Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PVF worker: Add CI job to check syscall lists #1652

Closed
mrcnski opened this issue Sep 20, 2023 · 0 comments · Fixed by #1663
Closed

PVF worker: Add CI job to check syscall lists #1652

mrcnski opened this issue Sep 20, 2023 · 0 comments · Fixed by #1663
Assignees
@altaua

Comments

@mrcnski
Copy link
Contributor

mrcnski commented Sep 20, 2023

Background

In order to sandbox the PVF workers, we want to use seccomp to block all unneeded syscalls. We can get the list of syscalls used by the processes with the list-syscalls.rb script. However, we need a CI job to keep this list up to date.

Requirements

  1. Add to the repo the list of syscalls detected by list-syscalls.rb.
    1. Let's call the lists prepare-worker-syscalls and execute-worker-syscalls.
  2. Add a CI job that:
    1. Builds the workers with LTO (production profile) and musl: SKIP_WASM_BUILD=1 cargo build --profile production --target x86_64-unknown-linux-musl --bin polkadot-execute-worker --bin polkadot-prepare-worker.
    2. Runs list-syscalls.rb on both workers and compares the output to prepare-worker-syscalls and execute-worker-syscalls.
    3. Any changes should be reviewed manually. (I don't expect changes to occur often.)
@mrcnski mrcnski mentioned this issue Sep 21, 2023
Merged
@altaua altaua self-assigned this Sep 21, 2023
altaua pushed a commit to paritytech/scripts that referenced this issue Sep 21, 2023
feat(ci-unified): install musl rust toolchain
2b7afad 
Will be used by paritytech/polkadot-sdk#1652
This was referenced Sep 21, 2023
Merged
Closed
@github-project-automation github-project-automation bot moved this from Todo to Done in PVF Security Hardening Oct 17, 2023
bkchr pushed a commit that referenced this issue Apr 10, 2024
@svyatonik @bkchr
New relayer rewards scheme integration (#1652)
2c5e2f0 
* relayer rewards integration: initial commit

* added refund-relayer-extension to the millau runtime

* spelling

* spelling again

* new -> Default
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@altaua altaua

Labels
None yet
Projects
No open projects
PVF Security Hardening
Status: Done
Milestone
No milestone
2 participants
@mrcnski @altaua