[PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1

[PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1

[Palmer Dabbelt]

The following changes since commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d:

  Linux 4.19 (2018-10-22 07:37:37 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux.git tags/riscv-for-linus-4.20-mw0

for you to fetch changes up to d26c4bbf992463c043fdee4b3e5efa3f08990862:

  RISC-V: SMP cleanup and new features (2018-10-22 17:41:43 -0700)

----------------------------------------------------------------
RISC-V Patches for the 4.20 Merge Window, Part 1

This patch set contains a lot (at least, for me) of improvements to the
RISC-V kernel port:

* The removal of some cacheinfo values that were bogus.
* On systems with F but without D the kernel will not show the F
  extension to userspace, as it isn't actually supported.
* Support for futexes.
* Removal of some unused code.
* Cleanup of some menuconfig entries.
* Support for systems without a floating-point unit, and for building
  kernels that will never use the floating-point unit.
* More fixes to the RV32I port, which regressed again.  It's really time
  to get this into a regression test somewhere so I stop breaking it.
  Thanks to Zong for resurrecting it again!
* Various fixes that resulted from a year old review of our original
  patch set that I finally got around to.
* Various improvements to SMP support, largely based around having
  switched to logical hart numbering, as well as some interrupt
  improvements.  This one is in the same patch set as above, thanks to
  Atish for sheparding everything though as my patch set was a bit of a
  mess.

I'm pretty sure this is our largest patch set since the original kernel
contribution, and it's certainly the one with the most contributors.
While I don't have anything else I know I'm going to submit for the
merge window, I would be somewhat surprised if I didn't screw anything
up.

Thanks for the help, everyone!

----------------------------------------------------------------
Alan Kao (5):
      Extract FPU context operations from entry.S
      Refactor FPU code in signal setup/return procedures
      Cleanup ISA string setting
      Allow to disable FPU support
      Auto-detect whether a FPU exists

Anup Patel (3):
      RISC-V: No need to pass scause as arg to do_IRQ()
      RISC-V: Show CPU ID and Hart ID separately in /proc/cpuinfo
      RISC-V: Show IPI stats

Atish Patra (4):
      RISC-V: Disable preemption before enabling interrupts
      RISC-V: Use WRITE_ONCE instead of direct access
      RISC-V: Add logical CPU indexing for RISC-V
      RISC-V: Use Linux logical CPU number instead of hartid

Christoph Hellwig (1):
      RISC-V: remove the unused return_to_handler export

Jim Wilson (2):
      RISC-V: Add FP register ptrace support for gdb.
      RISC-V: Add futex support.

Masahiro Yamada (1):
      riscv: move GCC version check for ARCH_SUPPORTS_INT128 to Kconfig

Nick Kossifidis (1):
      RISC-V: Cosmetic menuconfig changes

Palmer Dabbelt (12):
      RISC-V: Don't set cacheinfo.{physical_line_partition,attributes}
      RISC-V: Filter ISA and MMU values in cpuinfo
      RISC-V: Comment on the TLB flush in smp_callin()
      RISC-V: Provide a cleaner raw_smp_processor_id()
      RISC-V: Rename riscv_of_processor_hart to riscv_of_processor_hartid
      RISC-V: Rename im_okay_therefore_i_am to found_boot_cpu
      RISC-V: Use mmgrab()
      RISC-V: Don't set cacheinfo.{physical_line_partition,attributes}
      RISC-V: Mask out the F extension on systems without D
      riscv: Add support to no-FPU systems
      RISC-V: Fix some RV32 bugs and build failures
      RISC-V: SMP cleanup and new features

Vincent Chen (1):
      RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap

Zong Li (4):
      RISC-V: Build tishift only on 64-bit
      RISC-V: Use swiotlb on RV64 only
      lib: Add umoddi3 and udivmoddi4 of GCC library routines
      RISC-V: Select GENERIC_LIB_UMODDI3 on RV32

 arch/riscv/Kconfig                 |  52 ++++++-
 arch/riscv/Kconfig.debug           |  35 -----
 arch/riscv/Makefile                |  21 +--
 arch/riscv/include/asm/Kbuild      |   1 -
 arch/riscv/include/asm/futex.h     | 128 +++++++++++++++
 arch/riscv/include/asm/processor.h |   2 +-
 arch/riscv/include/asm/smp.h       |  47 ++++--
 arch/riscv/include/asm/switch_to.h |  12 +-
 arch/riscv/include/asm/tlbflush.h  |  16 +-
 arch/riscv/include/uapi/asm/elf.h  |   3 +
 arch/riscv/kernel/Makefile         |   1 +
 arch/riscv/kernel/cacheinfo.c      |   7 -
 arch/riscv/kernel/cpu.c            |  87 +++++++++--
 arch/riscv/kernel/cpufeature.c     |  15 ++
 arch/riscv/kernel/entry.S          |  88 -----------
 arch/riscv/kernel/fpu.S            | 106 +++++++++++++
 arch/riscv/kernel/head.S           |   4 +-
 arch/riscv/kernel/irq.c            |  12 +-
 arch/riscv/kernel/mcount.S         |   1 -
 arch/riscv/kernel/process.c        |   6 +-
 arch/riscv/kernel/ptrace.c         |  52 +++++++
 arch/riscv/kernel/setup.c          |  13 ++
 arch/riscv/kernel/signal.c         |  75 +++++----
 arch/riscv/kernel/smp.c            |  82 ++++++++--
 arch/riscv/kernel/smpboot.c        |  46 ++++--
 arch/riscv/lib/Makefile            |   3 +-
 arch/riscv/mm/ioremap.c            |   2 +-
 drivers/clocksource/riscv_timer.c  |  12 +-
 drivers/irqchip/irq-sifive-plic.c  |  10 +-
 lib/Kconfig                        |   3 +
 lib/Makefile                       |   1 +
 lib/udivmoddi4.c                   | 310 +++++++++++++++++++++++++++++++++++++
 lib/umoddi3.c                      |  32 ++++
 33 files changed, 1039 insertions(+), 246 deletions(-)
 create mode 100644 arch/riscv/include/asm/futex.h
 create mode 100644 arch/riscv/kernel/fpu.S
 create mode 100644 lib/udivmoddi4.c
 create mode 100644 lib/umoddi3.c

[PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1

[Palmer Dabbelt]

The following changes since commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d:

  Linux 4.19 (2018-10-22 07:37:37 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux.git tags/riscv-for-linus-4.20-mw0

for you to fetch changes up to d26c4bbf992463c043fdee4b3e5efa3f08990862:

  RISC-V: SMP cleanup and new features (2018-10-22 17:41:43 -0700)

----------------------------------------------------------------
RISC-V Patches for the 4.20 Merge Window, Part 1

This patch set contains a lot (at least, for me) of improvements to the
RISC-V kernel port:

* The removal of some cacheinfo values that were bogus.
* On systems with F but without D the kernel will not show the F
  extension to userspace, as it isn't actually supported.
* Support for futexes.
* Removal of some unused code.
* Cleanup of some menuconfig entries.
* Support for systems without a floating-point unit, and for building
  kernels that will never use the floating-point unit.
* More fixes to the RV32I port, which regressed again.  It's really time
  to get this into a regression test somewhere so I stop breaking it.
  Thanks to Zong for resurrecting it again!
* Various fixes that resulted from a year old review of our original
  patch set that I finally got around to.
* Various improvements to SMP support, largely based around having
  switched to logical hart numbering, as well as some interrupt
  improvements.  This one is in the same patch set as above, thanks to
  Atish for sheparding everything though as my patch set was a bit of a
  mess.

I'm pretty sure this is our largest patch set since the original kernel
contribution, and it's certainly the one with the most contributors.
While I don't have anything else I know I'm going to submit for the
merge window, I would be somewhat surprised if I didn't screw anything
up.

Thanks for the help, everyone!

----------------------------------------------------------------
Alan Kao (5):
      Extract FPU context operations from entry.S
      Refactor FPU code in signal setup/return procedures
      Cleanup ISA string setting
      Allow to disable FPU support
      Auto-detect whether a FPU exists

Anup Patel (3):
      RISC-V: No need to pass scause as arg to do_IRQ()
      RISC-V: Show CPU ID and Hart ID separately in /proc/cpuinfo
      RISC-V: Show IPI stats

Atish Patra (4):
      RISC-V: Disable preemption before enabling interrupts
      RISC-V: Use WRITE_ONCE instead of direct access
      RISC-V: Add logical CPU indexing for RISC-V
      RISC-V: Use Linux logical CPU number instead of hartid

Christoph Hellwig (1):
      RISC-V: remove the unused return_to_handler export

Jim Wilson (2):
      RISC-V: Add FP register ptrace support for gdb.
      RISC-V: Add futex support.

Masahiro Yamada (1):
      riscv: move GCC version check for ARCH_SUPPORTS_INT128 to Kconfig

Nick Kossifidis (1):
      RISC-V: Cosmetic menuconfig changes

Palmer Dabbelt (12):
      RISC-V: Don't set cacheinfo.{physical_line_partition,attributes}
      RISC-V: Filter ISA and MMU values in cpuinfo
      RISC-V: Comment on the TLB flush in smp_callin()
      RISC-V: Provide a cleaner raw_smp_processor_id()
      RISC-V: Rename riscv_of_processor_hart to riscv_of_processor_hartid
      RISC-V: Rename im_okay_therefore_i_am to found_boot_cpu
      RISC-V: Use mmgrab()
      RISC-V: Don't set cacheinfo.{physical_line_partition,attributes}
      RISC-V: Mask out the F extension on systems without D
      riscv: Add support to no-FPU systems
      RISC-V: Fix some RV32 bugs and build failures
      RISC-V: SMP cleanup and new features

Vincent Chen (1):
      RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap

Zong Li (4):
      RISC-V: Build tishift only on 64-bit
      RISC-V: Use swiotlb on RV64 only
      lib: Add umoddi3 and udivmoddi4 of GCC library routines
      RISC-V: Select GENERIC_LIB_UMODDI3 on RV32

 arch/riscv/Kconfig                 |  52 ++++++-
 arch/riscv/Kconfig.debug           |  35 -----
 arch/riscv/Makefile                |  21 +--
 arch/riscv/include/asm/Kbuild      |   1 -
 arch/riscv/include/asm/futex.h     | 128 +++++++++++++++
 arch/riscv/include/asm/processor.h |   2 +-
 arch/riscv/include/asm/smp.h       |  47 ++++--
 arch/riscv/include/asm/switch_to.h |  12 +-
 arch/riscv/include/asm/tlbflush.h  |  16 +-
 arch/riscv/include/uapi/asm/elf.h  |   3 +
 arch/riscv/kernel/Makefile         |   1 +
 arch/riscv/kernel/cacheinfo.c      |   7 -
 arch/riscv/kernel/cpu.c            |  87 +++++++++--
 arch/riscv/kernel/cpufeature.c     |  15 ++
 arch/riscv/kernel/entry.S          |  88 -----------
 arch/riscv/kernel/fpu.S            | 106 +++++++++++++
 arch/riscv/kernel/head.S           |   4 +-
 arch/riscv/kernel/irq.c            |  12 +-
 arch/riscv/kernel/mcount.S         |   1 -
 arch/riscv/kernel/process.c        |   6 +-
 arch/riscv/kernel/ptrace.c         |  52 +++++++
 arch/riscv/kernel/setup.c          |  13 ++
 arch/riscv/kernel/signal.c         |  75 +++++----
 arch/riscv/kernel/smp.c            |  82 ++++++++--
 arch/riscv/kernel/smpboot.c        |  46 ++++--
 arch/riscv/lib/Makefile            |   3 +-
 arch/riscv/mm/ioremap.c            |   2 +-
 drivers/clocksource/riscv_timer.c  |  12 +-
 drivers/irqchip/irq-sifive-plic.c  |  10 +-
 lib/Kconfig                        |   3 +
 lib/Makefile                       |   1 +
 lib/udivmoddi4.c                   | 310 +++++++++++++++++++++++++++++++++++++
 lib/umoddi3.c                      |  32 ++++
 33 files changed, 1039 insertions(+), 246 deletions(-)
 create mode 100644 arch/riscv/include/asm/futex.h
 create mode 100644 arch/riscv/kernel/fpu.S
 create mode 100644 lib/udivmoddi4.c
 create mode 100644 lib/umoddi3.c

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1

[David Abdurachmanov]

On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:

> I'm pretty sure this is our largest patch set since the original kernel
> contribution, and it's certainly the one with the most contributors.
> While I don't have anything else I know I'm going to submit for the
> merge window, I would be somewhat surprised if I didn't screw anything
> up.

Hi Palmer,

Do you plan to land wip-seccomp in 4.20?

It was mentioned back in August:
http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html

david

Re: [PULL RFC] RISC-V Patches for the 4.20 Merge Window, Part 1

[David Abdurachmanov]

On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:

> I'm pretty sure this is our largest patch set since the original kernel
> contribution, and it's certainly the one with the most contributors.
> While I don't have anything else I know I'm going to submit for the
> merge window, I would be somewhat surprised if I didn't screw anything
> up.

Hi Palmer,

Do you plan to land wip-seccomp in 4.20?

It was mentioned back in August:
http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html

david

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 0/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Tue, 23 Oct 2018 01:20:28 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:
>
>> I'm pretty sure this is our largest patch set since the original kernel
>> contribution, and it's certainly the one with the most contributors.
>> While I don't have anything else I know I'm going to submit for the
>> merge window, I would be somewhat surprised if I didn't screw anything
>> up.
>
> Hi Palmer,
>
> Do you plan to land wip-seccomp in 4.20?
>
> It was mentioned back in August:
> http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html
>
> david

I've updated the patches to live on top of 4.19 as well as cleaning up
the Kconfig entry.  Unless anyone has any comments I'll add them to
for-next and submit a PR next week.

Thanks for the reminder!

[PATCH 0/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Tue, 23 Oct 2018 01:20:28 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:
>
>> I'm pretty sure this is our largest patch set since the original kernel
>> contribution, and it's certainly the one with the most contributors.
>> While I don't have anything else I know I'm going to submit for the
>> merge window, I would be somewhat surprised if I didn't screw anything
>> up.
>
> Hi Palmer,
>
> Do you plan to land wip-seccomp in 4.20?
>
> It was mentioned back in August:
> http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html
>
> david

I've updated the patches to live on top of 4.19 as well as cleaning up
the Kconfig entry.  Unless anyone has any comments I'll add them to
for-next and submit a PR next week.

Thanks for the reminder!

[PATCH 0/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Tue, 23 Oct 2018 01:20:28 PDT (-0700), david.abdurachmanov at gmail.com wrote:
> On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:
>
>> I'm pretty sure this is our largest patch set since the original kernel
>> contribution, and it's certainly the one with the most contributors.
>> While I don't have anything else I know I'm going to submit for the
>> merge window, I would be somewhat surprised if I didn't screw anything
>> up.
>
> Hi Palmer,
>
> Do you plan to land wip-seccomp in 4.20?
>
> It was mentioned back in August:
> http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html
>
> david

I've updated the patches to live on top of 4.19 as well as cleaning up
the Kconfig entry.  Unless anyone has any comments I'll add them to
for-next and submit a PR next week.

Thanks for the reminder!

[PATCH 0/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Tue, 23 Oct 2018 01:20:28 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:
>
>> I'm pretty sure this is our largest patch set since the original kernel
>> contribution, and it's certainly the one with the most contributors.
>> While I don't have anything else I know I'm going to submit for the
>> merge window, I would be somewhat surprised if I didn't screw anything
>> up.
>
> Hi Palmer,
>
> Do you plan to land wip-seccomp in 4.20?
>
> It was mentioned back in August:
> http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html
>
> david

I've updated the patches to live on top of 4.19 as well as cleaning up
the Kconfig entry.  Unless anyone has any comments I'll add them to
for-next and submit a PR next week.

Thanks for the reminder!



_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Palmer Dabbelt]

This should never have been inside our arch port to begin with, it's
just a relic from when we were maintaining out of tree patches.

Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/include/asm/elf.h | 3 ---
 include/uapi/linux/elf-em.h  | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
index a1ef503d616e..697fc23b0d5a 100644
--- a/arch/riscv/include/asm/elf.h
+++ b/arch/riscv/include/asm/elf.h
@@ -16,9 +16,6 @@
 #include <asm/auxvec.h>
 #include <asm/byteorder.h>
 
-/* TODO: Move definition into include/uapi/linux/elf-em.h */
-#define EM_RISCV	0xF3
-
 /*
  * These are used to set parameters in the core dumps.
  */
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 31aa10178335..93722e60204c 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -41,6 +41,7 @@
 #define EM_TILEPRO	188	/* Tilera TILEPro */
 #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
 #define EM_TILEGX	191	/* Tilera TILE-Gx */
+#define EM_RISCV	243	/* RISC-V */
 #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
 #define EM_FRV		0x5441	/* Fujitsu FR-V */
 
-- 
2.18.1

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Palmer Dabbelt]

This should never have been inside our arch port to begin with, it's
just a relic from when we were maintaining out of tree patches.

Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/include/asm/elf.h | 3 ---
 include/uapi/linux/elf-em.h  | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
index a1ef503d616e..697fc23b0d5a 100644
--- a/arch/riscv/include/asm/elf.h
+++ b/arch/riscv/include/asm/elf.h
@@ -16,9 +16,6 @@
 #include <asm/auxvec.h>
 #include <asm/byteorder.h>
 
-/* TODO: Move definition into include/uapi/linux/elf-em.h */
-#define EM_RISCV	0xF3
-
 /*
  * These are used to set parameters in the core dumps.
  */
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 31aa10178335..93722e60204c 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -41,6 +41,7 @@
 #define EM_TILEPRO	188	/* Tilera TILEPro */
 #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
 #define EM_TILEGX	191	/* Tilera TILE-Gx */
+#define EM_RISCV	243	/* RISC-V */
 #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
 #define EM_FRV		0x5441	/* Fujitsu FR-V */
 
-- 
2.18.1

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Palmer Dabbelt]

This should never have been inside our arch port to begin with, it's
just a relic from when we were maintaining out of tree patches.

Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/include/asm/elf.h | 3 ---
 include/uapi/linux/elf-em.h  | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
index a1ef503d616e..697fc23b0d5a 100644
--- a/arch/riscv/include/asm/elf.h
+++ b/arch/riscv/include/asm/elf.h
@@ -16,9 +16,6 @@
 #include <asm/auxvec.h>
 #include <asm/byteorder.h>
 
-/* TODO: Move definition into include/uapi/linux/elf-em.h */
-#define EM_RISCV	0xF3
-
 /*
  * These are used to set parameters in the core dumps.
  */
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 31aa10178335..93722e60204c 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -41,6 +41,7 @@
 #define EM_TILEPRO	188	/* Tilera TILEPro */
 #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
 #define EM_TILEGX	191	/* Tilera TILE-Gx */
+#define EM_RISCV	243	/* RISC-V */
 #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
 #define EM_FRV		0x5441	/* Fujitsu FR-V */
 
-- 
2.18.1

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Palmer Dabbelt]

This should never have been inside our arch port to begin with, it's
just a relic from when we were maintaining out of tree patches.

Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/include/asm/elf.h | 3 ---
 include/uapi/linux/elf-em.h  | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
index a1ef503d616e..697fc23b0d5a 100644
--- a/arch/riscv/include/asm/elf.h
+++ b/arch/riscv/include/asm/elf.h
@@ -16,9 +16,6 @@
 #include <asm/auxvec.h>
 #include <asm/byteorder.h>
 
-/* TODO: Move definition into include/uapi/linux/elf-em.h */
-#define EM_RISCV	0xF3
-
 /*
  * These are used to set parameters in the core dumps.
  */
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 31aa10178335..93722e60204c 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -41,6 +41,7 @@
 #define EM_TILEPRO	188	/* Tilera TILEPro */
 #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
 #define EM_TILEGX	191	/* Tilera TILE-Gx */
+#define EM_RISCV	243	/* RISC-V */
 #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
 #define EM_FRV		0x5441	/* Fujitsu FR-V */
 
-- 
2.18.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
-- 
2.18.1

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
-- 
2.18.1

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
-- 
2.18.1

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
-- 
2.18.1


_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/riscv/include/asm/elf.h | 3 ---
>  include/uapi/linux/elf-em.h  | 1 +
>  2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>  #include <asm/auxvec.h>
>  #include <asm/byteorder.h>
>
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV       0xF3
> -
>  /*
>   * These are used to set parameters in the core dumps.
>   */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>  #define EM_TILEPRO     188     /* Tilera TILEPro */
>  #define EM_MICROBLAZE  189     /* Xilinx MicroBlaze */
>  #define EM_TILEGX      191     /* Tilera TILE-Gx */
> +#define EM_RISCV       243     /* RISC-V */
>  #define EM_BPF         247     /* Linux BPF - in-kernel virtual machine */
>  #define EM_FRV         0x5441  /* Fujitsu FR-V */
>
> --
> 2.18.1
>



-- 
Kees Cook

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/riscv/include/asm/elf.h | 3 ---
>  include/uapi/linux/elf-em.h  | 1 +
>  2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>  #include <asm/auxvec.h>
>  #include <asm/byteorder.h>
>
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV       0xF3
> -
>  /*
>   * These are used to set parameters in the core dumps.
>   */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>  #define EM_TILEPRO     188     /* Tilera TILEPro */
>  #define EM_MICROBLAZE  189     /* Xilinx MicroBlaze */
>  #define EM_TILEGX      191     /* Tilera TILE-Gx */
> +#define EM_RISCV       243     /* RISC-V */
>  #define EM_BPF         247     /* Linux BPF - in-kernel virtual machine */
>  #define EM_FRV         0x5441  /* Fujitsu FR-V */
>
> --
> 2.18.1
>



-- 
Kees Cook

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/riscv/include/asm/elf.h | 3 ---
>  include/uapi/linux/elf-em.h  | 1 +
>  2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>  #include <asm/auxvec.h>
>  #include <asm/byteorder.h>
>
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV       0xF3
> -
>  /*
>   * These are used to set parameters in the core dumps.
>   */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>  #define EM_TILEPRO     188     /* Tilera TILEPro */
>  #define EM_MICROBLAZE  189     /* Xilinx MicroBlaze */
>  #define EM_TILEGX      191     /* Tilera TILE-Gx */
> +#define EM_RISCV       243     /* RISC-V */
>  #define EM_BPF         247     /* Linux BPF - in-kernel virtual machine */
>  #define EM_FRV         0x5441  /* Fujitsu FR-V */
>
> --
> 2.18.1
>



-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER

I think this patch is missing most of the actual seccomp glue?

config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch()
          - syscall_get_arguments()
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
          - secure_computing is called from a ptrace_event()-safe context
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately.
          - seccomp syscall wired up

I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
expect a masked check in entry.S -- it seems like tracepoints are
getting missed too? I see it handled in ptrace.c but not checked in
entry.S?) There's no checking for seccomp in ptrace.c, etc.

At the very least, I think the Kconfigs should not be included in this
patch. The other things are needed, but without everything else,
seccomp isn't actually available. :)

Reading the per-arch Kconfigs, I am reminded I still need to move
CONFIG_SECCOMP up into arch/Kconfig. :P

-Kees

-- 
Kees Cook

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER

I think this patch is missing most of the actual seccomp glue?

config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch()
          - syscall_get_arguments()
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
          - secure_computing is called from a ptrace_event()-safe context
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately.
          - seccomp syscall wired up

I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
expect a masked check in entry.S -- it seems like tracepoints are
getting missed too? I see it handled in ptrace.c but not checked in
entry.S?) There's no checking for seccomp in ptrace.c, etc.

At the very least, I think the Kconfigs should not be included in this
patch. The other things are needed, but without everything else,
seccomp isn't actually available. :)

Reading the per-arch Kconfigs, I am reminded I still need to move
CONFIG_SECCOMP up into arch/Kconfig. :P

-Kees

-- 
Kees Cook

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER

I think this patch is missing most of the actual seccomp glue?

config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch()
          - syscall_get_arguments()
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
          - secure_computing is called from a ptrace_event()-safe context
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately.
          - seccomp syscall wired up

I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
expect a masked check in entry.S -- it seems like tracepoints are
getting missed too? I see it handled in ptrace.c but not checked in
entry.S?) There's no checking for seccomp in ptrace.c, etc.

At the very least, I think the Kconfigs should not be included in this
patch. The other things are needed, but without everything else,
seccomp isn't actually available. :)

Reading the per-arch Kconfigs, I am reminded I still need to move
CONFIG_SECCOMP up into arch/Kconfig. :P

-Kees

-- 
Kees Cook

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER

I think this patch is missing most of the actual seccomp glue?

config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch()
          - syscall_get_arguments()
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
          - secure_computing is called from a ptrace_event()-safe context
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately.
          - seccomp syscall wired up

I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
expect a masked check in entry.S -- it seems like tracepoints are
getting missed too? I see it handled in ptrace.c but not checked in
entry.S?) There's no checking for seccomp in ptrace.c, etc.

At the very least, I think the Kconfigs should not be included in this
patch. The other things are needed, but without everything else,
seccomp isn't actually available. :)

Reading the per-arch Kconfigs, I am reminded I still need to move
CONFIG_SECCOMP up into arch/Kconfig. :P

-Kees

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up

Oh, and I should add to this list, "passes
tools/testing/selftests/seccomp/seccomp_bpf test". :)

-- 
Kees Cook

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up

Oh, and I should add to this list, "passes
tools/testing/selftests/seccomp/seccomp_bpf test". :)

-- 
Kees Cook

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Wed, Oct 24, 2018 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up

Oh, and I should add to this list, "passes
tools/testing/selftests/seccomp/seccomp_bpf test". :)

-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Paul Walmsley]

On 10/24/18 1:40 PM, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>   arch/riscv/include/asm/elf.h | 3 ---
>   include/uapi/linux/elf-em.h  | 1 +
>   2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>   #include <asm/auxvec.h>
>   #include <asm/byteorder.h>
>   
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV	0xF3
> -
>   /*
>    * These are used to set parameters in the core dumps.
>    */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>   #define EM_TILEPRO	188	/* Tilera TILEPro */
>   #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
>   #define EM_TILEGX	191	/* Tilera TILE-Gx */
> +#define EM_RISCV	243	/* RISC-V */
>   #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
>   #define EM_FRV		0x5441	/* Fujitsu FR-V */
>   


Reviewed-by: Paul Walmsley <paul.walmsley@sifive.com>


- Paul

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Paul Walmsley]

On 10/24/18 1:40 PM, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>   arch/riscv/include/asm/elf.h | 3 ---
>   include/uapi/linux/elf-em.h  | 1 +
>   2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>   #include <asm/auxvec.h>
>   #include <asm/byteorder.h>
>   
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV	0xF3
> -
>   /*
>    * These are used to set parameters in the core dumps.
>    */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>   #define EM_TILEPRO	188	/* Tilera TILEPro */
>   #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
>   #define EM_TILEGX	191	/* Tilera TILE-Gx */
> +#define EM_RISCV	243	/* RISC-V */
>   #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
>   #define EM_FRV		0x5441	/* Fujitsu FR-V */
>   


Reviewed-by: Paul Walmsley <paul.walmsley@sifive.com>


- Paul



_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER
>         select HAVE_MEMBLOCK
>         select HAVE_MEMBLOCK_NODE_MAP
>         select HAVE_DMA_CONTIGUOUS
> @@ -214,6 +215,22 @@ menu "Kernel type"
>
>  source "kernel/Kconfig.hz"
>
> +config SECCOMP
> +       bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +       help
> +         This kernel feature is useful for number crunching applications
> +         that may need to compute untrusted bytecode during their
> +         execution. By using pipes or other transports made available to
> +         the process as file descriptors supporting the read/write
> +         syscalls, it's possible to isolate those applications in
> +         their own address space using seccomp. Once seccomp is
> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> +         and the task is only allowed to execute a few safe syscalls
> +         defined by each seccomp mode.
> +
> +         If unsure, say Y. Only embedded should say N here.
> +
>  endmenu
>
>  menu "Bus support"
> @@ -243,3 +260,4 @@ menu "Power management options"
>  source kernel/power/Kconfig
>
>  endmenu
> +
> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
> new file mode 100644
> index 000000000000..c1b4407f1038
> --- /dev/null
> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>
> +
> +#endif /* _ASM_RISCV_SECCOMP_H */
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 8d25f8904c00..d24f774f39df 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -19,6 +19,7 @@
>  #define _ASM_RISCV_SYSCALL_H
>
>  #include <linux/sched.h>
> +#include <uapi/linux/audit.h>
>  #include <linux/err.h>
>
>  /* The array of function pointers for syscalls. */
> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>  }
>
> +static inline int syscall_get_arch(void)
> +{
> +       return AUDIT_ARCH_RISCV;
> +}
> +
>  #endif /* _ASM_RISCV_SYSCALL_H */
> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
> index f8fa1cd2dad9..374973dc05c6 100644
> --- a/arch/riscv/include/asm/thread_info.h
> +++ b/arch/riscv/include/asm/thread_info.h
> @@ -80,6 +80,7 @@ struct thread_info {
>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>
>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 818ae690ab79..c16fa1a76659 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -399,6 +399,7 @@ enum {
>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>  #define AUDIT_ARCH_S390                (EM_S390)
>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_SH          (EM_SH)

Palmer,

Half of the patch seems to touch audit parts. I started working on audit
support this morning, and I can boot Fedora with audit traces.

[root@fedora-riscv ~]# dmesg | grep audit
[    0.312000] audit: initializing netlink subsys (disabled)
[    0.316000] audit: type=2000 audit(0.316:1): state=initialized
audit_enabled=0 res=1
[    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
[    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[..]

I am still working on audit user-space support for better testing.

I suggest we first implement audit and then seccomp.

david

[PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER
>         select HAVE_MEMBLOCK
>         select HAVE_MEMBLOCK_NODE_MAP
>         select HAVE_DMA_CONTIGUOUS
> @@ -214,6 +215,22 @@ menu "Kernel type"
>
>  source "kernel/Kconfig.hz"
>
> +config SECCOMP
> +       bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +       help
> +         This kernel feature is useful for number crunching applications
> +         that may need to compute untrusted bytecode during their
> +         execution. By using pipes or other transports made available to
> +         the process as file descriptors supporting the read/write
> +         syscalls, it's possible to isolate those applications in
> +         their own address space using seccomp. Once seccomp is
> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> +         and the task is only allowed to execute a few safe syscalls
> +         defined by each seccomp mode.
> +
> +         If unsure, say Y. Only embedded should say N here.
> +
>  endmenu
>
>  menu "Bus support"
> @@ -243,3 +260,4 @@ menu "Power management options"
>  source kernel/power/Kconfig
>
>  endmenu
> +
> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
> new file mode 100644
> index 000000000000..c1b4407f1038
> --- /dev/null
> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>
> +
> +#endif /* _ASM_RISCV_SECCOMP_H */
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 8d25f8904c00..d24f774f39df 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -19,6 +19,7 @@
>  #define _ASM_RISCV_SYSCALL_H
>
>  #include <linux/sched.h>
> +#include <uapi/linux/audit.h>
>  #include <linux/err.h>
>
>  /* The array of function pointers for syscalls. */
> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>  }
>
> +static inline int syscall_get_arch(void)
> +{
> +       return AUDIT_ARCH_RISCV;
> +}
> +
>  #endif /* _ASM_RISCV_SYSCALL_H */
> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
> index f8fa1cd2dad9..374973dc05c6 100644
> --- a/arch/riscv/include/asm/thread_info.h
> +++ b/arch/riscv/include/asm/thread_info.h
> @@ -80,6 +80,7 @@ struct thread_info {
>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>
>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 818ae690ab79..c16fa1a76659 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -399,6 +399,7 @@ enum {
>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>  #define AUDIT_ARCH_S390                (EM_S390)
>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_SH          (EM_SH)

Palmer,

Half of the patch seems to touch audit parts. I started working on audit
support this morning, and I can boot Fedora with audit traces.

[root at fedora-riscv ~]# dmesg | grep audit
[    0.312000] audit: initializing netlink subsys (disabled)
[    0.316000] audit: type=2000 audit(0.316:1): state=initialized
audit_enabled=0 res=1
[    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
[    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[..]

I am still working on audit user-space support for better testing.

I suggest we first implement audit and then seccomp.

david

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER
>         select HAVE_MEMBLOCK
>         select HAVE_MEMBLOCK_NODE_MAP
>         select HAVE_DMA_CONTIGUOUS
> @@ -214,6 +215,22 @@ menu "Kernel type"
>
>  source "kernel/Kconfig.hz"
>
> +config SECCOMP
> +       bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +       help
> +         This kernel feature is useful for number crunching applications
> +         that may need to compute untrusted bytecode during their
> +         execution. By using pipes or other transports made available to
> +         the process as file descriptors supporting the read/write
> +         syscalls, it's possible to isolate those applications in
> +         their own address space using seccomp. Once seccomp is
> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> +         and the task is only allowed to execute a few safe syscalls
> +         defined by each seccomp mode.
> +
> +         If unsure, say Y. Only embedded should say N here.
> +
>  endmenu
>
>  menu "Bus support"
> @@ -243,3 +260,4 @@ menu "Power management options"
>  source kernel/power/Kconfig
>
>  endmenu
> +
> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
> new file mode 100644
> index 000000000000..c1b4407f1038
> --- /dev/null
> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>
> +
> +#endif /* _ASM_RISCV_SECCOMP_H */
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 8d25f8904c00..d24f774f39df 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -19,6 +19,7 @@
>  #define _ASM_RISCV_SYSCALL_H
>
>  #include <linux/sched.h>
> +#include <uapi/linux/audit.h>
>  #include <linux/err.h>
>
>  /* The array of function pointers for syscalls. */
> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>  }
>
> +static inline int syscall_get_arch(void)
> +{
> +       return AUDIT_ARCH_RISCV;
> +}
> +
>  #endif /* _ASM_RISCV_SYSCALL_H */
> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
> index f8fa1cd2dad9..374973dc05c6 100644
> --- a/arch/riscv/include/asm/thread_info.h
> +++ b/arch/riscv/include/asm/thread_info.h
> @@ -80,6 +80,7 @@ struct thread_info {
>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>
>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 818ae690ab79..c16fa1a76659 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -399,6 +399,7 @@ enum {
>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>  #define AUDIT_ARCH_S390                (EM_S390)
>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_SH          (EM_SH)

Palmer,

Half of the patch seems to touch audit parts. I started working on audit
support this morning, and I can boot Fedora with audit traces.

[root@fedora-riscv ~]# dmesg | grep audit
[    0.312000] audit: initializing netlink subsys (disabled)
[    0.316000] audit: type=2000 audit(0.316:1): state=initialized
audit_enabled=0 res=1
[    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
[    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[..]

I am still working on audit user-space support for better testing.

I suggest we first implement audit and then seccomp.

david

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Paul Moore]

On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>

...

> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

FYI, while small and far from comprehensive, we do have a test suite
we use for basic validation of the audit kernel bits which may be
helpful while you're working on the audit enablement:

* https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Paul Moore]

On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>

...

> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root at fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

FYI, while small and far from comprehensive, we do have a test suite
we use for basic validation of the audit kernel bits which may be
helpful while you're working on the audit enablement:

* https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Paul Moore]

On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>

...

> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

FYI, while small and far from comprehensive, we do have a test suite
we use for basic validation of the audit kernel bits which may be
helpful while you're working on the audit enablement:

* https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Andy Lutomirski]

On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >
> > This is a fairly straight-forward implementation of seccomp for RISC-V
> > systems.
> >
> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> > ---
> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
> >  arch/riscv/include/asm/thread_info.h |  1 +
> >  include/uapi/linux/audit.h           |  1 +
> >  5 files changed, 36 insertions(+)
> >  create mode 100644 arch/riscv/include/asm/seccomp.h
> >
> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> > index a344980287a5..28abe47602a1 100644
> > --- a/arch/riscv/Kconfig
> > +++ b/arch/riscv/Kconfig
> > @@ -28,6 +28,7 @@ config RISCV
> >         select GENERIC_STRNLEN_USER
> >         select GENERIC_SMP_IDLE_THREAD
> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> > +       select HAVE_ARCH_SECCOMP_FILTER
>
> I think this patch is missing most of the actual seccomp glue?
>
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up
>
> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
> expect a masked check in entry.S -- it seems like tracepoints are
> getting missed too? I see it handled in ptrace.c but not checked in
> entry.S?) There's no checking for seccomp in ptrace.c, etc.

Hi RISC-V people:

I strongly, strongly suggest that you rewrite your asm to work the way
that x86's does: have a function called prepare_exit_to_usermode() and
make it work more or less like x86's.  Doing all the exit work in asm
like you are is just setting you up for a world of pain.

--Andy

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Andy Lutomirski]

On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >
> > This is a fairly straight-forward implementation of seccomp for RISC-V
> > systems.
> >
> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> > ---
> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
> >  arch/riscv/include/asm/thread_info.h |  1 +
> >  include/uapi/linux/audit.h           |  1 +
> >  5 files changed, 36 insertions(+)
> >  create mode 100644 arch/riscv/include/asm/seccomp.h
> >
> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> > index a344980287a5..28abe47602a1 100644
> > --- a/arch/riscv/Kconfig
> > +++ b/arch/riscv/Kconfig
> > @@ -28,6 +28,7 @@ config RISCV
> >         select GENERIC_STRNLEN_USER
> >         select GENERIC_SMP_IDLE_THREAD
> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> > +       select HAVE_ARCH_SECCOMP_FILTER
>
> I think this patch is missing most of the actual seccomp glue?
>
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up
>
> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
> expect a masked check in entry.S -- it seems like tracepoints are
> getting missed too? I see it handled in ptrace.c but not checked in
> entry.S?) There's no checking for seccomp in ptrace.c, etc.

Hi RISC-V people:

I strongly, strongly suggest that you rewrite your asm to work the way
that x86's does: have a function called prepare_exit_to_usermode() and
make it work more or less like x86's.  Doing all the exit work in asm
like you are is just setting you up for a world of pain.

--Andy

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Andy Lutomirski]

On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >
> > This is a fairly straight-forward implementation of seccomp for RISC-V
> > systems.
> >
> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> > ---
> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
> >  arch/riscv/include/asm/thread_info.h |  1 +
> >  include/uapi/linux/audit.h           |  1 +
> >  5 files changed, 36 insertions(+)
> >  create mode 100644 arch/riscv/include/asm/seccomp.h
> >
> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> > index a344980287a5..28abe47602a1 100644
> > --- a/arch/riscv/Kconfig
> > +++ b/arch/riscv/Kconfig
> > @@ -28,6 +28,7 @@ config RISCV
> >         select GENERIC_STRNLEN_USER
> >         select GENERIC_SMP_IDLE_THREAD
> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> > +       select HAVE_ARCH_SECCOMP_FILTER
>
> I think this patch is missing most of the actual seccomp glue?
>
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up
>
> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
> expect a masked check in entry.S -- it seems like tracepoints are
> getting missed too? I see it handled in ptrace.c but not checked in
> entry.S?) There's no checking for seccomp in ptrace.c, etc.

Hi RISC-V people:

I strongly, strongly suggest that you rewrite your asm to work the way
that x86's does: have a function called prepare_exit_to_usermode() and
make it work more or less like x86's.  Doing all the exit work in asm
like you are is just setting you up for a world of pain.

--Andy

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>>  arch/riscv/include/asm/thread_info.h |  1 +
>>  include/uapi/linux/audit.h           |  1 +
>>  5 files changed, 36 insertions(+)
>>  create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>>         select GENERIC_STRNLEN_USER
>>         select GENERIC_SMP_IDLE_THREAD
>>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> +       select HAVE_ARCH_SECCOMP_FILTER
>>         select HAVE_MEMBLOCK
>>         select HAVE_MEMBLOCK_NODE_MAP
>>         select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>>  source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> +       bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> +       help
>> +         This kernel feature is useful for number crunching applications
>> +         that may need to compute untrusted bytecode during their
>> +         execution. By using pipes or other transports made available to
>> +         the process as file descriptors supporting the read/write
>> +         syscalls, it's possible to isolate those applications in
>> +         their own address space using seccomp. Once seccomp is
>> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> +         and the task is only allowed to execute a few safe syscalls
>> +         defined by each seccomp mode.
>> +
>> +         If unsure, say Y. Only embedded should say N here.
>> +
>>  endmenu
>>
>>  menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>>  source kernel/power/Kconfig
>>
>>  endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>>  #define _ASM_RISCV_SYSCALL_H
>>
>>  #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>>  #include <linux/err.h>
>>
>>  /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>>  }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> +       return AUDIT_ARCH_RISCV;
>> +}
>> +
>>  #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>>
>>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>>  #define AUDIT_ARCH_S390                (EM_S390)
>>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_SH          (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

Works for me.  I'll drop my patch set for now.

Thanks!

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>>  arch/riscv/include/asm/thread_info.h |  1 +
>>  include/uapi/linux/audit.h           |  1 +
>>  5 files changed, 36 insertions(+)
>>  create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>>         select GENERIC_STRNLEN_USER
>>         select GENERIC_SMP_IDLE_THREAD
>>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> +       select HAVE_ARCH_SECCOMP_FILTER
>>         select HAVE_MEMBLOCK
>>         select HAVE_MEMBLOCK_NODE_MAP
>>         select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>>  source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> +       bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> +       help
>> +         This kernel feature is useful for number crunching applications
>> +         that may need to compute untrusted bytecode during their
>> +         execution. By using pipes or other transports made available to
>> +         the process as file descriptors supporting the read/write
>> +         syscalls, it's possible to isolate those applications in
>> +         their own address space using seccomp. Once seccomp is
>> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> +         and the task is only allowed to execute a few safe syscalls
>> +         defined by each seccomp mode.
>> +
>> +         If unsure, say Y. Only embedded should say N here.
>> +
>>  endmenu
>>
>>  menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>>  source kernel/power/Kconfig
>>
>>  endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>>  #define _ASM_RISCV_SYSCALL_H
>>
>>  #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>>  #include <linux/err.h>
>>
>>  /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>>  }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> +       return AUDIT_ARCH_RISCV;
>> +}
>> +
>>  #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>>
>>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>>  #define AUDIT_ARCH_S390                (EM_S390)
>>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_SH          (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

Works for me.  I'll drop my patch set for now.

Thanks!

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov at gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>>  arch/riscv/include/asm/thread_info.h |  1 +
>>  include/uapi/linux/audit.h           |  1 +
>>  5 files changed, 36 insertions(+)
>>  create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>>         select GENERIC_STRNLEN_USER
>>         select GENERIC_SMP_IDLE_THREAD
>>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> +       select HAVE_ARCH_SECCOMP_FILTER
>>         select HAVE_MEMBLOCK
>>         select HAVE_MEMBLOCK_NODE_MAP
>>         select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>>  source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> +       bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> +       help
>> +         This kernel feature is useful for number crunching applications
>> +         that may need to compute untrusted bytecode during their
>> +         execution. By using pipes or other transports made available to
>> +         the process as file descriptors supporting the read/write
>> +         syscalls, it's possible to isolate those applications in
>> +         their own address space using seccomp. Once seccomp is
>> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> +         and the task is only allowed to execute a few safe syscalls
>> +         defined by each seccomp mode.
>> +
>> +         If unsure, say Y. Only embedded should say N here.
>> +
>>  endmenu
>>
>>  menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>>  source kernel/power/Kconfig
>>
>>  endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>>  #define _ASM_RISCV_SYSCALL_H
>>
>>  #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>>  #include <linux/err.h>
>>
>>  /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>>  }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> +       return AUDIT_ARCH_RISCV;
>> +}
>> +
>>  #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>>
>>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>>  #define AUDIT_ARCH_S390                (EM_S390)
>>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_SH          (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root at fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

Works for me.  I'll drop my patch set for now.

Thanks!

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>>  arch/riscv/include/asm/thread_info.h |  1 +
>>  include/uapi/linux/audit.h           |  1 +
>>  5 files changed, 36 insertions(+)
>>  create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>>         select GENERIC_STRNLEN_USER
>>         select GENERIC_SMP_IDLE_THREAD
>>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> +       select HAVE_ARCH_SECCOMP_FILTER
>>         select HAVE_MEMBLOCK
>>         select HAVE_MEMBLOCK_NODE_MAP
>>         select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>>  source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> +       bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> +       help
>> +         This kernel feature is useful for number crunching applications
>> +         that may need to compute untrusted bytecode during their
>> +         execution. By using pipes or other transports made available to
>> +         the process as file descriptors supporting the read/write
>> +         syscalls, it's possible to isolate those applications in
>> +         their own address space using seccomp. Once seccomp is
>> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> +         and the task is only allowed to execute a few safe syscalls
>> +         defined by each seccomp mode.
>> +
>> +         If unsure, say Y. Only embedded should say N here.
>> +
>>  endmenu
>>
>>  menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>>  source kernel/power/Kconfig
>>
>>  endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>>  #define _ASM_RISCV_SYSCALL_H
>>
>>  #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>>  #include <linux/err.h>
>>
>>  /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>>  }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> +       return AUDIT_ARCH_RISCV;
>> +}
>> +
>>  #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>>
>>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>>  #define AUDIT_ARCH_S390                (EM_S390)
>>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_SH          (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

Works for me.  I'll drop my patch set for now.

Thanks!

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto@amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
>> >  arch/riscv/include/asm/thread_info.h |  1 +
>> >  include/uapi/linux/audit.h           |  1 +
>> >  5 files changed, 36 insertions(+)
>> >  create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> >         select GENERIC_STRNLEN_USER
>> >         select GENERIC_SMP_IDLE_THREAD
>> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > +       select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>>         bool
>>         help
>>           An arch should select this symbol if it provides all of these things:
>>           - syscall_get_arch()
>>           - syscall_get_arguments()
>>           - syscall_rollback()
>>           - syscall_set_return_value()
>>           - SIGSYS siginfo_t support
>>           - secure_computing is called from a ptrace_event()-safe context
>>           - secure_computing return value is checked and a return value of -1
>>             results in the system call being skipped immediately.
>>           - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's.  Doing all the exit work in asm
> like you are is just setting you up for a world of pain.

OK, thanks for the suggestion.  Next time we have to change it I'll try to take 
a look and figure out something sane.

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto at amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
>> >  arch/riscv/include/asm/thread_info.h |  1 +
>> >  include/uapi/linux/audit.h           |  1 +
>> >  5 files changed, 36 insertions(+)
>> >  create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> >         select GENERIC_STRNLEN_USER
>> >         select GENERIC_SMP_IDLE_THREAD
>> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > +       select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>>         bool
>>         help
>>           An arch should select this symbol if it provides all of these things:
>>           - syscall_get_arch()
>>           - syscall_get_arguments()
>>           - syscall_rollback()
>>           - syscall_set_return_value()
>>           - SIGSYS siginfo_t support
>>           - secure_computing is called from a ptrace_event()-safe context
>>           - secure_computing return value is checked and a return value of -1
>>             results in the system call being skipped immediately.
>>           - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's.  Doing all the exit work in asm
> like you are is just setting you up for a world of pain.

OK, thanks for the suggestion.  Next time we have to change it I'll try to take 
a look and figure out something sane.

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto@amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
>> >  arch/riscv/include/asm/thread_info.h |  1 +
>> >  include/uapi/linux/audit.h           |  1 +
>> >  5 files changed, 36 insertions(+)
>> >  create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> >         select GENERIC_STRNLEN_USER
>> >         select GENERIC_SMP_IDLE_THREAD
>> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > +       select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>>         bool
>>         help
>>           An arch should select this symbol if it provides all of these things:
>>           - syscall_get_arch()
>>           - syscall_get_arguments()
>>           - syscall_rollback()
>>           - syscall_set_return_value()
>>           - SIGSYS siginfo_t support
>>           - secure_computing is called from a ptrace_event()-safe context
>>           - secure_computing return value is checked and a return value of -1
>>             results in the system call being skipped immediately.
>>           - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's.  Doing all the exit work in asm
> like you are is just setting you up for a world of pain.

OK, thanks for the suggestion.  Next time we have to change it I'll try to take 
a look and figure out something sane.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Christoph Hellwig]

On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
> 
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Looks good, and probably harmless enought that we should pick it up
for this merge window:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Christoph Hellwig]

On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
> 
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Looks good, and probably harmless enought that we should pick it up
for this merge window:

Reviewed-by: Christoph Hellwig <hch@lst.de>

[PATCH 1/2] Move EM_RISCV into elf-em.h

[Christoph Hellwig]

On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
> 
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Looks good, and probably harmless enought that we should pick it up
for this merge window:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[Christoph Hellwig]

On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
> 
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Looks good, and probably harmless enought that we should pick it up
for this merge window:

Reviewed-by: Christoph Hellwig <hch@lst.de>

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Christoph Hellwig]

I don't know much about seccomp, so just a few general nitpicks:

On Wed, Oct 24, 2018 at 01:40:36PM -0700, Palmer Dabbelt wrote:
> +	bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +	help

The empty line above is odd, please drop it.

> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */

The SPDX tag should go into the first line.

> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>

And while at it I'd drop this empty line as well.

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Christoph Hellwig]

I don't know much about seccomp, so just a few general nitpicks:

On Wed, Oct 24, 2018 at 01:40:36PM -0700, Palmer Dabbelt wrote:
> +	bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +	help

The empty line above is odd, please drop it.

> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */

The SPDX tag should go into the first line.

> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>

And while at it I'd drop this empty line as well.

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Christoph Hellwig]

I don't know much about seccomp, so just a few general nitpicks:

On Wed, Oct 24, 2018 at 01:40:36PM -0700, Palmer Dabbelt wrote:
> +	bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +	help

The empty line above is odd, please drop it.

> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */

The SPDX tag should go into the first line.

> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>

And while at it I'd drop this empty line as well.

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Christoph Hellwig]

I don't know much about seccomp, so just a few general nitpicks:

On Wed, Oct 24, 2018 at 01:40:36PM -0700, Palmer Dabbelt wrote:
> +	bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +	help

The empty line above is odd, please drop it.

> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */

The SPDX tag should go into the first line.

> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>

And while at it I'd drop this empty line as well.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[David Abdurachmanov]

On Sat, Oct 27, 2018 at 9:46 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> > This should never have been inside our arch port to begin with, it's
> > just a relic from when we were maintaining out of tree patches.
> >
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>
> Looks good, and probably harmless enought that we should pick it up
> for this merge window:

That would be nice. The audit parts I am working on depends on this patch.

Tested-by: David Abdurachmanov <david.abdurachmanov@gmail.com>

[PATCH 1/2] Move EM_RISCV into elf-em.h

[David Abdurachmanov]

On Sat, Oct 27, 2018 at 9:46 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> > This should never have been inside our arch port to begin with, it's
> > just a relic from when we were maintaining out of tree patches.
> >
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>
> Looks good, and probably harmless enought that we should pick it up
> for this merge window:

That would be nice. The audit parts I am working on depends on this patch.

Tested-by: David Abdurachmanov <david.abdurachmanov@gmail.com>

Re: [PATCH 1/2] Move EM_RISCV into elf-em.h

[David Abdurachmanov]

On Sat, Oct 27, 2018 at 9:46 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> > This should never have been inside our arch port to begin with, it's
> > just a relic from when we were maintaining out of tree patches.
> >
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>
> Looks good, and probably harmless enought that we should pick it up
> for this merge window:

That would be nice. The audit parts I am working on depends on this patch.

Tested-by: David Abdurachmanov <david.abdurachmanov@gmail.com>

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> <david.abdurachmanov@gmail.com> wrote:
> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> ...
>
> > Palmer,
> >
> > Half of the patch seems to touch audit parts. I started working on audit
> > support this morning, and I can boot Fedora with audit traces.
> >
> > [root@fedora-riscv ~]# dmesg | grep audit
> > [    0.312000] audit: initializing netlink subsys (disabled)
> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> > audit_enabled=0 res=1
> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=success'
> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'
> > [..]
> >
> > I am still working on audit user-space support for better testing.
> >
> > I suggest we first implement audit and then seccomp.
>
> FYI, while small and far from comprehensive, we do have a test suite
> we use for basic validation of the audit kernel bits which may be
> helpful while you're working on the audit enablement:
>
> * https://github.com/linux-audit/audit-testsuite

Currently I checked the following to work:
- /proc/self/loginuid (required by DNF [package manager])
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and
  return value/input arguments seems to be correct)

I checked audit-testsuite yesterday and it seems to be only for
x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:

Failed 4/14 test programs. 19/88 subtests failed.

I don't plan to look further in the failure, e.g.:
- syscall_socketcall: that's an old stuff and not relevant to
  new arches
- syscall_module: Fedora kernel currently is not compiled
  with kernel loadable module support
- filter_exclude: two tests fail because id -Z doesn't print
  any categories, but "semanage login -l" output is identical
  between x86_64 and riscv64
- netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled

Fedora kernel currently has minimal CONFIG_* options
and is built without loadable module support.

I will send the patches for review soon.

david

[PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> <david.abdurachmanov@gmail.com> wrote:
> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> ...
>
> > Palmer,
> >
> > Half of the patch seems to touch audit parts. I started working on audit
> > support this morning, and I can boot Fedora with audit traces.
> >
> > [root at fedora-riscv ~]# dmesg | grep audit
> > [    0.312000] audit: initializing netlink subsys (disabled)
> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> > audit_enabled=0 res=1
> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=success'
> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'
> > [..]
> >
> > I am still working on audit user-space support for better testing.
> >
> > I suggest we first implement audit and then seccomp.
>
> FYI, while small and far from comprehensive, we do have a test suite
> we use for basic validation of the audit kernel bits which may be
> helpful while you're working on the audit enablement:
>
> * https://github.com/linux-audit/audit-testsuite

Currently I checked the following to work:
- /proc/self/loginuid (required by DNF [package manager])
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and
  return value/input arguments seems to be correct)

I checked audit-testsuite yesterday and it seems to be only for
x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:

Failed 4/14 test programs. 19/88 subtests failed.

I don't plan to look further in the failure, e.g.:
- syscall_socketcall: that's an old stuff and not relevant to
  new arches
- syscall_module: Fedora kernel currently is not compiled
  with kernel loadable module support
- filter_exclude: two tests fail because id -Z doesn't print
  any categories, but "semanage login -l" output is identical
  between x86_64 and riscv64
- netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled

Fedora kernel currently has minimal CONFIG_* options
and is built without loadable module support.

I will send the patches for review soon.

david

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> <david.abdurachmanov@gmail.com> wrote:
> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> ...
>
> > Palmer,
> >
> > Half of the patch seems to touch audit parts. I started working on audit
> > support this morning, and I can boot Fedora with audit traces.
> >
> > [root@fedora-riscv ~]# dmesg | grep audit
> > [    0.312000] audit: initializing netlink subsys (disabled)
> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> > audit_enabled=0 res=1
> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=success'
> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'
> > [..]
> >
> > I am still working on audit user-space support for better testing.
> >
> > I suggest we first implement audit and then seccomp.
>
> FYI, while small and far from comprehensive, we do have a test suite
> we use for basic validation of the audit kernel bits which may be
> helpful while you're working on the audit enablement:
>
> * https://github.com/linux-audit/audit-testsuite

Currently I checked the following to work:
- /proc/self/loginuid (required by DNF [package manager])
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and
  return value/input arguments seems to be correct)

I checked audit-testsuite yesterday and it seems to be only for
x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:

Failed 4/14 test programs. 19/88 subtests failed.

I don't plan to look further in the failure, e.g.:
- syscall_socketcall: that's an old stuff and not relevant to
  new arches
- syscall_module: Fedora kernel currently is not compiled
  with kernel loadable module support
- filter_exclude: two tests fail because id -Z doesn't print
  any categories, but "semanage login -l" output is identical
  between x86_64 and riscv64
- netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled

Fedora kernel currently has minimal CONFIG_* options
and is built without loadable module support.

I will send the patches for review soon.

david

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> <david.abdurachmanov@gmail.com> wrote:
>> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> ...
>>
>> > Palmer,
>> >
>> > Half of the patch seems to touch audit parts. I started working on audit
>> > support this morning, and I can boot Fedora with audit traces.
>> >
>> > [root@fedora-riscv ~]# dmesg | grep audit
>> > [    0.312000] audit: initializing netlink subsys (disabled)
>> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> > audit_enabled=0 res=1
>> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> > terminal=? res=success'
>> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> > res=success'
>> > [..]
>> >
>> > I am still working on audit user-space support for better testing.
>> >
>> > I suggest we first implement audit and then seccomp.
>>
>> FYI, while small and far from comprehensive, we do have a test suite
>> we use for basic validation of the audit kernel bits which may be
>> helpful while you're working on the audit enablement:
>>
>> * https://github.com/linux-audit/audit-testsuite
>
> Currently I checked the following to work:
> - /proc/self/loginuid (required by DNF [package manager])
> - auditctl (checked several different example rules from internet)
> - aulast
> - aulastlog
> - ausearch
> - ausyscall
> - aureport
> - autrace (compared some syscalls to strace: order and
>   return value/input arguments seems to be correct)
>
> I checked audit-testsuite yesterday and it seems to be only for
> x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>
> Failed 4/14 test programs. 19/88 subtests failed.
>
> I don't plan to look further in the failure, e.g.:
> - syscall_socketcall: that's an old stuff and not relevant to
>   new arches
> - syscall_module: Fedora kernel currently is not compiled
>   with kernel loadable module support
> - filter_exclude: two tests fail because id -Z doesn't print
>   any categories, but "semanage login -l" output is identical
>   between x86_64 and riscv64
> - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>
> Fedora kernel currently has minimal CONFIG_* options
> and is built without loadable module support.
>
> I will send the patches for review soon.

Thanks!

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov at gmail.com wrote:
> On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> <david.abdurachmanov@gmail.com> wrote:
>> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> ...
>>
>> > Palmer,
>> >
>> > Half of the patch seems to touch audit parts. I started working on audit
>> > support this morning, and I can boot Fedora with audit traces.
>> >
>> > [root at fedora-riscv ~]# dmesg | grep audit
>> > [    0.312000] audit: initializing netlink subsys (disabled)
>> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> > audit_enabled=0 res=1
>> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> > terminal=? res=success'
>> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> > res=success'
>> > [..]
>> >
>> > I am still working on audit user-space support for better testing.
>> >
>> > I suggest we first implement audit and then seccomp.
>>
>> FYI, while small and far from comprehensive, we do have a test suite
>> we use for basic validation of the audit kernel bits which may be
>> helpful while you're working on the audit enablement:
>>
>> * https://github.com/linux-audit/audit-testsuite
>
> Currently I checked the following to work:
> - /proc/self/loginuid (required by DNF [package manager])
> - auditctl (checked several different example rules from internet)
> - aulast
> - aulastlog
> - ausearch
> - ausyscall
> - aureport
> - autrace (compared some syscalls to strace: order and
>   return value/input arguments seems to be correct)
>
> I checked audit-testsuite yesterday and it seems to be only for
> x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>
> Failed 4/14 test programs. 19/88 subtests failed.
>
> I don't plan to look further in the failure, e.g.:
> - syscall_socketcall: that's an old stuff and not relevant to
>   new arches
> - syscall_module: Fedora kernel currently is not compiled
>   with kernel loadable module support
> - filter_exclude: two tests fail because id -Z doesn't print
>   any categories, but "semanage login -l" output is identical
>   between x86_64 and riscv64
> - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>
> Fedora kernel currently has minimal CONFIG_* options
> and is built without loadable module support.
>
> I will send the patches for review soon.

Thanks!

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Palmer Dabbelt]

On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> <david.abdurachmanov@gmail.com> wrote:
>> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> ...
>>
>> > Palmer,
>> >
>> > Half of the patch seems to touch audit parts. I started working on audit
>> > support this morning, and I can boot Fedora with audit traces.
>> >
>> > [root@fedora-riscv ~]# dmesg | grep audit
>> > [    0.312000] audit: initializing netlink subsys (disabled)
>> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> > audit_enabled=0 res=1
>> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> > terminal=? res=success'
>> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> > res=success'
>> > [..]
>> >
>> > I am still working on audit user-space support for better testing.
>> >
>> > I suggest we first implement audit and then seccomp.
>>
>> FYI, while small and far from comprehensive, we do have a test suite
>> we use for basic validation of the audit kernel bits which may be
>> helpful while you're working on the audit enablement:
>>
>> * https://github.com/linux-audit/audit-testsuite
>
> Currently I checked the following to work:
> - /proc/self/loginuid (required by DNF [package manager])
> - auditctl (checked several different example rules from internet)
> - aulast
> - aulastlog
> - ausearch
> - ausyscall
> - aureport
> - autrace (compared some syscalls to strace: order and
>   return value/input arguments seems to be correct)
>
> I checked audit-testsuite yesterday and it seems to be only for
> x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>
> Failed 4/14 test programs. 19/88 subtests failed.
>
> I don't plan to look further in the failure, e.g.:
> - syscall_socketcall: that's an old stuff and not relevant to
>   new arches
> - syscall_module: Fedora kernel currently is not compiled
>   with kernel loadable module support
> - filter_exclude: two tests fail because id -Z doesn't print
>   any categories, but "semanage login -l" output is identical
>   between x86_64 and riscv64
> - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>
> Fedora kernel currently has minimal CONFIG_* options
> and is built without loadable module support.
>
> I will send the patches for review soon.

Thanks!

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
> >>
> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> >> <david.abdurachmanov@gmail.com> wrote:
> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >>
> >> ...
> >>
> >> > Palmer,
> >> >
> >> > Half of the patch seems to touch audit parts. I started working on audit
> >> > support this morning, and I can boot Fedora with audit traces.
> >> >
> >> > [root@fedora-riscv ~]# dmesg | grep audit
> >> > [    0.312000] audit: initializing netlink subsys (disabled)
> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> >> > audit_enabled=0 res=1
> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> >> > terminal=? res=success'
> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> >> > res=success'
> >> > [..]
> >> >
> >> > I am still working on audit user-space support for better testing.
> >> >
> >> > I suggest we first implement audit and then seccomp.
> >>
> >> FYI, while small and far from comprehensive, we do have a test suite
> >> we use for basic validation of the audit kernel bits which may be
> >> helpful while you're working on the audit enablement:
> >>
> >> * https://github.com/linux-audit/audit-testsuite
> >
> > Currently I checked the following to work:
> > - /proc/self/loginuid (required by DNF [package manager])
> > - auditctl (checked several different example rules from internet)
> > - aulast
> > - aulastlog
> > - ausearch
> > - ausyscall
> > - aureport
> > - autrace (compared some syscalls to strace: order and
> >   return value/input arguments seems to be correct)
> >
> > I checked audit-testsuite yesterday and it seems to be only for
> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
> >
> > Failed 4/14 test programs. 19/88 subtests failed.
> >
> > I don't plan to look further in the failure, e.g.:
> > - syscall_socketcall: that's an old stuff and not relevant to
> >   new arches
> > - syscall_module: Fedora kernel currently is not compiled
> >   with kernel loadable module support
> > - filter_exclude: two tests fail because id -Z doesn't print
> >   any categories, but "semanage login -l" output is identical
> >   between x86_64 and riscv64
> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
> >
> > Fedora kernel currently has minimal CONFIG_* options
> > and is built without loadable module support.
> >
> > I will send the patches for review soon.
>
> Thanks!

I fixed the last issue I see with SECCOMP this morning.
I also have patch on top of libseccomp-2.3.3.

Testsuite results for SIM:

Regression Test Summary
 tests run: 4434
 tests skipped: 88
 tests passed: 4434
 tests failed: 0
 tests errored: 0

Testsuite results for LIVE:

Regression Test Summary
 tests run: 6
 tests skipped: 0
 tests passed: 6
 tests failed: 0
 tests errored: 0

Then tested a couple examples manually w/ and w/o BPF and it
performed the same as on x86_64 (also checked exit codes &
strace output).

Upstream libseccomp has now more tests. Once I rebase & re-test
with master of libseccomp, I will send both.

david

[PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov at gmail.com wrote:
> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
> >>
> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> >> <david.abdurachmanov@gmail.com> wrote:
> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >>
> >> ...
> >>
> >> > Palmer,
> >> >
> >> > Half of the patch seems to touch audit parts. I started working on audit
> >> > support this morning, and I can boot Fedora with audit traces.
> >> >
> >> > [root at fedora-riscv ~]# dmesg | grep audit
> >> > [    0.312000] audit: initializing netlink subsys (disabled)
> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> >> > audit_enabled=0 res=1
> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> >> > terminal=? res=success'
> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> >> > res=success'
> >> > [..]
> >> >
> >> > I am still working on audit user-space support for better testing.
> >> >
> >> > I suggest we first implement audit and then seccomp.
> >>
> >> FYI, while small and far from comprehensive, we do have a test suite
> >> we use for basic validation of the audit kernel bits which may be
> >> helpful while you're working on the audit enablement:
> >>
> >> * https://github.com/linux-audit/audit-testsuite
> >
> > Currently I checked the following to work:
> > - /proc/self/loginuid (required by DNF [package manager])
> > - auditctl (checked several different example rules from internet)
> > - aulast
> > - aulastlog
> > - ausearch
> > - ausyscall
> > - aureport
> > - autrace (compared some syscalls to strace: order and
> >   return value/input arguments seems to be correct)
> >
> > I checked audit-testsuite yesterday and it seems to be only for
> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
> >
> > Failed 4/14 test programs. 19/88 subtests failed.
> >
> > I don't plan to look further in the failure, e.g.:
> > - syscall_socketcall: that's an old stuff and not relevant to
> >   new arches
> > - syscall_module: Fedora kernel currently is not compiled
> >   with kernel loadable module support
> > - filter_exclude: two tests fail because id -Z doesn't print
> >   any categories, but "semanage login -l" output is identical
> >   between x86_64 and riscv64
> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
> >
> > Fedora kernel currently has minimal CONFIG_* options
> > and is built without loadable module support.
> >
> > I will send the patches for review soon.
>
> Thanks!

I fixed the last issue I see with SECCOMP this morning.
I also have patch on top of libseccomp-2.3.3.

Testsuite results for SIM:

Regression Test Summary
 tests run: 4434
 tests skipped: 88
 tests passed: 4434
 tests failed: 0
 tests errored: 0

Testsuite results for LIVE:

Regression Test Summary
 tests run: 6
 tests skipped: 0
 tests passed: 6
 tests failed: 0
 tests errored: 0

Then tested a couple examples manually w/ and w/o BPF and it
performed the same as on x86_64 (also checked exit codes &
strace output).

Upstream libseccomp has now more tests. Once I rebase & re-test
with master of libseccomp, I will send both.

david

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[David Abdurachmanov]

On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
> >>
> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> >> <david.abdurachmanov@gmail.com> wrote:
> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >>
> >> ...
> >>
> >> > Palmer,
> >> >
> >> > Half of the patch seems to touch audit parts. I started working on audit
> >> > support this morning, and I can boot Fedora with audit traces.
> >> >
> >> > [root@fedora-riscv ~]# dmesg | grep audit
> >> > [    0.312000] audit: initializing netlink subsys (disabled)
> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> >> > audit_enabled=0 res=1
> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> >> > terminal=? res=success'
> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> >> > res=success'
> >> > [..]
> >> >
> >> > I am still working on audit user-space support for better testing.
> >> >
> >> > I suggest we first implement audit and then seccomp.
> >>
> >> FYI, while small and far from comprehensive, we do have a test suite
> >> we use for basic validation of the audit kernel bits which may be
> >> helpful while you're working on the audit enablement:
> >>
> >> * https://github.com/linux-audit/audit-testsuite
> >
> > Currently I checked the following to work:
> > - /proc/self/loginuid (required by DNF [package manager])
> > - auditctl (checked several different example rules from internet)
> > - aulast
> > - aulastlog
> > - ausearch
> > - ausyscall
> > - aureport
> > - autrace (compared some syscalls to strace: order and
> >   return value/input arguments seems to be correct)
> >
> > I checked audit-testsuite yesterday and it seems to be only for
> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
> >
> > Failed 4/14 test programs. 19/88 subtests failed.
> >
> > I don't plan to look further in the failure, e.g.:
> > - syscall_socketcall: that's an old stuff and not relevant to
> >   new arches
> > - syscall_module: Fedora kernel currently is not compiled
> >   with kernel loadable module support
> > - filter_exclude: two tests fail because id -Z doesn't print
> >   any categories, but "semanage login -l" output is identical
> >   between x86_64 and riscv64
> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
> >
> > Fedora kernel currently has minimal CONFIG_* options
> > and is built without loadable module support.
> >
> > I will send the patches for review soon.
>
> Thanks!

I fixed the last issue I see with SECCOMP this morning.
I also have patch on top of libseccomp-2.3.3.

Testsuite results for SIM:

Regression Test Summary
 tests run: 4434
 tests skipped: 88
 tests passed: 4434
 tests failed: 0
 tests errored: 0

Testsuite results for LIVE:

Regression Test Summary
 tests run: 6
 tests skipped: 0
 tests passed: 6
 tests failed: 0
 tests errored: 0

Then tested a couple examples manually w/ and w/o BPF and it
performed the same as on x86_64 (also checked exit codes &
strace output).

Upstream libseccomp has now more tests. Once I rebase & re-test
with master of libseccomp, I will send both.

david

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Fri, Nov 2, 2018 at 6:32 AM, David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
>> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>> >>
>> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> >> <david.abdurachmanov@gmail.com> wrote:
>> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >>
>> >> ...
>> >>
>> >> > Palmer,
>> >> >
>> >> > Half of the patch seems to touch audit parts. I started working on audit
>> >> > support this morning, and I can boot Fedora with audit traces.
>> >> >
>> >> > [root@fedora-riscv ~]# dmesg | grep audit
>> >> > [    0.312000] audit: initializing netlink subsys (disabled)
>> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> >> > audit_enabled=0 res=1
>> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> >> > terminal=? res=success'
>> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> >> > res=success'
>> >> > [..]
>> >> >
>> >> > I am still working on audit user-space support for better testing.
>> >> >
>> >> > I suggest we first implement audit and then seccomp.
>> >>
>> >> FYI, while small and far from comprehensive, we do have a test suite
>> >> we use for basic validation of the audit kernel bits which may be
>> >> helpful while you're working on the audit enablement:
>> >>
>> >> * https://github.com/linux-audit/audit-testsuite
>> >
>> > Currently I checked the following to work:
>> > - /proc/self/loginuid (required by DNF [package manager])
>> > - auditctl (checked several different example rules from internet)
>> > - aulast
>> > - aulastlog
>> > - ausearch
>> > - ausyscall
>> > - aureport
>> > - autrace (compared some syscalls to strace: order and
>> >   return value/input arguments seems to be correct)
>> >
>> > I checked audit-testsuite yesterday and it seems to be only for
>> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>> >
>> > Failed 4/14 test programs. 19/88 subtests failed.
>> >
>> > I don't plan to look further in the failure, e.g.:
>> > - syscall_socketcall: that's an old stuff and not relevant to
>> >   new arches
>> > - syscall_module: Fedora kernel currently is not compiled
>> >   with kernel loadable module support
>> > - filter_exclude: two tests fail because id -Z doesn't print
>> >   any categories, but "semanage login -l" output is identical
>> >   between x86_64 and riscv64
>> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>> >
>> > Fedora kernel currently has minimal CONFIG_* options
>> > and is built without loadable module support.
>> >
>> > I will send the patches for review soon.
>>
>> Thanks!
>
> I fixed the last issue I see with SECCOMP this morning.

Can you CC me on the series? I'd love to take a look.

> I also have patch on top of libseccomp-2.3.3.

Nice! If you toss it up on github I can review that too. :)

-Kees

>
> Testsuite results for SIM:
>
> Regression Test Summary
>  tests run: 4434
>  tests skipped: 88
>  tests passed: 4434
>  tests failed: 0
>  tests errored: 0
>
> Testsuite results for LIVE:
>
> Regression Test Summary
>  tests run: 6
>  tests skipped: 0
>  tests passed: 6
>  tests failed: 0
>  tests errored: 0
>
> Then tested a couple examples manually w/ and w/o BPF and it
> performed the same as on x86_64 (also checked exit codes &
> strace output).
>
> Upstream libseccomp has now more tests. Once I rebase & re-test
> with master of libseccomp, I will send both.
>
> david



-- 
Kees Cook

[PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Fri, Nov 2, 2018 at 6:32 AM, David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov at gmail.com wrote:
>> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>> >>
>> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> >> <david.abdurachmanov@gmail.com> wrote:
>> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >>
>> >> ...
>> >>
>> >> > Palmer,
>> >> >
>> >> > Half of the patch seems to touch audit parts. I started working on audit
>> >> > support this morning, and I can boot Fedora with audit traces.
>> >> >
>> >> > [root at fedora-riscv ~]# dmesg | grep audit
>> >> > [    0.312000] audit: initializing netlink subsys (disabled)
>> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> >> > audit_enabled=0 res=1
>> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> >> > terminal=? res=success'
>> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> >> > res=success'
>> >> > [..]
>> >> >
>> >> > I am still working on audit user-space support for better testing.
>> >> >
>> >> > I suggest we first implement audit and then seccomp.
>> >>
>> >> FYI, while small and far from comprehensive, we do have a test suite
>> >> we use for basic validation of the audit kernel bits which may be
>> >> helpful while you're working on the audit enablement:
>> >>
>> >> * https://github.com/linux-audit/audit-testsuite
>> >
>> > Currently I checked the following to work:
>> > - /proc/self/loginuid (required by DNF [package manager])
>> > - auditctl (checked several different example rules from internet)
>> > - aulast
>> > - aulastlog
>> > - ausearch
>> > - ausyscall
>> > - aureport
>> > - autrace (compared some syscalls to strace: order and
>> >   return value/input arguments seems to be correct)
>> >
>> > I checked audit-testsuite yesterday and it seems to be only for
>> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>> >
>> > Failed 4/14 test programs. 19/88 subtests failed.
>> >
>> > I don't plan to look further in the failure, e.g.:
>> > - syscall_socketcall: that's an old stuff and not relevant to
>> >   new arches
>> > - syscall_module: Fedora kernel currently is not compiled
>> >   with kernel loadable module support
>> > - filter_exclude: two tests fail because id -Z doesn't print
>> >   any categories, but "semanage login -l" output is identical
>> >   between x86_64 and riscv64
>> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>> >
>> > Fedora kernel currently has minimal CONFIG_* options
>> > and is built without loadable module support.
>> >
>> > I will send the patches for review soon.
>>
>> Thanks!
>
> I fixed the last issue I see with SECCOMP this morning.

Can you CC me on the series? I'd love to take a look.

> I also have patch on top of libseccomp-2.3.3.

Nice! If you toss it up on github I can review that too. :)

-Kees

>
> Testsuite results for SIM:
>
> Regression Test Summary
>  tests run: 4434
>  tests skipped: 88
>  tests passed: 4434
>  tests failed: 0
>  tests errored: 0
>
> Testsuite results for LIVE:
>
> Regression Test Summary
>  tests run: 6
>  tests skipped: 0
>  tests passed: 6
>  tests failed: 0
>  tests errored: 0
>
> Then tested a couple examples manually w/ and w/o BPF and it
> performed the same as on x86_64 (also checked exit codes &
> strace output).
>
> Upstream libseccomp has now more tests. Once I rebase & re-test
> with master of libseccomp, I will send both.
>
> david



-- 
Kees Cook

Re: [PATCH 2/2] RISC-V: Add support for SECCOMP

[Kees Cook]

On Fri, Nov 2, 2018 at 6:32 AM, David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
>> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>> >>
>> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> >> <david.abdurachmanov@gmail.com> wrote:
>> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >>
>> >> ...
>> >>
>> >> > Palmer,
>> >> >
>> >> > Half of the patch seems to touch audit parts. I started working on audit
>> >> > support this morning, and I can boot Fedora with audit traces.
>> >> >
>> >> > [root@fedora-riscv ~]# dmesg | grep audit
>> >> > [    0.312000] audit: initializing netlink subsys (disabled)
>> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> >> > audit_enabled=0 res=1
>> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> >> > terminal=? res=success'
>> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> >> > res=success'
>> >> > [..]
>> >> >
>> >> > I am still working on audit user-space support for better testing.
>> >> >
>> >> > I suggest we first implement audit and then seccomp.
>> >>
>> >> FYI, while small and far from comprehensive, we do have a test suite
>> >> we use for basic validation of the audit kernel bits which may be
>> >> helpful while you're working on the audit enablement:
>> >>
>> >> * https://github.com/linux-audit/audit-testsuite
>> >
>> > Currently I checked the following to work:
>> > - /proc/self/loginuid (required by DNF [package manager])
>> > - auditctl (checked several different example rules from internet)
>> > - aulast
>> > - aulastlog
>> > - ausearch
>> > - ausyscall
>> > - aureport
>> > - autrace (compared some syscalls to strace: order and
>> >   return value/input arguments seems to be correct)
>> >
>> > I checked audit-testsuite yesterday and it seems to be only for
>> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>> >
>> > Failed 4/14 test programs. 19/88 subtests failed.
>> >
>> > I don't plan to look further in the failure, e.g.:
>> > - syscall_socketcall: that's an old stuff and not relevant to
>> >   new arches
>> > - syscall_module: Fedora kernel currently is not compiled
>> >   with kernel loadable module support
>> > - filter_exclude: two tests fail because id -Z doesn't print
>> >   any categories, but "semanage login -l" output is identical
>> >   between x86_64 and riscv64
>> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>> >
>> > Fedora kernel currently has minimal CONFIG_* options
>> > and is built without loadable module support.
>> >
>> > I will send the patches for review soon.
>>
>> Thanks!
>
> I fixed the last issue I see with SECCOMP this morning.

Can you CC me on the series? I'd love to take a look.

> I also have patch on top of libseccomp-2.3.3.

Nice! If you toss it up on github I can review that too. :)

-Kees

>
> Testsuite results for SIM:
>
> Regression Test Summary
>  tests run: 4434
>  tests skipped: 88
>  tests passed: 4434
>  tests failed: 0
>  tests errored: 0
>
> Testsuite results for LIVE:
>
> Regression Test Summary
>  tests run: 6
>  tests skipped: 0
>  tests passed: 6
>  tests failed: 0
>  tests errored: 0
>
> Then tested a couple examples manually w/ and w/o BPF and it
> performed the same as on x86_64 (also checked exit codes &
> strace output).
>
> Upstream libseccomp has now more tests. Once I rebase & re-test
> with master of libseccomp, I will send both.
>
> david



-- 
Kees Cook

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv