Rebase riscv seccomp patch
Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
This commit is contained in:
parent
4b1c1c812f
commit
a056577af6
|
@ -1,8 +1,15 @@
|
|||
From 6c7fa659b52a7f1645dba61aedea8a3d62a9ce39 Mon Sep 17 00:00:00 2001
|
||||
From: David Abdurachmanov <davidlt@rivosinc.com>
|
||||
Date: Fri, 10 Jun 2022 15:58:34 +0300
|
||||
Subject: [PATCH] Add riscv SECCOMP support
|
||||
|
||||
Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
|
||||
|
||||
diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
|
||||
index 6d9b125..6586d58 100644
|
||||
index fc79870..bebd440 100644
|
||||
--- a/src/basic/missing_syscall.h
|
||||
+++ b/src/basic/missing_syscall.h
|
||||
@@ -59,6 +59,8 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
|
||||
@@ -81,6 +81,8 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
|
||||
# define __NR_memfd_create 356
|
||||
# elif defined __arc__
|
||||
# define __NR_memfd_create 279
|
||||
|
@ -11,7 +18,7 @@ index 6d9b125..6586d58 100644
|
|||
# else
|
||||
# warning "__NR_memfd_create unknown for your architecture"
|
||||
# endif
|
||||
@@ -112,6 +114,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
|
||||
@@ -134,6 +136,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
|
||||
# endif
|
||||
# elif defined(__arc__)
|
||||
# define __NR_getrandom 278
|
||||
|
@ -20,7 +27,25 @@ index 6d9b125..6586d58 100644
|
|||
# else
|
||||
# warning "__NR_getrandom unknown for your architecture"
|
||||
# endif
|
||||
@@ -253,6 +257,8 @@ static inline pid_t raw_getpid(void) {
|
||||
@@ -179,6 +183,8 @@ static inline pid_t missing_gettid(void) {
|
||||
# define __NR_name_to_handle_at 345
|
||||
# elif defined(__arc__)
|
||||
# define __NR_name_to_handle_at 264
|
||||
+# elif defined(__riscv)
|
||||
+# define __NR_name_to_handle_at 264
|
||||
# elif defined _MIPS_SIM
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
# define systemd_NR_name_to_handle_at systemd_SC_arch_bias(339)
|
||||
@@ -224,6 +230,8 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
|
||||
# define __NR_setns 346
|
||||
# elif defined(__arc__)
|
||||
# define __NR_setns 268
|
||||
+# elif defined(__riscv)
|
||||
+# define __NR_setns 268
|
||||
# elif defined _MIPS_SIM
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
# define systemd_NR_setns systemd_SC_arch_bias(344)
|
||||
@@ -291,6 +299,8 @@ static inline pid_t raw_getpid(void) {
|
||||
# define __NR_renameat2 347
|
||||
# elif defined __arc__
|
||||
# define __NR_renameat2 276
|
||||
|
@ -29,25 +54,34 @@ index 6d9b125..6586d58 100644
|
|||
# else
|
||||
# warning "__NR_renameat2 unknown for your architecture"
|
||||
# endif
|
||||
@@ -344,6 +350,8 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
|
||||
@@ -382,6 +392,8 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
|
||||
# define __NR_copy_file_range 379
|
||||
# elif defined __arc__
|
||||
# define __NR_copy_file_range 285
|
||||
+# elif defined __riscv
|
||||
+# define __NR_copy_file_range 285
|
||||
# else
|
||||
# warning "__NR_copy_file_range not defined for your architecture"
|
||||
# endif
|
||||
@@ -386,6 +394,8 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
|
||||
# elif defined _MIPS_SIM
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
# define systemd_NR_copy_file_range systemd_SC_arch_bias(360)
|
||||
@@ -432,6 +444,8 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
|
||||
# define __NR_bpf 351
|
||||
# elif defined __tilegx__
|
||||
# define __NR_bpf 280
|
||||
+# elif defined __riscv
|
||||
+# define __NR_bpf 280
|
||||
# else
|
||||
# warning "__NR_bpf not defined for your architecture"
|
||||
# endif
|
||||
@@ -435,6 +445,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
||||
# elif defined _MIPS_SIM
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
# define systemd_NR_bpf systemd_SC_arch_bias(355)
|
||||
@@ -479,6 +493,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
||||
# define __NR_pkey_mprotect 386
|
||||
# elif defined __s390__
|
||||
# define __NR_pkey_mprotect 384
|
||||
+# elif defined __riscv
|
||||
+# define __NR_pkey_mprotect 288
|
||||
# elif defined _MIPS_SIM
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
# define __NR_pkey_mprotect 4363
|
||||
@@ -489,6 +505,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
||||
# if _MIPS_SIM == _MIPS_SIM_ABI64
|
||||
# define __NR_pkey_mprotect 5323
|
||||
# endif
|
||||
|
@ -56,17 +90,17 @@ index 6d9b125..6586d58 100644
|
|||
# else
|
||||
# warning "__NR_pkey_mprotect not defined for your architecture"
|
||||
# endif
|
||||
@@ -459,6 +471,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
||||
@@ -513,6 +531,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
||||
# define __NR_statx 383
|
||||
# elif defined __sparc__
|
||||
# define __NR_statx 360
|
||||
# elif defined __x86_64__
|
||||
# define __NR_statx 332
|
||||
+# elif defined __riscv
|
||||
+# if defined __riscv
|
||||
+# define __NR_statx 291
|
||||
# else
|
||||
# warning "__NR_statx not defined for your architecture"
|
||||
# endif
|
||||
# elif defined __x86_64__
|
||||
# define __NR_statx systemd_SC_arch_bias(332)
|
||||
# elif defined _MIPS_SIM
|
||||
diff --git a/src/basic/virt.c b/src/basic/virt.c
|
||||
index 3be3852..72792f5 100644
|
||||
index 35acc73..6da76d5 100644
|
||||
--- a/src/basic/virt.c
|
||||
+++ b/src/basic/virt.c
|
||||
@@ -84,7 +84,7 @@ static int detect_vm_cpuid(void) {
|
||||
|
@ -78,7 +112,7 @@ index 3be3852..72792f5 100644
|
|||
_cleanup_free_ char *hvtype = NULL;
|
||||
int r;
|
||||
|
||||
@@ -127,7 +127,7 @@ static int detect_vm_device_tree(void) {
|
||||
@@ -134,7 +134,7 @@ static int detect_vm_device_tree(void) {
|
||||
}
|
||||
|
||||
static int detect_vm_dmi(void) {
|
||||
|
@ -88,7 +122,7 @@ index 3be3852..72792f5 100644
|
|||
static const char *const dmi_vendors[] = {
|
||||
"/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */
|
||||
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
|
||||
index acfe435..30615c2 100644
|
||||
index 3f91b75..ab61915 100644
|
||||
--- a/src/shared/seccomp-util.c
|
||||
+++ b/src/shared/seccomp-util.c
|
||||
@@ -90,6 +90,8 @@ const uint32_t seccomp_local_archs[] = {
|
||||
|
@ -118,7 +152,7 @@ index acfe435..30615c2 100644
|
|||
else
|
||||
return -EINVAL;
|
||||
|
||||
@@ -1265,6 +1271,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
|
||||
@@ -1339,6 +1345,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||
case SCMP_ARCH_MIPS64N32:
|
||||
case SCMP_ARCH_MIPSEL64:
|
||||
case SCMP_ARCH_MIPS64:
|
||||
|
@ -126,7 +160,7 @@ index acfe435..30615c2 100644
|
|||
/* These we know we support (i.e. are the ones that do not use socketcall()) */
|
||||
supported = true;
|
||||
break;
|
||||
@@ -1503,7 +1510,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
|
||||
@@ -1579,7 +1586,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
|
||||
}
|
||||
|
||||
/* For known architectures, check that syscalls are indeed defined or not. */
|
||||
|
@ -135,13 +169,13 @@ index acfe435..30615c2 100644
|
|||
assert_cc(SCMP_SYS(shmget) > 0);
|
||||
assert_cc(SCMP_SYS(shmat) > 0);
|
||||
assert_cc(SCMP_SYS(shmdt) > 0);
|
||||
@@ -1548,13 +1555,14 @@ int seccomp_memory_deny_write_execute(void) {
|
||||
@@ -1624,13 +1631,14 @@ int seccomp_memory_deny_write_execute(void) {
|
||||
case SCMP_ARCH_X86_64:
|
||||
case SCMP_ARCH_X32:
|
||||
case SCMP_ARCH_AARCH64:
|
||||
case SCMP_ARCH_S390X:
|
||||
- filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, and arm64 have only mmap */
|
||||
+ case SCMP_ARCH_RISCV64:
|
||||
+ filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, arm64, and riscv64 have only mmap */
|
||||
- filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */
|
||||
+ case SCMP_ARCH_RISCV64:
|
||||
+ filter_syscall = SCMP_SYS(mmap); /* amd64, x32. arm64 and riscv64 have only mmap */
|
||||
shmat_syscall = SCMP_SYS(shmat);
|
||||
break;
|
||||
|
||||
|
@ -153,10 +187,10 @@ index acfe435..30615c2 100644
|
|||
#endif
|
||||
}
|
||||
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
|
||||
index 435ab39..0aca8ae 100644
|
||||
index 9ca0620..e673ea9 100644
|
||||
--- a/src/test/test-execute.c
|
||||
+++ b/src/test/test-execute.c
|
||||
@@ -275,6 +275,9 @@ static void test_exec_personality(Manager *m) {
|
||||
@@ -277,6 +277,9 @@ static void test_exec_personality(Manager *m) {
|
||||
#elif defined(__aarch64__)
|
||||
test(__func__, m, "exec-personality-aarch64.service", 0, CLD_EXITED);
|
||||
|
||||
|
@ -167,10 +201,10 @@ index 435ab39..0aca8ae 100644
|
|||
test(__func__, m, "exec-personality-x86.service", 0, CLD_EXITED);
|
||||
#else
|
||||
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
|
||||
index a906070..e1b71dd 100644
|
||||
index b685c2d..8647656 100644
|
||||
--- a/src/test/test-seccomp.c
|
||||
+++ b/src/test/test-seccomp.c
|
||||
@@ -72,7 +72,8 @@ static void test_architecture_table(void) {
|
||||
@@ -74,7 +74,8 @@ static void test_architecture_table(void) {
|
||||
"ppc64\0"
|
||||
"ppc64-le\0"
|
||||
"s390\0"
|
||||
|
@ -180,7 +214,7 @@ index a906070..e1b71dd 100644
|
|||
uint32_t c;
|
||||
|
||||
assert_se(seccomp_arch_from_string(n, &c) >= 0);
|
||||
@@ -489,7 +490,7 @@ static void test_memory_deny_write_execute_mmap(void) {
|
||||
@@ -538,7 +539,7 @@ static void test_memory_deny_write_execute_mmap(void) {
|
||||
assert_se(seccomp_memory_deny_write_execute() >= 0);
|
||||
|
||||
p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
|
||||
|
@ -188,8 +222,8 @@ index a906070..e1b71dd 100644
|
|||
+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
|
||||
assert_se(p == MAP_FAILED);
|
||||
assert_se(errno == EPERM);
|
||||
#else /* unknown architectures */
|
||||
@@ -552,7 +553,7 @@ static void test_memory_deny_write_execute_shmat(void) {
|
||||
#endif
|
||||
@@ -602,7 +603,7 @@ static void test_memory_deny_write_execute_shmat(void) {
|
||||
|
||||
p = shmat(shmid, NULL, SHM_EXEC);
|
||||
log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
|
||||
|
@ -211,3 +245,6 @@ index 0000000..ab20396
|
|||
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "riscv64")'
|
||||
+Type=oneshot
|
||||
+Personality=riscv64
|
||||
--
|
||||
2.35.1
|
||||
|
|
@ -80,7 +80,7 @@ Patch0007: 0001-Do-not-assert-in-test_add_acls_for_user.patch
|
|||
|
||||
Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
|
||||
|
||||
Patch0040: systemd-seccomp-riscv64.patch
|
||||
Patch0040: 0001-Add-riscv-SECCOMP-support.patch
|
||||
|
||||
%ifarch %{ix86} x86_64 aarch64
|
||||
%global have_gnu_efi 1
|
||||
|
|
Loading…
Reference in New Issue