project-lakitu: fix ARM64 build with seccomp enabled
- Backport seccomp fix from an upstream systemd repo:
https://github.com/systemd/systemd/pull/14032
- Enable seccomp flag in ARM64 profile
BUG=b/177594234
TEST=presubmit
RELEASE_NOTE=None
Change-Id: I6e55e8cdb4a5d42b7123a03cc23af7371cc80a0f
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/10973
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Oleksandr Tymoshenko <ovt@google.com>
diff --git a/project-lakitu/profiles/arch/arm64/make.defaults b/project-lakitu/profiles/arch/arm64/make.defaults
index 7c5b0ed..05f7cf0 100644
--- a/project-lakitu/profiles/arch/arm64/make.defaults
+++ b/project-lakitu/profiles/arch/arm64/make.defaults
@@ -7,10 +7,10 @@
# "-mfpu=...", "-mfloat-abi=hard", etc.
BOARD_COMPILER_FLAGS="-march=armv8-a+crc -mtune=cortex-a57"
+# TODO: Move this to project-lakitu/profiles/base/make.defaults
# Empty USE to allow the same form below in real assignments
USE=""
-# TODO: Re-enable "seccomp" once it is fixed. http://b/177594234 .
-USE="${USE} -seccomp"
-# TODO: Re-enable "lakitu_kdump" and "kexec_file" once they are fixed.
-# http://b/177595663 .
+# Enable seccomp support.
+USE="${USE} seccomp"
+# Enable kdump feature.
USE="${USE} lakitu_kdump kexec_file"
diff --git a/project-lakitu/sys-apps/systemd/files/243-seccomp-old-libsec-fix.patch b/project-lakitu/sys-apps/systemd/files/243-seccomp-old-libsec-fix.patch
new file mode 100644
index 0000000..070ed36
--- /dev/null
+++ b/project-lakitu/sys-apps/systemd/files/243-seccomp-old-libsec-fix.patch
@@ -0,0 +1,107 @@
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 93c6045..e48151d 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -238,7 +238,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -253,7 +253,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4,unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -264,7 +264,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -275,7 +275,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index d82cb5c..cecb940 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -23,7 +23,8 @@
+ #include "util.h"
+ #include "virt.h"
+
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -235,14 +236,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+
+ assert_se(seccomp_protect_sysctl() >= 0);
+
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -520,7 +521,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ assert_se(poll(NULL, 0, 0) == 0);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -536,7 +537,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -552,7 +553,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -569,7 +570,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
diff --git a/project-lakitu/sys-apps/systemd/systemd-239-r20.ebuild b/project-lakitu/sys-apps/systemd/systemd-239-r21.ebuild
similarity index 100%
rename from project-lakitu/sys-apps/systemd/systemd-239-r20.ebuild
rename to project-lakitu/sys-apps/systemd/systemd-239-r21.ebuild
diff --git a/project-lakitu/sys-apps/systemd/systemd-239.ebuild b/project-lakitu/sys-apps/systemd/systemd-239.ebuild
index 71b9c47..adc5613 100644
--- a/project-lakitu/sys-apps/systemd/systemd-239.ebuild
+++ b/project-lakitu/sys-apps/systemd/systemd-239.ebuild
@@ -219,6 +219,9 @@
# Cherry-pick of upsteam commit to fix b/171809082:
# https://github.com/systemd/systemd/pull/9625/commits/987c138c19a45e9afe400d50ea797e64264f5fab
"${FILESDIR}"/241-line-begins-match-full-string.patch
+ # Backport of the upstream fix
+ # https://github.com/systemd/systemd/commit/4df8fe8415eaf4abd5b93c3447452547c6ea9e5f
+ "${FILESDIR}"/243-seccomp-old-libsec-fix.patch
)
default
}
