systemd: re-enable bpf-framework #328648

Merged
Mic92 merged 1 commit into NixOS:staging from martinetd:systemd_bpf
Jul 21, 2024
Conversation

@martinetd (Member)

Description of changes

systemd meson.build apparently didn't check properly that the option was enabled in all code paths, so it was possible to build systemd such that `--version` would have `-BPF_FRAMEWORK` (properly disabled in config.h) with `-Dbpf-framework=enabled`.

Fix the failing check, which was `clang -target bpf` breaking with zerocallusedregs hardening -- this is apparently a known problem as it's disabled in quite a few other packages that mention bpf in the comment above the exception...

Link: systemd/systemd#33793


I noticed SocketBindDeny didn't work when testing cryptpad hardening...
This can easily be confirmed with `systemctl --version`, which lists `-BPF_FRAMEWORK` without this, and `+` with it.

Fixing the hardening to do the right thing and automatically skip itself if -target bpf is out of scope and might be done later, but I've already spent more time on this than I have available right now.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

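As an added check (not part of this PR, of nixpkgs or of systemd), a POSIX sh script that reads `systemctl --version` output and reports which directives of a unit file systemd will silently not enforce when the build lacks BPF_FRAMEWORK, which is how the broken `SocketBindDeny` above went unnoticed. The version outputs and the unit fragment are constructed samples; the directive-to-feature mapping is taken from the systemd.exec and systemd.resource-control man pages.

```shell
#!/bin/sh
# Unit directives that only take effect when `systemctl --version` lists
# +BPF_FRAMEWORK (per the systemd.exec and systemd.resource-control man pages).
BPF_FRAMEWORK_DIRECTIVES='SocketBindAllow SocketBindDeny RestrictNetworkInterfaces RestrictFileSystems'

# Constructed `systemctl --version` outputs (version and flag set are made up);
# the "-BPF_FRAMEWORK" one is what the silently broken build reported.
VERSION_BROKEN='systemd 256 (256.2)
+PAM +SECCOMP +OPENSSL +TPM2 -BPF_FRAMEWORK +UTMP default-hierarchy=unified'
VERSION_FIXED='systemd 256 (256.2)
+PAM +SECCOMP +OPENSSL +TPM2 +BPF_FRAMEWORK +UTMP default-hierarchy=unified'

# Constructed unit fragment mixing BPF-backed and ordinary directives.
UNIT='[Service]
ExecStart=/usr/bin/true
SocketBindDeny=any
RestrictNetworkInterfaces=lo'

# Print "enabled", "disabled" or "unknown" for feature $1 by scanning the
# +FEATURE / -FEATURE tokens of the `systemctl --version` text on stdin.
systemd_feature_state() {
    awk -v f="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == ("+" f)) { print "enabled";  found = 1; exit }
                if ($i == ("-" f)) { print "disabled"; found = 1; exit }
            }
        }
        END { if (!found) print "unknown" }'
}

# Read a unit file on stdin and, if the build described by $1 lacks
# BPF_FRAMEWORK, print each directive that will be accepted but not enforced.
ignored_bpf_directives() {
    state=$(printf '%s\n' "$1" | systemd_feature_state BPF_FRAMEWORK)
    if [ "$state" = enabled ]; then
        return 0
    fi
    # Keep only "Directive=" lines (skips section headers and comments).
    grep -E '^[[:space:]]*[A-Za-z]+=' | sed -E 's/^[[:space:]]*([A-Za-z]+)=.*/\1/' |
    while IFS= read -r directive; do
        for d in $BPF_FRAMEWORK_DIRECTIVES; do
            if [ "$directive" = "$d" ]; then
                printf '%s (BPF_FRAMEWORK %s)\n' "$directive" "$state"
            fi
        done
    done
}

printf '%s\n' "$UNIT" | ignored_bpf_directives "$VERSION_BROKEN"
```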

systemd meson.build apparently didn't check properly that the option was
enabled in all code paths, so it was possible to build systemd such that
--version would have -BPF_FRAMEWORK (properly disabled in config.h) with
-Dbpf-framework=enabled.

Fix the failing check, which was `clang -target bpf` breaking with
zerocallusedregs hardening -- this is apparently a known problem as it's
disabled in quite a few other packages that mention bpf in the comment above
the exception...

Link: systemd/systemd#33793
@martinetd martinetd requested a review from a team as a code owner July 20, 2024 11:58
@github-actions github-actions bot added the 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. label Jul 20, 2024
@martinetd (Member, Author)

hmm more packages than I remembered depend on systemd, happy to retarget this to staging

@ofborg ofborg bot requested review from flokli and kloenk July 20, 2024 12:31
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jul 20, 2024
@emilazy (Member) commented Jul 20, 2024

systemd changes definitely need to go to staging.

@arianvp arianvp changed the base branch from master to staging July 20, 2024 18:34
@arianvp arianvp requested a review from Mic92 July 20, 2024 18:36
@github-actions (Contributor)

Successfully created backport PR for staging-24.05:

@veehaitch veehaitch added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 22, 2024
@github-actions (Contributor)

Git push to origin failed for staging-24.05 with exitcode 1
