feat(seccomp): moved call to seccomp

Previously seccomp was called in `build.rs` in root directory. This setup was confusing and required some workarounds to work. (`build.rs` was called recursively) Also it was causing problems for cross compilation. This commit moves call for seccomp from `build.rs` in root into `build.rs` in `firecracker`. It also does calls to the seccompiler directly, rather than calling seccomp binary. Signed-off-by: Egor Lazarchuk <[email protected]>
firecracker-microvm · Sep 21, 2023 · db4095d · db4095d
1 parent c9f62fb
commit db4095d
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 133 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/build.rs b/build.rs
@@ -1,16 +1,6 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::path::{Path, PathBuf};
-use std::process::Command;
-use std::{env, fs};
-
-const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
-
-const JSON_DIR: &str = "../../resources/seccomp";
-const SECCOMPILER_BUILD_DIR: &str = "../../build/seccompiler";
-const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
-
 // This script is run on every modification in the target-specific JSON file in `resources/seccomp`.
 // It compiles the JSON seccomp policies into a serializable BPF format, using seccompiler-bin.
 // The generated binary code will get included in Firecracker's code, at compile-time.
@@ -22,126 +12,4 @@ fn main() {
         "cargo:rustc-env=FIRECRACKER_VERSION={}",
         firecracker_version
     );
-
-    // Only compile the seccomp filters for the firecracker binary - otherwise
-    // we'll get stuck in an infinite loop as seccompiler-bin (which is invoked below)
-    // also executes this build script to set the firecracker version env variable.
-    if let Ok(package) = std::env::var("CARGO_MANIFEST_DIR") {
-        if !package.ends_with("firecracker") {
-            return;
-        }
-    }
-
-    cpuid();
-
-    let target = env::var("TARGET").expect("Missing target.");
-    let out_dir = env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
-
-    // Path to the JSON seccomp policy.
-    let mut json_path = PathBuf::from(JSON_DIR);
-    json_path.push(format!("{}.json", target));
-
-    // If the current target doesn't have a default filter, use a default, empty filter.
-    // This is to make sure that Firecracker builds even with libc toolchains for which we don't
-    // provide a default filter. For example, GNU libc.
-    if !json_path.exists() {
-        json_path.pop();
-        json_path.push("unimplemented.json");
-
-        println!(
-            "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
-             `resources/seccomp/unimplemented.json`.",
-            target
-        );
-    }
-
-    // Retrigger the build script if the JSON file has changed.
-    let json_path = json_path.to_str().expect("Invalid bytes");
-    println!("cargo:rerun-if-changed={}", json_path);
-
-    // Also retrigger the build script on any seccompiler source code change.
-    register_seccompiler_src_watchlist(Path::new(SECCOMPILER_SRC_DIR));
-
-    // Run seccompiler-bin, getting the default, advanced filter.
-    let mut bpf_out_path = PathBuf::from(&out_dir);
-    bpf_out_path.push(ADVANCED_BINARY_FILTER_FILE_NAME);
-    run_seccompiler_bin(json_path, bpf_out_path.to_str().expect("Invalid bytes."));
-}
-
-// Run seccompiler with the given arguments.
-fn run_seccompiler_bin(json_path: &str, out_path: &str) {
-    // We have a global `target` directive in our .cargo/config file specifying x86_64 architecture.
-    // However, seccompiler-bin has to be compiled for the host architecture. Without this, cargo
-    // would produce a x86_64 binary on aarch64 host, causing this compilation step to fail as such
-    // a binary would not be executable.
-    let host_arch = env::var("HOST").expect("Could not determine compilation host");
-    let target_arch = env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
-
-    // Command for running seccompiler-bin
-    let mut command = Command::new("cargo");
-    command.args([
-        "run",
-        "-p",
-        "seccompiler",
-        "--verbose",
-        "--target",
-        &host_arch,
-        // We need to specify a separate build directory for seccompiler-bin. Otherwise, cargo will
-        // deadlock waiting to acquire a lock on the build folder that the parent cargo process is
-        // holding.
-        "--target-dir",
-        SECCOMPILER_BUILD_DIR,
-        "--",
-        "--input-file",
-        json_path,
-        "--target-arch",
-        &target_arch,
-        "--output-file",
-        out_path,
-    ]);
-
-    match command.output() {
-        Err(error) => panic!("\nSeccompiler-bin error: {:?}\n", error),
-        Ok(result) if !result.status.success() => {
-            panic!(
-                "\nSeccompiler-bin returned non-zero exit code:\nstderr: {}\nstdout: {}\n",
-                String::from_utf8(result.stderr).unwrap(),
-                String::from_utf8(result.stdout).unwrap(),
-            );
-        }
-        Ok(_) => {}
-    }
-}
-
-// Recursively traverse the entire seccompiler source folder and trigger a re-run of this build
-// script on any modification of these files.
-fn register_seccompiler_src_watchlist(src_dir: &Path) {
-    let contents = fs::read_dir(src_dir).expect("Unable to read folder contents.");
-    for entry in contents {
-        let path = entry.unwrap().path();
-        let metadata = fs::metadata(&path).expect("Unable to read file/folder metadata.");
-
-        if metadata.is_file() {
-            // Watch all source files.
-            println!(
-                "cargo:rerun-if-changed={}",
-                path.to_str().expect("Invalid unicode bytes.")
-            );
-        } else if metadata.is_dir() {
-            // If is a folder, recurse.
-            register_seccompiler_src_watchlist(&path);
-        }
-    }
-}
-
-fn cpuid() {
-    // Sets a `--cfg` flag for conditional compilation.
-    //
-    // TODO: Use `core::arch::x86_64::has_cpuid`
-    // (https://github.com/firecracker-microvm/firecracker/issues/3271).
-    #[cfg(any(
-        all(target_arch = "x86", target_feature = "sse", not(target_env = "sgx")),
-        all(target_arch = "x86_64", not(target_env = "sgx"))
-    ))]
-    println!("cargo:rustc-cfg=cpuid");
 }
diff --git a/src/firecracker/Cargo.toml b/src/firecracker/Cargo.toml
@@ -3,7 +3,7 @@ name = "firecracker"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
+build = "build.rs"
 description = "Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers."
 homepage = "https://firecracker-microvm.github.io/"
 license = "Apache-2.0"
@@ -36,6 +36,13 @@ regex = { version = "1.9.5", default-features = false, features = ["std", "unico
 serde = { version = "1.0.188", features = ["derive"] }
 userfaultfd = "0.6.1"
 
+[build-dependencies]
+# Dev-Dependencies for build.rs
+seccompiler = { path = "../seccompiler" }
+serde = { version = "1.0.188", features = ["derive"] }
+serde_json = "1.0.107"
+bincode = "1.2.1"
+
 [[example]]
 name = "uffd_malicious_handler"
 path = "examples/uffd/malicious_handler.rs"

diff --git a/src/firecracker/build.rs b/src/firecracker/build.rs
@@ -0,0 +1,102 @@
+// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use std::collections::BTreeMap;
+use std::fs::File;
+use std::path::Path;
+
+use seccompiler::{
+    common::BpfProgram,
+    compiler::{Compiler, JsonFile},
+};
+const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
+
+const JSON_DIR: &str = "../../resources/seccomp";
+const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
+
+// This script is run on every modification in the target-specific JSON file in `resources/seccomp`.
+// It compiles the JSON seccomp policies into a serializable BPF format, using seccompiler-bin.
+// The generated binary code will get included in Firecracker's code, at compile-time.
+fn main() {
+    let firecracker_version = env!("CARGO_PKG_VERSION").to_string();
+    println!(
+        "cargo:rustc-env=FIRECRACKER_VERSION={}",
+        firecracker_version
+    );
+
+    // Target triple
+    let target = std::env::var("TARGET").expect("Missing target.");
+    let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
+    // Target arch (x86_64 / aarch64)
+    let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
+
+    // println!(
+    //     "cargo:warning=target: {}, out_dir: {}, target_arch: {}",
+    //     target, out_dir, target_arch
+    // );
+
+    let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
+    // If the current target doesn't have a default filter, use a default, empty filter.
+    // This is to make sure that Firecracker builds even with libc toolchains for which we don't
+    // provide a default filter. For example, GNU libc.
+    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
+        seccomp_json_path
+    } else {
+        println!(
+            "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
+             `resources/seccomp/unimplemented.json`.",
+            target
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    };
+
+    // Retrigger the build script if the JSON file has changed.
+    // let json_path = json_path.to_str().expect("Invalid bytes");
+    println!("cargo:rerun-if-changed={}", &seccomp_json_path);
+    // Also retrigger the build script on any seccompiler source code change.
+    register_seccompiler_src_watchlist(SECCOMPILER_SRC_DIR);
+
+    let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
+
+    // Run seccompiler-bin, getting the default, advanced filter.
+    run_seccompiler_bin(&target_arch, &seccomp_json_path, &out_path);
+}
+
+// Run seccompiler with the given arguments.
+fn run_seccompiler_bin(arch: &str, input_path: &str, out_path: &str) {
+    let input = std::fs::read_to_string(input_path).expect("Correct input file");
+    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
+
+    let arch = arch.try_into().expect("Target");
+    let compiler = Compiler::new(arch);
+
+    // transform the IR into a Map of BPFPrograms
+    let bpf_data: BTreeMap<String, BpfProgram> = compiler
+        .compile_blob(filters.0, false)
+        .expect("Successfull compilation");
+
+    // serialize the BPF programs & output them to a file
+    let output_file = File::create(out_path).expect("Create seccompiler output path");
+    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+}
+
+// Recursively traverse the entire seccompiler source folder and trigger a re-run of this build
+// script on any modification of these files.
+fn register_seccompiler_src_watchlist<P: AsRef<Path>>(src_dir: P) {
+    let contents = std::fs::read_dir(src_dir).expect("Unable to read folder contents.");
+    for entry in contents {
+        let path = entry.unwrap().path();
+        let metadata = std::fs::metadata(&path).expect("Unable to read file/folder metadata.");
+
+        if metadata.is_file() {
+            // Watch all source files.
+            println!(
+                "cargo:rerun-if-changed={}",
+                path.to_str().expect("Invalid unicode bytes.")
+            );
+        } else if metadata.is_dir() {
+            // If is a folder, recurse.
+            register_seccompiler_src_watchlist(&path);
+        }
+    }
+}