`bzImage` is the path to linux kernel bzImage. The bzImage file is in a specific format,
50
50
containing concatenated `bootsect.o + setup.o + misc.o + piggy.o`. `initrd` is the path to
51
51
initial RAM disk image, which is an optional argument.
52
52
`disk-image` is the path to disk image which can be mounted as a block device via virtio. For the reference Linux guest, ext4 filesystem is used for disk image.
53
53
54
+
`--seccomp` is an opt-in defense-in-depth flag that installs a seccomp BPF
55
+
allowlist over the steady-state KVM_RUN loop. Once active, only the
56
+
syscalls that the vcpu, virtio-blk, virtio-net, and serial workers need
57
+
are permitted; anything else (including a memory-corruption RCE in
58
+
device emulation pivoting to `execve`, `open`, or `socket`) terminates
59
+
the process with `SIGSYS`. The filter is applied via `seccomp(2)` with
60
+
`SECCOMP_FILTER_FLAG_TSYNC` so already-running worker threads inherit
61
+
it. The flag is off by default so existing test and development
62
+
workflows are unaffected. CI exercises both paths
63
+
(`.github/workflows/main.yml`).
64
+
65
+
To run `make check` with the filter enabled:
66
+
67
+
```shell
68
+
$ make KVM_HOST_FLAGS=--seccomp check
69
+
```
70
+
54
71
### Exit Emulator
55
72
56
73
To exit kvm-host, press "Ctrl-A", release both keys, and then press "x".
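
Review bot: The new `--seccomp` paragraph says the filter is applied via `seccomp(2)` with `SECCOMP_FILTER_FLAG_TSYNC`, but it does not say what kvm-host does when that call fails, for example on a kernel without TSYNC support or when thread synchronization is rejected. For a flag described as defense-in-depth, the README should state whether `--seccomp` aborts startup or continues unfiltered in that case. The phrase "steady-state KVM_RUN loop" also implies the filter is installed only after the bzImage, initrd, disk image and network backend have been opened; please say explicitly at which point it is installed, so readers know which setup-time syscalls are outside the allowlist. Finally, "only the syscalls that the vcpu, virtio-blk, virtio-net, and serial workers need" is not auditable from the README alone; add a pointer to the source file that defines the allowlist.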