diff options
| author | Ming Liu <liu.ming50@gmail.com> | 2019-12-28 14:18:02 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-01-27 16:48:08 +0000 |
| commit | a315a01826726d4e403d987e99cb879b2a97329d (patch) | |
| tree | d7cb283a4ebfa43bc2fc327305f19ee4624fdef0 | |
| parent | e9e1aa199bd654ee485918bdc2e53df93522b381 (diff) | |
| download | poky-a315a01826726d4e403d987e99cb879b2a97329d.tar.gz | |
systemd: fix a test-seccomp build issue
Fix a following compiling issue when seccomp is enabled by
PACKAGECONFIG:
| ../test-seccomp.c: In function 'test_protect_sysctl':
| ../test-seccomp.c:307:5: error: "__NR__sysctl" is not defined, evaluates to 0 [-Werror=undef]
| 307 | #if __NR__sysctl > 0
| | ^~~~~~~~~~~~
Reference:
https://github.com/systemd/systemd/pull/14032
(From OE-Core rev: e0e7a6a8b4041d858e6a5f0e7d32f5df38ac53c5)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch | 152 | ||||
| -rw-r--r-- | meta/recipes-core/systemd/systemd_243.2.bb | 1 |
2 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch new file mode 100644 index 0000000000..f359d2879b --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch | |||
| @@ -0,0 +1,152 @@ | |||
| 1 | From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lennart Poettering <lennart@poettering.net> | ||
| 3 | Date: Thu, 14 Nov 2019 17:51:30 +0100 | ||
| 4 | Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's | ||
| 5 | __NR_xyz namespace invasion | ||
| 6 | |||
| 7 | A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the | ||
| 8 | same conditioning for all cases of our __NR_xyz use. | ||
| 9 | |||
| 10 | Fixes: #14031 | ||
| 11 | |||
| 12 | Reference: | ||
| 13 | https://github.com/systemd/systemd/pull/14032/commits/62f66fdbcc33580467c01b1f149474b6c973df5a | ||
| 14 | |||
| 15 | Upstream-Status: Backport | ||
| 16 | |||
| 17 | Signed-off-by: Ming Liu <liu.ming50@gmail.com> | ||
| 18 | --- | ||
| 19 | src/basic/missing_syscall.h | 10 +++++----- | ||
| 20 | src/test/test-seccomp.c | 19 ++++++++++--------- | ||
| 21 | 2 files changed, 15 insertions(+), 14 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h | ||
| 24 | index 6d9b125..1255d8b 100644 | ||
| 25 | --- a/src/basic/missing_syscall.h | ||
| 26 | +++ b/src/basic/missing_syscall.h | ||
| 27 | @@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c | ||
| 28 | |||
| 29 | #if !HAVE_KCMP | ||
| 30 | static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { | ||
| 31 | -# ifdef __NR_kcmp | ||
| 32 | +# if defined __NR_kcmp && __NR_kcmp > 0 | ||
| 33 | return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); | ||
| 34 | # else | ||
| 35 | errno = ENOSYS; | ||
| 36 | @@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i | ||
| 37 | |||
| 38 | #if !HAVE_KEYCTL | ||
| 39 | static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { | ||
| 40 | -# ifdef __NR_keyctl | ||
| 41 | +# if defined __NR_keyctl && __NR_keyctl > 0 | ||
| 42 | return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); | ||
| 43 | # else | ||
| 44 | errno = ENOSYS; | ||
| 45 | @@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg | ||
| 46 | } | ||
| 47 | |||
| 48 | static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { | ||
| 49 | -# ifdef __NR_add_key | ||
| 50 | +# if defined __NR_add_key && __NR_add_key > 0 | ||
| 51 | return syscall(__NR_add_key, type, description, payload, plen, ringid); | ||
| 52 | # else | ||
| 53 | errno = ENOSYS; | ||
| 54 | @@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip | ||
| 55 | } | ||
| 56 | |||
| 57 | static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { | ||
| 58 | -# ifdef __NR_request_key | ||
| 59 | +# if defined __NR_request_key && __NR_request_key > 0 | ||
| 60 | return syscall(__NR_request_key, type, description, callout_info, destringid); | ||
| 61 | # else | ||
| 62 | errno = ENOSYS; | ||
| 63 | @@ -496,7 +496,7 @@ enum { | ||
| 64 | static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, | ||
| 65 | unsigned long maxnode) { | ||
| 66 | long i; | ||
| 67 | -# ifdef __NR_set_mempolicy | ||
| 68 | +# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 | ||
| 69 | i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); | ||
| 70 | # else | ||
| 71 | errno = ENOSYS; | ||
| 72 | diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c | ||
| 73 | index 018c20f..c669204 100644 | ||
| 74 | --- a/src/test/test-seccomp.c | ||
| 75 | +++ b/src/test/test-seccomp.c | ||
| 76 | @@ -28,7 +28,8 @@ | ||
| 77 | #include "tmpfile-util.h" | ||
| 78 | #include "virt.h" | ||
| 79 | |||
| 80 | -#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) | ||
| 81 | +/* __NR_socket may be invalid due to libseccomp */ | ||
| 82 | +#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) | ||
| 83 | /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, | ||
| 84 | * and we can't restrict it hence via seccomp. */ | ||
| 85 | # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 | ||
| 86 | @@ -304,14 +305,14 @@ static void test_protect_sysctl(void) { | ||
| 87 | assert_se(pid >= 0); | ||
| 88 | |||
| 89 | if (pid == 0) { | ||
| 90 | -#if __NR__sysctl > 0 | ||
| 91 | +#if defined __NR__sysctl && __NR__sysctl > 0 | ||
| 92 | assert_se(syscall(__NR__sysctl, NULL) < 0); | ||
| 93 | assert_se(errno == EFAULT); | ||
| 94 | #endif | ||
| 95 | |||
| 96 | assert_se(seccomp_protect_sysctl() >= 0); | ||
| 97 | |||
| 98 | -#if __NR__sysctl > 0 | ||
| 99 | +#if defined __NR__sysctl && __NR__sysctl > 0 | ||
| 100 | assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); | ||
| 101 | assert_se(errno == EPERM); | ||
| 102 | #endif | ||
| 103 | @@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) { | ||
| 104 | assert_se(poll(NULL, 0, 0) == 0); | ||
| 105 | |||
| 106 | assert_se(s = hashmap_new(NULL)); | ||
| 107 | -#if SCMP_SYS(access) >= 0 | ||
| 108 | +#if defined __NR_access && __NR_access > 0 | ||
| 109 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); | ||
| 110 | #else | ||
| 111 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); | ||
| 112 | @@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) { | ||
| 113 | s = hashmap_free(s); | ||
| 114 | |||
| 115 | assert_se(s = hashmap_new(NULL)); | ||
| 116 | -#if SCMP_SYS(access) >= 0 | ||
| 117 | +#if defined __NR_access && __NR_access > 0 | ||
| 118 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); | ||
| 119 | #else | ||
| 120 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); | ||
| 121 | @@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) { | ||
| 122 | s = hashmap_free(s); | ||
| 123 | |||
| 124 | assert_se(s = hashmap_new(NULL)); | ||
| 125 | -#if SCMP_SYS(poll) >= 0 | ||
| 126 | +#if defined __NR_poll && __NR_poll > 0 | ||
| 127 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); | ||
| 128 | #else | ||
| 129 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); | ||
| 130 | @@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) { | ||
| 131 | s = hashmap_free(s); | ||
| 132 | |||
| 133 | assert_se(s = hashmap_new(NULL)); | ||
| 134 | -#if SCMP_SYS(poll) >= 0 | ||
| 135 | +#if defined __NR_poll && __NR_poll > 0 | ||
| 136 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); | ||
| 137 | #else | ||
| 138 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); | ||
| 139 | @@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) { | ||
| 140 | * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On | ||
| 141 | * other architectures, let's just fall back to the glibc call. */ | ||
| 142 | |||
| 143 | -#ifdef SYS_open | ||
| 144 | - return (int) syscall(SYS_open, path, flags, mode); | ||
| 145 | +#if defined __NR_open && __NR_open > 0 | ||
| 146 | + return (int) syscall(__NR_open, path, flags, mode); | ||
| 147 | #else | ||
| 148 | return open(path, flags, mode); | ||
| 149 | #endif | ||
| 150 | -- | ||
| 151 | 2.7.4 | ||
| 152 | |||
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb index 5ea9bf2a83..e31fac8c56 100644 --- a/meta/recipes-core/systemd/systemd_243.2.bb +++ b/meta/recipes-core/systemd/systemd_243.2.bb | |||
| @@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \ | |||
| 23 | file://0004-rules-whitelist-hd-devices.patch \ | 23 | file://0004-rules-whitelist-hd-devices.patch \ |
| 24 | file://0005-rules-watch-metadata-changes-in-ide-devices.patch \ | 24 | file://0005-rules-watch-metadata-changes-in-ide-devices.patch \ |
| 25 | file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \ | 25 | file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \ |
| 26 | file://0001-seccomp-more-comprehensive-protection-against-libsec.patch \ | ||
| 26 | file://99-default.preset \ | 27 | file://99-default.preset \ |
| 27 | " | 28 | " |
| 28 | 29 | ||