Modernize architectures and generate seccomp policy for all architectures supported by host OS #26

Open
wants to merge 2 commits into
base: master

basilgello

Fixes #19

@basilgello
Author

@happyCoder92 @robertswiecki please review it and merge! This fixes a CVE used in many CTFs and also allows using nsjail as a Linux container replacement in fully rootless mode.

@@ -19,6 +19,15 @@

import re

# "xrange" was renamed to "range" in Python 3
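Review bot: the "xrange" comment after import re announces a Python 2/3 compatibility alias, which is extra code to maintain for little gain. Calling range directly works under both interpreters, so the alias and this comment can be dropped; if it has to stay, guard it so that it is a no-op where xrange already exists.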
Collaborator

Just use range instead.
It will work also in python2 but will be less efficient (does not matter here though)

Author

@basilgello basilgello Oct 12, 2020

Ack, thanks!

src/syscall.c Outdated
@@ -52,15 +52,18 @@ const struct syscall_list syscall_lists[] = {
#endif
#ifdef AUDIT_ARCH_AARCH64
SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64),
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
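Review bot: inside the #ifdef AUDIT_ARCH_AARCH64 block, SYSCALL_LIST(AUDIT_ARCH_ARM, arm) is guarded by the wrong macro. It uses AUDIT_ARCH_ARM without testing that it is defined, and if the array already carries an arm entry under its own #ifdef the table gets two rows for the same arch. Give each entry its own guard, or add an #error for the case where AUDIT_ARCH_AARCH64 is defined and AUDIT_ARCH_ARM is not.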
Collaborator

will result in duplicate entries
perhaps just verify that defined(AUDIT_ARCH_AARCH64) implies defined(AUDIT_ARCH_ARM) etc. else #error

Author

@basilgello basilgello Oct 12, 2020

From what I see, AArch64 syscall list is not duplicating arm one because the extract.py script dumps syscall table and there is separate syscall table for every arch within kernel. This also applies to amd64/i386/x32, I had to expose SYSCALLTABLENAME environment variable to select the table I want to dump.

Collaborator

I've meant duplicated entries in syscall_lists array.
Note above there is:

#ifdef AUDIT_ARCH_ARM
    SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#endif

Author

I am not sure AUDIT_ARCH_AARCH64 implies AUDIT_ARCH_ARM: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/audit.h#L389

Or do you want me to do:

#if defined(AUDIT_ARCH_AARCH64)
    SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64),
    SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_ARM)
    SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_X86_64)
… 
#else
#error
#endif

here?

Collaborator

I mean if AUDIT_ARCH_ARM is not defined while AUDIT_ARCH_AARCH64 is defined then the above will not compile anyhow.

Author

Uhm, I think I got what I did wrong here 👍 My intention was to check if KAFEL_DEFAULT_TARGET_ARCH contains the respective architecture to include what is only needed. Target i386 cannot be executed on aarch64 stuff etc. I will change to #ifdef __x86-64__ etc here.

include/kafel.h Outdated
* Sets compilation target architecture for ctxt to target_archs
* target_arch must be a supported AUDIT_ARCH_* value (see <linux/audit.h>)
*/
void kafel_set_target_architectures(kafel_ctxt_t ctxt, uint32_t* target_archs, uint32_t size);
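Review bot: the doc comment for kafel_set_target_architectures names target_arch while the parameter is target_archs, and it does not say whether size counts entries or bytes, what the maximum is, or whether the array is copied. Document those points, take the array as const uint32_t* and the count as size_t. The function returns void, so a caller that passes too many entries or an unsupported AUDIT_ARCH_* value has no way to learn the call was rejected; an int return would fix that.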
Collaborator

use int or size_t for size
or better just accept fixed number of KAFEL_MAX_TARGET_ARCHS entries

Author

Makes sense, ack!

src/context.h Outdated
@@ -30,6 +30,8 @@
#include "policy.h"
#include "syscall.h"

#define MAX_TARGET_ARCHS 4
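Review bot: MAX_TARGET_ARCHS is defined in the internal src/context.h, so callers of the public API cannot size their arrays against it. Move it to include/kafel.h with a KAFEL_ prefix and add a comment saying why the limit is 4.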
Collaborator

prefix with KAFEL_ and expose in include/kafel.h

Author

also makes sense!

src/kafel.c Outdated
}

// Read YY_BUF_SIZE from file as string
filebuf = calloc(1, YY_BUF_SIZE);
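Review bot: calloc(1, YY_BUF_SIZE) caps the cached policy at YY_BUF_SIZE bytes, so a longer policy file is cut off, and for a seccomp policy a silently shortened rule set is worse than a hard error. Grow the buffer until EOF or fail when the input does not fit. The lines shown also do not check filebuf for NULL before it is used, and the comment "Read YY_BUF_SIZE from file as string" should say what happens at the limit.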
Collaborator

this will not handle files larger than YY_BUF_SIZE

Author

https://github.com/google/kafel/blob/master/src/kafel.c#L46 I was in doubt how many bytes does this buffer have. I deduced that the buffer used internally is exactly YY_BUF_SIZE and followed that assumption. How big buffer do we really need here?

Collaborator

The buffer is YY_BUF_SIZE bytes but it'll refill with more data from the file if needed.

src/syscall.c Outdated
@@ -87,6 +87,17 @@ const struct syscall_list* syscalls_lookup(uint32_t arch) {
return NULL;
}

const struct syscall_list* companion_syscalls_lookup(uint32_t arch) {
for (size_t i = 0;
i < sizeof(companion_syscall_lists) / sizeof(companion_syscall_lists[0]);
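Review bot: companion_syscalls_lookup iterates companion_syscall_lists, which nothing in this hunk declares, so the commit cannot build on its own. Declare the array in the same commit, even if empty at first. Since the new function sits directly under syscalls_lookup and walks a table the same way, a static helper taking the table and its length would let both share one loop.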
Collaborator

@happyCoder92 happyCoder92 Oct 12, 2020

This commit is not self-contained.
companion_syscall_lists is undefined.

Author

Ack, will declare companion_syscall_lists there and populate it with x32 using the x32 commit as fixup.

src/context.c Outdated
uint32_t KAFEL_DEFAULT_TARGET_ARCH[4] =

#if defined(__x86_64__)
{ AUDIT_ARCH_X86_64, AUDIT_ARCH_I386, 0, 0 };
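Review bot: KAFEL_DEFAULT_TARGET_ARCH is declared as a writable global with a literal 4 as its size and 0 as an unexplained filler. Declare it static const, size it with the MAX_TARGET_ARCHS constant, and document that 0 marks an unused slot. Listing AUDIT_ARCH_I386 in the x86_64 default also changes the generated filter for existing callers who never asked for a second architecture.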
Collaborator

"pay only for what you use".
include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).

Author

> Include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).

And to enable new target architectures in, say, nsjail I will need a new CLI switch invoking kafel_set_target_architectures, right?

Collaborator

Yes, interaction with nsjail will be a bit inconvenient.
I see 2 solutions:

  • make the generated archs depend on default action (the mentioned bypass applies only to allowlists):
    • generate all if the action is ALLOW/LOG
    • otherwise generate just for native arch by default
  • introduce to kafel a language construct to change options, e.g.
#option ARCH amd64,x32,i386

Author

> introduce to kafel a language construct to change option

I think it is the best option! Can you please help me with it as I am still not very familiar with lexer?

@@ -33,15 +33,15 @@

const struct syscall_descriptor mipso32_syscall_list[] = {
{"accept",
4168,
168,
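Review bot: the number for accept in mipso32_syscall_list changes between 4168 and 168, a difference of exactly 4000. State in the commit message which kernel and extraction procedure produced the new numbers, and confirm they equal what seccomp reports in the nr field for this ABI, because a table that is off by a constant makes every rule for this architecture match the wrong syscall.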
Collaborator

Seems all syscall numbers here differ by 4000.
Similarly for MIPS64 the difference is 5000.
I have no experience with MIPS but I looked up syscall tables online and seems they all list 4xxx and 5xxx syscalls.

Author

This is the most doubtful commit. Do you know by chance which kernel sources were used to build kernels later dumped with extract.py? Debian kernels have syscall numbers changed and I really don't like it. I'd like to dump syscalls following the initial procedure to get the closest possible result.

Collaborator

MIPS support was contributed by another user.
I don't know the procedure used there, but seems the syscall list was compiled partly by hand.

Author

> I don't know the procedure used there, but seems the syscall list was compiled partly by hand

If we know whether the kernel built was vanilla one and toolchains used, I can build all these vanilla kernels using the same toolchains and run gdb extractor. Then making syscall argument names the same - and I hope we get an extended but not replaced syscall list.

src/codegen.c Outdated
@@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) {
normalize_rules(rules, kafel_ctxt->default_action);
Collaborator

for companion arch just issue another add_policy_rules here (with another kafel_ctxt containing policy parsed using the companion arch).
Companion policy generation should be turned off by default and this should be configurable.

Author

@basilgello basilgello Oct 12, 2020

So should expose kafel_set_use_companion_architecture to the public API and use it to control add_policy_rules added, right? And filter companion architectures in nsjail CLI switch, too?

Collaborator

Correct, just perhaps drop the set, kafel_use_companion_architecture(kafel_ctxt_t*, bool) sounds better.
For the nsjail interaction see my other comment.

Author

Ack, will do!

src/codegen.c Outdated
@@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) {
normalize_rules(rules, kafel_ctxt->default_action);
int begin = CURRENT_LOC;
int next = generate_rules(ctxt, rules->data, rules->len);
int next2 = 0;
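Review bot: int next2 = 0 hard-codes exactly one extra target next to next, which does not scale to the four entries the target array allows and gives no hint of what it holds. Keep the per-architecture entry points in an array indexed like the target architectures, and emit the architecture dispatch in a loop once all per-architecture code has been generated.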
Collaborator

@happyCoder92 happyCoder92 Oct 12, 2020

This will not work as it will skip the marker and target arch check if the resulting policy is a constant action.
There are cases where a policy is a constant action on one arch and is not a constant action on another arch due to e.g. different argument sizes:

KILL { some_syscall { arg1 > 65535 } } DEFAULT ALLOW

will result in just ALLOW when arg1 is 16-bit and a more complex policy otherwise.

Arch checks should be added after all per arch generation is done.
ctxt should be reused when generating policies for all the archs.

Something like:

struct codegen_ctxt *ctxt = context_create();
for (int i = 0; i < num_target_archs; ++i)  {
  struct kafel_ctxt* target_ctxt = copy_kafel_ctxt(kafel_ctxt);
  kafel_set_target_arch(target_archs[i]);
  parse(target_ctxt); // TODO: error handling
  policy_for_arch[i] = generate_policy_without_arch_check(ctxt, target_ctxt);
  kafel_ctxt_destroy(target_ctxt);
}
int begin = CURRENT_LOC;
int next = -ACTION_KILL;
for (int i = 0; i < num_target_archs; ++i)  {
  next = add_jump(ctxt, BPF_JEQ, target_archs[i], policy_for_arch[i], next);
}
if (next > begin) {
  begin = next = ADD_INSTR(BPF_LOAD_ARCH);
}
if (next < 0) {
  resolve_location(ctxt, next);
}

Author

Yeah, this seems the better approach. It will probably not eliminate the need to cache policy read from file (we simply cannot rewind stdin) but overall the code looks cleaner.

Author

What I really don't understand now is what is wrong with your example.

I tried:

/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 32 instructions
  0: A := architecture
  1: if A == 0xc000003e goto 3
  2: jump to 21
  3: A := syscall number
  4: if A < 0x65 goto 10
  5: if A >= 0x66 goto 10
  6: A := arg 2 high
  7: if A > 0 goto 11
  8: A := arg 2 low
  9: if A > 0xfffffffe goto 11
 10: jump to 12
 11: KILL
 12: A := syscall number
 13: if A < 0x40000209 goto 19
 14: if A >= 0x4000020a goto 19
 15: A := arg 2 high
 16: if A > 0 goto 20
 17: A := arg 2 low
 18: if A > 0xfffffffe goto 20
 19: ALLOW
 20: KILL
 21: A := architecture
 22: if A == 0x40000003 goto 24
 23: jump to 31
 24: A := syscall number
 25: if A < 0x1a goto 29
 26: if A >= 0x1b goto 29
 27: A := arg 2 low
 28: if A > 0xfffffffe goto 30
 29: ALLOW
 30: KILL
 31: KILL
/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x12u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x7u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 3),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 2, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 37 instructions
  0: A := architecture
  1: if A == 0xc000003e goto 3
  2: jump to 23
  3: A := syscall number
  4: if A < 0x65 goto 11
  5: if A >= 0x66 goto 11
  6: A := arg 2 high
  7: if A > 0x1 goto 12
  8: if A < 0x1 goto 11
  9: A := arg 2 low
 10: if A > 0xfffffffe goto 12
 11: jump to 13
 12: KILL
 13: A := syscall number
 14: if A < 0x40000209 goto 21
 15: if A >= 0x4000020a goto 21
 16: A := arg 2 high
 17: if A > 0x1 goto 22
 18: if A < 0x1 goto 21
 19: A := arg 2 low
 20: if A > 0xfffffffe goto 22
 21: ALLOW
 22: KILL
 23: A := architecture
 24: if A == 0x40000003 goto 26
 25: jump to 36
 26: A := syscall number
 27: if A < 0x1a goto 34
 28: if A >= 0x1b goto 34
 29: A := arg 2 high
 30: if A > 0x1 goto 35
 31: if A < 0x1 goto 34
 32: A := arg 2 low
 33: if A > 0xfffffffe goto 35
 34: ALLOW
 35: KILL
 36: KILL
/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x14u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0xau, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
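
The x86_64 part of the first listing above, evaluated against constructed syscalls next to a filter that only knows the native syscall number. This is an added example, not code from the pull request or from kafel: the structs, macros and the small evaluator are hypothetical stand-ins for the kernel's, and native_only is constructed by dropping the 0x40000209 block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for struct sock_filter / struct seccomp_data so the example
 * builds without Linux headers; the numeric values are the kernel's. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct sc_data { uint32_t nr, arch; uint64_t ip, args[6]; };
enum { RET_KILL = 0x00000000, RET_ALLOW = 0x7fff0000 };
#define ARCH_X86_64 0xc000003eu /* AUDIT_ARCH_X86_64, as in the listing */
#define ARCH_I386   0x40000003u /* AUDIT_ARCH_I386 */
#define OFF_NR    offsetof(struct sc_data, nr)
#define OFF_ARCH  offsetof(struct sc_data, arch)
#define OFF_A2_LO offsetof(struct sc_data, args[2])
#define OFF_A2_HI (OFF_A2_LO + 4) /* assumes a little-endian host */

#define LD(off)      {0x20, 0, 0, (uint32_t)(off)} /* BPF_LD|BPF_W|BPF_ABS */
#define JA(k)        {0x05, 0, 0, (k)}             /* BPF_JMP|BPF_JA */
#define JEQ(k, t, f) {0x15, (t), (f), (k)}
#define JGT(k, t, f) {0x25, (t), (f), (k)}
#define JGE(k, t, f) {0x35, (t), (f), (k)}
#define RET(k)       {0x06, 0, 0, (k)}             /* BPF_RET|BPF_K */
/* Seven instructions from the listing: continue at +7 when the call is not
 * `nr` or addr <= 0xfffffffe, at +8 when it is `nr` with a larger addr. */
#define PTRACE_ADDR_CHECK(nr) \
  LD(OFF_NR), JGE((nr), 0, 5), JGE((nr) + 1, 4, 0), \
  LD(OFF_A2_HI), JGT(0, 3, 0), LD(OFF_A2_LO), JGT(0xfffffffeu, 1, 0)

/* Constructed: a filter that checks the native syscall number only. */
static const struct insn native_only[] = {
  LD(OFF_ARCH), JEQ(ARCH_X86_64, 1, 0), RET(RET_KILL),
  PTRACE_ADDR_CHECK(0x65), RET(RET_ALLOW), RET(RET_KILL),
};
/* Instructions 0-20 of the first listing, with "jump to 21" replaced by KILL. */
static const struct insn with_x32[] = {
  LD(OFF_ARCH), JEQ(ARCH_X86_64, 1, 0), RET(RET_KILL),
  PTRACE_ADDR_CHECK(0x65), JA(1), RET(RET_KILL),
  PTRACE_ADDR_CHECK(0x40000209u), RET(RET_ALLOW), RET(RET_KILL),
};

/* Tiny classic-BPF evaluator covering only the opcodes used above. */
static uint32_t run(const struct insn *p, size_t n, const struct sc_data *d) {
  uint32_t a = 0;
  for (size_t pc = 0; pc < n; ++pc) {
    const struct insn *i = &p[pc];
    switch (i->code) {
    case 0x20:
      if (i->k > sizeof(*d) - 4) return RET_KILL; /* load out of bounds */
      memcpy(&a, (const unsigned char *)d + i->k, 4);
      break;
    case 0x05: pc += i->k; break;
    case 0x15: pc += (a == i->k) ? i->jt : i->jf; break;
    case 0x25: pc += (a > i->k) ? i->jt : i->jf; break;
    case 0x35: pc += (a >= i->k) ? i->jt : i->jf; break;
    case 0x06: return i->k;
    default: return RET_KILL; /* opcode not modelled here */
    }
  }
  return RET_KILL; /* ran off the end of the program */
}

/* Verdict for one call; multi selects with_x32, otherwise native_only. */
static uint32_t verdict(int multi, uint32_t arch, uint32_t nr, uint64_t addr) {
  struct sc_data d = {0};
  d.arch = arch; d.nr = nr; d.args[2] = addr;
  return multi ? run(with_x32, sizeof(with_x32) / sizeof(with_x32[0]), &d)
               : run(native_only, sizeof(native_only) / sizeof(native_only[0]), &d);
}

int main(void) {
  printf("native-only, nr 0x40000209: %#x\n", verdict(0, ARCH_X86_64, 0x40000209u, 0xffffffffu));
  printf("with x32,    nr 0x40000209: %#x\n", verdict(1, ARCH_X86_64, 0x40000209u, 0xffffffffu));
  return 0;
}
```

Both filters see the same arch value for 0x65 and 0x40000209, which is why the second number needs its own block (or a range check on nr) when the default action is ALLOW.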

Collaborator

kafel_reset should not reset target architectures to default.
Otherwise it is impossible to set different architectures for compilation.

Then after that is fixed if the user sets architectures like this:

  uint32_t archs[4] = {AUDIT_ARCH_I386, AUDIT_ARCH_X86_64, 0, 0};
  kafel_set_target_architectures(ctxt, archs, 4);

then compilation of KILL { open { filename > 0xFFFFFFFF } } DEFAULT ALLOW will result in

BPF program with 1 instructions
  0: ALLOW

Author

I think I will rewrite this part as you suggested and drop the commits updating syscall lists and the commit introducing file caching. You will add the lexer modifications and the PR will be ready for merge.

Collaborator

I just pushed 46ae6b8
For multi-target_archs it will require changes in validate_references - check that syscall is present in all the syscall tables and validate used arguments for all architectures.

Author

Great! Sorry for the delay, I will rebase the PR and complete what I have started :)

@happyCoder92
Collaborator

Hi! Are you still going to work on this one?
Seems there are more users requesting it and it would be nice to merge it soon :)

@basilgello
Author

basilgello commented Apr 6, 2021 via email

@happyCoder92
Collaborator

Hi! I had a while to work on it and just committed multi-arch support.
It still needs to be integrated with nsjail and perhaps exposed in new language constructs.
Also I did not add x32 syscalls yet :)

@mattgodbolt

Just a note: we're thankful someone's looked into this and it would be a shame if it stalled. Compiler Explorer relies on nsjail and thus kafel and we currently can't enable seccomp stuff without this PR, which would be nice!

@basilgello
Author

oh! OK @mattgodbolt I will resurrect this.

@basilgello basilgello mentioned this pull request Aug 3, 2023
4 tasks
 * Use LANG=C everywhere to make readelf happy on non-English systems

Signed-off-by: Vasyl Gello <[email protected]>
Make the extractor configurable to extract {amd64,i386,x32}
from amd64 and other companion architecture syscalls if needed.

Also introduce "GDB" environment variable allowing invocation
of custom GDB, i.e:

GDB=gdb-multiarch ./gen_syscalls.sh /tmp/vmlinux-armmp

Signed-off-by: Vasyl Gello <[email protected]>

cat output_syscalls.c | sort -k1,1 --unique --stable -t',' >> "$outname"
rm output_syscalls.c
if [ -f "missing/${arch,,}.c" ]; then
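Review bot: "${arch,,}" in the missing/ test is a bash 4 lowercase expansion, so the script must run under bash rather than sh; say so in the shebang or lower-case with tr. With sort --unique keeping one line per key and the missing/ file handled afterwards, these lines do not show which source wins when both define the same syscall, so make that precedence explicit. The fixed name output_syscalls.c in the working directory would be safer as a mktemp file, and the cat is unnecessary because sort can read the file directly.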
Collaborator

would prefer that missing/{arch}.c takes precedence over automatically extracted as it was before


Successfully merging this pull request may close these issues.

__X32_SYSCALL_BIT not checked
3 participants