From 45caf91aaa80d2d37a63ed2bf99da69b4da0aafa Mon Sep 17 00:00:00 2001
From: Matt Delco <delco@chromium.org>
Date: Wed, 13 Nov 2019 08:11:09 -0800
Subject: crosvm: add support for bpf policy files

Change adds supports for providing pre-compiled bpf files as the policy
file for jailing.  In short it's more effient to compile once on the
build machine than each time at runtime. Additionally libminijail's
support for more efficient bpfs (which use a binary tree instead of
a linear search) is currently only available via tools that are based
around pre-compiled use.

BUG=None
TEST=Ran build_test and verified that tests can pass with both bpf and
policy files (though the tests might only exercise the jail for the
plugin).

Change-Id: Idd93e3c802fc79da93850d6bad1db660576bc9ba
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1914416
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
---
 src/main.rs | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'src/main.rs')

diff --git a/src/main.rs b/src/main.rs
index 017fb45..45efc0f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -827,6 +827,23 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
             cfg.seccomp_policy_dir = PathBuf::from(value.unwrap());
         }
         "seccomp-log-failures" => {
+            // A side-effect of this flag is to force the use of .policy files
+            // instead of .bpf files (.bpf files are expected and assumed to be
+            // compiled to fail an unpermitted action with "trap").
+            // Normally crosvm will first attempt to use a .bpf file, and if
+            // not present it will then try to use a .policy file.  It's up
+            // to the build to decide which of these files is present for
+            // crosvm to use (for CrOS the build will use .bpf files for
+            // x64 builds and .policy files for arm/arm64 builds).
+            //
+            // This flag will likely work as expected for builds that use
+            // .policy files.  For builds that only use .bpf files the initial
+            // result when using this flag is likely to be a file-not-found
+            // error (since the .policy files are not present).
+            // For .bpf builds you can either 1) manually add the .policy files,
+            // or 2) do not use this command-line parameter and instead
+            // temporarily change the build by passing "log" rather than
+            // "trap" as the "--default-action" to compile_seccomp_policy.py.
             cfg.seccomp_log_failures = true;
         }
         "plugin" => {
-- 
cgit 1.4.1