micro_vm: update seccomp rules

When you run the query-cpus QMP command in the ARM of the micro vm, a bad system call is displayed. Signed-off-by: Xinle.Guo <guoxinle1@huawei.com> Signed-off-by: zhouli57 <zhouli57@huawei.com> (cherry picked from commit b8d9e5a78e2034de0c641bedb8a98fbb3b6f5830)
2022-11-29 15:24:18 +08:00 · 2022-11-29 15:24:18 +08:00 · 90c0c26525
commit 90c0c26525
parent b82980990b
2 changed files with 72 additions and 1 deletions
--- a/0025-micro_vm-update-seccomp-rules.patch
+++ b/0025-micro_vm-update-seccomp-rules.patch
@ -0,0 +1,67 @@
+From 024d5c4070df66913e1bf12e5f21eaa090ea2f68 Mon Sep 17 00:00:00 2001
+From: zhouli57 <zhouli57@huawei.com>
+Date: Tue, 12 Jul 2022 20:53:15 +0800
+Subject: [PATCH] micro_vm: update seccomp rules
+
+When you run the query-cpus QMP command in the ARM of the micro vm, a bad
+system call is displayed.
+
+Signed-off-by: zhouli57 <zhouli57@huawei.com>
+---
+ docs/config_guidebook.md        | 2 +-
+ machine/src/micro_vm/syscall.rs | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
+index a8e010a..2146f49 100644
+--- a/docs/config_guidebook.md
+++ b/docs/config_guidebook.md
+@@ -557,7 +557,7 @@ in StratoVirt process by default. It will make a slight influence on performance
+ 
+ | Number of Syscalls | GNU Toolchain | MUSL Toolchain |
+ | :----------------: | :-----------: | :------------: |
+-|      microvm       |      44       |       45       |
+|      microvm       |      45       |       45       |
+ |        virt        |      48       |       47       |
+ 
+ If you want to disable seccomp, you can run StratoVirt with `-disable-seccomp`.
+diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
+index 81637a3..bdd232d 100644
+--- a/machine/src/micro_vm/syscall.rs
+++ b/machine/src/micro_vm/syscall.rs
+@@ -50,7 +50,7 @@ const KVM_RUN: u32 = 0xae80;
+ /// This allowlist limit syscall with:
+ /// * x86_64-unknown-gnu: 43 syscalls
+ /// * x86_64-unknown-musl: 43 syscalls
+-/// * aarch64-unknown-gnu: 41 syscalls
+/// * aarch64-unknown-gnu: 42 syscalls
+ /// * aarch64-unknown-musl: 42 syscalls
+ /// To reduce performance losses, the syscall rules is ordered by frequency.
+ pub fn syscall_whitelist() -> Vec<BpfRule> {
+@@ -108,7 +108,7 @@ pub fn syscall_whitelist() -> Vec<BpfRule> {
+         BpfRule::new(libc::SYS_stat),
+         #[cfg(all(target_env = "gnu", target_arch = "x86_64"))]
+         BpfRule::new(libc::SYS_newfstatat),
+-        #[cfg(all(target_env = "musl", target_arch = "aarch64"))]
+        #[cfg(target_arch = "aarch64")]
+         BpfRule::new(libc::SYS_newfstatat),
+         #[cfg(target_arch = "x86_64")]
+         BpfRule::new(libc::SYS_unlink),
+@@ -178,12 +178,12 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {
+ }
+ 
+ fn madvise_rule() -> BpfRule {
+-    #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
+    #[cfg(target_env = "musl")]
+     return BpfRule::new(libc::SYS_madvise)
+         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+-    #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]
+    #[cfg(not(target_env = "musl"))]
+     return BpfRule::new(libc::SYS_madvise)
+         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+         .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+-- 
+2.27.0
+
--- a/stratovirt.spec
+++ b/stratovirt.spec
@ -6,7 +6,7 @@

 Name:           stratovirt
 Version:        2.1.0
-Release:        7
+Release:        8
 Summary:        StratoVirt is an opensource VMM(Virtual Machine Manager) which aims to perform next generation virtualization.

 License:        MulanPSL-2.0
@ -37,6 +37,7 @@ Patch021: 0021-console-fix-the-bug-of-delete-park-fd.patch
 Patch022: 0022-docs-add-the-description-of-hot-plug-of-PCI-devices.patch
 Patch023: 0023-Modify-cargo-cllippy-warning-when-compiling-cargo-cl.patch
 Patch024: 0024-machine-clear-some-warnings.patch
+Patch025: 0025-micro_vm-update-seccomp-rules.patch

 ExclusiveArch:  x86_64 aarch64

@ -91,6 +92,9 @@ chmod 555 ${RPM_BUILD_ROOT}/usr/bin/stratovirt
 chmod 555 ${RPM_BUILD_ROOT}/usr/bin/ozone

 %changelog
+* Tue Nov 29 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-8
+- Add micro vm seccomp rules
+
 * Thu Nov 24 2022 yezengruan <yezengruan@huawei.com> - 2.1.0-7
 - Update stratovirt download url