authorRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-03 12:55:12 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-06 15:45:11 (GMT)
commitf4c7f9ebae9f4afc16a1ca31290665a6e7f4f83f (patch)
treeb20569f215e00dc74e367bbe6a12854b20434711
parent40407d28f0ec70563c8c87adf85b60ef1f5c0b80 (diff)
pseudo: Force seccomp to return success when in fact doing nothing
Pseudo changes the syscall access patterns which makes it incompatible with seccomp. Therefore intercept the seccomp syscall and alter it, pretending that seccomp was setup when in fact we do nothing. If we error as unsupported, utilities like file will exit with errors so we can't just disable it. This works around issues on platforms where seccomp is enabled in file (e.g. archlinux). (From OE-Core rev: bc895522eb940539a0e3cb6192c4a64f13ca8d6a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/pseudo/files/seccomp.patch124
-rw-r--r--meta/recipes-devtools/pseudo/pseudo_git.bb1
2 files changed, 125 insertions, 0 deletions
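--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/seccomp.patch
@@ -0,0 +1,124 @@
+Pseudo changes the syscall access patterns which makes it incompatible with
+seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
+seccomp was setup when in fact we do nothing. If we error as unsupported,
+utilities like file will exit with errors so we can't just disable it.
+
+Upstream-Status: Pending
+RP 2020/4/3
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/ports/linux/pseudo_wrappers.c
+===================================================================
+--- git.orig/ports/linux/pseudo_wrappers.c
++++ git/ports/linux/pseudo_wrappers.c
+@@ -57,6 +57,7 @@ int pseudo_capset(cap_user_header_t hdrp
+ long
+ syscall(long number, ...) {
+ long rc = -1;
++ va_list ap;
+
+ if (!pseudo_check_wrappers() || !real_syscall) {
+ /* rc was initialized to the "failure" value */
+@@ -77,6 +78,20 @@ syscall(long number, ...) {
+ (void) number;
+ #endif
+
++#ifdef SYS_seccomp
++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
++ * so pretend to enable seccomp but really do nothing */
++ if (number == SYS_seccomp) {
++ unsigned long cmd;
++ va_start(ap, number);
++ cmd = va_arg(ap, unsigned long);
++ va_end(ap);
++ if (cmd == SECCOMP_SET_MODE_FILTER) {
++ return 0;
++ }
++ }
++#endif
++
+ /* gcc magic to attempt to just pass these args to syscall. we have to
+ * guess about the number of args; the docs discuss calling conventions
+ * up to 7, so let's try that?
+@@ -92,3 +108,42 @@ static long wrap_syscall(long nr, va_lis
+ (void) ap;
+ return -1;
+ }
++
++int
++prctl(int option, ...) {
++ int rc = -1;
++ va_list ap;
++
++ if (!pseudo_check_wrappers() || !real_prctl) {
++ /* rc was initialized to the "failure" value */
++ pseudo_enosys("prctl");
++ return rc;
++ }
++
++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
++ * so pretend to enable seccomp but really do nothing */
++ if (option == PR_SET_SECCOMP) {
++ unsigned long cmd;
++ va_start(ap, option);
++ cmd = va_arg(ap, unsigned long);
++ va_end(ap);
++ if (cmd == SECCOMP_SET_MODE_FILTER) {
++ return 0;
++ }
++ }
++
++ /* gcc magic to attempt to just pass these args to prctl. we have to
++ * guess about the number of args; the docs discuss calling conventions
++ * up to 5, so let's try that?
++ */
++ void *res = __builtin_apply((void (*)()) real_prctl, __builtin_apply_args(), sizeof(long) * 5);
++ __builtin_return(res);
++}
++
++/* unused.
++ */
++static int wrap_prctl(int option, va_list ap) {
++ (void) option;
++ (void) ap;
++ return -1;
++}
+Index: git/ports/linux/guts/prctl.c
+===================================================================
+--- /dev/null
++++ git/ports/linux/guts/prctl.c
+@@ -0,0 +1,15 @@
++/*
++ * Copyright (c) 2020 Richard Purdie
++ *
++ * SPDX-License-Identifier: LGPL-2.1-only
++ *
++ * int prctl(int option, ...)
++ * int rc = -1;
++ */
++
++ /* we should never get here, prctl is hand-wrapped */
++ rc = -1;
++
++/* return rc;
++ * }
++ */
+Index: git/ports/linux/portdefs.h
+===================================================================
+--- git.orig/ports/linux/portdefs.h
++++ git/ports/linux/portdefs.h
+@@ -32,3 +32,5 @@ GLIBC_COMPAT_SYMBOL(memcpy,2.0);
+
+ #include <linux/capability.h>
+ #include <sys/syscall.h>
++#include <sys/prctl.h>
++#include <linux/seccomp.h>
+Index: git/ports/linux/wrapfuncs.in
+===================================================================
+--- git.orig/ports/linux/wrapfuncs.in
++++ git/ports/linux/wrapfuncs.in
+@@ -56,3 +56,4 @@ int getgrent_r(struct group *gbuf, char
+ int capset(cap_user_header_t hdrp, const cap_user_data_t datap); /* real_func=pseudo_capset */
+ long syscall(long nr, ...); /* hand_wrapped=1 */
+ int renameat2(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, unsigned int flags); /* flags=AT_SYMLINK_NOFOLLOW */
++int prctl(int option, ...); /* hand_wrapped=1 */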
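Review bot: The added `prctl()` wrapper compares its second argument with `SECCOMP_SET_MODE_FILTER`, but that constant is an operation code for the seccomp(2) syscall (value 1 in `<linux/seccomp.h>`); `prctl(PR_SET_SECCOMP, ...)` takes a mode, and filter mode there is `SECCOMP_MODE_FILTER` (value 2). As written the test matches `SECCOMP_MODE_STRICT` instead, so a filter requested through prctl still reaches the real call, while a strict-mode request is reported as successful without being applied. The check should read `if (cmd == SECCOMP_MODE_FILTER) {`. Both early returns also tell the caller it is sandboxed when it is not, so a debug-level log line at each would make the skipped filter visible to anyone auditing what ran under pseudo.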
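--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo \
  file://0001-Add-statx.patch \
  file://0001-realpath.c-Remove-trailing-slashes.patch \
  file://0006-xattr-adjust-for-attr-2.4.48-release.patch \
+ file://seccomp.patch \
  "
 
 SRCREV = "060058bb29f70b244e685b3c704eb0641b736f73"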