firecracker-microvm · ShadowCurse · Sep 21, 2023 · Sep 21, 2023 · Sep 21, 2023 · Sep 21, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/build.rs b/build.rs
diff --git a/src/cpu-template-helper/Cargo.toml b/src/cpu-template-helper/Cargo.toml
@@ -3,7 +3,6 @@ name = "cpu-template-helper"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
 license = "Apache-2.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

diff --git a/src/cpu-template-helper/src/utils/mod.rs b/src/cpu-template-helper/src/utils/mod.rs
@@ -19,7 +19,7 @@ pub mod aarch64;
 #[cfg(target_arch = "x86_64")]
 pub mod x86_64;
 
-pub const CPU_TEMPLATE_HELPER_VERSION: &str = env!("FIRECRACKER_VERSION");
+pub const CPU_TEMPLATE_HELPER_VERSION: &str = env!("CARGO_PKG_VERSION");
 
 /// Trait for key of `HashMap`-based modifier.
 ///

diff --git a/src/firecracker/Cargo.toml b/src/firecracker/Cargo.toml
@@ -3,7 +3,7 @@ name = "firecracker"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
+build = "build.rs"
 description = "Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers."
 homepage = "https://firecracker-microvm.github.io/"
 license = "Apache-2.0"
@@ -36,6 +36,12 @@ regex = { version = "1.9.5", default-features = false, features = ["std", "unico
 serde = { version = "1.0.188", features = ["derive"] }
 userfaultfd = "0.6.1"
 
+[build-dependencies]
+bincode = "1.2.1"
+seccompiler = { path = "../seccompiler" }
+serde = { version = "1.0.188" }
+serde_json = "1.0.107"
+
 [[example]]
 name = "uffd_malicious_handler"
 path = "examples/uffd/malicious_handler.rs"

diff --git a/src/firecracker/build.rs b/src/firecracker/build.rs
@@ -0,0 +1,62 @@
+// Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use std::collections::BTreeMap;
+use std::fs::File;
+use std::path::Path;
+
+use seccompiler::common::BpfProgram;
+use seccompiler::compiler::{Compiler, JsonFile};
+
+const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
+
+const JSON_DIR: &str = "../../resources/seccomp";
+const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
+
+// This script is run on every modification in the target-specific JSON file in `resources/seccomp`.
+// It compiles the JSON seccomp policies into a serializable BPF format, using seccompiler-bin.
+// The generated binary code will get included in Firecracker's code, at compile-time.
+fn main() {
+    // Target triple
+    let target = std::env::var("TARGET").expect("Missing target.");
+    let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
+    // Target arch (x86_64 / aarch64)
+    let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
+
+    let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
+    // If the current target doesn't have a default filter, use a default, empty filter.
+    // This is to make sure that Firecracker builds even with libc toolchains for which we don't
+    // provide a default filter. For example, GNU libc.
+    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
+        seccomp_json_path
+    } else {
+        println!(
+            "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
+             `resources/seccomp/unimplemented.json`.",
+            target
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    };
+
+    // Retrigger the build script if the JSON file has changed.
+    // let json_path = json_path.to_str().expect("Invalid bytes");
+    println!("cargo:rerun-if-changed={}", seccomp_json_path);
+    // Also retrigger the build script on any seccompiler source code change.
+    println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
+
+    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
+    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
+
+    let arch = target_arch.as_str().try_into().expect("Target");
+    let compiler = Compiler::new(arch);
+
+    // transform the IR into a Map of BPFPrograms
+    let bpf_data: BTreeMap<String, BpfProgram> = compiler
+        .compile_blob(filters.0, false)
+        .expect("Successfull compilation");
+
+    // serialize the BPF programs & output them to a file
+    let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
+    let output_file = File::create(out_path).expect("Create seccompiler output path");
+    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+}
diff --git a/src/firecracker/src/main.rs b/src/firecracker/src/main.rs
@@ -36,7 +36,7 @@ use crate::seccomp::SeccompConfig;
 // see https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html for more information.
 const DEFAULT_API_SOCK_PATH: &str = "/run/firecracker.socket";
 const DEFAULT_INSTANCE_ID: &str = "anonymous-instance";
-const FIRECRACKER_VERSION: &str = env!("FIRECRACKER_VERSION");
+const FIRECRACKER_VERSION: &str = env!("CARGO_PKG_VERSION");
 const MMDS_CONTENT_ARG: &str = "metadata";
 
 #[derive(Debug, thiserror::Error, displaydoc::Display)]

diff --git a/src/jailer/Cargo.toml b/src/jailer/Cargo.toml
@@ -3,7 +3,6 @@ name = "jailer"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
 description = "Process for starting Firecracker in production scenarios; applies a cgroup/namespace isolation barrier and then drops privileges."
 homepage = "https://firecracker-microvm.github.io/"
 license = "Apache-2.0"

diff --git a/src/jailer/src/main.rs b/src/jailer/src/main.rs
@@ -18,7 +18,7 @@ mod chroot;
 mod env;
 mod resource_limits;
 
-const JAILER_VERSION: &str = env!("FIRECRACKER_VERSION");
+const JAILER_VERSION: &str = env!("CARGO_PKG_VERSION");
 
 #[derive(Debug, thiserror::Error)]
 pub enum JailerError {

diff --git a/src/rebase-snap/Cargo.toml b/src/rebase-snap/Cargo.toml
@@ -3,7 +3,6 @@ name = "rebase-snap"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
 license = "Apache-2.0"
 
 [[bin]]

diff --git a/src/rebase-snap/src/main.rs b/src/rebase-snap/src/main.rs
@@ -9,7 +9,7 @@ use std::os::unix::io::AsRawFd;
 use utils::arg_parser::{ArgParser, Argument, Arguments, Error as ArgError};
 use utils::seek_hole::SeekHole;
 
-const REBASE_SNAP_VERSION: &str = env!("FIRECRACKER_VERSION");
+const REBASE_SNAP_VERSION: &str = env!("CARGO_PKG_VERSION");
 const BASE_FILE: &str = "base-file";
 const DIFF_FILE: &str = "diff-file";
 

diff --git a/src/seccompiler/Cargo.toml b/src/seccompiler/Cargo.toml
@@ -3,7 +3,6 @@ name = "seccompiler"
 version = "1.5.0-dev"
 authors = ["Amazon Firecracker team <[email protected]>"]
 edition = "2021"
-build = "../../build.rs"
 description = "Program that compiles multi-threaded seccomp-bpf filters expressed as JSON into raw BPF programs, serializing them and outputting them to a file."
 homepage = "https://firecracker-microvm.github.io/"
 license = "Apache-2.0"