On Fri, Apr 3, 2020 at 2:59 PM Richard Purdie
<[email protected]> wrote:
>
> Pseudo changes the syscall access patterns which makes it incompatible with
> seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
> seccomp was setup when in fact we do nothing. If we error as unsupported,
> utilities like file will exit with errors so we can't just disable it.
>
> This works around issues on platforms where seccomp is enabled in file
> (e.g. archlinux).
>
> Signed-off-by: Richard Purdie <[email protected]>
> ---
> .../pseudo/files/seccomp.patch | 124 ++++++++++++++++++
> meta/recipes-devtools/pseudo/pseudo_git.bb | 1 +
> 2 files changed, 125 insertions(+)
> create mode 100644 meta/recipes-devtools/pseudo/files/seccomp.patch
>
> diff --git a/meta/recipes-devtools/pseudo/files/seccomp.patch
> b/meta/recipes-devtools/pseudo/files/seccomp.patch
> new file mode 100644
> index 00000000000..dd4ba666a90
> --- /dev/null
> +++ b/meta/recipes-devtools/pseudo/files/seccomp.patch
> @@ -0,0 +1,124 @@
> +Pseudo changes the syscall access patterns which makes it incompatible with
> +seccomp. Therefore intercept the seccomp syscall and alter it, pretending
> that
> +seccomp was setup when in fact we do nothing. If we error as unsupported,
> +utilities like file will exit with errors so we can't just disable it.
> +
> +Upstream-Status: Pending
> +RP 2020/4/3
> +Signed-off-by: Richard Purdie <[email protected]>
> +
> +Index: git/ports/linux/pseudo_wrappers.c
> +===================================================================
> +--- git.orig/ports/linux/pseudo_wrappers.c
> ++++ git/ports/linux/pseudo_wrappers.c
> +@@ -57,6 +57,7 @@ int pseudo_capset(cap_user_header_t hdrp
> + long
> + syscall(long number, ...) {
> + long rc = -1;
> ++ va_list ap;
> +
> + if (!pseudo_check_wrappers() || !real_syscall) {
> + /* rc was initialized to the "failure" value */
> +@@ -77,6 +78,20 @@ syscall(long number, ...) {
> + (void) number;
> + #endif
> +
> ++#ifdef SYS_seccomp
> ++ /* pseudo and seccomp are incompatible as pseudo uses different
> syscalls
> ++ * so pretend to enable seccomp but really do nothing */
> ++ if (number == SYS_seccomp) {
> ++ unsigned long cmd;
> ++ va_start(ap, number);
> ++ cmd = va_arg(ap, unsigned long);
> ++ va_end(ap);
> ++ if (cmd == SECCOMP_SET_MODE_FILTER) {
> ++ return 0;
> ++ }
> ++ }
> ++#endif
> ++
> + /* gcc magic to attempt to just pass these args to syscall. we have to
> + * guess about the number of args; the docs discuss calling
> conventions
> + * up to 7, so let's try that?
> +@@ -92,3 +108,42 @@ static long wrap_syscall(long nr, va_lis
> + (void) ap;
> + return -1;
> + }
> ++
> ++int
> ++prctl(int option, ...) {
> ++ int rc = -1;
> ++ va_list ap;
> ++
> ++ if (!pseudo_check_wrappers() || !real_syscall) {
> ++ /* rc was initialized to the "failure" value */
> ++ pseudo_enosys("prctl");
> ++ return rc;
> ++ }
> ++
> ++ /* pseudo and seccomp are incompatible as pseudo uses different
> syscalls
> ++ * so pretend to enable seccomp but really do nothing */
> ++ if (option == PR_SET_SECCOMP) {
> ++ unsigned long cmd;
> ++ va_start(ap, option);
> ++ cmd = va_arg(ap, unsigned long);
> ++ va_end(ap);
> ++ if (cmd == SECCOMP_SET_MODE_FILTER) {
> ++ return 0;
> ++ }
> ++ }
> ++
> ++ /* gcc magic to attempt to just pass these args to syscall. we have to
Comment needs updating - you are calling prctl() here, not syscall().
> ++ * guess about the number of args; the docs discuss calling
> conventions
> ++ * up to 4, so let's try that?
The args for prctl() are option plus 4 additional arguments, so a
total of 5, not 4.
> ++ */
> ++ void *res = __builtin_apply((void (*)()) real_prctl,
> __builtin_apply_args(), sizeof(long) * 4);
> ++ __builtin_return(res);
> ++}
> ++
> ++/* unused.
> ++ */
> ++static int wrap_prctl(int option, va_list ap) {
> ++ (void) option;
> ++ (void) ap;
> ++ return -1;
> ++}
> +Index: git/ports/linux/guts/prctl.c
> +===================================================================
> +--- /dev/null
> ++++ git/ports/linux/guts/prctl.c
> +@@ -0,0 +1,15 @@
> ++/*
> ++ * Copyright (c) 2020 Richard Purdie
> ++ *
> ++ * SPDX-License-Identifier: LGPL-2.1-only
> ++ *
> ++ * int prctl(int option, ...)
> ++ * int rc = -1;
> ++ */
> ++
> ++ /* we should never get here, prctl is hand-wrapped */
> ++ rc = -1;
> ++
> ++/* return rc;
> ++ * }
> ++ */
> +Index: git/ports/linux/portdefs.h
> +===================================================================
> +--- git.orig/ports/linux/portdefs.h
> ++++ git/ports/linux/portdefs.h
> +@@ -32,3 +32,5 @@ GLIBC_COMPAT_SYMBOL(memcpy,2.0);
> +
> + #include <linux/capability.h>
> + #include <sys/syscall.h>
> ++#include <sys/prctl.h>
> ++#include <linux/seccomp.h>
> +Index: git/ports/linux/wrapfuncs.in
> +===================================================================
> +--- git.orig/ports/linux/wrapfuncs.in
> ++++ git/ports/linux/wrapfuncs.in
> +@@ -56,3 +56,4 @@ int getgrent_r(struct group *gbuf, char
> + int capset(cap_user_header_t hdrp, const cap_user_data_t datap); /*
> real_func=pseudo_capset */
> + long syscall(long nr, ...); /* hand_wrapped=1 */
> + int renameat2(int olddirfd, const char *oldpath, int newdirfd, const char
> *newpath, unsigned int flags); /* flags=AT_SYMLINK_NOFOLLOW */
> ++int prctl(int option, ...); /* hand_wrapped=1 */
> diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb
> b/meta/recipes-devtools/pseudo/pseudo_git.bb
> index d921d85a05c..89e43c59969 100644
> --- a/meta/recipes-devtools/pseudo/pseudo_git.bb
> +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
> @@ -10,6 +10,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo \
> file://0001-Add-statx.patch \
> file://0001-realpath.c-Remove-trailing-slashes.patch \
> file://0006-xattr-adjust-for-attr-2.4.48-release.patch \
> + file://seccomp.patch \
> "
>
> SRCREV = "060058bb29f70b244e685b3c704eb0641b736f73"
> --
> 2.25.1
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#136997):
https://lists.openembedded.org/g/openembedded-core/message/136997
Mute This Topic: https://lists.openembedded.org/mt/72759808/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
