Commit 073d5ac

JamesC1305ShadowCurse

authored and

committed

Add seccomp filters to VMM

Add seccompiler filters as a field of the VMM. This is required to ensure that the newly created vCPU threads have the same filters as the currently existing vCPU threads Signed-off-by: James Curtis <jxcurtis@amazon.co.uk>

1 parent c3563f6 commit 073d5acCopy full SHA for 073d5ac

File tree

2 files changed

+79

-0

lines changed

src/vmm/src
- builder.rs
- lib.rs

2 files changed

+79

-0

lines changed

`‎src/vmm/src/builder.rs`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -145,13 +145,15 @@ impl std::convert::From<linux_loader::cmdline::Error> for StartMicrovmError {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`#[cfg_attr(target_arch = "aarch64", allow(unused))]`
	`148`	`+#[allow(clippy::too_many_arguments)]`
`148`	`149`	`fn create_vmm_and_vcpus(`
`149`	`150`	`instance_info: &InstanceInfo,`
`150`	`151`	`event_manager: &mut EventManager,`
`151`	`152`	`guest_memory: GuestMemoryMmap,`
`152`	`153`	`uffd: Option<Uffd>,`
`153`	`154`	`track_dirty_pages: bool,`
`154`	`155`	`vcpu_count: u8,`
	`156`	`+ #[cfg(target_arch = "x86_64")] seccomp_filters: BpfThreadMap,`
`155`	`157`	`kvm_capabilities: Vec<KvmCapability>,`
`156`	`158`	`) -> Result<(Vmm, Vec<Vcpu>), StartMicrovmError> {`
`157`	`159`	`use self::StartMicrovmError::*;`
`@@ -229,6 +231,8 @@ fn create_vmm_and_vcpus(`
`229`	`231`	`uffd,`
`230`	`232`	`vcpus_handles: Vec::new(),`
`231`	`233`	`vcpus_exit_evt,`
	`234`	`+ #[cfg(target_arch = "x86_64")]`
	`235`	`+ seccomp_filters,`
`232`	`236`	`resource_allocator,`
`233`	`237`	`mmio_device_manager,`
`234`	`238`	`#[cfg(target_arch = "x86_64")]`
`@@ -309,6 +313,8 @@ pub fn build_microvm_for_boot(`
`309`	`313`	`None,`
`310`	`314`	`track_dirty_pages,`
`311`	`315`	`vm_resources.vm_config.vcpu_count,`
	`316`	`+ #[cfg(target_arch = "x86_64")]`
	`317`	`+ seccomp_filters.clone(),`
`312`	`318`	`cpu_template.kvm_capabilities.clone(),`
`313`	`319`	`)?;`
`314`	`320`
`@@ -478,6 +484,8 @@ pub fn build_microvm_from_snapshot(`
`478`	`484`	`uffd,`
`479`	`485`	`vm_resources.vm_config.track_dirty_pages,`
`480`	`486`	`vm_resources.vm_config.vcpu_count,`
	`487`	`+ #[cfg(target_arch = "x86_64")]`
	`488`	`+ seccomp_filters.clone(),`
`481`	`489`	`microvm_state.vm_state.kvm_cap_modifiers.clone(),`
`482`	`490`	`)?;`
`483`	`491`
`@@ -1155,6 +1163,8 @@ pub mod tests {`
`1155`	`1163`	`uffd: None,`
`1156`	`1164`	`vcpus_handles: Vec::new(),`
`1157`	`1165`	`vcpus_exit_evt,`
	`1166`	`+ #[cfg(target_arch = "x86_64")]`
	`1167`	`+ seccomp_filters: crate::seccomp_filters::get_empty_filters(),`
`1158`	`1168`	`resource_allocator: ResourceAllocator::new().unwrap(),`
`1159`	`1169`	`mmio_device_manager,`
`1160`	`1170`	`#[cfg(target_arch = "x86_64")]`

`‎src/vmm/src/lib.rs`

Lines changed: 69 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -124,11 +124,17 @@ use device_manager::resources::ResourceAllocator;`
`124`	`124`	`use devices::acpi::vmgenid::VmGenIdError;`
`125`	`125`	`use event_manager::{EventManager as BaseEventManager, EventOps, Events, MutEventSubscriber};`
`126`	`126`	`use seccompiler::BpfProgram;`
	`127`	`+#[cfg(target_arch = "x86_64")]`
	`128`	`+use seccompiler::BpfThreadMap;`
`127`	`129`	`use userfaultfd::Uffd;`
`128`	`130`	`use utils::epoll::EventSet;`
`129`	`131`	`use utils::eventfd::EventFd;`
`130`	`132`	`use utils::terminal::Terminal;`
`131`	`133`	`use utils::u64_to_usize;`
	`134`	`+#[cfg(target_arch = "x86_64")]`
	`135`	`+use vmm_config::hotplug::{HotplugVcpuConfig, HotplugVcpuError};`
	`136`	`+#[cfg(target_arch = "x86_64")]`
	`137`	`+use vmm_config::machine_config::{MachineConfigUpdate, MAX_SUPPORTED_VCPUS};`
`132`	`138`	`use vstate::vcpu::{self, KvmVcpuConfigureError, StartThreadedError, VcpuSendEventError};`
`133`	`139`
`134`	`140`	`use crate::arch::DeviceType;`
`@@ -317,6 +323,9 @@ pub struct Vmm {`
`317`	`323`	`vcpus_handles: Vec<VcpuHandle>,`
`318`	`324`	`// Used by Vcpus and devices to initiate teardown; Vmm should never write here.`
`319`	`325`	`vcpus_exit_evt: EventFd,`
	`326`	`+ // seccomp_filters are only needed in VMM for hotplugging vCPUS.`
	`327`	`+ #[cfg(target_arch = "x86_64")]`
	`328`	`+ seccomp_filters: BpfThreadMap,`
`320`	`329`
`321`	`330`	`// Allocator for guest resrouces`
`322`	`331`	`resource_allocator: ResourceAllocator,`
`@@ -600,6 +609,66 @@ impl Vmm {`
`600`	`609`	`Ok(cpu_configs)`
`601`	`610`	`}`
`602`	`611`
	`612`	`+ /// Adds new vCPUs to VMM.`
	`613`	`+ #[cfg(target_arch = "x86_64")]`
	`614`	`+ pub fn hotplug_vcpus(`
	`615`	`+ &mut self,`
	`616`	`+ config: HotplugVcpuConfig,`
	`617`	`+ ) -> Result<MachineConfigUpdate, HotplugVcpuError> {`
	`618`	`+ use crate::logger::IncMetric;`
	`619`	`+ if config.vcpu_count < 1 {`
	`620`	`+ return Err(HotplugVcpuError::VcpuCountTooLow);`
	`621`	`+ } else if self`
	`622`	`+ .vcpus_handles`
	`623`	`+ .len()`
	`624`	`+ .checked_add(config.vcpu_count.into())`
	`625`	`+ .ok_or(HotplugVcpuError::VcpuCountTooHigh)?`
	`626`	`+ > MAX_SUPPORTED_VCPUS.into()`
	`627`	`+ {`
	`628`	`+ return Err(HotplugVcpuError::VcpuCountTooHigh);`
	`629`	`+ }`
	`630`	`+`
	`631`	`+ // Create and start new vcpus`
	`632`	`+ let mut vcpus = Vec::with_capacity(config.vcpu_count.into());`
	`633`	`+`
	`634`	`+ #[allow(clippy::cast_possible_truncation)]`
	`635`	`+ let start_idx = self.vcpus_handles.len().try_into().unwrap();`
	`636`	`+ for cpu_idx in start_idx..(start_idx + config.vcpu_count) {`
	`637`	`+ let exit_evt = self`
	`638`	`+ .vcpus_exit_evt`
	`639`	`+ .try_clone()`
	`640`	`+ .map_err(HotplugVcpuError::EventFd)?;`
	`641`	`+ let vcpu =`
	`642`	`+ Vcpu::new(cpu_idx, &self.vm, exit_evt).map_err(HotplugVcpuError::VcpuCreate)?;`
	`643`	`+ vcpus.push(vcpu);`
	`644`	`+ }`
	`645`	`+`
	`646`	`+ self.start_vcpus(`
	`647`	`+ vcpus,`
	`648`	`+ self.seccomp_filters`
	`649`	`+ .get("vcpu")`
	`650`	`+ .ok_or_else(\|\| HotplugVcpuError::MissingSeccompFilters("vcpu".to_string()))?`
	`651`	`+ .clone(),`
	`652`	`+ )`
	`653`	`+ .map_err(HotplugVcpuError::VcpuStart)?;`
	`654`	`+`
	`655`	`+ #[allow(clippy::cast_lossless)]`
	`656`	`+ METRICS.hotplug.vcpus_added.add(config.vcpu_count.into());`
	`657`	`+`
	`658`	`+ // Update VM config to reflect new CPUs added`
	`659`	`+ #[allow(clippy::cast_possible_truncation)]`
	`660`	`+ let new_machine_config = MachineConfigUpdate {`
	`661`	`+ vcpu_count: Some(self.vcpus_handles.len() as u8),`
	`662`	`+ mem_size_mib: None,`
	`663`	`+ smt: None,`
	`664`	`+ cpu_template: None,`
	`665`	`+ track_dirty_pages: None,`
	`666`	`+ huge_pages: None,`
	`667`	`+ };`
	`668`	`+`
	`669`	`+ Ok(new_machine_config)`
	`670`	`+ }`
	`671`	`+`
`603`	`672`	`/// Retrieves the KVM dirty bitmap for each of the guest's memory regions.`
`604`	`673`	`pub fn reset_dirty_bitmap(&self) {`
`605`	`674`	`self.guest_memory`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 073d5ac

File tree

2 files changed

2 files changed

`‎src/vmm/src/builder.rs`

`‎src/vmm/src/lib.rs`

0 commit comments