[WIP] Enable landlock in cloud-hypervisor #6214

Draft
wants to merge 16 commits into
base: main

praveen-pk
Contributor

@praveen-pk praveen-pk commented Feb 20, 2024

I am sending this PR for some early feedback on my current approach for enabling Landlock in Cloud-Hypervisor.

Approach

I explicitly enable landlock in event-monitor, http-server, signal-handler as these threads are spawned before the vmm thread. By the time these 3 threads are spawned, all the necessary FDs these threads need have already been opened. So, I just create a Landlock object and invoke restrict_self to sandbox these threads.

In the vmm thread, I enable landlock in vm_create method. Doing this will allow us to support both the invocation modes:

  1. All the vm params are passed directly at cmdline
  2. guest is started with a socket interface and vm_create request is sent at a later time.

All the paths from VMConfig and LandlockConfig are appended to the ruleset before the vmm thread is sandboxed. The rest of the threads (serial-manager, vcpu*, _disk*, _net*, __rng) are all spawned by the vmm thread. So, they will automatically inherit the ruleset applied in the vmm thread.

Known TODOs:

Current Testing

Step1

./target/debug/cloud-hypervisor \
    --api-socket /tmp/ch-socket \
    --kernel ${FW_IMAGE} \
    --disk path=${DISK_IMAGE1}  path=${DISK_IMAGE2} \
    --cpus boot=2 \
    --memory size=1024M \
    --serial tty \
    --console off \
    --landlock true

To this VM if a new disk is hot-added with:

 curl --unix-socket  /tmp/ch-socket  -i \
     -X PUT 'http://localhost/api/v1/vm.add-disk'  \
     -H 'Accept: application/json'               \
     -H 'Content-Type: application/json'         \
     -d '{
         "path":"/tmp/test.img"
         }'
HTTP/1.1 500
Server: Cloud Hypervisor API
Connection: keep-alive
Content-Type: application/json
Content-Length: 102

Error from device manager: Disk(Os { code: 13, kind: PermissionDenied, message: "Permission denied" })

Step2

./target/debug/cloud-hypervisor \
    --api-socket /tmp/ch-socket \
    --kernel ${FW_IMAGE} \
    --disk path=${DISK_IMAGE1}  path=${DISK_IMAGE2} \
    --cpus boot=2 \
    --memory size=1024M \
    --serial tty \
    --console off \
    --landlock true \
    --landlock-rules path=/tmp/test.img,flags=rw

By passing the additional landlock-rules argument, hot-add request now passes:

$ curl --unix-socket /tmp/ch-socket -i \
     -X PUT 'http://localhost/api/v1/vm.add-disk' \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -d '{
         "path":"/tmp/test.img"
         }'
HTTP/1.1 200
Server: Cloud Hypervisor API
Connection: keep-alive
Content-Type: application/json
Content-Length: 36

{"id":"_disk2","bdf":"0000:00:04.0"}
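
The behaviour this description relies on (a ruleset applied in one thread is inherited by the threads it spawns, descriptors opened before restrict_self stay usable, and a path missing from the ruleset fails with PermissionDenied as in Step1), as an added example that is not part of this PR or of cloud-hypervisor's code. It calls the Landlock syscalls directly instead of using the landlock crate; the file names, function names and struct names are made up for the demo.

```rust
// Added example, not cloud-hypervisor code: raw Landlock syscalls, std only.
use std::fs::{self, File};
use std::io::{ErrorKind, Read};
use std::os::raw::{c_int, c_long, c_ulong};
use std::os::unix::io::AsRawFd;
use std::{env, mem, path::Path, process, thread};

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}

// Values from <linux/landlock.h> and <linux/prctl.h> (x86_64 and aarch64 syscall numbers).
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_ADD_RULE: c_long = 445;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;
const LANDLOCK_RULE_PATH_BENEATH: c_long = 1;
const ACCESS_FS_RW: u64 = (1 << 1) | (1 << 2); // WRITE_FILE | READ_FILE
const PR_SET_NO_NEW_PRIVS: c_int = 38;

#[repr(C)] struct RulesetAttr { handled_access_fs: u64 }
#[repr(C, packed)] struct PathBeneathAttr { allowed_access: u64, parent_fd: i32 }

/// Sandbox the calling thread: opening files for read or write is denied
/// except for `allowed`. Returns false if the kernel rejects any step.
fn restrict_self_to(allowed: &File) -> bool {
    let attr = RulesetAttr { handled_access_fs: ACCESS_FS_RW };
    let rule = PathBeneathAttr { allowed_access: ACCESS_FS_RW, parent_fd: allowed.as_raw_fd() };
    unsafe {
        let fd = syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const RulesetAttr,
                         mem::size_of::<RulesetAttr>(), 0 as c_long);
        if fd < 0 { return false; }
        let ok = syscall(SYS_LANDLOCK_ADD_RULE, fd, LANDLOCK_RULE_PATH_BENEATH,
                         &rule as *const PathBeneathAttr, 0 as c_long) == 0
            && prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) == 0
            && syscall(SYS_LANDLOCK_RESTRICT_SELF, fd, 0 as c_long) == 0;
        close(fd as c_int);
        ok
    }
}

fn open_denied(path: &Path) -> bool {
    matches!(File::open(path), Err(e) if e.kind() == ErrorKind::PermissionDenied)
}

/// [listed opens, unlisted denied, early fd reads, child denied, main unaffected]; None = no Landlock.
fn landlock_thread_demo() -> Option<[bool; 5]> {
    let listed = env::temp_dir().join(format!("ll-listed-{}.img", process::id()));
    let unlisted = env::temp_dir().join(format!("ll-unlisted-{}.img", process::id()));
    fs::write(&listed, "boot disk").unwrap(); // constructed sample files
    fs::write(&unlisted, "hot-add disk").unwrap();
    let (l, u) = (listed.clone(), unlisted.clone());
    let sandboxed = thread::spawn(move || {
        let rule_fd = File::open(&l).unwrap();
        let mut early = File::open(&u).unwrap(); // opened before restrict_self
        if !restrict_self_to(&rule_fd) { return None; }
        let mut buf = String::new();
        let early_ok = early.read_to_string(&mut buf).is_ok() && buf == "hot-add disk";
        let u2 = u.clone();
        let child_denied = thread::spawn(move || open_denied(&u2)).join().unwrap();
        Some([File::open(&l).is_ok(), open_denied(&u), early_ok, child_denied])
    }).join().unwrap();
    let main_ok = File::open(&unlisted).is_ok(); // this thread was never restricted
    let _ = (fs::remove_file(&listed), fs::remove_file(&unlisted));
    sandboxed.map(|r| [r[0], r[1], r[2], r[3], main_ok])
}

fn main() { println!("{:?}", landlock_thread_demo()); }
```

On a kernel with Landlock enabled every element is true; the last one shows that a thread which never called restrict_self, like the main thread here, is not covered by a ruleset applied elsewhere in the process.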

@praveen-pk praveen-pk requested a review from a team as a code owner February 20, 2024 18:08
@praveen-pk praveen-pk marked this pull request as draft February 20, 2024 18:09
@liuw liuw changed the title Enable landlock in cloud-hypervisor [WIP] Enable landlock in cloud-hypervisor Feb 20, 2024
@liuw
Member

liuw commented Feb 20, 2024

Changing this to WIP so CI runs are skipped.

vmm/src/lib.rs Outdated
let _ = Landlock::new().unwrap().restrict_self().map_err(Error::ApplyLandlock).map_err(|e| {
error!("Error applying landlock to signal handler thread: {:?}", e);
exit_evt.write(1).ok();
return;
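
Review bot: the `return;` inside the `map_err` closure only leaves the closure, and the result is discarded with `let _ =`, so as far as these lines show a `restrict_self()` failure does not stop the signal handler thread at this point; it carries on without the Landlock restriction while `exit_evt` is written. Return from the thread body itself on failure, for example by matching on the result outside the closure. `Landlock::new().unwrap()` also bypasses this error path entirely and panics before anything is logged or `exit_evt` is signalled; route it through the same handling.
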
Member

Is the logic correct here? The error from this closure is ignored, but you also write 1 to exit_evt which causes the thread to exit?

Contributor Author

I followed the same logic as the seccomp filter failure above. I will double check this.

@@ -547,6 +547,12 @@ pub struct TpmConfig {
pub socket: PathBuf,
}

#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
pub struct LandlockConfig {
Member

This also needs to be exposed via the http endpoint so that Kata and other orchestration layer can use it.

Contributor Author

Agreed. I have to figure out how I can order this correctly. Meaning, I need to accept LandlockConfigs sent before vm_create and ignore configs sent after vm_create.

Contributor Author

On second thought, I don't see a lot of value in exposing this via http endpoint. Almost all the config specific rules are self-generated and handled. The only additional rules users have to pass are those for hot-adds.

The Orchestration layer can only pass landlock-rules before vm_create. It seems fair to let users start cloud-hypervisor with proper --landlock-rules and not worry about receiving additional rules via http endpoint.

Thoughts?

@russell-islam
Contributor

@praveen-pk Any plan to write documentation for this feature?

@l0kod

l0kod commented Feb 23, 2024

Instead of the landlock-rules argument which is orthogonal to CH's configuration, would it be possible to have a name dedicated to a directory of dynamic disk images instead? Using a Landlock-specific option could surprise and maybe make users reluctant to use it because they don't know the goal of this option (e.g. "Should I make it rwx or just rw?"), whereas they would know the meaning of an image-directory or hotplug-directory argument for instance. Such a clear semantic could also help for the documentation. Another advantage would be to not have a sub-argument/parsing dedicated to access rights (that will grow over time), which would also simplify the code. Because the semantic would be clear (i.e. read and write a disk image), we could also take advantage of future Landlock access rights in a best-effort way to protect users as much as possible (e.g. if the running kernel supports it, restrict truncate, ioctl...).

@praveen-pk
Contributor Author

advantage of future Landlock access

disk-images is just one of the arguments that takes file paths. There are 13 other arguments that take file paths. So, I kept this argument generic to allow users passing a dir/file path that will be used in any of the other arguments.

@praveen-pk
Contributor Author

@praveen-pk Any plan to write documentation for this feature?

Yes. Once the implementation is complete.

@praveen-pk
Contributor Author

With the latest version:

@praveen-pk praveen-pk force-pushed the landlock_draft branch 2 times, most recently from fe67cc1 to 5bcbabb Compare March 8, 2024 23:59
@praveen-pk
Contributor Author

With today's push:

@liuw
Member

liuw commented Mar 11, 2024

With today's push:

ARM64 tests are failing.

@praveen-pk
Contributor Author

Can someone help re-trigger the failing ARM tests? On my local Raspberry Pi 4, I see

$ scripts/dev_cli.sh tests --unit --libc musl
20240229-0: Pulling from cloud-hypervisor/cloud-hypervisor
Digest: sha256:a459b28e7129e8c55113183b7f7ae8a075e6143df0e97165953b7267113e5c06
Status: Image is up to date for ghcr.io/cloud-hypervisor/cloud-hypervisor:20240229-0
ghcr.io/cloud-hypervisor/cloud-hypervisor:20240229-0
[Cloud Hypervisor] Running unit tests for aarch64-unknown-linux-musl...
    Finished test [unoptimized + debuginfo] target(s) in 11m 10s
     Running unittests src/lib.rs (target/aarch64-unknown-linux-musl/debug/deps/api_client-0cb4984772b73665)

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

     Running unittests src/lib.rs (target/aarch64-unknown-linux-musl/debug/deps/arch-7181766c950348f5)

running 1 test
test aarch64::tests::test_arch_memory_regions_dram ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

     Running unittests src/lib.rs (target/aarch64-unknown-linux-musl/debug/deps/block-23edb28dd45c3200)

running 36 tests
test qcow::tests::default_header_v3 ... ok
test qcow::tests::header_read ... ok
test qcow::tests::header_v2_with_backing ... ok
test qcow::tests::header_v3_with_backing ... ok
test qcow::tests::invalid_cluster_bits ... ok
test qcow::tests::invalid_magic ... ok
test qcow::tests::invalid_refcount_order ... ok
test qcow::tests::default_header_v2 ... ok
test qcow::tests::read_small_buffer ... ok
test qcow::tests::offset_write_read ... ok
test qcow::tests::rebuild_refcounts ... ok
test qcow::tests::seek_data ... ok
test qcow::tests::seek_data_direct ... ok
test qcow::tests::seek_hole ... ok
test qcow::tests::replay_ext4 ... ok
test qcow::tests::seek_hole_direct ... ok
test qcow::tests::test_header ... ok
test qcow::tests::test_header_1_tb_file_min_cluster ... ok
test qcow::tests::test_header_crazy_file_size_rejected ... ok
test qcow::tests::test_header_huge_file ... ok
test qcow::tests::test_header_huge_num_refcounts ... ok
test qcow::tests::test_header_huge_refcount_offset ... ok
test qcow::tests::test_huge_l1_table ... ok
test qcow::tests::write_read_start ... ok
test qcow::tests::test_header_1_tb_file ... ok
test qcow::tests::write_read_start_backing_overlap ... ok
test qcow::tests::combo_write_read ... ok
test qcow::tests::combo_write_read_direct ... ok
test qcow::tests::write_read_start_backing_v3 ... ok
test qcow::vec_cache::tests::evicts_when_full ... ok
test vhd::tests::test_check_vhd_footer ... ok
test vhd::tests::test_is_fixed_vhd ... ok
test vhd::tests::test_is_not_fixed_vhd ... ok
test qcow::tests::write_read_start_backing_v2 ... ok
test qcow::tests::write_zeroes_full_cluster ... ok
test qcow::tests::write_zeroes_read ... ok

gets past build and gets to running unit tests. Also the failure reported doesn't seem to be related to the PR.

@l0kod l0kod left a comment

I really like the way Landlock is applied with all the *Config::landlock_apply()

pub const EXECUTE: u8 = 1 << 2;

#[derive(Debug, Error)]
pub enum LandlockError {

Do we really need this new error type? RulesetError should already contain the required information/types.

Contributor Author

For the most part, the errors here map to ones in RulesetError. The only case that doesn't have an error in RulesetError is when the ruleset is empty. Such a case doesn't map to a proper error in RulesetError.

If you can add such an error case, I will drop LandlockError here.


The only case that doesn't have an error in RulesetError is when the ruleset is empty. Such a case doesn't map to a proper error in RulesetError.

If you can add such an error case, I will drop LandlockError here.

An empty ruleset is not an error because it can be used to just drop a set of access rights (without exception), for instance when only using inherited file descriptors.

@praveen-pk praveen-pk force-pushed the landlock_draft branch 2 times, most recently from ce09f1c to 1eac396 Compare March 20, 2024 22:18
@praveen-pk praveen-pk force-pushed the landlock_draft branch 4 times, most recently from 429ff3c to 7c4b483 Compare March 27, 2024 21:05
landlock syscalls are required by event_monitor, signal_handler,
http-server and vmm threads. Rest of the threads are spawned by the vmm
thread and they automatically inherit the ruleset from the vmm thread.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Users can use this cmdline option to enable/disable Landlock LSM while
starting cloud-hypervisor.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Users can use this parameter to pass extra paths that 'vmm' and its
child threads can use at runtime.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

This module introduces methods to apply Landlock LSM to cloud-hypervisor
threads.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

vm_config structs with PathBuf elements now have apply_landlock method.
These methods will be used to add config specific rules to landlock
ruleset.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Add file/dir paths from landlock-rules arguments to ruleset. Invoke
apply_landlock on VmConfig to apply config specific rules to ruleset.

Once done, any threads spawned by vmm thread will be automatically
sandboxed with the ruleset in vmm thread.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

Pty devices are created during vm_boot. To enable Landlock in VMs with
pty devices, the devices have to be created during vm_create itself.
This commit moves creation of pty devices to vm_create and saves the
device info in relevant Configs.

During vm_boot, device_manager retrieves the saved device info and
uses them as required. With this change Landlock works in VMs with pty
devices enabled.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>

@praveen-pk
Contributor Author

With the latest version:

  • Addressed all the pending comments
  • Introduced a fix to support Landlock while using pty devices
  • Fixed a couple of integration tests to run with landlock enabled

Next:

  • I still have a few integration tests failing with Landlock enabled. I will fix the rest in my next update.

@@ -1202,12 +1243,58 @@ impl Vmm {
}
}

/* Create ptys here and add the slave paths to Serial, Console and DebugConsole
configs. This allows apply_landlok to add the slave paths to landlock rules
Member

Wrong comment style.

later.
*/
fn create_ptys(config: Arc<Mutex<VmConfig>>) -> result::Result<(), LandlockError> {
if config.lock().unwrap().console.mode == ConsoleOutputMode::Pty {
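
Review bot: `create_ptys` is declared to return `LandlockError`, although the comment above it says the function creates ptys and records their paths in the Serial, Console and DebugConsole configs, so a pty-creation failure would reach the caller labelled as a Landlock failure. Consider a pty-specific error (or an existing VM error variant) here and keep `LandlockError` for ruleset handling. The comment also misspells the method as `apply_landlok`.
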
Member

You can do let config = config.lock().unwrap() once at the start of the function.

@@ -115,7 +121,15 @@ pub struct MemoryZoneConfig {
#[serde(default)]
pub prefault: bool,
}

impl MemoryZoneConfig {
pub fn apply_landlock(self, landlock: &mut Landlock) -> LandlockResult<()> {
Member

The first parameter should be &self. There is no need to consume the structure.


if let Some(mem_zones) = self.memory.zones.as_ref() {
for zone in mem_zones.iter() {
zone.clone().apply_landlock(&mut landlock)?;
Member

Please drop all the clones. See my other comment about &self.

@praveen-pk
Contributor Author

#6403 is required to pre-create console devices before vm_create. This is required to enable Landlock while using console devices.
