Make the new syscall sandbox compilable with kernel 4.4.0.
This defines a further syscall constant __NR_copy_file_range to make sure all syscalls used in the profile are available even if not defined in the kernel headers.
Also, make a few syscalls optional in the syscall name table:
__NR_pkey_alloc__NR_pkey_free__NR_pkey_mprotect__NR_preadv2__NR_pwritev2
Kernel 4.4.0 doesn't define this.
Put these in `#ifdef` as they are newer syscalls that might not be
defined on all kernels:
__NR_pkey_alloc
__NR_pkey_free
__NR_pkey_mprotect
__NR_preadv2
__NR_pwritev2
Thanks to jamesob for reporting.Reported by jamesob on IRC, see https://gist.github.com/jamesob/c46513d41e355a3e6e69f4ff78167c92
I’m still thinking we might want to remove the syscall name table, and replace it with instructions how to look up the number (e.g. as argued here #20487 (review)). Having this list of syscall constants we don’t actually use, besides for error reporting, seems asking for more and more PRs like this.
(another options would be to #ifdef every single one, but this is very verbose… and would make it hard to find actual problems in it)
--with-seccomp check below a certain lower bound kernel header version (or easier to detect, when a certain syscall is not in the header).
cr ACK ac402e749c91d40ce7066993f72f426b67196bd7
Thanks for quickly addressing this!
This might be helpful to fellow reviewers:
0$ grep -E 'copy_file_range$' linux/arch/x86/entry/syscalls/syscall_64.tbl
1326 common copy_file_range sys_copy_file_range
Some syscall history:
The newest syscall in the LINUX_SYSCALLS map is arch_prctl which was introduced in Linux 4.12 (2017).
These syscalls were introduced from Linux 3.17 (2014) to Linux 4.12 (2017):
getrandom, kexec_file_load, membarrier, memfd_create, seccompbpfexecveatuserfaultfdmlock2copy_file_rangepreadv2, pwritev2pkey_alloc, pkey_free, pkey_mprotectstatxarch_prctlarch_prctl has been available for x64_64 since 2.6, x86 since 4.12)Source: https://man7.org/linux/man-pages/man2/syscalls.2.html
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Reviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
Some additional review comments:
I’ve done some additional digging and Linux 4.4 (2016) is the oldest kernel that is not EOL.
Thus it should only be the syscalls introduced after Linux 4.4 that are part of the LINUX_SYSCALLS map that might cause compile-time errors due to __NR_<syscall> being undefined (on supported non-EOL systems).
This should be the complete list of such syscalls:
copy_file_rangepreadv2, pwritev2pkey_alloc, pkey_free, pkey_mprotectstatxLINUX_SYSCALLS. Note that LINUX_SYSCALLS is only used for friendly printing of syscall names, and thus it doesn’t need to be complete with the most recently introduced syscalls. If a syscall is not present in LINUX_SYSCALLS the syscall number will be printed in error messages, but not the syscall name.All the syscalls listed above are covered (either via #define or #ifdef) after the merge of this PR.
Thus we shouldn’t see any more compile-time issues on supported non-EOL systems after the merge of this PR :)
@practicalswift Whoa, thanks for doing some software archeology there.
Thus we shouldn’t see any more compile-time issues on supported non-EOL systems after the merge of this PR :)
I think the main users of EOL kernels are people stuck with the vendor kernel for some embedded board. But even if ARM would be supported for sandboxing, it’s always possible to disable it with configure, it’s not like this prevents compilation altogether.