author | Matt Delco <delco@chromium.org> | 2019-11-13 08:11:09 -0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-01-22 17:36:35 +0000 |
commit | 45caf91aaa80d2d37a63ed2bf99da69b4da0aafa (patch) | |
tree | 5c9648f6a34c359ff496bcb61d8f33951e4c5082 /src/plugin | |
parent | 425aaacad18166faf42075b0e49db6aa554d32ae (diff) | |
crosvm: add support for bpf policy files
This change adds support for providing pre-compiled bpf files as the policy file for jailing. In short, it's more efficient to compile once on the build machine than each time at runtime. Additionally, libminijail's support for more efficient bpfs (which use a binary tree instead of a linear search) is currently only available via tools that are based around pre-compiled use. BUG=None TEST=Ran build_test and verified that tests can pass with both bpf and policy files (though the tests might only exercise the jail for the plugin). Change-Id: Idd93e3c802fc79da93850d6bad1db660576bc9ba Signed-off-by: Matt Delco <delco@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1914416 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'src/plugin')
-rw-r--r-- | src/plugin/mod.rs | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index 3f6d704..adda9a3 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -287,14 +287,28 @@ fn create_plugin_jail(root: &Path, log_failures: bool, seccomp_policy: &Path) ->
 // Run in an empty network namespace.
 j.namespace_net();
 j.no_new_privs();
- // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
- // the entire plugin process if a worker thread commits a seccomp violation.
- j.set_seccomp_filter_tsync();
- if log_failures {
- j.log_seccomp_filter_failures();
+ // By default we'll prioritize using the pre-compiled .bpf over the .policy
+ // file (the .bpf is expected to be compiled using "trap" as the failure
+ // behavior instead of the default "kill" behavior).
+ // Refer to the code comment for the "seccomp-log-failures"
+ // command-line parameter for an explanation about why the |log_failures|
+ // flag forces the use of .policy files (and the build-time alternative to
+ // this run-time flag).
+ let bpf_policy_file = seccomp_policy.with_extension("bpf");
+ if bpf_policy_file.exists() && !log_failures {
+ j.parse_seccomp_program(&bpf_policy_file)
+ .map_err(Error::ParseSeccomp)?;
+ } else {
+ // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP,
+ // which will correctly kill the entire device process if a worker
+ // thread commits a seccomp violation.
+ j.set_seccomp_filter_tsync();
+ if log_failures {
+ j.log_seccomp_filter_failures();
+ }
+ j.parse_seccomp_filters(&seccomp_policy.with_extension("policy"))
+ .map_err(Error::ParseSeccomp)?;
 }
- j.parse_seccomp_filters(seccomp_policy)
- .map_err(Error::ParseSeccomp)?;
 j.use_seccomp_filter();
 // Don't do init setup.
 j.run_as_init();
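Review bot: The comment inside the new else branch says the filter will kill "the entire device process", but this is create_plugin_jail and the comment it replaces said "the entire plugin process"; change the middle line to `// which will correctly kill the entire plugin process if a worker`. Also, the choice between the pre-compiled filter and the text policy is made by `bpf_policy_file.exists()` with a silent fallback, and nothing checks that the .bpf was actually built with "trap" as its failure action as the comment expects, so a missing or mis-built .bpf changes how a seccomp violation in the plugin is handled without any indication; logging which file was loaded (a `warn!` on the fallback, if the log macros are in scope in this module) would make that visible in the crosvm log. create_plugin_jail's signature and the rest of its body are outside the hunk.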
@@ -596,7 +610,7 @@ pub fn run_config(cfg: Config) -> Result<()> { return Err(Error::RootNotDir); } - let policy_path = cfg.seccomp_policy_dir.join("plugin.policy"); + let policy_path = cfg.seccomp_policy_dir.join("plugin"); let mut jail = create_plugin_jail(root_path, cfg.seccomp_log_failures, &policy_path)?; // Update gid map of the jail if caller provided supplemental groups. |