vmm/io_uring/
restriction.rs

1// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2// SPDX-License-Identifier: Apache-2.0
3
4//! Seccomp-like restrictions for the allowed operations on an IoUring instance.
5//!
6//! One can configure the restrictions to only allow certain operations and/or allow only ops on
7//! registered files.
8//! If passed to the [`IoUring`] constructor, they take effect immediately and can never be
9//! deactivated.
10//!
11//! [`IoUring`]: ../struct.IoUring.html
12
13use std::convert::From;
14
15use crate::io_uring::generated::{
16    io_uring_register_restriction_op, io_uring_restriction, io_uring_sqe_flags_bit,
17};
18use crate::io_uring::operation::OpCode;
19
/// A single rule limiting what may be submitted through an io_uring instance.
///
/// Each variant is translated into one raw `io_uring_restriction` entry by the
/// `From<&Restriction>` conversion in this module.
///
/// NOTE(review): the rules are presumably applied as an allowlist, so an opcode with no
/// `AllowOpCode` entry would be rejected once restrictions are registered. Confirm against
/// the registration path, which is not part of this file.
#[derive(Debug)]
pub enum Restriction {
    /// Permit submissions that use this opcode.
    AllowOpCode(OpCode),
    /// Require submissions to operate on pre-registered (fixed) file descriptors only.
    ///
    /// Encoded as a required SQE flag (`IOSQE_FIXED_FILE`), so callers cannot hand the
    /// ring an arbitrary raw fd.
    RequireFixedFds,
}
28
impl From<&Restriction> for io_uring_restriction {
    /// Builds the raw `io_uring_restriction` entry that encodes `restriction`.
    ///
    /// The entry starts out fully zeroed, so every field not set below stays zero.
    ///
    /// # Panics
    ///
    /// Panics if the generated restriction-op constant does not fit in a `u16`.
    fn from(restriction: &Restriction) -> Self {
        // SAFETY: Safe because the struct only contains integer values, for which the
        // all-zero bit pattern is valid.
        let mut raw: Self = unsafe { std::mem::zeroed() };

        // Each arm fills the union member matching its restriction kind and yields the
        // register-restriction op that tells the consumer which member to read.
        let register_op = match restriction {
            Restriction::AllowOpCode(opcode) => {
                // NOTE(review): `as u8` truncates silently; this assumes every `OpCode`
                // discriminant fits in a byte. Confirm against the `OpCode` definition.
                raw.__bindgen_anon_1.sqe_op = *opcode as u8;
                io_uring_register_restriction_op::IORING_RESTRICTION_SQE_OP
            }
            Restriction::RequireFixedFds => {
                // A single-bit mask: the fixed-file flag is the only flag made mandatory.
                raw.__bindgen_anon_1.sqe_flags =
                    1 << io_uring_sqe_flags_bit::IOSQE_FIXED_FILE_BIT;
                io_uring_register_restriction_op::IORING_RESTRICTION_SQE_FLAGS_REQUIRED
            }
        };

        raw.opcode = u16::try_from(register_op).unwrap();
        raw
    }
}
55}