From 5231b108f5d5924381e58182f8fd2592d1077caf Mon Sep 17 00:00:00 2001
|
|
From: David Abdurachmanov <davidlt@rivosinc.com>
|
|
Date: Fri, 10 Jun 2022 15:58:34 +0300
|
|
Subject: [PATCH] Add riscv SECCOMP support
|
|
|
|
Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
|
|
|
|
diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
|
|
index fc79870..e4daadc 100644
|
|
--- a/src/basic/missing_syscall.h
|
|
+++ b/src/basic/missing_syscall.h
|
|
@@ -81,6 +81,8 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
|
|
# define __NR_memfd_create 356
|
|
# elif defined __arc__
|
|
# define __NR_memfd_create 279
|
|
+# elif defined __riscv
|
|
+# define __NR_memfd_create 279
|
|
# else
|
|
# warning "__NR_memfd_create unknown for your architecture"
|
|
# endif
|
|
@@ -134,6 +136,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
|
|
# endif
|
|
# elif defined(__arc__)
|
|
# define __NR_getrandom 278
|
|
+# elif defined(__riscv)
|
|
+# define __NR_getrandom 278
|
|
# else
|
|
# warning "__NR_getrandom unknown for your architecture"
|
|
# endif
|
|
@@ -179,6 +183,8 @@ static inline pid_t missing_gettid(void) {
|
|
# define __NR_name_to_handle_at 345
|
|
# elif defined(__arc__)
|
|
# define __NR_name_to_handle_at 264
|
|
+# elif defined(__riscv)
|
|
+# define __NR_name_to_handle_at 264
|
|
# elif defined _MIPS_SIM
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
|
# define systemd_NR_name_to_handle_at systemd_SC_arch_bias(339)
|
|
@@ -224,6 +230,8 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
|
|
# define __NR_setns 346
|
|
# elif defined(__arc__)
|
|
# define __NR_setns 268
|
|
+# elif defined(__riscv)
|
|
+# define __NR_setns 268
|
|
# elif defined _MIPS_SIM
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
|
# define systemd_NR_setns systemd_SC_arch_bias(344)
|
|
@@ -291,6 +299,8 @@ static inline pid_t raw_getpid(void) {
|
|
# define __NR_renameat2 347
|
|
# elif defined __arc__
|
|
# define __NR_renameat2 276
|
|
+# elif defined __riscv
|
|
+# define __NR_renameat2 276
|
|
# else
|
|
# warning "__NR_renameat2 unknown for your architecture"
|
|
# endif
|
|
@@ -382,6 +392,8 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
|
|
# define __NR_copy_file_range 379
|
|
# elif defined __arc__
|
|
# define __NR_copy_file_range 285
|
|
+# elif defined __riscv
|
|
+# define __NR_copy_file_range 285
|
|
# elif defined _MIPS_SIM
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
|
# define systemd_NR_copy_file_range systemd_SC_arch_bias(360)
|
|
@@ -432,6 +444,8 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
|
|
# define __NR_bpf 351
|
|
# elif defined __tilegx__
|
|
# define __NR_bpf 280
|
|
+# elif defined __riscv
|
|
+# define __NR_bpf 280
|
|
# elif defined _MIPS_SIM
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
|
# define systemd_NR_bpf systemd_SC_arch_bias(355)
|
|
@@ -479,6 +493,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
|
# define __NR_pkey_mprotect 386
|
|
# elif defined __s390__
|
|
# define __NR_pkey_mprotect 384
|
|
+# elif defined __riscv
|
|
+# define __NR_pkey_mprotect 288
|
|
# elif defined _MIPS_SIM
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI32
|
|
# define __NR_pkey_mprotect 4363
|
|
@@ -489,6 +505,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
|
# if _MIPS_SIM == _MIPS_SIM_ABI64
|
|
# define __NR_pkey_mprotect 5323
|
|
# endif
|
|
+# elif defined __riscv
|
|
+# define __NR_pkey_mprotect 288
|
|
# else
|
|
# warning "__NR_pkey_mprotect not defined for your architecture"
|
|
# endif
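Review bot: The second `# elif defined __riscv` added here, after the MIPS `# endif`, can never be selected, because the previous hunk already adds an identical `# elif defined __riscv` branch to the same `__NR_pkey_mprotect` ladder, right after the `__s390__` case. Both copies define 288, so nothing breaks today, but a later edit to one copy would silently leave the other stale. I would drop this second pair and keep the earlier one. The conditional ladder starts above the hunk, so this assumes both hunks sit in the same `#if`/`#elif` chain, which the shared `_MIPS_SIM` context and adjacent line numbers indicate.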
|
|
@@ -513,6 +531,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
|
|
# define __NR_statx 383
|
|
# elif defined __sparc__
|
|
# define __NR_statx 360
|
|
+# elif defined __riscv
|
|
+# define __NR_statx 291
|
|
# elif defined __x86_64__
|
|
# define __NR_statx systemd_SC_arch_bias(332)
|
|
# elif defined _MIPS_SIM
|
|
diff --git a/src/basic/virt.c b/src/basic/virt.c
|
|
index 35acc73..6da76d5 100644
|
|
--- a/src/basic/virt.c
|
|
+++ b/src/basic/virt.c
|
|
@@ -84,7 +84,7 @@ static int detect_vm_cpuid(void) {
|
|
}
|
|
|
|
static int detect_vm_device_tree(void) {
|
|
-#if defined(__arm__) || defined(__aarch64__) || defined(__powerpc__) || defined(__powerpc64__)
|
|
+#if defined(__arm__) || defined(__aarch64__) || defined(__powerpc__) || defined(__powerpc64__) || defined(__riscv)
|
|
_cleanup_free_ char *hvtype = NULL;
|
|
int r;
|
|
|
|
@@ -134,7 +134,7 @@ static int detect_vm_device_tree(void) {
|
|
}
|
|
|
|
static int detect_vm_dmi(void) {
|
|
-#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
|
|
+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
|
|
|
|
static const char *const dmi_vendors[] = {
|
|
"/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */
|
|
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
|
|
index 3f91b75..ab61915 100644
|
|
--- a/src/shared/seccomp-util.c
|
|
+++ b/src/shared/seccomp-util.c
|
|
@@ -90,6 +90,8 @@ const uint32_t seccomp_local_archs[] = {
|
|
SCMP_ARCH_S390X, /* native */
|
|
#elif defined(__s390__)
|
|
SCMP_ARCH_S390,
|
|
+#elif defined(__riscv) && __riscv_xlen == 64
|
|
+ SCMP_ARCH_RISCV64, /* native */
|
|
#endif
|
|
(uint32_t) -1
|
|
};
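Review bot: `SCMP_ARCH_RISCV64` is used without checking that the installed libseccomp headers define it, here in the seccomp_local_archs[] entry and, unconditionally, in the `case SCMP_ARCH_RISCV64:` labels and the `*ret = SCMP_ARCH_RISCV64;` assignment added by the later hunks of this file. With headers that predate riscv64 support, those unconditional uses would break the build on every architecture, not only on RISC-V. Unless the build already requires a new enough libseccomp (not visible in this patch), I would write the table entry as `#elif defined(__riscv) && __riscv_xlen == 64 && defined(SCMP_ARCH_RISCV64)` and wrap each later use in `#ifdef SCMP_ARCH_RISCV64` … `#endif`. The affected functions are seccomp_arch_to_string(), seccomp_arch_from_string(), seccomp_restrict_address_families() and seccomp_memory_deny_write_execute().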
|
|
@@ -135,6 +137,8 @@ const char* seccomp_arch_to_string(uint32_t c) {
|
|
return "s390";
|
|
case SCMP_ARCH_S390X:
|
|
return "s390x";
|
|
+ case SCMP_ARCH_RISCV64:
|
|
+ return "riscv64";
|
|
default:
|
|
return NULL;
|
|
}
|
|
@@ -180,6 +184,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
|
|
*ret = SCMP_ARCH_S390;
|
|
else if (streq(n, "s390x"))
|
|
*ret = SCMP_ARCH_S390X;
|
|
+ else if (streq(n, "riscv64"))
|
|
+ *ret = SCMP_ARCH_RISCV64;
|
|
else
|
|
return -EINVAL;
|
|
|
|
@@ -1339,6 +1345,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
|
case SCMP_ARCH_MIPS64N32:
|
|
case SCMP_ARCH_MIPSEL64:
|
|
case SCMP_ARCH_MIPS64:
|
|
+ case SCMP_ARCH_RISCV64:
|
|
/* These we know we support (i.e. are the ones that do not use socketcall()) */
|
|
supported = true;
|
|
break;
|
|
@@ -1579,7 +1586,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
|
|
}
|
|
|
|
/* For known architectures, check that syscalls are indeed defined or not. */
|
|
-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
|
|
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
|
|
assert_cc(SCMP_SYS(shmget) > 0);
|
|
assert_cc(SCMP_SYS(shmat) > 0);
|
|
assert_cc(SCMP_SYS(shmdt) > 0);
|
|
@@ -1624,13 +1631,14 @@ int seccomp_memory_deny_write_execute(void) {
|
|
case SCMP_ARCH_X86_64:
|
|
case SCMP_ARCH_X32:
|
|
case SCMP_ARCH_AARCH64:
|
|
- filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */
|
|
+ case SCMP_ARCH_RISCV64:
|
|
+ filter_syscall = SCMP_SYS(mmap); /* amd64, x32. arm64 and riscv64 have only mmap */
|
|
shmat_syscall = SCMP_SYS(shmat);
|
|
break;
|
|
|
|
/* Please add more definitions here, if you port systemd to other architectures! */
|
|
|
|
-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__s390__) && !defined(__s390x__)
|
|
+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__s390__) && !defined(__s390x__) && !defined(__riscv)
|
|
#warning "Consider adding the right mmap() syscall definitions here!"
|
|
#endif
|
|
}
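Review bot: The `#warning` guard at the end of this hunk now excludes every `__riscv` target, but the only case added to the switch is `SCMP_ARCH_RISCV64`, and seccomp_local_archs[] gains an entry only when `__riscv_xlen == 64`. A 32-bit RISC-V build would therefore lose the "Consider adding the right mmap() syscall definitions here!" reminder while, as far as the visible lines show, no W^X filter is set up for its architecture. Narrowing the new term to `&& !(defined(__riscv) && __riscv_xlen == 64)` keeps the reminder accurate; the `|| defined(__riscv)` terms in the assert_cc guard in the previous hunk and in the two test-seccomp.c `#if` lists deserve the same qualifier. The comment on the new mmap line reads `x32. arm64`, where a comma was probably intended. The function body starts above the hunk.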
|
|
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
|
|
index 9ca0620..e673ea9 100644
|
|
--- a/src/test/test-execute.c
|
|
+++ b/src/test/test-execute.c
|
|
@@ -277,6 +277,9 @@ static void test_exec_personality(Manager *m) {
|
|
#elif defined(__aarch64__)
|
|
test(__func__, m, "exec-personality-aarch64.service", 0, CLD_EXITED);
|
|
|
|
+#elif defined(__riscv__) && __riscv_xlen == 64
|
|
+ test(__func__, m, "exec-personality-riscv64.service", 0, CLD_EXITED);
|
|
+
|
|
#elif defined(__i386__)
|
|
test(__func__, m, "exec-personality-x86.service", 0, CLD_EXITED);
|
|
#else
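Review bot: The new branch tests `defined(__riscv__)`, while every other hunk in this patch tests `__riscv`. Current GCC and Clang predefine `__riscv`, and as far as I know they do not define the double-underscore form, so on riscv64 this condition would be false. The preprocessor would then fall through to the later branches and the newly added exec-personality-riscv64.service would never run. Use `#elif defined(__riscv) && __riscv_xlen == 64`, which also matches the guard used for seccomp_local_archs[]. test_exec_personality() begins above the hunk and continues below it.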
|
|
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
|
|
index b685c2d..8647656 100644
|
|
--- a/src/test/test-seccomp.c
|
|
+++ b/src/test/test-seccomp.c
|
|
@@ -74,7 +74,8 @@ static void test_architecture_table(void) {
|
|
"ppc64\0"
|
|
"ppc64-le\0"
|
|
"s390\0"
|
|
- "s390x\0") {
|
|
+ "s390x\0"
|
|
+ "riscv64\0") {
|
|
uint32_t c;
|
|
|
|
assert_se(seccomp_arch_from_string(n, &c) >= 0);
|
|
@@ -538,7 +539,7 @@ static void test_memory_deny_write_execute_mmap(void) {
|
|
assert_se(seccomp_memory_deny_write_execute() >= 0);
|
|
|
|
p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
|
|
-#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
|
|
+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
|
|
assert_se(p == MAP_FAILED);
|
|
assert_se(errno == EPERM);
|
|
#endif
|
|
@@ -602,7 +603,7 @@ static void test_memory_deny_write_execute_shmat(void) {
|
|
|
|
p = shmat(shmid, NULL, SHM_EXEC);
|
|
log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
|
|
-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
|
|
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__riscv)
|
|
assert_se(p == MAP_FAILED);
|
|
assert_se(errno == EPERM);
|
|
#endif
|
|
diff --git a/test/test-execute/exec-personality-riscv64.service b/test/test-execute/exec-personality-riscv64.service
|
|
new file mode 100644
|
|
index 0000000..ab20396
|
|
--- /dev/null
|
|
+++ b/test/test-execute/exec-personality-riscv64.service
|
|
@@ -0,0 +1,7 @@
|
|
+[Unit]
|
|
+Description=Test for Personality=riscv64
|
|
+
|
|
+[Service]
|
|
+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "riscv64")'
|
|
+Type=oneshot
|
|
+Personality=riscv64
|
|
--
|
|
2.35.1
|
|
|