-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update seccompiler to use libseccomp #4926
base: main
Are you sure you want to change the base?
Conversation
6bdce02
to
b44d926
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4926 +/- ##
==========================================
- Coverage 83.93% 83.07% -0.86%
==========================================
Files 248 247 -1
Lines 27791 26684 -1107
==========================================
- Hits 23326 22169 -1157
- Misses 4465 4515 +50
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
b44d926
to
6c5f77b
Compare
3fb90d6
to
4ef05b8
Compare
50ac4e6
to
919390b
Compare
I'm curious, what does this mean? and how was this evaluated? |
775c84f
to
1b253fb
Compare
Hi @alindima! We found this while revisiting seccomp recently:
|
@@ -0,0 +1,169 @@ | |||
// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Were those generated by bindgen? If no, why wasn't that feasible?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are some mix of https://github.com/libseccomp-rs/libseccomp-rs/blob/main/libseccomp-sys/src/lib.rs and new rust syntax (the unsafe extern
and safe
keyword). I did not auto generate them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should fix the ioctl syscall id getting resolved at build time instead of at runtime.
1fc051b
to
c411a78
Compare
0e3f083
to
93cc0a2
Compare
7b1ef1c
to
42787fa
Compare
libseccomp provides a better quality compiler for BPF seccomp programs than our current implementation. In our testing it produces BPF code with ~65% less instructions which makes final binaries smaller which in turn makes Firecracker binary smaller because we include them into Firecracker at build time. For this transition we create a minimal set of bindings for `libseccomp` in order to simplify maintenance and avoid adding additional dependencies. The only tricky issue with this transition is the way `ioctl` and other syscalls are checked with libseccomp. It always adds a check for the high bits of the request to be 0. Unfortunately when we build with `musl`, some syscalls like `ioctl` have upper bits set to 1. Because of this, we replace `Eq` with `MaskedEq` with mask `0x00000000FFFFFFFF` when the argument is 32bits. This commit also removes dependency of firecracker and vmm crates on the seccompiler crate. Co-authored-by: Pablo Barbáchano <pablob@amazon.com> Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Since we depend on libseccomp in the previous commit, these commands to update the syscall table are no longer needed. Signed-off-by: Pablo Barbáchano <pablob@amazon.com>
According to https://www.man7.org/linux/man-pages/man2/PR_SET_SECCOMP.2const.html using `prctl` for setting seccomp filer is deprecated, so switch to using `syscall` instead. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Replace __errno_location() with std::io::Error::last_os_error() as a more standard of getting errno value. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
The error enum had only 1 element and we can replace it with alias for simplicity. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Add a note about updating backend for seccompiler to libseccomp. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
We need to compile it from source because version provided by the distribution is not compiled with musl-gcc. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Kani on x86 for some reason cannot find libseccomp by default, so we add additional path to the build.rs Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
(just resolved merge conflict so there's a chance my approval will survive me going on vacation) |
Changes
Replace our custom implementation of a seccompiler with libseccomp.
By out test,
libseccomp
produces ~65% smaller binaries which is very beneficial as we embed the combination of those into the Firecracker.In order to interact with
libseccomp
we add custom bindings which contain only the needed set of methods, constants needed for our use case. This simplifies the maintenance and avoids adding dependencies.Reason
libseccomp
provides better quality compiler for BPF seccomp programs than our current implementation.License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md
.PR Checklist
tools/devtool checkstyle
to verify that the PR passes theautomated style checks.
how they are solving the problem in a clear and encompassing way.
in the PR.
CHANGELOG.md
.Runbook for Firecracker API changes.
integration tests.
TODO
.rust-vmm
.