On Tue, Apr 2, 2013 at 1:53 PM, Paul Moore <[email protected]> wrote:
> On Tuesday, April 02, 2013 11:52:04 AM Kees Cook wrote:
>> On Tue, Apr 2, 2013 at 7:12 AM, Paul Moore <[email protected]> wrote:
>> > On Monday, April 01, 2013 07:00:26 PM Kees Cook wrote:
>> >> On Thu, Mar 28, 2013 at 8:55 AM, Paul Moore <[email protected]> wrote:
>> >> > I've been fixing and sitting on these patches for some time now,
>> >> > waiting on upstream x32 kernel fixes (x32) and access to an ARM*
>> >> > system for verification. Unfortunately, sitting on this large of
>> >> > a patchset results in merging problems whenever we add another
>> >> > patch to the repo.
>> >> >
>> >> > Therefore, I'm considering simply merging the following patches
>> >> > just to get them into repo and we can always fix up any problems
>> >> > that may appear during testing. If I don't hear any objections in
>> >> > the next day or two I'll go ahead.
>> >> >
>> >> > * Does anyone have an ARM system running 3.8 that they would be
>> >> > willing to test?
>> >>
>> >> I can get a simulated system up running 3.8 tomorrow. I just have to
>> >> find my notes from doing the ARM seccomp porting work. :)
>> >
>> > If you can get it going without too much fuss that would be helpful. All
>> > you would need to do is grab the latest repo, build it (with the python
>> > bindings too please) and do the following:
>>
>> $ ./configure --enable-python
>> CONFIGURATION SUMMARY
>> libseccomp version: 0.0.0
>> installation base: /usr/local
>> library directory: /usr/local/lib
>> use system includes: no
>> python bindings: yes
>>
>> Is there a reason for the 0.0.0 version in the tree? The tarballs
>> don't show that...
>
> Sorta, I keep the main dev branch set at 0.0.0 so it is easy for me to
> distinguish between dev and released code.
>
>> The Python bindings fail to build for me:
>>
>> Error compiling Cython file:
>> ------------------------------------------------------------
>> ...
>> raise TypeError("Syscall must either be an int or str type")
>> """ NOTE: the code below exists solely to deal with the varadic
>> nature of seccomp_rule_add() function and the inability of Cython
>> to handle this automatically """
>> for i, arg in enumerate(args):
>> c_arg[i] = arg.to_c()
>> ^
>> ------------------------------------------------------------
>>
>> seccomp.pyx:419:31: Cannot convert Python object to 'scmp_arg_cmp'
>> ...
>> seccomp.pyx:498:31: Cannot convert Python object to 'scmp_arg_cmp'
>
> Interesting. What version of Cython do you have installed? For reference I'm
> currently using Cython 0.17.4 ... although I just noticed that 0.18 is
> available. Also, can I assume this is Ubuntu and/or Debian?

The disk image I got running was Debian wheezy. It has 0.15.1. :)

>
>> > # cd tests
>> > # ./regression -m c -m python
>>
>> Running "regression -m c" has some failures:
>>
>> Test 08-sim-subtree_checks%%022-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%001-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%002-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%004-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%005-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%006-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%008-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%009-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%010-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> Test 12-sim-basic_masked_ops%%015-00001 result: FAILURE bpf_sim
>> resulted in KILL
>> ...
>> Regression Test Summary
>> tests run: 3950
>> tests skipped: 55
>> tests passed: 3940
>> tests failed: 10
>> tests errored: 0
>
> Hmm, bummer. Can you post the output of the following:
>
> # cd tests
> # ./08-sim-subtree_checks

kees@debian:~/libseccomp/tests$ ./08-sim-subtree_checks
#
# pseudo filter code start
#
# filter for arch arm (1073741864)
if ($arch == 1073741864)
# filter for syscall #1001 (priority: 65534)
if ($syscall == 1001)
if ($a1 == 1)
action ALLOW;
# filter for syscall #1000 (priority: 65534)
if ($syscall == 1000)
if ($a1 == 1)
action ALLOW;
# filter for syscall #1006 (priority: 65533)
if ($syscall == 1006)
if ($a1 == 1)
if ($a2 == 2)
action ALLOW;
else
action ALLOW;
# filter for syscall #1003 (priority: 65533)
if ($syscall == 1003)
if ($a1 == 1)
if ($a2 == 2)
action ALLOW;
# filter for syscall #1002 (priority: 65533)
if ($syscall == 1002)
if ($a1 == 1)
if ($a2 == 2)
action ALLOW;
# filter for syscall #1007 (priority: 65532)
if ($syscall == 1007)
if ($a2 == 1)
if ($a3 == 3)
action TRAP;
if ($a3 == 3)
else
action ALLOW;
# filter for syscall #1005 (priority: 65531)
if ($syscall == 1005)
if ($a0 == 0)
if ($a1 == 11)
action ALLOW;
if ($a1 == 1)
if ($a2 == 2)
action ALLOW;
# filter for syscall #1004 (priority: 65531)
if ($syscall == 1004)
if ($a0 == 0)
if ($a1 == 11)
action ALLOW;
if ($a1 == 1)
if ($a2 == 2)
action ALLOW;
# default action
action KILL;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#

> # ./08-sim-subtree_checks -b | ../tools/bpf_disasm

kees@debian:~/libseccomp/tests$ ./08-sim-subtree_checks -b | ../tools/bpf_disasm
line OP JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 ld $data[4]
0001: 0x15 0x00 0x1c 0x40000028 jeq 1073741864 true:0002 false:0030
0002: 0x20 0x00 0x00 0x00000000 ld $data[0]
0003: 0x15 0x01 0x00 0x000003e8 jeq 1000 true:0005 false:0004
0004: 0x15 0x00 0x02 0x000003e9 jeq 1001 true:0005 false:0007
0005: 0x20 0x00 0x00 0x00000018 ld $data[24]
0006: 0x15 0x16 0x17 0x00000001 jeq 1 true:0029 false:0030
0007: 0x15 0x11 0x00 0x000003ea jeq 1002 true:0025 false:0008
0008: 0x15 0x10 0x00 0x000003eb jeq 1003 true:0025 false:0009
0009: 0x15 0x00 0x02 0x000003ee jeq 1006 true:0010 false:0012
0010: 0x20 0x00 0x00 0x00000018 ld $data[24]
0011: 0x15 0x0f 0x11 0x00000001 jeq 1 true:0027 false:0029
0012: 0x15 0x00 0x06 0x000003ef jeq 1007 true:0013 false:0019
0013: 0x20 0x00 0x00 0x00000020 ld $data[32]
0014: 0x15 0x00 0x01 0x00000001 jeq 1 true:0015 false:0016
0015: 0x15 0x02 0x00 0x00000003 jeq 3 true:0018 false:0016
0016: 0x20 0x00 0x00 0x00000028 ld $data[40]
0017: 0x15 0x0c 0x0b 0x00000003 jeq 3 true:0030 false:0029
0018: 0x06 0x00 0x00 0x00030000 ret TRAP
0019: 0x15 0x01 0x00 0x000003ec jeq 1004 true:0021 false:0020
0020: 0x15 0x00 0x09 0x000003ed jeq 1005 true:0021 false:0030
0021: 0x20 0x00 0x00 0x00000010 ld $data[16]
0022: 0x15 0x00 0x02 0x00000000 jeq 0 true:0023 false:0025
0023: 0x20 0x00 0x00 0x00000018 ld $data[24]
0024: 0x15 0x04 0x00 0x0000000b jeq 11 true:0029 false:0025
0025: 0x20 0x00 0x00 0x00000018 ld $data[24]
0026: 0x15 0x00 0x03 0x00000001 jeq 1 true:0027 false:0030
0027: 0x20 0x00 0x00 0x00000020 ld $data[32]
0028: 0x15 0x00 0x01 0x00000002 jeq 2 true:0029 false:0030
0029: 0x06 0x00 0x00 0x7fff0000 ret ALLOW
0030: 0x06 0x00 0x00 0x00000000 ret KILL
>
>> > # ./regression -m c -m python -T live
>>
>> Running "regression -m c -T live" passes:
>>
>> Test 20-live-basic_die%%001-00000 result: SUCCESS
>> Test 20-live-basic_die%%002-00000 result: SUCCESS
>> Test 20-live-basic_die%%003-00000 result: SUCCESS
>> Test 21-live-basic_allow%%001-00000 result: SUCCESS
>> Test 24-live-arg_allow%%001-00000 result: SUCCESS
>> ...
>> Regression Test Summary
>> tests run: 5
>> tests skipped: 0
>> tests passed: 5
>> tests failed: 0
>> tests errored: 0
>
> At least that worked okay. That's good.
>
>> Are you on IRC anywhere normally?
>
> Yes and no; I'm on IRC in a few channels but you generally have to yell my
> name to get my attention, I don't really actively monitor any particular
> channel. You can find me on freenode in #kvm and #selinux as pmoore; do you
> guys have a seccomp channel?

Cool, I'll idle in #kvm. I'm on a bunch, but #chromium-os has the most
people familiar with seccomp in it.

Now I just have to get an x32 environment...

-Kees
--
Kees Cook
Chrome OS Security
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
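
Added example, not part of the thread and not libseccomp code: a minimal classic-BPF interpreter in C that runs the program from the bpf_disasm listing above over constructed seccomp_data values, so a single syscall/argument combination can be traced to its return action. The names insn, prog and run_filter are made up for this example, and it handles only the three opcodes that appear in the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* One classic-BPF instruction; fields follow the OP/JT/JF/K columns above. */
struct insn { uint16_t op; uint8_t jt, jf; uint32_t k; };

/* Instructions 0000-0030 of the bpf_disasm listing, transcribed by hand. */
static const struct insn prog[] = {
    {0x20,0,0,4},       {0x15,0,0x1c,0x40000028}, {0x20,0,0,0},          {0x15,1,0,1000},
    {0x15,0,2,1001},    {0x20,0,0,24},            {0x15,0x16,0x17,1},    {0x15,0x11,0,1002},
    {0x15,0x10,0,1003}, {0x15,0,2,1006},          {0x20,0,0,24},         {0x15,0x0f,0x11,1},
    {0x15,0,6,1007},    {0x20,0,0,32},            {0x15,0,1,1},          {0x15,2,0,3},
    {0x20,0,0,40},      {0x15,0x0c,0x0b,3},       {0x06,0,0,0x00030000}, {0x15,1,0,1004},
    {0x15,0,9,1005},    {0x20,0,0,16},            {0x15,0,2,0},          {0x20,0,0,24},
    {0x15,4,0,11},      {0x20,0,0,24},            {0x15,0,3,1},          {0x20,0,0,32},
    {0x15,0,1,2},       {0x06,0,0,0x7fff0000},    {0x06,0,0,0x00000000},
};

/* Run prog over a little-endian seccomp_data image (nr at byte 0, arch at 4,
 * 64-bit args[i] at 16 + 8*i; only the low 32 bits of each arg are set).
 * Returns the filter's return value; 0 (KILL) on anything unexpected. */
static uint32_t run_filter(uint32_t nr, uint32_t arch, const uint32_t args[6])
{
    uint32_t data[16] = {0}, acc = 0;   /* 64 bytes as 32-bit words */
    size_t pc = 0, n = sizeof(prog) / sizeof(prog[0]);
    data[0] = nr; data[1] = arch;
    for (int i = 0; i < 6; i++)
        data[4 + 2 * i] = args[i];      /* low word of args[i] */
    while (pc < n) {
        const struct insn *in = &prog[pc++];
        if (in->op == 0x06)             /* ret k */
            return in->k;
        if (in->op == 0x15)             /* jeq k, relative to next insn */
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->op == 0x20 && in->k <= 60 && in->k % 4 == 0)
            acc = data[in->k / 4];      /* ld $data[k] */
        else
            return 0;                   /* opcode or offset not handled */
    }
    return 0;                           /* ran past the end */
}

int main(void)
{
    /* Constructed input: syscall 1007 on ARM with a2 == 1 and a3 == 3. */
    const uint32_t args[6] = {0, 0, 1, 3, 0, 0};
    printf("0x%08x\n", (unsigned)run_filter(1007, 0x40000028, args));
    return 0;
}
```

For syscall 1007 with a2 == 1 and a3 == 3 the listing as posted returns KILL (0x00000000) rather than TRAP, because instruction 0015 compares against 3 while the accumulator still holds a2.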