Implement json frontend #9
Conversation
alindima
force-pushed
the
json_frontend
branch
3 times, most recently
from
92c9c98
to
cf1da46
Compare
| @@ -256,7 +256,7 @@ let filters: BpfMap = seccompiler::compile_from_json( | |||
| categories to BPF programs. | |||
|
|
|||
| ```rust | |||
| pub type BpfMap = HashMap<String, Arc<BpfProgram>>; | |||
| pub type BpfMap = HashMap<String, BpfProgram>; | |||
There was a problem hiding this comment.
nit: can you add some details about what is changed in the documentation.
There was a problem hiding this comment.
This type was not exported beforehand, it's introduced by this PR.
It was using an Arc in the beginning as a leftover from the use case we have in Firecracker.
But it's actually an implementation detail that needs to be handled in Firecracker (i.e. Map the BpfProgram to an Arc), since it's usecase-specific.
There was a problem hiding this comment.
I meant to add some details in the commit message, sorry about that.
| @@ -26,7 +27,7 @@ use bpf::{ | |||
| pub use bpf::{sock_filter, BpfProgram, BpfProgramRef}; | |||
|
|
|||
| /// Backend Result type. | |||
| pub type Result<T> = std::result::Result<T, Error>; | |||
There was a problem hiding this comment.
Why is this now private?
There was a problem hiding this comment.
Well it was not required to be public.
Users of the library will not interact directly with the Backend and therefore do not need access to this type.
I think there should only be one Result type exported and that is the Result from src/lib.rs
src/backend/mod.rs
Outdated
| @@ -101,7 +102,8 @@ impl TryFrom<&str> for TargetArch { | |||
| } | |||
|
|
|||
| /// Comparison to perform when matching a condition. | |||
| #[derive(Clone, Debug, PartialEq)] | |||
| #[derive(Clone, Debug, PartialEq, Deserialize)] | |||
| #[serde(rename_all = "snake_case")] | |||
There was a problem hiding this comment.
Why? Can you also add the response to this question as a comment in the code?
There was a problem hiding this comment.
well it's just more idiomatic for JSON to name properties in snake_case format. That's the only reason, syntactic sugar. Do you still think it's worth adding this as a comment?
| #[serde(deny_unknown_fields)] | ||
| pub(crate) struct JsonCondition { | ||
| /// Index of the argument that is to be compared. | ||
| #[serde(rename = "index")] |
There was a problem hiding this comment.
What is the reason for the renames?
There was a problem hiding this comment.
In the JSON filter, a sycall rule object uses an args property for specifying a condition vector.
Therefore, the arg_* names in this case are a little redundant, since it's obvious that they refer to arguments.
For the other fields, they are usually abbreviations so that the filters are easier to read&write.
.buildkite/pipeline.yml
Outdated
|
|
||
| - label: "build-musl-arm-json" | ||
| commands: | ||
| - cargo build --release --features=json --target aarch64-unknown-linux-musl |
There was a problem hiding this comment.
We should also add a cargo check with the json feature on both platforms.
There was a problem hiding this comment.
well this is already done here, right? https://github.com/rust-vmm/rust-vmm-ci/blob/ae7db2d98a071f52de3d60af9c937204b1f087a4/.buildkite/pipeline.yml#L147
There was a problem hiding this comment.
Yes, what is not checked is the reversed I think, that there are no warnings with no features.
There was a problem hiding this comment.
I believe this should be done by adding the -D warnings flag to the cargo build command, in the default rust-vmm-ci pipeline. WDYT?
This way we'd make this a default in rust-vmm, instead of having a custom step
There was a problem hiding this comment.
Sounds good to me, do you want to open a PR with your suggestion?
There was a problem hiding this comment.
yep, will do that
There was a problem hiding this comment.
alindima
force-pushed
the
json_frontend
branch
2 times, most recently
from
a51dc7b
to
36b0d4d
Compare
Signed-off-by: alindima <alindima@amazon.com>
alindima
force-pushed
the
json_frontend
branch
from
cf51d0e
to
7755312
Compare
Also adds a test that validates that the committed syscall tables were not manually altered. Signed-off-by: alindima <alindima@amazon.com>
Also add a custom pipeline that runs the syscall table validations. Signed-off-by: alindima <alindima@amazon.com>
- Modify the type declaration of BpfMap to not be tied to `Arc` filter ownership, since this is consumer-specific. Also removed the associated documentation note. - Fix broken link in the SeccompFilter cargo docs. Signed-off-by: alindima <alindima@amazon.com>
This enables compiling BPF filters from JSON code as an alternative of expressing the filters. This is done via a new library method: compile_from_json. Signed-off-by: alindima <alindima@amazon.com>
Signed-off-by: alindima <alindima@amazon.com>
Signed-off-by: alindima <alindima@amazon.com>
Signed-off-by: alindima <alindima@amazon.com>
Signed-off-by: alindima <alindima@amazon.com>
Added a type that is used in the integration tests for expressing whether the last reported errno should be equal or not equal to a value or ignored. Signed-off-by: alindima <alindima@amazon.com>
Signed-off-by: alindima <alindima@amazon.com>
alindima
force-pushed
the
json_frontend
branch
from
7755312
to
32fc41e
Compare
| use std::collections::HashMap; | ||
|
|
||
| pub(crate) fn make_syscall_table() -> HashMap<&'static str, i64> { | ||
| vec
There was a problem hiding this comment.
Nit: I think these are easier to read in syscall number order.
There was a problem hiding this comment.
They're sorted alphabetically. I don't have strong feelings about doing this either way, I think it depends on preference
Cargo.toml
Outdated
| @@ -10,4 +10,6 @@ license = "Apache-2.0 OR BSD-3-Clause" | |||
| edition = "2018" | |||
|
|
|||
| [dependencies] | |||
| libc = ">=0.2.98" | |||
| libc = ">=0.2.39" | |||
| serde = { version = ">=1.0.27", features = ["derive"] } | |||
There was a problem hiding this comment.
This matches also version 2.0.0 or larger, I think you'd want to specify it as ^1.0.27, which is equivalent to >=1.0.27 <2.0.0, so at least the major version wouldn't change. Alternatively, you could specify it as ~1.0.27 or >=1.0.27 <1.1.0
There was a problem hiding this comment.
good call! will do
| // Need the 'newtype' pattern so that we can implement a custom deserializer. | ||
| pub(crate) struct JsonFilterMap(pub HashMap<String, JsonFilter>); | ||
|
|
||
| // Implement a custom deserializer, that returns an error for duplicate thread keys. |
There was a problem hiding this comment.
You can do this with serde_with: https://docs.rs/serde_with/1.10.0/serde_with/rust/maps_duplicate_key_is_error/index.html.
There was a problem hiding this comment.
I was also thinking about that, but serde_with pulls even more dependencies that we can otherwise avoid.
There was a problem hiding this comment.
yep, I considered that as well, but I think it's best to avoid dependencies that we can otherwise work around quite easily
| @@ -3,7 +3,7 @@ updates: | |||
| - package-ecosystem: cargo | |||
| directory: "/" | |||
| schedule: | |||
| interval: daily | |||
| interval: weekly | |||
There was a problem hiding this comment.
There are too many ops related PRs otherwise. This is a change at the rust-vmm org level.
Signed-off-by: alindima <alindima@amazon.com>
Adds the feature-guarded JSON frontend for compiling BPF filters.