Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Andy Lutomirski]

[cc's added]

On Thu, Apr 17, 2014 at 9:08 AM, Eric Paris <eparis@redhat.com> wrote:
> On Thu, 2014-04-17 at 17:05 +0100, Markos Chandras wrote:
>> On 04/17/2014 04:38 PM, Paul Moore wrote:
>> >> Similarly, for MIPS, restricting open() on all 3 ABIs means 3 filters.
>> >> 1) AUDIT_ARCH_MIPS(EL) syscall=4005
>> >> 2) AUDIT_ARCH_MIPS64(EL) syscall=5005 (n64)
>> >> 3) AUDIT_ARCH_MIPS64(EL) syscall=6005 (n32)
>> >>
>> >> Is this bad?
>> >
>> > In my seccomp-heavy opinion it isn't good, but we can work around it.  MIPS64
>> > looks like x86_64/x32, which means we can't identify the ABI by the AUDIT_ARCH
>> > token alone, we need to factor in the syscall number as well; this complicates
>> > the filter generation as well as the filter itself.
>> >
>> > Take a look at the x86_64 BPF generated from the 01-sim-allow test.  You'll
>> > notice that the test creates a seccomp filter without any rules, simply a
>> > default action, yet if you look at the raw BPF below you will notice that we
>> > are checking both the the architecture token ($data[4]) and the syscall
>> > ($data[0]).  Granted, this is a contrived example (look at the more complex
>> > multi-arch examples to understand why this is important) but it is a simple
>> > demonstration.
>> >
>> >   line  OP   JT   JF   K
>> > =================================
>> >   0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
>> >   0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
>> >   0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
>> >   0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
>> >   0004: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
>> >   0005: 0x06 0x00 0x00 0x00000000   ret KILL
>>
>> I see what you mean. That was very helpful
>>
>> > [.....]
>> >> Even if seccomp could identify the ABI, you still need filters to restrict
>> >> the actual system calls.
>> >
>> > Let me twist the phrasing above a bit ... The libseccomp library must be able
>> > to identify the ABI and apply the correct ABI specific filter rules.
>> >
>> >> I am sorry if my replies make no sense, but it's probably because I
>> >> don't understand why multiple filters (1 filter per ABI syscall) is not
>> >> an option.
>> >
>> > It is more than an option, it is a requirement. :)
>>
>> I understand the problem now. So yeah, it's not a problem, it's more
>> like a desired optimization to simplify the logic in filters as well as
>> making them less complex. And it's not libseccomp specific.
>>
>> So, a quick patch to solve this in the kernel would be something like
>> the following one (completely untested). Given this code hasn't been
>> part of a released kernel, I believe there is time to add this to 3.15.
>> Would something like this make things simpler?
>>
>> diff --git a/arch/mips/include/asm/syscall.h
>> b/arch/mips/include/asm/syscall.h
>> index c6e9cd2..bd7543c 100644
>> --- a/arch/mips/include/asm/syscall.h
>> +++ b/arch/mips/include/asm/syscall.h
>> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>>   #ifdef CONFIG_64BIT
>>           if (!test_thread_flag(TIF_32BIT_REGS))
>>                   arch |= __AUDIT_ARCH_64BIT;
>> +        if (test_thread_flag(TIF_32BIT_ADDR))
>> +                arch |= __AUDIT_ARCH_MIPS64_N32;
>>   #endif
>>   #if defined(__LITTLE_ENDIAN)
>>           arch |=  __AUDIT_ARCH_LE;
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 11917f7..6bd9322 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -334,6 +334,8 @@ enum {
>>   /* distinguish syscall tables */
>>   #define __AUDIT_ARCH_64BIT 0x80000000
>>   #define __AUDIT_ARCH_LE    0x40000000
>> +#define __AUDIT_ARCH_MIPS64_N32 0x20000000
>> +
>>   #define AUDIT_ARCH_ALPHA
>> (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARMEB        (EM_ARM)
>> @@ -346,7 +348,11 @@ enum {
>>   #define AUDIT_ARCH_MIPS         (EM_MIPS)
>>   #define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
>> +#define AUDIT_ARCH_MIPS64N32    (EM_MIPS|__AUDIT_ARCH_64BIT|\
>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>   #define AUDIT_ARCH_MIPSEL64
>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_MIPSEL64N32
>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>   #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
>>   #define AUDIT_ARCH_PARISC       (EM_PARISC)
>>   #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
>
> I love it from both an audit and libseccomp PoV...
>

I know nothing about the MIPS entry code, but the concept is:

Acked-by: Andy Lutomirski <luto@amacapital.net>

That being said, here's a minor nit:

#define __AUDIT_ARCH_MIPS64_N32 0x20000000

in a cross-arch header doesn't seem like the best idea.  Might it be
better to do:

/* These bits disambiguate different calling conventions that share an
ELF machine type, bitness, and endianness */
#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000

This will encourage reuse of the same bit the next time this happens.

--Andy

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Markos Chandras]

On 04/17/2014 05:20 PM, Andy Lutomirski wrote:
> [cc's added]
>
> On Thu, Apr 17, 2014 at 9:08 AM, Eric Paris <eparis@redhat.com> wrote:
>> On Thu, 2014-04-17 at 17:05 +0100, Markos Chandras wrote:
>>> On 04/17/2014 04:38 PM, Paul Moore wrote:
>>>>> Similarly, for MIPS, restricting open() on all 3 ABIs means 3 filters.
>>>>> 1) AUDIT_ARCH_MIPS(EL) syscall=4005
>>>>> 2) AUDIT_ARCH_MIPS64(EL) syscall=5005 (n64)
>>>>> 3) AUDIT_ARCH_MIPS64(EL) syscall=6005 (n32)
>>>>>
>>>>> Is this bad?
>>>>
>>>> In my seccomp-heavy opinion it isn't good, but we can work around it.  MIPS64
>>>> looks like x86_64/x32, which means we can't identify the ABI by the AUDIT_ARCH
>>>> token alone, we need to factor in the syscall number as well; this complicates
>>>> the filter generation as well as the filter itself.
>>>>
>>>> Take a look at the x86_64 BPF generated from the 01-sim-allow test.  You'll
>>>> notice that the test creates a seccomp filter without any rules, simply a
>>>> default action, yet if you look at the raw BPF below you will notice that we
>>>> are checking both the the architecture token ($data[4]) and the syscall
>>>> ($data[0]).  Granted, this is a contrived example (look at the more complex
>>>> multi-arch examples to understand why this is important) but it is a simple
>>>> demonstration.
>>>>
>>>>    line  OP   JT   JF   K
>>>> =================================
>>>>    0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
>>>>    0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
>>>>    0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
>>>>    0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
>>>>    0004: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
>>>>    0005: 0x06 0x00 0x00 0x00000000   ret KILL
>>>
>>> I see what you mean. That was very helpful
>>>
>>>> [.....]
>>>>> Even if seccomp could identify the ABI, you still need filters to restrict
>>>>> the actual system calls.
>>>>
>>>> Let me twist the phrasing above a bit ... The libseccomp library must be able
>>>> to identify the ABI and apply the correct ABI specific filter rules.
>>>>
>>>>> I am sorry if my replies make no sense, but it's probably because I
>>>>> don't understand why multiple filters (1 filter per ABI syscall) is not
>>>>> an option.
>>>>
>>>> It is more than an option, it is a requirement. :)
>>>
>>> I understand the problem now. So yeah, it's not a problem, it's more
>>> like a desired optimization to simplify the logic in filters as well as
>>> making them less complex. And it's not libseccomp specific.
>>>
>>> So, a quick patch to solve this in the kernel would be something like
>>> the following one (completely untested). Given this code hasn't been
>>> part of a released kernel, I believe there is time to add this to 3.15.
>>> Would something like this make things simpler?
>>>
>>> diff --git a/arch/mips/include/asm/syscall.h
>>> b/arch/mips/include/asm/syscall.h
>>> index c6e9cd2..bd7543c 100644
>>> --- a/arch/mips/include/asm/syscall.h
>>> +++ b/arch/mips/include/asm/syscall.h
>>> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>>>    #ifdef CONFIG_64BIT
>>>            if (!test_thread_flag(TIF_32BIT_REGS))
>>>                    arch |= __AUDIT_ARCH_64BIT;
>>> +        if (test_thread_flag(TIF_32BIT_ADDR))
>>> +                arch |= __AUDIT_ARCH_MIPS64_N32;
>>>    #endif
>>>    #if defined(__LITTLE_ENDIAN)
>>>            arch |=  __AUDIT_ARCH_LE;
>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>> index 11917f7..6bd9322 100644
>>> --- a/include/uapi/linux/audit.h
>>> +++ b/include/uapi/linux/audit.h
>>> @@ -334,6 +334,8 @@ enum {
>>>    /* distinguish syscall tables */
>>>    #define __AUDIT_ARCH_64BIT 0x80000000
>>>    #define __AUDIT_ARCH_LE    0x40000000
>>> +#define __AUDIT_ARCH_MIPS64_N32 0x20000000
>>> +
>>>    #define AUDIT_ARCH_ALPHA
>>> (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_ARMEB        (EM_ARM)
>>> @@ -346,7 +348,11 @@ enum {
>>>    #define AUDIT_ARCH_MIPS         (EM_MIPS)
>>>    #define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
>>> +#define AUDIT_ARCH_MIPS64N32    (EM_MIPS|__AUDIT_ARCH_64BIT|\
>>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>>    #define AUDIT_ARCH_MIPSEL64
>>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>> +#define AUDIT_ARCH_MIPSEL64N32
>>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
>>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>>    #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
>>>    #define AUDIT_ARCH_PARISC       (EM_PARISC)
>>>    #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
>>
>> I love it from both an audit and libseccomp PoV...
>>
>
> I know nothing about the MIPS entry code, but the concept is:
>
> Acked-by: Andy Lutomirski <luto@amacapital.net>
>
> That being said, here's a minor nit:
>
> #define __AUDIT_ARCH_MIPS64_N32 0x20000000
>
> in a cross-arch header doesn't seem like the best idea.  Might it be
> better to do:
>
> /* These bits disambiguate different calling conventions that share an
> ELF machine type, bitness, and endianness */
> #define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> #define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
>
> This will encourage reuse of the same bit the next time this happens.
>
> --Andy
>

Thanks. I will change the patch based on your proposal and send it to 
the kernel mailing lists for review.

-- 
markos

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Markos Chandras]

On 04/17/2014 05:20 PM, Andy Lutomirski wrote:
> [cc's added]
>
> On Thu, Apr 17, 2014 at 9:08 AM, Eric Paris <eparis@redhat.com> wrote:
>> On Thu, 2014-04-17 at 17:05 +0100, Markos Chandras wrote:
>>> On 04/17/2014 04:38 PM, Paul Moore wrote:
>>>>> Similarly, for MIPS, restricting open() on all 3 ABIs means 3 filters.
>>>>> 1) AUDIT_ARCH_MIPS(EL) syscall=4005
>>>>> 2) AUDIT_ARCH_MIPS64(EL) syscall=5005 (n64)
>>>>> 3) AUDIT_ARCH_MIPS64(EL) syscall=6005 (n32)
>>>>>
>>>>> Is this bad?
>>>>
>>>> In my seccomp-heavy opinion it isn't good, but we can work around it.  MIPS64
>>>> looks like x86_64/x32, which means we can't identify the ABI by the AUDIT_ARCH
>>>> token alone, we need to factor in the syscall number as well; this complicates
>>>> the filter generation as well as the filter itself.
>>>>
>>>> Take a look at the x86_64 BPF generated from the 01-sim-allow test.  You'll
>>>> notice that the test creates a seccomp filter without any rules, simply a
>>>> default action, yet if you look at the raw BPF below you will notice that we
>>>> are checking both the the architecture token ($data[4]) and the syscall
>>>> ($data[0]).  Granted, this is a contrived example (look at the more complex
>>>> multi-arch examples to understand why this is important) but it is a simple
>>>> demonstration.
>>>>
>>>>    line  OP   JT   JF   K
>>>> =================================
>>>>    0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
>>>>    0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
>>>>    0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
>>>>    0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
>>>>    0004: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
>>>>    0005: 0x06 0x00 0x00 0x00000000   ret KILL
>>>
>>> I see what you mean. That was very helpful
>>>
>>>> [.....]
>>>>> Even if seccomp could identify the ABI, you still need filters to restrict
>>>>> the actual system calls.
>>>>
>>>> Let me twist the phrasing above a bit ... The libseccomp library must be able
>>>> to identify the ABI and apply the correct ABI specific filter rules.
>>>>
>>>>> I am sorry if my replies make no sense, but it's probably because I
>>>>> don't understand why multiple filters (1 filter per ABI syscall) is not
>>>>> an option.
>>>>
>>>> It is more than an option, it is a requirement. :)
>>>
>>> I understand the problem now. So yeah, it's not a problem, it's more
>>> like a desired optimization to simplify the logic in filters as well as
>>> making them less complex. And it's not libseccomp specific.
>>>
>>> So, a quick patch to solve this in the kernel would be something like
>>> the following one (completely untested). Given this code hasn't been
>>> part of a released kernel, I believe there is time to add this to 3.15.
>>> Would something like this make things simpler?
>>>
>>> diff --git a/arch/mips/include/asm/syscall.h
>>> b/arch/mips/include/asm/syscall.h
>>> index c6e9cd2..bd7543c 100644
>>> --- a/arch/mips/include/asm/syscall.h
>>> +++ b/arch/mips/include/asm/syscall.h
>>> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>>>    #ifdef CONFIG_64BIT
>>>            if (!test_thread_flag(TIF_32BIT_REGS))
>>>                    arch |= __AUDIT_ARCH_64BIT;
>>> +        if (test_thread_flag(TIF_32BIT_ADDR))
>>> +                arch |= __AUDIT_ARCH_MIPS64_N32;
>>>    #endif
>>>    #if defined(__LITTLE_ENDIAN)
>>>            arch |=  __AUDIT_ARCH_LE;
>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>>> index 11917f7..6bd9322 100644
>>> --- a/include/uapi/linux/audit.h
>>> +++ b/include/uapi/linux/audit.h
>>> @@ -334,6 +334,8 @@ enum {
>>>    /* distinguish syscall tables */
>>>    #define __AUDIT_ARCH_64BIT 0x80000000
>>>    #define __AUDIT_ARCH_LE    0x40000000
>>> +#define __AUDIT_ARCH_MIPS64_N32 0x20000000
>>> +
>>>    #define AUDIT_ARCH_ALPHA
>>> (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_ARMEB        (EM_ARM)
>>> @@ -346,7 +348,11 @@ enum {
>>>    #define AUDIT_ARCH_MIPS         (EM_MIPS)
>>>    #define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
>>>    #define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
>>> +#define AUDIT_ARCH_MIPS64N32    (EM_MIPS|__AUDIT_ARCH_64BIT|\
>>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>>    #define AUDIT_ARCH_MIPSEL64
>>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>> +#define AUDIT_ARCH_MIPSEL64N32
>>> (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
>>> +                                 __AUDIT_ARCH_MIPS64_N32)
>>>    #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
>>>    #define AUDIT_ARCH_PARISC       (EM_PARISC)
>>>    #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
>>
>> I love it from both an audit and libseccomp PoV...
>>
>
> I know nothing about the MIPS entry code, but the concept is:
>
> Acked-by: Andy Lutomirski <luto@amacapital.net>
>
> That being said, here's a minor nit:
>
> #define __AUDIT_ARCH_MIPS64_N32 0x20000000
>
> in a cross-arch header doesn't seem like the best idea.  Might it be
> better to do:
>
> /* These bits disambiguate different calling conventions that share an
> ELF machine type, bitness, and endianness */
> #define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> #define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
>
> This will encourage reuse of the same bit the next time this happens.
>
> --Andy
>

Thanks. I will change the patch based on your proposal and send it to 
the kernel mailing lists for review.

-- 
markos

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Ralf Baechle]

On Thu, Apr 17, 2014 at 05:24:15PM +0100, Markos Chandras wrote:

> On 04/17/2014 05:20 PM, Andy Lutomirski wrote:
> >[cc's added]
> >
> >On Thu, Apr 17, 2014 at 9:08 AM, Eric Paris <eparis@redhat.com> wrote:
> >>On Thu, 2014-04-17 at 17:05 +0100, Markos Chandras wrote:
> >>>On 04/17/2014 04:38 PM, Paul Moore wrote:
> >>>>>Similarly, for MIPS, restricting open() on all 3 ABIs means 3 filters.
> >>>>>1) AUDIT_ARCH_MIPS(EL) syscall=4005
> >>>>>2) AUDIT_ARCH_MIPS64(EL) syscall=5005 (n64)
> >>>>>3) AUDIT_ARCH_MIPS64(EL) syscall=6005 (n32)
> >>>>>
> >>>>>Is this bad?
> >>>>
> >>>>In my seccomp-heavy opinion it isn't good, but we can work around it.  MIPS64
> >>>>looks like x86_64/x32, which means we can't identify the ABI by the AUDIT_ARCH
> >>>>token alone, we need to factor in the syscall number as well; this complicates
> >>>>the filter generation as well as the filter itself.
> >>>>
> >>>>Take a look at the x86_64 BPF generated from the 01-sim-allow test.  You'll
> >>>>notice that the test creates a seccomp filter without any rules, simply a
> >>>>default action, yet if you look at the raw BPF below you will notice that we
> >>>>are checking both the the architecture token ($data[4]) and the syscall
> >>>>($data[0]).  Granted, this is a contrived example (look at the more complex
> >>>>multi-arch examples to understand why this is important) but it is a simple
> >>>>demonstration.
> >>>>
> >>>>   line  OP   JT   JF   K
> >>>>=================================
> >>>>   0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
> >>>>   0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
> >>>>   0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
> >>>>   0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
> >>>>   0004: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
> >>>>   0005: 0x06 0x00 0x00 0x00000000   ret KILL
> >>>
> >>>I see what you mean. That was very helpful
> >>>
> >>>>[.....]
> >>>>>Even if seccomp could identify the ABI, you still need filters to restrict
> >>>>>the actual system calls.
> >>>>
> >>>>Let me twist the phrasing above a bit ... The libseccomp library must be able
> >>>>to identify the ABI and apply the correct ABI specific filter rules.
> >>>>
> >>>>>I am sorry if my replies make no sense, but it's probably because I
> >>>>>don't understand why multiple filters (1 filter per ABI syscall) is not
> >>>>>an option.
> >>>>
> >>>>It is more than an option, it is a requirement. :)
> >>>
> >>>I understand the problem now. So yeah, it's not a problem, it's more
> >>>like a desired optimization to simplify the logic in filters as well as
> >>>making them less complex. And it's not libseccomp specific.
> >>>
> >>>So, a quick patch to solve this in the kernel would be something like
> >>>the following one (completely untested). Given this code hasn't been
> >>>part of a released kernel, I believe there is time to add this to 3.15.
> >>>Would something like this make things simpler?
> >>>
> >>>diff --git a/arch/mips/include/asm/syscall.h
> >>>b/arch/mips/include/asm/syscall.h
> >>>index c6e9cd2..bd7543c 100644
> >>>--- a/arch/mips/include/asm/syscall.h
> >>>+++ b/arch/mips/include/asm/syscall.h
> >>>@@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
> >>>   #ifdef CONFIG_64BIT
> >>>           if (!test_thread_flag(TIF_32BIT_REGS))
> >>>                   arch |= __AUDIT_ARCH_64BIT;
> >>>+        if (test_thread_flag(TIF_32BIT_ADDR))
> >>>+                arch |= __AUDIT_ARCH_MIPS64_N32;
> >>>   #endif
> >>>   #if defined(__LITTLE_ENDIAN)
> >>>           arch |=  __AUDIT_ARCH_LE;
> >>>diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> >>>index 11917f7..6bd9322 100644
> >>>--- a/include/uapi/linux/audit.h
> >>>+++ b/include/uapi/linux/audit.h
> >>>@@ -334,6 +334,8 @@ enum {
> >>>   /* distinguish syscall tables */
> >>>   #define __AUDIT_ARCH_64BIT 0x80000000
> >>>   #define __AUDIT_ARCH_LE    0x40000000
> >>>+#define __AUDIT_ARCH_MIPS64_N32 0x20000000
> >>>+
> >>>   #define AUDIT_ARCH_ALPHA
> >>>(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>   #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
> >>>   #define AUDIT_ARCH_ARMEB        (EM_ARM)
> >>>@@ -346,7 +348,11 @@ enum {
> >>>   #define AUDIT_ARCH_MIPS         (EM_MIPS)
> >>>   #define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
> >>>   #define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
> >>>+#define AUDIT_ARCH_MIPS64N32    (EM_MIPS|__AUDIT_ARCH_64BIT|\
> >>>+                                 __AUDIT_ARCH_MIPS64_N32)
> >>>   #define AUDIT_ARCH_MIPSEL64
> >>>(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>+#define AUDIT_ARCH_MIPSEL64N32
> >>>(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
> >>>+                                 __AUDIT_ARCH_MIPS64_N32)
> >>>   #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
> >>>   #define AUDIT_ARCH_PARISC       (EM_PARISC)
> >>>   #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
> >>
> >>I love it from both an audit and libseccomp PoV...
> >>
> >
> >I know nothing about the MIPS entry code, but the concept is:
> >
> >Acked-by: Andy Lutomirski <luto@amacapital.net>
> >
> >That being said, here's a minor nit:
> >
> >#define __AUDIT_ARCH_MIPS64_N32 0x20000000
> >
> >in a cross-arch header doesn't seem like the best idea.  Might it be
> >better to do:

In another patch of mine adding audit support I've named the
bit __AUDIT_ARCH_ALT which should be a sufficiently neutral name,
I'd hope.

> >/* These bits disambiguate different calling conventions that share an
> >ELF machine type, bitness, and endianness */
> >#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> >#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> >
> >This will encourage reuse of the same bit the next time this happens.
> >
> >--Andy
> >
> 
> Thanks. I will change the patch based on your proposal and send it
> to the kernel mailing lists for review.

I can't imagine any legitimate reason why an application of a particular
ABI would want to try a syscall of another ABI, for example why an N64
process would want to call the O32 open(2) syscall.

For that reason I've long been contemplating to make syscalls of other ABIs
unavailable, even without seccomp.  Would that be useful for seccomp?

One exception though - I've seen a non-O32 application using syscall 4000,
the indirect syscall syscall.  Some needs to be the first to be taken out
and shot ;-)

  Ralf

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Andy Lutomirski]

On Thu, Apr 17, 2014 at 12:13 PM, Ralf Baechle <ralf@linux-mips.org> wrote:
> On Thu, Apr 17, 2014 at 05:24:15PM +0100, Markos Chandras wrote:
>
>> On 04/17/2014 05:20 PM, Andy Lutomirski wrote:
>> >[cc's added]
>> >
>> >On Thu, Apr 17, 2014 at 9:08 AM, Eric Paris <eparis@redhat.com> wrote:
>> >>On Thu, 2014-04-17 at 17:05 +0100, Markos Chandras wrote:
>> >>>On 04/17/2014 04:38 PM, Paul Moore wrote:
>> >>>>>Similarly, for MIPS, restricting open() on all 3 ABIs means 3 filters.
>> >>>>>1) AUDIT_ARCH_MIPS(EL) syscall=4005
>> >>>>>2) AUDIT_ARCH_MIPS64(EL) syscall=5005 (n64)
>> >>>>>3) AUDIT_ARCH_MIPS64(EL) syscall=6005 (n32)
>> >>>>>
>> >>>>>Is this bad?
>> >>>>
>> >>>>In my seccomp-heavy opinion it isn't good, but we can work around it.  MIPS64
>> >>>>looks like x86_64/x32, which means we can't identify the ABI by the AUDIT_ARCH
>> >>>>token alone, we need to factor in the syscall number as well; this complicates
>> >>>>the filter generation as well as the filter itself.
>> >>>>
>> >>>>Take a look at the x86_64 BPF generated from the 01-sim-allow test.  You'll
>> >>>>notice that the test creates a seccomp filter without any rules, simply a
>> >>>>default action, yet if you look at the raw BPF below you will notice that we
>> >>>>are checking both the the architecture token ($data[4]) and the syscall
>> >>>>($data[0]).  Granted, this is a contrived example (look at the more complex
>> >>>>multi-arch examples to understand why this is important) but it is a simple
>> >>>>demonstration.
>> >>>>
>> >>>>   line  OP   JT   JF   K
>> >>>>=================================
>> >>>>   0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
>> >>>>   0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
>> >>>>   0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
>> >>>>   0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
>> >>>>   0004: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
>> >>>>   0005: 0x06 0x00 0x00 0x00000000   ret KILL
>> >>>
>> >>>I see what you mean. That was very helpful
>> >>>
>> >>>>[.....]
>> >>>>>Even if seccomp could identify the ABI, you still need filters to restrict
>> >>>>>the actual system calls.
>> >>>>
>> >>>>Let me twist the phrasing above a bit ... The libseccomp library must be able
>> >>>>to identify the ABI and apply the correct ABI specific filter rules.
>> >>>>
>> >>>>>I am sorry if my replies make no sense, but it's probably because I
>> >>>>>don't understand why multiple filters (1 filter per ABI syscall) is not
>> >>>>>an option.
>> >>>>
>> >>>>It is more than an option, it is a requirement. :)
>> >>>
>> >>>I understand the problem now. So yeah, it's not a problem, it's more
>> >>>like a desired optimization to simplify the logic in filters as well as
>> >>>making them less complex. And it's not libseccomp specific.
>> >>>
>> >>>So, a quick patch to solve this in the kernel would be something like
>> >>>the following one (completely untested). Given this code hasn't been
>> >>>part of a released kernel, I believe there is time to add this to 3.15.
>> >>>Would something like this make things simpler?
>> >>>
>> >>>diff --git a/arch/mips/include/asm/syscall.h
>> >>>b/arch/mips/include/asm/syscall.h
>> >>>index c6e9cd2..bd7543c 100644
>> >>>--- a/arch/mips/include/asm/syscall.h
>> >>>+++ b/arch/mips/include/asm/syscall.h
>> >>>@@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>> >>>   #ifdef CONFIG_64BIT
>> >>>           if (!test_thread_flag(TIF_32BIT_REGS))
>> >>>                   arch |= __AUDIT_ARCH_64BIT;
>> >>>+        if (test_thread_flag(TIF_32BIT_ADDR))
>> >>>+                arch |= __AUDIT_ARCH_MIPS64_N32;
>> >>>   #endif
>> >>>   #if defined(__LITTLE_ENDIAN)
>> >>>           arch |=  __AUDIT_ARCH_LE;
>> >>>diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> >>>index 11917f7..6bd9322 100644
>> >>>--- a/include/uapi/linux/audit.h
>> >>>+++ b/include/uapi/linux/audit.h
>> >>>@@ -334,6 +334,8 @@ enum {
>> >>>   /* distinguish syscall tables */
>> >>>   #define __AUDIT_ARCH_64BIT 0x80000000
>> >>>   #define __AUDIT_ARCH_LE    0x40000000
>> >>>+#define __AUDIT_ARCH_MIPS64_N32 0x20000000
>> >>>+
>> >>>   #define AUDIT_ARCH_ALPHA
>> >>>(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> >>>   #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
>> >>>   #define AUDIT_ARCH_ARMEB        (EM_ARM)
>> >>>@@ -346,7 +348,11 @@ enum {
>> >>>   #define AUDIT_ARCH_MIPS         (EM_MIPS)
>> >>>   #define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
>> >>>   #define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
>> >>>+#define AUDIT_ARCH_MIPS64N32    (EM_MIPS|__AUDIT_ARCH_64BIT|\
>> >>>+                                 __AUDIT_ARCH_MIPS64_N32)
>> >>>   #define AUDIT_ARCH_MIPSEL64
>> >>>(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> >>>+#define AUDIT_ARCH_MIPSEL64N32
>> >>>(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
>> >>>+                                 __AUDIT_ARCH_MIPS64_N32)
>> >>>   #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
>> >>>   #define AUDIT_ARCH_PARISC       (EM_PARISC)
>> >>>   #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
>> >>
>> >>I love it from both an audit and libseccomp PoV...
>> >>
>> >
>> >I know nothing about the MIPS entry code, but the concept is:
>> >
>> >Acked-by: Andy Lutomirski <luto@amacapital.net>
>> >
>> >That being said, here's a minor nit:
>> >
>> >#define __AUDIT_ARCH_MIPS64_N32 0x20000000
>> >
>> >in a cross-arch header doesn't seem like the best idea.  Might it be
>> >better to do:
>
> In another patch of mine adding audit support I've named the
> bit __AUDIT_ARCH_ALT which should be a sufficiently neutral name,
> I'd hope.
>
>> >/* These bits disambiguate different calling conventions that share an
>> >ELF machine type, bitness, and endianness */
>> >#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
>> >#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
>> >
>> >This will encourage reuse of the same bit the next time this happens.
>> >
>> >--Andy
>> >
>>
>> Thanks. I will change the patch based on your proposal and send it
>> to the kernel mailing lists for review.
>
> I can't imagine any legitimate reason why an application of a particular
> ABI would want to try a syscall of another ABI, for example why an N64
> process would want to call the O32 open(2) syscall.

I've done it for testing.  And x32 does it because it's x32.

>
> For that reason I've long been contemplating to make syscalls of other ABIs
> unavailable, even without seccomp.  Would that be useful for seccomp?

It's still possible to execve something else.

>
> One exception though - I've seen a non-O32 application using syscall 4000,
> the indirect syscall syscall.  Some needs to be the first to be taken out
> and shot ;-)
>

Aargh.  Let me guess: the indirect syscall syscall uses seven argument
registers.  I guess ARM wasn't the only architecture to make the
mistake of having one of those :(

--Andy

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Ralf Baechle]

On Thu, Apr 17, 2014 at 12:38:36PM -0700, Andy Lutomirski wrote:

> > I can't imagine any legitimate reason why an application of a particular
> > ABI would want to try a syscall of another ABI, for example why an N64
> > process would want to call the O32 open(2) syscall.
> 
> I've done it for testing.  And x32 does it because it's x32.

So from that perspective x32 isn't even a new ABI, just a castrated 64 bit
app using the 64 bit ABI.

> > For that reason I've long been contemplating to make syscalls of other ABIs
> > unavailable, even without seccomp.  Would that be useful for seccomp?
> 
> It's still possible to execve something else.

Would that other process then have a different syscall filter or is there only
one global one?

> > One exception though - I've seen a non-O32 application using syscall 4000,
> > the indirect syscall syscall.  Some needs to be the first to be taken out
> > and shot ;-)
> >
> 
> Aargh.  Let me guess: the indirect syscall syscall uses seven argument
> registers.  I guess ARM wasn't the only architecture to make the
> mistake of having one of those :(

Yes, seven arguments.  The sole reason why MIPS has an indirect syscall is that
I followed the the example of earlier MIPS UNIX variants.  And it has interesting
issues such as with 64 bit arguments on 32 bit machines.

  Ralf

Re: [libseccomp-discuss] [PATCH v3 0/2] Add support for MIPS BE/LE and O32 ABI

[Paul Moore]

On Thursday, April 17, 2014 10:07:15 PM Ralf Baechle wrote:
> On Thu, Apr 17, 2014 at 12:38:36PM -0700, Andy Lutomirski wrote:
> > > For that reason I've long been contemplating to make syscalls of other
> > > ABIs unavailable, even without seccomp.  Would that be useful for
> > > seccomp?
> > 
> > It's still possible to execve something else.
> 
> Would that other process then have a different syscall filter or is there
> only one global one?

Once a seccomp filter is loaded it is inherited by all child processes.

-- 
paul moore
security and virtualization @ redhat

[PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
(O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
does not provide enough information about the ABI for the 64-bit
process. As a result of which, userland needs to use complex
seccomp filters to decide whether a syscall belongs to the o32 or n32
or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
can be used by seccomp to explicitely set syscall filters for this ABI.

Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <pmoore@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?

Thanks a lot!
---
 arch/mips/include/asm/syscall.h |  2 ++
 include/uapi/linux/audit.h      | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index c6e9cd2..17960fe 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
 #ifdef CONFIG_64BIT
 	if (!test_thread_flag(TIF_32BIT_REGS))
 		arch |= __AUDIT_ARCH_64BIT;
+	if (test_thread_flag(TIF_32BIT_ADDR))
+		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
 #endif
 #if defined(__LITTLE_ENDIAN)
 	arch |=  __AUDIT_ARCH_LE;
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 11917f7..1b1efdd 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -331,9 +331,17 @@ enum {
 #define AUDIT_FAIL_PRINTK	1
 #define AUDIT_FAIL_PANIC	2
 
+/*
+ * These bits disambiguate different calling conventions that share an
+ * ELF machine type, bitness, and endianness
+ */
+#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
+#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
+
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
@@ -346,7 +354,11 @@ enum {
 #define AUDIT_ARCH_MIPS		(EM_MIPS)
 #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
+				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
 #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
+				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
 #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
 #define AUDIT_ARCH_PARISC	(EM_PARISC)
 #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)
-- 
1.9.2

[PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
(O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
does not provide enough information about the ABI for the 64-bit
process. As a result of which, userland needs to use complex
seccomp filters to decide whether a syscall belongs to the o32 or n32
or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
can be used by seccomp to explicitely set syscall filters for this ABI.

Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <pmoore@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?

Thanks a lot!
---
 arch/mips/include/asm/syscall.h |  2 ++
 include/uapi/linux/audit.h      | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index c6e9cd2..17960fe 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
 #ifdef CONFIG_64BIT
 	if (!test_thread_flag(TIF_32BIT_REGS))
 		arch |= __AUDIT_ARCH_64BIT;
+	if (test_thread_flag(TIF_32BIT_ADDR))
+		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
 #endif
 #if defined(__LITTLE_ENDIAN)
 	arch |=  __AUDIT_ARCH_LE;
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 11917f7..1b1efdd 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -331,9 +331,17 @@ enum {
 #define AUDIT_FAIL_PRINTK	1
 #define AUDIT_FAIL_PANIC	2
 
+/*
+ * These bits disambiguate different calling conventions that share an
+ * ELF machine type, bitness, and endianness
+ */
+#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
+#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
+
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
@@ -346,7 +354,11 @@ enum {
 #define AUDIT_ARCH_MIPS		(EM_MIPS)
 #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
+				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
 #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE\
+				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
 #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
 #define AUDIT_ARCH_PARISC	(EM_PARISC)
 #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)
-- 
1.9.2

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Paul Moore]

On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> does not provide enough information about the ABI for the 64-bit
> process. As a result of which, userland needs to use complex
> seccomp filters to decide whether a syscall belongs to the o32 or n32
> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> can be used by seccomp to explicitely set syscall filters for this ABI.
> 
> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: Ralf Baechle <ralf@linux-mips.org>
> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> ---
> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> 
> Thanks a lot!
> ---
>  arch/mips/include/asm/syscall.h |  2 ++
>  include/uapi/linux/audit.h      | 12 ++++++++++++
>  2 files changed, 14 insertions(+)

I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
my support for this patch.  As Markos states above, without this patch any 
seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
projects that try to abstract away the arch/ABI specific nature of the BPF 
seccomp filters will be have to do a lot more work.  Please merge this patch, 
or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
until 3.16 will be too late.

I also don't want to speak for the audit folks (Eric?), but I think you'll 
hear that this patch makes life much easier for them as well.

Thanks,
-Paul

> diff --git a/arch/mips/include/asm/syscall.h
> b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> --- a/arch/mips/include/asm/syscall.h
> +++ b/arch/mips/include/asm/syscall.h
> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>  #ifdef CONFIG_64BIT
>  	if (!test_thread_flag(TIF_32BIT_REGS))
>  		arch |= __AUDIT_ARCH_64BIT;
> +	if (test_thread_flag(TIF_32BIT_ADDR))
> +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
>  #endif
>  #if defined(__LITTLE_ENDIAN)
>  	arch |=  __AUDIT_ARCH_LE;
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 11917f7..1b1efdd 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -331,9 +331,17 @@ enum {
>  #define AUDIT_FAIL_PRINTK	1
>  #define AUDIT_FAIL_PANIC	2
> 
> +/*
> + * These bits disambiguate different calling conventions that share an
> + * ELF machine type, bitness, and endianness
> + */
> +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> +
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> @@ -346,7 +354,11 @@ enum {
>  #define AUDIT_ARCH_MIPS		(EM_MIPS)
>  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
__AUDIT_ARCH_LE\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
>  #define AUDIT_ARCH_PARISC	(EM_PARISC)
>  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)

-- 
paul moore
security and virtualization @ redhat

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

On 04/24/2014 08:19 PM, Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>> does not provide enough information about the ABI for the 64-bit
>> process. As a result of which, userland needs to use complex
>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>
>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Eric Paris <eparis@redhat.com>
>> Cc: Paul Moore <pmoore@redhat.com>
>> Cc: Ralf Baechle <ralf@linux-mips.org>
>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> ---
>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>
>> Thanks a lot!
>> ---
>>  arch/mips/include/asm/syscall.h |  2 ++
>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>  2 files changed, 14 insertions(+)
> 
> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
> my support for this patch.  As Markos states above, without this patch any 
> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
> projects that try to abstract away the arch/ABI specific nature of the BPF 
> seccomp filters will be have to do a lot more work.  Please merge this patch, 
> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
> until 3.16 will be too late.
> 
> I also don't want to speak for the audit folks (Eric?), but I think you'll 
> hear that this patch makes life much easier for them as well.
> 
> Thanks,
> -Paul

Ralf ping? Can we please have this in 3.15 so userspace application get
the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
n32 and n64? It may be harder to change it once 3.15 is released (ABI
break).

-- 
markos

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

On 04/24/2014 08:19 PM, Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>> does not provide enough information about the ABI for the 64-bit
>> process. As a result of which, userland needs to use complex
>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>
>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Eric Paris <eparis@redhat.com>
>> Cc: Paul Moore <pmoore@redhat.com>
>> Cc: Ralf Baechle <ralf@linux-mips.org>
>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> ---
>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>
>> Thanks a lot!
>> ---
>>  arch/mips/include/asm/syscall.h |  2 ++
>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>  2 files changed, 14 insertions(+)
> 
> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
> my support for this patch.  As Markos states above, without this patch any 
> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
> projects that try to abstract away the arch/ABI specific nature of the BPF 
> seccomp filters will be have to do a lot more work.  Please merge this patch, 
> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
> until 3.16 will be too late.
> 
> I also don't want to speak for the audit folks (Eric?), but I think you'll 
> hear that this patch makes life much easier for them as well.
> 
> Thanks,
> -Paul

Ralf ping? Can we please have this in 3.15 so userspace application get
the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
n32 and n64? It may be harder to change it once 3.15 is released (ABI
break).

-- 
markos

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

On 04/30/2014 10:24 AM, Markos Chandras wrote:
> On 04/24/2014 08:19 PM, Paul Moore wrote:
>> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>>> does not provide enough information about the ABI for the 64-bit
>>> process. As a result of which, userland needs to use complex
>>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>>
>>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>>> Cc: Andy Lutomirski <luto@amacapital.net>
>>> Cc: Eric Paris <eparis@redhat.com>
>>> Cc: Paul Moore <pmoore@redhat.com>
>>> Cc: Ralf Baechle <ralf@linux-mips.org>
>>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>>> ---
>>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>>
>>> Thanks a lot!
>>> ---
>>>  arch/mips/include/asm/syscall.h |  2 ++
>>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>>  2 files changed, 14 insertions(+)
>>
>> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
>> my support for this patch.  As Markos states above, without this patch any 
>> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
>> projects that try to abstract away the arch/ABI specific nature of the BPF 
>> seccomp filters will be have to do a lot more work.  Please merge this patch, 
>> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
>> until 3.16 will be too late.
>>
>> I also don't want to speak for the audit folks (Eric?), but I think you'll 
>> hear that this patch makes life much easier for them as well.
>>
>> Thanks,
>> -Paul
> 
> Ralf ping? Can we please have this in 3.15 so userspace application get
> the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
> n32 and n64? It may be harder to change it once 3.15 is released (ABI
> break).
> 

Ralf ping again? With -r5 approaching, there might be limited time left
to push this.

-- 
markos

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Markos Chandras]

On 04/30/2014 10:24 AM, Markos Chandras wrote:
> On 04/24/2014 08:19 PM, Paul Moore wrote:
>> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>>> does not provide enough information about the ABI for the 64-bit
>>> process. As a result of which, userland needs to use complex
>>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>>
>>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>>> Cc: Andy Lutomirski <luto@amacapital.net>
>>> Cc: Eric Paris <eparis@redhat.com>
>>> Cc: Paul Moore <pmoore@redhat.com>
>>> Cc: Ralf Baechle <ralf@linux-mips.org>
>>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>>> ---
>>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>>
>>> Thanks a lot!
>>> ---
>>>  arch/mips/include/asm/syscall.h |  2 ++
>>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>>  2 files changed, 14 insertions(+)
>>
>> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
>> my support for this patch.  As Markos states above, without this patch any 
>> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
>> projects that try to abstract away the arch/ABI specific nature of the BPF 
>> seccomp filters will be have to do a lot more work.  Please merge this patch, 
>> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
>> until 3.16 will be too late.
>>
>> I also don't want to speak for the audit folks (Eric?), but I think you'll 
>> hear that this patch makes life much easier for them as well.
>>
>> Thanks,
>> -Paul
> 
> Ralf ping? Can we please have this in 3.15 so userspace application get
> the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
> n32 and n64? It may be harder to change it once 3.15 is released (ABI
> break).
> 

Ralf ping again? With -r5 approaching, there might be limited time left
to push this.

-- 
markos

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Paul Moore]

On Wednesday, April 30, 2014 10:24:10 AM Markos Chandras wrote:
> On 04/24/2014 08:19 PM, Paul Moore wrote:
> > On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> >> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> >> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> >> does not provide enough information about the ABI for the 64-bit
> >> process. As a result of which, userland needs to use complex
> >> seccomp filters to decide whether a syscall belongs to the o32 or n32
> >> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> >> can be used by seccomp to explicitely set syscall filters for this ABI.
> >> 
> >> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> >> Cc: Andy Lutomirski <luto@amacapital.net>
> >> Cc: Eric Paris <eparis@redhat.com>
> >> Cc: Paul Moore <pmoore@redhat.com>
> >> Cc: Ralf Baechle <ralf@linux-mips.org>
> >> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> >> ---
> >> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> >> 
> >> Thanks a lot!
> >> ---
> >> 
> >>  arch/mips/include/asm/syscall.h |  2 ++
> >>  include/uapi/linux/audit.h      | 12 ++++++++++++
> >>  2 files changed, 14 insertions(+)
> > 
> > I'm far from qualified to ACK any MIPS specific patches, but I do want to
> > add my support for this patch.  As Markos states above, without this
> > patch any seccomp BPF code will be more complex than necessary (see x32
> > for an idea) and projects that try to abstract away the arch/ABI specific
> > nature of the BPF seccomp filters will be have to do a lot more work. 
> > Please merge this patch, or something similar, along with the MIPS BPF
> > seccomp filters in 3.15; waiting until 3.16 will be too late.
> > 
> > I also don't want to speak for the audit folks (Eric?), but I think you'll
> > hear that this patch makes life much easier for them as well.
> > 
> > Thanks,
> > -Paul
> 
> Ralf ping? Can we please have this in 3.15 so userspace application get
> the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
> n32 and n64? It may be harder to change it once 3.15 is released (ABI
> break).

I haven't heard anything on this patch and I don't see it in the tree this 
morning.  Can we please get this into the 3.15 release?  If not, can you 
please explain why so we have something to go on?

This will cause us a lot of pain in userspace if we don't get this patch 
merged.

-- 
paul moore
security and virtualization @ redhat

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Paul Moore]

On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> does not provide enough information about the ABI for the 64-bit
> process. As a result of which, userland needs to use complex
> seccomp filters to decide whether a syscall belongs to the o32 or n32
> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> can be used by seccomp to explicitely set syscall filters for this ABI.
> 
> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: Ralf Baechle <ralf@linux-mips.org>
> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> ---
> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> 
> Thanks a lot!
> ---
>  arch/mips/include/asm/syscall.h |  2 ++
>  include/uapi/linux/audit.h      | 12 ++++++++++++
>  2 files changed, 14 insertions(+)

[NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as 
this *really* should be in 3.15]

I'm re-replying to this patch and adding lkml to the To line because I believe 
it is very important we get this patch into 3.15.  For those who don't follow 
the MIPS architecture very closely, the upcoming 3.15 is the first release to 
include support for seccomp filters, the latest generation of syscall 
filtering which used a BPF based filter language.  For reason that are easy to 
understand, the syscall filters are ABI specific (e.g. syscall tables, word 
length, endianness) and those generating syscall filters in userspace (e.g. 
libseccomp) need to take great care to ensure that the generated filters take 
the ABI into account and fail safely in the case where a different ABI is used 
(e.g. x86, x86_64, x32).

The patch below corrects, what is IMHO, an omission in the original MIPS 
seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.  
Without this patch we will be forced to handle MIPS/MIPS64 like we handle 
x86_64/x32 which is a royal pain and not something I want to have deal with 
again.

Further, while I don't want to speak for the audit folks, it is my 
understanding that they want this patch for similar reasons.

Please merge this patch for 3.15 or at least provide some feedback as to why 
this isn't a viable solution for upstream.  Once 3.15 ships, fixing this will 
require breaking the MIPS ABI which isn't something any of us want.

Thanks,
-Paul

> diff --git a/arch/mips/include/asm/syscall.h
> b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> --- a/arch/mips/include/asm/syscall.h
> +++ b/arch/mips/include/asm/syscall.h
> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>  #ifdef CONFIG_64BIT
>  	if (!test_thread_flag(TIF_32BIT_REGS))
>  		arch |= __AUDIT_ARCH_64BIT;
> +	if (test_thread_flag(TIF_32BIT_ADDR))
> +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
>  #endif
>  #if defined(__LITTLE_ENDIAN)
>  	arch |=  __AUDIT_ARCH_LE;
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 11917f7..1b1efdd 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -331,9 +331,17 @@ enum {
>  #define AUDIT_FAIL_PRINTK	1
>  #define AUDIT_FAIL_PANIC	2
> 
> +/*
> + * These bits disambiguate different calling conventions that share an
> + * ELF machine type, bitness, and endianness
> + */
> +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> +
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> @@ -346,7 +354,11 @@ enum {
>  #define AUDIT_ARCH_MIPS		(EM_MIPS)
>  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
__AUDIT_ARCH_LE\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
>  #define AUDIT_ARCH_PARISC	(EM_PARISC)
>  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)

-- 
paul moore
security and virtualization @ redhat

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Eric Paris]

On Mon, 2014-05-12 at 14:53 -0400, Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > does not provide enough information about the ABI for the 64-bit
> > process. As a result of which, userland needs to use complex
> > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > can be used by seccomp to explicitely set syscall filters for this ABI.
> > 
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Eric Paris <eparis@redhat.com>
> > Cc: Paul Moore <pmoore@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > ---
> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > 
> > Thanks a lot!
> > ---
> >  arch/mips/include/asm/syscall.h |  2 ++
> >  include/uapi/linux/audit.h      | 12 ++++++++++++
> >  2 files changed, 14 insertions(+)
> 
> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as 
> this *really* should be in 3.15]
> 
> I'm re-replying to this patch and adding lkml to the To line because I believe 
> it is very important we get this patch into 3.15.  For those who don't follow 
> the MIPS architecture very closely, the upcoming 3.15 is the first release to 
> include support for seccomp filters, the latest generation of syscall 
> filtering which used a BPF based filter language.  For reason that are easy to 
> understand, the syscall filters are ABI specific (e.g. syscall tables, word 
> length, endianness) and those generating syscall filters in userspace (e.g. 
> libseccomp) need to take great care to ensure that the generated filters take 
> the ABI into account and fail safely in the case where a different ABI is used 
> (e.g. x86, x86_64, x32).
> 
> The patch below corrects, what is IMHO, an omission in the original MIPS 
> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.  
> Without this patch we will be forced to handle MIPS/MIPS64 like we handle 
> x86_64/x32 which is a royal pain and not something I want to have deal with 
> again.
> 
> Further, while I don't want to speak for the audit folks, it is my 
> understanding that they want this patch for similar reasons.

Audit would also like to see this patch.  We can survive without it, but
having this patch lets us write a better/easier userspace.

Acked-by: Eric Paris <eparis@redhat.com>

> 
> Please merge this patch for 3.15 or at least provide some feedback as to why 
> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this will 
> require breaking the MIPS ABI which isn't something any of us want.
> 
> Thanks,
> -Paul
> 
> > diff --git a/arch/mips/include/asm/syscall.h
> > b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> > --- a/arch/mips/include/asm/syscall.h
> > +++ b/arch/mips/include/asm/syscall.h
> > @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
> >  #ifdef CONFIG_64BIT
> >  	if (!test_thread_flag(TIF_32BIT_REGS))
> >  		arch |= __AUDIT_ARCH_64BIT;
> > +	if (test_thread_flag(TIF_32BIT_ADDR))
> > +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
> >  #endif
> >  #if defined(__LITTLE_ENDIAN)
> >  	arch |=  __AUDIT_ARCH_LE;
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 11917f7..1b1efdd 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -331,9 +331,17 @@ enum {
> >  #define AUDIT_FAIL_PRINTK	1
> >  #define AUDIT_FAIL_PANIC	2
> > 
> > +/*
> > + * These bits disambiguate different calling conventions that share an
> > + * ELF machine type, bitness, and endianness
> > + */
> > +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> > +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> > +
> >  /* distinguish syscall tables */
> >  #define __AUDIT_ARCH_64BIT 0x80000000
> >  #define __AUDIT_ARCH_LE	   0x40000000
> > +
> >  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> > @@ -346,7 +354,11 @@ enum {
> >  #define AUDIT_ARCH_MIPS		(EM_MIPS)
> >  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> > +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> > +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> >  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
> __AUDIT_ARCH_LE\
> > +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> >  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
> >  #define AUDIT_ARCH_PARISC	(EM_PARISC)
> >  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)
> 

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Paul Moore]

On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > does not provide enough information about the ABI for the 64-bit
> > process. As a result of which, userland needs to use complex
> > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > can be used by seccomp to explicitely set syscall filters for this ABI.
> > 
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Eric Paris <eparis@redhat.com>
> > Cc: Paul Moore <pmoore@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > ---
> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > 
> > Thanks a lot!
> > ---
> > 
> >  arch/mips/include/asm/syscall.h |  2 ++
> >  include/uapi/linux/audit.h      | 12 ++++++++++++
> >  2 files changed, 14 insertions(+)
> 
> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as
> this *really* should be in 3.15]
> 
> I'm re-replying to this patch and adding lkml to the To line because I
> believe it is very important we get this patch into 3.15.  For those who
> don't follow the MIPS architecture very closely, the upcoming 3.15 is the
> first release to include support for seccomp filters, the latest generation
> of syscall filtering which used a BPF based filter language.  For reason
> that are easy to understand, the syscall filters are ABI specific (e.g.
> syscall tables, word length, endianness) and those generating syscall
> filters in userspace (e.g. libseccomp) need to take great care to ensure
> that the generated filters take the ABI into account and fail safely in the
> case where a different ABI is used (e.g. x86, x86_64, x32).
> 
> The patch below corrects, what is IMHO, an omission in the original MIPS
> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.
> Without this patch we will be forced to handle MIPS/MIPS64 like we handle
> x86_64/x32 which is a royal pain and not something I want to have deal with
> again.
> 
> Further, while I don't want to speak for the audit folks, it is my
> understanding that they want this patch for similar reasons.
> 
> Please merge this patch for 3.15 or at least provide some feedback as to why
> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this
> will require breaking the MIPS ABI which isn't something any of us want.
> 
> Thanks,
> -Paul

*Bump*

I don't know what else needs to be done to get some action on this and we're 
running out of time for 3.15.

-- 
paul moore
security and virtualization @ redhat

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Andy Lutomirski]

On Wed, May 21, 2014 at 1:59 PM, Paul Moore <pmoore@redhat.com> wrote:
> On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
>> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>> > does not provide enough information about the ABI for the 64-bit
>> > process. As a result of which, userland needs to use complex
>> > seccomp filters to decide whether a syscall belongs to the o32 or n32
>> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>> > can be used by seccomp to explicitely set syscall filters for this ABI.
>> >
>> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>> > Cc: Andy Lutomirski <luto@amacapital.net>
>> > Cc: Eric Paris <eparis@redhat.com>
>> > Cc: Paul Moore <pmoore@redhat.com>
>> > Cc: Ralf Baechle <ralf@linux-mips.org>
>> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> > ---
>> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>> >
>> > Thanks a lot!
>> > ---
>> >
>> >  arch/mips/include/asm/syscall.h |  2 ++
>> >  include/uapi/linux/audit.h      | 12 ++++++++++++
>> >  2 files changed, 14 insertions(+)
>>
>> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as
>> this *really* should be in 3.15]
>>
>> I'm re-replying to this patch and adding lkml to the To line because I
>> believe it is very important we get this patch into 3.15.  For those who
>> don't follow the MIPS architecture very closely, the upcoming 3.15 is the
>> first release to include support for seccomp filters, the latest generation
>> of syscall filtering which used a BPF based filter language.  For reason
>> that are easy to understand, the syscall filters are ABI specific (e.g.
>> syscall tables, word length, endianness) and those generating syscall
>> filters in userspace (e.g. libseccomp) need to take great care to ensure
>> that the generated filters take the ABI into account and fail safely in the
>> case where a different ABI is used (e.g. x86, x86_64, x32).
>>
>> The patch below corrects, what is IMHO, an omission in the original MIPS
>> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.
>> Without this patch we will be forced to handle MIPS/MIPS64 like we handle
>> x86_64/x32 which is a royal pain and not something I want to have deal with
>> again.
>>
>> Further, while I don't want to speak for the audit folks, it is my
>> understanding that they want this patch for similar reasons.
>>
>> Please merge this patch for 3.15 or at least provide some feedback as to why
>> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this
>> will require breaking the MIPS ABI which isn't something any of us want.
>>
>> Thanks,
>> -Paul
>
> *Bump*
>
> I don't know what else needs to be done to get some action on this and we're
> running out of time for 3.15.

Reply to Linus' next -rc email.

--Andy

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[James Hogan]

[-- Attachment #1: Type: text/plain, Size: 3182 bytes --]

On Wednesday 21 May 2014 16:59:22 Paul Moore wrote:
> On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
> > On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > > does not provide enough information about the ABI for the 64-bit
> > > process. As a result of which, userland needs to use complex
> > > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > > can be used by seccomp to explicitely set syscall filters for this ABI.
> > > 
> > > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > > Cc: Andy Lutomirski <luto@amacapital.net>
> > > Cc: Eric Paris <eparis@redhat.com>
> > > Cc: Paul Moore <pmoore@redhat.com>
> > > Cc: Ralf Baechle <ralf@linux-mips.org>
> > > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > > ---
> > > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > > 
> > > Thanks a lot!
> > > ---
> > > 
> > >  arch/mips/include/asm/syscall.h |  2 ++
> > >  include/uapi/linux/audit.h      | 12 ++++++++++++
> > >  2 files changed, 14 insertions(+)
> > 
> > [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance
> > as this *really* should be in 3.15]
> > 
> > I'm re-replying to this patch and adding lkml to the To line because I
> > believe it is very important we get this patch into 3.15.  For those who
> > don't follow the MIPS architecture very closely, the upcoming 3.15 is the
> > first release to include support for seccomp filters, the latest
> > generation
> > of syscall filtering which used a BPF based filter language.  For reason
> > that are easy to understand, the syscall filters are ABI specific (e.g.
> > syscall tables, word length, endianness) and those generating syscall
> > filters in userspace (e.g. libseccomp) need to take great care to ensure
> > that the generated filters take the ABI into account and fail safely in
> > the
> > case where a different ABI is used (e.g. x86, x86_64, x32).
> > 
> > The patch below corrects, what is IMHO, an omission in the original MIPS
> > seccomp filter patch, allowing userspace to easily separate MIPS and
> > MIPS64. Without this patch we will be forced to handle MIPS/MIPS64 like
> > we handle x86_64/x32 which is a royal pain and not something I want to
> > have deal with again.
> > 
> > Further, while I don't want to speak for the audit folks, it is my
> > understanding that they want this patch for similar reasons.
> > 
> > Please merge this patch for 3.15 or at least provide some feedback as to
> > why this isn't a viable solution for upstream.  Once 3.15 ships, fixing
> > this will require breaking the MIPS ABI which isn't something any of us
> > want.
> > 
> > Thanks,
> > -Paul
> 
> *Bump*
> 
> I don't know what else needs to be done to get some action on this and we're
> running out of time for 3.15.

It was merged yesterday:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7d6891a770aa97dd36c2df3545031e64c6a0ef3

Cheers
James

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]