vmm: label allowed syscalls as per architecture

libc syscalls are dependent on the architecture.
Thus, defaul_syscalls is now a module that conditionally compiles
allowed syscalls depending on target architecture.

Signed-off-by: Diana Popa <[email protected]>

Author: dianpopa

vmm/src/default_syscalls/aarch64.rs

@@ -0,0 +1,13 @@
+// Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use seccomp::{Error, SeccompFilterContext};
+
+pub const ALLOWED_SYSCALLS: &[i64] = &[];
+
+pub fn default_context() -> Result<SeccompFilterContext, Error> {
+    Ok(seccomp::SeccompFilterContext::new(
+        vec![].into_iter().collect(),
+        seccomp::SeccompAction::Trap,
+    ).unwrap())
+}

vmm/src/default_syscalls/mod.rs

@@ -0,0 +1,13 @@
+// Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+#[cfg(target_arch = "x86_64")]
+mod x86_64;
+
+#[cfg(target_arch = "aarch64")]
+mod aarch64;
+
+#[cfg(target_arch = "aarch64")]
+pub use self::aarch64::{default_context, ALLOWED_SYSCALLS};
+#[cfg(target_arch = "x86_64")]
+pub use self::x86_64::{default_context, ALLOWED_SYSCALLS};

vmm/src/default_syscalls.rs renamed to vmm/src/default_syscalls/x86_64.rs

@@ -1,13 +1,12 @@
 // Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-extern crate libc;
-
 use seccomp::{
     Error, SeccompAction, SeccompCmpOp, SeccompCondition, SeccompFilterContext, SeccompRule,
 };
 
-/// List of allowed syscalls, necessary for Firecracker to function correctly.
+/// List of allowed syscalls necessary for correct functioning on x86_64 architectures.
+/// Taken from the musl repo (i.e arch/x86_64/bits/syscall.h).
 pub const ALLOWED_SYSCALLS: &[i64] = &[
     libc::SYS_read,
     libc::SYS_write,
@@ -52,11 +51,11 @@ pub const ALLOWED_SYSCALLS: &[i64] = &[
     libc::SYS_getrandom,
 ];
 
-// See /usr/include/x86_64-linux-gnu/sys/epoll.h
+// See include/uapi/linux/eventpoll.h in the kernel code.
 const EPOLL_CTL_ADD: u64 = 1;
 const EPOLL_CTL_DEL: u64 = 2;
 
-// See /usr/include/x86_64-linux-gnu/bits/fcntl-linux.h
+// See include/uapi/asm-generic/fcntl.h in the kernel code.
 const O_RDONLY: u64 = 0x00000000;
 const O_RDWR: u64 = 0x00000002;
 const O_NONBLOCK: u64 = 0x00004000;
@@ -66,7 +65,7 @@ const F_SETFD: u64 = 2;
 const F_SETFL: u64 = 4;
 const FD_CLOEXEC: u64 = 1;
 
-// See /usr/include/linux/futex.h
+// See include/uapi/linux/futex.h in the kernel code.
 const FUTEX_WAIT: u64 = 0;
 const FUTEX_WAKE: u64 = 1;
 const FUTEX_REQUEUE: u64 = 3;
@@ -75,14 +74,14 @@ const FUTEX_WAIT_PRIVATE: u64 = FUTEX_WAIT | FUTEX_PRIVATE_FLAG;
 const FUTEX_WAKE_PRIVATE: u64 = FUTEX_WAKE | FUTEX_PRIVATE_FLAG;
 const FUTEX_REQUEUE_PRIVATE: u64 = FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG;
 
-// See /usr/include/asm-generic/ioctls.h
+// See include/uapi/asm-generic/ioctls.h in the kernel code.
 const TCGETS: u64 = 0x5401;
 const TCSETS: u64 = 0x5402;
 const TIOCGWINSZ: u64 = 0x5413;
 const FIOCLEX: u64 = 0x5451;
 const FIONBIO: u64 = 0x5421;
 
-// See /usr/include/linux/kvm.h
+// See include/uapi/linux/if_tun.h in the kernel code.
 const KVM_GET_API_VERSION: u64 = 0xae00;
 const KVM_CREATE_VM: u64 = 0xae01;
 const KVM_CHECK_EXTENSION: u64 = 0xae03;
@@ -105,21 +104,23 @@ const KVM_GET_SREGS: u64 = 0x8138ae83;
 const KVM_GET_LAPIC: u64 = 0x8400ae8e;
 const KVM_GET_SUPPORTED_CPUID: u64 = 0xc008ae05;
 
-// See /usr/include/linux/if_tun.h
+// See include/uapi/linux/if_tun.h in the kernel code.
 const TUNSETIFF: u64 = 0x400454ca;
 const TUNSETOFFLOAD: u64 = 0x400454d0;
 const TUNSETVNETHDRSZ: u64 = 0x400454d8;
 
-// See /usr/include/asm-generic/mman-common.h and /usr/include/asm-generic/mman.h
+// See include/uapi/asm-generic/mman-common.h in the kernel code.
 const PROT_NONE: u64 = 0x0;
 const PROT_READ: u64 = 0x1;
 const PROT_WRITE: u64 = 0x2;
+
+// See include/uapi/asm-generic/mman.h in the kernel code.
 const MAP_SHARED: u64 = 0x01;
 const MAP_PRIVATE: u64 = 0x02;
 const MAP_ANONYMOUS: u64 = 0x20;
 const MAP_NORESERVE: u64 = 0x4000;
 
-// See /usr/include/x86_64-linux-gnu/bits/socket.h
+// See include/linux/socket.h in the kernel code.
 const PF_LOCAL: u64 = 1;
 
 /// The default context containing the white listed syscall rules required by `Firecracker` to

vmm/src/lib.rs

@@ -85,12 +85,12 @@ use vmm_config::net::{NetworkInterfaceConfig, NetworkInterfaceConfigs, NetworkIn
 use vmm_config::vsock::{VsockDeviceConfig, VsockDeviceConfigs, VsockError};
 use vstate::{Vcpu, Vm};
 
+const DEFAULT_KERNEL_CMDLINE: &str = "reboot=k panic=1 pci=off nomodules 8250.nr_uarts=0";
 const MAGIC_IOPORT_SIGNAL_GUEST_BOOT_COMPLETE: u16 = 0x03f0;
 const MAGIC_VALUE_SIGNAL_GUEST_BOOT_COMPLETE: u8 = 123;
-
-const DEFAULT_KERNEL_CMDLINE: &str = "reboot=k panic=1 pci=off nomodules 8250.nr_uarts=0";
 const VCPU_RTSIG_OFFSET: i32 = 0;
 const WRITE_METRICS_PERIOD_SECONDS: u64 = 60;
+
 static START_INSTANCE_REQUEST_TS: AtomicUsize = ATOMIC_USIZE_INIT;
 static START_INSTANCE_REQUEST_CPU_TS: AtomicUsize = ATOMIC_USIZE_INIT;