linux-kernel.vger.kernel.org archive mirror
* [PATCH 0/2] RISC-V: Add support for SECCOMP
       [not found] <CAEn-LTqbEmWovu4t7Rs4C211+GRRU4V3B=+WmW0SOhX_b8db5Q@mail.gmail.com>
@ 2018-10-24 20:40 ` Palmer Dabbelt
  2018-10-24 20:40   ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
  2018-10-24 20:40   ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
  0 siblings, 2 replies; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-24 20:40 UTC (permalink / raw)
  To: linux-riscv
  Cc: Palmer Dabbelt, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-riscv, linux-kernel, linux-audit, david.abdurachmanov,
	linux-kernel

On Tue, 23 Oct 2018 01:20:28 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Tue, Oct 23, 2018 at 3:20 AM Palmer Dabbelt <palmer@sifive.com> wrote:
>
>> I'm pretty sure this is our largest patch set since the original kernel
>> contribution, and it's certainly the one with the most contributors.
>> While I don't have anything else I know I'm going to submit for the
>> merge window, I would be somewhat surprised if I didn't screw anything
>> up.
>
> Hi Palmer,
>
> Do you plan to land wip-seccomp in 4.20?
>
> It was mentioned back in August:
> http://lists.infradead.org/pipermail/linux-riscv/2018-August/001182.html
>
> david

I've updated the patches to live on top of 4.19 as well as cleaning up
the Kconfig entry.  Unless anyone has any comments I'll add them to
for-next and submit a PR next week.

Thanks for the reminder!




* [PATCH 1/2] Move EM_RISCV into elf-em.h
  2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
@ 2018-10-24 20:40   ` Palmer Dabbelt
  2018-10-24 21:26     ` Kees Cook
  2018-10-27  7:46     ` Christoph Hellwig
  2018-10-24 20:40   ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
  1 sibling, 2 replies; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-24 20:40 UTC (permalink / raw)
  To: linux-riscv
  Cc: Palmer Dabbelt, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-riscv, linux-kernel, linux-audit, david.abdurachmanov,
	linux-kernel

This should never have been inside our arch port to begin with, it's
just a relic from when we were maintaining out of tree patches.

Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/include/asm/elf.h | 3 ---
 include/uapi/linux/elf-em.h  | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
index a1ef503d616e..697fc23b0d5a 100644
--- a/arch/riscv/include/asm/elf.h
+++ b/arch/riscv/include/asm/elf.h
@@ -16,9 +16,6 @@
 #include <asm/auxvec.h>
 #include <asm/byteorder.h>
 
-/* TODO: Move definition into include/uapi/linux/elf-em.h */
-#define EM_RISCV	0xF3
-
 /*
  * These are used to set parameters in the core dumps.
  */
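Review bot: with the local `#define EM_RISCV 0xF3` removed from arch/riscv/include/asm/elf.h, neither of the includes visible in this hunk (asm/auxvec.h, asm/byteorder.h) obviously pulls in include/uapi/linux/elf-em.h. Please confirm that every user of EM_RISCV reached through this header still sees the definition, or add the include explicitly.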
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 31aa10178335..93722e60204c 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -41,6 +41,7 @@
 #define EM_TILEPRO	188	/* Tilera TILEPro */
 #define EM_MICROBLAZE	189	/* Xilinx MicroBlaze */
 #define EM_TILEGX	191	/* Tilera TILE-Gx */
+#define EM_RISCV	243	/* RISC-V */
 #define EM_BPF		247	/* Linux BPF - in-kernel virtual machine */
 #define EM_FRV		0x5441	/* Fujitsu FR-V */
 
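Review bot: the added `EM_RISCV 243` line carries the same value as the removed `0xF3`, now written in decimal like its neighbours, but the commit message does not say so. Since this moves the constant into a uapi header, one sentence stating that the value is unchanged would help readers of the log.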
-- 
2.18.1



* [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 20:40 ` [PATCH 0/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
  2018-10-24 20:40   ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
@ 2018-10-24 20:40   ` Palmer Dabbelt
  2018-10-24 21:42     ` Kees Cook
                       ` (2 more replies)
  1 sibling, 3 replies; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-24 20:40 UTC (permalink / raw)
  To: linux-riscv
  Cc: Palmer Dabbelt, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-riscv, linux-kernel, linux-audit, david.abdurachmanov,
	linux-kernel

From: "Wesley W. Terpstra" <wesley@sifive.com>

This is a fairly straight-forward implementation of seccomp for RISC-V
systems.

Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
---
 arch/riscv/Kconfig                   | 18 ++++++++++++++++++
 arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
 arch/riscv/include/asm/syscall.h     |  6 ++++++
 arch/riscv/include/asm/thread_info.h |  1 +
 include/uapi/linux/audit.h           |  1 +
 5 files changed, 36 insertions(+)
 create mode 100644 arch/riscv/include/asm/seccomp.h

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..28abe47602a1 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
 	select GENERIC_STRNLEN_USER
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_MEMBLOCK
 	select HAVE_MEMBLOCK_NODE_MAP
 	select HAVE_DMA_CONTIGUOUS
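Review bot: `select HAVE_ARCH_SECCOMP_FILTER` is unconditional in `config RISCV`, but the diffstat for this patch lists only Kconfig, seccomp.h, syscall.h, thread_info.h and audit.h, so nothing in it calls secure_computing() or tests TIF_SECCOMP on the syscall entry path. Selecting the symbol advertises filter support that the visible changes do not deliver; hold the select back until the entry-path hook is part of the series.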
@@ -214,6 +215,22 @@ menu "Kernel type"
 
 source "kernel/Kconfig.hz"
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
+	  If unsure, say Y. Only embedded should say N here.
+
 endmenu
 
 menu "Bus support"
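Review bot: the new `config SECCOMP` entry has a blank line between `bool` and `help`, and its help text ends with "If unsure, say Y" although the entry has no `default y`, so the option stays off unless someone sets it by hand. Drop the blank line, and either add the default or reword the last sentence of the help.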
@@ -243,3 +260,4 @@ menu "Power management options"
 source kernel/power/Kconfig
 
 endmenu
+
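Review bot: the only change in this hunk is an empty line appended after the final `endmenu`. It looks accidental and should be dropped so the file does not gain a trailing blank line.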
diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
new file mode 100644
index 000000000000..c1b4407f1038
--- /dev/null
+++ b/arch/riscv/include/asm/seccomp.h
@@ -0,0 +1,10 @@
+/* Copyright 2018 SiFive, Inc. */
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_RISCV_SECCOMP_H
+#define _ASM_RISCV_SECCOMP_H
+
+#include <asm/unistd.h>
+
+#include <asm-generic/seccomp.h>
+
+#endif /* _ASM_RISCV_SECCOMP_H */
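Review bot: in the new seccomp.h the copyright comment is on line 1 and the SPDX tag on line 2. The kernel's license rules ask for the `SPDX-License-Identifier` comment on the first line of the file, so the two lines should be swapped.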
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..d24f774f39df 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #define _ASM_RISCV_SYSCALL_H
 
 #include <linux/sched.h>
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 
 /* The array of function pointers for syscalls. */
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
 }
 
+static inline int syscall_get_arch(void)
+{
+	return AUDIT_ARCH_RISCV;
+}
+
 #endif	/* _ASM_RISCV_SYSCALL_H */
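Review bot: `syscall_get_arch()` returns the single constant AUDIT_ARCH_RISCV for every build, while the Kconfig context in this same patch (`GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A`) shows the port has both 32-bit and 64-bit configurations. The returned value is what a seccomp filter and an audit record see as the architecture, so the two ABIs could not be told apart; consider returning a different token depending on CONFIG_64BIT.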
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..374973dc05c6 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,6 +80,7 @@ struct thread_info {
 #define TIF_RESTORE_SIGMASK	4	/* restore signal mask in do_signal() */
 #define TIF_MEMDIE		5	/* is terminating due to OOM killer */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
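Review bot: TIF_SECCOMP gets a bit number here but no matching `_TIF_SECCOMP` mask alongside `_TIF_SYSCALL_TRACE` and `_TIF_NOTIFY_RESUME` just below, and no other hunk in the patch tests the flag. Add the mask and include it in whatever work mask the syscall entry code checks; as posted, setting the flag has no effect.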
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..c16fa1a76659 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,7 @@ enum {
 /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV	(EM_RISCV)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
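Review bot: `AUDIT_ARCH_RISCV` is defined as bare `(EM_RISCV)`, whereas the PPC64LE entry two lines above ORs in `__AUDIT_ARCH_64BIT` and `__AUDIT_ARCH_LE`. Once this value ships in a uapi header it is ABI, so decide now whether the token should carry width and endianness flags like its neighbours instead of changing it later.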
-- 
2.18.1



* Re: [PATCH 1/2] Move EM_RISCV into elf-em.h
  2018-10-24 20:40   ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
@ 2018-10-24 21:26     ` Kees Cook
  2018-10-27  7:46     ` Christoph Hellwig
  1 sibling, 0 replies; 18+ messages in thread
From: Kees Cook @ 2018-10-24 21:26 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, Albert Ou, Paul Moore, Eric Paris, Andy Lutomirski,
	Will Drewry, Wesley Terpstra, David Howells, Thomas Gleixner,
	Philippe Ombredanne, Greg KH, Kate Stewart, LKML, Linux Audit,
	david.abdurachmanov

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/riscv/include/asm/elf.h | 3 ---
>  include/uapi/linux/elf-em.h  | 1 +
>  2 files changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/riscv/include/asm/elf.h b/arch/riscv/include/asm/elf.h
> index a1ef503d616e..697fc23b0d5a 100644
> --- a/arch/riscv/include/asm/elf.h
> +++ b/arch/riscv/include/asm/elf.h
> @@ -16,9 +16,6 @@
>  #include <asm/auxvec.h>
>  #include <asm/byteorder.h>
>
> -/* TODO: Move definition into include/uapi/linux/elf-em.h */
> -#define EM_RISCV       0xF3
> -
>  /*
>   * These are used to set parameters in the core dumps.
>   */
> diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
> index 31aa10178335..93722e60204c 100644
> --- a/include/uapi/linux/elf-em.h
> +++ b/include/uapi/linux/elf-em.h
> @@ -41,6 +41,7 @@
>  #define EM_TILEPRO     188     /* Tilera TILEPro */
>  #define EM_MICROBLAZE  189     /* Xilinx MicroBlaze */
>  #define EM_TILEGX      191     /* Tilera TILE-Gx */
> +#define EM_RISCV       243     /* RISC-V */
>  #define EM_BPF         247     /* Linux BPF - in-kernel virtual machine */
>  #define EM_FRV         0x5441  /* Fujitsu FR-V */
>
> --
> 2.18.1
>



-- 
Kees Cook


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 20:40   ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
@ 2018-10-24 21:42     ` Kees Cook
  2018-10-24 22:34       ` Kees Cook
  2018-10-25 21:02       ` Andy Lutomirski
  2018-10-25 18:31     ` David Abdurachmanov
  2018-10-27  7:55     ` Christoph Hellwig
  2 siblings, 2 replies; 18+ messages in thread
From: Kees Cook @ 2018-10-24 21:42 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, Albert Ou, Paul Moore, Eric Paris, Andy Lutomirski,
	Will Drewry, Wesley Terpstra, David Howells, Thomas Gleixner,
	Philippe Ombredanne, Greg KH, Kate Stewart, LKML, Linux Audit,
	david.abdurachmanov

On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER

I think this patch is missing most of the actual seccomp glue?

config HAVE_ARCH_SECCOMP_FILTER
        bool
        help
          An arch should select this symbol if it provides all of these things:
          - syscall_get_arch()
          - syscall_get_arguments()
          - syscall_rollback()
          - syscall_set_return_value()
          - SIGSYS siginfo_t support
          - secure_computing is called from a ptrace_event()-safe context
          - secure_computing return value is checked and a return value of -1
            results in the system call being skipped immediately.
          - seccomp syscall wired up

I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
expect a masked check in entry.S -- it seems like tracepoints are
getting missed too? I see it handled in ptrace.c but not checked in
entry.S?) There's no checking for seccomp in ptrace.c, etc.

At the very least, I think the Kconfigs should not be included in this
patch. The other things are needed, but without everything else,
seccomp isn't actually available. :)

Reading the per-arch Kconfigs, I am reminded I still need to move
CONFIG_SECCOMP up into arch/Kconfig. :P

-Kees

-- 
Kees Cook

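Why the value behind syscall_get_arch() matters to userspace, as an added example that is not part of this thread or of the patch: a seccomp-BPF program that checks `seccomp_data.arch` before it looks at the syscall number, evaluated by a small userspace model of the three classic-BPF opcodes it uses instead of being installed in the kernel. The token 243 is the patch's `AUDIT_ARCH_RISCV` value, the syscall numbers are the asm-generic ones, and `demo_filter`, `run_filter` and `verdict` are names made up for this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Value returned by syscall_get_arch() in the patch: AUDIT_ARCH_RISCV == (EM_RISCV). */
#define PATCH_AUDIT_ARCH_RISCV 243u

/* asm-generic syscall numbers (assumed here to be the ones the port uses). */
#define NR_READ        63
#define NR_WRITE       64
#define NR_EXIT        93
#define NR_EXIT_GROUP  94

/* Arch check first, then a four-entry allow list; everything else gets EPERM. */
static const struct sock_filter demo_filter[] = {
    /* [0] A = seccomp_data.arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* [1] expected arch -> [3], anything else -> [2] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PATCH_AUDIT_ARCH_RISCV, 1, 0),
    /* [2] foreign arch: syscall numbers cannot be trusted, kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* [3] A = seccomp_data.nr */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* [4]..[7] allow list, each match jumps to [9] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_READ, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_WRITE, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_EXIT, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_EXIT_GROUP, 1, 0),
    /* [8] not on the list */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    /* [9] on the list */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Userspace model of the kernel's filter run, limited to LD|W|ABS, JEQ|K and RET|K. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];

        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            /* Loads must be word aligned and inside seccomp_data. */
            if ((in->k & 3) || in->k > sizeof(*sd) - sizeof(acc))
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* opcode outside this model */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end without a RET */
}

/* Build a constructed seccomp_data record and return the filter's verdict. */
static uint32_t verdict(uint32_t arch, int nr)
{
    struct seccomp_data sd;

    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    return run_filter(demo_filter, sizeof(demo_filter) / sizeof(demo_filter[0]), &sd);
}

int main(void)
{
    /* Constructed inputs: the patch's token, a foreign token, a flagged token. */
    printf("riscv write      -> 0x%08x\n", verdict(PATCH_AUDIT_ARCH_RISCV, NR_WRITE));
    printf("riscv nr 172     -> 0x%08x\n", verdict(PATCH_AUDIT_ARCH_RISCV, 172));
    printf("x86_64 write     -> 0x%08x\n", verdict(AUDIT_ARCH_X86_64, NR_WRITE));
    printf("riscv|64|LE write -> 0x%08x\n",
           verdict(PATCH_AUDIT_ARCH_RISCV | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE,
                   NR_WRITE));
    return 0;
}
```

The last case shows that a token carrying `__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE` no longer matches a filter compiled against the bare value, which is why the constant has to be settled before filters are written against it.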

* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 21:42     ` Kees Cook
@ 2018-10-24 22:34       ` Kees Cook
  2018-10-25 21:02       ` Andy Lutomirski
  1 sibling, 0 replies; 18+ messages in thread
From: Kees Cook @ 2018-10-24 22:34 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, Albert Ou, Paul Moore, Eric Paris, Andy Lutomirski,
	Will Drewry, Wesley Terpstra, David Howells, Thomas Gleixner,
	Philippe Ombredanne, Greg KH, Kate Stewart, LKML, Linux Audit,
	david.abdurachmanov

On Wed, Oct 24, 2018 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up

Oh, and I should add to this list, "passes
tools/testing/selftests/seccomp/seccomp_bpf test". :)

-- 
Kees Cook


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 20:40   ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
  2018-10-24 21:42     ` Kees Cook
@ 2018-10-25 18:31     ` David Abdurachmanov
  2018-10-25 20:36       ` Paul Moore
  2018-10-27  6:07       ` Palmer Dabbelt
  2018-10-27  7:55     ` Christoph Hellwig
  2 siblings, 2 replies; 18+ messages in thread
From: David Abdurachmanov @ 2018-10-25 18:31 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, aou, paul, eparis, keescook, luto, wad, wesley,
	dhowells, tglx, pombredanne, gregkh, kstewart, linux-kernel,
	linux-audit

On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> This is a fairly straight-forward implementation of seccomp for RISC-V
> systems.
>
> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> ---
>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>  arch/riscv/include/asm/thread_info.h |  1 +
>  include/uapi/linux/audit.h           |  1 +
>  5 files changed, 36 insertions(+)
>  create mode 100644 arch/riscv/include/asm/seccomp.h
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index a344980287a5..28abe47602a1 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -28,6 +28,7 @@ config RISCV
>         select GENERIC_STRNLEN_USER
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> +       select HAVE_ARCH_SECCOMP_FILTER
>         select HAVE_MEMBLOCK
>         select HAVE_MEMBLOCK_NODE_MAP
>         select HAVE_DMA_CONTIGUOUS
> @@ -214,6 +215,22 @@ menu "Kernel type"
>
>  source "kernel/Kconfig.hz"
>
> +config SECCOMP
> +       bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +       help
> +         This kernel feature is useful for number crunching applications
> +         that may need to compute untrusted bytecode during their
> +         execution. By using pipes or other transports made available to
> +         the process as file descriptors supporting the read/write
> +         syscalls, it's possible to isolate those applications in
> +         their own address space using seccomp. Once seccomp is
> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> +         and the task is only allowed to execute a few safe syscalls
> +         defined by each seccomp mode.
> +
> +         If unsure, say Y. Only embedded should say N here.
> +
>  endmenu
>
>  menu "Bus support"
> @@ -243,3 +260,4 @@ menu "Power management options"
>  source kernel/power/Kconfig
>
>  endmenu
> +
> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
> new file mode 100644
> index 000000000000..c1b4407f1038
> --- /dev/null
> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>
> +
> +#endif /* _ASM_RISCV_SECCOMP_H */
> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
> index 8d25f8904c00..d24f774f39df 100644
> --- a/arch/riscv/include/asm/syscall.h
> +++ b/arch/riscv/include/asm/syscall.h
> @@ -19,6 +19,7 @@
>  #define _ASM_RISCV_SYSCALL_H
>
>  #include <linux/sched.h>
> +#include <uapi/linux/audit.h>
>  #include <linux/err.h>
>
>  /* The array of function pointers for syscalls. */
> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>  }
>
> +static inline int syscall_get_arch(void)
> +{
> +       return AUDIT_ARCH_RISCV;
> +}
> +
>  #endif /* _ASM_RISCV_SYSCALL_H */
> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
> index f8fa1cd2dad9..374973dc05c6 100644
> --- a/arch/riscv/include/asm/thread_info.h
> +++ b/arch/riscv/include/asm/thread_info.h
> @@ -80,6 +80,7 @@ struct thread_info {
>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>
>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 818ae690ab79..c16fa1a76659 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -399,6 +399,7 @@ enum {
>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>  #define AUDIT_ARCH_S390                (EM_S390)
>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_SH          (EM_SH)

Palmer,

Half of the patch seems to touch audit parts. I started working on audit
support this morning, and I can boot Fedora with audit traces.

[root@fedora-riscv ~]# dmesg | grep audit
[    0.312000] audit: initializing netlink subsys (disabled)
[    0.316000] audit: type=2000 audit(0.316:1): state=initialized
audit_enabled=0 res=1
[    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
[    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[..]

I am still working on audit user-space support for better testing.

I suggest we first implement audit and then seccomp.

david


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-25 18:31     ` David Abdurachmanov
@ 2018-10-25 20:36       ` Paul Moore
  2018-10-28 11:07         ` David Abdurachmanov
  2018-10-27  6:07       ` Palmer Dabbelt
  1 sibling, 1 reply; 18+ messages in thread
From: Paul Moore @ 2018-10-25 20:36 UTC (permalink / raw)
  To: david.abdurachmanov
  Cc: palmer, linux-riscv, aou, Eric Paris, keescook, luto, wad,
	wesley, dhowells, tglx, pombredanne, gregkh, kstewart,
	linux-kernel, linux-audit

On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>

...

> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

FYI, while small and far from comprehensive, we do have a test suite
we use for basic validation of the audit kernel bits which may be
helpful while you're working on the audit enablement:

* https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 21:42     ` Kees Cook
  2018-10-24 22:34       ` Kees Cook
@ 2018-10-25 21:02       ` Andy Lutomirski
  2018-10-27  6:07         ` Palmer Dabbelt
  1 sibling, 1 reply; 18+ messages in thread
From: Andy Lutomirski @ 2018-10-25 21:02 UTC (permalink / raw)
  To: Kees Cook
  Cc: palmer, linux-riscv, aou, Paul Moore, Eric Paris, Will Drewry,
	wesley, David Howells, Thomas Gleixner, pombredanne, Greg KH,
	kstewart, LKML, linux-audit, david.abdurachmanov

On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
> > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >
> > This is a fairly straight-forward implementation of seccomp for RISC-V
> > systems.
> >
> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
> > ---
> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
> >  arch/riscv/include/asm/thread_info.h |  1 +
> >  include/uapi/linux/audit.h           |  1 +
> >  5 files changed, 36 insertions(+)
> >  create mode 100644 arch/riscv/include/asm/seccomp.h
> >
> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> > index a344980287a5..28abe47602a1 100644
> > --- a/arch/riscv/Kconfig
> > +++ b/arch/riscv/Kconfig
> > @@ -28,6 +28,7 @@ config RISCV
> >         select GENERIC_STRNLEN_USER
> >         select GENERIC_SMP_IDLE_THREAD
> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
> > +       select HAVE_ARCH_SECCOMP_FILTER
>
> I think this patch is missing most of the actual seccomp glue?
>
> config HAVE_ARCH_SECCOMP_FILTER
>         bool
>         help
>           An arch should select this symbol if it provides all of these things:
>           - syscall_get_arch()
>           - syscall_get_arguments()
>           - syscall_rollback()
>           - syscall_set_return_value()
>           - SIGSYS siginfo_t support
>           - secure_computing is called from a ptrace_event()-safe context
>           - secure_computing return value is checked and a return value of -1
>             results in the system call being skipped immediately.
>           - seccomp syscall wired up
>
> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
> expect a masked check in entry.S -- it seems like tracepoints are
> getting missed too? I see it handled in ptrace.c but not checked in
> entry.S?) There's no checking for seccomp in ptrace.c, etc.

Hi RISC-V people:

I strongly, strongly suggest that you rewrite your asm to work the way
that x86's does: have a function called prepare_exit_to_usermode() and
make it work more or less like x86's.  Doing all the exit work in asm
like you are is just setting you up for a world of pain.

--Andy


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-25 18:31     ` David Abdurachmanov
  2018-10-25 20:36       ` Paul Moore
@ 2018-10-27  6:07       ` Palmer Dabbelt
  1 sibling, 0 replies; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-27  6:07 UTC (permalink / raw)
  To: david.abdurachmanov
  Cc: linux-riscv, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-kernel, linux-audit

On Thu, 25 Oct 2018 11:31:30 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> This is a fairly straight-forward implementation of seccomp for RISC-V
>> systems.
>>
>> Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> ---
>>  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>>  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>>  arch/riscv/include/asm/syscall.h     |  6 ++++++
>>  arch/riscv/include/asm/thread_info.h |  1 +
>>  include/uapi/linux/audit.h           |  1 +
>>  5 files changed, 36 insertions(+)
>>  create mode 100644 arch/riscv/include/asm/seccomp.h
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index a344980287a5..28abe47602a1 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -28,6 +28,7 @@ config RISCV
>>         select GENERIC_STRNLEN_USER
>>         select GENERIC_SMP_IDLE_THREAD
>>         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> +       select HAVE_ARCH_SECCOMP_FILTER
>>         select HAVE_MEMBLOCK
>>         select HAVE_MEMBLOCK_NODE_MAP
>>         select HAVE_DMA_CONTIGUOUS
>> @@ -214,6 +215,22 @@ menu "Kernel type"
>>
>>  source "kernel/Kconfig.hz"
>>
>> +config SECCOMP
>> +       bool "Enable seccomp to safely compute untrusted bytecode"
>> +
>> +       help
>> +         This kernel feature is useful for number crunching applications
>> +         that may need to compute untrusted bytecode during their
>> +         execution. By using pipes or other transports made available to
>> +         the process as file descriptors supporting the read/write
>> +         syscalls, it's possible to isolate those applications in
>> +         their own address space using seccomp. Once seccomp is
>> +         enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
>> +         and the task is only allowed to execute a few safe syscalls
>> +         defined by each seccomp mode.
>> +
>> +         If unsure, say Y. Only embedded should say N here.
>> +
>>  endmenu
>>
>>  menu "Bus support"
>> @@ -243,3 +260,4 @@ menu "Power management options"
>>  source kernel/power/Kconfig
>>
>>  endmenu
>> +
>> diff --git a/arch/riscv/include/asm/seccomp.h b/arch/riscv/include/asm/seccomp.h
>> new file mode 100644
>> index 000000000000..c1b4407f1038
>> --- /dev/null
>> +++ b/arch/riscv/include/asm/seccomp.h
>> @@ -0,0 +1,10 @@
>> +/* Copyright 2018 SiFive, Inc. */
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +#ifndef _ASM_RISCV_SECCOMP_H
>> +#define _ASM_RISCV_SECCOMP_H
>> +
>> +#include <asm/unistd.h>
>> +
>> +#include <asm-generic/seccomp.h>
>> +
>> +#endif /* _ASM_RISCV_SECCOMP_H */
>> diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
>> index 8d25f8904c00..d24f774f39df 100644
>> --- a/arch/riscv/include/asm/syscall.h
>> +++ b/arch/riscv/include/asm/syscall.h
>> @@ -19,6 +19,7 @@
>>  #define _ASM_RISCV_SYSCALL_H
>>
>>  #include <linux/sched.h>
>> +#include <uapi/linux/audit.h>
>>  #include <linux/err.h>
>>
>>  /* The array of function pointers for syscalls. */
>> @@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>         memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
>>  }
>>
>> +static inline int syscall_get_arch(void)
>> +{
>> +       return AUDIT_ARCH_RISCV;
>> +}
>> +
>>  #endif /* _ASM_RISCV_SYSCALL_H */
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
>> index f8fa1cd2dad9..374973dc05c6 100644
>> --- a/arch/riscv/include/asm/thread_info.h
>> +++ b/arch/riscv/include/asm/thread_info.h
>> @@ -80,6 +80,7 @@ struct thread_info {
>>  #define TIF_RESTORE_SIGMASK    4       /* restore signal mask in do_signal() */
>>  #define TIF_MEMDIE             5       /* is terminating due to OOM killer */
>>  #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
>> +#define TIF_SECCOMP            7       /* seccomp syscall filtering active */
>>
>>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
>>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 818ae690ab79..c16fa1a76659 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -399,6 +399,7 @@ enum {
>>  /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
>>  #define AUDIT_ARCH_PPC64       (EM_PPC64|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_PPC64LE     (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_RISCV       (EM_RISCV)
>>  #define AUDIT_ARCH_S390                (EM_S390)
>>  #define AUDIT_ARCH_S390X       (EM_S390|__AUDIT_ARCH_64BIT)
>>  #define AUDIT_ARCH_SH          (EM_SH)
>
> Palmer,
>
> Half of the patch seems to touch audit parts. I started working on audit
> support this morning, and I can boot Fedora with audit traces.
>
> [root@fedora-riscv ~]# dmesg | grep audit
> [    0.312000] audit: initializing netlink subsys (disabled)
> [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> audit_enabled=0 res=1
> [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> terminal=? res=success'
> [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [..]
>
> I am still working on audit user-space support for better testing.
>
> I suggest we first implement audit and then seccomp.

Works for me.  I'll drop my patch set for now.

Thanks!


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-25 21:02       ` Andy Lutomirski
@ 2018-10-27  6:07         ` Palmer Dabbelt
  0 siblings, 0 replies; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-27  6:07 UTC (permalink / raw)
  To: luto
  Cc: keescook, linux-riscv, aou, paul, eparis, wad, Wesley Terpstra,
	dhowells, tglx, pombredanne, Greg KH, kstewart, linux-kernel,
	linux-audit, david.abdurachmanov

On Thu, 25 Oct 2018 14:02:20 PDT (-0700), luto@amacapital.net wrote:
> On Wed, Oct 24, 2018 at 2:42 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> On Wed, Oct 24, 2018 at 1:40 PM, Palmer Dabbelt <palmer@sifive.com> wrote:
>> > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >
>> > This is a fairly straight-forward implementation of seccomp for RISC-V
>> > systems.
>> >
>> > Signed-off-by: Wesley W. Terpstra <wesley@sifive.com>
>> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>> > ---
>> >  arch/riscv/Kconfig                   | 18 ++++++++++++++++++
>> >  arch/riscv/include/asm/seccomp.h     | 10 ++++++++++
>> >  arch/riscv/include/asm/syscall.h     |  6 ++++++
>> >  arch/riscv/include/asm/thread_info.h |  1 +
>> >  include/uapi/linux/audit.h           |  1 +
>> >  5 files changed, 36 insertions(+)
>> >  create mode 100644 arch/riscv/include/asm/seccomp.h
>> >
>> > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> > index a344980287a5..28abe47602a1 100644
>> > --- a/arch/riscv/Kconfig
>> > +++ b/arch/riscv/Kconfig
>> > @@ -28,6 +28,7 @@ config RISCV
>> >         select GENERIC_STRNLEN_USER
>> >         select GENERIC_SMP_IDLE_THREAD
>> >         select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
>> > +       select HAVE_ARCH_SECCOMP_FILTER
>>
>> I think this patch is missing most of the actual seccomp glue?
>>
>> config HAVE_ARCH_SECCOMP_FILTER
>>         bool
>>         help
>>           An arch should select this symbol if it provides all of these things:
>>           - syscall_get_arch()
>>           - syscall_get_arguments()
>>           - syscall_rollback()
>>           - syscall_set_return_value()
>>           - SIGSYS siginfo_t support
>>           - secure_computing is called from a ptrace_event()-safe context
>>           - secure_computing return value is checked and a return value of -1
>>             results in the system call being skipped immediately.
>>           - seccomp syscall wired up
>>
>> I only see syscall_get_arch(). Nothing is using TIF_SECCOMP (I'd
>> expect a masked check in entry.S -- it seems like tracepoints are
>> getting missed too? I see it handled in ptrace.c but not checked in
>> entry.S?) There's no checking for seccomp in ptrace.c, etc.
>
> Hi RISC-V people:
>
> I strongly, strongly suggest that you rewrite your asm to work the way
> that x86's does: have a function called prepare_exit_to_usermode() and
> make it work more or less like x86's.  Doing all the exit work in asm
> like you are is just setting you up for a world of pain.

OK, thanks for the suggestion.  Next time we have to change it I'll try to take 
a look and figure out something sane.
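
The requirement list Kees Cook quotes in this message starts with syscall_get_arch(); its return value is what a seccomp filter reads from seccomp_data.arch before it trusts the syscall number. The following added example (not code from this thread or from the kernel) runs a small allow-list filter through a minimal classic-BPF evaluator to show that a filter built for a differently tagged arch value rejects every syscall. The evaluator, the helper names, the constructed inputs and the tagged value EM_RISCV|64BIT|LE are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirrored from the Linux uapi headers so this builds on any host. */
#define EM_RISCV     243u
#define ARCH_64BIT   0x80000000u  /* __AUDIT_ARCH_64BIT */
#define ARCH_LE      0x40000000u  /* __AUDIT_ARCH_LE */
#define RET_KILL     0x00000000u  /* SECCOMP_RET_KILL */
#define RET_ERRNO    0x00050000u  /* SECCOMP_RET_ERRNO */
#define RET_ALLOW    0x7fff0000u  /* SECCOMP_RET_ALLOW */
#define OP_LD_W_ABS  0x20         /* BPF_LD | BPF_W | BPF_ABS */
#define OP_JEQ_K     0x15         /* BPF_JMP | BPF_JEQ | BPF_K */
#define OP_RET_K     0x06         /* BPF_RET | BPF_K */
#define NR_WRITE     64           /* write() in the asm-generic syscall table */
#define NR_EXIT      93           /* exit() in the asm-generic syscall table */

/* Same layout as struct sock_filter and struct seccomp_data. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct sc_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

/* Filter: kill unless arch matches, then allow write(), EPERM for the rest. */
static size_t build_filter(struct insn *f, uint32_t expected_arch)
{
    size_t n = 0;
    f[n++] = (struct insn){ OP_LD_W_ABS, 0, 0, (uint32_t)offsetof(struct sc_data, arch) };
    f[n++] = (struct insn){ OP_JEQ_K, 1, 0, expected_arch };
    f[n++] = (struct insn){ OP_RET_K, 0, 0, RET_KILL };
    f[n++] = (struct insn){ OP_LD_W_ABS, 0, 0, (uint32_t)offsetof(struct sc_data, nr) };
    f[n++] = (struct insn){ OP_JEQ_K, 0, 1, NR_WRITE };
    f[n++] = (struct insn){ OP_RET_K, 0, 0, RET_ALLOW };
    f[n++] = (struct insn){ OP_RET_K, 0, 0, RET_ERRNO | 1 };  /* errno 1 = EPERM */
    return n;
}

/* Minimal evaluator for the three opcodes used above; anything else kills. */
static uint32_t run_filter(const struct insn *f, size_t n, const struct sc_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case OP_LD_W_ABS:
            if (f[pc].k > sizeof(*d) - 4)
                return RET_KILL;          /* load outside seccomp_data */
            memcpy(&acc, (const uint8_t *)d + f[pc].k, 4);
            break;
        case OP_JEQ_K:                    /* offsets are relative to pc + 1 */
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
            break;
        case OP_RET_K:
            return f[pc].k;
        default:
            return RET_KILL;
        }
    }
    return RET_KILL;                      /* fell off the end of the program */
}

/* Verdict when syscall_get_arch() yields kernel_arch and the filter was
 * written to expect filter_arch. */
uint32_t verdict(uint32_t kernel_arch, uint32_t filter_arch, int32_t nr)
{
    struct insn f[8];
    size_t n = build_filter(f, filter_arch);
    struct sc_data d = { .nr = nr, .arch = kernel_arch };  /* constructed input */
    return run_filter(f, n, &d);
}

int main(void)
{
    uint32_t tagged = EM_RISCV | ARCH_64BIT | ARCH_LE;  /* hypothetical value */
    printf("matched arch, write: 0x%08x\n", (unsigned)verdict(EM_RISCV, EM_RISCV, NR_WRITE));
    printf("matched arch, exit:  0x%08x\n", (unsigned)verdict(EM_RISCV, EM_RISCV, NR_EXIT));
    printf("mismatched, write:   0x%08x\n", (unsigned)verdict(EM_RISCV, tagged, NR_WRITE));
    return 0;
}
```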


* Re: [PATCH 1/2] Move EM_RISCV into elf-em.h
  2018-10-24 20:40   ` [PATCH 1/2] Move EM_RISCV into elf-em.h Palmer Dabbelt
  2018-10-24 21:26     ` Kees Cook
@ 2018-10-27  7:46     ` Christoph Hellwig
  2018-10-27  9:10       ` David Abdurachmanov
  1 sibling, 1 reply; 18+ messages in thread
From: Christoph Hellwig @ 2018-10-27  7:46 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-kernel, linux-audit, david.abdurachmanov

On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> This should never have been inside our arch port to begin with, it's
> just a relic from when we were maintaining out of tree patches.
> 
> Signed-off-by: Palmer Dabbelt <palmer@sifive.com>

Looks good, and probably harmless enough that we should pick it up
for this merge window:

Reviewed-by: Christoph Hellwig <hch@lst.de>


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-24 20:40   ` [PATCH 2/2] RISC-V: Add support for SECCOMP Palmer Dabbelt
  2018-10-24 21:42     ` Kees Cook
  2018-10-25 18:31     ` David Abdurachmanov
@ 2018-10-27  7:55     ` Christoph Hellwig
  2 siblings, 0 replies; 18+ messages in thread
From: Christoph Hellwig @ 2018-10-27  7:55 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: linux-riscv, aou, paul, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-kernel, linux-audit, david.abdurachmanov

I don't know much about seccomp, so just a few general nitpicks:

On Wed, Oct 24, 2018 at 01:40:36PM -0700, Palmer Dabbelt wrote:
> +	bool "Enable seccomp to safely compute untrusted bytecode"
> +
> +	help

The empty line above is odd, please drop it.

> +++ b/arch/riscv/include/asm/seccomp.h
> @@ -0,0 +1,10 @@
> +/* Copyright 2018 SiFive, Inc. */
> +/* SPDX-License-Identifier: GPL-2.0 */

The SPDX tag should go into the first line.

> +#ifndef _ASM_RISCV_SECCOMP_H
> +#define _ASM_RISCV_SECCOMP_H
> +
> +#include <asm/unistd.h>
> +
> +#include <asm-generic/seccomp.h>

And while at it I'd drop this empty line as well.


* Re: [PATCH 1/2] Move EM_RISCV into elf-em.h
  2018-10-27  7:46     ` Christoph Hellwig
@ 2018-10-27  9:10       ` David Abdurachmanov
  0 siblings, 0 replies; 18+ messages in thread
From: David Abdurachmanov @ 2018-10-27  9:10 UTC (permalink / raw)
  To: hch
  Cc: Palmer Dabbelt, Kate Stewart, aou, Will Drewry, Paul Moore,
	gregkh, wesley, linux-kernel, eparis, luto, dhowells,
	linux-audit, Philippe Ombredanne, linux-riscv, tglx, Kees Cook

On Sat, Oct 27, 2018 at 9:46 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Wed, Oct 24, 2018 at 01:40:35PM -0700, Palmer Dabbelt wrote:
> > This should never have been inside our arch port to begin with, it's
> > just a relic from when we were maintaining out of tree patches.
> >
> > Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
>
> Looks good, and probably harmless enough that we should pick it up
> for this merge window:

That would be nice. The audit parts I am working on depend on this patch.

Tested-by: David Abdurachmanov <david.abdurachmanov@gmail.com>


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-25 20:36       ` Paul Moore
@ 2018-10-28 11:07         ` David Abdurachmanov
  2018-10-29 20:27           ` Palmer Dabbelt
  0 siblings, 1 reply; 18+ messages in thread
From: David Abdurachmanov @ 2018-10-28 11:07 UTC (permalink / raw)
  To: Paul Moore
  Cc: Palmer Dabbelt, linux-riscv, aou, eparis, Kees Cook, luto,
	Will Drewry, wesley, dhowells, tglx, Philippe Ombredanne, gregkh,
	Kate Stewart, linux-kernel, linux-audit

On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> <david.abdurachmanov@gmail.com> wrote:
> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>
> ...
>
> > Palmer,
> >
> > Half of the patch seems to touch audit parts. I started working on audit
> > support this morning, and I can boot Fedora with audit traces.
> >
> > [root@fedora-riscv ~]# dmesg | grep audit
> > [    0.312000] audit: initializing netlink subsys (disabled)
> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> > audit_enabled=0 res=1
> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > terminal=? res=success'
> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'
> > [..]
> >
> > I am still working on audit user-space support for better testing.
> >
> > I suggest we first implement audit and then seccomp.
>
> FYI, while small and far from comprehensive, we do have a test suite
> we use for basic validation of the audit kernel bits which may be
> helpful while you're working on the audit enablement:
>
> * https://github.com/linux-audit/audit-testsuite

Currently I checked the following to work:
- /proc/self/loginuid (required by DNF [package manager])
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and
  return value/input arguments seem to be correct)

I checked audit-testsuite yesterday and it seems to be only for
x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:

Failed 4/14 test programs. 19/88 subtests failed.

I don't plan to look further in the failure, e.g.:
- syscall_socketcall: that's old stuff and not relevant to
  new arches
- syscall_module: Fedora kernel currently is not compiled
  with kernel loadable module support
- filter_exclude: two tests fail because id -Z doesn't print
  any categories, but "semanage login -l" output is identical
  between x86_64 and riscv64
- netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled

Fedora kernel currently has minimal CONFIG_* options
and is built without loadable module support.

I will send the patches for review soon.

david


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-28 11:07         ` David Abdurachmanov
@ 2018-10-29 20:27           ` Palmer Dabbelt
  2018-11-02 13:32             ` David Abdurachmanov
  0 siblings, 1 reply; 18+ messages in thread
From: Palmer Dabbelt @ 2018-10-29 20:27 UTC (permalink / raw)
  To: david.abdurachmanov
  Cc: paul, linux-riscv, aou, eparis, keescook, luto, wad,
	Wesley Terpstra, dhowells, tglx, pombredanne, Greg KH, kstewart,
	linux-kernel, linux-audit

On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> <david.abdurachmanov@gmail.com> wrote:
>> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>>
>> ...
>>
>> > Palmer,
>> >
>> > Half of the patch seems to touch audit parts. I started working on audit
>> > support this morning, and I can boot Fedora with audit traces.
>> >
>> > [root@fedora-riscv ~]# dmesg | grep audit
>> > [    0.312000] audit: initializing netlink subsys (disabled)
>> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> > audit_enabled=0 res=1
>> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> > terminal=? res=success'
>> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> > res=success'
>> > [..]
>> >
>> > I am still working on audit user-space support for better testing.
>> >
>> > I suggest we first implement audit and then seccomp.
>>
>> FYI, while small and far from comprehensive, we do have a test suite
>> we use for basic validation of the audit kernel bits which may be
>> helpful while you're working on the audit enablement:
>>
>> * https://github.com/linux-audit/audit-testsuite
>
> Currently I checked the following to work:
> - /proc/self/loginuid (required by DNF [package manager])
> - auditctl (checked several different example rules from internet)
> - aulast
> - aulastlog
> - ausearch
> - ausyscall
> - aureport
> - autrace (compared some syscalls to strace: order and
>   return value/input arguments seem to be correct)
>
> I checked audit-testsuite yesterday and it seems to be only for
> x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>
> Failed 4/14 test programs. 19/88 subtests failed.
>
> I don't plan to look further in the failure, e.g.:
> - syscall_socketcall: that's old stuff and not relevant to
>   new arches
> - syscall_module: Fedora kernel currently is not compiled
>   with kernel loadable module support
> - filter_exclude: two tests fail because id -Z doesn't print
>   any categories, but "semanage login -l" output is identical
>   between x86_64 and riscv64
> - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>
> Fedora kernel currently has minimal CONFIG_* options
> and is built without loadable module support.
>
> I will send the patches for review soon.

Thanks!


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-10-29 20:27           ` Palmer Dabbelt
@ 2018-11-02 13:32             ` David Abdurachmanov
  2018-11-02 15:51               ` Kees Cook
  0 siblings, 1 reply; 18+ messages in thread
From: David Abdurachmanov @ 2018-11-02 13:32 UTC (permalink / raw)
  To: Palmer Dabbelt
  Cc: Paul Moore, linux-riscv, aou, eparis, Kees Cook, luto,
	Will Drewry, wesley, dhowells, tglx, Philippe Ombredanne, gregkh,
	Kate Stewart, linux-kernel, linux-audit

On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>
> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
> >>
> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
> >> <david.abdurachmanov@gmail.com> wrote:
> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
> >>
> >> ...
> >>
> >> > Palmer,
> >> >
> >> > Half of the patch seems to touch audit parts. I started working on audit
> >> > support this morning, and I can boot Fedora with audit traces.
> >> >
> >> > [root@fedora-riscv ~]# dmesg | grep audit
> >> > [    0.312000] audit: initializing netlink subsys (disabled)
> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
> >> > audit_enabled=0 res=1
> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> >> > terminal=? res=success'
> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> >> > res=success'
> >> > [..]
> >> >
> >> > I am still working on audit user-space support for better testing.
> >> >
> >> > I suggest we first implement audit and then seccomp.
> >>
> >> FYI, while small and far from comprehensive, we do have a test suite
> >> we use for basic validation of the audit kernel bits which may be
> >> helpful while you're working on the audit enablement:
> >>
> >> * https://github.com/linux-audit/audit-testsuite
> >
> > Currently I checked the following to work:
> > - /proc/self/loginuid (required by DNF [package manager])
> > - auditctl (checked several different example rules from internet)
> > - aulast
> > - aulastlog
> > - ausearch
> > - ausyscall
> > - aureport
> > - autrace (compared some syscalls to strace: order and
> >   return value/input arguments seem to be correct)
> >
> > I checked audit-testsuite yesterday and it seems to be only for
> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
> >
> > Failed 4/14 test programs. 19/88 subtests failed.
> >
> > I don't plan to look further in the failure, e.g.:
> > - syscall_socketcall: that's old stuff and not relevant to
> >   new arches
> > - syscall_module: Fedora kernel currently is not compiled
> >   with kernel loadable module support
> > - filter_exclude: two tests fail because id -Z doesn't print
> >   any categories, but "semanage login -l" output is identical
> >   between x86_64 and riscv64
> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
> >
> > Fedora kernel currently has minimal CONFIG_* options
> > and is built without loadable module support.
> >
> > I will send the patches for review soon.
>
> Thanks!

I fixed the last issue I see with SECCOMP this morning.
I also have a patch on top of libseccomp-2.3.3.

Testsuite results for SIM:

Regression Test Summary
 tests run: 4434
 tests skipped: 88
 tests passed: 4434
 tests failed: 0
 tests errored: 0

Testsuite results for LIVE:

Regression Test Summary
 tests run: 6
 tests skipped: 0
 tests passed: 6
 tests failed: 0
 tests errored: 0

Then tested a couple examples manually w/ and w/o BPF and it
performed the same as on x86_64 (also checked exit codes &
strace output).

Upstream libseccomp now has more tests. Once I rebase & re-test
with master of libseccomp, I will send both.

david


* Re: [PATCH 2/2] RISC-V: Add support for SECCOMP
  2018-11-02 13:32             ` David Abdurachmanov
@ 2018-11-02 15:51               ` Kees Cook
  0 siblings, 0 replies; 18+ messages in thread
From: Kees Cook @ 2018-11-02 15:51 UTC (permalink / raw)
  To: David Abdurachmanov
  Cc: Palmer Dabbelt, Paul Moore, linux-riscv, Albert Ou, Eric Paris,
	Andy Lutomirski, Will Drewry, Wesley Terpstra, David Howells,
	Thomas Gleixner, Philippe Ombredanne, Greg KH, Kate Stewart,
	LKML, Linux Audit

On Fri, Nov 2, 2018 at 6:32 AM, David Abdurachmanov
<david.abdurachmanov@gmail.com> wrote:
> On Mon, Oct 29, 2018 at 9:27 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>>
>> On Sun, 28 Oct 2018 04:07:55 PDT (-0700), david.abdurachmanov@gmail.com wrote:
>> > On Thu, Oct 25, 2018 at 10:36 PM Paul Moore <paul@paul-moore.com> wrote:
>> >>
>> >> On Thu, Oct 25, 2018 at 2:31 PM David Abdurachmanov
>> >> <david.abdurachmanov@gmail.com> wrote:
>> >> > On Wed, Oct 24, 2018 at 10:40 PM Palmer Dabbelt <palmer@sifive.com> wrote:
>> >> > > From: "Wesley W. Terpstra" <wesley@sifive.com>
>> >>
>> >> ...
>> >>
>> >> > Palmer,
>> >> >
>> >> > Half of the patch seems to touch audit parts. I started working on audit
>> >> > support this morning, and I can boot Fedora with audit traces.
>> >> >
>> >> > [root@fedora-riscv ~]# dmesg | grep audit
>> >> > [    0.312000] audit: initializing netlink subsys (disabled)
>> >> > [    0.316000] audit: type=2000 audit(0.316:1): state=initialized
>> >> > audit_enabled=0 res=1
>> >> > [    7.288000] audit: type=1130 audit(1529665913.772:2): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-remount-fs
>> >> > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
>> >> > terminal=? res=success'
>> >> > [    7.684000] audit: type=1130 audit(1529665914.176:3): pid=1 uid=0
>> >> > auid=4294967295 ses=4294967295 msg='unit=systemd-sysctl comm="systemd"
>> >> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> >> > res=success'
>> >> > [..]
>> >> >
>> >> > I am still working on audit user-space support for better testing.
>> >> >
>> >> > I suggest we first implement audit and then seccomp.
>> >>
>> >> FYI, while small and far from comprehensive, we do have a test suite
>> >> we use for basic validation of the audit kernel bits which may be
>> >> helpful while you're working on the audit enablement:
>> >>
>> >> * https://github.com/linux-audit/audit-testsuite
>> >
>> > Currently I checked the following to work:
>> > - /proc/self/loginuid (required by DNF [package manager])
>> > - auditctl (checked several different example rules from internet)
>> > - aulast
>> > - aulastlog
>> > - ausearch
>> > - ausyscall
>> > - aureport
>> > - autrace (compared some syscalls to strace: order and
>> >   return value/input arguments seem to be correct)
>> >
>> > I checked audit-testsuite yesterday and it seems to be only for
>> > x86-64 / x86-32. After adjusting it (MODE, syscalls) I am at:
>> >
>> > Failed 4/14 test programs. 19/88 subtests failed.
>> >
>> > I don't plan to look further in the failure, e.g.:
>> > - syscall_socketcall: that's old stuff and not relevant to
>> >   new arches
>> > - syscall_module: Fedora kernel currently is not compiled
>> >   with kernel loadable module support
>> > - filter_exclude: two tests fail because id -Z doesn't print
>> >   any categories, but "semanage login -l" output is identical
>> >   between x86_64 and riscv64
>> > - netfilter_pkt: don't have CONFIG_IP_NF_MANGLE enabled
>> >
>> > Fedora kernel currently has minimal CONFIG_* options
>> > and is built without loadable module support.
>> >
>> > I will send the patches for review soon.
>>
>> Thanks!
>
> I fixed the last issue I see with SECCOMP this morning.

Can you CC me on the series? I'd love to take a look.

> I also have a patch on top of libseccomp-2.3.3.

Nice! If you toss it up on github I can review that too. :)

-Kees

>
> Testsuite results for SIM:
>
> Regression Test Summary
>  tests run: 4434
>  tests skipped: 88
>  tests passed: 4434
>  tests failed: 0
>  tests errored: 0
>
> Testsuite results for LIVE:
>
> Regression Test Summary
>  tests run: 6
>  tests skipped: 0
>  tests passed: 6
>  tests failed: 0
>  tests errored: 0
>
> Then tested a couple examples manually w/ and w/o BPF and it
> performed the same as on x86_64 (also checked exit codes &
> strace output).
>
> Upstream libseccomp now has more tests. Once I rebase & re-test
> with master of libseccomp, I will send both.
>
> david



-- 
Kees Cook

