feat(seccomp): update seccompiler to use libseccomp

libseccomp provides better quality compiler for bpf seccomp programs than our current implementation. Signed-off-by: Egor Lazarchuk <[email protected]>
firecracker-microvm · Nov 25, 2024 · 224fdb4 · 224fdb4
1 parent 81cba86
commit 224fdb4
Show file tree

Hide file tree

Showing 14 changed files with 356 additions and 3,825 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/firecracker/Cargo.toml b/src/firecracker/Cargo.toml
@@ -42,13 +42,12 @@ serde = { version = "1.0.215", features = ["derive"] }
 userfaultfd = "0.8.1"
 
 [build-dependencies]
-bincode = "1.2.1"
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.215" }
 serde_json = "1.0.133"
 
 [features]
-tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
+tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
 gdb = ["vmm/gdb"]
 
 [lints]

diff --git a/src/firecracker/build.rs b/src/firecracker/build.rs
@@ -1,13 +1,8 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::collections::BTreeMap;
-use std::fs::File;
 use std::path::Path;
 
-use seccompiler::common::BpfProgram;
-use seccompiler::compiler::{Compiler, JsonFile};
-
 const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
 
 const JSON_DIR: &str = "../../resources/seccomp";
@@ -44,19 +39,7 @@ fn main() {
     // Also retrigger the build script on any seccompiler source code change.
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
-    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
-    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
-
-    let arch = target_arch.as_str().try_into().expect("Target");
-    let compiler = Compiler::new(arch);
-
-    // transform the IR into a Map of BPFPrograms
-    let bpf_data: BTreeMap<String, BpfProgram> = compiler
-        .compile_blob(filters.0, false)
-        .expect("Successfull compilation");
-
-    // serialize the BPF programs & output them to a file
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    let output_file = File::create(out_path).expect("Create seccompiler output path");
-    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+        .expect("Cannot compile seccomp filters");
 }
diff --git a/src/seccompiler/Cargo.toml b/src/seccompiler/Cargo.toml
@@ -12,25 +12,18 @@ bench = false
 
 [[bin]]
 name = "seccompiler-bin"
-path = "src/seccompiler_bin.rs"
+path = "src/bin.rs"
 bench = false
 
 [dependencies]
+clap = { version = "4.5.21", features = ["derive", "string"] }
 bincode = "1.2.1"
-displaydoc = "0.2.5"
 libc = "0.2.164"
-log-instrument = { path = "../log-instrument", optional = true }
+libseccomp = "0.3.0"
 serde = { version = "1.0.215", features = ["derive"] }
 serde_json = "1.0.133"
+displaydoc = "0.2.5"
 thiserror = "2.0.3"
 
-utils = { path = "../utils" }
-
-[dev-dependencies]
-vmm-sys-util = "0.12.1"
-
-[features]
-tracing = ["log-instrument", "utils/tracing"]
-
 [lints]
 workspace = true