Merge branch 'main' into tiny-test-fixes

Author: roypat

CHANGELOG.md

@@ -10,6 +10,18 @@ and this project adheres to
 
 ### Added
 
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+## [1.11.0]
+
+### Added
+
 - [#4987](https://github.com/firecracker-microvm/firecracker/pull/4987): Reset
   physical counter register (`CNTPCT_EL0`) on VM startup. This avoids VM reading
   the host physical counter value. This is only possible on 6.4 and newer
@@ -64,6 +76,9 @@ and this project adheres to
 - [#5046](https://github.com/firecracker-microvm/firecracker/pull/5046): Retry
   KVM_CREATE_VM on EINTR that occasionally happen on heavily loaded hosts to
   improve reliability of microVM creation.
+- [#5052](https://github.com/firecracker-microvm/firecracker/pull/5052): Build
+  the empty seccomp policy as default for debug builds to avoid crashes on
+  syscalls introduced by debug assertions from Rust 1.80.0.
 
 ## [1.10.1]
 

docs/seccomp.md

@@ -11,8 +11,10 @@ follows:
 - API - right before launching the HTTP server;
 - VCPUs - right before executing guest code.
 
-**Note**: On experimental GNU targets, there are no default seccomp filters
-installed, since they are not intended for production use.
+> [!WARNING]
+>
+> On debug binaries and experimental GNU targets, there are no default seccomp
+> filters installed, since they are not intended for production use.
 
 Firecracker uses JSON files for expressing the filter rules and relies on the
 [seccompiler](seccompiler.md) tool for all the seccomp functionality.
@@ -58,6 +60,12 @@ Potential use cases:
 - Users of experimentally-supported targets (like GNU libc builds) may be able
   to use this feature to implement seccomp filters without needing to have a
   custom build of Firecracker.
+- Users of debug binaries who need to use a seccomp filter for any reason will
+  be able to use this feature to implement seccomp filters without needing to
+  have a custom build of Firecracker. Note: there may be some differences in
+  syscalls between `debug` and `release` builds. A non-comprehensive list is:
+  - `fcntl(F_GETFD)` is used by debug assertions to verify a dropped `fd` is
+    valid.
 - Faced with a _theoretical_ production issue, due to a syscall that was issued
   by the Firecracker process, but not allowed by the seccomp policy, one may use
   a custom filter in order to quickly mitigate the issue. This can speed up the

resources/guest_configs/ci.config

@@ -5,3 +5,10 @@ CONFIG_SQUASHFS_ZSTD=y
 # aarch64 only TBD split into a separate file
 CONFIG_DEVMEM=y
 # CONFIG_ARM64_ERRATUM_3194386 is not set
+# Needed for CTRL+ALT+DEL support
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_LIBPS2=y
+CONFIG_SERIO_GSCPS2=y
+CONFIG_KEYBOARD_ATKBD=y
+CONFIG_INPUT_KEYBOARD=y

resources/overlay/usr/local/bin/fast_page_fault_helper.c

@@ -20,22 +20,27 @@
 int main(int argc, char *const argv[]) {
     sigset_t set;
     int signal;
+    void *ptr;
 
     sigemptyset(&set);
-    if(sigaddset(&set, SIGUSR1) == -1) {
+    if (sigaddset(&set, SIGUSR1) == -1) {
         perror("sigaddset");
-        return -1;
+        return 1;
+    }
+    if (sigprocmask(SIG_BLOCK, &set, NULL) == -1)  {
+        perror("sigprocmask");
+        return 1;
     }
 
-    void *ptr = mmap(NULL, MEM_SIZE_MIB, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
-
-    memset(ptr, 1, MEM_SIZE_MIB);
+    ptr = mmap(NULL, MEM_SIZE_MIB, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
 
-    if(MAP_FAILED == ptr) {
+    if (MAP_FAILED == ptr) {
         perror("mmap");
-        return -1;
+        return 1;
     }
 
+    memset(ptr, 1, MEM_SIZE_MIB);
+
     sigwait(&set, &signal);
 
     memset(ptr, 2, MEM_SIZE_MIB);

resources/rebuild.sh

@@ -120,7 +120,7 @@ EOF
 }
 
 function clone_amazon_linux_repo {
-    [ -d linux ] || git clone https://github.com/amazonlinux/linux linux
+    [ -d linux ] || git clone --no-checkout --filter=tree:0 https://github.com/amazonlinux/linux
 }
 
 # prints the git tag corresponding to the newest and best matching the provided kernel version $1
@@ -145,7 +145,8 @@ function build_al_kernel {
     local KERNEL_VERSION=$(echo $KERNEL_CFG | grep -Po "microvm-kernel-ci-$ARCH-\K(\d+\.\d+)")
 
     pushd linux
-    make distclean
+    # fails immediately after clone because nothing is checked out
+    make distclean || true
 
     git checkout $(get_tag $KERNEL_VERSION)
 

src/firecracker/build.rs

@@ -14,23 +14,34 @@ const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
 fn main() {
     // Target triple
     let target = std::env::var("TARGET").expect("Missing target.");
+    let debug: bool = std::env::var("DEBUG")
+        .expect("Missing debug.")
+        .parse()
+        .expect("Invalid env variable DEBUG");
     let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
     // Target arch (x86_64 / aarch64)
     let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
 
     let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
-    // If the current target doesn't have a default filter, use a default, empty filter.
+    // If the current target doesn't have a default filter, or if we're building a debug binary,
+    // use a default, empty filter.
     // This is to make sure that Firecracker builds even with libc toolchains for which we don't
     // provide a default filter. For example, GNU libc.
-    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
-        seccomp_json_path
-    } else {
+    let seccomp_json_path = if debug {
+        println!(
+            "cargo:warning=Using empty default seccomp policy for debug builds: \
+             `resources/seccomp/unimplemented.json`."
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    } else if !Path::new(&seccomp_json_path).exists() {
         println!(
             "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
              `resources/seccomp/unimplemented.json`.",
             target
         );
         format!("{}/unimplemented.json", JSON_DIR)
+    } else {
+        seccomp_json_path
     };
 
     // Retrigger the build script if the JSON file has changed.

tests/conftest.py

@@ -252,16 +252,6 @@ def bin_seccomp_paths():
     yield demos
 
 
-@pytest.fixture
-def uffd_handler_paths():
-    """Build UFFD handler binaries."""
-    handlers = {
-        f"{handler}_handler": build_tools.get_example(f"uffd_{handler}_handler")
-        for handler in ["malicious", "valid", "fault_all"]
-    }
-    yield handlers
-
-
 @pytest.fixture(scope="session")
 def netns_factory(worker_id):
     """A network namespace factory

tests/framework/utils.py

@@ -10,7 +10,6 @@
 import re
 import select
 import signal
-import stat
 import subprocess
 import time
 import typing
@@ -131,69 +130,6 @@ def chroot(path):
         os.chdir(working_dir)
 
 
-class UffdHandler:
-    """Describe the UFFD page fault handler process."""
-
-    def __init__(self, name, socket_path, mem_file, chroot_path, log_file_name):
-        """Instantiate the handler process with arguments."""
-        self._proc = None
-        self._handler_name = name
-        self._socket_path = socket_path
-        self._mem_file = mem_file
-        self._chroot = chroot_path
-        self._log_file = log_file_name
-
-    def spawn(self, uid, gid):
-        """Spawn handler process using arguments provided."""
-
-        with chroot(self._chroot):
-            st = os.stat(self._handler_name)
-            os.chmod(self._handler_name, st.st_mode | stat.S_IEXEC)
-
-            chroot_log_file = Path("/") / self._log_file
-            with open(chroot_log_file, "w", encoding="utf-8") as logfile:
-                args = [f"/{self._handler_name}", self._socket_path, self._mem_file]
-                self._proc = subprocess.Popen(
-                    args, stdout=logfile, stderr=subprocess.STDOUT
-                )
-
-            # Give it time start and fail, if it really has too (bad things happen).
-            time.sleep(1)
-            if not self.is_running():
-                print(chroot_log_file.read_text(encoding="utf-8"))
-                assert False, "Could not start PF handler!"
-
-            # The page fault handler will create the socket path with root rights.
-            # Change rights to the jailer's.
-            os.chown(self._socket_path, uid, gid)
-
-    @property
-    def proc(self):
-        """Return UFFD handler process."""
-        return self._proc
-
-    def is_running(self):
-        """Check if UFFD process is running"""
-        return self.proc is not None and self.proc.poll() is None
-
-    @property
-    def log_file(self):
-        """Return the path to the UFFD handler's log file"""
-        return Path(self._chroot) / Path(self._log_file)
-
-    @property
-    def log_data(self):
-        """Return the log data of the UFFD handler"""
-        if self.log_file is None:
-            return ""
-        return self.log_file.read_text(encoding="utf-8")
-
-    def __del__(self):
-        """Tear down the UFFD handler process."""
-        if self.proc is not None:
-            self.proc.kill()
-
-
 class CpuMap:
     """Cpu map from real cpu cores to containers visible cores.
 

tests/framework/utils_cpuid.py

@@ -28,6 +28,7 @@ class CpuModel(str, Enum):
     AMD_GENOA = "AMD_GENOA"
     ARM_NEOVERSE_N1 = "ARM_NEOVERSE_N1"
     ARM_NEOVERSE_V1 = "ARM_NEOVERSE_V1"
+    ARM_NEOVERSE_V2 = "ARM_NEOVERSE_V2"
     INTEL_SKYLAKE = "INTEL_SKYLAKE"
     INTEL_CASCADELAKE = "INTEL_CASCADELAKE"
     INTEL_ICELAKE = "INTEL_ICELAKE"
@@ -41,7 +42,11 @@ class CpuModel(str, Enum):
         "Intel(R) Xeon(R) Platinum 8375C CPU": "INTEL_ICELAKE",
     },
     CpuVendor.AMD: {"AMD EPYC 7R13": "AMD_MILAN", "AMD EPYC 9R14": "AMD_GENOA"},
-    CpuVendor.ARM: {"0xd0c": "ARM_NEOVERSE_N1", "0xd40": "ARM_NEOVERSE_V1"},
+    CpuVendor.ARM: {
+        "0xd0c": "ARM_NEOVERSE_N1",
+        "0xd40": "ARM_NEOVERSE_V1",
+        "0xd4f": "ARM_NEOVERSE_V2",
+    },
 }
 
 

tests/framework/utils_uffd.py

@@ -0,0 +1,98 @@
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""UFFD related utility functions"""
+
+import os
+import stat
+import subprocess
+import time
+from pathlib import Path
+
+from framework.utils import chroot
+from host_tools import cargo_build
+
+SOCKET_PATH = "/firecracker-uffd.sock"
+
+
+class UffdHandler:
+    """Describe the UFFD page fault handler process."""
+
+    def __init__(self, name, socket_path, mem_file, chroot_path, log_file_name):
+        """Instantiate the handler process with arguments."""
+        self._proc = None
+        self._handler_name = name
+        self._socket_path = socket_path
+        self._mem_file = mem_file
+        self._chroot = chroot_path
+        self._log_file = log_file_name
+
+    def spawn(self, uid, gid):
+        """Spawn handler process using arguments provided."""
+
+        with chroot(self._chroot):
+            st = os.stat(self._handler_name)
+            os.chmod(self._handler_name, st.st_mode | stat.S_IEXEC)
+
+            chroot_log_file = Path("/") / self._log_file
+            with open(chroot_log_file, "w", encoding="utf-8") as logfile:
+                args = [f"/{self._handler_name}", self._socket_path, self._mem_file]
+                self._proc = subprocess.Popen(
+                    args, stdout=logfile, stderr=subprocess.STDOUT
+                )
+
+            # Give it time start and fail, if it really has too (bad things happen).
+            time.sleep(1)
+            if not self.is_running():
+                print(chroot_log_file.read_text(encoding="utf-8"))
+                assert False, "Could not start PF handler!"
+
+            # The page fault handler will create the socket path with root rights.
+            # Change rights to the jailer's.
+            os.chown(self._socket_path, uid, gid)
+
+    @property
+    def proc(self):
+        """Return UFFD handler process."""
+        return self._proc
+
+    def is_running(self):
+        """Check if UFFD process is running"""
+        return self.proc is not None and self.proc.poll() is None
+
+    @property
+    def log_file(self):
+        """Return the path to the UFFD handler's log file"""
+        return Path(self._chroot) / Path(self._log_file)
+
+    @property
+    def log_data(self):
+        """Return the log data of the UFFD handler"""
+        if self.log_file is None:
+            return ""
+        return self.log_file.read_text(encoding="utf-8")
+
+    def __del__(self):
+        """Tear down the UFFD handler process."""
+        if self.proc is not None:
+            self.proc.kill()
+
+
+def spawn_pf_handler(vm, handler_path, mem_path):
+    """Spawn page fault handler process."""
+    # Copy snapshot memory file into chroot of microVM.
+    jailed_mem = vm.create_jailed_resource(mem_path)
+    # Copy the valid page fault binary into chroot of microVM.
+    jailed_handler = vm.create_jailed_resource(handler_path)
+    handler_name = os.path.basename(jailed_handler)
+
+    uffd_handler = UffdHandler(
+        handler_name, SOCKET_PATH, jailed_mem, vm.chroot(), "uffd.log"
+    )
+    uffd_handler.spawn(vm.jailer.uid, vm.jailer.gid)
+
+    return uffd_handler
+
+
+def uffd_handler(handler_name):
+    """Retrieves the uffd handler with the given name"""
+    return cargo_build.get_example(f"uffd_{handler_name}_handler")