Implement json frontend #9
Changes from all commits
a8fc6fb
187eda1
58086fc
168e5de
84970f3
8af1e52
14c1460
392cf2d
354ad77
87ec6d3
32fc41e
12b8926
@@ -0,0 +1,27 @@ | ||
{ | ||
"tests": [ | ||
{ | ||
"test_name": "build-gnu-json", | ||
"command": "RUSTFLAGS=\"-D warnings\" cargo build --release --features=json", | ||
"platform": [ | ||
"x86_64", | ||
"aarch64" | ||
] | ||
}, | ||
{ | ||
"test_name": "build-musl-json", | ||
"command": "RUSTFLAGS=\"-D warnings\" cargo build --release --features=json --target {target_platform}-unknown-linux-musl", | ||
"platform": [ | ||
"x86_64", | ||
"aarch64" | ||
] | ||
}, | ||
{ | ||
"test_name": "validate-syscall-tables", | ||
"command": "tools/generate_syscall_tables.sh --test", | ||
"platform": [ | ||
"x86_64" | ||
] | ||
} | ||
] | ||
} |
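Review bot: The `validate-syscall-tables` entry lists only `"x86_64"` under `platform`, while the two build entries above it run on both `"x86_64"` and `"aarch64"`; if `tools/generate_syscall_tables.sh --test` also checks an aarch64 table, that table is never validated by this pipeline. If the script covers both architectures, the entry should read `"platform": ["x86_64", "aarch64"]` like the build entries; if it is x86_64-only by design, a sentence in the PR description saying so would settle it.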
|
@@ -256,9 +256,12 @@ let filters: BpfMap = seccompiler::compile_from_json( | |
categories to BPF programs. | ||
|
||
```rust | ||
pub type BpfMap = HashMap<String, Arc<BpfProgram>>; | ||
pub type BpfMap = HashMap<String, BpfProgram>; | ||
nit: can you add some details about what is changed in the documentation. — This type was not exported beforehand, it's introduced by this PR. — I meant to add some details in the commit message, sorry about that. — done
||
``` | ||
|
||
Note that, in order to use the JSON functionality, you need to add the `json` | ||
feature when importing the library. | ||
|
||
For **Rust filters**, it’s enough to perform a `try_into()` cast, from a | ||
`SeccompFilter` to a `BpfProgram`: | ||
|
||
|
@@ -284,8 +287,6 @@ seccompiler::apply_filter(&bpf_prog)?; | |
It’s interesting to note that installing the filter does not take ownership or | ||
invalidate the BPF program, thanks to the kernel which performs a | ||
`copy_from_user` on the program before installing it. | ||
This is why `BpfMap` entries map to `Arc<BpfProgram>`, so that they can | ||
be shared across threads of the same category, avoiding copies. | ||
|
||
## Seccomp best practices | ||
|
||
|
@@ -1,5 +1,5 @@ | ||
{ | ||
"coverage_score": 0, | ||
"exclude_path": "tests/integration_tests.rs", | ||
"crate_features": "" | ||
"exclude_path": "tests/integration_tests.rs,tests/json.rs", | ||
"crate_features": "json" | ||
} |
@@ -1,5 +1,5 @@ | ||
{ | ||
"coverage_score": 87.3, | ||
"exclude_path": "tests/integration_tests.rs", | ||
"crate_features": "" | ||
"coverage_score": 93.3, | ||
"exclude_path": "tests/integration_tests.rs,tests/json.rs", | ||
"crate_features": "json" | ||
} |
+25 −7 | .buildkite/autogenerate_pipeline.py | |
+1 −1 | .buildkite/test_description.json | |
+6 −6 | README.md | |
+3 −3 | integration_tests/test_benchmark.py | |
+2 −2 | integration_tests/test_commit_format.py | |
+17 −0 | test_run.py |
|
@@ -13,6 +13,9 @@ pub use condition::SeccompCondition; | |
pub use filter::SeccompFilter; | ||
pub use rule::SeccompRule; | ||
|
||
#[cfg(feature = "json")] | ||
use serde::Deserialize; | ||
|
||
use core::fmt::Formatter; | ||
use std::convert::TryFrom; | ||
use std::fmt::Display; | ||
|
@@ -26,7 +29,7 @@ use bpf::{ | |
pub use bpf::{sock_filter, BpfProgram, BpfProgramRef}; | ||
|
||
/// Backend Result type. | ||
pub type Result<T> = std::result::Result<T, Error>; | ||
Why is this now private? — Well it was not required to be public.
||
type Result<T> = std::result::Result<T, Error>; | ||
|
||
/// Backend-related errors. | ||
#[derive(Debug, PartialEq)] | ||
|
@@ -43,6 +46,8 @@ pub enum Error { | |
InvalidTargetArch(String), | ||
} | ||
|
||
impl std::error::Error for Error {} | ||
|
||
impl Display for Error { | ||
fn fmt(&self, f: &mut Formatter) -> std::fmt::Result { | ||
use self::Error::*; | ||
|
@@ -101,6 +106,11 @@ impl TryFrom<&str> for TargetArch { | |
} | ||
|
||
/// Comparison to perform when matching a condition. | ||
#[cfg_attr( | ||
feature = "json", | ||
derive(Deserialize), | ||
serde(rename_all = "snake_case") | ||
)] | ||
#[derive(Clone, Debug, PartialEq)] | ||
pub enum SeccompCmpOp { | ||
/// Argument value is equal to the specified value. | ||
|
@@ -120,6 +130,7 @@ pub enum SeccompCmpOp { | |
} | ||
|
||
/// Seccomp argument value length. | ||
#[cfg_attr(feature = "json", derive(Deserialize), serde(rename_all = "lowercase"))] | ||
#[derive(Clone, Debug, PartialEq)] | ||
pub enum SeccompCmpArgLen { | ||
/// Argument value length is 4 bytes. | ||
|
@@ -129,6 +140,11 @@ pub enum SeccompCmpArgLen { | |
} | ||
|
||
/// Actions that a seccomp filter can return for a syscall. | ||
#[cfg_attr( | ||
feature = "json", | ||
derive(Deserialize), | ||
serde(rename_all = "snake_case") | ||
)] | ||
#[derive(Clone, Debug, PartialEq)] | ||
pub enum SeccompAction { | ||
/// Allows syscall. | ||
|
@@ -154,7 +170,7 @@ impl From<SeccompAction> for u32 { | |
/// | ||
/// * `action` - The [`SeccompAction`] that the kernel will take. | ||
/// | ||
/// [`SeccompAction`]: struct.SeccompAction.html | ||
/// [`SeccompAction`]: enum.SeccompAction.html | ||
fn from(action: SeccompAction) -> Self { | ||
match action { | ||
SeccompAction::Allow => SECCOMP_RET_ALLOW, | ||
|
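Review bot: The serde rename rule is not the same across the three enums: `SeccompCmpArgLen` gets `serde(rename_all = "lowercase")` while `SeccompCmpOp` and `SeccompAction` get `serde(rename_all = "snake_case")`. For single-word variants the two rules produce identical JSON names, but a multi-word variant added to `SeccompCmpArgLen` later would be spelled as one run of lowercase letters instead of the snake_case form the other two enums accept, so the filter file format would drift. Using `#[cfg_attr(feature = "json", derive(Deserialize), serde(rename_all = "snake_case"))]` on all three keeps the JSON conventions uniform. The enum bodies and the `Display for Error` impl continue outside the hunks.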
Why?
There are too many ops related PRs otherwise. This is a change at the rust-vmm org level.