Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

[Paul Moore <pmoore@redhat.com>]

On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > does not provide enough information about the ABI for the 64-bit
> > process. As a result of which, userland needs to use complex
> > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > can be used by seccomp to explicitely set syscall filters for this ABI.
> > 
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Eric Paris <eparis@redhat.com>
> > Cc: Paul Moore <pmoore@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > ---
> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > 
> > Thanks a lot!
> > ---
> > 
> >  arch/mips/include/asm/syscall.h |  2 ++
> >  include/uapi/linux/audit.h      | 12 ++++++++++++
> >  2 files changed, 14 insertions(+)
> 
> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as
> this *really* should be in 3.15]
> 
> I'm re-replying to this patch and adding lkml to the To line because I
> believe it is very important we get this patch into 3.15.  For those who
> don't follow the MIPS architecture very closely, the upcoming 3.15 is the
> first release to include support for seccomp filters, the latest generation
> of syscall filtering which used a BPF based filter language.  For reason
> that are easy to understand, the syscall filters are ABI specific (e.g.
> syscall tables, word length, endianness) and those generating syscall
> filters in userspace (e.g. libseccomp) need to take great care to ensure
> that the generated filters take the ABI into account and fail safely in the
> case where a different ABI is used (e.g. x86, x86_64, x32).
> 
> The patch below corrects, what is IMHO, an omission in the original MIPS
> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.
> Without this patch we will be forced to handle MIPS/MIPS64 like we handle
> x86_64/x32 which is a royal pain and not something I want to have deal with
> again.
> 
> Further, while I don't want to speak for the audit folks, it is my
> understanding that they want this patch for similar reasons.
> 
> Please merge this patch for 3.15 or at least provide some feedback as to why
> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this
> will require breaking the MIPS ABI which isn't something any of us want.
> 
> Thanks,
> -Paul

*Bump*

I don't know what else needs to be done to get some action on this and we're 
running out of time for 3.15.

-- 
paul moore
security and virtualization @ redhat