[Oneiric][pull request] SECCOMP syscall filtering

Kees Cook kees.cook at canonical.com
Thu Aug 18 17:46:10 UTC 2011


On Wed, Aug 17, 2011 at 03:49:20PM -0500, Will Drewry wrote:
> On Wed, Aug 17, 2011 at 3:28 PM, Leann Ogasawara
> <leann.ogasawara at canonical.com> wrote:
> > Kees, I'm seeing some build failures doing a quick test build on ARM
> > [1].  Did you want to disable on ARM for now or did you want to try and
> > fix up these failures?  Either way, care to send an updated pull request
> > to either fix up the build failures or disable for ARM?
> >
> > Thanks,
> > Leann
> >
> > [1]
> > kernel/seccomp.c: In function '__secure_computing':
> > kernel/seccomp.c:55:23: error: 'NR_syscalls' undeclared (first use in this function)
> > kernel/seccomp.c:55:23: note: each undeclared identifier is reported only once for each function it appears in
> > make[3]: *** [kernel/seccomp.o] Error 1
> > make[3]: *** Waiting for unfinished jobs....
> > ...
> > kernel/seccomp_filter.c:34:25: fatal error: asm/syscall.h: No such file or directory
> > compilation terminated.
> > make[3]: *** [kernel/seccomp_filter.o] Error 1
> Yup - it's broken on ARM.  My apologies!
> While I proposed wiring up NR_syscalls upstream yesterday, it uses
> syscall numbers as indices like ftrace_syscalls does which is not ARM
> friendly.  I am testing out a larger change to the patch to remove all
> references to NR_syscalls unless CONFIG_FTRACE_SYSCALLS is enabled.  I
> hope to have a better version available quite shortly.  I had failed
> to notice that I broke all these other platforms during the patchset
> churn on LKML.

For Oneiric, since we're pretty late, let's disable ARM. The new
syscall numbering will happen later, and we can update the patch then
(in Oneiric+1). The interface is the same, it'll just include
additional architecture support.

I'll prepare an updated pull.
Kees Cook
Ubuntu Security Team