From: Peter Seiderer Date: Mon, 8 Jul 2024 09:05:47 +0000 (+0200) Subject: Add support for landlock_create_ruleset (444), landlock_add_rule (445) and landlock_r... X-Git-Tag: VALGRIND_3_25_0~218 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1453546fe7396e7d4b4b2fc8ec7e64b71d18611;p=thirdparty%2Fvalgrind.git Add support for landlock_create_ruleset (444), landlock_add_rule (445) and landlock_restrict_self (446) syscalls - add support for landlock_create_ruleset (444) syscall - add support for landlock_add_rule (445) syscall - add support for landlock_restrict_self (446) syscall https://bugs.kde.org/show_bug.cgi?id=489913 Signed-off-by: Peter Seiderer --- diff --git a/NEWS b/NEWS index ad5fa1a41..e5a7345e1 100644 --- a/NEWS +++ b/NEWS @@ -23,6 +23,7 @@ bugzilla (https://bugs.kde.org/enter_bug.cgi?product=valgrind) rather than mailing the developers (or mailing lists) directly -- bugs that are not entered into bugzilla tend to get forgotten about or ignored. +489913 WARNING: unhandled amd64-linux syscall: 444 (landlock_create_ruleset) 494327 Crash when running Helgrind built with #define TRACE_PTH_FNS 1 494337 All threaded applications cause still holding lock errors 495488 Add FreeBSD getrlimitusage syscall wrapper diff --git a/coregrind/m_syswrap/priv_syswrap-linux.h b/coregrind/m_syswrap/priv_syswrap-linux.h index d50cdcc98..221439a0e 100644 --- a/coregrind/m_syswrap/priv_syswrap-linux.h +++ b/coregrind/m_syswrap/priv_syswrap-linux.h @@ -328,6 +328,11 @@ DECL_TEMPLATE(linux, sys_pidfd_open); DECL_TEMPLATE(linux, sys_close_range); DECL_TEMPLATE(linux, sys_openat2); +// Linux-specific (new in Linux 5.13) +DECL_TEMPLATE(linux, sys_landlock_create_ruleset) +DECL_TEMPLATE(linux, sys_landlock_add_rule) +DECL_TEMPLATE(linux, sys_landlock_restrict_self) + // Linux-specific (new in Linux 5.14) DECL_TEMPLATE(linux, sys_memfd_secret); diff --git a/coregrind/m_syswrap/syswrap-amd64-linux.c b/coregrind/m_syswrap/syswrap-amd64-linux.c index 2230baf77..9488d3090 100644 --- a/coregrind/m_syswrap/syswrap-amd64-linux.c +++ b/coregrind/m_syswrap/syswrap-amd64-linux.c @@ -887,6 +887,10 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINXY(__NR_memfd_secret, sys_memfd_secret), // 447 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 diff --git a/coregrind/m_syswrap/syswrap-arm-linux.c b/coregrind/m_syswrap/syswrap-arm-linux.c index c8c23a928..5dac60f82 100644 --- a/coregrind/m_syswrap/syswrap-arm-linux.c +++ b/coregrind/m_syswrap/syswrap-arm-linux.c @@ -1063,6 +1063,10 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 }; diff --git a/coregrind/m_syswrap/syswrap-arm64-linux.c b/coregrind/m_syswrap/syswrap-arm64-linux.c index 05e0e421f..151ae0640 100644 --- a/coregrind/m_syswrap/syswrap-arm64-linux.c +++ b/coregrind/m_syswrap/syswrap-arm64-linux.c @@ -840,6 +840,10 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINXY(__NR_memfd_secret, sys_memfd_secret), // 447 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c index 775fae75b..5af84d739 100644 --- a/coregrind/m_syswrap/syswrap-linux.c +++ b/coregrind/m_syswrap/syswrap-linux.c @@ -4163,6 +4163,54 @@ POST(sys_memfd_create) } } +PRE(sys_landlock_create_ruleset) +{ + PRINT("sys_landlock_create_ruleset ( %#" FMT_REGWORD "x, %lu, %lu )", + ARG1, ARG2, ARG3); + PRE_REG_READ3(long, "landlock_create_ruleset", + const struct vki_landlock_ruleset_attr*, attr, + vki_size_t, size, vki_uint32_t, flags); + PRE_MEM_READ( "landlock_create_ruleset(value)", ARG1, ARG2 ); + + /* XXX Alternatively we could always fail with EOPNOTSUPP + since the rules might interfere with valgrind itself. */ +} + +POST(sys_landlock_create_ruleset) +{ + /* Returns either the abi version or a file descriptor. */ + if (ARG3 != VKI_LANDLOCK_CREATE_RULESET_VERSION) { + if (!ML_(fd_allowed)(RES, "landlock_create_ruleset", tid, True)) { + VG_(close)(RES); + SET_STATUS_Failure( VKI_EMFILE ); + } else { + if (VG_(clo_track_fds)) + ML_(record_fd_open_nameless)(tid, RES); + } + } +} + +PRE(sys_landlock_add_rule) +{ + PRINT("sys_landlock_add_rule ( %ld, %lu, %#" FMT_REGWORD "x, %lu )", + SARG1, ARG2, ARG3, ARG4); + PRE_REG_READ4(long, "landlock_add_rule", + int, ruleset_fd, enum vki_landlock_rule_type, rule_type, + const void*, rule_attr, vki_uint32_t, flags); + if (!ML_(fd_allowed)(ARG1, "landlock_add_rule", tid, False)) + SET_STATUS_Failure(VKI_EBADF); + /* XXX Depending on rule_type we should also check the given rule_attr. */ +} + +PRE(sys_landlock_restrict_self) +{ + PRINT("sys_landlock_restrict_self ( %ld, %lu )", SARG1, ARG2); + PRE_REG_READ2(long, "landlock_create_ruleset", + int, ruleset_fd, vki_uint32_t, flags); + if (!ML_(fd_allowed)(ARG1, "landlock_restrict_self", tid, False)) + SET_STATUS_Failure(VKI_EBADF); +} + PRE(sys_memfd_secret) { PRINT("sys_memfd_secret ( %#" FMT_REGWORD "x )", ARG1); diff --git a/coregrind/m_syswrap/syswrap-mips32-linux.c b/coregrind/m_syswrap/syswrap-mips32-linux.c index 421344213..757b637ba 100644 --- a/coregrind/m_syswrap/syswrap-mips32-linux.c +++ b/coregrind/m_syswrap/syswrap-mips32-linux.c @@ -1147,6 +1147,10 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 }; diff --git a/coregrind/m_syswrap/syswrap-mips64-linux.c b/coregrind/m_syswrap/syswrap-mips64-linux.c index e9bb5c54c..f0c5f7e04 100644 --- a/coregrind/m_syswrap/syswrap-mips64-linux.c +++ b/coregrind/m_syswrap/syswrap-mips64-linux.c @@ -824,7 +824,10 @@ static SyscallTableEntry syscall_main_table[] = { LINXY (__NR_openat2, sys_openat2), LINXY (__NR_pidfd_getfd, sys_pidfd_getfd), LINX_ (__NR_faccessat2, sys_faccessat2), - LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), + LINXY (__NR_epoll_pwait2, sys_epoll_pwait2), + LINXY (__NR_landlock_create_ruleset, sys_landlock_create_ruleset), + LINX_ (__NR_landlock_add_rule, sys_landlock_add_rule), + LINX_ (__NR_landlock_restrict_self, sys_landlock_restrict_self), LINX_ (__NR_fchmodat2, sys_fchmodat2), }; diff --git a/coregrind/m_syswrap/syswrap-nanomips-linux.c b/coregrind/m_syswrap/syswrap-nanomips-linux.c index 36a5c0ca0..f466aca14 100644 --- a/coregrind/m_syswrap/syswrap-nanomips-linux.c +++ b/coregrind/m_syswrap/syswrap-nanomips-linux.c @@ -831,6 +831,9 @@ static SyscallTableEntry syscall_main_table[] = { LINXY(__NR_pidfd_getfd, sys_pidfd_getfd), LINX_ (__NR_faccessat2, sys_faccessat2), LINXY (__NR_epoll_pwait2, sys_epoll_pwait2), + LINXY (__NR_landlock_create_ruleset,sys_landlock_create_ruleset), + LINX_ (__NR_landlock_add_rule, sys_landlock_add_rule), + LINX_ (__NR_landlock_restrict_self, sys_landlock_restrict_self), LINX_ (__NR_fchmodat2, sys_fchmodat2), }; diff --git a/coregrind/m_syswrap/syswrap-ppc32-linux.c b/coregrind/m_syswrap/syswrap-ppc32-linux.c index f7a90c753..634f288ce 100644 --- a/coregrind/m_syswrap/syswrap-ppc32-linux.c +++ b/coregrind/m_syswrap/syswrap-ppc32-linux.c @@ -1069,6 +1069,10 @@ static SyscallTableEntry syscall_table[] = { LINXY (__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 }; diff --git a/coregrind/m_syswrap/syswrap-ppc64-linux.c b/coregrind/m_syswrap/syswrap-ppc64-linux.c index 8de95624f..2c2def330 100644 --- a/coregrind/m_syswrap/syswrap-ppc64-linux.c +++ b/coregrind/m_syswrap/syswrap-ppc64-linux.c @@ -1035,6 +1035,10 @@ static SyscallTableEntry syscall_table[] = { LINXY (__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 }; diff --git a/coregrind/m_syswrap/syswrap-s390x-linux.c b/coregrind/m_syswrap/syswrap-s390x-linux.c index 8a1be8cbe..ca571f0f1 100644 --- a/coregrind/m_syswrap/syswrap-s390x-linux.c +++ b/coregrind/m_syswrap/syswrap-s390x-linux.c @@ -875,6 +875,10 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINXY(__NR_memfd_secret, sys_memfd_secret), // 447 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452 diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c index 31243a0db..a23743743 100644 --- a/coregrind/m_syswrap/syswrap-x86-linux.c +++ b/coregrind/m_syswrap/syswrap-x86-linux.c @@ -1656,6 +1656,10 @@ static SyscallTableEntry syscall_table[] = { LINXY(__NR_epoll_pwait2, sys_epoll_pwait2), // 441 + LINXY(__NR_landlock_create_ruleset, sys_landlock_create_ruleset), // 444 + LINX_(__NR_landlock_add_rule, sys_landlock_add_rule), // 445 + LINX_(__NR_landlock_restrict_self, sys_landlock_restrict_self), // 446 + LINXY(__NR_memfd_secret, sys_memfd_secret), // 447 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 diff --git a/include/Makefile.am b/include/Makefile.am index 8012d7374..5d5162a46 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -107,4 +107,5 @@ nobase_pkginclude_HEADERS = \ vki/vki-xen-xsm.h \ vki/vki-xen-x86.h \ vki/vki-linux-drm.h \ - vki/vki-linux-io_uring.h + vki/vki-linux-io_uring.h \ + vki/vki-linux-landlock.h diff --git a/include/pub_tool_vki.h b/include/pub_tool_vki.h index 24f99cc09..7b6e71e11 100644 --- a/include/pub_tool_vki.h +++ b/include/pub_tool_vki.h @@ -47,6 +47,7 @@ # include "vki/vki-linux.h" # include "vki/vki-linux-drm.h" # include "vki/vki-linux-io_uring.h" +# include "vki/vki-linux-landlock.h" #elif defined(VGO_darwin) # include "vki/vki-darwin.h" #elif defined(VGO_solaris) diff --git a/include/vki/vki-linux-landlock.h b/include/vki/vki-linux-landlock.h new file mode 100644 index 000000000..e549ae93e --- /dev/null +++ b/include/vki/vki-linux-landlock.h @@ -0,0 +1,37 @@ +/* + This file is part of Valgrind, a dynamic binary instrumentation framework. + + Copyright (C) 2024 Peter Seiderer + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 2 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, see . + + The GNU General Public License is contained in the file COPYING. +*/ +#ifndef __VKI_LANDLOCK_H +#define __VKI_LANDLOCK_H + +// Derived from linux-6.9.7/include/uapi/linux/landlock.h +struct vki_landlock_ruleset_attr { + __vki_u64 handled_access_fs; + __vki_u64 handled_access_net; +}; + +enum vki_landlock_rule_type { + VKI_LANDLOCK_RULE_PATH_BENEATH = 1, + VKI_LANDLOCK_RULE_NET_PORT, +}; + +#define VKI_LANDLOCK_CREATE_RULESET_VERSION 1 + +#endif diff --git a/include/vki/vki-scnums-shared-linux.h b/include/vki/vki-scnums-shared-linux.h index 068a2cd12..20346ca71 100644 --- a/include/vki/vki-scnums-shared-linux.h +++ b/include/vki/vki-scnums-shared-linux.h @@ -48,6 +48,10 @@ #define __NR_epoll_pwait2 441 +#define __NR_landlock_create_ruleset 444 +#define __NR_landlock_add_rule 445 +#define __NR_landlock_restrict_self 446 + #define __NR_memfd_secret 447 #define __NR_fchmodat2 452