diff options
| -rw-r--r-- | meta/recipes-devtools/pseudo/files/seccomp.patch | 124 | ||||
| -rw-r--r-- | meta/recipes-devtools/pseudo/pseudo_git.bb | 1 |
2 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-devtools/pseudo/files/seccomp.patch b/meta/recipes-devtools/pseudo/files/seccomp.patch new file mode 100644 index 0000000000..be42eaf353 --- /dev/null +++ b/meta/recipes-devtools/pseudo/files/seccomp.patch @@ -0,0 +1,124 @@ +Pseudo changes the syscall access patterns which makes it incompatible with +seccomp. Therefore intercept the seccomp syscall and alter it, pretending that +seccomp was setup when in fact we do nothing. If we error as unsupported, +utilities like file will exit with errors so we can't just disable it. + +Upstream-Status: Pending +RP 2020/4/3 +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Index: git/ports/linux/pseudo_wrappers.c +=================================================================== +--- git.orig/ports/linux/pseudo_wrappers.c ++++ git/ports/linux/pseudo_wrappers.c +@@ -57,6 +57,7 @@ int pseudo_capset(cap_user_header_t hdrp + long + syscall(long number, ...) { + long rc = -1; ++ va_list ap; + + if (!pseudo_check_wrappers() || !real_syscall) { + /* rc was initialized to the "failure" value */ +@@ -77,6 +78,20 @@ syscall(long number, ...) { + (void) number; + #endif + ++#ifdef SYS_seccomp ++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls ++ * so pretend to enable seccomp but really do nothing */ ++ if (number == SYS_seccomp) { ++ unsigned long cmd; ++ va_start(ap, number); ++ cmd = va_arg(ap, unsigned long); ++ va_end(ap); ++ if (cmd == SECCOMP_SET_MODE_FILTER) { ++ return 0; ++ } ++ } ++#endif ++ + /* gcc magic to attempt to just pass these args to syscall. we have to + * guess about the number of args; the docs discuss calling conventions + * up to 7, so let's try that? +@@ -92,3 +108,42 @@ static long wrap_syscall(long nr, va_lis + (void) ap; + return -1; + } ++ ++int ++prctl(int option, ...) { ++ int rc = -1; ++ va_list ap; ++ ++ if (!pseudo_check_wrappers() || !real_prctl) { ++ /* rc was initialized to the "failure" value */ ++ pseudo_enosys("prctl"); ++ return rc; ++ } ++ ++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls ++ * so pretend to enable seccomp but really do nothing */ ++ if (option == PR_SET_SECCOMP) { ++ unsigned long cmd; ++ va_start(ap, option); ++ cmd = va_arg(ap, unsigned long); ++ va_end(ap); ++ if (cmd == SECCOMP_SET_MODE_FILTER) { ++ return 0; ++ } ++ } ++ ++ /* gcc magic to attempt to just pass these args to prctl. we have to ++ * guess about the number of args; the docs discuss calling conventions ++ * up to 5, so let's try that? ++ */ ++ void *res = __builtin_apply((void (*)()) real_prctl, __builtin_apply_args(), sizeof(long) * 5); ++ __builtin_return(res); ++} ++ ++/* unused. ++ */ ++static int wrap_prctl(int option, va_list ap) { ++ (void) option; ++ (void) ap; ++ return -1; ++} +Index: git/ports/linux/guts/prctl.c +=================================================================== +--- /dev/null ++++ git/ports/linux/guts/prctl.c +@@ -0,0 +1,15 @@ ++/* ++ * Copyright (c) 2020 Richard Purdie ++ * ++ * SPDX-License-Identifier: LGPL-2.1-only ++ * ++ * int prctl(int option, ...) ++ * int rc = -1; ++ */ ++ ++ /* we should never get here, prctl is hand-wrapped */ ++ rc = -1; ++ ++/* return rc; ++ * } ++ */ +Index: git/ports/linux/portdefs.h +=================================================================== +--- git.orig/ports/linux/portdefs.h ++++ git/ports/linux/portdefs.h +@@ -32,3 +32,5 @@ GLIBC_COMPAT_SYMBOL(memcpy,2.0); + + #include <linux/capability.h> + #include <sys/syscall.h> ++#include <sys/prctl.h> ++#include <linux/seccomp.h> +Index: git/ports/linux/wrapfuncs.in +=================================================================== +--- git.orig/ports/linux/wrapfuncs.in ++++ git/ports/linux/wrapfuncs.in +@@ -56,3 +56,4 @@ int getgrent_r(struct group *gbuf, char + int capset(cap_user_header_t hdrp, const cap_user_data_t datap); /* real_func=pseudo_capset */ + long syscall(long nr, ...); /* hand_wrapped=1 */ + int renameat2(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, unsigned int flags); /* flags=AT_SYMLINK_NOFOLLOW */ ++int prctl(int option, ...); /* hand_wrapped=1 */ diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index d921d85a05..89e43c5996 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -10,6 +10,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo \ file://0001-Add-statx.patch \ file://0001-realpath.c-Remove-trailing-slashes.patch \ file://0006-xattr-adjust-for-attr-2.4.48-release.patch \ + file://seccomp.patch \ " SRCREV = "060058bb29f70b244e685b3c704eb0641b736f73" |