Skip to content

Commit

Permalink
feat(seccomp): update seccompiler to use libseccomp
Browse files Browse the repository at this point in the history
libseccomp provides better quality compiler for
bpf seccomp programs than our current implementation.

This commit removes dependency of firecracker and vmm
crates on the seccompiler crate.

Signed-off-by: Egor Lazarchuk <[email protected]>
  • Loading branch information
ShadowCurse committed Nov 27, 2024
1 parent 4cc7c80 commit c595dd7
Show file tree
Hide file tree
Showing 32 changed files with 553 additions and 4,169 deletions.
31 changes: 26 additions & 5 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion src/cpu-template-helper/src/utils/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ use std::sync::{Arc, Mutex};
use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
use vmm::cpu_config::templates::{CustomCpuTemplate, Numeric};
use vmm::resources::VmResources;
use vmm::seccomp_filters::get_empty_filters;
use vmm::seccomp::get_empty_filters;
use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
use vmm_sys_util::tempfile::TempFile;
Expand Down
4 changes: 1 addition & 3 deletions src/firecracker/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ libc = "0.2.164"
log-instrument = { path = "../log-instrument", optional = true }
micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }

seccompiler = { path = "../seccompiler" }
serde = { version = "1.0.215", features = ["derive"] }
serde_derive = "1.0.136"
serde_json = "1.0.133"
Expand All @@ -42,13 +41,12 @@ serde = { version = "1.0.215", features = ["derive"] }
userfaultfd = "0.8.1"

[build-dependencies]
bincode = "1.2.1"
seccompiler = { path = "../seccompiler" }
serde = { version = "1.0.215" }
serde_json = "1.0.133"

[features]
tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
gdb = ["vmm/gdb"]

[lints]
Expand Down
21 changes: 2 additions & 19 deletions src/firecracker/build.rs
Original file line number Diff line number Diff line change
@@ -1,13 +1,8 @@
// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

use std::collections::BTreeMap;
use std::fs::File;
use std::path::Path;

use seccompiler::common::BpfProgram;
use seccompiler::compiler::{Compiler, JsonFile};

const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";

const JSON_DIR: &str = "../../resources/seccomp";
Expand Down Expand Up @@ -44,19 +39,7 @@ fn main() {
// Also retrigger the build script on any seccompiler source code change.
println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);

let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
let filters: JsonFile = serde_json::from_str(&input).expect("Input read");

let arch = target_arch.as_str().try_into().expect("Target");
let compiler = Compiler::new(arch);

// transform the IR into a Map of BPFPrograms
let bpf_data: BTreeMap<String, BpfProgram> = compiler
.compile_blob(filters.0, false)
.expect("Successfull compilation");

// serialize the BPF programs & output them to a file
let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
let output_file = File::create(out_path).expect("Create seccompiler output path");
bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
.expect("Cannot compile seccomp filters");
}
2 changes: 1 addition & 1 deletion src/firecracker/examples/seccomp/jailer.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use std::fs::File;
use std::os::unix::process::CommandExt;
use std::process::{Command, Stdio};

use seccompiler::{apply_filter, deserialize_binary};
use vmm::seccomp::{apply_filter, deserialize_binary};

fn main() {
let args: Vec<String> = args().collect();
Expand Down
2 changes: 1 addition & 1 deletion src/firecracker/examples/seccomp/panic.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
use std::env::args;
use std::fs::File;

use seccompiler::{apply_filter, deserialize_binary};
use vmm::seccomp::{apply_filter, deserialize_binary};

fn main() {
let args: Vec<String> = args().collect();
Expand Down
6 changes: 3 additions & 3 deletions src/firecracker/src/api_server/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ use std::sync::mpsc;

pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
use parsed_request::{ParsedRequest, RequestAction};
use seccompiler::BpfProgramRef;
use serde_json::json;
use utils::time::{get_time_us, ClockType};
use vmm::logger::{
debug, error, info, update_metric_with_elapsed_time, warn, ProcessTimeReporter, METRICS,
};
use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
use vmm::seccomp::BpfProgramRef;
use vmm::vmm_config::snapshot::SnapshotType;
use vmm_sys_util::eventfd::EventFd;

Expand Down Expand Up @@ -78,7 +78,7 @@ impl ApiServer {
// Load seccomp filters on the API thread.
// Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
// altogether is the desired behaviour.
if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
panic!(
"Failed to set the requested seccomp filters on the API thread: {}",
err
Expand Down Expand Up @@ -208,7 +208,7 @@ mod tests {
use vmm::builder::StartMicrovmError;
use vmm::logger::StoreMetric;
use vmm::rpc_interface::{VmmActionError, VmmData};
use vmm::seccomp_filters::get_empty_filters;
use vmm::seccomp::get_empty_filters;
use vmm::vmm_config::instance_info::InstanceInfo;
use vmm::vmm_config::snapshot::CreateSnapshotParams;
use vmm_sys_util::tempfile::TempFile;
Expand Down
2 changes: 1 addition & 1 deletion src/firecracker/src/api_server_adapter.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ use std::sync::{Arc, Mutex};
use std::thread;

use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
use seccompiler::BpfThreadMap;
use vmm::seccomp::BpfThreadMap;
use vmm::logger::{error, warn, ProcessTimeReporter};
use vmm::resources::VmResources;
use vmm::rpc_interface::{
Expand Down
2 changes: 1 addition & 1 deletion src/firecracker/src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ use std::{io, panic};
use api_server_adapter::ApiServerError;
use event_manager::SubscriberOps;
use seccomp::FilterError;
use seccompiler::BpfThreadMap;
use vmm::seccomp::BpfThreadMap;
use utils::arg_parser::{ArgParser, Argument};
use utils::validators::validate_instance_id;
use vmm::builder::StartMicrovmError;
Expand Down
6 changes: 3 additions & 3 deletions src/firecracker/src/seccomp.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@ use std::fs::File;
use std::io::{BufReader, Read};
use std::path::Path;

use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
use vmm::seccomp_filters::get_empty_filters;
use vmm::seccomp::get_empty_filters;
use vmm::seccomp::{deserialize_binary, BpfThreadMap, DeserializationError};

const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];

Expand Down Expand Up @@ -118,7 +118,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
mod tests {
use std::sync::Arc;

use seccompiler::BpfThreadMap;
use vmm::seccomp::BpfThreadMap;
use vmm_sys_util::tempfile::TempFile;

use super::*;
Expand Down
15 changes: 4 additions & 11 deletions src/seccompiler/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -12,25 +12,18 @@ bench = false

[[bin]]
name = "seccompiler-bin"
path = "src/seccompiler_bin.rs"
path = "src/bin.rs"
bench = false

[dependencies]
clap = { version = "4.5.21", features = ["derive", "string"] }
bincode = "1.2.1"
displaydoc = "0.2.5"
libc = "0.2.164"
log-instrument = { path = "../log-instrument", optional = true }
libseccomp = "0.3.0"
serde = { version = "1.0.215", features = ["derive"] }
serde_json = "1.0.133"
displaydoc = "0.2.5"
thiserror = "2.0.3"

utils = { path = "../utils" }

[dev-dependencies]
vmm-sys-util = "0.12.1"

[features]
tracing = ["log-instrument", "utils/tracing"]

[lints]
workspace = true
Loading

0 comments on commit c595dd7

Please sign in to comment.