feat(seccomp): update seccompiler to use libseccomp

libseccomp provides better quality compiler for
bpf seccomp programs than our current implementation.

This commit removes dependency of firecracker and vmm
crates on the seccompiler crate.

Signed-off-by: Egor Lazarchuk <[email protected]>

Author: ShadowCurse

Cargo.lock

@@ -12,7 +12,7 @@ use std::sync::{Arc, Mutex};
 use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
 use vmm::cpu_config::templates::{CustomCpuTemplate, Numeric};
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::get_empty_filters;
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
 use vmm_sys_util::tempfile::TempFile;

src/cpu-template-helper/src/utils/mod.rs

@@ -22,7 +22,6 @@ libc = "0.2.164"
 log-instrument = { path = "../log-instrument", optional = true }
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.215", features = ["derive"] }
 serde_derive = "1.0.136"
 serde_json = "1.0.133"
@@ -42,13 +41,12 @@ serde = { version = "1.0.215", features = ["derive"] }
 userfaultfd = "0.8.1"
 
 [build-dependencies]
-bincode = "1.2.1"
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.215" }
 serde_json = "1.0.133"
 
 [features]
-tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
+tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
 gdb = ["vmm/gdb"]
 
 [lints]

src/firecracker/Cargo.toml

@@ -1,13 +1,8 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::collections::BTreeMap;
-use std::fs::File;
 use std::path::Path;
 
-use seccompiler::common::BpfProgram;
-use seccompiler::compiler::{Compiler, JsonFile};
-
 const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
 
 const JSON_DIR: &str = "../../resources/seccomp";
@@ -44,19 +39,7 @@ fn main() {
     // Also retrigger the build script on any seccompiler source code change.
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
-    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
-    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
-
-    let arch = target_arch.as_str().try_into().expect("Target");
-    let compiler = Compiler::new(arch);
-
-    // transform the IR into a Map of BPFPrograms
-    let bpf_data: BTreeMap<String, BpfProgram> = compiler
-        .compile_blob(filters.0, false)
-        .expect("Successfull compilation");
-
-    // serialize the BPF programs & output them to a file
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    let output_file = File::create(out_path).expect("Create seccompiler output path");
-    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+        .expect("Cannot compile seccomp filters");
 }

src/firecracker/build.rs

@@ -5,7 +5,7 @@ use std::fs::File;
 use std::os::unix::process::CommandExt;
 use std::process::{Command, Stdio};
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/jailer.rs

@@ -3,7 +3,7 @@
 use std::env::args;
 use std::fs::File;
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/panic.rs

@@ -14,13 +14,13 @@ use std::sync::mpsc;
 
 pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
 use parsed_request::{ParsedRequest, RequestAction};
-use seccompiler::BpfProgramRef;
 use serde_json::json;
 use utils::time::{get_time_us, ClockType};
 use vmm::logger::{
     debug, error, info, update_metric_with_elapsed_time, warn, ProcessTimeReporter, METRICS,
 };
 use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
+use vmm::seccomp::BpfProgramRef;
 use vmm::vmm_config::snapshot::SnapshotType;
 use vmm_sys_util::eventfd::EventFd;
 
@@ -78,7 +78,7 @@ impl ApiServer {
         // Load seccomp filters on the API thread.
         // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
         // altogether is the desired behaviour.
-        if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
+        if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
             panic!(
                 "Failed to set the requested seccomp filters on the API thread: {}",
                 err
@@ -208,7 +208,7 @@ mod tests {
     use vmm::builder::StartMicrovmError;
     use vmm::logger::StoreMetric;
     use vmm::rpc_interface::{VmmActionError, VmmData};
-    use vmm::seccomp_filters::get_empty_filters;
+    use vmm::seccomp::get_empty_filters;
     use vmm::vmm_config::instance_info::InstanceInfo;
     use vmm::vmm_config::snapshot::CreateSnapshotParams;
     use vmm_sys_util::tempfile::TempFile;

src/firecracker/src/api_server/mod.rs

@@ -8,13 +8,13 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use seccompiler::BpfThreadMap;
 use vmm::logger::{error, warn, ProcessTimeReporter};
 use vmm::resources::VmResources;
 use vmm::rpc_interface::{
     ApiRequest, ApiResponse, BuildMicrovmFromRequestsError, PrebootApiController,
     RuntimeApiController, VmmAction,
 };
+use vmm::seccomp::BpfThreadMap;
 use vmm::vmm_config::instance_info::InstanceInfo;
 use vmm::{EventManager, FcExitCode, Vmm};
 use vmm_sys_util::epoll::EventSet;

src/firecracker/src/api_server_adapter.rs

@@ -17,7 +17,6 @@ use std::{io, panic};
 use api_server_adapter::ApiServerError;
 use event_manager::SubscriberOps;
 use seccomp::FilterError;
-use seccompiler::BpfThreadMap;
 use utils::arg_parser::{ArgParser, Argument};
 use utils::validators::validate_instance_id;
 use vmm::builder::StartMicrovmError;
@@ -26,6 +25,7 @@ use vmm::logger::{
 };
 use vmm::persist::SNAPSHOT_VERSION;
 use vmm::resources::VmResources;
+use vmm::seccomp::BpfThreadMap;
 use vmm::signal_handler::register_signal_handlers;
 use vmm::snapshot::{Snapshot, SnapshotError};
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};

src/firecracker/src/main.rs

@@ -5,8 +5,7 @@ use std::fs::File;
 use std::io::{BufReader, Read};
 use std::path::Path;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::{deserialize_binary, get_empty_filters, BpfThreadMap, DeserializationError};
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -118,7 +117,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 mod tests {
     use std::sync::Arc;
 
-    use seccompiler::BpfThreadMap;
+    use vmm::seccomp::BpfThreadMap;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;

src/firecracker/src/seccomp.rs

@@ -12,25 +12,18 @@ bench = false
 
 [[bin]]
 name = "seccompiler-bin"
-path = "src/seccompiler_bin.rs"
+path = "src/bin.rs"
 bench = false
 
 [dependencies]
 bincode = "1.2.1"
+clap = { version = "4.5.21", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 libc = "0.2.164"
-log-instrument = { path = "../log-instrument", optional = true }
+libseccomp = "0.3.0"
 serde = { version = "1.0.215", features = ["derive"] }
 serde_json = "1.0.133"
 thiserror = "2.0.3"
 
-utils = { path = "../utils" }
-
-[dev-dependencies]
-vmm-sys-util = "0.12.1"
-
-[features]
-tracing = ["log-instrument", "utils/tracing"]
-
 [lints]
 workspace = true