laanwj
commented at 10:11 pm on October 4, 2021:
member
Looks like we’ve broken the GUIX build in #20487. This attempts to fix it:
Define `__NR_statx`, `__NR_getrandom`, `__NR_membarrier` as some kernel headers lack them, and it’s important to have the same profile independent on what kernel is used for building.
Define `SECCOMP_RET_KILL_PROCESS` as it isn’t defined in the headers.
laanwj added the label
Build system
on Oct 4, 2021
laanwj added the label
Utils/log/libs
on Oct 4, 2021
laanwj requested review from practicalswift
on Oct 4, 2021
laanwj requested review from dongcarl
on Oct 4, 2021
laanwj
commented at 10:21 pm on October 4, 2021:
member
Thinking of it, I’m not sure this is the right solution. statx is not directly used by us, but by libc. What if the resulting binary is run against a more recent version of libc (remember, we link libc dynamically), it will use the system call but not be allowed to, so fail?
laanwj
commented at 12:02 pm on October 5, 2021:
member
Can remove this line now?
I’m still not decided what I want to do with that table, but it’s supposed to be more or less platform-independent (see also discussion here: #20487 (review)). I left the conditional like this for platforms that really don’t have the getrandom/membarrier call.
util: Make sure syscall numbers used in profile are defined
Define the following syscall numbers for x86_64, so that the profile
will be the same no matter what kernel is built against, including
kernels that don't have `__NR_statx`:
```c++
#define __NR_statx 332
#define __NR_getrandom 318
#define __NR_membarrier 324
```
2d0279987e
laanwj force-pushed
on Oct 5, 2021
laanwj
commented at 12:43 pm on October 5, 2021:
member
Anyhow, removed them and force-pushed. I agree it’s also somewhat confusing and they can always be added again.
practicalswift
commented at 12:56 pm on October 5, 2021:
contributor
cr ACK 2d0279987ef04edda5f61c171768b9527cc936cc
Thanks for quickly resolving this!
practicalswift
commented at 2:15 pm on October 5, 2021:
contributor
FWIW this is how minijail (a sandboxing and containment tool used in Chrome OS and Android) handles this:
```c
/* Ideally minijail is compiled against a modern libc, which has modern copies
 * of Linux uapi for ioctls, and unistd.h for syscalls. However, sometimes this
 * isn't possible - such as when building with the Android host toolchain - so
 * locally define the system calls in use in active seccomp policy files.
 * This UAPI is taken from sanitized bionic headers.
 */

#ifndef __NR_copy_file_range
#ifdef __x86_64__
#define __NR_copy_file_range 326
#elif __i386__
#define __NR_copy_file_range 377
#elif __arm64__
#define __NR_copy_file_range 285
#endif
#endif /* __NR_copy_file_range */
…
```
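The pattern discussed in this thread (pin the x86_64 syscall numbers and seccomp return codes with `#ifndef` fallbacks so the profile is identical no matter which kernel headers were present at build time), worked through as an added example that is not code from Bitcoin Core or from minijail. The example builds a classic-BPF allow-list from those constants and runs it through a small interpreter, so a profile can be checked on any host without loading it into a kernel; `build_allowlist`, `eval_filter`, `check_syscall` and the `OP_*`/`OFF_*` names are this example's own. The `main` reproduces laanwj's concern above: a profile that omits `statx` kills that call, which matters when a dynamically linked libc implements `stat()` via `statx`.

```c
/* Added example, not Bitcoin Core or minijail code: pin x86_64 syscall
 * numbers and seccomp return codes with #ifndef fallbacks, build a
 * classic-BPF allow-list from them, and evaluate it with a tiny interpreter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__linux__) && defined(__x86_64__)
#include <sys/syscall.h>   /* may or may not provide __NR_statx and friends */
#endif
#ifdef __linux__
#include <linux/seccomp.h> /* older copies lack SECCOMP_RET_KILL_PROCESS */
#endif

/* x86_64 numbers: the same values whether or not the headers supplied them. */
#ifndef __NR_read
#define __NR_read 0
#endif
#ifndef __NR_write
#define __NR_write 1
#endif
#ifndef __NR_getrandom
#define __NR_getrandom 318
#endif
#ifndef __NR_membarrier
#define __NR_membarrier 324
#endif
#ifndef __NR_statx
#define __NR_statx 332
#endif
#ifndef SECCOMP_RET_ALLOW
#define SECCOMP_RET_ALLOW 0x7fff0000U
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef AUDIT_ARCH_X86_64
#define AUDIT_ARCH_X86_64 0xC000003EU
#endif

/* Classic BPF instruction (same layout as struct sock_filter) and the three
 * opcodes this example needs. Offsets are those of struct seccomp_data. */
struct filter_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define OP_LD_W_ABS 0x20 /* BPF_LD | BPF_W | BPF_ABS: A = data[k] */
#define OP_JEQ_K    0x15 /* BPF_JMP | BPF_JEQ | BPF_K: pc += (A == k) ? jt : jf */
#define OP_RET_K    0x06 /* BPF_RET | BPF_K: return k */
#define OFF_NR   0       /* offsetof(struct seccomp_data, nr) */
#define OFF_ARCH 4       /* offsetof(struct seccomp_data, arch) */

/* Emit: verify the arch, allow any nr in `allowed`, kill everything else.
 * Returns the instruction count, or 0 if the program does not fit. */
size_t build_allowlist(struct filter_insn *out, size_t cap,
                       const uint32_t *allowed, size_t n)
{
    size_t len = n + 6, i;
    if (n > 255 || len > cap) return 0;   /* jt is 8 bits wide */
    out[0] = (struct filter_insn){OP_LD_W_ABS, 0, 0, OFF_ARCH};
    out[1] = (struct filter_insn){OP_JEQ_K, 1, 0, AUDIT_ARCH_X86_64};
    out[2] = (struct filter_insn){OP_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS};
    out[3] = (struct filter_insn){OP_LD_W_ABS, 0, 0, OFF_NR};
    for (i = 0; i < n; i++) /* on match, jump to the final ALLOW instruction */
        out[4 + i] = (struct filter_insn){OP_JEQ_K, (uint8_t)(n - i), 0, allowed[i]};
    out[4 + n] = (struct filter_insn){OP_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS};
    out[5 + n] = (struct filter_insn){OP_RET_K, 0, 0, SECCOMP_RET_ALLOW};
    return len;
}

/* Interpreter for the subset above, fed the (nr, arch) pair the kernel would
 * take from struct seccomp_data. Anything unexpected is treated as deny. */
uint32_t eval_filter(const struct filter_insn *prog, size_t len,
                     uint32_t nr, uint32_t arch)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct filter_insn *in = &prog[pc++];
        switch (in->code) {
        case OP_LD_W_ABS: acc = (in->k == OFF_NR) ? nr : arch; break;
        case OP_JEQ_K:    pc += (acc == in->k) ? in->jt : in->jf; break;
        case OP_RET_K:    return in->k;
        default:          return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Build a profile from `allowed` and ask it about a single syscall. */
uint32_t check_syscall(const uint32_t *allowed, size_t n, uint32_t nr, uint32_t arch)
{
    struct filter_insn prog[262];
    size_t len = build_allowlist(prog, sizeof prog / sizeof prog[0], allowed, n);
    return len ? eval_filter(prog, len, nr, arch) : SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    /* Constructed profiles: one omits statx, as a profile built against old
     * headers might; a libc that implements stat() via statx dies under it. */
    const uint32_t without_statx[] = {__NR_read, __NR_write, __NR_getrandom, __NR_membarrier};
    const uint32_t with_statx[] = {__NR_read, __NR_write, __NR_getrandom, __NR_membarrier, __NR_statx};
    printf("statx, no entry: 0x%08x\n", check_syscall(without_statx, 4, __NR_statx, AUDIT_ARCH_X86_64));
    printf("statx, entry:    0x%08x\n", check_syscall(with_statx, 5, __NR_statx, AUDIT_ARCH_X86_64));
    return 0;
}
```

Because the numbers are fixed at the top of the file rather than taken from whatever `<sys/syscall.h>` happens to provide, two builds on hosts with different kernel headers produce byte-identical filter programs, which is the reproducibility property the GUIX build depends on.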
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
generated: 2024-12-22 03:12 UTC