diff --git a/0001-Micro-fix-the-ioctl-allow-for-aarch64.patch b/0001-Micro-fix-the-ioctl-allow-for-aarch64.patch index 072cf2075f2316fc06dfced8a86e40123ff08552..a863589c01d2b4af9cccea2b332bae6337468234 100644 --- a/0001-Micro-fix-the-ioctl-allow-for-aarch64.patch +++ b/0001-Micro-fix-the-ioctl-allow-for-aarch64.patch @@ -1,23 +1,8 @@ -From 090add698de7e3f2a23ad4f26a41628553d3c1ae Mon Sep 17 00:00:00 2001 -From: Jinyu Tang -Date: Mon, 5 Aug 2024 15:37:57 +0800 -Subject: [PATCH] Micro: fix the ioctl allow for aarch64 - -In micro mode, KVM_SET_VCPU_EVENTS and KVM_SET_ONE_REG are not -allowed by seccomp, but they are essential for vcpu init. The -guest can not run when use micro mode in aarch64 for this reason. -So fix it. ---- - machine/src/aarch64/micro.rs | 1 + - machine/src/micro_common/syscall.rs | 1 + - machine/src/x86_64/micro.rs | 1 - - 3 files changed, 2 insertions(+), 1 deletion(-) - diff --git a/machine/src/aarch64/micro.rs b/machine/src/aarch64/micro.rs -index e528da66..6afc15e2 100644 +index d7e1b1d..42e9171 100644 --- a/machine/src/aarch64/micro.rs +++ b/machine/src/aarch64/micro.rs -@@ -231,6 +231,7 @@ pub(crate) fn arch_ioctl_allow_list(bpf_rule: BpfRule) -> BpfRule { +@@ -235,6 +235,7 @@ pub(crate) fn arch_ioctl_allow_list(bpf_rule: BpfRule) -> BpfRule { .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_ONE_REG() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DEVICE_ATTR() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_REG_LIST() as u32) @@ -26,10 +11,18 @@ index e528da66..6afc15e2 100644 pub(crate) fn arch_syscall_whitelist() -> Vec { diff --git a/machine/src/micro_common/syscall.rs b/machine/src/micro_common/syscall.rs -index f3acec19..6ae9a56a 100644 +index fe03164..6ae9a56 100644 --- a/machine/src/micro_common/syscall.rs 
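Review bot: Dropping the `From 090add698de7e3f2a23ad4f26a41628553d3c1ae`, `Subject:` and message-body lines leaves the patch with no record of which upstream commit it backports or why KVM_SET_VCPU_EVENTS and KVM_SET_ONE_REG have to be allowed, and the replacement `index d7e1b1d..42e9171` blobs no longer match the original `index e528da66..6afc15e2`, which suggests the patch was regenerated against a different tree rather than re-exported from upstream. The spec still applies this file as Patch001, so the packaged source is where the next maintainer will look for the rationale. I would keep a short header at the top of the patch, e.g. `Backport of upstream 090add698de7e3f2a23ad4f26a41628553d3c1ae (Micro: fix the ioctl allow for aarch64), plus SYS_clone added to the micro-mode seccomp whitelist`, so provenance and intent survive without the git-format-patch preamble.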
+++ b/machine/src/micro_common/syscall.rs -@@ -159,6 +159,7 @@ fn ioctl_allow_list() -> BpfRule { +@@ -86,6 +86,7 @@ pub fn syscall_whitelist() -> Vec { + BpfRule::new(libc::SYS_accept4), + BpfRule::new(libc::SYS_lseek), + futex_rule(), ++ BpfRule::new(libc::SYS_clone), + BpfRule::new(libc::SYS_exit), + BpfRule::new(libc::SYS_exit_group), + BpfRule::new(libc::SYS_rt_sigreturn), +@@ -158,6 +159,7 @@ fn ioctl_allow_list() -> BpfRule { .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_API_VERSION() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_MP_STATE() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MP_STATE() as u32) @@ -38,10 +31,10 @@ index f3acec19..6ae9a56a 100644 arch_ioctl_allow_list(bpf_rule) } diff --git a/machine/src/x86_64/micro.rs b/machine/src/x86_64/micro.rs -index c530633f..5747076a 100644 +index d8fb92e..7b4e08e 100644 --- a/machine/src/x86_64/micro.rs +++ b/machine/src/x86_64/micro.rs -@@ -235,7 +235,6 @@ pub(crate) fn arch_ioctl_allow_list(bpf_rule: BpfRule) -> BpfRule { +@@ -238,7 +238,6 @@ pub(crate) fn arch_ioctl_allow_list(bpf_rule: BpfRule) -> BpfRule { .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_LAPIC() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_MSRS() as u32) .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MSRS() as u32) @@ -49,6 +42,3 @@ index c530633f..5747076a 100644 .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_CPUID2() as u32) } --- -2.41.0 - diff --git a/stratovirt.spec b/stratovirt.spec index da181238aeb579a91d55dc4710f34b881735053f..b5b480e48b9e268127bae7cbcc86135c259bc4e0 100644 --- a/stratovirt.spec +++ b/stratovirt.spec 
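Review bot: The added `BpfRule::new(libc::SYS_clone)` admits clone(2) with any flags, which is wider than the rest of this whitelist — the neighbouring `futex_rule()` and the ioctl rules in the same file constrain their arguments — and an unconstrained clone lets a compromised VMM process fork a full child or request new namespaces (`CLONE_NEWUSER` and friends), which a seccomp sandbox is normally meant to forbid. The spec builds against `%{rust_musl_target}`, where std thread spawn goes through musl's pthread_create and hence SYS_clone, so the need is plausible, but the changelog only says "Add the left missing whitelist" and nothing records which thread-creating path tripped the filter. I would pin arg 0 to the exact thread-creation flag value the build's libc passes (confirmed with strace, since musl and glibc differ, e.g. in whether `CLONE_DETACHED` is set), following the pattern the ioctl rules already use: `BpfRule::new(libc::SYS_clone).add_constraint(SeccompCmpOpt::Eq, 0, THREAD_CLONE_FLAGS as u32)` with `THREAD_CLONE_FLAGS` built from `libc::CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID` (plus whatever strace shows), and a one-line comment above the rule naming the caller that needs it. If a glibc build is ever supported, note that glibc ≥ 2.34 tries clone3 first and only falls back to clone on ENOSYS, so a kill-on-mismatch filter would need clone3 handled as well. syscall_whitelist's body starts and ends outside the hunk.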
@@ -6,14 +6,14 @@ Name: stratovirt Version: 2.4.0 -Release: 3 +Release: 4 Summary: StratoVirt is an opensource VMM(Virtual Machine Manager) which aims to perform next generation virtualization. License: MulanPSL-2.0 URL: https://gitee.com/openeuler/stratovirt Source0: https://gitee.com/openeuler/stratovirt/releases/download/v%{version}/%{name}-%{version}.tar.gz -Patch001: 0001-Micro-fix-the-ioctl-allow-for-aarch64.patch +Patch001:0001-Micro-fix-the-ioctl-allow-for-aarch64.patch ExclusiveArch: x86_64 aarch64 @@ -104,6 +104,10 @@ install -d %{buildroot}%{_libdir}/stratovirt/static install -D -m555 ./target/%{rust_musl_target}/release/stratovirt %{buildroot}%{_libdir}/stratovirt/static %changelog +* Thu Nov 21 2024 jinyihua - 2.4.0-4 +- Micro fix the ioctl allow for aarch64 +- Add the left missing whitelist + * Sat Sep 14 2024 Mingwang Li - 2.4.0-3 - Micro fix the ioctl allow for aarch64
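Review bot: `Patch001:0001-Micro-fix-the-ioctl-allow-for-aarch64.patch` drops the space after the tag colon while every other tag in the hunk (`Name: `, `Version: `, `Source0: `) keeps it; rpmbuild accepts both forms, but the inconsistency reads as an accidental edit rather than an intended change. Restore `Patch001: 0001-Micro-fix-the-ioctl-allow-for-aarch64.patch` so the preamble stays uniform.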