test-seccomp: assume socket filtering is broken on powerpc too#17722
Merged
poettering merged 1 commit intosystemd:masterfrom Nov 26, 2020
Merged
test-seccomp: assume socket filtering is broken on powerpc too#17722poettering merged 1 commit intosystemd:masterfrom
poettering merged 1 commit intosystemd:masterfrom
Conversation
yuwata
reviewed
Nov 26, 2020
Comment on lines
34
to
35
| /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, | ||
| * and we can't restrict it hence via seccomp. */ |
Member
There was a problem hiding this comment.
Hmm, this comment sounds incompatible with the comment in seccomp_restrict_address_families():
/* These we know we support (i.e. are the ones that do not use socketcall()) */
Is it not necessary to revert the change for seccomp_restrict_address_families() in da1921a?
Member
Author
There was a problem hiding this comment.
You're right, a revert is in order. Updated in place.
Member
Author
There was a problem hiding this comment.
This passes on ppc64 with libseccomp-2.5.0-3.fc33.ppc64le.
This reverts the gist of da1921a and 0d9fca7 (for ppc). Quoting systemd#17559: > libseccomp 2.5 added socket syscall multiplexing on ppc64(el): > seccomp/libseccomp#229 > > Like with i386, s390 and s390x this breaks socket argument filtering, so > RestrictAddressFamilies doesn't work. > > This causes the unit test to fail: > /* test_restrict_address_families */ > Operating on architecture: ppc > Failed to install socket family rules for architecture ppc, skipping: Operation canceled > Operating on architecture: ppc64 > Failed to add socket() rule for architecture ppc64, skipping: Invalid argument > Operating on architecture: ppc64-le > Failed to add socket() rule for architecture ppc64-le, skipping: Invalid argument > Assertion 'fd < 0' failed at src/test/test-seccomp.c:424, function test_restrict_address_families(). Aborting. > > The socket filters can't be added so `socket(AF_UNIX, SOCK_DGRAM, 0);` still > works, triggering the assertion. Fixes systemd#17559.
90f014d to
25e6e74
Compare
Member
|
(looks superficially ok, but I am no PPC person. Merged, since tests passed) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This partially reverts da1921a. Fixes #17559.
Quoting #17559:
libseccomp 2.5 added socket syscall multiplexing on ppc64(el):
seccomp/libseccomp#229
Like with i386, s390 and s390x this breaks socket argument filtering, so
RestrictAddressFamilies doesn't work.
This causes the unit test to fail:
/* test_restrict_address_families */
Operating on architecture: ppc
Failed to install socket family rules for architecture ppc, skipping: Operation canceled
Operating on architecture: ppc64
Failed to add socket() rule for architecture ppc64, skipping: Invalid argument
Operating on architecture: ppc64-le
Failed to add socket() rule for architecture ppc64-le, skipping: Invalid argument
Assertion 'fd < 0' failed at src/test/test-seccomp.c:424, function test_restrict_address_families(). Aborting.
The socket filters can't be added so
socket(AF_UNIX, SOCK_DGRAM, 0);stillworks, triggering the assertion.