lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <399D41C97A8022B1+ZzBTIyrwGyqb9Ai7@HX09040029.powercore.com.cn>
Date: Sun, 10 Nov 2024 14:30:59 +0800
From: Luming Yu <luming.yu@...ngroup.cn>
To: Michael Ellerman <mpe@...erman.id.au>
Cc: Christophe Leroy <christophe.leroy@...roup.eu>,
	linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	npiggin <npiggin@...il.com>, "luming.yu" <luming.yu@...il.com>
Subject: Re: [PATCH 1/7] powerpc/entry: convert to common and generic entry

On Thu, Nov 07, 2024 at 11:40:04AM +0800, Luming Yu wrote:
> On Tue, Nov 05, 2024 at 12:47:18PM +0800, Luming Yu wrote:
> > On Fri, Oct 25, 2024 at 10:50:05AM +0800, Luming Yu wrote:
> > > On Thu, Oct 24, 2024 at 04:43:04PM +0800, Luming Yu wrote:
> > > > On Wed, Oct 23, 2024 at 12:53:47PM +1100, Michael Ellerman wrote:
> > > > > "虞陆铭" <luming.yu@...ngroup.cn> writes:
> > > > > >>Le 12/10/2024 à 05:56, Luming Yu a écrit :
> > > > > >>> convert powerpc entry code in syscall and fault to use syscall_work
> > > > > >>> and irqentry_state as well as common calls implemented in generic
> > > > > >>> entry infrastructure.
> > > > > >>> 
> > > > > >>> Signed-off-by: Luming Yu <luming.yu@...ngroup.cn>
> > > > > >>> ---
> > > > > >>>   arch/powerpc/Kconfig                   | 1 +
> > > > > >>>   arch/powerpc/include/asm/hw_irq.h      | 5 +++++
> > > > > >>>   arch/powerpc/include/asm/processor.h   | 6 ++++++
> > > > > >>>   arch/powerpc/include/asm/syscall.h     | 5 +++++
> > > > > >>>   arch/powerpc/include/asm/thread_info.h | 1 +
> > > > > >>>   arch/powerpc/kernel/syscall.c          | 5 ++++-
> > > > > >>>   arch/powerpc/mm/fault.c                | 3 +++
> > > > > >>>   7 files changed, 25 insertions(+), 1 deletion(-)
> > > > > >>> 
> > > > > >>
> > > > > >>...
> > > > > >>
> > > > > >>> diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > > > > >>> index 77fedb190c93..e0338bd8d383 100644
> > > > > >>> --- a/arch/powerpc/kernel/syscall.c
> > > > > >>> +++ b/arch/powerpc/kernel/syscall.c
> > > > > >>> @@ -3,6 +3,7 @@
> > > > > >>>   #include <linux/compat.h>
> > > > > >>>   #include <linux/context_tracking.h>
> > > > > >>>   #include <linux/randomize_kstack.h>
> > > > > >>> +#include <linux/entry-common.h>
> > > > > >>>   
> > > > > >>>   #include <asm/interrupt.h>
> > > > > >>>   #include <asm/kup.h>
> > > > > >>> @@ -131,7 +132,7 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > > > > >>>   		 * and the test against NR_syscalls will fail and the return
> > > > > >>>   		 * value to be used is in regs->gpr[3].
> > > > > >>>   		 */
> > > > > >>> -		r0 = do_syscall_trace_enter(regs);
> > > > > >>> +		r0 = syscall_enter_from_user_mode(regs, r0);
> > > > > >>
> > > > > >>Can you provide details on how this works ?
> > > > > > I assume the common entry would take over th details.
> > > > > > So I just made the switch from the high level call.
> > > > > >
> > > >  > As you said as the subtle ABI requirement about regs->r3 needs to
> > > > > > be restored, I'm wondering which test can capture the lost
> > > > > > ABI feature. As simple Boot test is insufficient, what is the test set
> > > > > > that can capture it?
> > > > > 
> > > > > The seccomp selftest did exercise it back when I originally wrote that
> > > > > code. I don't know for sure that it still does, but that would be a good
> > > > > start.
> > > > > 
> > > > > It's in tools/testing/selftests/seccomp/
> > > > Thanks for the hint.
> > > > It seems to be running into some not ok cases the way hits the bpf test that doesn't return. 
> > > > I will re-run with the same kernel w/o the patch-set to sort out the cases that could be
> > > > caused by the patch Then I will try to debug out the root cause.
> > > w/o the patch set, all ok, as below. So, it would great if the test of feature can be used in
> > > linux-ci github workflow. And I'm clear what needs to be done in v2 now.
> > Despite being pulled to another urgent business for a while, I managed to sequeeze resource and
> > find the clue for the root cause that is a ppc specific test against a flag in thread info. 
> > By yanking out the ppc specific test as below, the most seccomp_bpf test run successfully 
> > w/ the patch set.
> > 
> > diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> > index dabe7f2b4bd4..2fa517160ef3 100644
> > --- a/arch/powerpc/kernel/syscall.c
> > +++ b/arch/powerpc/kernel/syscall.c
> > @@ -119,7 +119,7 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> > 
> >         local_irq_enable();
> > 
> > -       if (unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)) {
> > +       if (1/*unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)*/) {
> >                 if (unlikely(trap_is_unsupported_scv(regs))) {
> >                         /* Unsupported scv vector */
> >                         _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
> > 
> > Let me clean it up a little bit more then I will send out patch update soon.
> diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
> index dabe7f2b4bd4..960a1cd6fb7e 100644
> --- a/arch/powerpc/kernel/syscall.c
> +++ b/arch/powerpc/kernel/syscall.c
> @@ -119,7 +119,7 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
> 
>         local_irq_enable();
> 
> -       if (unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)) {
> +       if (1 /*unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)*/) {
>                 if (unlikely(trap_is_unsupported_scv(regs))) {
>                         /* Unsupported scv vector */
>                         _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
> @@ -132,10 +132,18 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
>                  * and the test against NR_syscalls will fail and the return
>                  * value to be used is in regs->gpr[3].
>                  */
> +               if (test_thread_flag(TIF_SECCOMP))
> +                       regs->gpr[3] = -ENOSYS;
>                 r0 = syscall_enter_from_user_mode(regs, r0);
> +               if (test_thread_flag(TIF_SECCOMP) && (r0 != -1)) {
> +                       regs->gpr[3] = regs->orig_gpr3;
> +                       r0 = regs->gpr[0];
> +               }
> +               if (regs->gpr[0] > NR_syscalls)
> +                       regs->gpr[3] = -ENOSYS;
> +
>                 if (unlikely(r0 >= NR_syscalls))
>                         return regs->gpr[3];
> 
> Trying to mimic the original parameters, pt_regs and return value behavior from the deleted code,
> out of 98 seccomp_bpf test cases, there are still two subtle cases failed.
> 
> #  RUN           TRACE_syscall.seccomp.syscall_errno ...
> # seccomp_bpf.c:2227:syscall_errno:Expected -(-3) (3) == errno (38)
> # syscall_errno: Test failed
> #          FAIL  TRACE_syscall.seccomp.syscall_errno
> not ok 85 TRACE_syscall.seccomp.syscall_errno
> #  RUN           TRACE_syscall.seccomp.syscall_faked ...
> # seccomp_bpf.c:2233:syscall_faked:Expected 45000 (45000) == syscall(207) (-1)
> # syscall_faked: Test failed
> #          FAIL  TRACE_syscall.seccomp.syscall_faked
> not ok 86 TRACE_syscall.seccomp.syscall_faked
>  
> Apparently, there is still some magic that needs to be debug out.
> 
> # FAILED: 96 / 98 tests passed.
> # Totals: pass:96 fail:2 xfail:0 xpass:0 skip:0 error:0
Due to the common layer and internal calls details are hidden from
the top level at the call side in ppc arch code, there are some difficulties in preserving
all semantics implications of the original code in the patch. e.g  when we got -1 returned
from syscall_enter_from_user_mode, without touching common code, we have to do
our own inference to recover the reasonable route to return, in order to have correct errno
and syscall work behaviors,that are tested in seccomp_bpf 98 test cases. (test coverage is
another story)

I managed to get this one done, which seems to have passed all these seccomp_bpf 98 tests.
 
[root@10 linux-ci]# git diff HEAD arch/powerpc/kernel/syscall.c
diff --git a/arch/powerpc/kernel/syscall.c b/arch/powerpc/kernel/syscall.c
index dabe7f2b4bd4..b18703e47e4b 100644
--- a/arch/powerpc/kernel/syscall.c
+++ b/arch/powerpc/kernel/syscall.c
@@ -18,6 +18,7 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
 {
        long ret;
        syscall_fn f;
+       unsigned long work = READ_ONCE(current_thread_info()->syscall_work);

        kuap_lock();

@@ -119,7 +120,8 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)

        local_irq_enable();

-       if (unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)) {
+       //if (1 /*unlikely(read_thread_flags() & _TIF_SYSCALL_DOTRACE)*/) {
+       if (work & SYSCALL_WORK_ENTER) {
                if (unlikely(trap_is_unsupported_scv(regs))) {
                        /* Unsupported scv vector */
                        _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
@@ -132,10 +134,37 @@ notrace long system_call_exception(struct pt_regs *regs, unsigned long r0)
                 * and the test against NR_syscalls will fail and the return
                 * value to be used is in regs->gpr[3].
                 */
+               //if (test_thread_flag(TIF_SECCOMP))
+               if (test_syscall_work(SECCOMP) &&
+                               !test_syscall_work(SYSCALL_EMU))
+                       regs->gpr[3] = -ENOSYS;
                r0 = syscall_enter_from_user_mode(regs, r0);
+
+               //if ((r0 != -1) && test_thread_flag(TIF_SECCOMP)) {
+               if (test_syscall_work(SECCOMP)) {
+                       if (r0 != -1)
+                               regs->gpr[3] = regs->orig_gpr3;
+                       else
+                               goto skip;
+               }
+               //if (r0 && test_thread_flag(TIF_SYSCALL_TRACEPOINT)) {
+               if ((r0 == -1) && (test_syscall_work(SYSCALL_TRACE))) {
+                       goto skip1;
+               }
+               if ((r0 == -1) && test_syscall_work(SYSCALL_EMU))
+                       goto skip;
+               if (regs->gpr[0] >= NR_syscalls)
+                       goto skip1;
+
+               r0 = regs->gpr[0];
+               if (r0 != -1)
+                       goto skip;
+skip1:
+               r0 = -1;
+               regs->gpr[3] = -ENOSYS;
+skip:
                if (unlikely(r0 >= NR_syscalls))
                        return regs->gpr[3];

Apparently, more reivew and testing are required for 
the v2 version update of the ppc common entry feature I will send out today. 

> 
> 
> > 
> > > [root@10 linux-ci]# make -C tools/testing/selftests TARGETS=seccomp run_tests
> > > make: Entering directory '/root/linux-ci/tools/testing/selftests'
> > > make[1]: Nothing to be done for 'all'.
> > > TAP version 13
> > > 1..2
> > > # timeout set to 180
> > > # selftests: seccomp: seccomp_bpf
> > > # TAP version 13
> > > # 1..98
> > > # # Starting 98 tests from 8 test cases.
> > > # #  RUN           global.kcmp ...
> > > # #            OK  global.kcmp
> > > # ok 1 global.kcmp
> > > # #  RUN           global.mode_strict_support ...
> > > # #            OK  global.mode_strict_support
> > > # ok 2 global.mode_strict_support
> > > # #  RUN           global.mode_strict_cannot_call_prctl ...
> > > # #            OK  global.mode_strict_cannot_call_prctl
> > > # ok 3 global.mode_strict_cannot_call_prctl
> > > # #  RUN           global.no_new_privs_support ...
> > > # #            OK  global.no_new_privs_support
> > > # ok 4 global.no_new_privs_support
> > > # #  RUN           global.mode_filter_support ...
> > > # #            OK  global.mode_filter_support
> > > # ok 5 global.mode_filter_support
> > > # #  RUN           global.mode_filter_without_nnp ...
> > > # #            OK  global.mode_filter_without_nnp
> > > # ok 6 global.mode_filter_without_nnp
> > > # #  RUN           global.filter_size_limits ...
> > > # #            OK  global.filter_size_limits
> > > # ok 7 global.filter_size_limits
> > > # #  RUN           global.filter_chain_limits ...
> > > # #            OK  global.filter_chain_limits
> > > # ok 8 global.filter_chain_limits
> > > # #  RUN           global.mode_filter_cannot_move_to_strict ...
> > > # #            OK  global.mode_filter_cannot_move_to_strict
> > > # ok 9 global.mode_filter_cannot_move_to_strict
> > > # #  RUN           global.mode_filter_get_seccomp ...
> > > # #            OK  global.mode_filter_get_seccomp
> > > # ok 10 global.mode_filter_get_seccomp
> > > # #  RUN           global.ALLOW_all ...
> > > # #            OK  global.ALLOW_all
> > > # ok 11 global.ALLOW_all
> > > # #  RUN           global.empty_prog ...
> > > # #            OK  global.empty_prog
> > > # ok 12 global.empty_prog
> > > # #  RUN           global.log_all ...
> > > # #            OK  global.log_all
> > > # ok 13 global.log_all
> > > # #  RUN           global.unknown_ret_is_kill_inside ...
> > > # #            OK  global.unknown_ret_is_kill_inside
> > > # ok 14 global.unknown_ret_is_kill_inside
> > > # #  RUN           global.unknown_ret_is_kill_above_allow ...
> > > # #            OK  global.unknown_ret_is_kill_above_allow
> > > # ok 15 global.unknown_ret_is_kill_above_allow
> > > # #  RUN           global.KILL_all ...
> > > # #            OK  global.KILL_all
> > > # ok 16 global.KILL_all
> > > # #  RUN           global.KILL_one ...
> > > # #            OK  global.KILL_one
> > > # ok 17 global.KILL_one
> > > # #  RUN           global.KILL_one_arg_one ...
> > > # #            OK  global.KILL_one_arg_one
> > > # ok 18 global.KILL_one_arg_one
> > > # #  RUN           global.KILL_one_arg_six ...
> > > # #            OK  global.KILL_one_arg_six
> > > # ok 19 global.KILL_one_arg_six
> > > # #  RUN           global.KILL_thread ...
> > > # #            OK  global.KILL_thread
> > > # ok 20 global.KILL_thread
> > > # #  RUN           global.KILL_process ...
> > > # #            OK  global.KILL_process
> > > # ok 21 global.KILL_process
> > > # #  RUN           global.KILL_unknown ...
> > > # #            OK  global.KILL_unknown
> > > # ok 22 global.KILL_unknown
> > > # #  RUN           global.arg_out_of_range ...
> > > # #            OK  global.arg_out_of_range
> > > # ok 23 global.arg_out_of_range
> > > # #  RUN           global.ERRNO_valid ...
> > > # #            OK  global.ERRNO_valid
> > > # ok 24 global.ERRNO_valid
> > > # #  RUN           global.ERRNO_zero ...
> > > # #            OK  global.ERRNO_zero
> > > # ok 25 global.ERRNO_zero
> > > # #  RUN           global.ERRNO_capped ...
> > > # #            OK  global.ERRNO_capped
> > > # ok 26 global.ERRNO_capped
> > > # #  RUN           global.ERRNO_order ...
> > > # #            OK  global.ERRNO_order
> > > # ok 27 global.ERRNO_order
> > > # #  RUN           global.negative_ENOSYS ...
> > > # #            OK  global.negative_ENOSYS
> > > # ok 28 global.negative_ENOSYS
> > > # #  RUN           global.seccomp_syscall ...
> > > # #            OK  global.seccomp_syscall
> > > # ok 29 global.seccomp_syscall
> > > # #  RUN           global.seccomp_syscall_mode_lock ...
> > > # #            OK  global.seccomp_syscall_mode_lock
> > > # ok 30 global.seccomp_syscall_mode_lock
> > > # #  RUN           global.detect_seccomp_filter_flags ...
> > > # #            OK  global.detect_seccomp_filter_flags
> > > # ok 31 global.detect_seccomp_filter_flags
> > > # #  RUN           global.TSYNC_first ...
> > > # #            OK  global.TSYNC_first
> > > # ok 32 global.TSYNC_first
> > > # #  RUN           global.syscall_restart ...
> > > # #            OK  global.syscall_restart
> > > # ok 33 global.syscall_restart
> > > # #  RUN           global.filter_flag_log ...
> > > # #            OK  global.filter_flag_log
> > > # ok 34 global.filter_flag_log
> > > # #  RUN           global.get_action_avail ...
> > > # #            OK  global.get_action_avail
> > > # ok 35 global.get_action_avail
> > > # #  RUN           global.get_metadata ...
> > > # #            OK  global.get_metadata
> > > # ok 36 global.get_metadata
> > > # #  RUN           global.user_notification_basic ...
> > > # #            OK  global.user_notification_basic
> > > # ok 37 global.user_notification_basic
> > > # #  RUN           global.user_notification_with_tsync ...
> > > # #            OK  global.user_notification_with_tsync
> > > # ok 38 global.user_notification_with_tsync
> > > # #  RUN           global.user_notification_kill_in_middle ...
> > > # #            OK  global.user_notification_kill_in_middle
> > > # ok 39 global.user_notification_kill_in_middle
> > > # #  RUN           global.user_notification_signal ...
> > > # #            OK  global.user_notification_signal
> > > # ok 40 global.user_notification_signal
> > > # #  RUN           global.user_notification_closed_listener ...
> > > # #            OK  global.user_notification_closed_listener
> > > # ok 41 global.user_notification_closed_listener
> > > # #  RUN           global.user_notification_child_pid_ns ...
> > > # #            OK  global.user_notification_child_pid_ns
> > > # ok 42 global.user_notification_child_pid_ns
> > > # #  RUN           global.user_notification_sibling_pid_ns ...
> > > # #            OK  global.user_notification_sibling_pid_ns
> > > # ok 43 global.user_notification_sibling_pid_ns
> > > # #  RUN           global.user_notification_fault_recv ...
> > > # #            OK  global.user_notification_fault_recv
> > > # ok 44 global.user_notification_fault_recv
> > > # #  RUN           global.seccomp_get_notif_sizes ...
> > > # #            OK  global.seccomp_get_notif_sizes
> > > # ok 45 global.seccomp_get_notif_sizes
> > > # #  RUN           global.user_notification_continue ...
> > > # #            OK  global.user_notification_continue
> > > # ok 46 global.user_notification_continue
> > > # #  RUN           global.user_notification_filter_empty ...
> > > # #            OK  global.user_notification_filter_empty
> > > # ok 47 global.user_notification_filter_empty
> > > # #  RUN           global.user_ioctl_notification_filter_empty ...
> > > # #            OK  global.user_ioctl_notification_filter_empty
> > > # ok 48 global.user_ioctl_notification_filter_empty
> > > # #  RUN           global.user_notification_filter_empty_threaded ...
> > > # #            OK  global.user_notification_filter_empty_threaded
> > > # ok 49 global.user_notification_filter_empty_threaded
> > > # #  RUN           global.user_notification_addfd ...
> > > # #            OK  global.user_notification_addfd
> > > # ok 50 global.user_notification_addfd
> > > # #  RUN           global.user_notification_addfd_rlimit ...
> > > # #            OK  global.user_notification_addfd_rlimit
> > > # ok 51 global.user_notification_addfd_rlimit
> > > # #  RUN           global.user_notification_sync ...
> > > # #            OK  global.user_notification_sync
> > > # ok 52 global.user_notification_sync
> > > # #  RUN           global.user_notification_fifo ...
> > > # #            OK  global.user_notification_fifo
> > > # ok 53 global.user_notification_fifo
> > > # #  RUN           global.user_notification_wait_killable_pre_notification ...
> > > # #            OK  global.user_notification_wait_killable_pre_notification
> > > # ok 54 global.user_notification_wait_killable_pre_notification
> > > # #  RUN           global.user_notification_wait_killable ...
> > > # #            OK  global.user_notification_wait_killable
> > > # ok 55 global.user_notification_wait_killable
> > > # #  RUN           global.user_notification_wait_killable_fatal ...
> > > # #            OK  global.user_notification_wait_killable_fatal
> > > # ok 56 global.user_notification_wait_killable_fatal
> > > # #  RUN           global.tsync_vs_dead_thread_leader ...
> > > # #            OK  global.tsync_vs_dead_thread_leader
> > > # ok 57 global.tsync_vs_dead_thread_leader
> > > # #  RUN           TRAP.dfl ...
> > > # #            OK  TRAP.dfl
> > > # ok 58 TRAP.dfl
> > > # #  RUN           TRAP.ign ...
> > > # #            OK  TRAP.ign
> > > # ok 59 TRAP.ign
> > > # #  RUN           TRAP.handler ...
> > > # #            OK  TRAP.handler
> > > # ok 60 TRAP.handler
> > > # #  RUN           precedence.allow_ok ...
> > > # #            OK  precedence.allow_ok
> > > # ok 61 precedence.allow_ok
> > > # #  RUN           precedence.kill_is_highest ...
> > > # #            OK  precedence.kill_is_highest
> > > # ok 62 precedence.kill_is_highest
> > > # #  RUN           precedence.kill_is_highest_in_any_order ...
> > > # #            OK  precedence.kill_is_highest_in_any_order
> > > # ok 63 precedence.kill_is_highest_in_any_order
> > > # #  RUN           precedence.trap_is_second ...
> > > # #            OK  precedence.trap_is_second
> > > # ok 64 precedence.trap_is_second
> > > # #  RUN           precedence.trap_is_second_in_any_order ...
> > > # #            OK  precedence.trap_is_second_in_any_order
> > > # ok 65 precedence.trap_is_second_in_any_order
> > > # #  RUN           precedence.errno_is_third ...
> > > # #            OK  precedence.errno_is_third
> > > # ok 66 precedence.errno_is_third
> > > # #  RUN           precedence.errno_is_third_in_any_order ...
> > > # #            OK  precedence.errno_is_third_in_any_order
> > > # ok 67 precedence.errno_is_third_in_any_order
> > > # #  RUN           precedence.trace_is_fourth ...
> > > # #            OK  precedence.trace_is_fourth
> > > # ok 68 precedence.trace_is_fourth
> > > # #  RUN           precedence.trace_is_fourth_in_any_order ...
> > > # #            OK  precedence.trace_is_fourth_in_any_order
> > > # ok 69 precedence.trace_is_fourth_in_any_order
> > > # #  RUN           precedence.log_is_fifth ...
> > > # #            OK  precedence.log_is_fifth
> > > # ok 70 precedence.log_is_fifth
> > > # #  RUN           precedence.log_is_fifth_in_any_order ...
> > > # #            OK  precedence.log_is_fifth_in_any_order
> > > # ok 71 precedence.log_is_fifth_in_any_order
> > > # #  RUN           TRACE_poke.read_has_side_effects ...
> > > # #            OK  TRACE_poke.read_has_side_effects
> > > # ok 72 TRACE_poke.read_has_side_effects
> > > # #  RUN           TRACE_poke.getpid_runs_normally ...
> > > # #            OK  TRACE_poke.getpid_runs_normally
> > > # ok 73 TRACE_poke.getpid_runs_normally
> > > # #  RUN           TRACE_syscall.ptrace.negative_ENOSYS ...
> > > # #            OK  TRACE_syscall.ptrace.negative_ENOSYS
> > > # ok 74 TRACE_syscall.ptrace.negative_ENOSYS
> > > # #  RUN           TRACE_syscall.ptrace.syscall_allowed ...
> > > # #            OK  TRACE_syscall.ptrace.syscall_allowed
> > > # ok 75 TRACE_syscall.ptrace.syscall_allowed
> > > # #  RUN           TRACE_syscall.ptrace.syscall_redirected ...
> > > # #            OK  TRACE_syscall.ptrace.syscall_redirected
> > > # ok 76 TRACE_syscall.ptrace.syscall_redirected
> > > # #  RUN           TRACE_syscall.ptrace.syscall_errno ...
> > > # #            OK  TRACE_syscall.ptrace.syscall_errno
> > > # ok 77 TRACE_syscall.ptrace.syscall_errno
> > > # #  RUN           TRACE_syscall.ptrace.syscall_faked ...
> > > # #            OK  TRACE_syscall.ptrace.syscall_faked
> > > # ok 78 TRACE_syscall.ptrace.syscall_faked
> > > # #  RUN           TRACE_syscall.ptrace.kill_immediate ...
> > > # #            OK  TRACE_syscall.ptrace.kill_immediate
> > > # ok 79 TRACE_syscall.ptrace.kill_immediate
> > > # #  RUN           TRACE_syscall.ptrace.skip_after ...
> > > # #            OK  TRACE_syscall.ptrace.skip_after
> > > # ok 80 TRACE_syscall.ptrace.skip_after
> > > # #  RUN           TRACE_syscall.ptrace.kill_after ...
> > > # #            OK  TRACE_syscall.ptrace.kill_after
> > > # ok 81 TRACE_syscall.ptrace.kill_after
> > > # #  RUN           TRACE_syscall.seccomp.negative_ENOSYS ...
> > > # #            OK  TRACE_syscall.seccomp.negative_ENOSYS
> > > # ok 82 TRACE_syscall.seccomp.negative_ENOSYS
> > > # #  RUN           TRACE_syscall.seccomp.syscall_allowed ...
> > > # #            OK  TRACE_syscall.seccomp.syscall_allowed
> > > # ok 83 TRACE_syscall.seccomp.syscall_allowed
> > > # #  RUN           TRACE_syscall.seccomp.syscall_redirected ...
> > > # #            OK  TRACE_syscall.seccomp.syscall_redirected
> > > # ok 84 TRACE_syscall.seccomp.syscall_redirected
> > > # #  RUN           TRACE_syscall.seccomp.syscall_errno ...
> > > # #            OK  TRACE_syscall.seccomp.syscall_errno
> > > # ok 85 TRACE_syscall.seccomp.syscall_errno
> > > # #  RUN           TRACE_syscall.seccomp.syscall_faked ...
> > > # #            OK  TRACE_syscall.seccomp.syscall_faked
> > > # ok 86 TRACE_syscall.seccomp.syscall_faked
> > > # #  RUN           TRACE_syscall.seccomp.kill_immediate ...
> > > # #            OK  TRACE_syscall.seccomp.kill_immediate
> > > # ok 87 TRACE_syscall.seccomp.kill_immediate
> > > # #  RUN           TRACE_syscall.seccomp.skip_after ...
> > > # #            OK  TRACE_syscall.seccomp.skip_after
> > > # ok 88 TRACE_syscall.seccomp.skip_after
> > > # #  RUN           TRACE_syscall.seccomp.kill_after ...
> > > # #            OK  TRACE_syscall.seccomp.kill_after
> > > # ok 89 TRACE_syscall.seccomp.kill_after
> > > # #  RUN           TSYNC.siblings_fail_prctl ...
> > > # #            OK  TSYNC.siblings_fail_prctl
> > > # ok 90 TSYNC.siblings_fail_prctl
> > > # #  RUN           TSYNC.two_siblings_with_ancestor ...
> > > # #            OK  TSYNC.two_siblings_with_ancestor
> > > # ok 91 TSYNC.two_siblings_with_ancestor
> > > # #  RUN           TSYNC.two_sibling_want_nnp ...
> > > # #            OK  TSYNC.two_sibling_want_nnp
> > > # ok 92 TSYNC.two_sibling_want_nnp
> > > # #  RUN           TSYNC.two_siblings_with_no_filter ...
> > > # #            OK  TSYNC.two_siblings_with_no_filter
> > > # ok 93 TSYNC.two_siblings_with_no_filter
> > > # #  RUN           TSYNC.two_siblings_with_one_divergence ...
> > > # #            OK  TSYNC.two_siblings_with_one_divergence
> > > # ok 94 TSYNC.two_siblings_with_one_divergence
> > > # #  RUN           TSYNC.two_siblings_with_one_divergence_no_tid_in_err ...
> > > # #            OK  TSYNC.two_siblings_with_one_divergence_no_tid_in_err
> > > # ok 95 TSYNC.two_siblings_with_one_divergence_no_tid_in_err
> > > # #  RUN           TSYNC.two_siblings_not_under_filter ...
> > > # #            OK  TSYNC.two_siblings_not_under_filter
> > > # ok 96 TSYNC.two_siblings_not_under_filter
> > > # #  RUN           O_SUSPEND_SECCOMP.setoptions ...
> > > # #            OK  O_SUSPEND_SECCOMP.setoptions
> > > # ok 97 O_SUSPEND_SECCOMP.setoptions
> > > # #  RUN           O_SUSPEND_SECCOMP.seize ...
> > > # #            OK  O_SUSPEND_SECCOMP.seize
> > > # ok 98 O_SUSPEND_SECCOMP.seize
> > > # # PASSED: 98 / 98 tests passed.
> > > # # Totals: pass:98 fail:0 xfail:0 xpass:0 skip:0 error:0
> > > ok 1 selftests: seccomp: seccomp_bpf
> > > # timeout set to 180
> > > # selftests: seccomp: seccomp_benchmark
> > > # TAP version 13
> > > # 1..7
> > > # # Running on:
> > > # # Linux 10.0.2.15 6.12.0-rc1-gf85c105361db #6 SMP Thu Oct 24 12:16:15 UTC 2024 ppc64le GNU/Linux
> > > # # Current BPF sysctl settings:
> > > # # /proc/sys/net/core/bpf_jit_enable:1
> > > # # /proc/sys/net/core/bpf_jit_harden:0
> > > # Pinned to CPU 16 of 16
> > > # # Calibrating sample size for 15 seconds worth of syscalls ...
> > > # # Benchmarking 56397315 syscalls...
> > > [  263.908829][   C15] sched: DL replenish lagged too much
> > > # # 12.720538528 - 0.000000000 = 12720538528 (12.7s)
> > > # # getpid native: 225 ns
> > > # # 31.362959638 - 12.720723906 = 18642235732 (18.6s)
> > > # # getpid RET_ALLOW 1 filter (bitmap): 330 ns
> > > # # 50.202651764 - 31.363058760 = 18839593004 (18.8s)
> > > # # getpid RET_ALLOW 2 filters (bitmap): 334 ns
> > > # # 73.073719578 - 50.202778500 = 22870941078 (22.9s)
> > > # # getpid RET_ALLOW 3 filters (full): 405 ns
> > > # # 97.560580500 - 73.073834670 = 24486745830 (24.5s)
> > > # # getpid RET_ALLOW 4 filters (full): 434 ns
> > > # # Estimated total seccomp overhead for 1 bitmapped filter: 105 ns
> > > # # Estimated total seccomp overhead for 2 bitmapped filters: 109 ns
> > > # # Estimated total seccomp overhead for 3 full filters: 180 ns
> > > # # Estimated total seccomp overhead for 4 full filters: 209 ns
> > > # # Estimated seccomp entry overhead: 101 ns
> > > # # Estimated seccomp per-filter overhead (last 2 diff): 29 ns
> > > # # Estimated seccomp per-filter overhead (filters / 4): 27 ns
> > > # # Expectations:
> > > # #     native ≤ 1 bitmap (225 ≤ 330): ✔️
> > > # ok 1 native ≤ 1 bitmap
> > > # #     native ≤ 1 filter (225 ≤ 405): ✔️
> > > # ok 2 native ≤ 1 filter
> > > # #     per-filter (last 2 diff) ≈ per-filter (filters / 4) (29 ≈ 27): ✔️
> > > # ok 3 per-filter (last 2 diff) ≈ per-filter (filters / 4)
> > > # #     1 bitmapped ≈ 2 bitmapped (105 ≈ 109): ✔️
> > > # ok 4 1 bitmapped ≈ 2 bitmapped
> > > # #     entry ≈ 1 bitmapped (101 ≈ 105): ✔️
> > > # ok 5 entry ≈ 1 bitmapped
> > > # #     entry ≈ 2 bitmapped (101 ≈ 109): ✔️
> > > # ok 6 entry ≈ 2 bitmapped
> > > # #     native + entry + (per filter * 4) ≈ 4 filters total (442 ≈ 434): ✔️
> > > # ok 7 native + entry + (per filter * 4) ≈ 4 filters total
> > > # # Totals: pass:7 fail:0 xfail:0 xpass:0 skip:0 error:0
> > > ok 2 selftests: seccomp: seccomp_benchmark
> > > make: Leaving directory '/root/linux-ci/tools/testing/selftests'
> > > 
> > > 
> > > > [root@10 linux-ci]# make -C tools/testing/selftests TARGETS=seccomp run_tests
> > > > make: Entering directory '/root/linux-ci/tools/testing/selftests'
> > > > make[1]: Nothing to be done for 'all'.
> > > > TAP version 13
> > > > 1..2
> > > > # timeout set to 180
> > > > # selftests: seccomp: seccomp_bpf
> > > > # TAP version 13
> > > > # 1..98
> > > > # # Starting 98 tests from 8 test cases.
> > > > # #  RUN           global.kcmp ...
> > > > # #            OK  global.kcmp
> > > > # ok 1 global.kcmp
> > > > # #  RUN           global.mode_strict_support ...
> > > > # #            OK  global.mode_strict_support
> > > > # ok 2 global.mode_strict_support
> > > > # #  RUN           global.mode_strict_cannot_call_prctl ...
> > > > # # seccomp_bpf.c:359:mode_strict_cannot_call_prctl:Expected 0 (0) == true (1)
> > > > # # seccomp_bpf.c:360:mode_strict_cannot_call_prctl:Unreachable!
> > > > # # mode_strict_cannot_call_prctl: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.mode_strict_cannot_call_prctl
> > > > # not ok 3 global.mode_strict_cannot_call_prctl
> > > > # #  RUN           global.no_new_privs_support ...
> > > > # #            OK  global.no_new_privs_support
> > > > # ok 4 global.no_new_privs_support
> > > > # #  RUN           global.mode_filter_support ...
> > > > # #            OK  global.mode_filter_support
> > > > # ok 5 global.mode_filter_support
> > > > # #  RUN           global.mode_filter_without_nnp ...
> > > > # #            OK  global.mode_filter_without_nnp
> > > > # ok 6 global.mode_filter_without_nnp
> > > > # #  RUN           global.filter_size_limits ...
> > > > # #            OK  global.filter_size_limits
> > > > # ok 7 global.filter_size_limits
> > > > # #  RUN           global.filter_chain_limits ...
> > > > # #            OK  global.filter_chain_limits
> > > > # ok 8 global.filter_chain_limits
> > > > # #  RUN           global.mode_filter_cannot_move_to_strict ...
> > > > # #            OK  global.mode_filter_cannot_move_to_strict
> > > > # ok 9 global.mode_filter_cannot_move_to_strict
> > > > # #  RUN           global.mode_filter_get_seccomp ...
> > > > # #            OK  global.mode_filter_get_seccomp
> > > > # ok 10 global.mode_filter_get_seccomp
> > > > # #  RUN           global.ALLOW_all ...
> > > > # #            OK  global.ALLOW_all
> > > > # ok 11 global.ALLOW_all
> > > > # #  RUN           global.empty_prog ...
> > > > # #            OK  global.empty_prog
> > > > # ok 12 global.empty_prog
> > > > # #  RUN           global.log_all ...
> > > > # #            OK  global.log_all
> > > > # ok 13 global.log_all
> > > > # #  RUN           global.unknown_ret_is_kill_inside ...
> > > > # # seccomp_bpf.c:621:unknown_ret_is_kill_inside:Expected 0 (0) == syscall(__NR_getpid) (1406)
> > > > # # seccomp_bpf.c:622:unknown_ret_is_kill_inside:getpid() shouldn't ever return
> > > > # # unknown_ret_is_kill_inside: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.unknown_ret_is_kill_inside
> > > > # not ok 14 global.unknown_ret_is_kill_inside
> > > > # #  RUN           global.unknown_ret_is_kill_above_allow ...
> > > > # # seccomp_bpf.c:643:unknown_ret_is_kill_above_allow:Expected 0 (0) == syscall(__NR_getpid) (1407)
> > > > # # seccomp_bpf.c:644:unknown_ret_is_kill_above_allow:getpid() shouldn't ever return
> > > > # # unknown_ret_is_kill_above_allow: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.unknown_ret_is_kill_above_allow
> > > > # not ok 15 global.unknown_ret_is_kill_above_allow
> > > > # #  RUN           global.KILL_all ...
> > > > # # KILL_all: Test exited normally instead of by signal (code: 0)
> > > > # #          FAIL  global.KILL_all
> > > > # not ok 16 global.KILL_all
> > > > # #  RUN           global.KILL_one ...
> > > > # # seccomp_bpf.c:690:KILL_one:Expected 0 (0) == syscall(__NR_getpid) (1409)
> > > > # # KILL_one: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.KILL_one
> > > > # not ok 17 global.KILL_one
> > > > # #  RUN           global.KILL_one_arg_one ...
> > > > # # seccomp_bpf.c:726:KILL_one_arg_one:Expected 0 (0) == syscall(__NR_times, &fatal_address) (4295224651)
> > > > # # KILL_one_arg_one: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.KILL_one_arg_one
> > > > # not ok 18 global.KILL_one_arg_one
> > > > # #  RUN           global.KILL_one_arg_six ...
> > > > # # KILL_one_arg_six: Test exited normally instead of by signal (code: 0)
> > > > # #          FAIL  global.KILL_one_arg_six
> > > > # not ok 19 global.KILL_one_arg_six
> > > > # #  RUN           global.KILL_thread ...
> > > > # # seccomp_bpf.c:856:KILL_thread:Expected SIBLING_EXIT_FAILURE (195951310) != (unsigned long)status (195951310)
> > > > # # seccomp_bpf.c:881:KILL_thread:Expected 0 (0) != WIFEXITED(status) (0)
> > > > # # KILL_thread: Test terminated by assertion
> > > > # #          FAIL  global.KILL_thread
> > > > # not ok 20 global.KILL_thread
> > > > # #  RUN           global.KILL_process ...
> > > > # # seccomp_bpf.c:856:KILL_process:Expected SIBLING_EXIT_FAILURE (195951310) != (unsigned long)status (195951310)
> > > > # # seccomp_bpf.c:901:KILL_process:Expected SIGSYS (31) == WTERMSIG(status) (6)
> > > > # # KILL_process: Test terminated by assertion
> > > > # #          FAIL  global.KILL_process
> > > > # not ok 21 global.KILL_process
> > > > # #  RUN           global.KILL_unknown ...
> > > > # # seccomp_bpf.c:856:KILL_unknown:Expected SIBLING_EXIT_FAILURE (195951310) != (unsigned long)status (195951310)
> > > > # # seccomp_bpf.c:922:KILL_unknown:Expected SIGSYS (31) == WTERMSIG(status) (6)
> > > > # # KILL_unknown: Test terminated by assertion
> > > > # #          FAIL  global.KILL_unknown
> > > > # not ok 22 global.KILL_unknown
> > > > # #  RUN           global.arg_out_of_range ...
> > > > # #            OK  global.arg_out_of_range
> > > > # ok 23 global.arg_out_of_range
> > > > # #  RUN           global.ERRNO_valid ...
> > > > # # seccomp_bpf.c:974:ERRNO_valid:Expected E2BIG (7) == errno (9)
> > > > # # ERRNO_valid: Test failed
> > > > # #          FAIL  global.ERRNO_valid
> > > > # not ok 24 global.ERRNO_valid
> > > > # #  RUN           global.ERRNO_zero ...
> > > > # # seccomp_bpf.c:992:ERRNO_zero:Expected 0 (0) == read(-1, NULL, 0) (-1)
> > > > # # ERRNO_zero: Test failed
> > > > # #          FAIL  global.ERRNO_zero
> > > > # not ok 25 global.ERRNO_zero
> > > > # #  RUN           global.ERRNO_capped ...
> > > > # # seccomp_bpf.c:1014:ERRNO_capped:Expected 4095 (4095) == errno (9)
> > > > # # ERRNO_capped: Test failed
> > > > # #          FAIL  global.ERRNO_capped
> > > > # not ok 26 global.ERRNO_capped
> > > > # #  RUN           global.ERRNO_order ...
> > > > # # seccomp_bpf.c:1045:ERRNO_order:Expected 12 (12) == errno (9)
> > > > # # ERRNO_order: Test failed
> > > > # #          FAIL  global.ERRNO_order
> > > > # not ok 27 global.ERRNO_order
> > > > # #  RUN           global.negative_ENOSYS ...
> > > > # #            OK  global.negative_ENOSYS
> > > > # ok 28 global.negative_ENOSYS
> > > > # #  RUN           global.seccomp_syscall ...
> > > > # #            OK  global.seccomp_syscall
> > > > # ok 29 global.seccomp_syscall
> > > > # #  RUN           global.seccomp_syscall_mode_lock ...
> > > > # #            OK  global.seccomp_syscall_mode_lock
> > > > # ok 30 global.seccomp_syscall_mode_lock
> > > > # #  RUN           global.detect_seccomp_filter_flags ...
> > > > # #            OK  global.detect_seccomp_filter_flags
> > > > # ok 31 global.detect_seccomp_filter_flags
> > > > # #  RUN           global.TSYNC_first ...
> > > > # #            OK  global.TSYNC_first
> > > > # ok 32 global.TSYNC_first
> > > > # #  RUN           global.syscall_restart ...
> > > > # # syscall_restart: Test terminated by timeout
> > > > # #          FAIL  global.syscall_restart
> > > > # not ok 33 global.syscall_restart
> > > > # #  RUN           global.filter_flag_log ...
> > > > # # seccomp_bpf.c:3239:filter_flag_log:Expected 0 (0) == syscall(__NR_getpid) (1482)
> > > > # # filter_flag_log: Test exited normally instead of by signal (code: 1)
> > > > # #          FAIL  global.filter_flag_log
> > > > # not ok 34 global.filter_flag_log
> > > > # #  RUN           global.get_action_avail ...
> > > > # #            OK  global.get_action_avail
> > > > # ok 35 global.get_action_avail
> > > > # #  RUN           global.get_metadata ...
> > > > # #            OK  global.get_metadata
> > > > # ok 36 global.get_metadata
> > > > # #  RUN           global.user_notification_basic ...
> > > > # # seccomp_bpf.c:3397:user_notification_basic:Expected 0 (0) == WEXITSTATUS(status) (1)
> > > > # # user_notification_basic: Test terminated by timeout
> > > > # #          FAIL  global.user_notification_basic
> > > > # not ok 37 global.user_notification_basic
> > > > # #  RUN           global.user_notification_with_tsync ...
> > > > # #            OK  global.user_notification_with_tsync
> > > > # ok 38 global.user_notification_with_tsync
> > > > # #  RUN           global.user_notification_kill_in_middle ...
> > > > # # user_notification_kill_in_middle: Test terminated by timeout
> > > > # #          FAIL  global.user_notification_kill_in_middle
> > > > # not ok 39 global.user_notification_kill_in_middle
> > > > # #  RUN           global.user_notification_signal ...
> > > > # # user_notification_signal: Test terminated by timeout
> > > > # #          FAIL  global.user_notification_signal
> > > > # not ok 40 global.user_notification_signal
> > > > # #  RUN           global.user_notification_closed_listener ...
> > > > # # seccomp_bpf.c:3647:user_notification_closed_listener:Expected 0 (0) == WEXITSTATUS(status) (1)
> > > > # # user_notification_closed_listener: Test failed
> > > > # #          FAIL  global.user_notification_closed_listener
> > > > # not ok 41 global.user_notification_closed_listener
> > > > # #  RUN           global.user_notification_child_pid_ns ...
> > > > # # user_notification_child_pid_ns: Test terminated by timeout
> > > > # #          FAIL  global.user_notification_child_pid_ns
> > > > # not ok 42 global.user_notification_child_pid_ns
> > > > # #  RUN           global.user_notification_sibling_pid_ns ...
> > > > # # seccomp_bpf.c:3728:user_notification_sibling_pid_ns:Expected 0 (0) == WEXITSTATUS(status) (1)
> > > > # # seccomp_bpf.c:3764:user_notification_sibling_pid_ns:Expected 0 (0) == WEXITSTATUS(status) (1)
> > > > 
> > > > 
> > > > > 
> > > > > cheers
> > > > > 
> > > > 
> > > 
> > 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ