feat(guest): enable libseccomp in guest runtime#472
Merged
Conversation
Enables the libseccomp feature on libcontainer so seccomp profiles from the OCI spec are actually applied. Without this, the guest prints "seccomp not available" and runs workloads with no filter. The Rust libseccomp-sys crate needs libseccomp.a for the target triple (musl) plus Linux UAPI headers that brew's musl-cross doesn't ship. Add scripts/build/build-libseccomp.sh which builds libseccomp 2.5.5 statically using sabotage-linux/kernel-headers for the asm/linux includes, cached at ~/.cache/boxlite/. build-guest.sh sources the helper before cargo build. Add gperf to all four platform setup scripts. Verified on aarch64 (macOS) and x86_64 (Linux).
Cache was previously at $HOME/.cache/boxlite/{libseccomp,linux-headers}/.
Moving it under target/native/ makes it per-checkout, gitignored
automatically, and cleaned by `cargo clean` along with everything else.
Layout:
target/native/libseccomp/<target-triple>/<version>/{lib,include}/
target/native/linux-headers/<version>/<arch>/include/
The "native" subdir is intended as an umbrella for any future vendored
C deps we build outside cargo (e.g. libcap-static, libbpf-static), so
target/ doesn't end up cluttered with one top-level dir per dep.
The BOXLITE_CACHE env var still wins, so CI can centralize a shared
cache if it wants to.
Summary
- Enable the `libseccomp` feature so OCI seccomp profiles are actually applied. Today the guest prints `WARN libcontainer::process::init::process: seccomp not available, unable to set seccomp privileges!` and runs workloads with no filter.
- Add `scripts/build/build-libseccomp.sh` that vendors libseccomp 2.5.5 + sabotage-linux/kernel-headers, builds `libseccomp.a` statically per target arch, cached under `~/.cache/boxlite/`.
- Source the helper from `build-guest.sh` before `cargo build`; add `gperf` (libseccomp's build dep) to all four platform setup scripts (`setup-macos.sh`, `setup-ubuntu.sh`, `setup-musllinux.sh`, `setup-manylinux.sh`).
Why
Without seccomp, BoxLite's "secure isolated execution environment" is missing a defense-in-depth layer the OCI spec already specifies. The fix is mechanical (one feature flag) but the cross-compile plumbing isn't — `brew install FiloSottile/musl-cross` ships musl libc headers but no Linux UAPI headers, so libseccomp's `#include <asm/unistd.h>` and `<linux/audit.h>` fail. Vendoring the sabotage-linux/kernel-headers tarball (~1.4 MB) gives a deterministic, portable header set across all platforms.
Cache layout under `~/.cache/boxlite/`:
- `libseccomp/<target>/<version>/{lib,include}` — built `.a` and headers
- `linux-headers/<version>/<arch>/include` — sabotage UAPI export
Idempotent — re-runs hit cache in ~10 ms.
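As an added example (not the PR's own `build-libseccomp.sh`): a sketch of the cache resolution and cache-hit short-circuit described above, using the `target/native/` layout from the follow-up commit with `BOXLITE_CACHE` still winning, and emitting the `LIBSECCOMP_LIB_PATH` / `LIBSECCOMP_LINK_TYPE` variables that the `libseccomp-sys` crate reads to link a static archive. The configure flags, the release tarball URL and those two variable names are assumptions, not taken from the PR.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script. Assumed: libseccomp-sys honours
# LIBSECCOMP_LIB_PATH / LIBSECCOMP_LINK_TYPE; libseccomp's autoconf flags;
# the upstream release tarball URL.
set -eu

LIBSECCOMP_VERSION=2.5.5   # version vendored by the PR

# BOXLITE_CACHE wins; otherwise the per-checkout target/native/ umbrella dir.
cache_root() {
  checkout="${1:-$PWD}"
  echo "${BOXLITE_CACHE:-$checkout/target/native}"
}

# Prefix where libseccomp.a and seccomp.h land for one target triple.
libseccomp_prefix() {
  echo "$(cache_root "$1")/libseccomp/$2/$LIBSECCOMP_VERSION"
}

# Returns 0 when a previous run already populated the cache (the ~10 ms path).
libseccomp_cached() {
  [ -f "$1/lib/libseccomp.a" ] && [ -f "$1/include/seccomp.h" ]
}

# Cache miss only: needs network and a <triple>-gcc from musl-cross on PATH.
# Runs in a subshell so the cd does not leak into the caller.
build_libseccomp() (
  prefix="$1"; triple="$2"; headers="$3"
  mkdir -p "$prefix/src" && cd "$prefix/src"
  curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v$LIBSECCOMP_VERSION/libseccomp-$LIBSECCOMP_VERSION.tar.gz" \
    | tar xz --strip-components=1
  # CFLAGS points at the vendored UAPI headers so <asm/unistd.h> resolves.
  ./configure --host="$triple" --prefix="$prefix" \
    --enable-static --disable-shared CFLAGS="-I$headers"
  make -j"$(nproc 2>/dev/null || sysctl -n hw.ncpu)" && make install
)

# Entry point: prints the assignments to eval before `cargo build`.
libseccomp_env() {
  checkout="$1"; triple="$2"; headers="$3"
  prefix="$(libseccomp_prefix "$checkout" "$triple")"
  libseccomp_cached "$prefix" || build_libseccomp "$prefix" "$triple" "$headers"
  echo "LIBSECCOMP_LIB_PATH=$prefix/lib LIBSECCOMP_LINK_TYPE=static"
}
```

A build script would `eval "$(libseccomp_env "$PWD" aarch64-unknown-linux-musl "$hdrs")"` and then run cargo; a second invocation returns immediately because the archive and header are already in the cache.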
Test plan