Modernize architectures and generate seccomp policy for all architectures supported by host OS #26
base: master
Conversation
@happyCoder92 @robertswiecki please review it and merge! This fixes a CVE used in many CTFs and also allows using nsjail as a Linux container replacement in fully rootless mode.
tools/gen_syscalls/extract.py
Outdated
@@ -19,6 +19,15 @@ | |||
|
|||
import re | |||
|
|||
# "xrange" was renamed to "range" in Python 3 |
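Review bot: the Python 2 compatibility handling introduced under `# "xrange" was renamed to "range" in Python 3` is not needed; range() exists in both versions, and the only cost on Python 2 is materialising a list, which is negligible for the small loops in this extractor. Call range() directly and drop the shim so the script has a single code path to review.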
Just use range instead.
It will also work in python2 but will be less efficient (does not matter here though)
Ack, thanks!
src/syscall.c
Outdated
@@ -52,15 +52,18 @@ const struct syscall_list syscall_lists[] = { | |||
#endif | |||
#ifdef AUDIT_ARCH_AARCH64 | |||
SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64), | |||
SYSCALL_LIST(AUDIT_ARCH_ARM, arm), |
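Review bot: `SYSCALL_LIST(AUDIT_ARCH_ARM, arm),` under `#ifdef AUDIT_ARCH_AARCH64` duplicates the entry that the existing `#ifdef AUDIT_ARCH_ARM` block already contributes, so syscall_lists ends up with two arm entries whenever both macros are defined, and <linux/audit.h> defines every AUDIT_ARCH_* constant unconditionally, so both always are. Drop the line here; if the goal is to compile in only the lists that can run on the build host, key the condition on the compiler's target macro (e.g. `__aarch64__`) rather than on AUDIT_ARCH_* macros, or add a compile-time check that the combination is what you expect.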
will result in duplicate entries
perhaps just verify that defined(AUDIT_ARCH_AARCH64) implies defined(AUDIT_ARCH_ARM) etc. else #error
From what I see, the AArch64 syscall list is not duplicating the arm one because the extract.py script dumps the syscall table and there is a separate syscall table for every arch within the kernel. This also applies to amd64/i386/x32; I had to expose the SYSCALLTABLENAME environment variable to select the table I want to dump.
I meant duplicated entries in the syscall_lists array.
Note above there is:
#ifdef AUDIT_ARCH_ARM
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#endif
I am not sure AUDIT_ARCH_AARCH64 implies AUDIT_ARCH_ARM: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/audit.h#L389
Or do you want me to do:
#if defined(AUDIT_ARCH_AARCH64)
SYSCALL_LIST(AUDIT_ARCH_AARCH64, aarch64),
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_ARM)
SYSCALL_LIST(AUDIT_ARCH_ARM, arm),
#elif defined(AUDIT_ARCH_X86_64)
…
#else
#error
#endif
here?
I mean if AUDIT_ARCH_ARM is not defined while AUDIT_ARCH_AARCH64 is defined then the above will not compile anyhow.
Uhm, I think I got what I did wrong here 👍 My intention was to check if KAFEL_DEFAULT_TARGET_ARCH contains the respective architecture, to include only what is needed. Target i386 can not be executed on aarch64 stuff etc. I will change to #ifdef __x86-64__ etc. here.
include/kafel.h
Outdated
* Sets compilation target architecture for ctxt to target_archs | ||
* target_arch must be a supported AUDIT_ARCH_* value (see <linux/audit.h>) | ||
*/ | ||
void kafel_set_target_architectures(kafel_ctxt_t ctxt, uint32_t* target_archs, uint32_t size); |
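Review bot: `uint32_t size` in `kafel_set_target_architectures(kafel_ctxt_t ctxt, uint32_t* target_archs, uint32_t size)` is an element count, so size_t (or int) is the idiomatic type; alternatively take a fixed-size array of KAFEL_MAX_TARGET_ARCHS entries and drop the count altogether. The comment also says target_arch (singular) while the parameter is target_archs, and it does not state what happens when size exceeds the supported maximum or whether the array is copied or must outlive the context, both of which a caller of a public API needs to know.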
use int or size_t for size, or better just accept a fixed number of KAFEL_MAX_TARGET_ARCHS entries
Makes sense, ack!
src/context.h
Outdated
@@ -30,6 +30,8 @@ | |||
#include "policy.h" | |||
#include "syscall.h" | |||
|
|||
#define MAX_TARGET_ARCHS 4 |
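Review bot: `#define MAX_TARGET_ARCHS 4` is a limit that callers of kafel_set_target_architectures have to respect, so it belongs in the public header include/kafel.h rather than the private src/context.h, and it should carry the KAFEL_ prefix like the rest of the public names so it cannot collide with a macro of the same name in an embedding project such as nsjail.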
prefix with KAFEL_ and expose in include/kafel.h
also makes sense!
src/kafel.c
Outdated
} | ||
|
||
// Read YY_BUF_SIZE from file as string | ||
filebuf = calloc(1, YY_BUF_SIZE); |
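Review bot: `filebuf = calloc(1, YY_BUF_SIZE);` caps the policy at YY_BUF_SIZE bytes, so a longer file is silently truncated and the parser sees a policy different from the one the user wrote; read in a loop into a buffer that grows (with an upper bound) instead of a single fixed allocation, and check the calloc result for NULL before use, since no such check is visible in this hunk.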
this will not handle files larger than YY_BUF_SIZE
https://github.com/google/kafel/blob/master/src/kafel.c#L46 I was in doubt how many bytes this buffer has. I deduced that the buffer used internally is exactly YY_BUF_SIZE and followed that assumption. How big a buffer do we really need here?
The buffer is YY_BUF_SIZE bytes but it'll refill with more data from the file if needed.
src/syscall.c
Outdated
@@ -87,6 +87,17 @@ const struct syscall_list* syscalls_lookup(uint32_t arch) { | |||
return NULL; | |||
} | |||
|
|||
const struct syscall_list* companion_syscalls_lookup(uint32_t arch) { | |||
for (size_t i = 0; | |||
i < sizeof(companion_syscall_lists) / sizeof(companion_syscall_lists[0]); |
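Review bot: `companion_syscall_lists` is referenced in companion_syscalls_lookup but not defined anywhere in this commit, so the tree does not build at this point in the series and git bisect will land on a broken commit; move the array definition (and its x32 entries) into this commit or squash the x32 commit into it. The `sizeof(companion_syscall_lists) / sizeof(companion_syscall_lists[0])` bound is fine once the array is a real definition in this translation unit rather than an extern declaration, for which sizeof would not compile.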
This commit is not self-contained. companion_syscall_lists is undefined.
Ack, will declare companion_syscall_lists there and populate it with x32 using the x32 commit as fixup.
src/context.c
Outdated
uint32_t KAFEL_DEFAULT_TARGET_ARCH[4] = | ||
|
||
#if defined(__x86_64__) | ||
{ AUDIT_ARCH_X86_64, AUDIT_ARCH_I386, 0, 0 }; |
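Review bot: `uint32_t KAFEL_DEFAULT_TARGET_ARCH[4]` hard-codes the array length instead of using the MAX_TARGET_ARCHS macro added in src/context.h, so the two can drift apart without a compiler complaint; also defaulting to `{ AUDIT_ARCH_X86_64, AUDIT_ARCH_I386, 0, 0 }` changes the generated filter for every existing x86_64 user (an i386 branch appears where none was before), so keep only the native arch in the default and make the additional architectures opt-in.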
"pay only for what you use".
include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).
Include just AUDIT_ARCH_X86_64 there to preserve existing behavior (same for other archs).
And to enable new target architectures in, say, nsjail I will need a new CLI switch invoking kafel_set_target_architectures, right?
Yes, interaction with nsjail will be a bit inconvenient.
I see 2 solutions:
- make the generated archs depend on default action (the mentioned bypass applies only to allowlists):
  - generate all if the action is ALLOW/LOG
  - otherwise generate just for native arch by default
- introduce to kafel a language construct to change options, e.g. #option ARCH amd64,x32,i386
introduce to kafel a language construct to change option
I think it is the best option! Can you please help me with it as I am still not very familiar with lexer?
src/syscalls/mipso32_syscalls.c
Outdated
@@ -33,15 +33,15 @@ | |||
|
|||
const struct syscall_descriptor mipso32_syscall_list[] = { | |||
{"accept", | |||
4168, | |||
168, |
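Review bot: every number in the regenerated mipso32_syscall_list differs from the existing one by the o32 ABI base of 4000 (`4168,` replacing `168,` for accept), and the MIPS64 table by 5000; before a table that renumbers every syscall in a seccomp filter is merged, the commit message should state which kernel source and toolchain the extractor was run against and whether the old entries were hand-written or extracted, so the two can be reconciled rather than one silently replacing the other.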
Seems all syscall numbers here differ by 4000.
Similarly for MIPS64 the difference is 5000.
I have no experience with MIPS but I looked up syscall tables online and it seems they all list 4xxx and 5xxx syscalls.
This is the most doubtful commit. Do you know by chance which kernel sources were used to build the kernels later dumped with extract.py? Debian kernels have syscall numbers changed and I really don't like it. I'd like to dump syscalls following the initial procedure to get the closest possible result.
MIPS support was contributed by another user.
I don't know the procedure used there, but seems the syscall list was compiled partly by hand.
I don't know the procedure used there, but seems the syscall list was compiled partly by hand
If we know whether the kernel built was a vanilla one and which toolchains were used, I can build all these vanilla kernels using the same toolchains and run the gdb extractor. Then, making syscall argument names the same, I hope we get an extended but not replaced syscall list.
src/codegen.c
Outdated
@@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) { | |||
normalize_rules(rules, kafel_ctxt->default_action); |
for companion arch just issue another add_policy_rules here (with another kafel_ctxt containing policy parsed using the companion arch).
Companion policy generation should be turned off by default and this should be configurable.
So I should expose kafel_set_use_companion_architecture to the public API and use it to control the add_policy_rules added, right? And filter companion architectures in the nsjail CLI switch, too?
Correct, just perhaps drop the set; kafel_use_companion_architecture(kafel_ctxt_t*, bool) sounds better.
For the nsjail interaction see my other comment.
Ack, will do!
src/codegen.c
Outdated
@@ -615,15 +626,23 @@ int compile_policy(struct kafel_ctxt *kafel_ctxt, struct sock_fprog *prog) { | |||
normalize_rules(rules, kafel_ctxt->default_action); | |||
int begin = CURRENT_LOC; | |||
int next = generate_rules(ctxt, rules->data, rules->len); | |||
int next2 = 0; |
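Review bot: a second cursor `int next2 = 0;` beside `int next = generate_rules(ctxt, rules->data, rules->len);` means the companion policy is being spliced into the control flow of the native one; when generate_rules folds a policy into a constant action, the marker and the architecture check for that arch are never emitted, so the dispatch on seccomp_data.arch has to be generated after all per-arch bodies exist, not interleaved with each. A name that says what the cursor points at (the companion arch's entry) would also help the next reader.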
This will not work as it will skip the marker and target arch check if the resulting policy is a constant action.
There are cases where a policy is a constant action on one arch and is not a constant action on another arch due to e.g. different argument sizes:
KILL { some_syscall { arg1 > 65535 } } DEFAULT ALLOW
will result in just ALLOW
when arg1 is 16-bit and a more complex policy otherwise.
Arch checks should be added after all per arch generation is done.
ctxt should be reused when generating policies for all the archs.
Something like:
struct codegen_ctxt *ctxt = context_create();
for (int i = 0; i < num_target_archs; ++i) {
struct kafel_ctxt* target_ctxt = copy_kafel_ctxt(kafel_ctxt);
kafel_set_target_arch(target_archs[i]);
parse(target_ctxt); // TODO: error handling
policy_for_arch[i] = generate_policy_without_arch_check(ctxt, target_ctxt);
kafel_ctxt_destroy(target_ctxt);
}
int begin = CURRENT_LOC;
int next = -ACTION_KILL;
for (int i = 0; i < num_target_archs; ++i) {
next = add_jump(ctxt, BPF_JEQ, target_archs[i], policy_for_arch[i], next);
}
if (next > begin) {
begin = next = ADD_INSTR(BPF_LOAD_ARCH);
}
if (next < 0) {
resolve_location(ctxt, next);
}
Yeah, this seems the better approach. It will probably not eliminate the need to cache the policy read from file (we simply cannot rewind stdin) but overall the code looks cleaner.
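The caching problem raised here (a policy arriving on a pipe or stdin cannot be rewound for a second per-arch parse, and a single calloc(1, YY_BUF_SIZE) truncates anything longer) can be solved by reading the whole stream into a buffer that grows on demand under a hard size cap. The following is an added example and not kafel's code; read_all_capped, read_all, READ_ALL_DEFAULT_MAX, make_policy and roundtrip are assumed names, and the policy text fed through it is constructed for the demonstration.

```c
/* Added example, not kafel's code: slurp a policy from any FILE* (including a
 * pipe or stdin that cannot be rewound) into a heap buffer that grows as
 * needed, bounded by a cap so an oversized input fails cleanly instead of
 * exhausting memory. Build: cc -std=c11 -Wall read_all.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define READ_ALL_DEFAULT_MAX (16u * 1024 * 1024) /* assumed cap for policy files */

/* Read the whole stream. On success returns a NUL-terminated malloc'd buffer
 * (caller frees) and stores the byte count in *out_len; on failure returns
 * NULL with errno set (EFBIG when the input exceeds max_bytes). */
char *read_all_capped(FILE *f, size_t *out_len, size_t max_bytes) {
    size_t cap = 64;            /* deliberately small so growth is exercised */
    size_t len = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        if (len == cap - 1) {   /* one byte is reserved for the terminator */
            if (len >= max_bytes) {
                /* at the cap: accept only if the stream is exactly this long */
                int c = fgetc(f);
                if (c == EOF && !ferror(f)) break;
                free(buf);
                errno = ferror(f) ? EIO : EFBIG;
                return NULL;
            }
            size_t ncap = cap * 2;
            if (ncap - 1 > max_bytes) ncap = max_bytes + 1;
            char *nbuf = realloc(buf, ncap);
            if (!nbuf) { free(buf); return NULL; }
            buf = nbuf;
            cap = ncap;
        }
        size_t n = fread(buf + len, 1, cap - 1 - len, f);
        len += n;
        if (n == 0) {
            if (ferror(f)) { free(buf); errno = EIO; return NULL; }
            break;              /* clean EOF */
        }
    }
    buf[len] = '\0';
    if (out_len) *out_len = len;
    return buf;
}

char *read_all(FILE *f, size_t *out_len) {
    return read_all_capped(f, out_len, READ_ALL_DEFAULT_MAX);
}

/* Test helper: a constructed kafel-style policy of `rules` identical lines,
 * well past the 64-byte initial chunk. Caller frees. */
char *make_policy(size_t rules) {
    const char *line = "KILL { ptrace { addr > 0xFFFFFFFE } }\n";
    size_t n = strlen(line);
    char *p = malloc(n * rules + sizeof "DEFAULT ALLOW\n");
    if (!p) return NULL;
    for (size_t i = 0; i < rules; i++) memcpy(p + i * n, line, n);
    strcpy(p + rules * n, "DEFAULT ALLOW\n");
    return p;
}

/* Test helper: push `text` through a temporary stream and compare what comes
 * back. 1 = identical round trip, 0 = content mismatch, -1 = refused/failed. */
int roundtrip(const char *text, size_t max_bytes) {
    FILE *f = tmpfile();
    if (!f) return -1;
    fwrite(text, 1, strlen(text), f);
    rewind(f);
    size_t len = 0;
    char *got = read_all_capped(f, &len, max_bytes);
    fclose(f);
    if (!got) return -1;
    int same = len == strlen(text) && memcmp(got, text, len) == 0;
    free(got);
    return same ? 1 : 0;
}

int main(void) {
    char *policy = make_policy(200);   /* 7614 bytes, far beyond one 64-byte chunk */
    printf("round trip: %d, capped at 1000 bytes: %d\n",
           roundtrip(policy, READ_ALL_DEFAULT_MAX), roundtrip(policy, 1000));
    free(policy);
    return 0;
}
```

Once the text is in memory, each per-arch parse can scan the same buffer, which is what the reviewer's loop over target archs needs; the cap is the one knob to set deliberately, since a policy source that is not trusted should not be able to make the compiler allocate without bound.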
What I really don't understand now is what is wrong with your example.
I tried:
/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 32 instructions
0: A := architecture
1: if A == 0xc000003e goto 3
2: jump to 21
3: A := syscall number
4: if A < 0x65 goto 10
5: if A >= 0x66 goto 10
6: A := arg 2 high
7: if A > 0 goto 11
8: A := arg 2 low
9: if A > 0xfffffffe goto 11
10: jump to 12
11: KILL
12: A := syscall number
13: if A < 0x40000209 goto 19
14: if A >= 0x4000020a goto 19
15: A := arg 2 high
16: if A > 0 goto 20
17: A := arg 2 low
18: if A > 0xfffffffe goto 20
19: ALLOW
20: KILL
21: A := architecture
22: if A == 0x40000003 goto 24
23: jump to 31
24: A := syscall number
25: if A < 0x1a goto 29
26: if A >= 0x1b goto 29
27: A := arg 2 low
28: if A > 0xfffffffe goto 30
29: ALLOW
30: KILL
31: KILL
/tmp/kafel$ echo 'KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x12u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 5),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 4, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x7u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 3),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 2, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf
BPF program with 37 instructions
0: A := architecture
1: if A == 0xc000003e goto 3
2: jump to 23
3: A := syscall number
4: if A < 0x65 goto 11
5: if A >= 0x66 goto 11
6: A := arg 2 high
7: if A > 0x1 goto 12
8: if A < 0x1 goto 11
9: A := arg 2 low
10: if A > 0xfffffffe goto 12
11: jump to 13
12: KILL
13: A := syscall number
14: if A < 0x40000209 goto 21
15: if A >= 0x4000020a goto 21
16: A := arg 2 high
17: if A > 0x1 goto 22
18: if A < 0x1 goto 21
19: A := arg 2 low
20: if A > 0xfffffffe goto 22
21: ALLOW
22: KILL
23: A := architecture
24: if A == 0x40000003 goto 26
25: jump to 36
26: A := syscall number
27: if A < 0x1a goto 34
28: if A >= 0x1b goto 34
29: A := arg 2 high
30: if A > 0x1 goto 35
31: if A < 0x1 goto 34
32: A := arg 2 low
33: if A > 0xfffffffe goto 35
34: ALLOW
35: KILL
36: KILL
/tmp/kafel$ echo 'KILL { ptrace { addr > 0x1FFFFFFFE } } DEFAULT ALLOW' | tools/dump_policy_bpf/dump_policy_bpf -c
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x14u, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),
BPF_JUMP(BPF_JMP | BPF_JA, 0xau, 0, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 6),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 5, 0),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + sizeof(__u32)),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0x1u, 4, 0),
BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1u, 0, 2),
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
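To see why the per-arch bodies need their own argument handling (the amd64 body compares both 32-bit halves of addr, the i386 body only the low word, and the x32 companion syscall number 0x40000209 is handled inside the amd64 arch branch), the 32-instruction program dumped above with `-c` can be executed offline against constructed seccomp_data values. The following is an added example and not kafel's or nsjail's code: the sock_filter array is the page's program transcribed unchanged, while the evaluator run_filter, the helper decide and the ARG2_LO/ARG2_HI macros are assumed names written for this demonstration. It assumes a little-endian host, which the low/high word split relies on, and Linux UAPI headers.

```c
/* Added example, not kafel's or nsjail's code: a cBPF evaluator for the
 * instruction subset seccomp accepts, run over the 32-instruction program the
 * PR author dumped above with `dump_policy_bpf -c`. The program is transcribed
 * unchanged; run_filter and decide are assumed helpers for this demonstration.
 * Assumes a little-endian host. Build: cc -std=c11 -Wall policy_eval.c */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG2_LO offsetof(struct seccomp_data, args[2])                       /* addr, low 32 bits */
#define ARG2_HI (offsetof(struct seccomp_data, args[2]) + sizeof(uint32_t))  /* addr, high 32 bits */

/* KILL { ptrace { addr > 0xFFFFFFFE } } DEFAULT ALLOW, exactly as dumped on the page. */
static const struct sock_filter policy_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xc000003eu, 1, 0),   /* AUDIT_ARCH_X86_64? */
    BPF_JUMP(BPF_JMP | BPF_JA, 0x12u, 0, 0),                   /* no: next arch block */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x65u, 0, 5),          /* native ptrace is nr 101 */
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x66u, 4, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG2_HI),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG2_LO),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JA, 0x1u, 0, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000209u, 0, 5),    /* x32 companion ptrace */
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x4000020au, 4, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG2_HI),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0u, 3, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG2_LO),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x40000003u, 1, 0),   /* AUDIT_ARCH_I386? */
    BPF_JUMP(BPF_JMP | BPF_JA, 0x7u, 0, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1au, 0, 3),          /* i386 ptrace is nr 26 */
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x1bu, 2, 0),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG2_LO),               /* 32-bit arch: low word only */
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0xfffffffeu, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),              /* any other arch */
};

size_t policy_len(void) { return sizeof policy_prog / sizeof policy_prog[0]; }

/* Evaluate a seccomp cBPF program on one seccomp_data; returns a SECCOMP_RET_* value.
 * Anything outside the subset the kernel verifier accepts is treated as KILL. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:   /* only aligned 32-bit absolute loads from inside seccomp_data */
            if (BPF_SIZE(in->code) != BPF_W || BPF_MODE(in->code) != BPF_ABS ||
                in->k % 4 != 0 || in->k > sizeof *d - 4)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP: {
            int taken;
            switch (BPF_OP(in->code)) {
            case BPF_JA:   pc += 1 + in->k; continue;
            case BPF_JEQ:  taken = acc == in->k; break;
            case BPF_JGT:  taken = acc > in->k; break;
            case BPF_JGE:  taken = acc >= in->k; break;
            case BPF_JSET: taken = (acc & in->k) != 0; break;
            default:       return SECCOMP_RET_KILL;
            }
            pc += 1 + (taken ? in->jt : in->jf);
            break;
        }
        case BPF_RET:
            return BPF_RVAL(in->code) == BPF_K ? in->k : acc;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end; the kernel rejects such programs */
}

/* Decide the action for a constructed syscall: arch, number and the ptrace addr (arg 2). */
uint32_t decide(uint32_t arch, int nr, uint64_t addr) {
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.arch = arch;
    d.nr = nr;
    d.args[2] = addr;
    return run_filter(policy_prog, policy_len(), &d);
}

int main(void) {
    printf("amd64 ptrace addr=0xffffffff: %s\n",
           decide(AUDIT_ARCH_X86_64, 101, 0xffffffffull) == SECCOMP_RET_KILL ? "KILL" : "ALLOW");
    printf("x32 ptrace addr=0x100000000: %s\n",
           decide(AUDIT_ARCH_X86_64, 0x40000209, 0x100000000ull) == SECCOMP_RET_KILL ? "KILL" : "ALLOW");
    return 0;
}
```

Running the program this way makes the two points of the discussion concrete: an addr whose high word is non-zero is caught on amd64 and on x32 only because those bodies load both halves, and a syscall arriving with an arch value the filter has no branch for falls through to the final KILL, which is the behaviour an allowlist loses if the architecture check is folded away when one arch's body becomes a constant action.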
kafel_reset should not reset target architectures to default.
Otherwise it is impossible to set different architectures for compilation.
Then after that is fixed if the user sets architectures like this:
uint32_t archs[4] = {AUDIT_ARCH_I386, AUDIT_ARCH_X86_64, 0, 0};
kafel_set_target_architectures(ctxt, archs, 4);
then compilation of KILL { open { filename > 0xFFFFFFFF } } DEFAULT ALLOW
will result in
BPF program with 1 instructions
0: ALLOW
I think I will rewrite this part as you suggested and drop the commits updating syscall lists and the commit introducing file caching. You will add the lexer modifications and the PR will be ready for merge.
I just pushed 46ae6b8
For multi-target_archs it will require changes in validate_references: check that the syscall is present in all the syscall tables and validate used arguments for all architectures.
Great! Sorry for the delay, I will rebase the PR and complete what I have started :)
Hi! Are you still going to work on this one?
Hi! Yes, I noticed the request! Let me wrap around Android ASB & get back to it this weekend.
Hi! I had a while to work on it and just committed multi-arch support.
Just a note: we're thankful someone's looked into this and it would be a shame if it stalled. Compiler Explorer relies on nsjail and thus kafel and we currently can't enable seccomp stuff without this PR, which would be nice!
oh! OK @mattgodbolt I will resurrect this.
* Use LANG=C everywhere to make readelf happy on non-English systems Signed-off-by: Vasyl Gello <[email protected]>
5b58e5d to 0ffeda5
Make the extractor configurable to extract {amd64,i386,x32} from amd64 and other companion architecture syscalls if needed. Also introduce "GDB" environment variable allowing invocation of custom GDB, i.e: GDB=gdb-multiarch ./gen_syscalls.sh /tmp/vmlinux-armmp Signed-off-by: Vasyl Gello <[email protected]>
0ffeda5 to d40625d
|
||
cat output_syscalls.c | sort -k1,1 --unique --stable -t',' >> "$outname" | ||
rm output_syscalls.c | ||
if [ -f "missing/${arch,,}.c" ]; then |
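Review bot: `cat output_syscalls.c | sort -k1,1 --unique --stable -t',' >> "$outname"` deduplicates and writes the extracted entries before `missing/${arch,,}.c` is consulted, so whatever the following branch appends is no longer part of the same dedup pass and the hand-maintained entries cannot override extracted ones the way the reviewer asks; feed the missing/ file first and the extracted output second into one stable unique sort so the earlier, hand-written entry wins. Two smaller points: `${arch,,}` is a bash 4 lowercase expansion, so the script must run under bash rather than sh, and `cat file | sort` can simply be `sort ... output_syscalls.c`.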
would prefer that missing/{arch}.c takes precedence over automatically extracted as it was before
Fixes #19