On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> does not provide enough information about the ABI for the 64-bit
> process. As a result of which, userland needs to use complex
> seccomp filters to decide whether a syscall belongs to the o32 or n32
> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> can be used by seccomp to explicitely set syscall filters for this ABI.
>
> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Paul Moore <pmoore@xxxxxxxxxx>
> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
> Signed-off-by: Markos Chandras <markos.chandras@xxxxxxxxxx>
> ---
> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>
> Thanks a lot!
> ---
> arch/mips/include/asm/syscall.h | 2 ++
> include/uapi/linux/audit.h | 12 ++++++++++++
> 2 files changed, 14 insertions(+)
I'm far from qualified to ACK any MIPS specific patches, but I do want to add
my support for this patch. As Markos states above, without this patch any
seccomp BPF code will be more complex than necessary (see x32 for an idea) and
projects that try to abstract away the arch/ABI specific nature of the BPF
seccomp filters will be have to do a lot more work. Please merge this patch,
or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting
until 3.16 will be too late.
I also don't want to speak for the audit folks (Eric?), but I think you'll
hear that this patch makes life much easier for them as well.
Thanks,
-Paul
> diff --git a/arch/mips/include/asm/syscall.h
> b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> --- a/arch/mips/include/asm/syscall.h
> +++ b/arch/mips/include/asm/syscall.h
> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
> #ifdef CONFIG_64BIT
> if (!test_thread_flag(TIF_32BIT_REGS))
> arch |= __AUDIT_ARCH_64BIT;
> + if (test_thread_flag(TIF_32BIT_ADDR))
> + arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
> #endif
> #if defined(__LITTLE_ENDIAN)
> arch |= __AUDIT_ARCH_LE;
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 11917f7..1b1efdd 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -331,9 +331,17 @@ enum {
> #define AUDIT_FAIL_PRINTK 1
> #define AUDIT_FAIL_PANIC 2
>
> +/*
> + * These bits disambiguate different calling conventions that share an
> + * ELF machine type, bitness, and endianness
> + */
> +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> +
> /* distinguish syscall tables */
> #define __AUDIT_ARCH_64BIT 0x80000000
> #define __AUDIT_ARCH_LE 0x40000000
> +
> #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
> #define AUDIT_ARCH_ARMEB (EM_ARM)
> @@ -346,7 +354,11 @@ enum {
> #define AUDIT_ARCH_MIPS (EM_MIPS)
> #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
> #define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
> +#define AUDIT_ARCH_MIPS64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|\
> + __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> #define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_MIPSEL64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|
__AUDIT_ARCH_LE\
> + __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> #define AUDIT_ARCH_OPENRISC (EM_OPENRISC)
> #define AUDIT_ARCH_PARISC (EM_PARISC)
> #define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
--
paul moore
security and virtualization @ redhat
