Merge branch 'main' into snapshot-latency-test

Author: roypat

CHANGELOG.md

@@ -10,6 +10,18 @@ and this project adheres to
 
 ### Added
 
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+## [1.11.0]
+
+### Added
+
 - [#4987](https://github.com/firecracker-microvm/firecracker/pull/4987): Reset
   physical counter register (`CNTPCT_EL0`) on VM startup. This avoids VM reading
   the host physical counter value. This is only possible on 6.4 and newer
@@ -64,6 +76,9 @@ and this project adheres to
 - [#5046](https://github.com/firecracker-microvm/firecracker/pull/5046): Retry
   KVM_CREATE_VM on EINTR that occasionally happen on heavily loaded hosts to
   improve reliability of microVM creation.
+- [#5052](https://github.com/firecracker-microvm/firecracker/pull/5052): Build
+  the empty seccomp policy as default for debug builds to avoid crashes on
+  syscalls introduced by debug assertions from Rust 1.80.0.
 
 ## [1.10.1]
 

docs/seccomp.md

@@ -11,8 +11,10 @@ follows:
 - API - right before launching the HTTP server;
 - VCPUs - right before executing guest code.
 
-**Note**: On experimental GNU targets, there are no default seccomp filters
-installed, since they are not intended for production use.
+> [!WARNING]
+>
+> On debug binaries and experimental GNU targets, there are no default seccomp
+> filters installed, since they are not intended for production use.
 
 Firecracker uses JSON files for expressing the filter rules and relies on the
 [seccompiler](seccompiler.md) tool for all the seccomp functionality.
@@ -58,6 +60,12 @@ Potential use cases:
 - Users of experimentally-supported targets (like GNU libc builds) may be able
   to use this feature to implement seccomp filters without needing to have a
   custom build of Firecracker.
+- Users of debug binaries who need to use a seccomp filter for any reason will
+  be able to use this feature to implement seccomp filters without needing to
+  have a custom build of Firecracker. Note: there may be some differences in
+  syscalls between `debug` and `release` builds. A non-comprehensive list is:
+  - `fcntl(F_GETFD)` is used by debug assertions to verify a dropped `fd` is
+    valid.
 - Faced with a _theoretical_ production issue, due to a syscall that was issued
   by the Firecracker process, but not allowed by the seccomp policy, one may use
   a custom filter in order to quickly mitigate the issue. This can speed up the

src/firecracker/build.rs

@@ -14,23 +14,34 @@ const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
 fn main() {
     // Target triple
     let target = std::env::var("TARGET").expect("Missing target.");
+    let debug: bool = std::env::var("DEBUG")
+        .expect("Missing debug.")
+        .parse()
+        .expect("Invalid env variable DEBUG");
     let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
     // Target arch (x86_64 / aarch64)
     let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
 
     let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
-    // If the current target doesn't have a default filter, use a default, empty filter.
+    // If the current target doesn't have a default filter, or if we're building a debug binary,
+    // use a default, empty filter.
     // This is to make sure that Firecracker builds even with libc toolchains for which we don't
     // provide a default filter. For example, GNU libc.
-    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
-        seccomp_json_path
-    } else {
+    let seccomp_json_path = if debug {
+        println!(
+            "cargo:warning=Using empty default seccomp policy for debug builds: \
+             `resources/seccomp/unimplemented.json`."
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    } else if !Path::new(&seccomp_json_path).exists() {
         println!(
             "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
              `resources/seccomp/unimplemented.json`.",
             target
         );
         format!("{}/unimplemented.json", JSON_DIR)
+    } else {
+        seccomp_json_path
     };
 
     // Retrigger the build script if the JSON file has changed.