interfaces/seccomp/template: adding kcmp to allow Mesa usecases #12673
Conversation
Can you please add a comment above this saying that kcmp is guarded in the kernel via ptrace with PTRACE_MODE_READ_REALCREDS such that the calling process must already be able to ptrace the target processes and so this is safe.
Well, the suggested change is not working, that's more worrying:
Ah okay, we need to teach snap-seccomp about
diff --git a/cmd/snap-seccomp/main.go b/cmd/snap-seccomp/main.go
index 40d3dfbbdf..5356783eb6 100644
--- a/cmd/snap-seccomp/main.go
+++ b/cmd/snap-seccomp/main.go
@@ -28,6 +28,7 @@ package main
//#include <errno.h>
//#include <linux/can.h>
//#include <linux/netlink.h>
+//#include <linux/kcmp.h>
//#include <sched.h>
//#include <search.h>
//#include <stdbool.h>
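Review bot: the added `//#include <linux/kcmp.h>` is unconditional, but as the later discussion notes the header only ships with kernel headers from 3.19 on (trusty's 3.13 linux-libc-dev lacks it), so this cgo preamble will not compile on older build hosts; wrap the include in `#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)` from <linux/version.h> and put any macro fallbacks in the #else branch.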
@@ -182,6 +183,33 @@ package main
// #ifndef PTRACE_SETFPXREGS
// #define PTRACE_SETFPXREGS 19
// #endif
+
+// /* Define missing kcmp constants */
+// #ifndef KCMP_FILE
+// #define KCMP_FILE 0
+// #endif
+// #ifndef KCMP_VM
+// #define KCMP_VM 1
+// #endif
+// #ifndef KCMP_FILES
+// #define KCMP_FILES 2
+// #endif
+// #ifndef KCMP_FS
+// #define KCMP_FS 3
+// #endif
+// #ifndef KCMP_SIGHAND
+// #define KCMP_SIGHAND 4
+// #endif
+// #ifndef KCMP_IO
+// #define KCMP_IO 5
+// #endif
+// #ifndef KCMP_SYSVSEM
+// #define KCMP_SYSVSEM 6
+// #endif
+// #ifndef KCMP_EPOLL_TFD
+// #define KCMP_EPOLL_TFD 7
+// #endif
+
import "C"
import (
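Review bot: the `#ifndef KCMP_FILE` through `#ifndef KCMP_EPOLL_TFD` guards are always true, because upstream <linux/kcmp.h> declares these names as members of the kcmp_type enum rather than as macros, so every #define here shadows the kernel's enum value with a local integer and the header included in the previous hunk is effectively ignored. Replace the eight per-symbol guards with a single LINUX_VERSION_CODE check and define the macros only when the header cannot be included.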
@@ -439,6 +467,16 @@ var seccompResolver = map[string]uint64{
"PTRACE_PEEKUSR": C.PTRACE_PEEKUSER,
"PTRACE_PEEKUSER": C.PTRACE_PEEKUSER,
"PTRACE_CONT": C.PTRACE_CONT,
+
+ // man 2 kcmp
+ "KCMP_FILE": C.KCMP_FILE,
+ "KCMP_VM": C.KCMP_VM,
+ "KCMP_FILES": C.KCMP_FILES,
+ "KCMP_FS": C.KCMP_FS,
+ "KCMP_SIGHAND": C.KCMP_SIGHAND,
+ "KCMP_IO": C.KCMP_IO,
+ "KCMP_SYSVSEM": C.KCMP_SYSVSEM,
+ "KCMP_EPOLL_TFD": C.KCMP_EPOLL_TFD,
}
// DpkgArchToScmpArch takes a dpkg architecture and converts it to |
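Review bot: `"KCMP_EPOLL_TFD": C.KCMP_EPOLL_TFD` relies on a name the header only provides from 4.13 on and which otherwise comes from the fallback in the previous hunk; once that fallback is version-gated as discussed, this entry fails to compile against 3.19 to 4.12 headers, so either keep a `#if LINUX_VERSION_CODE < KERNEL_VERSION(4,13,0)` define for KCMP_EPOLL_TFD or drop the entry until the template needs more than KCMP_FILE.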
LGTM
@alexmurray Can this be merged, and when can we expect it to ship to users?
I'm not on the snapd team so I don't have permission to merge PRs nor decide what goes in each scheduled release - @mvo5 can you (or someone on your team) please take a look at this? Thanks
Is there anything blocking now? @alexmurray @mvo5
Nothing on my side - it is waiting on the snapd team to review and merge it.
@mvo5 can we please get someone to review this? I've been seeing the same sort of spamming of the journal from gnome-shell in core desktop as well, which I think this would fix.
This seems reasonable. I have some concerns about how the fallback constants are being declared though.
cmd/snap-seccomp/main.go (outdated):
// /* Define missing kcmp constants */
// #ifndef KCMP_FILE
// #define KCMP_FILE 0
// #endif
// #ifndef KCMP_VM
// #define KCMP_VM 1
// #endif
// #ifndef KCMP_FILES
// #define KCMP_FILES 2
// #endif
// #ifndef KCMP_FS
// #define KCMP_FS 3
// #endif
// #ifndef KCMP_SIGHAND
// #define KCMP_SIGHAND 4
// #endif
// #ifndef KCMP_IO
// #define KCMP_IO 5
// #endif
// #ifndef KCMP_SYSVSEM
// #define KCMP_SYSVSEM 6
// #endif
// #ifndef KCMP_EPOLL_TFD
// #define KCMP_EPOLL_TFD 7
// #endif
In the upstream kernel headers, these symbols come from the kcmp_type enum: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/kcmp.h
They are not preprocessor macros, so all of these #ifndef blocks will be included and we'll shadow the enumeration values with #defines to integers. So we're always ignoring the enumeration values from the kernel with this.
Maybe a better option would be to use the macros in <linux/version.h> to decide whether we've got a new enough kernel to rely on <linux/kcmp.h>, and then declare the enumeration (or macros) if not.
Ok, so <linux/kcmp.h> was added in 3.19
And KCMP_EPOLL_TFD was added in 4.13
Given we only care about the KCMP_FILE constant for now, we can probably ignore KCMP_EPOLL_TFD.
So the fallback could look something like:
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
# include <linux/kcmp.h>
#else
# define KCMP_FILE 0
# define KCMP_VM 1
...
#endif
The man page says kcmp() was added in 3.5, so I'm not sure whether the version check is fully correct. It's far enough back that I'm not sure it really matters though.
Right, 3.19 made a move to uapi
cmd/snap-seccomp/main.go (outdated):
// #if LINUX_VERSION_CODE < KERNEL_VERSION(4,13,0)
// #define KCMP_EPOLL_TFD 7
// #endif // LINUX_VERSION_CODE < KERNEL_VERSION(4,13,0)
//#endif // LINUX_VERSION_CODE < KERNEL_VERSION(3,5,0)
I think you were right to pick 3.19 first time around: while the system call is in 3.5, the <linux/kcmp.h> header is not installed (at least it doesn't seem to be in trusty's linux-libc-dev package built from 3.13).
Also as a style note, I'd suggest putting the primary path of these if statements first with fallbacks after. Here we've got the main `#include <linux/kcmp.h>` buried in the middle of two lots of fallbacks, so it isn't as obvious what the common case is going to be.
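An added example, not snapd's code and not part of this PR, showing the header handling the two comments above converge on (primary path first, version-gated on LINUX_VERSION_CODE, macro fallbacks after) together with what the newly allowed syscall actually does: a KCMP_FILE comparison of two descriptors of the calling process. The function names and the /dev/null input are my own; it assumes glibc or musl on Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/version.h>

/* LINUX_VERSION_CODE reflects the installed kernel headers (linux-libc-dev), not the
 * running kernel: <linux/kcmp.h> was added in 3.19, KCMP_EPOLL_TFD in 4.13. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
# include <linux/kcmp.h>          /* common case first: the kernel's kcmp_type enum */
# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
#  define KCMP_EPOLL_TFD 7        /* enum member absent from 3.19..4.12 headers */
# endif
#else                             /* header not shipped: mirror the enum as macros */
# define KCMP_FILE      0
# define KCMP_VM        1
# define KCMP_FILES     2
# define KCMP_FS        3
# define KCMP_SIGHAND   4
# define KCMP_IO        5
# define KCMP_SYSVSEM   6
# define KCMP_EPOLL_TFD 7
#endif
long syscall(long number, ...);   /* libc prototype, repeated in case _GNU_SOURCE came too late */

/* The values a resolver like snap-seccomp's maps names to; identical on both header paths. */
int kcmp_file_type(void) { return KCMP_FILE; }
int kcmp_epoll_tfd_type(void) { return KCMP_EPOLL_TFD; }

/* 1 if fd1 and fd2 share one open file description, 0 if not, -1 with errno set
 * (EPERM from a seccomp filter that denies kcmp, ENOSYS where the syscall is absent). */
int same_open_file(int fd1, int fd2) {
#ifndef SYS_kcmp
    (void)fd1; (void)fd2;
    errno = ENOSYS;
    return -1;
#else
    pid_t self = getpid();        /* same process: the PTRACE_MODE_READ_REALCREDS check passes */
    long r = syscall(SYS_kcmp, self, self, KCMP_FILE, fd1, fd2);
    return r < 0 ? -1 : (r == 0 ? 1 : 0); /* kcmp returns 0 for equal, 1 or 2 for an ordering */
#endif
}

int main(void) {
    int fd = open("/dev/null", O_RDONLY), dupfd = dup(fd); /* constructed input: dup shares the description */
    printf("same open file description: %d\n", same_open_file(fd, dupfd));
    return 0;
}
```

Under a seccomp profile that lacks kcmp the call returns -1 with errno EPERM, which is the journal noise the bug report describes from the snap side.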
Codecov Report
@@ Coverage Diff @@
## master #12673 +/- ##
=======================================
Coverage 78.60% 78.60%
=======================================
Files 991 991
Lines 122768 122768
=======================================
+ Hits 96498 96504 +6
+ Misses 20193 20189 -4
+ Partials 6077 6075 -2
Flags with carried forward coverage won't be shown.
... and 2 files with indirect coverage changes
Thanks, this looks reasonable.
I know nothing about Go ... Maybe we still need somehow to
@lissyx I merged "master" into your branch and pushed so that we benefit from the latest fixes in snapd for the integration tests (various external components have moved on and needed updates since this branch was created). Hope that is okay.
I rebased on master before my previous push already?
Uh, sorry for that then, please just force push again, we must have had a mid-air collision then, I looked at the branch and thought it was based on a some-weeks-old "master" (apologies again!) [edit: or just ignore as I will merge via a "rebase-merge" anyway so it should not matter :)]
No problem, let's see if your push passes. If it does not, I'll need help because I have no idea what is wrong ...
@mvo5 Still failing with the same error:
Thank you, it only happens in the "snap-build" test which is a bit special, let me see what is going on there. |
Thanks! This looks great now and builds are passing
It looks like the 14.04 build is still not fully happy :-/
For fixing https://bugs.launchpad.net/snapd/+bug/1998980 implement the suggested fix of allowing kcmp in the base template.
Looks good!