
Re: Seccomp support for linux-m68k



Hi Adrian,

On 22.07.2020 at 03:13, John Paul Adrian Glaubitz wrote:
Hello!

On 3/20/20 9:46 AM, John Paul Adrian Glaubitz wrote:
Would it be possible to add seccomp support for m68k in the kernel?

There are some packages like kscreensaver in Debian that require
libseccomp-dev and it would therefore be desirable if we could
that library on Linux/m68k as well.

From what I have learned from Helge Deller who added seccomp for
hppa, it doesn't seem much that is necessary to get seccomp working
on an architecture.

So, if anyone could work on the kernel part, I could do the work on
libseccomp.
I just had another look at the topic and it seems we just need a minimal
patch to add SECCOMP and SECCOMP_FILTER support when looking at the changes
for riscv64 [1].

The most complex change seems to be the changes in entry.S to add some additional
checks for syscall numbers. I think we could just do this for m68k (and SH) as
well.

Looking at your SH patch, I see no changes to check for syscall numbers, just a check of the syscall_trace_enter() return code added? Is that all that's needed for m68k as well?

What return code would we need to set on returning from an aborted syscall? (Without setting a specific one, -ENOSYS will be used by default.)

The userland part is trivial as well, I actually added SuperH support to
libseccomp today which was rather easy but my pull request was rejected for the
time being due to SuperH not supporting SECCOMP_FILTER yet (only basic SECCOMP).

So, if someone could do the kernel pieces for m68k, I would work on the userspace
changes in libseccomp.

My earlier patch switching m68k to use syscall_trace_enter() is incomplete, please add the return call check

--- a/arch/m68k/kernel/entry.S
+++ b/arch/m68k/kernel/entry.S
@@ -167,6 +167,8 @@ do_trace_entry:
        jbsr    syscall_trace_enter
        RESTORE_SWITCH_STACK
        addql   #4,%sp
+       tstb    %d0
+       jne     ret_from_syscall
        movel   %sp@(PT_OFF_ORIG_D0),%d0
        cmpl    #NR_syscalls,%d0
        jcs     syscall
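Review bot: The `tstb %d0` added after `addql #4,%sp` tests only the low byte of the value syscall_trace_enter() leaves in %d0, so a non-zero result whose low 8 bits are zero would fall through to the `cmpl #NR_syscalls,%d0` dispatch; `tstl %d0` checks the whole register. The new `jne ret_from_syscall` path would also benefit from a comment stating that a non-zero return means the syscall is skipped and which value the caller then sees as its result, since the hunk itself does not set one.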

and add the same seccomp check you used in the SH syscall_trace_enter() patch, if returning -ENOSYS on filtered syscalls is appropriate.

Cheers,

	Michael



Adrian

[1] https://github.com/torvalds/linux/commit/5340627e3fe08030988bdda46dd86cd5d5fb7517
[2] https://github.com/seccomp/libseccomp/pull/271


