On Thu, Oct 01, 2020 at 01:08:04AM +0200, Jann Horn wrote: > [adding x86 folks to enhance bikeshedding] > > On Thu, Oct 1, 2020 at 12:59 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Wed, Sep 30, 2020 at 10:19:16AM -0500, YiFei Zhu wrote: > > > From: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> > > > > > > Currently the kernel does not provide an infrastructure to translate > > > architecture numbers to a human-readable name. Translating syscall > > > numbers to syscall names is possible through FTRACE_SYSCALL > > > infrastructure but it does not provide support for compat syscalls. > > > > > > This will create a file for each PID as /proc/pid/seccomp_cache. > > > The file will be empty when no seccomp filters are loaded, or be > > > in the format of: > > > <arch name> <decimal syscall number> <ALLOW | FILTER> > > > where ALLOW means the cache is guaranteed to allow the syscall, > > > and filter means the cache will pass the syscall to the BPF filter. > > > > > > For the docker default profile on x86_64 it looks like: > > > x86_64 0 ALLOW > > > x86_64 1 ALLOW > > > x86_64 2 ALLOW > > > x86_64 3 ALLOW > > > [...] > > > x86_64 132 ALLOW > > > x86_64 133 ALLOW > > > x86_64 134 FILTER > > > x86_64 135 FILTER > > > x86_64 136 FILTER > > > x86_64 137 ALLOW > > > x86_64 138 ALLOW > > > x86_64 139 FILTER > > > x86_64 140 ALLOW > > > x86_64 141 ALLOW > [...] > > > diff --git a/arch/x86/include/asm/seccomp.h b/arch/x86/include/asm/seccomp.h > > > index 7b3a58271656..33ccc074be7a 100644 > > > --- a/arch/x86/include/asm/seccomp.h > > > +++ b/arch/x86/include/asm/seccomp.h > > > @@ -19,13 +19,16 @@ > > > #ifdef CONFIG_X86_64 > > > # define SECCOMP_ARCH_DEFAULT AUDIT_ARCH_X86_64 > > > # define SECCOMP_ARCH_DEFAULT_NR NR_syscalls > > > +# define SECCOMP_ARCH_DEFAULT_NAME "x86_64" > > > # ifdef CONFIG_COMPAT > > > # define SECCOMP_ARCH_COMPAT AUDIT_ARCH_I386 > > > # define SECCOMP_ARCH_COMPAT_NR IA32_NR_syscalls > > > +# define SECCOMP_ARCH_COMPAT_NAME "x86_32" > > > > I think this should be "ia32"? Is there a good definitive guide on this > > naming convention? > > "man 2 syscall" calls them "x86-64" and "i386". The syscall table > files use ABI names "i386" and "64". The syscall stub prefixes use > "x64" and "ia32". > > I don't think we have a good consistent naming strategy here. :P Agreed. And with "i386" being so hopelessly inaccurate, I prefer "ia32" ... *shrug* I would hope we don't have to be super-pedantic and call them "x86-64" and "IA-32". :P -- Kees Cook _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers