PVF worker: Add seccomp restrictions (restrict networking) (#2009)
mrcnski authored Oct 31, 2023
1 parent 2d9426f commit 9faea38
Showing 27 changed files with 1,376 additions and 714 deletions.
63 changes: 50 additions & 13 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

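--- a/polkadot/node/core/candidate-validation/src/lib.rs
+++ b/polkadot/node/core/candidate-validation/src/lib.rs
@@ -149,7 +149,8 @@ async fn run<Context>(
 exec_worker_path,
 ),
 pvf_metrics,
-);
+)
+.await;
 ctx.spawn_blocking("pvf-validation-host", task.boxed())?;
 
 loop {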
5 changes: 5 additions & 0 deletions polkadot/node/core/pvf/Cargo.toml
@@ -39,6 +39,7 @@ polkadot-node-core-pvf-execute-worker = { path = "execute-worker", optional = tr
assert_matches = "1.4.0"
criterion = { version = "0.4.0", default-features = false, features = ["cargo_bench_support", "async_tokio"] }
hex-literal = "0.4.1"

polkadot-node-core-pvf-common = { path = "common", features = ["test-utils"] }
# For benches and integration tests, depend on ourselves with the test-utils
# feature.
@@ -48,6 +49,10 @@ rococo-runtime = { path = "../../../runtime/rococo" }
adder = { package = "test-parachain-adder", path = "../../../parachain/test-parachains/adder" }
halt = { package = "test-parachain-halt", path = "../../../parachain/test-parachains/halt" }

[target.'cfg(target_os = "linux")'.dev-dependencies]
procfs = "0.16.0"
rusty-fork = "0.3.0"

[[bench]]
name = "host_prepare_rococo_runtime"
harness = false
18 changes: 9 additions & 9 deletions polkadot/node/core/pvf/benches/host_prepare_rococo_runtime.rs
@@ -17,26 +17,23 @@
//! Benchmarks for preparation through the host. We use a real PVF to get realistic results.
use criterion::{criterion_group, criterion_main, BatchSize, Criterion, SamplingMode};
use parity_scale_codec::Encode;
use polkadot_node_core_pvf::{
start, testing, Config, Metrics, PrepareError, PrepareJobKind, PrepareStats, PvfPrepData,
ValidationError, ValidationHost,
ValidationHost,
};
use polkadot_parachain_primitives::primitives::{BlockData, ValidationParams, ValidationResult};
use polkadot_primitives::ExecutorParams;
use rococo_runtime::WASM_BINARY;
use std::time::Duration;
use tokio::{runtime::Handle, sync::Mutex};

const TEST_EXECUTION_TIMEOUT: Duration = Duration::from_secs(3);
const TEST_PREPARATION_TIMEOUT: Duration = Duration::from_secs(30);

struct TestHost {
host: Mutex<ValidationHost>,
}

impl TestHost {
fn new_with_config<F>(handle: &Handle, f: F) -> Self
async fn new_with_config<F>(handle: &Handle, f: F) -> Self
where
F: FnOnce(&mut Config),
{
@@ -50,7 +47,7 @@ impl TestHost {
execute_worker_path,
);
f(&mut config);
let (host, task) = start(config, Metrics::default());
let (host, task) = start(config, Metrics::default()).await;
let _ = handle.spawn(task);
Self { host: Mutex::new(host) }
}
@@ -107,15 +104,18 @@ fn host_prepare_rococo_runtime(c: &mut Criterion) {
group.measurement_time(Duration::from_secs(240));
group.bench_function("host: prepare Rococo runtime", |b| {
b.to_async(&rt).iter_batched(
|| {
|| async {
(
TestHost::new_with_config(rt.handle(), |cfg| {
cfg.prepare_workers_hard_max_num = 1;
}),
})
.await,
pvf.clone().code(),
)
},
|(host, pvf_code)| async move {
|result| async move {
let (host, pvf_code) = result.await;

// `PvfPrepData` is designed to be cheap to clone, so cloning shouldn't affect the
// benchmark accuracy.
let _stats = host.precheck_pvf(&pvf_code, Default::default()).await.unwrap();
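Review bot: In the last hunk the setup closure became `|| async { … }` and the routine now begins with `let (host, pvf_code) = result.await;`, so the future that builds `TestHost` is only polled inside the routine that criterion times. Host start-up, which after this commit includes the awaited `start(config, Metrics::default())`, is therefore likely counted in every sample of "host: prepare Rococo runtime" rather than being excluded as setup. If that is intended, say so next to the routine, e.g. `// NOTE: host start-up is awaited here and is part of the measured time.`; otherwise the host should be built before the timed section. How `rt` is constructed lies outside the visible hunks, so no specific way of blocking in the setup closure is proposed here.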
3 changes: 2 additions & 1 deletion polkadot/node/core/pvf/common/Cargo.toml
@@ -12,7 +12,6 @@ cpu-time = "1.0.0"
futures = "0.3.21"
gum = { package = "tracing-gum", path = "../../../gum" }
libc = "0.2.139"
tokio = { version = "1.24.2", features = ["fs", "process", "io-util"] }

parity-scale-codec = { version = "3.6.1", default-features = false, features = ["derive"] }

@@ -30,6 +29,8 @@ sp-tracing = { path = "../../../../../substrate/primitives/tracing" }

[target.'cfg(target_os = "linux")'.dependencies]
landlock = "0.3.0"
seccompiler = "0.4.0"
thiserror = "1.0.31"

[dev-dependencies]
assert_matches = "1.4.0"
5 changes: 3 additions & 2 deletions polkadot/node/core/pvf/common/src/lib.rs
@@ -32,10 +32,9 @@ pub use sp_tracing;
const LOG_TARGET: &str = "parachain::pvf-common";

use std::{
io::{Read, Write},
io::{self, Read, Write},
mem,
};
use tokio::io;

#[cfg(feature = "test-utils")]
pub mod tests {
@@ -50,6 +49,8 @@ pub mod tests {
pub struct SecurityStatus {
/// Whether the landlock features we use are fully available on this system.
pub can_enable_landlock: bool,
/// Whether the seccomp features we use are fully available on this system.
pub can_enable_seccomp: bool,
// Whether we are able to unshare the user namespace and change the filesystem root.
pub can_unshare_user_namespace_and_change_root: bool,
}
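Review bot: The new `can_enable_seccomp` field in the second hunk is documented only as an availability flag; it does not say what a `false` value means for the worker, i.e. whether the job then runs without the syscall filter or is refused. For a security status that callers branch on, the doc comment should state this, for example `/// Whether the seccomp features we use are fully available on this system. When false, <what the worker does instead>.` — the fallback is not visible in this section, so the wording has to come from the code that reads the flag. The comment on `can_unshare_user_namespace_and_change_root` just below uses `//` rather than `///`, so rustdoc will not render it; worth aligning while the struct is being edited.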