interfaces/seccomp/template: adding kcmp to allow Mesa usecases #12673
Conversation
Well, the suggested change is not working, that's more worrying: |
|
Ah okay, we need to teach snap-seccomp about diff --git a/cmd/snap-seccomp/main.go b/cmd/snap-seccomp/main.go
index 40d3dfbbdf..5356783eb6 100644
--- a/cmd/snap-seccomp/main.go
+++ b/cmd/snap-seccomp/main.go
@@ -28,6 +28,7 @@ package main
//#include <errno.h>
//#include <linux/can.h>
//#include <linux/netlink.h>
+//#include <linux/kcmp.h>
//#include <sched.h>
//#include <search.h>
//#include <stdbool.h>
@@ -182,6 +183,33 @@ package main
// #ifndef PTRACE_SETFPXREGS
// #define PTRACE_SETFPXREGS 19
// #endif
+
+// /* Define missing kcmp constants */
+// #ifndef KCMP_FILE
+// #define KCMP_FILE 0
+// #endif
+// #ifndef KCMP_VM
+// #define KCMP_VM 1
+// #endif
+// #ifndef KCMP_FILES
+// #define KCMP_FILES 2
+// #endif
+// #ifndef KCMP_FS
+// #define KCMP_FS 3
+// #endif
+// #ifndef KCMP_SIGHAND
+// #define KCMP_SIGHAND 4
+// #endif
+// #ifndef KCMP_IO
+// #define KCMP_IO 5
+// #endif
+// #ifndef KCMP_SYSVSEM
+// #define KCMP_SYSVSEM 6
+// #endif
+// #ifndef KCMP_EPOLL_TFD
+// #define KCMP_EPOLL_TFD 7
+// #endif
+
import "C"
import (
@@ -439,6 +467,16 @@ var seccompResolver = map[string]uint64{
"PTRACE_PEEKUSR": C.PTRACE_PEEKUSER,
"PTRACE_PEEKUSER": C.PTRACE_PEEKUSER,
"PTRACE_CONT": C.PTRACE_CONT,
+
+ // man 2 kcmp
+ "KCMP_FILE": C.KCMP_FILE,
+ "KCMP_VM": C.KCMP_VM,
+ "KCMP_FILES": C.KCMP_FILES,
+ "KCMP_FS": C.KCMP_FS,
+ "KCMP_SIGHAND": C.KCMP_SIGHAND,
+ "KCMP_IO": C.KCMP_IO,
+ "KCMP_SYSVSEM": C.KCMP_SYSVSEM,
+ "KCMP_EPOLL_TFD": C.KCMP_EPOLL_TFD,
}
// DpkgArchToScmpArch takes a dpkg architecture and converts it to |
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
2 times, most recently
from
a52325e
to
a7e5fe0
Compare
pedronis
changed the title
|
@alexmurray Can this be merged and when can we expect it ships to users ? |
|
I'm not on the snapd team so I don't have permission to merge PRs nor decide what goes in each scheduled release - @mvo5 can you (or someone on your team) please take a look at this? Thanks |
|
Is there anything blocking now ? @alexmurray @mvo5 |
|
Nothing on my side - it is waiting on the snapd team to review and merge it. |
|
@mvo5 can we please get someone to review this? I've been seeing the same sort of spamming of the journal from gnome-shell in core desktop as well, which I think this would fix. |
cmd/snap-seccomp/main.go
Outdated
| // /* Define missing kcmp constants */ | ||
| // #ifndef KCMP_FILE | ||
| // #define KCMP_FILE 0 | ||
| // #endif | ||
| // #ifndef KCMP_VM | ||
| // #define KCMP_VM 1 | ||
| // #endif | ||
| // #ifndef KCMP_FILES | ||
| // #define KCMP_FILES 2 | ||
| // #endif | ||
| // #ifndef KCMP_FS | ||
| // #define KCMP_FS 3 | ||
| // #endif | ||
| // #ifndef KCMP_SIGHAND | ||
| // #define KCMP_SIGHAND 4 | ||
| // #endif | ||
| // #ifndef KCMP_IO | ||
| // #define KCMP_IO 5 | ||
| // #endif | ||
| // #ifndef KCMP_SYSVSEM | ||
| // #define KCMP_SYSVSEM 6 | ||
| // #endif | ||
| // #ifndef KCMP_EPOLL_TFD | ||
| // #define KCMP_EPOLL_TFD 7 | ||
| // #endif |
There was a problem hiding this comment.
In the upstream kernel headers, these symbols come from the kcmp_type enum:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/kcmp.h
They are not preprocessor macros, so all of these #ifndef blocks will be included and we'll shadow the enumeration values with #defines to integers. So we're always ignoring the enumeration values from the kernel with this.
Maybe a better option would be to use the macros in <linux/version.h> to decide whether we've got a new enough kernel to rely on <linux/kcmp.h>, and then declare the enumeration (or macros) if not.
There was a problem hiding this comment.
Ok, so <linux/kcmp.h> was added in 3.19
There was a problem hiding this comment.
And KCMP_EPOLL_TFD was added in 4.13
There was a problem hiding this comment.
Given we only care about the KCMP_FILE constant for now, we can probably ignore KCMP_EPOLL_TFD.
So the fallback could look something like:
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
# include <linux/kcmp.h>
#else
# define KCMP_FILE 0
# define KCMP_VM 1
...
#endif
The man page says kcmp() was added in 3.5, so I'm not sure whether the version check is fully correct. It's far enough back that I'm not sure it really matters though.
There was a problem hiding this comment.
Right, 3.19 made a move to uapi
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
2 times, most recently
from
8b91d4b
to
ff7d138
Compare
cmd/snap-seccomp/main.go
Outdated
| // #if LINUX_VERSION_CODE < KERNEL_VERSION(4,13,0) | ||
| // #define KCMP_EPOLL_TFD 7 | ||
| // #endif // LINUX_VERSION_CODE < KERNEL_VERSION(4,13,0) | ||
| //#endif // LINUX_VERSION_CODE < KERNEL_VERSION(3,5,0) |
There was a problem hiding this comment.
I think you were right to pick 3.19 first time around: while the system call is in 3.5, the <linux/kcmp.h> header is not installed (at least it doesn't seem to be in trusty's linux-libc-dev package built from 3.13).
Also as a style note, I'd suggest putting the primary path of these if statements first with fallbacks after. Here we've got the main `#include <linux.kcmp.h> buried in the middle of two lots of fallbacks, so it isn't as obvious what the common case is going to be.
Codecov Report
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more. @@ Coverage Diff @@
## master #12673 +/- ##
=======================================
Coverage 78.60% 78.60%
=======================================
Files 991 991
Lines 122768 122768
=======================================
+ Hits 96498 96504 +6
+ Misses 20193 20189 -4
+ Partials 6077 6075 -2
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 2 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
from
ff7d138
to
a500522
Compare
I know nothing about Go ... Maybe we still need somehow to |
|
@lissyx I merged "master" into your brand and pushed so that we benefit from the latest fixes in snapd for the integration tests (various external components have moved on and needed updates since this branch was created). Hope that is okay. |
I rebased on master before my previous push already ? |
Uh, sorry for that then, please just force push again, we must have had a mid-air collision then, I looked at the branch and thought it was based on a some weeks old "master" (apologies again!) [edit: or juts ignore as I will merge via a "rebase-merge" anyway so it should not matter :)] |
no problem, let's see if your push passes. if it does not, I'll need help because I have no idea what is wrong ... |
|
@mvo5 Still failing with the same error: |
Thank you, it only happens in the "snap-build" test which is a bit special, let me see what is going on there. |
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
from
297d4d4
to
f376754
Compare
|
Thanks! This looks great now and builds are passing |
|
It looks like the 14.04 build is still not fully happy :-/ |
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
from
04ea404
to
936df6a
Compare
For fixing https://bugs.launchpad.net/snapd/+bug/1998980 implement the suggested fix of allowing kcmp in the base template.
lissyx
force-pushed
the
bug1800951_kcmp_zoom
branch
from
936df6a
to
bfce6e9
Compare
For fixing https://bugs.launchpad.net/snapd/+bug/1998980 implement the suggested fix of allowing kcmp in the base template.