diff --git a/src/firecracker/examples/uffd/uffd_utils.rs b/src/firecracker/examples/uffd/uffd_utils.rs
index fc46adfefd5..b5f626bf403 100644
--- a/src/firecracker/examples/uffd/uffd_utils.rs
+++ b/src/firecracker/examples/uffd/uffd_utils.rs
@@ -334,7 +334,7 @@ impl UffdHandler {
 };
 let bytes_written = match bytes_written {
- -1 if vmm_sys_util::errno::Error::last().errno() == libc::ENOSPC => 0,
+ -1 if vmm_sys_util::errno::Error::last().errno() == libc::EEXIST => 0,
 written @ 0.. => written as usize,
 _ => panic!("{:?}", std::io::Error::last_os_error()),
 };
diff --git a/src/vmm/src/builder.rs b/src/vmm/src/builder.rs
index e21be9c40d8..dfaa168a524 100644
--- a/src/vmm/src/builder.rs
+++ b/src/vmm/src/builder.rs
@@ -65,7 +65,10 @@ use crate::vstate::memory::{
 #[cfg(target_arch = "aarch64")]
 use crate::vstate::resources::ResourceAllocator;
 use crate::vstate::vcpu::VcpuError;
-use crate::vstate::vm::{GUEST_MEMFD_FLAG_MMAP, GUEST_MEMFD_FLAG_NO_DIRECT_MAP, Vm, VmError};
+use crate::vstate::vm::{
+ GUEST_MEMFD_FLAG_INIT_SHARED, GUEST_MEMFD_FLAG_MMAP, GUEST_MEMFD_FLAG_NO_DIRECT_MAP,
+ GUEST_MEMFD_FLAG_WRITE, Vm, VmError,
+};
 use crate::{EventManager, Vmm, VmmError};
 /// Errors associated with starting the instance.
@@ -145,8 +148,7 @@ impl std::convert::From for StartMicrovmError {
 }
 }
-const KVM_CAP_GUEST_MEMFD_MMAP: u32 = 244;
-const KVM_CAP_GUEST_MEMFD_NO_DIRECT_MAP: u32 = 245;
+const KVM_CAP_GUEST_MEMFD_FLAGS: u32 = 244;
 /// Builds and starts a microVM based on the current Firecracker VmResources configuration.
 ///
@@ -183,8 +185,7 @@ pub fn build_microvm_for_boot(
 if secret_free {
 kvm_capabilities.push(KvmCapability::Add(Cap::GuestMemfd as u32));
- kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_MMAP));
- kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_NO_DIRECT_MAP));
+ kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_FLAGS));
 }
 let kvm = Kvm::new(kvm_capabilities)?;
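Review bot: The `EEXIST` arm turns a failed write into 0 bytes written without saying what EEXIST means here, and the errno the arm accepted until now, `ENOSPC`, falls through to the `panic!` arm, so a host running the earlier revision of the guest_memfd write interface will now abort the fault handler instead of continuing. Presumably EEXIST reports a page that another writer already populated; record that and the kernel revision it comes from on the arm, e.g. `// EEXIST: page already populated (guest_memfd write ABI, <kernel revision placeholder>); treat as nothing written`. Reading errno through `vmm_sys_util::errno::Error::last()` in the guard and `std::io::Error::last_os_error()` in the catch-all is consistent as long as nothing runs between the write and the match, which holds in the visible lines, but one accessor would be easier to audit. Whether the caller still wakes the faulting thread when 0 is returned cannot be judged here; the enclosing function starts and ends outside the hunk.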
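Review bot: `KVM_CAP_GUEST_MEMFD_FLAGS` is a bare magic number, and the same commit moves `KVM_CAP_USERFAULT` (the `@@ -574` hunk) from 246 to 245, the value `KVM_CAP_GUEST_MEMFD_NO_DIRECT_MAP` had until now, so on a host that still runs the previous patch revision a presence check for userfault support would succeed against the wrong capability. The existing `// TODO: take it from kvm-bindings when userfault support is merged upstream` above `KVM_CAP_USERFAULT` is the right pattern; the new constant should carry the same kind of note naming where its number comes from, e.g. `// TODO: take it from kvm-bindings once guest_memfd flags are upstream (numbered as in <kernel revision placeholder>)`. Renumbering both constants in one commit also argues for a single place, or a comment, stating the kernel revision Firecracker's secret-free build is tested against, since neither value is stable before upstream merge.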
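Review bot: Pushing `KvmCapability::Add(KVM_CAP_GUEST_MEMFD_FLAGS)` establishes only that the capability is present, not that the host supports each bit later handed to `create_guest_memfd`, and on the secret-free path it is `GUEST_MEMFD_FLAG_NO_DIRECT_MAP` that actually provides the property the VM is built for; the restore path at the `@@ -583` hunk has the same shape. If this capability reports the supported flag mask, as its name suggests, the check should compare that mask against the flags Firecracker intends to pass and refuse to build when `GUEST_MEMFD_FLAG_NO_DIRECT_MAP` is missing from it, rather than relying on the kernel to reject the flag at creation time. How `Kvm::new` evaluates the pushed capabilities is not visible here, so this may already be covered there; `build_microvm_for_boot` continues beyond the hunk.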
@@ -198,7 +199,9 @@ pub fn build_microvm_for_boot(
 true => Some(Arc::new(
 vm.create_guest_memfd(
 vm_resources.dram_memory_size() + vm_resources.hotplug_memory_size(),
- GUEST_MEMFD_FLAG_MMAP | GUEST_MEMFD_FLAG_NO_DIRECT_MAP,
+ GUEST_MEMFD_FLAG_MMAP
+ | GUEST_MEMFD_FLAG_INIT_SHARED
+ | GUEST_MEMFD_FLAG_NO_DIRECT_MAP,
 )
 .map_err(VmmError::Vm)?,
 )),
@@ -574,7 +577,7 @@ pub fn build_microvm_from_snapshot(
 vm_resources: &mut VmResources,
 ) -> Result>, BuildMicrovmFromSnapshotError> {
 // TODO: take it from kvm-bindings when userfault support is merged upstream
- const KVM_CAP_USERFAULT: u32 = 246;
+ const KVM_CAP_USERFAULT: u32 = 245;
 // Build Vmm.
 debug!("event_start: build microvm from snapshot");
@@ -583,8 +586,7 @@ pub fn build_microvm_from_snapshot(
 let mut kvm_capabilities = microvm_state.kvm_state.kvm_cap_modifiers.clone();
 if secret_free {
 kvm_capabilities.push(KvmCapability::Add(Cap::GuestMemfd as u32));
- kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_MMAP));
- kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_NO_DIRECT_MAP));
+ kvm_capabilities.push(KvmCapability::Add(KVM_CAP_GUEST_MEMFD_FLAGS));
 kvm_capabilities.push(KvmCapability::Add(KVM_CAP_USERFAULT));
 }
@@ -602,7 +604,10 @@ pub fn build_microvm_from_snapshot(
 true => Some(
 vm.create_guest_memfd(
 memory_size_from_mem_state(µvm_state.vm_state.memory),
- GUEST_MEMFD_FLAG_MMAP | GUEST_MEMFD_FLAG_NO_DIRECT_MAP,
+ GUEST_MEMFD_FLAG_MMAP
+ | GUEST_MEMFD_FLAG_INIT_SHARED
+ | GUEST_MEMFD_FLAG_NO_DIRECT_MAP
+ | GUEST_MEMFD_FLAG_WRITE,
 )
 .map_err(VmmError::Vm)?,
 ),
diff --git a/src/vmm/src/vstate/vm.rs b/src/vmm/src/vstate/vm.rs
index d2882885b29..eec4144ef6e 100644
--- a/src/vmm/src/vstate/vm.rs
+++ b/src/vmm/src/vstate/vm.rs
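Review bot: The boot path requests `GUEST_MEMFD_FLAG_MMAP | GUEST_MEMFD_FLAG_INIT_SHARED | GUEST_MEMFD_FLAG_NO_DIRECT_MAP` while the restore path at the `@@ -602` hunk also requests `GUEST_MEMFD_FLAG_WRITE`, and neither call site explains the difference. Presumably write access is needed only so the UFFD handler can populate restored pages (the `uffd_utils.rs` hunk in this commit touches that write path), which makes omitting it at boot a deliberate least-privilege choice worth stating, e.g. `// GUEST_MEMFD_FLAG_WRITE is deliberately not requested here; only snapshot restore writes into the guest_memfd`. A comment at the `@@ -602` site should say the converse, so the two flag sets are not accidentally unified later; `build_microvm_for_boot` extends beyond this hunk.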
@@ -44,7 +44,9 @@ use crate::vstate::vcpu::VcpuError;
 use crate::{DirtyBitmap, Vcpu, mem_size_mib};
 pub(crate) const GUEST_MEMFD_FLAG_MMAP: u64 = 1;
-pub(crate) const GUEST_MEMFD_FLAG_NO_DIRECT_MAP: u64 = 2;
+pub(crate) const GUEST_MEMFD_FLAG_INIT_SHARED: u64 = 2;
+pub(crate) const GUEST_MEMFD_FLAG_NO_DIRECT_MAP: u64 = 4;
+pub(crate) const GUEST_MEMFD_FLAG_WRITE: u64 = 8;
 /// KVM userfault information
 #[derive(Copy, Clone, Default, Eq, PartialEq, Debug)]
diff --git a/tests/integration_tests/security/test_sec_audit.py b/tests/integration_tests/security/test_sec_audit.py
index e8265c3ae2a..ed14f5e0278 100644
--- a/tests/integration_tests/security/test_sec_audit.py
+++ b/tests/integration_tests/security/test_sec_audit.py
@@ -35,6 +35,6 @@ def set_of_vulnerabilities(output: CommandReturn):
 )
 git_ab_test_host_command_if_pr(
- "cargo audit --deny warnings -q --json",
+ "cargo install --locked cargo-audit && cargo audit --deny warnings -q --json",
 comparator=set_did_not_grow_comparator(set_of_vulnerabilities),
 )
diff --git a/tools/devctr/Dockerfile b/tools/devctr/Dockerfile
index 3a161b8c387..92c1b0b7609 100644
--- a/tools/devctr/Dockerfile
+++ b/tools/devctr/Dockerfile
@@ -123,7 +123,7 @@ RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal --default-too
 && rustup target add x86_64-unknown-linux-musl \
 && rustup target add aarch64-unknown-linux-musl \
 && rustup component add llvm-tools-preview clippy rustfmt \
- && cargo install --locked cargo-audit grcov cargo-sort cargo-afl \
+ && cargo install --locked grcov cargo-sort cargo-afl \
 && cargo install --locked cargo-deny --version 0.17.0 \
 && cargo install --locked kani-verifier --version 0.64.0 && cargo kani setup \
 \
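Review bot: The `GUEST_MEMFD_FLAG_*` constants have no doc comments, yet this hunk moves `GUEST_MEMFD_FLAG_NO_DIRECT_MAP` from 2 to 4 and hands 2 to the new `GUEST_MEMFD_FLAG_INIT_SHARED`, so a host kernel with the previous bit layout would read the old secret-free bit as a request for initially-shared memory instead. Each constant should say what the bit asks for and where the value is defined (which of the four are upstream KVM and which come from the out-of-tree series cannot be told from the hunk), e.g. `/// Request that guest memory be kept out of the host kernel's direct map (presumed meaning; value as in <kernel revision placeholder>).` above `GUEST_MEMFD_FLAG_NO_DIRECT_MAP`. Writing the values as `1 << 0` through `1 << 3` would also make it obvious that they are independent bits OR'd together, which is how `builder.rs` uses them.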
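Review bot: The new command string installs `cargo-audit` from the registry at test time without a `--version`, so the audit result now depends on a network fetch of whichever cargo-audit release is current, and `--locked` only pins cargo-audit's own dependency lockfile, not the tool version; the `tools/devctr/Dockerfile` hunk, which drops `cargo-audit` from the image build, is the other half of this move. The Dockerfile keeps `cargo install --locked cargo-deny --version 0.17.0` pinned, and the same should apply here: `"cargo install --locked cargo-audit --version <cargo-audit version placeholder> && cargo audit --deny warnings -q --json"`. Since `git_ab_test_host_command_if_pr` presumably runs the string once per side of the A/B comparison, the install also runs twice per test, and if the goal is only a current advisory database, `cargo audit` refreshes that itself on each run, so reinstalling the binary buys nothing for that purpose. The `&&` also assumes the host command is executed through a shell, which is not visible from this hunk.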