Skip to content

Update seccompiler to use libseccomp#4926

Merged
ShadowCurse merged 8 commits intofirecracker-microvm:mainfrom
ShadowCurse:seccomp2
Jan 16, 2025
Merged

Update seccompiler to use libseccomp#4926
ShadowCurse merged 8 commits intofirecracker-microvm:mainfrom
ShadowCurse:seccomp2

Conversation

@ShadowCurse
Copy link
Contributor

@ShadowCurse ShadowCurse commented Nov 25, 2024
edited
Loading

Changes

Replace our custom implementation of a seccompiler with libseccomp.
By out test, libseccomp produces ~65% smaller binaries which is very beneficial as we embed the combination of those into the Firecracker.

In order to interact with libseccomp we add custom bindings which contain only the needed set of methods, constants needed for our use case. This simplifies the maintenance and avoids adding dependencies.

Reason

libseccomp provides better quality compiler for BPF seccomp programs than our current implementation.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 13 times, most recently from 6bdce02 to b44d926 Compare November 28, 2024 10:24
@codecov
Copy link

codecov bot commented Nov 28, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 23.16602% with 199 lines in your changes missing coverage. Please review.

Project coverage is 83.07%. Comparing base (9ac6f3a) to head (81eff58).
Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
src/seccompiler/src/lib.rs 0.00% 92 Missing ⚠️
src/seccompiler/src/types.rs 0.00% 80 Missing ⚠️
src/seccompiler/src/bin.rs 0.00% 13 Missing ⚠️
src/vmm/src/seccomp.rs 89.06% 7 Missing ⚠️
src/seccompiler/src/bindings.rs 0.00% 6 Missing ⚠️
src/vmm/src/builder.rs 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4926      +/-   ##
==========================================
- Coverage   83.95%   83.07%   -0.89%     
==========================================
  Files         248      244       -4     
  Lines       27839    26634    -1205     
==========================================
- Hits        23371    22125    -1246     
- Misses       4468     4509      +41
Flag Coverage Δ
5.10-c5n.metal 83.59% <23.16%> (-0.94%) ⬇️
5.10-m5n.metal 83.57% <23.16%> (-0.94%) ⬇️
5.10-m6a.metal 82.78% <23.16%> (-1.02%) ⬇️
5.10-m6g.metal 79.44% <23.16%> (-1.20%) ⬇️
5.10-m6i.metal 83.56% <23.16%> (-0.95%) ⬇️
5.10-m7g.metal 79.44% <23.16%> (-1.20%) ⬇️
6.1-c5n.metal 83.58% <23.16%> (-0.94%) ⬇️
6.1-m5n.metal 83.57% <23.16%> (-0.95%) ⬇️
6.1-m6a.metal 82.79% <23.16%> (-1.02%) ⬇️
6.1-m6g.metal 79.43% <23.16%> (-1.20%) ⬇️
6.1-m6i.metal 83.56% <23.16%> (-0.95%) ⬇️
6.1-m7g.metal 79.44% <23.16%> (-1.19%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ShadowCurse ShadowCurse self-assigned this Nov 28, 2024
@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 5 times, most recently from 3fb90d6 to 4ef05b8 Compare November 28, 2024 13:40
roypat
roypat reviewed Nov 28, 2024
View reviewed changes
@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 2 times, most recently from 50ac4e6 to 919390b Compare November 28, 2024 14:12
@alindima
Copy link
Contributor

alindima commented Nov 28, 2024

libseccomp provides better quality compiler for
bpf seccomp programs than our current implementation.

I'm curious, what does this mean? and how was this evaluated?

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 5 times, most recently from 775c84f to 1b253fb Compare November 29, 2024 14:04
@roypat
Copy link
Contributor

roypat commented Dec 17, 2024

(just resolved merge conflict so there's a chance my approval will survive me going on vacation)

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 6 times, most recently from d4063b6 to d43dbdc Compare January 7, 2025 11:26
@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 4 times, most recently from 77e5fc0 to 09c331d Compare January 15, 2025 14:06
roypat
roypat previously approved these changes Jan 15, 2025
View reviewed changes
pb8o
pb8o previously approved these changes Jan 16, 2025
View reviewed changes
@ShadowCurse ShadowCurse dismissed stale reviews from pb8o and roypat via 75ef5ae January 16, 2025 10:11
ShadowCurse and others added 8 commits January 16, 2025 12:38
@ShadowCurse @pb8o
feat(seccomp): update seccompiler to use libseccomp
eb68fe9 
libseccomp provides a better quality compiler for
BPF seccomp programs than our current implementation. In our testing
it produces BPF code with ~65% less instructions which makes final
binaries smaller which in turn makes Firecracker binary smaller because
we include them into Firecracker at build time.

For this transition we create a minimal set of bindings for `libseccomp`
in order to simplify maintenance and avoid adding additional
dependencies.

The only tricky issue with this transition is the way `ioctl` and other
syscalls are checked with libseccomp. It always adds a check for the
high bits of the request to be 0. Unfortunately when we build with
`musl`, some syscalls like `ioctl` have upper bits set to 1. Because of
this, we replace `Eq` with `MaskedEq` with mask `0x00000000FFFFFFFF`
when the argument is 32bits.

This commit also removes dependency of firecracker and vmm
crates on the seccompiler crate.

Co-authored-by: Pablo Barbáchano <pablob@amazon.com>
Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@pb8o @ShadowCurse
devtool: remove obsolete commands
423ee2a 
Since we depend on libseccomp in the previous commit, these commands to
update the syscall table are no longer needed.

Signed-off-by: Pablo Barbáchano <pablob@amazon.com>
@ShadowCurse
refactor(seccomp): replace deprecated prctl with syscall
04f039e 
According to
https://www.man7.org/linux/man-pages/man2/PR_SET_SECCOMP.2const.html
using `prctl` for setting seccomp filer is deprecated, so switch to
using `syscall` instead.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse
refactor: use std::io::Error when setting seccomp
2f64b3d 
Replace __errno_location() with std::io::Error::last_os_error() as a
more standard of getting errno value.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse
refactor: replace DeserializationError with type alias
50eec0a 
The error enum had only 1 element and we can replace it with
alias for simplicity.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse
chore: add libseccomp update to CHANGELOG
f1a76ef 
Add a note about updating backend for seccompiler
to libseccomp.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse
chore: add additional path for libseccomp lib
6cb0e50 
Kani on x86 for some reason cannot find libseccomp by default,
so we add additional path to the build.rs

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse
chore: update NOTICE with info about libseccomp usage
81eff58 
Add a note about libseccomp usage in Firecracker
build process and in the seccomp-bin.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse ShadowCurse merged commit c182544 into firecracker-microvm:main Jan 16, 2025
4 of 7 checks passed
@ShadowCurse ShadowCurse deleted the seccomp2 branch January 16, 2025 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pb8o pb8o pb8o approved these changes

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx is a code owner

@kalyazin kalyazin Awaiting requested review from kalyazin kalyazin is a code owner

@Manciukic Manciukic Awaiting requested review from Manciukic Manciukic is a code owner

+1 more reviewer

@roypat roypat roypat approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ShadowCurse ShadowCurse

Labels

Status: Awaiting review Indicates that a pull request is ready to be reviewed Type: Enhancement Indicates new feature requests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ShadowCurse @alindima @pb8o @roypat