dsg/cloud-hypervisor
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vmm: fix vsock with landlock

Browse source 
Without write access to the directory the socket will go in, it's not
possible to create the socket.

I've tested outgoing connections from the VM, and they don't seem to
need read permissions on that directory to connect to a socket on the
host.

Fixes: b3e5738b4 ("vmm: Introduce ApplyLandlock trait")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
This commit is contained in:
Alyssa Ross 2025-09-09 10:21:38 +02:00 committed by Rob Bradford
parent 3259234e58
commit 08b197bbc1
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
vmm/src/vm_config.rs
View file

@ -647,7 +647,12 @@ pub struct VsockConfig {
impl ApplyLandlock for VsockConfig {
fn apply_landlock(&self, landlock: &mut Landlock) -> LandlockResult<()> {
if let Some(parent) = self.socket.parent() {
landlock.add_rule_with_access(parent, "w")?;
}
landlock.add_rule_with_access(&self.socket, "rw")?;
Ok(())
}
}