Merge pull request #481 from Dstack-TEE/fix/host-api-vsock-only

kvinwang · web-flow · commit f49f228adf03 · 2026-01-28T11:15:31.000+08:00
fix(vmm): Forbid host API listening on non-vsock addresses
diff --git a/vmm/src/config.rs b/vmm/src/config.rs
@@ -409,6 +409,22 @@ pub struct HostApiConfig {
     pub port: u32,
 }
 
+impl HostApiConfig {
+    /// Validate that the host API address is a vsock address.
+    /// The host API must only listen on vsock for security reasons.
+    /// TCP/Unix socket listening is not supported.
+    pub fn validate(&self) -> Result<()> {
+        if !self.address.starts_with("vsock:") {
+            anyhow::bail!(
+                "Host API address must be a vsock address (e.g., 'vsock:2'), got: '{}'. \
+                TCP/Unix socket listening is not supported for the host API.",
+                self.address
+            );
+        }
+        Ok(())
+    }
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct KeyProviderConfig {
     pub enabled: bool,
diff --git a/vmm/src/main.rs b/vmm/src/main.rs
@@ -15,7 +15,6 @@ use path_absolutize::Absolutize;
 use rocket::{
     fairing::AdHoc,
     figment::{providers::Serialized, Figment},
-    listener::{Bind, DefaultListener},
 };
 use rocket_apitoken::ApiToken;
 use rocket_vsock_listener::VsockListener;
@@ -119,22 +118,13 @@ async fn run_host_api(app: App, figment: Figment) -> Result<()> {
         .ignite()
         .await
         .map_err(|err| anyhow!("Failed to ignite rocket: {err}"))?;
-    if DefaultListener::bind_endpoint(&ignite).is_ok() {
-        let listener = DefaultListener::bind(&ignite)
-            .await
-            .map_err(|err| anyhow!("Failed to bind host API : {err}"))?;
-        ignite
-            .launch_on(listener)
-            .await
-            .map_err(|err| anyhow!(err.to_string()))?;
-    } else {
-        let listener = VsockListener::bind_rocket(&ignite)
-            .map_err(|err| anyhow!("Failed to bind host API : {err}"))?;
-        ignite
-            .launch_on(listener)
-            .await
-            .map_err(|err| anyhow!(err.to_string()))?;
-    }
+    // Host API only supports vsock listener (validated at startup)
+    let listener = VsockListener::bind_rocket(&ignite)
+        .map_err(|err| anyhow!("Failed to bind host API: {err}"))?;
+    ignite
+        .launch_on(listener)
+        .await
+        .map_err(|err| anyhow!(err.to_string()))?;
     Ok(())
 }
 
@@ -166,6 +156,12 @@ async fn main() -> Result<()> {
     let figment = config::load_config_figment(args.config.as_deref());
     let config = Config::extract_or_default(&figment)?.abs_path()?;
 
+    // Validate host API configuration
+    config
+        .host_api
+        .validate()
+        .context("Invalid host_api configuration")?;
+
     // Handle commands
     match args.command.unwrap_or_default() {
         Command::Run(run_args) => {
