test: move seccomp things into vmm

Signed-off-by: Egor Lazarchuk <[email protected]>

Author: ShadowCurse

Cargo.lock

@@ -22,7 +22,6 @@ libc = "0.2.164"
 log-instrument = { path = "../log-instrument", optional = true }
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.215", features = ["derive"] }
 serde_derive = "1.0.136"
 serde_json = "1.0.133"

src/firecracker/Cargo.toml

@@ -14,7 +14,7 @@ use std::sync::mpsc;
 
 pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
 use parsed_request::{ParsedRequest, RequestAction};
-use seccompiler::BpfProgramRef;
+use vmm::seccomp::BpfProgramRef;
 use serde_json::json;
 use utils::time::{get_time_us, ClockType};
 use vmm::logger::{
@@ -78,7 +78,7 @@ impl ApiServer {
         // Load seccomp filters on the API thread.
         // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
         // altogether is the desired behaviour.
-        if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
+        if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
             panic!(
                 "Failed to set the requested seccomp filters on the API thread: {}",
                 err

src/firecracker/src/api_server/mod.rs

@@ -8,7 +8,7 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use seccompiler::BpfThreadMap;
+use vmm::seccomp::BpfThreadMap;
 use vmm::logger::{error, warn, ProcessTimeReporter};
 use vmm::resources::VmResources;
 use vmm::rpc_interface::{

src/firecracker/src/api_server_adapter.rs

@@ -17,7 +17,7 @@ use std::{io, panic};
 use api_server_adapter::ApiServerError;
 use event_manager::SubscriberOps;
 use seccomp::FilterError;
-use seccompiler::BpfThreadMap;
+use vmm::seccomp::BpfThreadMap;
 use utils::arg_parser::{ArgParser, Argument};
 use utils::validators::validate_instance_id;
 use vmm::builder::StartMicrovmError;

src/firecracker/src/main.rs

@@ -5,8 +5,8 @@ use std::fs::File;
 use std::io::{BufReader, Read};
 use std::path::Path;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::get_empty_filters;
+use vmm::seccomp::{deserialize_binary, BpfThreadMap, DeserializationError};
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -118,7 +118,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 mod tests {
     use std::sync::Arc;
 
-    use seccompiler::BpfThreadMap;
+    use vmm::seccomp::BpfThreadMap;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;

src/firecracker/src/seccomp.rs

@@ -1,12 +1,11 @@
 // Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
-use std::collections::{BTreeMap, HashMap};
+use std::collections::BTreeMap;
 use std::fs::File;
 use std::io::Read;
 use std::os::fd::FromRawFd;
-use std::sync::Arc;
 
-use bincode::{DefaultOptions, Error as BincodeError, Options};
+use bincode::Error as BincodeError;
 use libseccomp::*;
 
 pub mod types;
@@ -125,208 +124,3 @@ pub fn compile_bpf(
     bincode::serialize_into(output_file, &bpf_map).map_err(CompilationError::BincodeSerialize)?;
     Ok(())
 }
-
-/// Binary filter deserialization errors.
-#[derive(Debug, thiserror::Error, displaydoc::Display)]
-pub enum DeserializationError {
-    /// Bincode deserialization failed: {0}
-    Bincode(BincodeError),
-}
-
-pub fn deserialize_binary<R: Read>(
-    reader: R,
-    bytes_limit: Option<u64>,
-) -> Result<BpfThreadMap, DeserializationError> {
-    let result = match bytes_limit {
-        Some(limit) => DefaultOptions::new()
-            .with_fixint_encoding()
-            .allow_trailing_bytes()
-            .with_limit(limit)
-            .deserialize_from::<R, HashMap<String, BpfProgram>>(reader),
-        // No limit is the default.
-        None => bincode::deserialize_from::<R, HashMap<String, BpfProgram>>(reader),
-    }
-    .map_err(DeserializationError::Bincode)?;
-
-    Ok(result
-        .into_iter()
-        .map(|(k, v)| (k.to_lowercase(), Arc::new(v)))
-        .collect())
-}
-
-/// Filter installation errors.
-#[derive(Debug, PartialEq, Eq, thiserror::Error, displaydoc::Display)]
-pub enum InstallationError {
-    /// Filter length exceeds the maximum size of {BPF_MAX_LEN:} instructions
-    FilterTooLarge,
-    /// prctl` syscall failed with error code: {0}
-    Prctl(i32),
-}
-
-/// The maximum seccomp-BPF program length allowed by the linux kernel.
-pub const BPF_MAX_LEN: usize = 4096;
-
-// BPF structure definition for filter array.
-// See /usr/include/linux/filter.h .
-#[repr(C)]
-#[derive(Debug)]
-pub struct SockFprog {
-    pub len: u16,
-    pub filter: *const u8,
-}
-
-pub fn apply_filter(bpf_filter: BpfProgramRef) -> Result<(), InstallationError> {
-    // If the program is empty, don't install the filter.
-    if bpf_filter.is_empty() {
-        return Ok(());
-    }
-
-    // If the program length is greater than the limit allowed by the kernel,
-    // fail quickly. Otherwise, `prctl` will give a more cryptic error code.
-    if BPF_MAX_LEN < bpf_filter.len() {
-        return Err(InstallationError::FilterTooLarge);
-    }
-
-    let bpf_filter_len =
-        u16::try_from(bpf_filter.len()).map_err(|_| InstallationError::FilterTooLarge)?;
-
-    // SAFETY: Safe because the parameters are valid.
-    unsafe {
-        {
-            let rc = libc::prctl(libc::PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-            if rc != 0 {
-                return Err(InstallationError::Prctl(*libc::__errno_location()));
-            }
-        }
-
-        let bpf_prog = SockFprog {
-            len: bpf_filter_len,
-            filter: bpf_filter.as_ptr(),
-        };
-        let bpf_prog_ptr = &bpf_prog as *const SockFprog;
-        {
-            let rc = libc::prctl(
-                libc::PR_SET_SECCOMP,
-                libc::SECCOMP_MODE_FILTER,
-                bpf_prog_ptr,
-            );
-            if rc != 0 {
-                return Err(InstallationError::Prctl(*libc::__errno_location()));
-            }
-        }
-    }
-
-    Ok(())
-}
-
-#[cfg(test)]
-mod tests {
-    #![allow(clippy::undocumented_unsafe_blocks)]
-
-    use std::collections::HashMap;
-    use std::sync::Arc;
-    use std::thread;
-
-    use super::*;
-
-    #[test]
-    fn test_deserialize_binary() {
-        // Malformed bincode binary.
-        {
-            let data = "adassafvc".to_string();
-            deserialize_binary(data.as_bytes(), None).unwrap_err();
-        }
-
-        // Test that the binary deserialization is correct, and that the thread keys
-        // have been lowercased.
-        {
-            let bpf_prog = vec![0; 32];
-            let mut filter_map: HashMap<String, BpfProgram> = HashMap::new();
-            filter_map.insert("VcpU".to_string(), bpf_prog.clone());
-            let bytes = bincode::serialize(&filter_map).unwrap();
-
-            let mut expected_res = BpfThreadMap::new();
-            expected_res.insert("vcpu".to_string(), Arc::new(bpf_prog));
-            assert_eq!(deserialize_binary(&bytes[..], None).unwrap(), expected_res);
-        }
-
-        // Test deserialization with binary_limit.
-        {
-            let bpf_prog = vec![0; 32];
-
-            let mut filter_map: HashMap<String, BpfProgram> = HashMap::new();
-            filter_map.insert("t1".to_string(), bpf_prog.clone());
-
-            let bytes = bincode::serialize(&filter_map).unwrap();
-
-            // Binary limit too low.
-            assert!(matches!(
-                deserialize_binary(&bytes[..], Some(16)).unwrap_err(),
-                DeserializationError::Bincode(error)
-                    if error.to_string() == "the size limit has been reached"
-            ));
-
-            let mut expected_res = BpfThreadMap::new();
-            expected_res.insert("t1".to_string(), Arc::new(bpf_prog));
-
-            // Correct binary limit.
-            assert_eq!(
-                deserialize_binary(&bytes[..], Some(64)).unwrap(),
-                expected_res
-            );
-        }
-    }
-
-    #[test]
-    fn test_filter_apply() {
-        // Test filter too large.
-        thread::spawn(|| {
-            let filter: BpfProgram = vec![0; 4096 * 2];
-
-            // Apply seccomp filter.
-            assert_eq!(
-                apply_filter(&filter).unwrap_err(),
-                InstallationError::FilterTooLarge
-            );
-        })
-        .join()
-        .unwrap();
-
-        // Test empty filter.
-        thread::spawn(|| {
-            let filter: BpfProgram = vec![];
-
-            assert_eq!(filter.len(), 0);
-
-            let seccomp_level = unsafe { libc::prctl(libc::PR_GET_SECCOMP) };
-            assert_eq!(seccomp_level, 0);
-
-            apply_filter(&filter).unwrap();
-
-            // test that seccomp level remains 0 on failure.
-            let seccomp_level = unsafe { libc::prctl(libc::PR_GET_SECCOMP) };
-            assert_eq!(seccomp_level, 0);
-        })
-        .join()
-        .unwrap();
-
-        // Test invalid BPF code.
-        thread::spawn(|| {
-            let filter = vec![0xFF; 32];
-
-            let seccomp_level = unsafe { libc::prctl(libc::PR_GET_SECCOMP) };
-            assert_eq!(seccomp_level, 0);
-
-            assert_eq!(
-                apply_filter(&filter).unwrap_err(),
-                InstallationError::Prctl(22)
-            );
-
-            // test that seccomp level remains 0 on failure.
-            let seccomp_level = unsafe { libc::prctl(libc::PR_GET_SECCOMP) };
-            assert_eq!(seccomp_level, 0);
-        })
-        .join()
-        .unwrap();
-    }
-}

src/seccompiler/src/lib.rs

@@ -1,7 +1,6 @@
 // Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
-use std::collections::{BTreeMap, HashMap};
-use std::sync::Arc;
+use std::collections::BTreeMap;
 
 use libseccomp::{ScmpAction, ScmpArch, ScmpCompareOp};
 use serde::*;
@@ -91,15 +90,6 @@ pub struct Filter {
 #[derive(Debug, Deserialize)]
 pub struct BpfJson(pub BTreeMap<String, Filter>);
 
-/// Program made up of a sequence of BPF instructions.
-pub type BpfProgram = Vec<u8>;
-
-/// Reference to program made up of a sequence of BPF instructions.
-pub type BpfProgramRef<'a> = &'a [u8];
-
-/// Type that associates a thread category to a BPF program.
-pub type BpfThreadMap = HashMap<String, Arc<BpfProgram>>;
-
 /// Supported target architectures.
 #[derive(Debug)]
 pub enum TargetArch {

src/seccompiler/src/types.rs

@@ -32,7 +32,6 @@ log-instrument = { path = "../log-instrument", optional = true }
 memfd = "0.6.3"
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 semver = { version = "1.0.23", features = ["serde"] }
 serde = { version = "1.0.215", features = ["derive", "rc"] }
 serde_json = "1.0.133"

src/vmm/Cargo.toml

@@ -19,7 +19,7 @@ use linux_loader::loader::elf::Elf as Loader;
 #[cfg(target_arch = "aarch64")]
 use linux_loader::loader::pe::PE as Loader;
 use linux_loader::loader::KernelLoader;
-use seccompiler::BpfThreadMap;
+use crate::seccomp::BpfThreadMap;
 use userfaultfd::Uffd;
 use utils::time::TimestampUs;
 use vm_memory::ReadVolatile;
@@ -372,7 +372,7 @@ pub fn build_microvm_for_boot(
     // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
     // altogether is the desired behaviour.
     // Keep this as the last step before resuming vcpus.
-    seccompiler::apply_filter(
+    crate::seccomp::apply_filter(
         seccomp_filters
             .get("vmm")
             .ok_or_else(|| MissingSeccompFilters("vmm".to_string()))?,
@@ -443,7 +443,7 @@ pub enum BuildMicrovmFromSnapshotError {
     /// Failed to apply VMM secccomp filter as none found.
     MissingVmmSeccompFilters,
     /// Failed to apply VMM secccomp filter: {0}
-    SeccompFiltersInternal(#[from] seccompiler::InstallationError),
+    SeccompFiltersInternal(#[from] crate::seccomp::InstallationError),
     /// Failed to restore ACPI device manager: {0}
     ACPIDeviManager(#[from] ACPIDeviceManagerRestoreError),
     /// VMGenID update failed: {0}
@@ -559,7 +559,7 @@ pub fn build_microvm_from_snapshot(
 
     // Load seccomp filters for the VMM thread.
     // Keep this as the last step of the building process.
-    seccompiler::apply_filter(
+    crate::seccomp::apply_filter(
         seccomp_filters
             .get("vmm")
             .ok_or(BuildMicrovmFromSnapshotError::MissingVmmSeccompFilters)?,