[Bug 2590] Seccomp filter for missing architectures

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Aug 17 15:50:14 AEST 2016 

https://bugzilla.mindrot.org/show_bug.cgi?id=2590

--- Comment #6 from Joshua Kinard <kumba at gentoo.org> ---
(In reply to Darren Tucker from comment #5)
> (In reply to Joshua Kinard from comment #3)
> > 
> > I hate to reopen, but I found a corner case for MIPS broken by the
> > MIPS whitelist.  Specifically, the proposed whitelist does not
> > account for MIPS N32 ABI (under mips64).
> > 
> > Specifically:
> > +	mips64-*)
> > +		seccomp_audit_arch=AUDIT_ARCH_MIPS64
> > 
> > There needs to be another hook to somehow detect N32 and then set
> > either AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32
> > (little-endian).
> 
> what does configure.guess report on such systems?  If that's not a
> reliable indicator, what is?  mips64-* && AC_CHECK_SIZEOF([int],
> [4]) ?

config.guess reports back "mips64-unknown-linux-gnu", which is my
system CHOST value (Gentoo, SGI Octane).  It does the same in an O32
chroot, so this might be unreliable.  O32 Linux userlands require a
CHOST of "mips-unknown-linux-gnu", even when run under a mips64 kernel.

Per the MIPS N32 handbook, you can tell O32/N32 apart from N64 (full
64-bit) by checking the size of a pointer, which should be 8 bytes on
N64.  But it'll be 4 bytes under both O32/N32, so this approach won't
work either.

Is it possible to have configure compile a test binary using the
provided C compiler and flags, then check the file magic of the output
binary?  That's a definitive way to differ between all three ABI's (and
may even be applicable for multilib setups).  I scanned briefly through
the autoconf manual, but I don't see a built-in check for this.

O32 /bin/cat:
/bin/cat: ELF 32-bit MSB executable, MIPS, MIPS-IV version 1 (SYSV),
dynamically linked, interpreter /lib/ld.so.1, for GNU/Linux 2.6.32,
stripped

N32 /bin/cat:
/bin/cat: ELF 32-bit MSB executable, MIPS, N32 MIPS-IV version 1
(SYSV), dynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux
2.6.32, stripped

So a check for the presence of "N32" in file's output would be enough
to detect between O32 and N32.

Should you ever get around to supporting X32 on the Intel/AMD
platforms, this same situation is bound to come up again.  X32 either
copies, or was inspired by, N32 and so they aim to achieve similar
goals.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list