[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Seccomp support for linux-m68k


On 3/22/20 12:18 AM, Michael Schmitz wrote:
Am 21.03.2020 um 11:59 schrieb John Paul Adrian Glaubitz:
On 3/20/20 11:49 PM, Finn Thain wrote:
I suspect (without evidence) that many m68k systems are actually virtual
machines. And the need for container hosting on m68k seems negligible.

It isn't about security. It's about being able to build more packages
as some packages have started to make libseccomp support mandatory.

Is there a good technical reason for this decision? I suppose most of these packages are not about VM or container hosting?

Besides VM / container programs, SSH and browsers use it also:

What about checking at runtime for availability of the library, and disabling VM related functionality if it wasn't possible to load?

That would require changing large number of
upstream projects (including things like Chromium)
* load it dynamically
* handling libseccomp missing

I think much easier would be to patch libseccomp
to build without arch support, and just return
errors to API calls:

In the event that kernel support can't be avoided: I suppose there a git commit for Helge's hppa changes that would help gauge the effort required for implementing such support?

In general it seems to require:

* libseccomp: arch recognition & syscall
  mapping support:


* kernel: Adding the new syscall number

* kernel: Calling seccomp on syscall invalidation path

* kernel: Potentially something related to 32-bit & ptrace

Which all seem fairly straightforward, but many of
the projects seem to be using seccomp-bpf, instead
of plain seccomp.

How's m68k BPF support?

	- Eero

PS. Not related to seccomp, but Hatari's 030
emulation exception handling has been improved
a lot recently, e.g. exception addresses on auto-
increment instructions should be correct etc.

(I'm still seeing random errors on kernel syscall
interface, but I'm starting to wonder whether it's
related to something else than 030 emulation, as
Linux works fine under the same CPU core code
within WinUAE Amiga emulator.)

Reply to: