Merge vmm build script into firecracker build script

The build script invokes cargo, which breaks tooling such as miri when
attempting to run it on the vmm crate. With us currently moving all
other crates into a single library crate, this is starting to become
annoying.

This also moves the code that reads the compiled seccomp config and
includes it into the firecracker binary. Outside the firecracker binary
crate, the code in question was only used in unittests. Unittests that
used the production filters now use empty filters. This is okay because
we run our integration test suite with the production filters, and the
filters are out of scope for unittests anyway.

With moving the code to a binary crate, rustc's dead code analysis
kicked in, so some error variants are removed.

Signed-off-by: Patrick Roy <[email protected]>

Author: roypat

build.rs

@@ -1,12 +1,147 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// this build script is called on en every `devtool build`,
-// embedding the FIRECRACKER_VERSION directly in the resulting binary
+use std::path::{Path, PathBuf};
+use std::process::Command;
+use std::{env, fs};
+
+const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
+
+const JSON_DIR: &str = "../../resources/seccomp";
+const SECCOMPILER_BUILD_DIR: &str = "../../build/seccompiler";
+const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
+
+// This script is run on every modification in the target-specific JSON file in `resources/seccomp`.
+// It compiles the JSON seccomp policies into a serializable BPF format, using seccompiler-bin.
+// The generated binary code will get included in Firecracker's code, at compile-time.
 fn main() {
+    // this build script is called on every `devtool build`,
+    // embedding the FIRECRACKER_VERSION directly in the resulting binary
     let firecracker_version = env!("CARGO_PKG_VERSION").to_string();
     println!(
         "cargo:rustc-env=FIRECRACKER_VERSION={}",
         firecracker_version
     );
+
+    // Only compile the seccomp filters for the firecracker binary - otherwise
+    // we'll get stuck in an infinite loop as seccompiler-bin (which is invoked below)
+    // also executes this build script to set the firecracker version env variable.
+    if let Ok(package) = std::env::var("CARGO_MANIFEST_DIR") {
+        if !package.ends_with("firecracker") {
+            return;
+        }
+    }
+
+    cpuid();
+
+    let target = env::var("TARGET").expect("Missing target.");
+    let out_dir = env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
+
+    // Path to the JSON seccomp policy.
+    let mut json_path = PathBuf::from(JSON_DIR);
+    json_path.push(format!("{}.json", target));
+
+    // If the current target doesn't have a default filter, use a default, empty filter.
+    // This is to make sure that Firecracker builds even with libc toolchains for which we don't
+    // provide a default filter. For example, GNU libc.
+    if !json_path.exists() {
+        json_path.pop();
+        json_path.push("unimplemented.json");
+
+        println!(
+            "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
+             `resources/seccomp/unimplemented.json`.",
+            target
+        );
+    }
+
+    // Retrigger the build script if the JSON file has changed.
+    let json_path = json_path.to_str().expect("Invalid bytes");
+    println!("cargo:rerun-if-changed={}", json_path);
+
+    // Also retrigger the build script on any seccompiler source code change.
+    register_seccompiler_src_watchlist(Path::new(SECCOMPILER_SRC_DIR));
+
+    // Run seccompiler-bin, getting the default, advanced filter.
+    let mut bpf_out_path = PathBuf::from(&out_dir);
+    bpf_out_path.push(ADVANCED_BINARY_FILTER_FILE_NAME);
+    run_seccompiler_bin(json_path, bpf_out_path.to_str().expect("Invalid bytes."));
+}
+
+// Run seccompiler with the given arguments.
+fn run_seccompiler_bin(json_path: &str, out_path: &str) {
+    // We have a global `target` directive in our .cargo/config file specifying x86_64 architecture.
+    // However, seccompiler-bin has to be compiled for the host architecture. Without this, cargo
+    // would produce a x86_64 binary on aarch64 host, causing this compilation step to fail as such
+    // a binary would not be executable.
+    let host_arch = env::var("HOST").expect("Could not determine compilation host");
+    let target_arch = env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
+
+    // Command for running seccompiler-bin
+    let mut command = Command::new("cargo");
+    command.args([
+        "run",
+        "-p",
+        "seccompiler",
+        "--verbose",
+        "--target",
+        &host_arch,
+        // We need to specify a separate build directory for seccompiler-bin. Otherwise, cargo will
+        // deadlock waiting to acquire a lock on the build folder that the parent cargo process is
+        // holding.
+        "--target-dir",
+        SECCOMPILER_BUILD_DIR,
+        "--",
+        "--input-file",
+        json_path,
+        "--target-arch",
+        &target_arch,
+        "--output-file",
+        out_path,
+    ]);
+
+    match command.output() {
+        Err(error) => panic!("\nSeccompiler-bin error: {:?}\n", error),
+        Ok(result) if !result.status.success() => {
+            panic!(
+                "\nSeccompiler-bin returned non-zero exit code:\nstderr: {}\nstdout: {}\n",
+                String::from_utf8(result.stderr).unwrap(),
+                String::from_utf8(result.stdout).unwrap(),
+            );
+        }
+        Ok(_) => {}
+    }
+}
+
+// Recursively traverse the entire seccompiler source folder and trigger a re-run of this build
+// script on any modification of these files.
+fn register_seccompiler_src_watchlist(src_dir: &Path) {
+    let contents = fs::read_dir(src_dir).expect("Unable to read folder contents.");
+    for entry in contents {
+        let path = entry.unwrap().path();
+        let metadata = fs::metadata(&path).expect("Unable to read file/folder metadata.");
+
+        if metadata.is_file() {
+            // Watch all source files.
+            println!(
+                "cargo:rerun-if-changed={}",
+                path.to_str().expect("Invalid unicode bytes.")
+            );
+        } else if metadata.is_dir() {
+            // If is a folder, recurse.
+            register_seccompiler_src_watchlist(&path);
+        }
+    }
+}
+
+fn cpuid() {
+    // Sets a `--cfg` flag for conditional compilation.
+    //
+    // TODO: Use `core::arch::x86_64::has_cpuid`
+    // (https://github.com/firecracker-microvm/firecracker/issues/3271).
+    #[cfg(any(
+        all(target_arch = "x86", target_feature = "sse", not(target_env = "sgx")),
+        all(target_arch = "x86_64", not(target_env = "sgx"))
+    ))]
+    println!("cargo:rustc-cfg=cpuid");
 }

src/api_server/src/lib.rs

@@ -101,7 +101,7 @@ impl ApiServer {
     /// use utils::eventfd::EventFd;
     /// use utils::tempfile::TempFile;
     /// use vmm::rpc_interface::VmmData;
-    /// use vmm::seccomp_filters::{get_filters, SeccompConfig};
+    /// use vmm::seccomp_filters::get_empty_filters;
     /// use vmm::vmm_config::instance_info::InstanceInfo;
     /// use vmm::HTTP_MAX_PAYLOAD_SIZE;
     ///
@@ -113,7 +113,7 @@ impl ApiServer {
     /// let (api_request_sender, _from_api) = channel();
     /// let (to_api, vmm_response_receiver) = channel();
     /// let time_reporter = ProcessTimeReporter::new(Some(1), Some(1), Some(1));
-    /// let seccomp_filters = get_filters(SeccompConfig::None).unwrap();
+    /// let seccomp_filters = get_empty_filters();
     /// let payload_limit = HTTP_MAX_PAYLOAD_SIZE;
     /// let (socket_ready_sender, socket_ready_receiver): (Sender<bool>, Receiver<bool>) = channel();
     ///
@@ -315,7 +315,7 @@ mod tests {
     use utils::time::ClockType;
     use vmm::builder::StartMicrovmError;
     use vmm::rpc_interface::VmmActionError;
-    use vmm::seccomp_filters::{get_filters, SeccompConfig};
+    use vmm::seccomp_filters::get_empty_filters;
     use vmm::vmm_config::instance_info::InstanceInfo;
     use vmm::vmm_config::snapshot::CreateSnapshotParams;
 
@@ -490,7 +490,7 @@ mod tests {
         let to_vmm_fd = EventFd::new(libc::EFD_NONBLOCK).unwrap();
         let (api_request_sender, _from_api) = channel();
         let (to_api, vmm_response_receiver) = channel();
-        let seccomp_filters = get_filters(SeccompConfig::Advanced).unwrap();
+        let seccomp_filters = get_empty_filters();
         let (socket_ready_sender, socket_ready_receiver) = channel();
 
         thread::Builder::new()
@@ -538,7 +538,7 @@ mod tests {
         let to_vmm_fd = EventFd::new(libc::EFD_NONBLOCK).unwrap();
         let (api_request_sender, _from_api) = channel();
         let (_to_api, vmm_response_receiver) = channel();
-        let seccomp_filters = get_filters(SeccompConfig::Advanced).unwrap();
+        let seccomp_filters = get_empty_filters();
         let (socket_ready_sender, socket_ready_receiver) = channel();
 
         thread::Builder::new()

src/cpu-template-helper/src/utils/mod.rs

@@ -10,7 +10,7 @@ use std::sync::{Arc, Mutex};
 
 use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::{get_filters, SeccompConfig};
+use vmm::seccomp_filters::get_empty_filters;
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
 
@@ -100,7 +100,7 @@ pub fn build_microvm_from_config(config: &str) -> Result<(Arc<Mutex<Vmm>>, VmRes
     let vm_resources = VmResources::from_json(config, &instance_info, HTTP_MAX_PAYLOAD_SIZE, None)
         .map_err(Error::CreateVmResources)?;
     let mut event_manager = EventManager::new().unwrap();
-    let seccomp_filters = get_filters(SeccompConfig::None).unwrap();
+    let seccomp_filters = get_empty_filters();
 
     // Build a microVM.
     let vmm = build_microvm_for_boot(

src/firecracker/src/main.rs

@@ -3,6 +3,7 @@
 
 mod api_server_adapter;
 mod metrics;
+mod seccomp;
 
 use std::fs::{self, File};
 use std::path::PathBuf;
@@ -17,14 +18,15 @@ use utils::arg_parser::{ArgParser, Argument};
 use utils::terminal::Terminal;
 use utils::validators::validate_instance_id;
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::{get_filters, SeccompConfig};
 use vmm::signal_handler::register_signal_handlers;
 use vmm::version_map::{FC_VERSION_TO_SNAP_VERSION, VERSION_MAP};
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::vmm_config::logger::{init_logger, LoggerConfig, LoggerLevel};
 use vmm::vmm_config::metrics::{init_metrics, MetricsConfig};
 use vmm::{EventManager, FcExitCode, HTTP_MAX_PAYLOAD_SIZE};
 
+use crate::seccomp::SeccompConfig;
+
 // The reason we place default API socket under /run is that API socket is a
 // runtime file.
 // see https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html for more information.
@@ -317,7 +319,7 @@ fn main_exitable() -> FcExitCode {
         arguments.flag_present("no-seccomp"),
         arguments.single_value("seccomp-filter"),
     )
-    .and_then(get_filters)
+    .and_then(seccomp::get_filters)
     {
         Ok(filters) => filters,
         Err(err) => {

src/vmm/src/seccomp_filters/mod.rs renamed to src/firecracker/src/seccomp.rs

@@ -3,9 +3,9 @@
 use std::fmt;
 use std::fs::File;
 use std::io::{BufReader, Read};
-use std::sync::Arc;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError, InstallationError};
+use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
+use vmm::seccomp_filters::get_empty_filters;
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -18,16 +18,12 @@ const DESERIALIZATION_BYTES_LIMIT: Option<u64> = Some(100_000);
 /// Error retrieving seccomp filters.
 #[derive(fmt::Debug)]
 pub enum FilterError {
-    /// Invalid SeccompConfig.
-    SeccompConfig(String),
     /// Filter deserialitaion error.
     Deserialization(DeserializationError),
     /// Invalid thread categories.
     ThreadCategories(String),
     /// Missing Thread Category.
     MissingThreadCategory(String),
-    /// Filter installation error.
-    Install(InstallationError),
     /// File open error.
     FileOpen(std::io::Error),
 }
@@ -37,17 +33,13 @@ impl fmt::Display for FilterError {
         use self::FilterError::*;
 
         match *self {
-            SeccompConfig(ref message) => {
-                write!(f, "Invalid seccomp argument configuration: {}", message)
-            }
             Deserialization(ref err) => write!(f, "Filter deserialization failed: {}", err),
             ThreadCategories(ref categories) => {
                 write!(f, "Invalid thread categories: {}", categories)
             }
             MissingThreadCategory(ref category) => {
                 write!(f, "Missing thread category: {}", category)
             }
-            Install(ref err) => write!(f, "Filter installation error: {}", err),
             FileOpen(ref err) => write!(f, "Filter file open error: {}", err),
         }
     }
@@ -101,15 +93,6 @@ fn get_default_filters() -> Result<BpfThreadMap, FilterError> {
     filter_thread_categories(map)
 }
 
-/// Retrieve empty seccomp filters.
-fn get_empty_filters() -> BpfThreadMap {
-    let mut map = BpfThreadMap::new();
-    map.insert("vmm".to_string(), Arc::new(vec![]));
-    map.insert("api".to_string(), Arc::new(vec![]));
-    map.insert("vcpu".to_string(), Arc::new(vec![]));
-    map
-}
-
 /// Retrieve custom seccomp filters.
 fn get_custom_filters<R: Read>(reader: R) -> Result<BpfThreadMap, FilterError> {
     let map = deserialize_binary(BufReader::new(reader), DESERIALIZATION_BYTES_LIMIT)
@@ -148,6 +131,8 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 
 #[cfg(test)]
 mod tests {
+    use std::sync::Arc;
+
     use seccompiler::BpfThreadMap;
     use utils::tempfile::TempFile;