Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update seccompiler to use libseccomp #4926

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Update seccompiler to use libseccomp #4926

wants to merge 8 commits into from
+849 −4,300

Conversation

ShadowCurse
Copy link
Contributor

@ShadowCurse ShadowCurse commented Nov 25, 2024
edited
Loading

Changes

Replace our custom implementation of a seccompiler with libseccomp.
By out test, libseccomp produces ~65% smaller binaries which is very beneficial as we embed the combination of those into the Firecracker.

In order to interact with libseccomp we add custom bindings which contain only the needed set of methods, constants needed for our use case. This simplifies the maintenance and avoids adding dependencies.

Reason

libseccomp provides better quality compiler for BPF seccomp programs than our current implementation.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 13 times, most recently from 6bdce02 to b44d926 Compare November 28, 2024 10:24
@codecov Codecov
Copy link

codecov bot commented Nov 28, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 23.16602% with 199 lines in your changes missing coverage. Please review.

Project coverage is 83.07%. Comparing base (7b01bdc) to head (d4063b6).

Files with missing lines Patch % Lines
src/seccompiler/src/lib.rs 0.00% 92 Missing ⚠️
src/seccompiler/src/types.rs 0.00% 80 Missing ⚠️
src/seccompiler/src/bin.rs 0.00% 13 Missing ⚠️
src/vmm/src/seccomp.rs 89.06% 7 Missing ⚠️
src/seccompiler/src/bindings.rs 0.00% 6 Missing ⚠️
src/vmm/src/builder.rs 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4926      +/-   ##
==========================================
- Coverage   83.95%   83.07%   -0.89%     
==========================================
  Files         248      244       -4     
  Lines       27839    26634    -1205     
==========================================
- Hits        23371    22125    -1246     
- Misses       4468     4509      +41
Flag Coverage Δ
5.10-c5n.metal 83.59% <23.16%> (-0.94%) ⬇️
5.10-m5n.metal 83.57% <23.16%> (-0.94%) ⬇️
5.10-m6a.metal 82.78% <23.16%> (-1.02%) ⬇️
5.10-m6g.metal 79.44% <23.16%> (-1.20%) ⬇️
5.10-m6i.metal 83.56% <23.16%> (-0.94%) ⬇️
5.10-m7g.metal 79.44% <23.16%> (-1.20%) ⬇️
6.1-c5n.metal 83.59% <23.16%> (?)
6.1-m5n.metal 83.57% <23.16%> (-0.94%) ⬇️
6.1-m6a.metal 82.78% <23.16%> (-1.02%) ⬇️
6.1-m6g.metal 79.44% <23.16%> (-1.20%) ⬇️
6.1-m6i.metal 83.56% <23.16%> (-0.95%) ⬇️
6.1-m7g.metal 79.44% <23.16%> (-1.20%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ShadowCurse ShadowCurse self-assigned this Nov 28, 2024
@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 5 times, most recently from 3fb90d6 to 4ef05b8 Compare November 28, 2024 13:40
roypat
roypat reviewed Nov 28, 2024
View reviewed changes
Cargo.toml Outdated Show resolved Hide resolved
@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 2 times, most recently from 50ac4e6 to 919390b Compare November 28, 2024 14:12
@alindima
Copy link
Contributor

libseccomp provides better quality compiler for
bpf seccomp programs than our current implementation.

I'm curious, what does this mean? and how was this evaluated?

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 5 times, most recently from 775c84f to 1b253fb Compare November 29, 2024 14:04
pb8o
pb8o reviewed Dec 12, 2024
View reviewed changes
src/seccompiler/src/types.rs Outdated Show resolved Hide resolved
pb8o
pb8o previously approved these changes Dec 12, 2024
View reviewed changes
@pb8o pb8o self-requested a review December 12, 2024 10:32
@pb8o pb8o force-pushed the seccomp2 branch 3 times, most recently from 0e3f083 to 93cc0a2 Compare December 16, 2024 16:32
roypat
roypat previously approved these changes Dec 16, 2024
View reviewed changes
@pb8o pb8o force-pushed the seccomp2 branch 3 times, most recently from 7b1ef1c to 42787fa Compare December 16, 2024 17:01
roypat
roypat previously approved these changes Dec 17, 2024
View reviewed changes
@roypat
Copy link
Contributor

roypat commented Dec 17, 2024

(just resolved merge conflict so there's a chance my approval will survive me going on vacation)

@ShadowCurse ShadowCurse force-pushed the seccomp2 branch 4 times, most recently from ea82c60 to c334e39 Compare January 2, 2025 10:53
ShadowCurse and others added 8 commits January 6, 2025 11:39
@ShadowCurse @pb8o
feat(seccomp): update seccompiler to use libseccomp
5e437d9 
libseccomp provides a better quality compiler for
BPF seccomp programs than our current implementation. In our testing
it produces BPF code with ~65% less instructions which makes final
binaries smaller which in turn makes Firecracker binary smaller because
we include them into Firecracker at build time.

For this transition we create a minimal set of bindings for `libseccomp`
in order to simplify maintenance and avoid adding additional
dependencies.

The only tricky issue with this transition is the way `ioctl` and other
syscalls are checked with libseccomp. It always adds a check for the
high bits of the request to be 0. Unfortunately when we build with
`musl`, some syscalls like `ioctl` have upper bits set to 1. Because of
this, we replace `Eq` with `MaskedEq` with mask `0x00000000FFFFFFFF`
when the argument is 32bits.

This commit also removes dependency of firecracker and vmm
crates on the seccompiler crate.

Co-authored-by: Pablo Barbáchano <[email protected]>
Signed-off-by: Egor Lazarchuk <[email protected]>
@pb8o @ShadowCurse
devtool: remove obsolete commands
7a5ead9 
Since we depend on libseccomp in the previous commit, these commands to
update the syscall table are no longer needed.

Signed-off-by: Pablo Barbáchano <[email protected]>
@ShadowCurse
refactor(seccomp): replace deprecated prctl with syscall
0a48181 
According to
https://www.man7.org/linux/man-pages/man2/PR_SET_SECCOMP.2const.html
using `prctl` for setting seccomp filer is deprecated, so switch to
using `syscall` instead.

Signed-off-by: Egor Lazarchuk <[email protected]>
@ShadowCurse
refactor: use std::io::Error when setting seccomp
1b3c204 
Replace __errno_location() with std::io::Error::last_os_error() as a
more standard of getting errno value.

Signed-off-by: Egor Lazarchuk <[email protected]>
@ShadowCurse
refactor: replace DeserializationError with type alias
661604a 
The error enum had only 1 element and we can replace it with
alias for simplicity.

Signed-off-by: Egor Lazarchuk <[email protected]>
@ShadowCurse
chore: add libseccomp update to CHANGELOG
72a70d3 
Add a note about updating backend for seccompiler
to libseccomp.

Signed-off-by: Egor Lazarchuk <[email protected]>
@ShadowCurse
chore: add a note about compiling libseccomp from scratch
bf3f95d 
We need to compile it from source because version provided by the
distribution is not compiled with musl-gcc.

Signed-off-by: Egor Lazarchuk <[email protected]>
@ShadowCurse
chore: add additional path for libseccomp lib
d4063b6 
Kani on x86 for some reason cannot find libseccomp by default,
so we add additional path to the build.rs

Signed-off-by: Egor Lazarchuk <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roypat roypat roypat left review comments

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx is a code owner

@kalyazin kalyazin Awaiting requested review from kalyazin kalyazin is a code owner

@Manciukic Manciukic Awaiting requested review from Manciukic Manciukic is a code owner

@pb8o pb8o Awaiting requested review from pb8o pb8o is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

@ShadowCurse ShadowCurse

Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed Type: Enhancement Indicates new feature requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ShadowCurse @alindima @pb8o @roypat