feat(seccomp): update seccompiler to use libseccomp

libseccomp provides a better quality compiler for
BPF seccomp programs than our current implementation. In our testing
it produces BPF code with ~65% less instructions which makes final
binaries smaller which in turn makes Firecracker binary smaller because
we include them into Firecracker at build time.

For this transition we create a minimal set of bindings for `libseccomp`
in order to simplify maintenance and avoid adding additional
dependencies.

The only tricky issue with this transition is the way `ioctl` and other
syscalls are checked with libseccomp. It always adds a check for the
high bits of the request to be 0. Unfortunately when we build with
`musl`, some syscalls like `ioctl` have upper bits set to 1. Because of
this, we replace `Eq` with `MaskedEq` with mask `0x00000000FFFFFFFF`
when the argument is 32bits.

This commit also removes dependency of firecracker and vmm
crates on the seccompiler crate.

Co-authored-by: Pablo Barbáchano <[email protected]>
Signed-off-by: Egor Lazarchuk <[email protected]>

Author: ShadowCurse

Cargo.lock

@@ -12,7 +12,7 @@ use std::sync::{Arc, Mutex};
 use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
 use vmm::cpu_config::templates::{CustomCpuTemplate, Numeric};
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::get_empty_filters;
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
 use vmm_sys_util::tempfile::TempFile;

src/cpu-template-helper/src/utils/mod.rs

@@ -22,7 +22,6 @@ libc = "0.2.169"
 log-instrument = { path = "../log-instrument", optional = true }
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.217", features = ["derive"] }
 serde_derive = "1.0.136"
 serde_json = "1.0.135"
@@ -42,13 +41,12 @@ serde = { version = "1.0.217", features = ["derive"] }
 userfaultfd = "0.8.1"
 
 [build-dependencies]
-bincode = "1.2.1"
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.217" }
 serde_json = "1.0.135"
 
 [features]
-tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
+tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
 gdb = ["vmm/gdb"]
 
 [lints]

src/firecracker/Cargo.toml

@@ -1,13 +1,8 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::collections::BTreeMap;
-use std::fs::File;
 use std::path::Path;
 
-use seccompiler::common::BpfProgram;
-use seccompiler::compiler::{Compiler, JsonFile};
-
 const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
 
 const JSON_DIR: &str = "../../resources/seccomp";
@@ -44,19 +39,7 @@ fn main() {
     // Also retrigger the build script on any seccompiler source code change.
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
-    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
-    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
-
-    let arch = target_arch.as_str().try_into().expect("Target");
-    let compiler = Compiler::new(arch);
-
-    // transform the IR into a Map of BPFPrograms
-    let bpf_data: BTreeMap<String, BpfProgram> = compiler
-        .compile_blob(filters.0, false)
-        .expect("Successfull compilation");
-
-    // serialize the BPF programs & output them to a file
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    let output_file = File::create(out_path).expect("Create seccompiler output path");
-    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+        .expect("Cannot compile seccomp filters");
 }

src/firecracker/build.rs

@@ -5,7 +5,7 @@ use std::fs::File;
 use std::os::unix::process::CommandExt;
 use std::process::{Command, Stdio};
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/jailer.rs

@@ -3,7 +3,7 @@
 use std::env::args;
 use std::fs::File;
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/panic.rs

@@ -14,13 +14,13 @@ use std::sync::mpsc;
 
 pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
 use parsed_request::{ParsedRequest, RequestAction};
-use seccompiler::BpfProgramRef;
 use serde_json::json;
 use utils::time::{get_time_us, ClockType};
 use vmm::logger::{
     debug, error, info, update_metric_with_elapsed_time, warn, ProcessTimeReporter, METRICS,
 };
 use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
+use vmm::seccomp::BpfProgramRef;
 use vmm::vmm_config::snapshot::SnapshotType;
 use vmm_sys_util::eventfd::EventFd;
 
@@ -78,7 +78,7 @@ impl ApiServer {
         // Load seccomp filters on the API thread.
         // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
         // altogether is the desired behaviour.
-        if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
+        if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
             panic!(
                 "Failed to set the requested seccomp filters on the API thread: {}",
                 err
@@ -208,7 +208,7 @@ mod tests {
     use vmm::builder::StartMicrovmError;
     use vmm::logger::StoreMetric;
     use vmm::rpc_interface::{VmmActionError, VmmData};
-    use vmm::seccomp_filters::get_empty_filters;
+    use vmm::seccomp::get_empty_filters;
     use vmm::vmm_config::instance_info::InstanceInfo;
     use vmm::vmm_config::snapshot::CreateSnapshotParams;
     use vmm_sys_util::tempfile::TempFile;

src/firecracker/src/api_server/mod.rs

@@ -8,13 +8,13 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use seccompiler::BpfThreadMap;
 use vmm::logger::{error, warn, ProcessTimeReporter};
 use vmm::resources::VmResources;
 use vmm::rpc_interface::{
     ApiRequest, ApiResponse, BuildMicrovmFromRequestsError, PrebootApiController,
     RuntimeApiController, VmmAction,
 };
+use vmm::seccomp::BpfThreadMap;
 use vmm::vmm_config::instance_info::InstanceInfo;
 use vmm::{EventManager, FcExitCode, Vmm};
 use vmm_sys_util::epoll::EventSet;

src/firecracker/src/api_server_adapter.rs

@@ -17,7 +17,6 @@ use std::{io, panic};
 use api_server_adapter::ApiServerError;
 use event_manager::SubscriberOps;
 use seccomp::FilterError;
-use seccompiler::BpfThreadMap;
 use utils::arg_parser::{ArgParser, Argument};
 use utils::validators::validate_instance_id;
 use vmm::arch::host_page_size;
@@ -27,6 +26,7 @@ use vmm::logger::{
 };
 use vmm::persist::SNAPSHOT_VERSION;
 use vmm::resources::VmResources;
+use vmm::seccomp::BpfThreadMap;
 use vmm::signal_handler::register_signal_handlers;
 use vmm::snapshot::{Snapshot, SnapshotError};
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};

src/firecracker/src/main.rs

@@ -5,8 +5,7 @@ use std::fs::File;
 use std::io::{BufReader, Read};
 use std::path::Path;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::{deserialize_binary, get_empty_filters, BpfThreadMap, DeserializationError};
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -118,7 +117,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 mod tests {
     use std::sync::Arc;
 
-    use seccompiler::BpfThreadMap;
+    use vmm::seccomp::BpfThreadMap;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;