Yuan Yao 54e5b6b204 device: vhost_user: Enable seccomp filter vhost-user-fs
Vhost-user-fs currently lacks seccomp filter support, which causes
security concerns when putting it into real usage. This change introduces
the virtio-fs device's seccomp policy filter to vhost-user-fs when the sandbox
is enabled.

When the specified socket path does not exist for a vhost-user device, the
vhost-user device will call socketpair to create a socket. To support
this syscall, a rule allowing socketpair is added to vhost_user.policy.

Also, this CL adds a disable-sandbox option for vhost-user-fs-device. The option
is set to false by default, in which case vhost-user-fs enters new
mnt/user/pid/net namespaces. If this option is true, the
vhost-user-fs device only creates a new mount namespace.

BUG=b:355159487
TEST=run manual tests
TEST=run e2e test in chromium:5746575

Change-Id: I6c18386f690af7b0d2e1550c0b3881d444280a8b
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/5741356
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Commit-Queue: Yuan Yao <yuanyaogoog@chromium.org>
2024-08-05 10:22:57 +00:00
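The commit message's point about socketpair is the usual seccomp allowlist failure mode: a syscall the device legitimately needs is absent from the policy, so the device works unsandboxed and breaks (or is killed) once the filter is on. The example below is added here to illustrate that mechanism and is not code from crosvm, from the jail crate or from this change. crosvm's .policy files use minijail's policy syntax (an allow rule is a line such as `socketpair: 1`), whereas this example hand-builds an equivalent allowlist as raw seccomp-BPF in a forked child, so the effect of including or omitting the socketpair rule can be observed directly. The function name socketpair_under_policy and the verdict codes are this example's own choices, and the filter only permits exit_group and (optionally) socketpair, returning EPERM for everything else.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Any real policy must pin the syscall ABI before comparing syscall numbers,
 * otherwise a foreign-ABI call with a colliding number slips past the filter. */
#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Deny by failing the call with EPERM rather than killing, so the child can
 * still report what happened; crosvm's real policies are free to be stricter. */
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Fork a child, install a tiny allowlist filter in it, and try socketpair().
 * Returns the child's verdict (names are this example's own):
 *   0 = socketpair succeeded
 *   1 = socketpair was denied with EPERM by the filter
 *   2 = the filter could not be installed (seccomp unavailable here)
 *   3 = socketpair failed with some other errno
 *  -1 = fork/waitpid failed in the parent */
int socketpair_under_policy(int allow_socketpair)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        __u32 socketpair_verdict = allow_socketpair ? SECCOMP_RET_ALLOW : DENY_EPERM;
        struct sock_filter filter[] = {
            /* 0-2: kill outright if the syscall ABI is not the one we expect */
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
            /* 3: load the syscall number */
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            /* 4-5: exit_group is always allowed so the child can report back */
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
            /* 6-7: the "socketpair: 1" rule, present or absent per the argument */
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socketpair, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, socketpair_verdict),
            /* 8: default verdict for every other syscall */
            BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        };
        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };

        /* NO_NEW_PRIVS is required to install a filter without CAP_SYS_ADMIN. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(2);

        /* This is the call a vhost-user device makes when the socket path
         * does not exist; from here on only exit_group and socketpair may run. */
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0)
            _exit(0);
        _exit(errno == EPERM ? 1 : 3);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("with socketpair rule:    verdict %d\n", socketpair_under_policy(1));
    printf("without socketpair rule: verdict %d\n", socketpair_under_policy(0));
    return 0;
}
```

Run as a normal user on Linux; with the rule present the verdict is 0, without it the call fails with EPERM (verdict 1). The same omission under a policy whose default action is kill, as sandboxed crosvm devices typically use, would terminate the device process instead, which is why a missing rule surfaces only once the sandbox is enabled.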