Drop compile-time seccomp-bpf feature gate

.github/workflows/ci.yml

@@ -95,7 +95,6 @@ jobs:
             arch: x86_64
             libpath: usr/lib/x86_64-linux-gnu
             no-default-features: true
-            args: '-F seccomp-bpf'
           - os: ubuntu-24.04
             os-arch: amd64
             target: x86_64-unknown-linux-gnu

.github/workflows/release.yml

@@ -62,15 +62,14 @@ jobs:
             target: riscv64gc-unknown-linux-gnu
             arch: riscv64
             libpath: usr/lib/riscv64-linux-gnu
-            no-default-features: true
-            features: ebpf,vendored-libbpf
+            no-default-features: false
           - os: ubuntu-24.04
             os-arch: riscv64
             target: riscv64gc-unknown-linux-gnu
             arch: riscv64
             libpath: usr/lib/riscv64-linux-gnu
-            no-default-features: true
-            features: ebpf,static,vendored
+            no-default-features: false
+            features: static,vendored
             artifact-suffix: -static
             rust_flags: -C target-feature=+crt-static
             static_libseccomp: true

Cargo.toml

@@ -76,7 +76,7 @@ serde_json = "1.0.120"
 libbpf-rs = { version = "0.24.6", optional = true, default-features = false }
 # libbpf-sys exists here because we want to control its features
 libbpf-sys = { version = "1", optional = true, default-features = false }
-libseccomp = { version = "0.3.0", optional = true }
+libseccomp = "0.3.0"
 weak-table = { version = "0.3.2", default-features = false, features = ["ahash"] }
 rand = "0.8.5"
 hashbrown = "0.15.2"
@@ -97,8 +97,7 @@ libbpf-cargo = { version = "0.24.6", default-features = false }
 
 [features]
 default = ["recommended", "vendored-libbpf"]
-recommended = ["seccomp-bpf", "ebpf"]
-seccomp-bpf = ["dep:libseccomp"]
+recommended = ["ebpf"]
 ebpf = ["dep:libbpf-rs", "dep:libbpf-sys"]
 # The ebpf-debug feature is not meant for end users.
 # This feature also has a bug:

src/cli/args.rs

@@ -11,7 +11,6 @@ use crate::{
   tui::app::AppLayout,
 };
 
-#[cfg(feature = "seccomp-bpf")]
 use super::options::SeccompBpf;
 use super::{
   config::{
@@ -22,7 +21,6 @@ use super::{
 
 #[derive(Args, Debug, Default, Clone)]
 pub struct PtraceArgs {
-  #[cfg(feature = "seccomp-bpf")]
   #[clap(long, help = "Controls whether to enable seccomp-bpf optimization, which greatly improves performance", default_value_t = SeccompBpf::Auto)]
   pub seccomp_bpf: SeccompBpf,
   #[clap(
@@ -62,7 +60,6 @@ pub struct ModifierArgs {
 impl PtraceArgs {
   pub fn merge_config(&mut self, config: PtraceConfig) {
     // seccomp-bpf
-    #[cfg(feature = "seccomp-bpf")]
     if let Some(setting) = config.seccomp_bpf {
       if self.seccomp_bpf == SeccompBpf::Auto {
         self.seccomp_bpf = setting;

src/main.rs

@@ -29,7 +29,6 @@ mod proc;
 mod ptrace;
 mod pty;
 mod regex;
-#[cfg(feature = "seccomp-bpf")]
 mod seccomp;
 mod tracee;
 mod tracer;

src/ptrace/tracer.rs

@@ -13,7 +13,6 @@ use crate::{
   tracee,
   tracer::{ExecData, ProcessExit, TracerBuilder, TracerMode},
 };
-use cfg_if::cfg_if;
 use either::Either;
 use enumflags2::BitFlags;
 use inspect::{read_arcstr, read_output_msg_array};
@@ -65,12 +64,8 @@ use inspect::InspectError;
 
 use super::BreakPointHit;
 
-cfg_if! {
-  if #[cfg(feature = "seccomp-bpf")] {
-    use crate::cli::options::SeccompBpf;
-    use crate::seccomp;
-  }
-}
+use crate::cli::options::SeccompBpf;
+use crate::seccomp;
 
 pub struct Tracer {
   with_tty: bool,
@@ -80,7 +75,6 @@ pub struct Tracer {
   modifier_args: ModifierArgs,
   filter: BitFlags<TracerEventDetailsKind>,
   baseline: Arc<BaselineInfo>,
-  #[cfg(feature = "seccomp-bpf")]
   seccomp_bpf: SeccompBpf,
   msg_tx: UnboundedSender<TracerMessage>,
   user: Option<User>,
@@ -98,7 +92,6 @@ pub struct SpawnToken {
 
 impl TracerBuilder {
   pub fn build_ptrace(self) -> color_eyre::Result<(Tracer, SpawnToken)> {
-    #[cfg(feature = "seccomp-bpf")]
     let seccomp_bpf = if self.seccomp_bpf == SeccompBpf::Auto {
       // TODO: check if the kernel supports seccomp-bpf
       // Let's just enable it for now and see if anyone complains
@@ -121,7 +114,6 @@ impl TracerBuilder {
       Tracer {
         with_tty,
         store: RwLock::new(ProcessStateStore::new()),
-        #[cfg(feature = "seccomp-bpf")]
         seccomp_bpf,
         msg_tx: self.tx.expect("tracer_tx is required for ptrace tracer"),
         user: self.user,
@@ -144,13 +136,11 @@ impl TracerBuilder {
         breakpoints: RwLock::new(BTreeMap::new()),
         req_tx: req_tx.clone(),
         delay: {
-          #[allow(clippy::useless_let_if_seq)]
-          let mut default = Duration::from_micros(1);
-          #[cfg(feature = "seccomp-bpf")]
-          #[allow(clippy::useless_let_if_seq)]
-          if seccomp_bpf == SeccompBpf::On {
-            default = Duration::from_micros(500);
-          }
+          let default = if seccomp_bpf == SeccompBpf::On {
+            Duration::from_micros(500)
+          } else {
+            Duration::from_micros(1)
+          };
           self
             .ptrace_polling_delay
             .map(Duration::from_micros)
@@ -170,7 +160,6 @@ pub enum PendingRequest {
     signal: Option<Signal>,
     hid: u64,
   },
-  #[cfg(feature = "seccomp-bpf")]
   SuspendSeccompBpf(Pid),
 }
 
@@ -215,7 +204,6 @@ impl Tracer {
     cmd.args(args.iter().skip(1));
     cmd.cwd(std::env::current_dir()?);
 
-    #[cfg(feature = "seccomp-bpf")]
     let seccomp_bpf = self.seccomp_bpf;
     let slave_pty = match &self.mode {
       TracerMode::Tui(tty) => tty.as_ref(),
@@ -234,7 +222,6 @@ impl Tracer {
     let mut tracer_fd = unsafe { File::from_raw_fd(fds[1]) };
     let tracee_raw_fd = tracee_fd.as_raw_fd();
     let root_child = pty::spawn_command(slave_pty, cmd, move |program_path| {
-      #[cfg(feature = "seccomp-bpf")]
       if seccomp_bpf == SeccompBpf::On {
         seccomp::load_seccomp_filters()?;
       }
@@ -343,7 +330,6 @@ impl Tracer {
                 self.proprgate_operation_error(hit, false, self.detach_process_internal(state, None, hid, &mut pending_guards))?;
               }
             }
-            #[cfg(feature = "seccomp-bpf")]
             PendingRequest::SuspendSeccompBpf(pid) => {
               let _err = self.suspend_seccomp_bpf(pid).inspect_err(|e| {
                 error!("Failed to suspend seccomp-bpf for {pid}: {e}");
@@ -1171,7 +1157,6 @@ impl Tracer {
     Ok(())
   }
 
-  #[cfg(feature = "seccomp-bpf")]
   fn suspend_seccomp_bpf(&self, pid: Pid) -> Result<(), Errno> {
     use nix::libc::{PTRACE_O_SUSPEND_SECCOMP, PTRACE_SETOPTIONS, ptrace};
 
@@ -1190,21 +1175,14 @@ impl Tracer {
     Ok(())
   }
 
-  #[cfg(feature = "seccomp-bpf")]
   pub fn request_suspend_seccomp_bpf(&self, pid: Pid) -> color_eyre::Result<()> {
     trace!("received request to suspend {pid}'s seccomp-bpf filter");
     self.req_tx.send(PendingRequest::SuspendSeccompBpf(pid))?;
     Ok(())
   }
 
   pub fn seccomp_bpf(&self) -> bool {
-    cfg_if! {
-      if #[cfg(feature = "seccomp-bpf")] {
-        self.seccomp_bpf == SeccompBpf::On
-      } else {
-        false
-      }
-    }
+    self.seccomp_bpf == SeccompBpf::On
   }
 }
 

src/ptrace/tracer/test.rs

@@ -141,7 +141,9 @@ async fn tracer_decodes_proc_self_exe(
 #[file_serial]
 #[tokio::test]
 async fn tracer_emits_exec_event(
-  #[allow(unused)] #[case] seccomp_bpf: SeccompBpf,
+  #[allow(unused)]
+  #[case]
+  seccomp_bpf: SeccompBpf,
   #[with(Default::default(), seccomp_bpf)] tracer: TracerFixture,
   true_executable: PathBuf,
 ) {

src/tui/hit_manager.rs

@@ -502,7 +502,6 @@ impl HitManager {
           "syscall-exit(right after exec)".cyan().bold(),
           ". ".into(),
         ]),
-        #[cfg(feature = "seccomp-bpf")]
         Line::default().spans(vec![
           "By default, tracexec uses seccomp-bpf to speed up ptrace operations so that there is minimal overhead \
           when running programs inside tracexec. ".into(),