Discussion:
[libseccomp-discuss] Support for PowerPC platforms
Marcus Meissner
2015-01-21 12:37:43 UTC
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.

Feel free to take and improve.

Ciao, Marcus
Paul Moore
2015-01-22 03:23:42 UTC
Post by Marcus Meissner
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.
Feel free to take and improve.
I also put together some patches to support ppc64, but never tested
them on a ppc64 system, and to be honest it was a few months ago so
I'm not sure what state they are in ... if you are interested I can
try to dust them off and post them here.
--
paul moore
www.paul-moore.com
Marcus Meissner
2015-01-22 07:12:02 UTC
Post by Paul Moore
Post by Marcus Meissner
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.
Feel free to take and improve.
I also put together some patches to support ppc64, but never tested
them on a ppc64 system, and to be honest it was a few months ago so
I'm not sure what state they are in ... if you are interested I can
try to dust them off and post them here.
I can still test ppc32 and ppc64 (big or little endian) if there is need.

Ciao, Marcus
Purcareata Bogdan
2015-01-22 07:16:43 UTC
Post by Marcus Meissner
Post by Paul Moore
Post by Marcus Meissner
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.
Feel free to take and improve.
I also put together some patches to support ppc64, but never tested
them on a ppc64 system, and to be honest it was a few months ago so
I'm not sure what state they are in ... if you are interested I can
try to dust them off and post them here.
I can still test ppc32 and ppc64 (big or little endian) if there is need.
Anything would be great. I'm planning to develop and test both ppc and
ppc64 Linux. Not sure at this point if there is any impact, but the
platforms I'm working on are book3e, not book3s.

Unfortunately I don't have access to any zSeries platforms.

Thank you for the kind replies,
Bogdan P.
Paul Moore
2015-01-22 16:34:01 UTC
Post by Purcareata Bogdan
Post by Marcus Meissner
Post by Paul Moore
Post by Marcus Meissner
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.
Feel free to take and improve.
I also put together some patches to support ppc64, but never tested
them on a ppc64 system, and to be honest it was a few months ago so
I'm not sure what state they are in ... if you are interested I can
try to dust them off and post them here.
I can still test ppc32 and ppc64 (big or little endian) if there is need.
Anything would be great. I'm planning to develop and test both ppc and
ppc64 Linux. Not sure at this point if there is any impact, but the
platforms I'm working on are book3e, not book3s.
Unfortunately I don't have access to any zSeries platforms.
To clarify, are you planning to also develop the necessary kernel support?
One of the reasons we do not support ppc* in libseccomp is that the kernel is
currently lacking (or at least it was when I looked a few months ago) the
necessary CONFIG_SECCOMP_FILTER support.
--
paul moore
www.paul-moore.com
Purcareata Bogdan
2015-01-29 11:02:36 UTC
Post by Paul Moore
Post by Purcareata Bogdan
Post by Marcus Meissner
Post by Paul Moore
Post by Marcus Meissner
Hello,
I noticed a patch from a while ago on the mailing list adding support
for PowerPC platforms and zSeries [1]. The patch, however, has not been
upstreamed due to some issues in the testsuite. I was wondering whether
there has been any news on the patch and whether it's still of interest.
I'm interested in running LXC containers on PowerPC platforms, and would
like to have seccomp support as well. Right now, I don't have much
experience with seccomp, but I would be glad to start looking at the
code and contribute.
[1]http://sourceforge.net/p/libseccomp/mailman/message/32609277/
I did not continue on this patch as my other work is keeping me very busy,
sadly also for the foreseeable future.
Feel free to take and improve.
I also put together some patches to support ppc64, but never tested
them on a ppc64 system, and to be honest it was a few months ago so
I'm not sure what state they are in ... if you are interested I can
try to dust them off and post them here.
I can still test ppc32 and ppc64 (big or little endian) if there is need.
Anything would be great. I'm planning to develop and test both ppc and
ppc64 Linux. Not sure at this point if there is any impact, but the
platforms I'm working on are book3e, not book3s.
Unfortunately I don't have access to any zSeries platforms.
To clarify, are you planning to also develop the necessary kernel support?
One of the reasons we do not support ppc* in libseccomp is that the kernel is
currently lacking (or at least it was when I looked a few months ago) the
necessary CONFIG_SECCOMP_FILTER support.
Thanks for pointing it out, I wasn't aware of the differences between
seccomp strict and seccomp filter (still new to the subject).

Following the reference at [1], I looked at the bit of how the
requirements in the kernel apply to ppc:

config HAVE_ARCH_SECCOMP_FILTER
    bool
    help
      An arch should select this symbol if it provides all of these things:
      - syscall_get_arch() - DONE
      - syscall_get_arguments() - DONE
      - syscall_rollback() - DONE
      - syscall_set_return_value() - DONE
      - SIGSYS siginfo_t support - DONE
        (SIGSYS present in arch/powerpc/include/uapi/asm/signal.h)
      - secure_computing is called from a ptrace_event()-safe context -
        TO CHECK
      - secure_computing return value is checked and a return value of -1
        results in the system call being skipped immediately. - TODO

So what's left looks pretty feasible. I'll try to take care of it and
come back to you when I have some news.

Meanwhile, I added the support for ppc in the master libseccomp by
backporting Marcus's patch. All the regression tests pass - the initial
problem with the BPF simulator has been fixed.

I plan to post the patch after I've validated SECCOMP_FILTER support for
ppc in the kernel. I saw that the regression tests use a userspace BPF
simulator for testing the library. Are there any tests that I can use to
validate the kernel SECCOMP_FILTER support as well?

[1] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

Thanks,
Bogdan P.
Paul Moore
2015-01-29 21:00:27 UTC
Post by Purcareata Bogdan
Post by Paul Moore
To clarify, are you planning to also develop the necessary kernel support?
One of the reasons we do not support ppc* in libseccomp is that the kernel
is currently lacking (or at least it was when I looked a few months ago) the
necessary CONFIG_SECCOMP_FILTER support.
Thanks for pointing it out, I wasn't aware of the differences between
seccomp strict and seccomp filter (still new to the subject).
Following the reference at [1], I looked at the bit of how the requirements
config HAVE_ARCH_SECCOMP_FILTER
bool
help
- syscall_get_arch() - DONE
- syscall_get_arguments() - DONE
- syscall_rollback() - DONE
- syscall_set_return_value() - DONE
- SIGSYS siginfo_t support - DONE
(SIGSYS present in arch/powerpc/include/uapi/asm/signal.h)
- secure_computing is called from a ptrace_event()-safe context
TO CHECK
- secure_computing return value is checked and a return value of -1
results in the system call being skipped immediately. - TODO
So what's left looks pretty feasible. I'll try to take care of it and come
back to you when I have some news.
For what it's worth, IBM might also have some interest in this work.
I'm not exactly sure who would be the best contact there to find out,
but if you have any contacts with IBM it might be worth sending some
mail.
Post by Purcareata Bogdan
Meanwhile, I added the support for ppc in the master libseccomp by
backporting Marcus's patch. All the regression tests pass - the initial
problem with the BPF simulator has been fixed.
Okay, that's good to know. I'm a little busy right now with other
things at the moment, but if you intend to work on this, perhaps I'll
set up a ppc branch that we can work from while we wait for proper
kernel support.
Post by Purcareata Bogdan
I plan to post the patch after I've validated SECCOMP_FILTER support for ppc
in the kernel. I saw that the regression tests use a userspace BPF
simulator for testing the library. Are there any tests that I can use to
validate the kernel SECCOMP_FILTER support as well?
Look at the "live" tests, they are basic, but they do perform some
basic sanity checks.

# ./regression -T live
Post by Purcareata Bogdan
[1] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
Thanks,
Bogdan P.
--
paul moore
www.paul-moore.com
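
Added example, not part of the thread and not taken from libseccomp's test suite: a stand-alone probe for the kernel side of the question above, which installs a raw seccomp filter in a forked child and checks that an ERRNO verdict makes the syscall return without running (the "return value of -1 results in the system call being skipped" item of the checklist). The names probe_seccomp_filter, child_probe and PROBE_* are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical result codes for this added example. */
enum { PROBE_ENFORCED, PROBE_UNAVAILABLE, PROBE_NOT_ENFORCED, PROBE_ERROR };

/* Child side: install a filter that fails getppid() with EPERM and allows
 * everything else. This probes one native syscall, so it has no arch check;
 * a real policy must validate seccomp_data.arch first. */
static int child_probe(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };

    /* A failure here (EINVAL on a kernel built without
     * CONFIG_SECCOMP_FILTER) means filter mode cannot be installed. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return PROBE_UNAVAILABLE;
    /* getppid() never fails on its own, so EPERM proves the filter verdict
     * was applied and the syscall was skipped. */
    errno = 0;
    if (syscall(__NR_getppid) == -1 && errno == EPERM)
        return PROBE_ENFORCED;
    return PROBE_NOT_ENFORCED;
}

/* Runs the probe in a forked child so the caller stays unfiltered. */
int probe_seccomp_filter(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0)
        _exit(child_probe());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void) { return probe_seccomp_filter(); }
```

An exit status of 0 means the filter was installed and enforced; PROBE_NOT_ENFORCED (2) is the result that would indicate an incomplete architecture port.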
Mike Strosaker
2015-01-30 20:01:16 UTC
Post by Paul Moore
Post by Purcareata Bogdan
Post by Paul Moore
To clarify, are you planning to also develop the necessary kernel support?
One of the reasons we do not support ppc* in libseccomp is that the kernel
is currently lacking (or at least it was when I looked a few months ago) the
necessary CONFIG_SECCOMP_FILTER support.
Thanks for pointing it out, I wasn't aware of the differences between
seccomp strict and seccomp filter (still new to the subject).
Following the reference at [1], I looked at the bit of how the requirements
config HAVE_ARCH_SECCOMP_FILTER
bool
help
- syscall_get_arch() - DONE
- syscall_get_arguments() - DONE
- syscall_rollback() - DONE
- syscall_set_return_value() - DONE
- SIGSYS siginfo_t support - DONE
(SIGSYS present in arch/powerpc/include/uapi/asm/signal.h)
- secure_computing is called from a ptrace_event()-safe context
TO CHECK
- secure_computing return value is checked and a return value of -1
results in the system call being skipped immediately. - TODO
So what's left looks pretty feasible. I'll try to take care of it and come
back to you when I have some news.
For what it's worth, IBM might also have some interest in this work.
I'm not exactly sure who would be the best contact there to find out,
but if you have any contacts with IBM it might be worth sending some
mail.
Yes, there is interest at IBM. I had just started looking into it when
I discovered that there are others interested as well. I am definitely
interested in contributing to the kernel and libseccomp support for
seccomp filter on powerpc, but want to make sure I'm not duplicating
effort that is already being made.

Thanks,
Mike
