fix(fspy): improve seccomp_unotify ipc (#255)

# Fix seccomp filter IPC and add static executable support

This PR improves the seccomp filter IPC mechanism by using path-based Unix domain sockets instead of directly passing file descriptors. This approach is consistent with #234 and eliminates the need for pre-exec handling.

Key changes:

- Replace direct fd passing with Unix domain socket communication
- Fix handling of path overflow in CStrPtr by returning a boolean success indicator
- Add support for tracking static executables with tests
- Add a test binary crate that can be included as a static binary for testing
- Implement proper handling of the `open` syscall on x86_64 architecture
- Enable typeaware linting test on Linux

The PR also includes various code improvements and cleanup, such as better error handling and more robust syscall tracking.

Author: branchseer

.devcontainer/devcontainer.json

@@ -5,16 +5,13 @@
   // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
   "image": "mcr.microsoft.com/vscode/devcontainers/base:ubuntu-22.04",
   "updateContentCommand": {
-    "systemPackages": "sudo apt-get update -y && sudo apt-get install -y pkg-config libssl-dev",
-    "rustToolchain": "rustup show",
-    "mise": "mise trust && mise install && mkdir -p ~/.config/fish && echo 'mise activate fish --shims | source' >> ~/.config/fish/config.fish"
+    "rustToolchain": "rustup show"
   },
   "containerEnv": {
     "CARGO_TARGET_DIR": "/tmp/target"
   },
   "features": {
     "ghcr.io/devcontainers/features/rust:1": {},
-    "ghcr.io/devcontainers-extra/features/mise:1": {},
     "ghcr.io/devcontainers-extra/features/fish-apt-get:1": {}
   },
   "customizations": {

.github/workflows/ci.yml

@@ -49,6 +49,9 @@ jobs:
           save-cache: ${{ github.ref_name == 'main' }}
           cache-key: test
 
+      - run: rustup target add x86_64-unknown-linux-musl
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+
       - run: cargo check --all-targets --all-features
         env:
           RUSTFLAGS: '-D warnings --cfg tokio_unstable' # also update .cargo/config.toml

Cargo.lock

@@ -55,6 +55,12 @@ csv-async = { workspace = true }
 ctor = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "macros", "fs", "io-std"] }
 
+[target.'cfg(all(target_os = "linux", target_arch = "aarch64"))'.dev-dependencies]
+fspy_test_bin = { path = "../fspy_test_bin", artifact = "bin", target = "aarch64-unknown-linux-musl" }
+
+[target.'cfg(all(target_os = "linux", target_arch = "x86_64"))'.dev-dependencies]
+fspy_test_bin = { path = "../fspy_test_bin", artifact = "bin", target = "x86_64-unknown-linux-musl" }
+
 [build-dependencies]
 anyhow = { workspace = true }
 attohttpc = { workspace = true }

crates/fspy/Cargo.toml

@@ -85,9 +85,6 @@ pub(crate) async fn spawn_impl(mut command: Command) -> io::Result<TrackedChild>
     #[cfg(target_os = "linux")]
     let supervisor = supervise::<SyscallHandler>()?;
 
-    #[cfg(target_os = "linux")]
-    let supervisor_pre_exec = supervisor.pre_exec;
-
     let (ipc_channel_conf, ipc_receiver) = channel(SHM_CAPACITY)?;
 
     let payload = Payload {
@@ -99,7 +96,7 @@ pub(crate) async fn spawn_impl(mut command: Command) -> io::Result<TrackedChild>
         preload_path: command.spy_inner.preload_path.clone(),
 
         #[cfg(target_os = "linux")]
-        seccomp_payload: supervisor.payload,
+        seccomp_payload: supervisor.payload().clone(),
     };
 
     let encoded_payload = encode_payload(payload);
@@ -120,8 +117,6 @@ pub(crate) async fn spawn_impl(mut command: Command) -> io::Result<TrackedChild>
 
     unsafe {
         tokio_command.pre_exec(move || {
-            #[cfg(target_os = "linux")]
-            supervisor_pre_exec.run()?;
             if let Some(pre_exec) = pre_exec.as_ref() {
                 pre_exec.run()?;
             }
@@ -137,7 +132,7 @@ pub(crate) async fn spawn_impl(mut command: Command) -> io::Result<TrackedChild>
         let arenas = std::iter::once(exec_resolve_accesses);
         #[cfg(target_os = "linux")]
         let arenas =
-            arenas.chain(supervisor.handling_loop.await?.into_iter().map(|handler| handler.arena));
+            arenas.chain(supervisor.stop().await?.into_iter().map(|handler| handler.arena));
         io::Result::Ok(arenas.collect::<Vec<_>>())
     };
 

crates/fspy/src/unix/mod.rs

@@ -16,15 +16,28 @@ pub struct SyscallHandler {
 }
 
 impl SyscallHandler {
-    fn openat(&mut self, (_, path): (Ignored, CStrPtr)) -> io::Result<()> {
+    fn handle_open(&mut self, path: CStrPtr) -> io::Result<()> {
         path.read_with_buf::<PATH_MAX, _, _>(|path| {
+            let Some(path) = path else {
+                // Ignore paths that are too long to fit in PATH_MAX
+                return Ok(());
+            };
             self.arena
                 .add(PathAccess { mode: AccessMode::Read, path: NativeStr::from_bytes(path) });
             Ok(())
         })?;
         Ok(())
     }
 
+    #[cfg(target_arch = "x86_64")]
+    fn open(&mut self, (path,): (CStrPtr,)) -> io::Result<()> {
+        self.handle_open(path)
+    }
+
+    fn openat(&mut self, (_, path): (Ignored, CStrPtr)) -> io::Result<()> {
+        self.handle_open(path)
+    }
+
     fn getdents64(&mut self, (fd,): (Fd,)) -> io::Result<()> {
         let path = fd.get_path()?;
         self.arena.add(PathAccess {
@@ -36,7 +49,8 @@ impl SyscallHandler {
 }
 
 impl_handler!(
-    SyscallHandler,
-    openat
-    getdents64
+    SyscallHandler:
+    #[cfg(target_arch = "x86_64")] open,
+    openat,
+    getdents64,
 );

crates/fspy/src/unix/syscall_handler/mod.rs

@@ -0,0 +1,53 @@
+#![cfg(target_os = "linux")]
+
+use std::{
+    fs::{self, Permissions},
+    os::unix::fs::PermissionsExt as _,
+    path::{Path, PathBuf},
+    sync::LazyLock,
+};
+
+use fspy::PathAccessIterable;
+use fspy_shared_unix::is_dynamically_linked_to_libc;
+
+use crate::test_utils::assert_contains;
+
+mod test_utils;
+
+const TEST_BIN_CONTENT: &[u8] = include_bytes!(env!("CARGO_BIN_FILE_FSPY_TEST_BIN"));
+
+fn test_bin_path() -> &'static Path {
+    static TEST_BIN_PATH: LazyLock<PathBuf> = LazyLock::new(|| {
+        assert_eq!(
+            is_dynamically_linked_to_libc(&TEST_BIN_CONTENT),
+            Ok(false),
+            "Test binary is not a static executable"
+        );
+
+        let tmp_dir = env!("CARGO_TARGET_TMPDIR");
+        let test_bin_path = PathBuf::from(tmp_dir).join("fspy-test-bin");
+        fs::write(&test_bin_path, TEST_BIN_CONTENT).expect("failed to write test binary");
+        fs::set_permissions(&test_bin_path, Permissions::from_mode(0o755))
+            .expect("failed to set permissions on test binary");
+
+        test_bin_path
+    });
+    TEST_BIN_PATH.as_path()
+}
+
+async fn track_test_bin(args: &[&str]) -> PathAccessIterable {
+    let mut cmd = fspy::Spy::global().unwrap().new_command(test_bin_path());
+    cmd.args(args);
+    let mut tracked_child = cmd.spawn().await.unwrap();
+
+    let output = tracked_child.tokio_child.wait().await.unwrap();
+    assert!(output.success());
+
+    tracked_child.accesses_future.await.unwrap()
+}
+
+#[tokio::test]
+async fn open_read() {
+    let accesses = track_test_bin(&["open_read", "/hello"]).await;
+    assert_contains(&accesses, Path::new("/hello"), fspy::AccessMode::Read);
+}

crates/fspy/tests/static_executable.rs

@@ -11,20 +11,25 @@ pub fn assert_contains(
     expected_path: &Path,
     expected_mode: AccessMode,
 ) {
-    accesses
-        .iter()
-        .find(|access| {
-            let Ok(stripped) =
-                access.path.strip_path_prefix::<_, Result<PathBuf, StripPrefixError>, _>(
-                    expected_path,
-                    |strip_result| strip_result.map(Path::to_path_buf),
-                )
-            else {
-                return false;
-            };
-            stripped.as_os_str().is_empty() && access.mode == expected_mode
-        })
-        .unwrap();
+    let found = accesses.iter().any(|access| {
+        let Ok(stripped) =
+            access.path.strip_path_prefix::<_, Result<PathBuf, StripPrefixError>, _>(
+                expected_path,
+                |strip_result| strip_result.map(Path::to_path_buf),
+            )
+        else {
+            return false;
+        };
+        stripped.as_os_str().is_empty() && access.mode == expected_mode
+    });
+    if !found {
+        panic!(
+            "Expected to find access to path {:?} with mode {:?}, but it was not found in: {:?}",
+            expected_path,
+            expected_mode,
+            accesses.iter().collect::<Vec<_>>()
+        );
+    }
 }
 
 #[macro_export]

crates/fspy/tests/test_utils.rs

@@ -13,8 +13,10 @@ nix = { workspace = true, features = ["process", "fs", "poll", "socket", "uio"]
 passfd = { workspace = true, default-features = false, optional = true }
 seccompiler = { workspace = true }
 syscalls = { workspace = true, features = ["std"] }
-tokio = { workspace = true, features = ["net", "process", "io-util", "rt"] }
+tokio = { workspace = true, features = ["net", "process", "io-util", "rt", "sync"] }
 tracing = { workspace = true }
+tempfile = { workspace = true }
+futures-util = { workspace = true }
 
 [target.'cfg(target_os = "linux")'.dev-dependencies]
 assertables = { workspace = true }

crates/fspy_seccomp_unotify/Cargo.toml

@@ -1,10 +1,9 @@
-use std::os::fd::RawFd;
 mod filter;
 use bincode::{Decode, Encode};
 pub use filter::Filter;
 
 #[derive(Debug, Encode, Decode, Clone)]
 pub struct SeccompPayload {
-    pub(crate) ipc_fd: RawFd,
+    pub(crate) ipc_path: Vec<u8>,
     pub(crate) filter: Filter,
 }