Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: introduce flag for debug-only rules and fix debug binary #5052

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

seccomp: introduce flag for debug-only rules and fix debug binary #5052

wants to merge 2 commits into from
+23 −6

Conversation

Manciukic
Copy link
Contributor

@Manciukic Manciukic commented Feb 26, 2025
edited
Loading

Changes

  • RFC for debug-only seccomp rules
  • testing for debug builds in CI

TODO

  • missing integ tests
  • remove "hack" commit used to spin a debug buildkite

Reason

TODO

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@codecov Codecov
Copy link

codecov bot commented Feb 26, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.19%. Comparing base (a8f38cb) to head (a4cd0cb).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #5052   +/-   ##
=======================================
  Coverage   83.19%   83.19%           
=======================================
  Files         247      247           
  Lines       26641    26641           
=======================================
  Hits        22163    22163           
  Misses       4478     4478
Flag Coverage Δ
5.10-c5n.metal 83.67% <ø> (ø)
5.10-m5n.metal 83.66% <ø> (+<0.01%) ⬆️
5.10-m6a.metal 82.86% <ø> (+<0.01%) ⬆️
5.10-m6g.metal 79.66% <ø> (ø)
5.10-m6i.metal 83.65% <ø> (ø)
5.10-m7g.metal 79.66% <ø> (ø)
6.1-c5n.metal 83.67% <ø> (ø)
6.1-m5n.metal 83.65% <ø> (ø)
6.1-m6a.metal 82.86% <ø> (ø)
6.1-m6g.metal 79.66% <ø> (ø)
6.1-m6i.metal 83.65% <ø> (ø)
6.1-m7g.metal 79.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Manciukic
fix: do not build debug a default seccomp policy in debug binaries
3dbbe35 
Rust 1.80.0 added a debug assertion that uses fcntl(F_GETFD) to ensure
the fd is still valid when it gets dropped, which broke debug builds of
firecracker.

This made us rethink on whether we'd want any default seccomp policy in
debug builds, and we decided that in most cases we don't need them and
in some cases they get in the way of prororyping and debugging.

This patch changes the default seccomp policy in debug builds to empty.

Signed-off-by: Riccardo Mancini <[email protected]>
@Manciukic
doc(seccomp): mention that debug builds don't have a default seccomp
a4cd0cb 
Following the previous commit, this patch mentions in the docs that
debug builds don't have a default seccomp policy and which different
syscalls are present in debug builds versus release.

Signed-off-by: Riccardo Mancini <[email protected]>
@Manciukic Manciukic force-pushed the debug-seccomp branch 2 times, most recently from 6fdc014 to a4cd0cb Compare February 28, 2025 16:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Manciukic