laanwj
commented at 5:40 pm on October 5, 2021:
member
Make the new syscall sandbox compilable with kernel 4.4.0.
This defines a further syscall constant __NR_copy_file_range to make sure all syscalls used in the profile are available even if not defined in the kernel headers.
Also, make a few syscalls optional in the syscall name table:
__NR_pkey_alloc
__NR_pkey_free
__NR_pkey_mprotect
__NR_preadv2
__NR_pwritev2
util: Add __NR_copy_file_range syscall constant for sandbox
Kernel 4.4.0 doesn't define this.
64085b37f8
util: Conditionalize some syscalls in syscall name table
Put these in `#ifdef` as they are newer syscalls that might not be
defined on all kernels:
__NR_pkey_alloc
__NR_pkey_free
__NR_pkey_mprotect
__NR_preadv2
__NR_pwritev2
Thanks to jamesob for reporting.
ac402e749c
laanwj added the label
Utils/log/libs
on Oct 5, 2021
laanwj
commented at 5:43 pm on October 5, 2021:
member
I’m still thinking we might want to remove the syscall name table, and replace it with instructions how to look up the number (e.g. as argued here #20487 (review)). Having this list of syscall constants we don’t actually use, besides for error reporting, seems asking for more and more PRs like this.
(another options would be to #ifdef every single one, but this is very verbose… and would make it hard to find actual problems in it)
jamesob
commented at 5:50 pm on October 5, 2021:
member
Concept ACK
laanwj
commented at 6:11 pm on October 5, 2021:
member
What we also could do is add an autoconf test, and fail the --with-seccomp check below a certain lower bound kernel header version (or easier to detect, when a certain syscall is not in the header).
practicalswift
commented at 9:07 am on October 6, 2021:
contributor
cr ACKac402e749c91d40ce7066993f72f426b67196bd7
Thanks for quickly addressing this!
This might be helpful to fellow reviewers:
0$ grep -E 'copy_file_range$' linux/arch/x86/entry/syscalls/syscall_64.tbl
1326 common copy_file_range sys_copy_file_range
MarcoFalke added the label
DrahtBot Guix build requested
on Oct 6, 2021
practicalswift
commented at 11:43 am on October 6, 2021:
contributor
Some syscall history:
The newest syscall in the LINUX_SYSCALLS map is arch_prctl which was introduced in Linux 4.12 (2017).
These syscalls were introduced from Linux 3.17 (2014) to Linux 4.12 (2017):
Linux 3.17 (2014): getrandom, kexec_file_load, membarrier, memfd_create, seccomp
Linux 3.18 (2014): bpf
Linux 3.19 (2014): execveat
Linux 4.0 (2015): -
Linux 4.1 (2015): -
Linux 4.2 (2015): -
Linux 4.3 (2015): userfaultfd
Linux 4.4 (2016): mlock2
Linux 4.5 (2016): copy_file_range
Linux 4.6 (2016): preadv2, pwritev2
Linux 4.7 (2016): -
Linux 4.8 (2016): pkey_alloc, pkey_free, pkey_mprotect
Linux 4.9 (2016): -
Linux 4.10 (2017): -
Linux 4.11 (2017): statx
Linux 4.12 (2017): arch_prctl (arch_prctl has been available for x64_64 since 2.6, x86 since 4.12)
DrahtBot
commented at 11:44 am on October 6, 2021:
member
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Conflicts
Reviewers, this pull request conflicts with the following ones:
#23198 (build: Parse version information in msvc-autogen.py by CallMeMisterOwl)
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
DrahtBot
commented at 8:24 am on October 7, 2021:
member
DrahtBot removed the label
DrahtBot Guix build requested
on Oct 7, 2021
practicalswift
commented at 12:05 pm on October 7, 2021:
contributor
Some additional review comments:
I’ve done some additional digging and Linux 4.4 (2016) is the oldest kernel that is not EOL.
Thus it should only be the syscalls introduced after Linux 4.4 that are part of the LINUX_SYSCALLS map that might cause compile-time errors due to __NR_<syscall> being undefined (on supported non-EOL systems).
This should be the complete list of such syscalls:
Linux 4.5 (2016): copy_file_range
Linux 4.6 (2016): preadv2, pwritev2
Linux 4.8 (2016): pkey_alloc, pkey_free, pkey_mprotect
Linux 4.11 (2017): statx
Newer syscalls are not included as part of LINUX_SYSCALLS. Note that LINUX_SYSCALLS is only used for friendly printing of syscall names, and thus it doesn’t need to be complete with the most recently introduced syscalls. If a syscall is not present in LINUX_SYSCALLS the syscall number will be printed in error messages, but not the syscall name.
All the syscalls listed above are covered (either via #define or #ifdef) after the merge of this PR.
Thus we shouldn’t see any more compile-time issues on supported non-EOL systems after the merge of this PR :)
laanwj
commented at 12:29 pm on October 7, 2021:
member
@practicalswift Whoa, thanks for doing some software archeology there.
Thus we shouldn’t see any more compile-time issues on supported non-EOL systems after the merge of this PR :)
I think the main users of EOL kernels are people stuck with the vendor kernel for some embedded board. But even if ARM would be supported for sandboxing, it’s always possible to disable it with configure, it’s not like this prevents compilation altogether.
laanwj merged this
on Oct 7, 2021
laanwj closed this
on Oct 7, 2021
sidhujag referenced this in commit
2811606542
on Oct 7, 2021
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2024-12-22 03:12 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me