Re: [libseccomp-discuss] Support for PowerPC platforms
High level interface to the Linux Kernel's seccomp filter
From: Purcareata B. <b4...@fr...> - 2015-01-29 11:17:12
On 22.01.2015 18:34, Paul Moore wrote:
> On Thursday, January 22, 2015 09:16:43 AM Purcareata Bogdan wrote:
>> On 22.01.2015 09:12, Marcus Meissner wrote:
>>> On Wed, Jan 21, 2015 at 10:23:42PM -0500, Paul Moore wrote:
>>>> On Wed, Jan 21, 2015 at 7:37 AM, Marcus Meissner wrote:
>>>>> On Wed, Jan 21, 2015 at 02:35:51PM +0200, Purcareata Bogdan wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I noticed a patch from a while ago on the mailing list adding support
>>>>>> for PowerPC platforms and zSeries [1]. The patch, however, has not been
>>>>>> upstreamed due to some issues in the testsuite. I was wondering whether
>>>>>> there have been any news on the patch and whether it's still of
>>>>>> interest.
>>>>>>
>>>>>> I'm interested in running LXC containers on PowerPC platforms, and would
>>>>>> like to have seccomp support as well. Right now, I don't have much
>>>>>> experience with seccomp, but I would be glad to start looking at the
>>>>>> code and contribute.
>>>>>>
>>>>>> [1] http://sourceforge.net/p/libseccomp/mailman/message/32609277/
>>>>>
>>>>> I did not continue on this patch as my other work is keeping me very busy,
>>>>> sadly also for the foreseeable future.
>>>>>
>>>>> Feel free to take and improve.
>>>>
>>>> I also put together some patches to support ppc64, but never tested
>>>> them on a ppc64 system, and to be honest it was a few months ago so
>>>> I'm not sure what state they are in ... if you are interested I can
>>>> try to dust them off and post them here.
>>>
>>> I can still test ppc32 and ppc64 (big or little endian) if there is need.
>>
>> Anything would be great. I'm planning to develop and test both ppc and
>> ppc64 Linux. Not sure at this point if there is any impact, but the
>> platforms I'm working on are book3e, not book3s.
>>
>> Unfortunately I don't have access to any zSeries platforms.
>
> To clarify, are you planning to also develop the necessary kernel support?
> One of the reasons we do not support ppc* in libseccomp is that the kernel is
> currently lacking (or at least it was when I looked a few months ago) the
> necessary CONFIG_SECCOMP_FILTER support.

Thanks for pointing it out, I wasn't aware of the differences between
seccomp strict and seccomp filter (still new to the subject). Following
the reference at [1], I looked at the bit of how the requirements in the
kernel apply to ppc:

    config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch() - DONE
          - syscall_get_arguments() - DONE
          - syscall_rollback() - DONE
          - syscall_set_return_value() - DONE
          - SIGSYS siginfo_t support - DONE (SIGSYS present in
            arch/powerpc/include/uapi/asm/signal.h)
          - secure_computing is called from a ptrace_event()-safe context TO CHECK
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately. - TODO

So what's left looks pretty feasible. I'll try to take care of it and
come back to you when I have some news.

Meanwhile, I added the support for ppc in the master libseccomp by
backporting Marcus's patch. All the regression tests pass - the initial
problem with the BPF simulator has been fixed. I plan to post the patch
after I've validated SECCOMP_FILTER support for ppc in the kernel.

I saw that the regression tests use a userspace BPF simulator for
testing the library. Are there any tests that I can use to validate the
kernel SECCOMP_FILTER support as well?

[1] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

Thanks,
Bogdan P.
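
A small runtime probe for the kernel-side support discussed in this message, as an added example that is not part of the original thread or of libseccomp. It loads a raw BPF filter in a child process and checks that a syscall denied with SECCOMP_RET_ERRNO is skipped and returns the filter's errno, which exercises the last item in the HAVE_ARCH_SECCOMP_FILTER list. The function, enum and array names, and the choice of getppid() as the denied call, are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

enum probe_result { FILTER_OK, FILTER_UNSUPPORTED, FILTER_BROKEN, PROBE_ERROR };

/* Example filter (names are this example's own): allow everything except
 * getppid(), which must fail with EPERM. A real policy would also check
 * seccomp_data.arch before looking at the syscall number. */
static struct sock_filter probe_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Runs in a forked child so the filter never applies to the caller. */
int probe_seccomp_filter(void)
{
    struct sock_fprog prog = { .filter = probe_filter,
        .len = sizeof(probe_filter) / sizeof(probe_filter[0]) };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        /* EINVAL from either prctl means the kernel lacks the feature. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(errno == EINVAL ? FILTER_UNSUPPORTED : PROBE_ERROR);
        /* If the arch does not skip the call, the real parent pid comes back. */
        long ret = syscall(__NR_getppid);
        _exit(ret == -1 && errno == EPERM ? FILTER_OK : FILTER_BROKEN);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "ok", "unsupported", "broken", "error" };
    printf("SECCOMP_FILTER: %s\n", names[probe_seccomp_filter()]);
    return 0;
}
```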