Rebase riscv seccomp patch

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
David Abdurachmanov 2022-06-10 16:01:09 +03:00
parent 4b1c1c812f
commit a056577af6
Signed by: davidlt
GPG Key ID: 8B7F1DA0E2C9FDBB
2 changed files with 75 additions and 38 deletions


@ -1,8 +1,15 @@
From 6c7fa659b52a7f1645dba61aedea8a3d62a9ce39 Mon Sep 17 00:00:00 2001
From: David Abdurachmanov <davidlt@rivosinc.com>
Date: Fri, 10 Jun 2022 15:58:34 +0300
Subject: [PATCH] Add riscv SECCOMP support
Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
index 6d9b125..6586d58 100644
index fc79870..bebd440 100644
--- a/src/basic/missing_syscall.h
+++ b/src/basic/missing_syscall.h
@@ -59,6 +59,8 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
@@ -81,6 +81,8 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
# define __NR_memfd_create 356
# elif defined __arc__
# define __NR_memfd_create 279
@ -11,7 +18,7 @@ index 6d9b125..6586d58 100644
# else
# warning "__NR_memfd_create unknown for your architecture"
# endif
@@ -112,6 +114,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
@@ -134,6 +136,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
# endif
# elif defined(__arc__)
# define __NR_getrandom 278
@ -20,7 +27,25 @@ index 6d9b125..6586d58 100644
# else
# warning "__NR_getrandom unknown for your architecture"
# endif
@@ -253,6 +257,8 @@ static inline pid_t raw_getpid(void) {
@@ -179,6 +183,8 @@ static inline pid_t missing_gettid(void) {
# define __NR_name_to_handle_at 345
# elif defined(__arc__)
# define __NR_name_to_handle_at 264
+# elif defined(__riscv)
+# define __NR_name_to_handle_at 264
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_name_to_handle_at systemd_SC_arch_bias(339)
@@ -224,6 +230,8 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
# define __NR_setns 346
# elif defined(__arc__)
# define __NR_setns 268
+# elif defined(__riscv)
+# define __NR_setns 268
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_setns systemd_SC_arch_bias(344)
@@ -291,6 +299,8 @@ static inline pid_t raw_getpid(void) {
# define __NR_renameat2 347
# elif defined __arc__
# define __NR_renameat2 276
@ -29,25 +54,34 @@ index 6d9b125..6586d58 100644
# else
# warning "__NR_renameat2 unknown for your architecture"
# endif
@@ -344,6 +350,8 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
@@ -382,6 +392,8 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
# define __NR_copy_file_range 379
# elif defined __arc__
# define __NR_copy_file_range 285
+# elif defined __riscv
+# define __NR_copy_file_range 285
# else
# warning "__NR_copy_file_range not defined for your architecture"
# endif
@@ -386,6 +394,8 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_copy_file_range systemd_SC_arch_bias(360)
@@ -432,6 +444,8 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
# define __NR_bpf 351
# elif defined __tilegx__
# define __NR_bpf 280
+# elif defined __riscv
+# define __NR_bpf 280
# else
# warning "__NR_bpf not defined for your architecture"
# endif
@@ -435,6 +445,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_bpf systemd_SC_arch_bias(355)
@@ -479,6 +493,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
# define __NR_pkey_mprotect 386
# elif defined __s390__
# define __NR_pkey_mprotect 384
+# elif defined __riscv
+# define __NR_pkey_mprotect 288
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define __NR_pkey_mprotect 4363
@@ -489,6 +505,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define __NR_pkey_mprotect 5323
# endif
@ -56,17 +90,17 @@ index 6d9b125..6586d58 100644
# else
# warning "__NR_pkey_mprotect not defined for your architecture"
# endif
@@ -459,6 +471,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
@@ -513,6 +531,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
# define __NR_statx 383
# elif defined __sparc__
# define __NR_statx 360
# elif defined __x86_64__
# define __NR_statx 332
+# elif defined __riscv
+# if defined __riscv
+# define __NR_statx 291
# else
# warning "__NR_statx not defined for your architecture"
# endif
# elif defined __x86_64__
# define __NR_statx systemd_SC_arch_bias(332)
# elif defined _MIPS_SIM
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 3be3852..72792f5 100644
index 35acc73..6da76d5 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -84,7 +84,7 @@ static int detect_vm_cpuid(void) {
@ -78,7 +112,7 @@ index 3be3852..72792f5 100644
_cleanup_free_ char *hvtype = NULL;
int r;
@@ -127,7 +127,7 @@ static int detect_vm_device_tree(void) {
@@ -134,7 +134,7 @@ static int detect_vm_device_tree(void) {
}
static int detect_vm_dmi(void) {
@ -88,7 +122,7 @@ index 3be3852..72792f5 100644
static const char *const dmi_vendors[] = {
"/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index acfe435..30615c2 100644
index 3f91b75..ab61915 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -90,6 +90,8 @@ const uint32_t seccomp_local_archs[] = {
@ -118,7 +152,7 @@ index acfe435..30615c2 100644
else
return -EINVAL;
@@ -1265,6 +1271,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
@@ -1339,6 +1345,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
case SCMP_ARCH_MIPS64N32:
case SCMP_ARCH_MIPSEL64:
case SCMP_ARCH_MIPS64:
@ -126,7 +160,7 @@ index acfe435..30615c2 100644
/* These we know we support (i.e. are the ones that do not use socketcall()) */
supported = true;
break;
@@ -1503,7 +1510,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
@@ -1579,7 +1586,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
}
/* For known architectures, check that syscalls are indeed defined or not. */
@ -135,13 +169,13 @@ index acfe435..30615c2 100644
assert_cc(SCMP_SYS(shmget) > 0);
assert_cc(SCMP_SYS(shmat) > 0);
assert_cc(SCMP_SYS(shmdt) > 0);
@@ -1548,13 +1555,14 @@ int seccomp_memory_deny_write_execute(void) {
@@ -1624,13 +1631,14 @@ int seccomp_memory_deny_write_execute(void) {
case SCMP_ARCH_X86_64:
case SCMP_ARCH_X32:
case SCMP_ARCH_AARCH64:
case SCMP_ARCH_S390X:
- filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, and arm64 have only mmap */
+ case SCMP_ARCH_RISCV64:
+ filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, arm64, and riscv64 have only mmap */
- filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */
+ case SCMP_ARCH_RISCV64:
+ filter_syscall = SCMP_SYS(mmap); /* amd64, x32. arm64 and riscv64 have only mmap */
shmat_syscall = SCMP_SYS(shmat);
break;
@ -153,10 +187,10 @@ index acfe435..30615c2 100644
#endif
}
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 435ab39..0aca8ae 100644
index 9ca0620..e673ea9 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -275,6 +275,9 @@ static void test_exec_personality(Manager *m) {
@@ -277,6 +277,9 @@ static void test_exec_personality(Manager *m) {
#elif defined(__aarch64__)
test(__func__, m, "exec-personality-aarch64.service", 0, CLD_EXITED);
@ -167,10 +201,10 @@ index 435ab39..0aca8ae 100644
test(__func__, m, "exec-personality-x86.service", 0, CLD_EXITED);
#else
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index a906070..e1b71dd 100644
index b685c2d..8647656 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -72,7 +72,8 @@ static void test_architecture_table(void) {
@@ -74,7 +74,8 @@ static void test_architecture_table(void) {
"ppc64\0"
"ppc64-le\0"
"s390\0"
@ -180,7 +214,7 @@ index a906070..e1b71dd 100644
uint32_t c;
assert_se(seccomp_arch_from_string(n, &c) >= 0);
@@ -489,7 +490,7 @@ static void test_memory_deny_write_execute_mmap(void) {
@@ -538,7 +539,7 @@ static void test_memory_deny_write_execute_mmap(void) {
assert_se(seccomp_memory_deny_write_execute() >= 0);
p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
@ -188,8 +222,8 @@ index a906070..e1b71dd 100644
+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
assert_se(p == MAP_FAILED);
assert_se(errno == EPERM);
#else /* unknown architectures */
@@ -552,7 +553,7 @@ static void test_memory_deny_write_execute_shmat(void) {
#endif
@@ -602,7 +603,7 @@ static void test_memory_deny_write_execute_shmat(void) {
p = shmat(shmid, NULL, SHM_EXEC);
log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
@ -211,3 +245,6 @@ index 0000000..ab20396
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "riscv64")'
+Type=oneshot
+Personality=riscv64
--
2.35.1
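Review bot: In the `__NR_statx` chain of the missing_syscall.h hunk, the rebased line reads `+# if defined __riscv` while every sibling architecture in the same chain uses `# elif` (see `# elif defined __x86_64__` directly above it); if that is the new side of the outer diff rather than the pre-rebase `+# elif defined __riscv` printed beside it, the nested `# if` has no `# endif` of its own, so the following `# else` / `# endif` close it instead of the outer chain and the header no longer preprocesses. The line should be `+# elif defined __riscv`, consistent with the riscv additions this same patch makes for `__NR_copy_file_range`, `__NR_bpf` and `__NR_pkey_mprotect`. The old and new sides of this rendered section are interleaved, so confirm against the committed patch file before changing it. Separately, the seccomp-util.c hunk in `seccomp_memory_deny_write_execute` carries the comment `/* amd64, x32. arm64 and riscv64 have only mmap */`; if that variant is the new side, the period after x32 should be a comma, and since `case SCMP_ARCH_S390X:` is still in that case group the list would be more accurate as `/* amd64, x32, s390x, arm64, and riscv64 have only mmap */`. The enclosing switch and the preprocessor chain both extend beyond the visible hunk lines.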


@ -80,7 +80,7 @@ Patch0007: 0001-Do-not-assert-in-test_add_acls_for_user.patch
Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
Patch0040: systemd-seccomp-riscv64.patch
Patch0040: 0001-Add-riscv-SECCOMP-support.patch
%ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1