crosvm: precompile seccomp policy files

This saves crosvm having to compile them at runtime, and allows us to catch more errors at build time.
2022-07-16 14:35:52 +00:00 · 2022-07-16 14:35:52 +00:00 · ad7f06781b
commit ad7f06781b
parent eb38d95b8a
1 changed files with 10 additions and 5 deletions
--- a/pkgs/applications/virtualization/crosvm/default.nix
+++ b/pkgs/applications/virtualization/crosvm/default.nix
@ -1,5 +1,5 @@
 { stdenv, lib, rustPlatform, fetchgit
-, pkg-config, wayland-scanner
+, minijail-tools, pkg-config, wayland-scanner
 , libcap, libdrm, libepoxy, minijail, virglrenderer, wayland, wayland-protocols
 , linux
 }:
@ -29,7 +29,7 @@ in

    cargoLock.lockFile = ./Cargo.lock;

-    nativeBuildInputs = [ pkg-config wayland-scanner ];
+    nativeBuildInputs = [ minijail-tools pkg-config wayland-scanner ];

    buildInputs = [
      libcap libdrm libepoxy minijail virglrenderer wayland wayland-protocols
@ -37,19 +37,24 @@ in

    postPatch = ''
      cp ${./Cargo.lock} Cargo.lock
-      sed -i "s|/usr/share/policy/crosvm/|$out/share/policy/|g" \
-             seccomp/*/*.policy
+      sed -i "s|/usr/share/policy/crosvm/|$PWD/seccomp/${arch}/|g" \
+          seccomp/${arch}/*.policy
    '';

    preBuild = ''
      export DEFAULT_SECCOMP_POLICY_DIR=$out/share/policy
+
+      for policy in seccomp/${arch}/*.policy; do
+          compile_seccomp_policy \
+              --default-action trap $policy ''${policy%.policy}.bpf
+      done
    '';

    buildFeatures = [ "default" "virgl_renderer" "virgl_renderer_next" ];

    postInstall = ''
      mkdir -p $out/share/policy/
-      cp seccomp/${arch}/* $out/share/policy/
+      cp -v seccomp/${arch}/*.bpf $out/share/policy/
    '';

    CROSVM_CARGO_TEST_KERNEL_BINARY =