diff --git a/0025-micro_vm-update-seccomp-rules.patch b/0025-micro_vm-update-seccomp-rules.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8ab3bf19a52f18a508c51f6b29314d6e278cf0a
--- /dev/null
+++ b/0025-micro_vm-update-seccomp-rules.patch
@@ -0,0 +1,67 @@
+From 024d5c4070df66913e1bf12e5f21eaa090ea2f68 Mon Sep 17 00:00:00 2001
+From: zhouli57
+Date: Tue, 12 Jul 2022 20:53:15 +0800
+Subject: [PATCH] micro_vm: update seccomp rules
+
+When you run the query-cpus QMP command in the ARM of the micro vm, a bad
+system call is displayed.
+
+Signed-off-by: zhouli57
+---
+ docs/config_guidebook.md | 2 +-
+ machine/src/micro_vm/syscall.rs | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/docs/config_guidebook.md b/docs/config_guidebook.md
+index a8e010a..2146f49 100644
+--- a/docs/config_guidebook.md
++++ b/docs/config_guidebook.md
+@@ -557,7 +557,7 @@ in StratoVirt process by default. It will make a slight influence on performance
+
+ | Number of Syscalls | GNU Toolchain | MUSL Toolchain |
+ | :----------------: | :-----------: | :------------: |
+-| microvm | 44 | 45 |
++| microvm | 45 | 45 |
+ | virt | 48 | 47 |
+
+ If you want to disable seccomp, you can run StratoVirt with `-disable-seccomp`.
+diff --git a/machine/src/micro_vm/syscall.rs b/machine/src/micro_vm/syscall.rs
+index 81637a3..bdd232d 100644
+--- a/machine/src/micro_vm/syscall.rs
++++ b/machine/src/micro_vm/syscall.rs
+@@ -50,7 +50,7 @@ const KVM_RUN: u32 = 0xae80;
+ /// This allowlist limit syscall with:
+ /// * x86_64-unknown-gnu: 43 syscalls
+ /// * x86_64-unknown-musl: 43 syscalls
+-/// * aarch64-unknown-gnu: 41 syscalls
++/// * aarch64-unknown-gnu: 42 syscalls
+ /// * aarch64-unknown-musl: 42 syscalls
+ /// To reduce performance losses, the syscall rules is ordered by frequency.
+ pub fn syscall_whitelist() -> Vec {
+@@ -108,7 +108,7 @@ pub fn syscall_whitelist() -> Vec {
+ BpfRule::new(libc::SYS_stat),
+ #[cfg(all(target_env = "gnu", target_arch = "x86_64"))]
+ BpfRule::new(libc::SYS_newfstatat),
+- #[cfg(all(target_env = "musl", target_arch = "aarch64"))]
++ #[cfg(target_arch = "aarch64")]
+ BpfRule::new(libc::SYS_newfstatat),
+ #[cfg(target_arch = "x86_64")]
+ BpfRule::new(libc::SYS_unlink),
+@@ -178,12 +178,12 @@ fn ioctl_arch_allow_list(bpf_rule: BpfRule) -> BpfRule {
+ }
+
+ fn madvise_rule() -> BpfRule {
+- #[cfg(all(target_env = "musl", target_arch = "x86_64"))]
++ #[cfg(target_env = "musl")]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_FREE as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+- #[cfg(not(all(target_env = "musl", target_arch = "x86_64")))]
++ #[cfg(not(target_env = "musl"))]
+ return BpfRule::new(libc::SYS_madvise)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_DONTNEED as u32)
+ .add_constraint(SeccompCmpOpt::Eq, 2, libc::MADV_WILLNEED as u32);
+--
+2.27.0
+
diff --git a/stratovirt.spec b/stratovirt.spec
index 8922d81faee5669332f229c922741a3eca151e77..a46063dfe361cf147fb1b8468564f5bf48f0db42 100644
--- a/stratovirt.spec
+++ b/stratovirt.spec
@@ -6,7 +6,7 @@ Name: stratovirt
 Version: 2.1.0
-Release: 7
+Release: 8
 Summary: StratoVirt is an opensource VMM(Virtual Machine Manager) which aims to perform next generation virtualization.
 License: MulanPSL-2.0
@@ -37,6 +37,7 @@ Patch021: 0021-console-fix-the-bug-of-delete-park-fd.patch
 Patch022: 0022-docs-add-the-description-of-hot-plug-of-PCI-devices.patch
 Patch023: 0023-Modify-cargo-cllippy-warning-when-compiling-cargo-cl.patch
 Patch024: 0024-machine-clear-some-warnings.patch
+Patch025: 0025-micro_vm-update-seccomp-rules.patch
 ExclusiveArch: x86_64 aarch64
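Review bot: The madvise_rule change in the second syscall.rs hunk widens the MADV_FREE allowance from x86_64-musl to every musl target, including aarch64-musl, but neither the commit message nor a comment says why. The message only reports the query-cpus bad-system-call on ARM, which the newfstatat allowlisting in the first syscall.rs hunk plausibly fixes on its own, so the madvise loosening silently enlarges the seccomp allowlist on a target the message never mentions. If aarch64-musl needs MADV_FREE because musl's allocator issues it (plausible, but not shown here), state that in the commit message and at the rule, e.g. `// musl's allocator releases pages with MADV_FREE; glibc does not, so MADV_FREE stays denied on gnu targets.`; otherwise keep the old `all(target_env = "musl", target_arch = "x86_64")` gate so the widening is not bundled into an unrelated fix. The bodies of syscall_whitelist and madvise_rule are only partially visible in these hunks.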
@@ -91,6 +92,9 @@ chmod 555 ${RPM_BUILD_ROOT}/usr/bin/stratovirt
 chmod 555 ${RPM_BUILD_ROOT}/usr/bin/ozone
 %changelog
+* Tue Nov 29 2022 Xinle.Guo - 2.1.0-8
+- Add micro vm seccomp rules
+
 * Thu Nov 24 2022 yezengruan - 2.1.0-7
 - Update stratovirt download url