Make spt independent of libseccomp/"Tenderless" spt #341

Closed
minad opened this issue Mar 25, 2019 · 2 comments

Comments

@minad

minad commented Mar 25, 2019

It seems libseccomp is quite restricted in contrast to what bpf provides. This also leads to the restriction of only one block size for solo5_block_write.

I experimented with writing a custom bpf filter in asm directly
https://gist.github.com/minad/c6f44a245f1ea481ded2535a96778be5#file-hv_seccomp_filter-asm-L3
Since solo5 has such a small API with only very few syscalls, it is easy to write the filter by hand.
To compile the asm, I am using a patched bpfasm version for that right now such that $BLOCK_SIZE appears verbatim in the generated C code.

@minad minad changed the title Make seccomp independent of libseccomp Make spt independent of libseccomp Mar 25, 2019
@ricarkol
Collaborator

That's great @minad. I'm one of those interested in relaxing the solo5_block interface.

Any particular reason as to why you wrote it in asm?

@minad
Author

minad commented Mar 25, 2019

I have to say, I am no expert in BPF, but I looked into various alternatives and this one seemed to be the easiest with the least tooling to set up (I am saying this despite patching bpfasm with a few lines). I also have to say that this whole BPF world seems to be badly documented, but I looked only for a few hours. There is also confusion about BPF (also called cBPF) and eBPF. Seccomp is still BPF, it seems.

What is very important about the approach that I tried is that the generated BPF bytecode must be patchable, such that I don't have to include the BPF compiler in the resulting program. libseccomp takes the other approach and includes the BPF generator with the resulting program.

Alternatives I found:

  • https://github.com/torvalds/linux/tree/master/tools/bpf (This one I used; it can easily be built outside the kernel and I can patch it to pass the literals through). I can make a repo with the patched assembler if you like.
  • https://github.com/google/kafel (looks nice, but not patchable?)
  • https://github.com/iovisor/bcc (looks complicated, can probably do everything, I also did not find a seccomp example)
  • bpfc (comes with netsniff-ng, like the kernel bpf but a bit more features it seems)
  • llvm with bpf backend (I tried it quickly and I read bad things, such that it can generate code which won't run)

Do you have other suggestions?

Edit: Here is the minimal hypervisor shim I used for experimentation: https://gist.github.com/minad/c6f44a245f1ea481ded2535a96778be5. But I would be happy to write some patches improving the solo5 seccomp sandbox. The downside of the ASM approach is that platform independence is lost if the syscalls differ between architectures. However, since the syscall numbers etc. are included as literals, there might be no problem. And if there is, one has to provide separate asm for x86_64 and aarch64.
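The two ideas in this thread, a hand-assembled seccomp filter with only a handful of instructions and bytecode whose block-size literal is patched at run time instead of regenerated by a compiler, can be shown in plain C without any assembler tooling. The following is an added example written for this page; it is not code from solo5 or from the gist linked above. It builds a classic-BPF (cBPF) seccomp program with the kernel's `BPF_STMT`/`BPF_JUMP` macros, keeps one instruction whose `k` field is the block-size placeholder, and includes a tiny interpreter for the three opcodes the filter uses so the program can be exercised offline against constructed `seccomp_data` before it is ever installed. The allowed syscall set (`pwrite64` with an exact block size, plus `exit_group`) is a constructed stand-in for whatever the real tender needs, and `MY_AUDIT_ARCH` is just a compile-time pick of the host's audit arch.

```c
/* Added example: hand-built seccomp cBPF filter with a patchable
 * block-size literal, plus an offline interpreter for checking it.
 * Not from solo5; syscall set and block size are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

#if defined(__x86_64__)
#define MY_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define MY_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define MY_AUDIT_ARCH 0u /* placeholder: unsupported host in this example */
#endif

#define BLOCK_SIZE_PLACEHOLDER 0xFFFFFFFFu /* patched before install */
#define BLOCK_SIZE_PATCH_INDEX 8           /* instruction holding the literal */

/* Layout (jumps are relative to the next instruction, as in cBPF):
 *  0 ld  arch            1 jeq ARCH,+1,+0      2 ret KILL
 *  3 ld  nr              4 jeq pwrite64,+2,+0  5 jeq exit_group,+4,+0
 *  6 ret KILL            7 ld  args[2] (low)   8 jeq BLOCK_SIZE,+1,+0
 *  9 ret KILL           10 ret ALLOW
 * The args[2] load reads the low 32 bits of the count on little-endian
 * hosts; the kernel only permits 4-byte aligned loads from seccomp_data. */
static struct sock_filter spt_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_pwrite64, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BLOCK_SIZE_PLACEHOLDER, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof spt_filter / sizeof spt_filter[0])

/* Patch the block-size literal in place: no BPF compiler needed at run time.
 * Refuses to write anywhere that is not the expected compare instruction. */
int patch_block_size(struct sock_filter *prog, size_t len, uint32_t block_size)
{
    if (BLOCK_SIZE_PATCH_INDEX >= len) return -1;
    if (prog[BLOCK_SIZE_PATCH_INDEX].code != (BPF_JMP | BPF_JEQ | BPF_K)) return -1;
    prog[BLOCK_SIZE_PATCH_INDEX].k = block_size;
    return 0;
}

/* Minimal cBPF interpreter for the opcodes used above; anything else is
 * treated as a filter bug and yields KILL, mirroring a fail-closed stance. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k % 4 != 0 || in->k + 4 > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: also fail closed */
}

/* Evaluate the (patched) filter for one constructed syscall. */
uint32_t decide(uint32_t arch, int nr, uint64_t count)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.arch = arch;
    d.nr = nr;
    d.args[2] = count; /* pwrite64(fd, buf, count, offset): count is arg 2 */
    return run_filter(spt_filter, FILTER_LEN, &d);
}

int main(void)
{
    patch_block_size(spt_filter, FILTER_LEN, 4096); /* constructed block size */
    printf("pwrite64 4096: %s\n",
           decide(MY_AUDIT_ARCH, __NR_pwrite64, 4096) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("pwrite64  512: %s\n",
           decide(MY_AUDIT_ARCH, __NR_pwrite64, 512) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("openat       : %s\n",
           decide(MY_AUDIT_ARCH, __NR_openat, 0) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

Installing the patched program is the usual `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` followed by `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` with a `struct sock_fprog` pointing at `spt_filter`; the interpreter exists only so the filter and the patch step can be unit-tested without sandboxing the test process itself. The arch check up front is what keeps the per-architecture syscall literals honest: a filter assembled for x86_64 numbers kills rather than misjudges a caller running under a different ABI.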

@minad minad changed the title Make spt independent of libseccomp Make spt independent of libseccomp/"Tenderless" SPT Mar 26, 2019
@minad minad changed the title Make spt independent of libseccomp/"Tenderless" SPT Make spt independent of libseccomp/"Tenderless" spt Mar 26, 2019
@minad minad mentioned this issue Mar 26, 2019
@minad minad closed this as completed May 8, 2019