author | Ming Liu <liu.ming50@gmail.com> | 2019-12-28 14:18:02 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-01-27 16:48:08 +0000 |
commit | a315a01826726d4e403d987e99cb879b2a97329d (patch) | |
tree | d7cb283a4ebfa43bc2fc327305f19ee4624fdef0 /meta/recipes-core/systemd | |
parent | e9e1aa199bd654ee485918bdc2e53df93522b381 (diff) | |
systemd: fix a test-seccomp build issue
Fix the following compile error when seccomp is enabled via
PACKAGECONFIG:
| ../test-seccomp.c: In function 'test_protect_sysctl':
| ../test-seccomp.c:307:5: error: "__NR__sysctl" is not defined, evaluates to 0 [-Werror=undef]
| 307 | #if __NR__sysctl > 0
| | ^~~~~~~~~~~~
Reference:
https://github.com/systemd/systemd/pull/14032
(From OE-Core rev: e0e7a6a8b4041d858e6a5f0e7d32f5df38ac53c5)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch | 152 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_243.2.bb | 1 |
2 files changed, 153 insertions, 0 deletions
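--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch
@@ -0,0 +1,152 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+__NR_xyz namespace invasion
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+
+Reference:
+https://github.com/systemd/systemd/pull/14032/commits/62f66fdbcc33580467c01b1f149474b6c973df5a
+
+Upstream-Status: Backport
+
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+src/basic/missing_syscall.h | 10 +++++-----
+src/test/test-seccomp.c | 19 ++++++++++---------
+2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b125..1255d8b 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+
+#if !HAVE_KCMP
+static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+# else
+errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+
+#if !HAVE_KEYCTL
+static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+# else
+errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+}
+
+static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+return syscall(__NR_add_key, type, description, payload, plen, ringid);
+# else
+errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+}
+
+static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+return syscall(__NR_request_key, type, description, callout_info, destringid);
+# else
+errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+unsigned long maxnode) {
+long i;
+-# ifdef __NR_set_mempolicy
++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+# else
+errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f..c669204 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+#include "tmpfile-util.h"
+#include "virt.h"
+
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+* and we can't restrict it hence via seccomp. */
+# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+assert_se(pid >= 0);
+
+if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+assert_se(syscall(__NR__sysctl, NULL) < 0);
+assert_se(errno == EFAULT);
+#endif
+
+assert_se(seccomp_protect_sysctl() >= 0);
+
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+assert_se(errno == EPERM);
+#endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+assert_se(poll(NULL, 0, 0) == 0);
+
+assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+#else
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+s = hashmap_free(s);
+
+assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+s = hashmap_free(s);
+
+assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+#else
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+s = hashmap_free(s);
+
+assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+* testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+* other architectures, let's just fall back to the glibc call. */
+
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+#else
+return open(path, flags, mode);
+#endif
+--
+2.7.4
+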
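Review bot: The context comment carried at lines 140–141 of the new patch still says real_open() uses the raw syscall "on architectures where SYS_open is defined", but the guard it describes is replaced at line 145 by `#if defined __NR_open && __NR_open > 0`, so the comment no longer matches the condition (real_open() itself starts before that hunk). Because this file is a backport, the wording fix belongs upstream, where the comment could read `on architectures where __NR_open is a valid (positive) syscall number`, rather than in a local edit that would make the patch diverge from its upstream commit. The one-line comment at line 81, `/* __NR_socket may be invalid due to libseccomp */`, is the only place the patch explains the pattern it applies everywhere; the subject line and the `> 0` tests suggest libseccomp can define `__NR_*` names for syscalls the architecture lacks, which is why a plain `#ifdef` is no longer sufficient, and stating that there would save the next reader from re-deriving it. On the OE side, `Upstream-Status: Backport` at line 15 would be more useful in the conventional bracketed form carrying the upstream commit URL already given at line 13.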
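--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
 file://0004-rules-whitelist-hd-devices.patch \
 file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
 file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
+file://0001-seccomp-more-comprehensive-protection-against-libsec.patch \
 file://99-default.preset \
 "
 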