Re: [libseccomp-discuss] Support for PowerPC platforms
High level interface to the Linux Kernel's seccomp filter
Brought to you by:
pcmoore
Menu
▾
▴
Re: [libseccomp-discuss] Support for PowerPC platforms
|
From: Paul M. <pa...@pa...> - 2015-01-29 21:00:36
|
On Thu, Jan 29, 2015 at 6:02 AM, Purcareata Bogdan <b4...@fr...> wrote: > On 22.01.2015 18:34, Paul Moore wrote: >> To clarify, are you planning to also develop the necessary kernel support? >> One of the reasons we do not support ppc* in libseccomp is that the kernel >> is currently lacking (or at least it was when I looked a few months ago) the >> necessary CONFIG_SECCOMP_FILTER support. > > Thanks for pointing it out, I wasn't aware of the differences between > seccomp strict and seccomp filter (still new to the subject). > > Following the reference at [1], I looked at the bit of how the requirements > in the kernel apply to ppc: > > config HAVE_ARCH_SECCOMP_FILTER > bool > help > An arch should select this symbol if it provides all of these things: > - syscall_get_arch() - DONE > - syscall_get_arguments() - DONE > - syscall_rollback() - DONE > - syscall_set_return_value() - DONE > - SIGSYS siginfo_t support - DONE > (SIGSYS present in arch/powerpc/include/uapi/asm/signal.h) > - secure_computing is called from a ptrace_event()-safe context > TO CHECK > - secure_computing return value is checked and a return value of -1 > results in the system call being skipped immediately. - TODO > > So what's left looks pretty feasible. I'll try to take care of it and come > back to you when I have some news. For what it's worth, IBM might also have some interest in this work. I'm not exactly sure who would be the best contact there to find out, but if you have any contacts with IBM it might be worth sending some mail. > Meanwhile, I added the support for ppc in the master libseccomp by > backporting Marcus's patch. All the regression tests pass - the initial > problem with the BPF simulator has been fixed. Okay, that's good to know. I'm a little busy right now with other things at the moment, but if you intend to work on this, perhaps I'll setup a ppc branch that we can work from while we wait for proper kernel support. > I plan to post the patch after I've validated SECCOMP_FILTER support for ppc > in the kernel. I saw that the regression tests use an userspace BPF > simulator for testing the library. Are there any tests than I can use to > validate the kernel SECCOMP_FILTER support as well? Look at the "live" tests, they are basic, but they do perform some basic sanity checks. # ./regression -T live > [1] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt > > Thanks, > Bogdan P. -- paul moore www.paul-moore.com |
