Merge branch 'main' into ssh-reuse2

DEPRECATED.md

@@ -19,3 +19,5 @@ a future major Firecracker release, in accordance with our
 - \[[#4428](https://github.com/firecracker-microvm/firecracker/pull/4428)\]
   Booting microVMs using MPTable and command line parameters for VirtIO devices.
   The functionality is substituted with ACPI.
+- \[[#2628](https://github.com/firecracker-microvm/firecracker/pull/2628)\] The
+  `--basic` parameter of `seccompiler-bin`.

tests/framework/http_api.py

@@ -3,8 +3,6 @@
 
 """A simple HTTP client for the Firecracker API"""
 
-# pylint:disable=too-few-public-methods
-
 import urllib
 from http import HTTPStatus
 

tests/framework/properties.py

@@ -2,7 +2,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # pylint:disable=broad-except
-# pylint:disable=too-few-public-methods
 
 """
 Metadata we want to attach to tests for further analysis and troubleshooting

tests/framework/state_machine.py

@@ -3,8 +3,6 @@
 """Defines a stream based string matcher and a generic state object."""
 
 
-# Too few public methods (1/2) (too-few-public-methods)
-# pylint: disable=R0903
 class MatchStaticString:
     """Match a static string versus input."""
 

tests/framework/utils.py

@@ -196,7 +196,6 @@ def __del__(self):
             self.proc.kill()
 
 
-# pylint: disable=too-few-public-methods
 class CpuMap:
     """Cpu map from real cpu cores to containers visible cores.
 

tests/host_tools/test_syscalls.c

@@ -0,0 +1,77 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// This is used by `test_seccomp_validate.py`
+
+#include <linux/types.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+
+
+void install_bpf_filter(char *bpf_file) {
+    int fd = open(bpf_file, O_RDONLY);
+    if (fd == -1) {
+        perror("open");
+        exit(EXIT_FAILURE);
+    }
+    struct stat sb;
+    if (fstat(fd, &sb) == -1) {
+        perror("stat");
+        exit(EXIT_FAILURE);
+    }
+    size_t size = sb.st_size;
+    size_t insn_len = size / sizeof(struct sock_filter);
+    struct sock_filter *filterbuf = (struct sock_filter*)malloc(size);
+    if (read(fd, filterbuf, size) == -1) {
+        perror("read");
+        exit(EXIT_FAILURE);
+    }
+
+    /* Install seccomp filter */
+    struct sock_fprog prog = {
+        .len = (unsigned short)(insn_len),
+        .filter = filterbuf,
+    };
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        perror("prctl(NO_NEW_PRIVS)");
+        exit(EXIT_FAILURE);
+    }
+    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+        perror("prctl(SECCOMP)");
+        exit(EXIT_FAILURE);
+    }
+}
+
+
+int main(int argc, char **argv) {
+    /* parse arguments */
+    if (argc < 3) {
+        fprintf(stderr, "Usage: %s BPF_FILE ARG0..\n", argv[0]);
+        exit(EXIT_FAILURE);
+    }
+    char *bpf_file = argv[1];
+    long syscall_id = atoi(argv[2]);
+    long arg0, arg1, arg2, arg3;
+    arg0 = arg1 = arg2 = arg3 = 0;
+    if (argc > 3) arg0 = atoi(argv[3]);
+    if (argc > 4) arg1 = atoi(argv[4]);
+    if (argc > 5) arg2 = atoi(argv[5]);
+    if (argc > 6) arg3 = atoi(argv[6]);
+
+    /* read seccomp filter from file */
+    if (strcmp(bpf_file, "/dev/null") != 0) {
+        install_bpf_filter(bpf_file);
+    }
+
+    long res = syscall(syscall_id, arg0, arg1, arg2, arg3);
+    printf("%ld\n", res);
+    return EXIT_SUCCESS;
+}

tests/integration_tests/functional/test_serial_io.py

@@ -16,7 +16,7 @@
 PLATFORM = platform.machine()
 
 
-class WaitTerminal(TestState):  # pylint: disable=too-few-public-methods
+class WaitTerminal(TestState):
     """Initial state when we wait for the login prompt."""
 
     def handle_input(self, serial, input_char) -> TestState:
@@ -27,7 +27,7 @@ def handle_input(self, serial, input_char) -> TestState:
         return self
 
 
-class WaitIDResult(TestState):  # pylint: disable=too-few-public-methods
+class WaitIDResult(TestState):
     """Wait for the console to show the result of the 'id' shell command."""
 
     def handle_input(self, unused_serial, input_char) -> TestState:
@@ -37,7 +37,7 @@ def handle_input(self, unused_serial, input_char) -> TestState:
         return self
 
 
-class TestFinished(TestState):  # pylint: disable=too-few-public-methods
+class TestFinished(TestState):
     """Test complete and successful."""
 
     def handle_input(self, unused_serial, _) -> TestState:

tests/integration_tests/security/conftest.py

@@ -0,0 +1,29 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Fixtures for security tests"""
+
+import json
+from pathlib import Path
+
+import pytest
+
+from host_tools.cargo_build import run_seccompiler_bin
+
+
+@pytest.fixture()
+def seccompiler(tmp_path):
+    "A seccompiler helper fixture"
+
+    class Seccompiler:
+        "A seccompiler helper class"
+
+        def compile(self, data: dict, basic=False) -> Path:
+            "Use seccompiler-bin to compile a filter from a dict"
+            inp = tmp_path / "input.json"
+            inp.write_text(json.dumps(data))
+            bpf = tmp_path / "output.bpfmap"
+            run_seccompiler_bin(bpf_path=bpf, json_path=inp, basic=basic)
+            return bpf
+
+    return Seccompiler()