util: Add mincore and clone3 to syscall sandbox #23255
pull MarcoFalke wants to merge 1 commits into bitcoin:master from MarcoFalke:2110-syscall changing 1 files +9 −0-
MarcoFalke commented at 2:09 pm on October 11, 2021: member
Closes #23248
in src/util/syscall_sandbox.cpp:124 in fa13c8ee24 outdated
114@@ -115,6 +115,9 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{ 115 {__NR_clock_nanosleep, "clock_nanosleep"}, 116 {__NR_clock_settime, "clock_settime"}, 117 {__NR_clone, "clone"}, 118+#ifdef __NR_clone3 119+ {__NR_clone3, "clone3"},
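Review bot: the `#ifdef __NR_clone3` guard around the new `{__NR_clone3, "clone3"},` entry makes the table depend on the build host's kernel headers: where they do not define `__NR_clone3`, the entry is silently compiled out and the map has no name for that syscall. Suggest adding a fallback definition under `#ifndef __NR_clone3` and dropping the guard here, so every build carries the same entry.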
MarcoFalke commented at 2:12 pm on October 11, 2021:
For reference, The clone3() system call first appeared in Linux 5.3.
practicalswift commented at 2:15 pm on October 11, 2021: contributor
Concept ACK
I think we need to #define __NR_clone3 (if not defined) like we do for statx and other relatively recently introduced syscalls:

    // Define system call numbers for x86_64 that are referenced in the system call profile
    // but not provided by the kernel headers used in the GUIX build.
    #ifndef __NR_statx
    #define __NR_statx 332
    #endif

MarcoFalke force-pushed on Oct 11, 2021
MarcoFalke commented at 2:21 pm on October 11, 2021: member
How do I find the number?
laanwj commented at 2:22 pm on October 11, 2021: member
> How do I find the number?
Usually in /usr/include/x86_64-linux-gnu/asm/unistd_64.h for x86_64.
util: Add mincore and clone3 to syscall sandbox fab40732a9
MarcoFalke force-pushed on Oct 11, 2021
MarcoFalke added the label DrahtBot Guix build requested on Oct 11, 2021
MarcoFalke commented at 2:27 pm on October 11, 2021: member
Thanks, added that to the comment in the file.
practicalswift commented at 2:28 pm on October 11, 2021: contributor
cr ACK fab40732a95711abadc22c3689f248753341a481
Thanks again for testing on diverse systems and filling in the gaps!
From the original syscall sandbox PR #20487 (comment): As has been noted in previous discussions above, syscall sandboxing is a type of feature that needs experimentation and fine-tuning for different environments to catch potential diversity in syscall use across systems. Such experimentation was required when sandboxing using seccomp-bpf was introduced in projects such as Chromium, OpenSSH and Tor, and it will be required for Bitcoin Core too. There is really no way around it :)
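The header lookup laanwj points to and the guarded define practicalswift quotes, combined in an added example that is not part of the PR or of Bitcoin Core: the script reads a syscall number from a unistd_64.h-style header and prints the `#ifndef` fallback block, failing when the header lacks the syscall. The function names and the embedded header are constructed for illustration; the statx value 332 is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the PR. Function names are hypothetical.

# syscall_nr NAME HEADER: print the number from "#define __NR_NAME <digits>".
# Returns 1 when the header has no such line (e.g. headers older than the
# syscall) or when the value is an expression rather than a plain number.
syscall_nr() {
    awk -v want="__NR_$1" '
        $1 == "#define" && $2 == want && $3 ~ /^[0-9]+$/ { print $3; found = 1; exit }
        END { exit !found }
    ' "$2"
}

# fallback_define NAME HEADER: print the guarded define for NAME, in the
# same shape as the statx block; print nothing and return 1 if not found.
fallback_define() {
    nr=$(syscall_nr "$1" "$2") || {
        echo "fallback_define: __NR_$1 not found in $2" >&2
        return 1
    }
    printf '#ifndef __NR_%s\n#define __NR_%s %s\n#endif\n' "$1" "$1" "$nr"
}

# Constructed sample in the format of asm/unistd_64.h (x86_64); on a real
# system pass /usr/include/x86_64-linux-gnu/asm/unistd_64.h instead.
make_sample_header() {
    cat > "$1" <<'EOF'
#ifndef _ASM_UNISTD_64_H
#define _ASM_UNISTD_64_H
#define __NR_mincore 27
#define __NR_statx 332
#define __NR_clone3 435
#endif /* _ASM_UNISTD_64_H */
EOF
}

sample=$(mktemp)
make_sample_header "$sample"
for name in statx clone3; do
    fallback_define "$name" "$sample"
done
rm -f "$sample"
```

The numbers are per-architecture, so a fallback generated from the x86_64 header belongs only in an x86_64-specific block, as the quoted comment in the source file states.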
laanwj commented at 3:47 pm on October 11, 2021: member
ACK fab40732a95711abadc22c3689f248753341a481
fanquake approved
fanquake commented at 0:45 am on October 12, 2021: member
ACK fab40732a95711abadc22c3689f248753341a481
Guix build:
bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
fanquake merged this on Oct 12, 2021
fanquake closed this on Oct 12, 2021
sidhujag referenced this in commit 2da5fde964 on Oct 12, 2021
MarcoFalke deleted the branch on Oct 12, 2021
MarcoFalke removed the label DrahtBot Guix build requested on Oct 12, 2021
MarcoFalke added the label Utils/log/libs on Oct 12, 2021
DrahtBot locked this on Oct 30, 2022
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-04 13:12 UTC