Disable seccomp for musl target

Signed-off-by: James Sturtevant <[email protected]>

Author: jsturtevant

src/hyperlight_host/build.rs

@@ -101,6 +101,7 @@ fn main() -> Result<()> {
         // the other features they want.
         mshv2: { all(feature = "mshv2", target_os = "linux") },
         mshv3: { all(feature = "mshv3", not(feature="mshv2"), target_os = "linux") },
+        seccomp: { all(feature = "seccomp", target_os = "linux", not(target_env = "musl")) },
     }
 
     #[cfg(feature = "build-metadata")]

src/hyperlight_host/src/error.rs

@@ -71,7 +71,7 @@ pub enum HyperlightError {
 
     /// A disallowed syscall was caught
     #[error("Seccomp filter trapped on disallowed syscall (check STDERR for offending syscall)")]
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     DisallowedSyscall,
 
     /// A generic error with a message
@@ -218,12 +218,12 @@ pub enum HyperlightError {
 
     /// a backend error occurred with seccomp filters
     #[error("Backend Error with Seccomp Filter {0:?}")]
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     SeccompFilterBackendError(#[from] seccompiler::BackendError),
 
     /// an error occurred with seccomp filters
     #[error("Error with Seccomp Filter {0:?}")]
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     SeccompFilterError(#[from] seccompiler::Error),
 
     /// Tried to restore snapshot to a sandbox that is not the same as the one the snapshot was taken from

src/hyperlight_host/src/func/host_functions.rs

@@ -35,7 +35,7 @@ pub trait Registerable {
     ) -> Result<()>;
     /// Register a primitive host function whose worker thread has
     /// extra permissive seccomp filters installed
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     fn register_host_function_with_syscalls<Args: ParameterTuple, Output: SupportedReturnType>(
         &mut self,
         name: &str,
@@ -63,7 +63,7 @@ impl Registerable for UninitializedSandbox {
 
         (*hfs).register_host_function(name.to_string(), entry, self.mgr.unwrap_mgr_mut())
     }
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     fn register_host_function_with_syscalls<Args: ParameterTuple, Output: SupportedReturnType>(
         &mut self,
         name: &str,

src/hyperlight_host/src/lib.rs

@@ -76,7 +76,7 @@ pub mod metrics;
 /// outside this file. Types from this module needed for public consumption are
 /// re-exported below.
 pub mod sandbox;
-#[cfg(all(feature = "seccomp", target_os = "linux"))]
+#[cfg(seccomp)]
 pub(crate) mod seccomp;
 /// Signal handling for Linux
 #[cfg(target_os = "linux")]

src/hyperlight_host/src/metrics/mod.rs

@@ -133,7 +133,7 @@ mod tests {
             if #[cfg(feature = "function_call_metrics")] {
                 use metrics::Label;
 
-                let expected_num_metrics = if cfg!(all(feature = "seccomp", target_os = "linux")) {
+                let expected_num_metrics = if cfg!(all(seccomp)) {
                     3 // if seccomp enabled, the host call duration metric is emitted on a separate thread which this local recorder doesn't capture
                 } else {
                     4
@@ -186,7 +186,7 @@ mod tests {
                     "Histogram metric does not match expected value"
                 );
 
-                if !cfg!(all(feature = "seccomp", target_os = "linux")) {
+                if !cfg!(all(seccomp)) {
                     // 4. Host call duration
                     let histogram_key = CompositeKey::new(
                         metrics_util::MetricKind::Histogram,

src/hyperlight_host/src/sandbox/host_funcs.rs

@@ -154,7 +154,7 @@ pub(super) fn default_writer_func(s: String) -> Result<i32> {
     }
 }
 
-#[cfg(all(feature = "seccomp", target_os = "linux"))]
+#[cfg(seccomp)]
 fn maybe_with_seccomp<T: Send>(
     name: &str,
     syscalls: Option<&[ExtraAllowedSyscall]>,
@@ -199,7 +199,7 @@ fn maybe_with_seccomp<T: Send>(
     })
 }
 
-#[cfg(not(all(feature = "seccomp", target_os = "linux")))]
+#[cfg(not(all(seccomp)))]
 fn maybe_with_seccomp<T: Send>(
     _name: &str,
     _syscalls: Option<&[ExtraAllowedSyscall]>,

src/hyperlight_host/src/sandbox/initialized_multi_use.rs

@@ -644,7 +644,7 @@ mod tests {
 
             let res: Result<u64> = sbox.call("ViolateSeccompFilters", ());
 
-            #[cfg(feature = "seccomp")]
+            #[cfg(seccomp)]
             match res {
                 Ok(_) => panic!("Expected to fail due to seccomp violation"),
                 Err(e) => match e {
@@ -653,15 +653,15 @@ mod tests {
                 },
             }
 
-            #[cfg(not(feature = "seccomp"))]
+            #[cfg(not(seccomp))]
             match res {
                 Ok(_) => (),
                 Err(e) => panic!("Expected to succeed without seccomp: {}", e),
             }
         }
 
         // Second, run with allowing `SYS_getpid`
-        #[cfg(feature = "seccomp")]
+        #[cfg(seccomp)]
         {
             let mut usbox = UninitializedSandbox::new(
                 GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
@@ -738,7 +738,7 @@ mod tests {
                 )
                 .expect("Expected to call host function that returns i64");
 
-            if cfg!(feature = "seccomp") {
+            if cfg!(seccomp) {
                 // If seccomp is enabled, we expect the syscall to return EACCES, as setup by our seccomp filter
                 assert_eq!(host_func_result, -libc::EACCES as i64);
             } else {
@@ -747,7 +747,7 @@ mod tests {
             }
         }
 
-        #[cfg(feature = "seccomp")]
+        #[cfg(seccomp)]
         {
             // Now let's make sure if we register the `openat` syscall as an extra allowed syscall, it will succeed
             let mut ubox = UninitializedSandbox::new(

src/hyperlight_host/src/sandbox/uninitialized.rs

@@ -36,7 +36,7 @@ use crate::mem::shared_mem::ExclusiveSharedMemory;
 use crate::sandbox::SandboxConfiguration;
 use crate::{MultiUseSandbox, Result, new_error};
 
-#[cfg(all(target_os = "linux", feature = "seccomp"))]
+#[cfg(seccomp)]
 const EXTRA_ALLOWED_SYSCALLS_FOR_WRITER_FUNC: &[super::ExtraAllowedSyscall] = &[
     // Fuzzing fails without `mmap` being an allowed syscall on our seccomp filter.
     // All fuzzing does is call `PrintOutput` (which calls `HostPrint` ). Thing is, `println!`
@@ -325,7 +325,7 @@ impl UninitializedSandbox {
     ///
     /// Unlike [`register`](Self::register), this variant allows specifying extra syscalls
     /// that will be permitted when the function handler runs.
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     pub fn register_with_extra_allowed_syscalls<
         Args: ParameterTuple,
         Output: SupportedReturnType,
@@ -348,10 +348,10 @@ impl UninitializedSandbox {
         &mut self,
         print_func: impl Into<HostFunction<i32, (String,)>>,
     ) -> Result<()> {
-        #[cfg(not(all(target_os = "linux", feature = "seccomp")))]
+        #[cfg(not(seccomp))]
         self.register("HostPrint", print_func)?;
 
-        #[cfg(all(target_os = "linux", feature = "seccomp"))]
+        #[cfg(seccomp)]
         self.register_with_extra_allowed_syscalls(
             "HostPrint",
             print_func,
@@ -365,13 +365,13 @@ impl UninitializedSandbox {
     ///
     /// Like [`register_print`](Self::register_print), but allows specifying extra syscalls
     /// that will be permitted during function execution.
-    #[cfg(all(feature = "seccomp", target_os = "linux"))]
+    #[cfg(seccomp)]
     pub fn register_print_with_extra_allowed_syscalls(
         &mut self,
         print_func: impl Into<HostFunction<i32, (String,)>>,
         extra_allowed_syscalls: impl IntoIterator<Item = crate::sandbox::ExtraAllowedSyscall>,
     ) -> Result<()> {
-        #[cfg(all(target_os = "linux", feature = "seccomp"))]
+        #[cfg(seccomp)]
         self.register_with_extra_allowed_syscalls(
             "HostPrint",
             print_func,

src/hyperlight_host/src/signal_handlers/mod.rs

@@ -18,7 +18,7 @@ use libc::c_int;
 
 use crate::sandbox::SandboxConfiguration;
 
-#[cfg(feature = "seccomp")]
+#[cfg(seccomp)]
 pub mod sigsys_signal_handler;
 
 pub(crate) fn setup_signal_handlers(config: &SandboxConfiguration) -> crate::Result<()> {
@@ -27,7 +27,7 @@ pub(crate) fn setup_signal_handlers(config: &SandboxConfiguration) -> crate::Res
     // Anything that performs memory allocations, locks, and others are non-async-signal-safe.
     // Hyperlight signal handlers are all designed to be async-signal-safe, so this function
     // should be safe to call.
-    #[cfg(feature = "seccomp")]
+    #[cfg(seccomp)]
     {
         use std::sync::Once;
 

src/hyperlight_host/src/signal_handlers/sigsys_signal_handler.rs

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#[cfg(feature = "seccomp")]
+#[cfg(seccomp)]
 pub(super) extern "C" fn handle_sigsys(
     signal: i32,
     info: *mut libc::siginfo_t,