diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index afb5f26..c3166ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -95,7 +95,6 @@ jobs:
 arch: x86_64
 libpath: usr/lib/x86_64-linux-gnu
 no-default-features: true
- args: '-F seccomp-bpf'
 - os: ubuntu-24.04
 os-arch: amd64
 target: x86_64-unknown-linux-gnu
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d761c0b..c368a98 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,15 +62,14 @@ jobs:
 target: riscv64gc-unknown-linux-gnu
 arch: riscv64
 libpath: usr/lib/riscv64-linux-gnu
- no-default-features: true
- features: ebpf,vendored-libbpf
+ no-default-features: false
 - os: ubuntu-24.04
 os-arch: riscv64
 target: riscv64gc-unknown-linux-gnu
 arch: riscv64
 libpath: usr/lib/riscv64-linux-gnu
- no-default-features: true
- features: ebpf,static,vendored
+ no-default-features: false
+ features: static,vendored
 artifact-suffix: -static
 rust_flags: -C target-feature=+crt-static
 static_libseccomp: true
diff --git a/Cargo.toml b/Cargo.toml
index b0a2486..57feca7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -76,7 +76,7 @@ serde_json = "1.0.120"
 libbpf-rs = { version = "0.24.6", optional = true, default-features = false }
 # libbpf-sys exists here because we want to control its features
 libbpf-sys = { version = "1", optional = true, default-features = false }
-libseccomp = { version = "0.3.0", optional = true }
+libseccomp = "0.3.0"
 weak-table = { version = "0.3.2", default-features = false, features = ["ahash"] }
 rand = "0.8.5"
 hashbrown = "0.15.2"
@@ -97,8 +97,7 @@ libbpf-cargo = { version = "0.24.6", default-features = false }
 [features]
 default = ["recommended", "vendored-libbpf"]
-recommended = ["seccomp-bpf", "ebpf"]
-seccomp-bpf = ["dep:libseccomp"]
+recommended = ["ebpf"]
 ebpf = ["dep:libbpf-rs", "dep:libbpf-sys"]
 # The ebpf-debug feature is not meant for end users.
 # This feature also has a bug:
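Review bot: With the `seccomp-bpf` feature gone, `libseccomp` becomes an unconditional build dependency of every binary, and for non-static builds `libseccomp.so` becomes an unconditional run-time dependency, yet nothing in the manifest says so and the only remaining guard is the run-time `--seccomp-bpf` switch whose `Auto` default still resolves to `On` without probing the kernel (the TODO in `build_ptrace` is untouched by this commit). A one-line note next to the dependency would save the next packager a surprise, e.g. `# Hard dependency: the seccomp-bpf fast path is always compiled in and can only be disabled at run time with --seccomp-bpf=off.` The `release.yml` hunk above sets `static_libseccomp: true` only on the `-static` job, so the other riscv64 artifact, which previously built with `ebpf,vendored-libbpf` and no seccomp at all, now links `libseccomp` dynamically; worth confirming that is intended rather than an accident of switching to `no-default-features: false`.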
diff --git a/src/cli/args.rs b/src/cli/args.rs
index c74f94e..83d740f 100644
--- a/src/cli/args.rs
+++ b/src/cli/args.rs
@@ -11,7 +11,6 @@ use crate::{
 tui::app::AppLayout,
 };
 
-#[cfg(feature = "seccomp-bpf")]
 use super::options::SeccompBpf;
 use super::{
 config::{
@@ -22,7 +21,6 @@ use super::{
 
 #[derive(Args, Debug, Default, Clone)]
 pub struct PtraceArgs {
-#[cfg(feature = "seccomp-bpf")]
 #[clap(long, help = "Controls whether to enable seccomp-bpf optimization, which greatly improves performance", default_value_t = SeccompBpf::Auto)]
 pub seccomp_bpf: SeccompBpf,
 #[clap(
@@ -62,7 +60,6 @@ pub struct ModifierArgs {
 impl PtraceArgs {
 pub fn merge_config(&mut self, config: PtraceConfig) {
 // seccomp-bpf
-#[cfg(feature = "seccomp-bpf")]
 if let Some(setting) = config.seccomp_bpf {
 if self.seccomp_bpf == SeccompBpf::Auto {
 self.seccomp_bpf = setting;
diff --git a/src/main.rs b/src/main.rs
index c13f3c4..0cf355c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -29,7 +29,6 @@ mod proc;
 mod ptrace;
 mod pty;
 mod regex;
-#[cfg(feature = "seccomp-bpf")]
 mod seccomp;
 mod tracee;
 mod tracer;
diff --git a/src/ptrace/tracer.rs b/src/ptrace/tracer.rs
index 9dabb31..6952e4e 100644
--- a/src/ptrace/tracer.rs
+++ b/src/ptrace/tracer.rs
@@ -13,7 +13,6 @@ use crate::{
 tracee,
 tracer::{ExecData, ProcessExit, TracerBuilder, TracerMode},
 };
-use cfg_if::cfg_if;
 use either::Either;
 use enumflags2::BitFlags;
 use inspect::{read_arcstr, read_output_msg_array};
@@ -65,12 +64,8 @@ use inspect::InspectError;
 
 use super::BreakPointHit;
 
-cfg_if! {
- if #[cfg(feature = "seccomp-bpf")] {
- use crate::cli::options::SeccompBpf;
- use crate::seccomp;
- }
- }
+use crate::cli::options::SeccompBpf;
+use crate::seccomp;
 
 pub struct Tracer {
 with_tty: bool,
@@ -80,7 +75,6 @@ pub struct Tracer {
 modifier_args: ModifierArgs,
 filter: BitFlags,
 baseline: Arc,
-#[cfg(feature = "seccomp-bpf")]
 seccomp_bpf: SeccompBpf,
 msg_tx: UnboundedSender,
 user: Option,
@@ -98,7 +92,6 @@ pub struct SpawnToken {
 impl TracerBuilder {
 pub fn build_ptrace(self) -> color_eyre::Result<(Tracer, SpawnToken)> {
-#[cfg(feature = "seccomp-bpf")]
 let seccomp_bpf = if self.seccomp_bpf == SeccompBpf::Auto {
 // TODO: check if the kernel supports seccomp-bpf
 // Let's just enable it for now and see if anyone complains
@@ -121,7 +114,6 @@ impl TracerBuilder {
 Tracer {
 with_tty,
 store: RwLock::new(ProcessStateStore::new()),
-#[cfg(feature = "seccomp-bpf")]
 seccomp_bpf,
 msg_tx: self.tx.expect("tracer_tx is required for ptrace tracer"),
 user: self.user,
@@ -144,13 +136,11 @@ impl TracerBuilder {
 breakpoints: RwLock::new(BTreeMap::new()),
 req_tx: req_tx.clone(),
 delay: {
-#[allow(clippy::useless_let_if_seq)]
- let mut default = Duration::from_micros(1);
- #[cfg(feature = "seccomp-bpf")]
- #[allow(clippy::useless_let_if_seq)]
- if seccomp_bpf == SeccompBpf::On {
- default = Duration::from_micros(500);
- }
+ let default = if seccomp_bpf == SeccompBpf::On {
+ Duration::from_micros(500)
+ } else {
+ Duration::from_micros(1)
+ };
 self
 .ptrace_polling_delay
 .map(Duration::from_micros)
@@ -170,7 +160,6 @@ pub enum PendingRequest {
 signal: Option,
 hid: u64,
 },
-#[cfg(feature = "seccomp-bpf")]
 SuspendSeccompBpf(Pid),
 }
 
@@ -215,7 +204,6 @@ impl Tracer {
 cmd.args(args.iter().skip(1));
 cmd.cwd(std::env::current_dir()?);
 
-#[cfg(feature = "seccomp-bpf")]
 let seccomp_bpf = self.seccomp_bpf;
 let slave_pty = match &self.mode {
 TracerMode::Tui(tty) => tty.as_ref(),
@@ -234,7 +222,6 @@ impl Tracer {
 let mut tracer_fd = unsafe { File::from_raw_fd(fds[1]) };
 let tracee_raw_fd = tracee_fd.as_raw_fd();
 let root_child = pty::spawn_command(slave_pty, cmd, move |program_path| {
-#[cfg(feature = "seccomp-bpf")]
 if seccomp_bpf == SeccompBpf::On {
 seccomp::load_seccomp_filters()?;
 }
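Review bot: `SeccompBpf::Auto` still hard-resolves to `On` in `build_ptrace` with the "check if the kernel supports seccomp-bpf" TODO left in place, and now that the code path can no longer be compiled out, a kernel built without `CONFIG_SECCOMP_FILTER`, or a container profile that blocks `prctl(PR_SET_SECCOMP)`, turns into a spawn-time failure rather than a build-time choice. `Auto` should probe before choosing `On`: prctl(2) documents that `PR_GET_SECCOMP` fails with `EINVAL` when the kernel has no seccomp support, which is a cheap, side-effect-free check that would let `Auto` fall back to `Off` with a logged warning instead of erroring in the pre-exec hook. The `On`/`Off` arms of this `if` and the rest of `build_ptrace` continue outside the hunk.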
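Review bot: The filter installed by `seccomp::load_seccomp_filters()?` inside the spawn closure is, by seccomp semantics, inherited by the traced program and every descendant it forks or execs, and if the loader keeps libseccomp's default `SCMP_FLTATR_CTL_NNP` attribute the kernel also sets `no_new_privs`, so set-user-ID and set-group-ID executables anywhere in the tracee tree will presumably run without gaining privilege even when tracexec itself is run as root through the `user` field. Since `Auto` maps to `On`, that is now the behaviour of every build by default, so it deserves a comment at the call site and a mention in the `--seccomp-bpf` help text, e.g. `// Installed pre-exec: inherited by the whole tracee tree; with NO_NEW_PRIVS set, setuid/setgid binaries under the tracee do not elevate.` The closure's remaining body and the error path of `spawn_command` are outside this hunk, so how a failed load is surfaced to the user is not visible here.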
@@ -343,7 +330,6 @@ impl Tracer {
 self.proprgate_operation_error(hit, false, self.detach_process_internal(state, None, hid, &mut pending_guards))?;
 }
 }
- #[cfg(feature = "seccomp-bpf")]
 PendingRequest::SuspendSeccompBpf(pid) => {
 let _err = self.suspend_seccomp_bpf(pid).inspect_err(|e| {
 error!("Failed to suspend seccomp-bpf for {pid}: {e}");
@@ -1171,7 +1157,6 @@ impl Tracer {
 Ok(())
 }
 
- #[cfg(feature = "seccomp-bpf")]
 fn suspend_seccomp_bpf(&self, pid: Pid) -> Result<(), Errno> {
 use nix::libc::{PTRACE_O_SUSPEND_SECCOMP, PTRACE_SETOPTIONS, ptrace};
 
@@ -1190,7 +1175,6 @@ impl Tracer {
 Ok(())
 }
 
- #[cfg(feature = "seccomp-bpf")]
 pub fn request_suspend_seccomp_bpf(&self, pid: Pid) -> color_eyre::Result<()> {
 trace!("received request to suspend {pid}'s seccomp-bpf filter");
 self.req_tx.send(PendingRequest::SuspendSeccompBpf(pid))?;
@@ -1198,13 +1182,7 @@ impl Tracer {
 }
 
 pub fn seccomp_bpf(&self) -> bool {
- cfg_if! {
- if #[cfg(feature = "seccomp-bpf")] {
- self.seccomp_bpf == SeccompBpf::On
- } else {
- false
- }
- }
+ self.seccomp_bpf == SeccompBpf::On
 }
 }
 
diff --git a/src/ptrace/tracer/test.rs b/src/ptrace/tracer/test.rs
index 469d8cd..591e00f 100644
--- a/src/ptrace/tracer/test.rs
+++ b/src/ptrace/tracer/test.rs
@@ -141,7 +141,9 @@ async fn tracer_decodes_proc_self_exe(
 #[file_serial]
 #[tokio::test]
 async fn tracer_emits_exec_event(
- #[allow(unused)] #[case] seccomp_bpf: SeccompBpf,
+ #[allow(unused)]
+ #[case]
+ seccomp_bpf: SeccompBpf,
 #[with(Default::default(), seccomp_bpf)] tracer: TracerFixture,
 true_executable: PathBuf,
 ) {
diff --git a/src/tui/hit_manager.rs b/src/tui/hit_manager.rs
index 54069d5..d891867 100644
--- a/src/tui/hit_manager.rs
+++ b/src/tui/hit_manager.rs
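Review bot: The `Err` from `self.suspend_seccomp_bpf(pid)` in the `SuspendSeccompBpf` arm is logged and then bound to `_err` and dropped, and with the `cfg` gate gone this arm is reachable in every build. ptrace(2) documents `PTRACE_O_SUSPEND_SECCOMP` as requiring `CAP_SYS_ADMIN` in the tracer (and a kernel with `CONFIG_CHECKPOINT_RESTORE`), so for an unprivileged tracexec this presumably fails with `EPERM` every time and whoever called `request_suspend_seccomp_bpf` continues as if the tracee's filter had been suspended. At minimum the best-effort nature should be stated where the result is discarded, e.g. `// Best effort: PTRACE_O_SUSPEND_SECCOMP needs CAP_SYS_ADMIN in the tracer; an unprivileged tracexec gets EPERM and the tracee keeps running under the filter.`, and ideally the outcome is reported back to the requester rather than only to the log. The enclosing `match` and the body of `suspend_seccomp_bpf` both continue outside the hunks shown here.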
@@ -502,7 +502,6 @@ impl HitManager {
 "syscall-exit(right after exec)".cyan().bold(),
 ". ".into(),
 ]),
- #[cfg(feature = "seccomp-bpf")]
 Line::default().spans(vec![
 "By default, tracexec uses seccomp-bpf to speed up ptrace operations so that there is minimal overhead \
 when running programs inside tracexec. ".into(),