seccomp: add support for riscv64 by mbiebl · Pull Request #15176 · systemd/systemd

mbiebl · 2020-03-20T18:18:53Z

This patch adds seccomp support to the riscv64 architecture. seccomp
support is available in the riscv64 kernel since version 5.5, and it
has just been added to the libseccomp library.

riscv64 uses generic syscalls like aarch64, so I used that architecture
as a reference to find which code has to be modified.

With this patch, the testsuite passes successfully, including the
test-seccomp test. The system boots and works fine with kernel 5.4 (i.e.
without seccomp support) and kernel 5.5 (i.e. with seccomp support). I
have also verified that the "SystemCallFilter=~socket" option prevents a
service to use the ping utility when running on kernel 5.5.

Patch courtesy of Aurelien Jarno [email protected]

This patch adds seccomp support to the riscv64 architecture. seccomp support is available in the riscv64 kernel since version 5.5, and it has just been added to the libseccomp library. riscv64 uses generic syscalls like aarch64, so I used that architecture as a reference to find which code has to be modified. With this patch, the testsuite passes successfully, including the test-seccomp test. The system boots and works fine with kernel 5.4 (i.e. without seccomp support) and kernel 5.5 (i.e. with seccomp support). I have also verified that the "SystemCallFilter=~socket" option prevents a service to use the ping utility when running on kernel 5.5.

mbiebl · 2020-03-20T18:46:36Z

seccomp/libseccomp@5b03588

keszybz · 2020-03-24T09:52:52Z

semaphoreci:

../src/basic/macro.h:494:73: note: in definition of macro ‘IN_SET’
                 static const long double __assert_in_set[] _unused_ = { __VA_ARGS__ }; \
                                                                         ^~~~~~~~~~~
../src/shared/seccomp-util.c: In function ‘seccomp_restrict_address_families’:
../src/shared/seccomp-util.c:1346:22: error: ‘SCMP_ARCH_RISCV64’ undeclared (first use in this function); did you mean ‘SCMP_ARCH_PARISC64’?
                 case SCMP_ARCH_RISCV64:
                      ^~~~~~~~~~~~~~~~~
                      SCMP_ARCH_PARISC64
../src/shared/seccomp-util.c: In function ‘seccomp_memory_deny_write_execute’:
../src/shared/seccomp-util.c:1630:22: error: ‘SCMP_ARCH_RISCV64’ undeclared (first use in this function); did you mean ‘SCMP_ARCH_PARISC64’?
                 case SCMP_ARCH_RISCV64:
                      ^~~~~~~~~~~~~~~~~
                      SCMP_ARCH_PARISC64

azure and centos ci fail similarly.

mbiebl · 2020-03-24T14:32:08Z

This needs the above commit in libseccomp. Afaics there is no official release yet of libseccomp with that commit though (in Debian it was cherry-picked).
Once that happens, I assume the min version in meson.build would have to be bumped as well.

keszybz · 2020-03-24T15:08:16Z

If this is too be merged anytime soon, it'll have to be amended to not break with older libseccomp and kernels.

mbiebl · 2020-03-24T18:41:37Z

@aurel32 ^

mbiebl · 2020-04-10T09:47:53Z

Let's postpone this until we have a libseccomp upstream release support riscv64. I hope it's ok to leave this PR open.

poettering · 2020-05-14T16:00:46Z

where are we with this?

SNiTEBoBy

Pull requested

poettering · 2020-08-18T14:33:52Z

so an uptsream libseccomp version has long been released. Either way this patch requires some ifdeffery so that we don't use the definition if it isn't there. We have similar ifdeffery for PARISC, it's not difficult to add to RISCV too.

Dropping the "postponed" flag, since it's not really about that anymore. The patch just needs some ifdeffery now.

poettering · 2020-08-18T14:36:47Z

/cc @aurel32

aurel32 · 2020-08-19T17:41:03Z

It appears that support for PARISC is limited to src/nspawn/nspawn-oci.c. I guess Ie should use the same #ifdef strategy in the other parts of the code.

aurel32 · 2020-08-19T20:49:45Z

I have just done that there: aurel32@f81ee95

As I am not the creator of this PR, not sure how to continue further. Should I just create a new one?

keszybz · 2020-08-20T07:49:38Z

Yes, please create a new PR.

aurel32 · 2020-08-20T16:50:32Z

Yes, please create a new PR.

Done, it's PR #16807. Please close this one.

anitazha added the seccomp label Mar 23, 2020

keszybz added the ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR label Mar 24, 2020

poettering added the postponed label Apr 10, 2020

SNiTEBoBy suggested changes Jun 10, 2020

View reviewed changes

poettering added reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks and removed postponed labels Aug 18, 2020

aurel32 mentioned this pull request Aug 20, 2020

seccomp: add support for riscv64 #16807

Merged

keszybz added the replaced-by-newer-pr label Aug 20, 2020

keszybz closed this Aug 20, 2020

Uh oh!

Conversation

mbiebl commented Mar 20, 2020

Uh oh!

mbiebl commented Mar 20, 2020

Uh oh!

keszybz commented Mar 24, 2020

Uh oh!

mbiebl commented Mar 24, 2020

Uh oh!

keszybz commented Mar 24, 2020

Uh oh!

mbiebl commented Mar 24, 2020

Uh oh!

mbiebl commented Apr 10, 2020

Uh oh!

poettering commented May 14, 2020

Uh oh!

SNiTEBoBy left a comment

Choose a reason for hiding this comment

Uh oh!

poettering commented Aug 18, 2020

Uh oh!

poettering commented Aug 18, 2020

Uh oh!

aurel32 commented Aug 19, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

aurel32 commented Aug 19, 2020

Uh oh!

keszybz commented Aug 20, 2020

Uh oh!

aurel32 commented Aug 20, 2020

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

6 participants

aurel32 commented Aug 19, 2020 •

edited

Loading