devices/vsock: selectively enable AF_UNIX in TSI

AF_UNIX transparency is only supported when running in a containerized
environment. We detect such case by checking we only have a single
virtio-fs device, and that device is pointing to "/", which is the
scenario when running under podman+crun.

In libkrun 2.x, the whole network configuration, including the TSI
features, should be exposed to the users explicitly.

Signed-off-by: Sergio Lopez <[email protected]>

Author: slp

src/devices/src/virtio/vsock/device.rs

@@ -53,6 +53,7 @@ impl Vsock {
         queues: Vec<VirtQueue>,
         unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
         enable_tsi: bool,
+        enable_tsi_unix: bool,
     ) -> super::Result<Vsock> {
         let mut queue_events = Vec::new();
         for _ in 0..queues.len() {
@@ -65,7 +66,13 @@ impl Vsock {
 
         Ok(Vsock {
             cid,
-            muxer: VsockMuxer::new(cid, host_port_map, unix_ipc_port_map, enable_tsi),
+            muxer: VsockMuxer::new(
+                cid,
+                host_port_map,
+                unix_ipc_port_map,
+                enable_tsi,
+                enable_tsi_unix,
+            ),
             queue_rx,
             queue_tx,
             queues,
@@ -84,12 +91,20 @@ impl Vsock {
         host_port_map: Option<HashMap<u16, u16>>,
         unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
         enable_tsi: bool,
+        enable_tsi_unix: bool,
     ) -> super::Result<Vsock> {
         let queues: Vec<VirtQueue> = defs::QUEUE_SIZES
             .iter()
             .map(|&max_size| VirtQueue::new(max_size))
             .collect();
-        Self::with_queues(cid, host_port_map, queues, unix_ipc_port_map, enable_tsi)
+        Self::with_queues(
+            cid,
+            host_port_map,
+            queues,
+            unix_ipc_port_map,
+            enable_tsi,
+            enable_tsi_unix,
+        )
     }
 
     pub fn id(&self) -> &str {

src/devices/src/virtio/vsock/muxer.rs

@@ -107,6 +107,7 @@ pub struct VsockMuxer {
     reaper_sender: Option<Sender<u64>>,
     unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
     enable_tsi: bool,
+    enable_tsi_unix: bool,
 }
 
 impl VsockMuxer {
@@ -115,6 +116,7 @@ impl VsockMuxer {
         host_port_map: Option<HashMap<u16, u16>>,
         unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
         enable_tsi: bool,
+        enable_tsi_unix: bool,
     ) -> Self {
         VsockMuxer {
             cid,
@@ -128,6 +130,7 @@ impl VsockMuxer {
             reaper_sender: None,
             unix_ipc_port_map,
             enable_tsi,
+            enable_tsi_unix,
         }
     }
 
@@ -282,6 +285,10 @@ impl VsockMuxer {
                 defs::SOCK_STREAM => {
                     debug!("vsock: proxy create stream");
                     let id = ((req.peer_port as u64) << 32) | (defs::TSI_PROXY_PORT as u64);
+                    if req.family as i32 == libc::AF_UNIX && !self.enable_tsi_unix {
+                        warn!("vsock: rejecting tcp unix proxy because tsi_unix is disabled");
+                        return;
+                    }
                     match TcpProxy::new(
                         id,
                         self.cid,
@@ -305,6 +312,10 @@ impl VsockMuxer {
                 defs::SOCK_DGRAM => {
                     debug!("vsock: proxy create dgram");
                     let id = ((req.peer_port as u64) << 32) | (defs::TSI_PROXY_PORT as u64);
+                    if req.family as i32 == libc::AF_UNIX && !self.enable_tsi_unix {
+                        warn!("vsock: rejecting udp unix proxy because tsi_unix is disabled");
+                        return;
+                    }
                     match UdpProxy::new(
                         id,
                         self.cid,

src/libkrun/src/lib.rs

@@ -2289,6 +2289,7 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
         host_port_map: None,
         unix_ipc_port_map: None,
         enable_tsi: false,
+        enable_tsi_unix: false,
     };
 
     #[cfg(feature = "net")]
@@ -2310,6 +2311,15 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     }
 
     if vsock_set {
+        if vsock_config.enable_tsi {
+            // We only support using TSI for AF_UNIX in a containerized context,
+            // so only enable it when we have a single virtio-fs device pointing
+            // to root.
+            #[cfg(not(feature = "tee"))]
+            if ctx_cfg.vmr.fs.len() == 1 && ctx_cfg.vmr.fs[0].shared_dir == "/" {
+                vsock_config.enable_tsi_unix = true;
+            }
+        }
         ctx_cfg.vmr.set_vsock_device(vsock_config).unwrap();
     }
 

src/vmm/src/vmm_config/vsock.rs

@@ -42,6 +42,8 @@ pub struct VsockDeviceConfig {
     pub unix_ipc_port_map: Option<HashMap<u32, (PathBuf, bool)>>,
     /// Whether to enable TSI
     pub enable_tsi: bool,
+    /// Whether to enable TSI for AF_UNIX
+    pub enable_tsi_unix: bool,
 }
 
 struct VsockWrapper {
@@ -81,6 +83,7 @@ impl VsockBuilder {
             cfg.host_port_map,
             cfg.unix_ipc_port_map,
             cfg.enable_tsi,
+            cfg.enable_tsi_unix,
         )
         .map_err(VsockConfigError::CreateVsockDevice)
     }
@@ -119,6 +122,7 @@ pub(crate) mod tests {
             host_port_map: None,
             unix_ipc_port_map: None,
             enable_tsi: false,
+            enable_tsi_unix: false,
         }
     }