Merge branch 'main' into drop_snapshot_forward_compatibility
Showing
23 changed files
with
105 additions
and
185 deletions.
@@ -3,7 +3,6 @@ name = "cpu-template-helper" | |
version = "1.5.0-dev" | ||
authors = ["Amazon Firecracker team <[email protected]>"] | ||
edition = "2021" | ||
build = "../../build.rs" | ||
license = "Apache-2.0" | ||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html | ||
|
||
|
@@ -3,7 +3,7 @@ name = "firecracker" | |
version = "1.5.0-dev" | ||
authors = ["Amazon Firecracker team <[email protected]>"] | ||
edition = "2021" | ||
build = "../../build.rs" | ||
build = "build.rs" | ||
description = "Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers." | ||
homepage = "https://firecracker-microvm.github.io/" | ||
license = "Apache-2.0" | ||
|
@@ -36,6 +36,12 @@ regex = { version = "1.9.5", default-features = false, features = ["std", "unico | |
serde = { version = "1.0.188", features = ["derive"] } | ||
userfaultfd = "0.6.1" | ||
|
||
[build-dependencies] | ||
bincode = "1.2.1" | ||
seccompiler = { path = "../seccompiler" } | ||
serde = { version = "1.0.188" } | ||
serde_json = "1.0.107" | ||
|
||
[[example]] | ||
name = "uffd_malicious_handler" | ||
path = "examples/uffd/malicious_handler.rs" | ||
|
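Review bot: The new `[build-dependencies]` table pins `bincode = "1.2.1"` for the build script, while whichever bincode version the runtime side uses to read the serialized `seccomp_filter.bpf` is outside this hunk; if the two ever diverge, the file written at build time and the deserializer consuming it could drift apart, since bincode's wire format is not guaranteed across major versions. Declaring bincode (and `serde_json`) once under `[workspace.dependencies]` and referencing them as `bincode = { workspace = true }` from both tables would keep them in lockstep. Also, `serde = { version = "1.0.188" }` can be written as the plain string `serde = "1.0.188"` for consistency with the neighbouring entries.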
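--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,62 @@
+// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use std::collections::BTreeMap;
+use std::fs::File;
+use std::path::Path;
+
+use seccompiler::common::BpfProgram;
+use seccompiler::compiler::{Compiler, JsonFile};
+
+const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
+
+const JSON_DIR: &str = "../../resources/seccomp";
+const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
+
+// This script is run on every modification in the target-specific JSON file in `resources/seccomp`.
+// It compiles the JSON seccomp policies into a serializable BPF format, using seccompiler-bin.
+// The generated binary code will get included in Firecracker's code, at compile-time.
+fn main() {
+// Target triple
+let target = std::env::var("TARGET").expect("Missing target.");
+let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
+// Target arch (x86_64 / aarch64)
+let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
+
+let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
+// If the current target doesn't have a default filter, use a default, empty filter.
+// This is to make sure that Firecracker builds even with libc toolchains for which we don't
+// provide a default filter. For example, GNU libc.
+let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
+seccomp_json_path
+} else {
+println!(
+"cargo:warning=No default seccomp policy for target: {}. Defaulting to \
+`resources/seccomp/unimplemented.json`.",
+target
+);
+format!("{}/unimplemented.json", JSON_DIR)
+};
+
+// Retrigger the build script if the JSON file has changed.
+// let json_path = json_path.to_str().expect("Invalid bytes");
+println!("cargo:rerun-if-changed={}", seccomp_json_path);
+// Also retrigger the build script on any seccompiler source code change.
+println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
+
+let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
+let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
+
+let arch = target_arch.as_str().try_into().expect("Target");
+let compiler = Compiler::new(arch);
+
+// transform the IR into a Map of BPFPrograms
+let bpf_data: BTreeMap<String, BpfProgram> = compiler
+.compile_blob(filters.0, false)
+.expect("Successfull compilation");
+
+// serialize the BPF programs & output them to a file
+let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
+let output_file = File::create(out_path).expect("Create seccompiler output path");
+bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+}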
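Review bot: When the target-specific policy is absent, `seccomp_json_path` is rebound to the fallback before the `cargo:rerun-if-changed` line, so only `unimplemented.json` is watched and a `{target}.json` added later would not retrigger the build unless cargo happens to re-run on the appearance of an unwatched file, which I would not rely on. Printing `println!("cargo:rerun-if-changed={}/{}.json", JSON_DIR, target);` before the existence check, in addition to the existing line, closes that gap. The dead `// let json_path = json_path.to_str().expect("Invalid bytes");` line just above it should be deleted. The fallback produces a binary built with the empty policy and only surfaces that as a `cargo:warning`, which is easy to lose in CI logs; a comment on the `else` branch such as `// NOTE: the resulting binary ships with the empty fallback policy, not a real filter.` would make the consequence explicit to whoever reads the warning. The `expect("Successfull compilation")` message also has a typo (`Successful`).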
|
@@ -3,7 +3,6 @@ name = "jailer" | |
version = "1.5.0-dev" | ||
authors = ["Amazon Firecracker team <[email protected]>"] | ||
edition = "2021" | ||
build = "../../build.rs" | ||
description = "Process for starting Firecracker in production scenarios; applies a cgroup/namespace isolation barrier and then drops privileges." | ||
homepage = "https://firecracker-microvm.github.io/" | ||
license = "Apache-2.0" | ||
|
|
@@ -3,7 +3,6 @@ name = "rebase-snap" | |
version = "1.5.0-dev" | ||
authors = ["Amazon Firecracker team <[email protected]>"] | ||
edition = "2021" | ||
build = "../../build.rs" | ||
license = "Apache-2.0" | ||
|
||
[[bin]] | ||
|
|
@@ -3,7 +3,6 @@ name = "seccompiler" | |
version = "1.5.0-dev" | ||
authors = ["Amazon Firecracker team <[email protected]>"] | ||
edition = "2021" | ||
build = "../../build.rs" | ||
description = "Program that compiles multi-threaded seccomp-bpf filters expressed as JSON into raw BPF programs, serializing them and outputting them to a file." | ||
homepage = "https://firecracker-microvm.github.io/" | ||
license = "Apache-2.0" | ||
|