fix: do not build debug a default seccomp policy in debug binaries

Manciukic · Manciukic · commit 0ec23adbcbdf · 2025-03-03T12:33:47.000Z
Rust 1.80.0 added a debug assertion that uses fcntl(F_GETFD) to ensure
the fd is still valid when it gets dropped, which broke debug builds of
firecracker.

This made us rethink on whether we'd want any default seccomp policy in
debug builds, and we decided that in most cases we don't need them and
in some cases they get in the way of prororyping and debugging.

This patch changes the default seccomp policy in debug builds to empty.

Signed-off-by: Riccardo Mancini &lt;mancio@amazon.com&gt;
diff --git a/src/firecracker/build.rs b/src/firecracker/build.rs
@@ -14,23 +14,34 @@ const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
 fn main() {
     // Target triple
     let target = std::env::var("TARGET").expect("Missing target.");
+    let debug: bool = std::env::var("DEBUG")
+        .expect("Missing debug.")
+        .parse()
+        .expect("Invalid env variable DEBUG");
     let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
     // Target arch (x86_64 / aarch64)
     let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
 
     let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
-    // If the current target doesn't have a default filter, use a default, empty filter.
+    // If the current target doesn't have a default filter, or if we're building a debug binary,
+    // use a default, empty filter.
     // This is to make sure that Firecracker builds even with libc toolchains for which we don't
     // provide a default filter. For example, GNU libc.
-    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
-        seccomp_json_path
-    } else {
+    let seccomp_json_path = if debug {
+        println!(
+            "cargo:warning=Using empty default seccomp policy for debug builds: \
+             `resources/seccomp/unimplemented.json`."
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    } else if !Path::new(&seccomp_json_path).exists() {
         println!(
             "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
              `resources/seccomp/unimplemented.json`.",
             target
         );
         format!("{}/unimplemented.json", JSON_DIR)
+    } else {
+        seccomp_json_path
     };
 
     // Retrigger the build script if the JSON file has changed.
