firecracker-microvm · Manciukic · Feb 28, 2025 · Feb 28, 2025
diff --git a/docs/seccomp.md b/docs/seccomp.md
@@ -11,8 +11,8 @@ follows:
 - API - right before launching the HTTP server;
 - VCPUs - right before executing guest code.
 
-**Note**: On experimental GNU targets, there are no default seccomp filters
-installed, since they are not intended for production use.
+**Note**: On debug binaries and experimental GNU targets, there are no default
+seccomp filters installed, since they are not intended for production use.
 
 Firecracker uses JSON files for expressing the filter rules and relies on the
 [seccompiler](seccompiler.md) tool for all the seccomp functionality.
@@ -58,6 +58,12 @@ Potential use cases:
 - Users of experimentally-supported targets (like GNU libc builds) may be able
   to use this feature to implement seccomp filters without needing to have a
   custom build of Firecracker.
+- Users of debug binaries who need to use a seccomp filter for any reason will
+  be able to use this feature to implement seccomp filters without needing to
+  have a custom build of Firecracker. Note: there may be some differences in
+  syscalls between `debug` and `release` builds. A non-comprehensive list is:
+  - `fcntl(F_GETFD)` is used by debug assertions to verify a dropped `fd` is
+    valid.
 - Faced with a _theoretical_ production issue, due to a syscall that was issued
   by the Firecracker process, but not allowed by the seccomp policy, one may use
   a custom filter in order to quickly mitigate the issue. This can speed up the

diff --git a/src/firecracker/build.rs b/src/firecracker/build.rs
@@ -14,23 +14,34 @@ const SECCOMPILER_SRC_DIR: &str = "../seccompiler/src";
 fn main() {
     // Target triple
     let target = std::env::var("TARGET").expect("Missing target.");
+    let debug: bool = std::env::var("DEBUG")
+        .expect("Missing debug.")
+        .parse()
+        .expect("Invalid env variable DEBUG");
     let out_dir = std::env::var("OUT_DIR").expect("Missing build-level OUT_DIR.");
     // Target arch (x86_64 / aarch64)
     let target_arch = std::env::var("CARGO_CFG_TARGET_ARCH").expect("Missing target arch.");
 
     let seccomp_json_path = format!("{}/{}.json", JSON_DIR, target);
-    // If the current target doesn't have a default filter, use a default, empty filter.
+    // If the current target doesn't have a default filter, or if we're building a debug binary,
+    // use a default, empty filter.
     // This is to make sure that Firecracker builds even with libc toolchains for which we don't
     // provide a default filter. For example, GNU libc.
-    let seccomp_json_path = if Path::new(&seccomp_json_path).exists() {
-        seccomp_json_path
-    } else {
+    let seccomp_json_path = if debug {
+        println!(
+            "cargo:warning=Using empty default seccomp policy for debug builds: \
+             `resources/seccomp/unimplemented.json`."
+        );
+        format!("{}/unimplemented.json", JSON_DIR)
+    } else if !Path::new(&seccomp_json_path).exists() {
         println!(
             "cargo:warning=No default seccomp policy for target: {}. Defaulting to \
              `resources/seccomp/unimplemented.json`.",
             target
         );
         format!("{}/unimplemented.json", JSON_DIR)
+    } else {
+        seccomp_json_path
     };
 
     // Retrigger the build script if the JSON file has changed.