vm/aarch64/syscall.rs | 33 +++++++++++----
machine/src/standard_vm/x86_64/syscall.rs | 49 +++++++++++++++++-----
3 files changed, 102 insertions(+), 26 deletions(-)
diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
index ff066a9..5e9c6d8 100644
--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
@@ -22,6 +22,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
const FUTEX_WAKE_OP: u32 = 5;
const FUTEX_WAIT_BITSET: u32 = 9;
const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -88,12 +89,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
BpfRule::new(libc::SYS_munmap),
BpfRule::new(libc::SYS_accept4),
BpfRule::new(libc::SYS_lseek),
- BpfRule::new(libc::SYS_futex)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+ futex_rule(),
BpfRule::new(libc::SYS_exit),
BpfRule::new(libc::SYS_exit_group),
BpfRule::new(libc::SYS_rt_sigreturn),
@@ -121,9 +117,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
BpfRule::new(libc::SYS_mkdir),
#[cfg(target_arch = "aarch64")]
BpfRule::new(libc::SYS_mkdirat),
- BpfRule::new(libc::SYS_madvise)
- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32),
+ madvise_rule(),
]
}
@@ -181,3 +175,37 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {
.add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DEVICE_ATTR() as u32)
.add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32)
}
+
+fn madvise_rule() -> BpfRule {
+ #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+ #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+}
+
+fn futex_rule() -> BpfRule {
+ #[cfg(target_env = "musl")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+ #[cfg(target_env = "gnu")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(
+ SeccompCmpOpt::Eq,
+ 1,
+ FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+ )
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/aarch64/syscall.rs b/machine/src/standard_vm/aarch64/syscall.rs
index e8ecdd5..ed3140e 100644
--- a/machine/src/standard_vm/aarch64/syscall.rs
+++ b/machine/src/standard_vm/aarch64/syscall.rs
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
const FUTEX_WAKE_OP: u32 = 5;
const FUTEX_WAIT_BITSET: u32 = 9;
const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -91,13 +92,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
BpfRule::new(libc::SYS_munmap),
BpfRule::new(libc::SYS_accept4),
BpfRule::new(libc::SYS_lseek),
- BpfRule::new(libc::SYS_futex)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+ futex_rule(),
BpfRule::new(libc::SYS_exit),
BpfRule::new(libc::SYS_exit_group),
BpfRule::new(libc::SYS_rt_sigreturn),
@@ -189,3 +184,27 @@ fn madvise_rule() -> BpfRule {
.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
.add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
}
+
+fn futex_rule() -> BpfRule {
+ #[cfg(target_env = "musl")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+ #[cfg(target_env = "gnu")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(
+ SeccompCmpOpt::Eq,
+ 1,
+ FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+ )
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
diff --git a/machine/src/standard_vm/x86_64/syscall.rs b/machine/src/standard_vm/x86_64/syscall.rs
index f39170a..6f8e10d 100644
--- a/machine/src/standard_vm/x86_64/syscall.rs
+++ b/machine/src/standard_vm/x86_64/syscall.rs
@@ -28,6 +28,7 @@ const FUTEX_CMP_REQUEUE: u32 = 4;
const FUTEX_WAKE_OP: u32 = 5;
const FUTEX_WAIT_BITSET: u32 = 9;
const FUTEX_PRIVATE_FLAG: u32 = 128;
+const FUTEX_CLOCK_REALTIME: u32 = 256;
const FUTEX_WAIT_PRIVATE: u32 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
const FUTEX_WAKE_PRIVATE: u32 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
const FUTEX_CMP_REQUEUE_PRIVATE: u32 = FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG;
@@ -94,12 +95,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
BpfRule::new(libc::SYS_munmap),
BpfRule::new(libc::SYS_accept4),
BpfRule::new(libc::SYS_lseek),
- BpfRule::new(libc::SYS_futex)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
- .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE),
+ futex_rule(),
BpfRule::new(libc::SYS_exit),
BpfRule::new(libc::SYS_exit_group),
BpfRule::new(libc::SYS_rt_sigreturn),
@@ -118,10 +114,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
BpfRule::new(libc::SYS_statx),
BpfRule::new(libc::SYS_mkdir),
BpfRule::new(libc::SYS_unlink),
- BpfRule::new(libc::SYS_madvise)
- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
- .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32),
+ madvise_rule(),
BpfRule::new(libc::SYS_msync),
BpfRule::new(libc::SYS_readlinkat),
#[cfg(target_env = "musl")]
@@ -202,3 +195,39 @@ fn ioctl_allow_list() -> BpfRule {
.add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MSRS() as u32)
.add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32)
}
+
+fn madvise_rule() -> BpfRule {
+ #[cfg(target_env = "musl")]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+ #[cfg(target_env = "gnu")]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTDUMP as u32);
+}
+
+fn futex_rule() -> BpfRule {
+ #[cfg(target_env = "musl")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+ #[cfg(target_env = "gnu")]
+ return BpfRule::new(libc::SYS_futex)
+ .add_constraint(
+ SeccompCmpOpt::Eq,
+ 1,
+ FUTEX_WAIT_BITSET_PRIVATE | FUTEX_CLOCK_REALTIME,
+ )
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_CMP_REQUEUE_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAKE_OP_PRIVATE)
+ .add_constraint(SeccompCmpOpt::Eq, 1, FUTEX_WAIT_BITSET_PRIVATE);
+}
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink