Update seccompiler to use libseccomp

CHANGELOG.md

@@ -16,6 +16,9 @@ and this project adheres to
   unnecessary fields (`max_connections` and `max_pending_resets`) from the
   snapshot format, bumping the snapshot version to 5.0.0. Users need to
   regenerate snapshots.
+- [#4926](https://github.com/firecracker-microvm/firecracker/pull/4926): Replace
+  underlying implementation for seccompiler from in house one in favor of
+  `libseccomp` which produces smaller and more optimized BPF code.
 
 ### Deprecated
 

src/cpu-template-helper/src/utils/mod.rs

@@ -12,7 +12,7 @@ use std::sync::{Arc, Mutex};
 use vmm::builder::{build_microvm_for_boot, StartMicrovmError};
 use vmm::cpu_config::templates::{CustomCpuTemplate, Numeric};
 use vmm::resources::VmResources;
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::get_empty_filters;
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};
 use vmm::{EventManager, Vmm, HTTP_MAX_PAYLOAD_SIZE};
 use vmm_sys_util::tempfile::TempFile;

src/firecracker/Cargo.toml

@@ -22,7 +22,6 @@ libc = "0.2.168"
 log-instrument = { path = "../log-instrument", optional = true }
 micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
-seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.216", features = ["derive"] }
 serde_derive = "1.0.136"
 serde_json = "1.0.133"
@@ -42,13 +41,12 @@ serde = { version = "1.0.216", features = ["derive"] }
 userfaultfd = "0.8.1"
 
 [build-dependencies]
-bincode = "1.2.1"
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.216" }
 serde_json = "1.0.133"
 
 [features]
-tracing = ["log-instrument", "seccompiler/tracing", "utils/tracing", "vmm/tracing"]
+tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]
 gdb = ["vmm/gdb"]
 
 [lints]

src/firecracker/build.rs

@@ -1,13 +1,8 @@
 // Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use std::collections::BTreeMap;
-use std::fs::File;
 use std::path::Path;
 
-use seccompiler::common::BpfProgram;
-use seccompiler::compiler::{Compiler, JsonFile};
-
 const ADVANCED_BINARY_FILTER_FILE_NAME: &str = "seccomp_filter.bpf";
 
 const JSON_DIR: &str = "../../resources/seccomp";
@@ -44,19 +39,7 @@ fn main() {
     // Also retrigger the build script on any seccompiler source code change.
     println!("cargo:rerun-if-changed={}", SECCOMPILER_SRC_DIR);
 
-    let input = std::fs::read_to_string(seccomp_json_path).expect("Correct input file");
-    let filters: JsonFile = serde_json::from_str(&input).expect("Input read");
-
-    let arch = target_arch.as_str().try_into().expect("Target");
-    let compiler = Compiler::new(arch);
-
-    // transform the IR into a Map of BPFPrograms
-    let bpf_data: BTreeMap<String, BpfProgram> = compiler
-        .compile_blob(filters.0, false)
-        .expect("Successfull compilation");
-
-    // serialize the BPF programs & output them to a file
     let out_path = format!("{}/{}", out_dir, ADVANCED_BINARY_FILTER_FILE_NAME);
-    let output_file = File::create(out_path).expect("Create seccompiler output path");
-    bincode::serialize_into(output_file, &bpf_data).expect("Seccompiler serialization");
+    seccompiler::compile_bpf(&seccomp_json_path, &target_arch, &out_path, false)
+        .expect("Cannot compile seccomp filters");
 }

src/firecracker/examples/seccomp/jailer.rs

@@ -5,7 +5,7 @@ use std::fs::File;
 use std::os::unix::process::CommandExt;
 use std::process::{Command, Stdio};
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/examples/seccomp/panic.rs

@@ -3,7 +3,7 @@
 use std::env::args;
 use std::fs::File;
 
-use seccompiler::{apply_filter, deserialize_binary};
+use vmm::seccomp::{apply_filter, deserialize_binary};
 
 fn main() {
     let args: Vec<String> = args().collect();

src/firecracker/src/api_server/mod.rs

@@ -14,13 +14,13 @@ use std::sync::mpsc;
 
 pub use micro_http::{Body, HttpServer, Request, Response, ServerError, StatusCode, Version};
 use parsed_request::{ParsedRequest, RequestAction};
-use seccompiler::BpfProgramRef;
 use serde_json::json;
 use utils::time::{get_time_us, ClockType};
 use vmm::logger::{
     debug, error, info, update_metric_with_elapsed_time, warn, ProcessTimeReporter, METRICS,
 };
 use vmm::rpc_interface::{ApiRequest, ApiResponse, VmmAction};
+use vmm::seccomp::BpfProgramRef;
 use vmm::vmm_config::snapshot::SnapshotType;
 use vmm_sys_util::eventfd::EventFd;
 
@@ -78,7 +78,7 @@ impl ApiServer {
         // Load seccomp filters on the API thread.
         // Execution panics if filters cannot be loaded, use --no-seccomp if skipping filters
         // altogether is the desired behaviour.
-        if let Err(err) = seccompiler::apply_filter(seccomp_filter) {
+        if let Err(err) = vmm::seccomp::apply_filter(seccomp_filter) {
             panic!(
                 "Failed to set the requested seccomp filters on the API thread: {}",
                 err
@@ -208,7 +208,7 @@ mod tests {
     use vmm::builder::StartMicrovmError;
     use vmm::logger::StoreMetric;
     use vmm::rpc_interface::{VmmActionError, VmmData};
-    use vmm::seccomp_filters::get_empty_filters;
+    use vmm::seccomp::get_empty_filters;
     use vmm::vmm_config::instance_info::InstanceInfo;
     use vmm::vmm_config::snapshot::CreateSnapshotParams;
     use vmm_sys_util::tempfile::TempFile;

src/firecracker/src/api_server_adapter.rs

@@ -8,13 +8,13 @@ use std::sync::{Arc, Mutex};
 use std::thread;
 
 use event_manager::{EventOps, Events, MutEventSubscriber, SubscriberOps};
-use seccompiler::BpfThreadMap;
 use vmm::logger::{error, warn, ProcessTimeReporter};
 use vmm::resources::VmResources;
 use vmm::rpc_interface::{
     ApiRequest, ApiResponse, BuildMicrovmFromRequestsError, PrebootApiController,
     RuntimeApiController, VmmAction,
 };
+use vmm::seccomp::BpfThreadMap;
 use vmm::vmm_config::instance_info::InstanceInfo;
 use vmm::{EventManager, FcExitCode, Vmm};
 use vmm_sys_util::epoll::EventSet;

src/firecracker/src/main.rs

@@ -17,7 +17,6 @@ use std::{io, panic};
 use api_server_adapter::ApiServerError;
 use event_manager::SubscriberOps;
 use seccomp::FilterError;
-use seccompiler::BpfThreadMap;
 use utils::arg_parser::{ArgParser, Argument};
 use utils::validators::validate_instance_id;
 use vmm::builder::StartMicrovmError;
@@ -26,6 +25,7 @@ use vmm::logger::{
 };
 use vmm::persist::SNAPSHOT_VERSION;
 use vmm::resources::VmResources;
+use vmm::seccomp::BpfThreadMap;
 use vmm::signal_handler::register_signal_handlers;
 use vmm::snapshot::{Snapshot, SnapshotError};
 use vmm::vmm_config::instance_info::{InstanceInfo, VmState};

src/firecracker/src/seccomp.rs

@@ -5,8 +5,7 @@ use std::fs::File;
 use std::io::{BufReader, Read};
 use std::path::Path;
 
-use seccompiler::{deserialize_binary, BpfThreadMap, DeserializationError};
-use vmm::seccomp_filters::get_empty_filters;
+use vmm::seccomp::{deserialize_binary, get_empty_filters, BpfThreadMap, DeserializationError};
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
@@ -118,7 +117,7 @@ fn filter_thread_categories(map: BpfThreadMap) -> Result<BpfThreadMap, FilterErr
 mod tests {
     use std::sync::Arc;
 
-    use seccompiler::BpfThreadMap;
+    use vmm::seccomp::BpfThreadMap;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;

src/seccompiler/Cargo.toml

@@ -12,25 +12,18 @@ bench = false
 
 [[bin]]
 name = "seccompiler-bin"
-path = "src/seccompiler_bin.rs"
+path = "src/bin.rs"
 bench = false
 
 [dependencies]
 bincode = "1.2.1"
+clap = { version = "4.5.21", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 libc = "0.2.168"
-log-instrument = { path = "../log-instrument", optional = true }
 serde = { version = "1.0.216", features = ["derive"] }
 serde_json = "1.0.133"
 thiserror = "2.0.7"
-
-utils = { path = "../utils" }
-
-[dev-dependencies]
-vmm-sys-util = "0.12.1"
-
-[features]
-tracing = ["log-instrument", "utils/tracing"]
+zerocopy = { version = "0.8.13" }
 
 [lints]
 workspace = true

src/seccompiler/build.rs

@@ -0,0 +1,7 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+fn main() {
+    println!("cargo::rustc-link-search=/usr/local/lib");
+    println!("cargo::rustc-link-lib=seccomp");
+}