util: Add mincore and clone3 to syscall sandbox #23255
pull MarcoFalke wants to merge 1 commits into bitcoin:master from MarcoFalke:2110-syscall changing 1 files +9 −0
-
MarcoFalke commented at 2:09 pm on October 11, 2021: member
Closes #23248
-
in src/util/syscall_sandbox.cpp:124 in fa13c8ee24 outdated
114@@ -115,6 +115,9 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{ 115 {__NR_clock_nanosleep, "clock_nanosleep"}, 116 {__NR_clock_settime, "clock_settime"}, 117 {__NR_clone, "clone"}, 118+#ifdef __NR_clone3 119+ {__NR_clone3, "clone3"},
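Review bot: The #ifdef __NR_clone3 guard around the new {__NR_clone3, "clone3"} entry ties the entry to the kernel headers present at build time, so a build against headers that predate the syscall silently drops clone3 from LINUX_SYSCALLS. Consider defining the number when the headers lack it (an #ifndef __NR_clone3 block with a #define) and adding the map entry unconditionally, with a comment recording which kernel release introduced the syscall.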
MarcoFalke commented at 2:12 pm on October 11, 2021:
For reference, The clone3() system call first appeared in Linux 5.3.
-
practicalswift commented at 2:15 pm on October 11, 2021: contributor
Concept ACK
I think we need to #define __NR_clone3 (if not defined) like we do for statx and other relatively recently introduced syscalls:

// Define system call numbers for x86_64 that are referenced in the system call profile
// but not provided by the kernel headers used in the GUIX build.
#ifndef __NR_statx
#define __NR_statx 332
#endif
-
MarcoFalke force-pushed on Oct 11, 2021
-
MarcoFalke commented at 2:21 pm on October 11, 2021: member
How do I find the number?
-
laanwj commented at 2:22 pm on October 11, 2021: member
> How do I find the number?
Usually in /usr/include/x86_64-linux-gnu/asm/unistd_64.h for x86_64.
-
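The header lookup and the #ifndef guard discussed above, combined as an added example (not part of the thread or of Bitcoin Core): a shell helper that reads a syscall number from a kernel header and prints the matching fallback stanza. The function names and the sample header excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the "#ifndef/#define/#endif" fallback for a syscall
# from a kernel header such as asm/unistd_64.h.

# syscall_nr NAME HEADER -> prints the number. Fails when the header predates
# the syscall or defines it as an expression rather than a plain integer.
syscall_nr() {
    awk -v sym="__NR_$1" '
        $1 == "#define" && $2 == sym {
            if (NF == 3 && $3 ~ /^[0-9]+$/) { print $3; found = 1 }
            exit
        }
        END { exit !found }
    ' "$2"
}

# fallback_stanza NAME HEADER -> prints the guard block in the style quoted
# for statx in the thread.
fallback_stanza() {
    nr=$(syscall_nr "$1" "$2") || {
        echo "no numeric __NR_$1 in $2" >&2
        return 1
    }
    printf '#ifndef __NR_%s\n#define __NR_%s %s\n#endif\n' "$1" "$1" "$nr"
}

# Constructed excerpt standing in for
# /usr/include/x86_64-linux-gnu/asm/unistd_64.h (x86_64 numbers).
sample_header() {
    cat <<'EOF'
#define __NR_mincore 27
#define __NR_clone 56
#define __NR_statx 332
#define __NR_clone3 435
EOF
}

hdr=$(mktemp)
sample_header > "$hdr"
fallback_stanza clone3 "$hdr"            # prints the three-line guard
fallback_stanza openat2 "$hdr" || true   # absent from this header: reported, no stanza
rm -f "$hdr"
```

Pointing the second argument at the real header of the build environment shows whether that environment needs the fallback at all.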
util: Add mincore and clone3 to syscall sandbox fab40732a9
-
MarcoFalke force-pushed on Oct 11, 2021
-
MarcoFalke added the label DrahtBot Guix build requested on Oct 11, 2021
-
MarcoFalke commented at 2:27 pm on October 11, 2021: member
Thanks, added that to the comment in the file.
-
practicalswift commented at 2:28 pm on October 11, 2021: contributor
cr ACK fab40732a95711abadc22c3689f248753341a481
Thanks again for testing on diverse systems and filling in the gaps!
From the original syscall sandbox PR #20487 (comment):
As has been noted in previous discussions above, syscall sandboxing is a type of feature that needs experimentation and fine-tuning for different environments to catch potential diversity in syscall use across systems. Such experimentation was required when sandboxing using seccomp-bpf was introduced in projects such as Chromium, OpenSSH and Tor, and it will be required for Bitcoin Core too. There is really no way around it :)
-
laanwj commented at 3:47 pm on October 11, 2021: member
ACK fab40732a95711abadc22c3689f248753341a481
-
fanquake approved
-
fanquake commented at 0:45 am on October 12, 2021: member
ACK fab40732a95711abadc22c3689f248753341a481
Guix build:
-
fanquake merged this on Oct 12, 2021
-
fanquake closed this on Oct 12, 2021
-
sidhujag referenced this in commit 2da5fde964 on Oct 12, 2021
-
MarcoFalke deleted the branch on Oct 12, 2021
-
MarcoFalke removed the label DrahtBot Guix build requested on Oct 12, 2021
-
MarcoFalke added the label Utils/log/libs on Oct 12, 2021
-
DrahtBot locked this on Oct 30, 2022