Implement json frontend

.buildkite/custom-tests.json

@@ -0,0 +1,27 @@
+{
+    "tests": [
+        {
+            "test_name": "build-gnu-json",
+            "command": "RUSTFLAGS=\"-D warnings\" cargo build --release --features=json",
+            "platform": [
+                "x86_64",
+                "aarch64"
+            ]
+        },
+        {
+            "test_name": "build-musl-json",
+            "command": "RUSTFLAGS=\"-D warnings\" cargo build --release --features=json --target {target_platform}-unknown-linux-musl",
+            "platform": [
+                "x86_64",
+                "aarch64"
+            ]
+        },
+        {
+            "test_name": "validate-syscall-tables",
+            "command": "tools/generate_syscall_tables.sh --test",
+            "platform": [
+                "x86_64"
+            ]
+        }
+    ]
+}

.github/dependabot.yml

@@ -3,7 +3,7 @@ updates:
 - package-ecosystem: cargo
   directory: "/"
   schedule:
-    interval: daily
+    interval: weekly
   open-pull-requests-limit: 10
 - package-ecosystem: gitsubmodule
   directory: "/"

Cargo.toml

@@ -9,5 +9,10 @@ keywords = ["seccomp", "jail", "sandbox"]
 license = "Apache-2.0 OR BSD-3-Clause"
 edition = "2018"
 
+[features]
+json = ["serde", "serde_json"]
+
 [dependencies]
-libc = ">=0.2.98"
+libc = "^0.2.39"
+serde = { version = "^1.0.27", features = ["derive"], optional = true}
+serde_json = {version = "^1.0.9", optional = true}

README.md

@@ -256,9 +256,12 @@ let filters: BpfMap = seccompiler::compile_from_json(
 categories to BPF programs.
 
 ```rust
-pub type BpfMap = HashMap<String, Arc<BpfProgram>>;
+pub type BpfMap = HashMap<String, BpfProgram>;
 ```
 
+Note that, in order to use the JSON functionality, you need to add the `json`
+feature when importing the library.
+
 For **Rust filters**, it’s enough to perform a `try_into()` cast, from a
 `SeccompFilter` to a `BpfProgram`:
 
@@ -284,8 +287,6 @@ seccompiler::apply_filter(&bpf_prog)?;
 It’s interesting to note that installing the filter does not take ownership or
 invalidate the BPF program, thanks to the kernel which performs a
 `copy_from_user` on the program before installing it.
-This is why `BpfMap` entries map to `Arc<BpfProgram>`, so that they can
-be shared across threads of the same category, avoiding copies.
 
 ## Seccomp best practices
 

coverage_config_aarch64.json

@@ -1,5 +1,5 @@
 {
     "coverage_score": 0,
-    "exclude_path": "tests/integration_tests.rs",
-    "crate_features": ""
+    "exclude_path": "tests/integration_tests.rs,tests/json.rs",
+    "crate_features": "json"
 }

coverage_config_x86_64.json

@@ -1,5 +1,5 @@
 {
-    "coverage_score": 87.3,
-    "exclude_path": "tests/integration_tests.rs",
-    "crate_features": ""
+    "coverage_score": 93.3,
+    "exclude_path": "tests/integration_tests.rs,tests/json.rs",
+    "crate_features": "json"
 }

src/backend/filter.rs

@@ -78,7 +78,7 @@ impl SeccompFilter {
     /// ```
     ///
     /// [`SeccompRule`]: struct.SeccompRule.html
-    /// [`SeccompAction`]: struct.SeccompAction.html
+    /// [`SeccompAction`]: enum.SeccompAction.html
     pub fn new(
         rules: BTreeMap<i64, Vec<SeccompRule>>,
         mismatch_action: SeccompAction,

src/backend/mod.rs

@@ -13,6 +13,9 @@ pub use condition::SeccompCondition;
 pub use filter::SeccompFilter;
 pub use rule::SeccompRule;
 
+#[cfg(feature = "json")]
+use serde::Deserialize;
+
 use core::fmt::Formatter;
 use std::convert::TryFrom;
 use std::fmt::Display;
@@ -26,7 +29,7 @@ use bpf::{
 pub use bpf::{sock_filter, BpfProgram, BpfProgramRef};
 
 /// Backend Result type.
-pub type Result<T> = std::result::Result<T, Error>;
+type Result<T> = std::result::Result<T, Error>;
 
 /// Backend-related errors.
 #[derive(Debug, PartialEq)]
@@ -43,6 +46,8 @@ pub enum Error {
     InvalidTargetArch(String),
 }
 
+impl std::error::Error for Error {}
+
 impl Display for Error {
     fn fmt(&self, f: &mut Formatter) -> std::fmt::Result {
         use self::Error::*;
@@ -101,6 +106,11 @@ impl TryFrom<&str> for TargetArch {
 }
 
 /// Comparison to perform when matching a condition.
+#[cfg_attr(
+    feature = "json",
+    derive(Deserialize),
+    serde(rename_all = "snake_case")
+)]
 #[derive(Clone, Debug, PartialEq)]
 pub enum SeccompCmpOp {
     /// Argument value is equal to the specified value.
@@ -120,6 +130,7 @@ pub enum SeccompCmpOp {
 }
 
 /// Seccomp argument value length.
+#[cfg_attr(feature = "json", derive(Deserialize), serde(rename_all = "lowercase"))]
 #[derive(Clone, Debug, PartialEq)]
 pub enum SeccompCmpArgLen {
     /// Argument value length is 4 bytes.
@@ -129,6 +140,11 @@ pub enum SeccompCmpArgLen {
 }
 
 /// Actions that a seccomp filter can return for a syscall.
+#[cfg_attr(
+    feature = "json",
+    derive(Deserialize),
+    serde(rename_all = "snake_case")
+)]
 #[derive(Clone, Debug, PartialEq)]
 pub enum SeccompAction {
     /// Allows syscall.
@@ -154,7 +170,7 @@ impl From<SeccompAction> for u32 {
     ///
     /// * `action` - The [`SeccompAction`] that the kernel will take.
     ///
-    /// [`SeccompAction`]: struct.SeccompAction.html
+    /// [`SeccompAction`]: enum.SeccompAction.html
     fn from(action: SeccompAction) -> Self {
         match action {
             SeccompAction::Allow => SECCOMP_RET_ALLOW,

src/backend/rule.rs

@@ -71,7 +71,7 @@ impl SeccompRule {
     ) {
         // Tries to detect whether prepending the current condition will produce an unjumpable
         // offset (since BPF conditional jumps are a maximum of 255 instructions, which is
-        // std::u8::MAX).
+        // u8::MAX).
         if offset.checked_add(CONDITION_MAX_LEN + 1).is_none() {
             // If that is the case, three additional helper jumps are prepended and the offset
             // is reset to 1.