Enable the required config options to run docker in the default defconfig for Morello Transitional PureCap User ABI (PCuABI) (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
A rebased version of the patches on morello/next, to be used for testing purposes, can be found at: https://git.morello-project.org/vincenzo/linux morello/docker/v2
Changes:
--------
v2:
- Address review comments
- Regenerate defconfig file
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
Vincenzo Frascino (5):
  bpf: Use proper typecast for capability type
  net: Use proper typecast for capability type
  security/keys: Remove inconsistent __user annotation
  arm64: compat64: Make keyctl compatibility version generic
  morello: Enable docker in defconfig
 .../morello_transitional_pcuabi_defconfig | 18 ++++++++++++++++++
 kernel/bpf/helpers.c                      |  3 ++-
 net/bridge/br_ioctl.c                     |  4 ++++
 security/keys/compat.c                    |  8 ++++----
 security/keys/keyring.c                   |  2 +-
 5 files changed, 29 insertions(+), 6 deletions(-)
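The cover letter validates the generated .config with moby's contrib/check-config.sh. The script below is an added example, not part of this series or of moby: it reimplements the "Generally Necessary" CONFIG_* portion of that check as a small POSIX sh function that can be run offline against any .config, treating =y and =m as enabled and ignoring "is not set" lines and near-miss symbol names. The sample .config files it writes are constructed for the demonstration, not real Morello build output.

```shell
#!/bin/sh
# Added example: check a kernel .config for the CONFIG_* options that
# moby's check-config.sh lists under "Generally Necessary".
# The option list is copied from the check output in the cover letter.
REQUIRED_OPTS="NAMESPACES NET_NS PID_NS IPC_NS UTS_NS CGROUPS CGROUP_CPUACCT
CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG KEYS VETH BRIDGE
BRIDGE_NETFILTER IP_NF_FILTER IP_NF_TARGET_MASQUERADE
NETFILTER_XT_MATCH_ADDRTYPE NETFILTER_XT_MATCH_CONNTRACK
NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MARK IP_NF_NAT NF_NAT POSIX_MQUEUE
CGROUP_BPF"

# check_opt CONFIG_FILE OPT: exit 0 if CONFIG_OPT is =y or =m, 1 otherwise.
# The anchored pattern rejects "# CONFIG_OPT is not set" and longer names
# that merely share a prefix (CONFIG_CGROUP_BPFX does not satisfy CGROUP_BPF).
check_opt() {
    grep -Eq "^CONFIG_$2=[ym]$" "$1"
}

# list_missing CONFIG_FILE: print the required options that are not enabled,
# space separated, in REQUIRED_OPTS order (empty line when all are present).
list_missing() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        check_opt "$1" "$opt" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
}

# write_sample_config PATH MODE: constructed .config for the demo.
# MODE "full" enables everything; "partial" disables KEYS ("is not set")
# and leaves CGROUP_BPF out entirely, as a savedefconfig would for a
# symbol that was never selected.
write_sample_config() {
    {
        for opt in $REQUIRED_OPTS; do
            case "$2:$opt" in
                partial:KEYS)       printf '# CONFIG_%s is not set\n' "$opt" ;;
                partial:CGROUP_BPF) ;;
                *:VETH)             printf 'CONFIG_%s=m\n' "$opt" ;;  # module counts
                *)                  printf 'CONFIG_%s=y\n' "$opt" ;;
            esac
        done
        printf 'CONFIG_CGROUP_BPFX=y\n'   # near-miss name, must not count
    } > "$1"
}

# Demo run on the two constructed configs.
tmp=$(mktemp -d)
write_sample_config "$tmp/full.config" full
write_sample_config "$tmp/partial.config" partial
printf 'full:    missing [%s]\n' "$(list_missing "$tmp/full.config")"
printf 'partial: missing [%s]\n' "$(list_missing "$tmp/partial.config")"
rm -rf "$tmp"
```

Run it against the generated linux-out/.config, as the cover letter does, not against the defconfig fragment: a defconfig omits symbols that are only pulled in by `select` (CONFIG_NF_NAT via CONFIG_IP_NF_NAT, for instance), so a check on the fragment reports false negatives that disappear once `make olddefconfig` has expanded it.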
With the introduction of capabilities, the PCuABI expects a capability when dealing with the user pointers.
Address the compilation warning below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/kernel/bpf/helpers.c: warning: the following conversion will result in a CToPtr operation; the behaviour of CToPtr can be confusing since using CToPtr on an untagged capability will give 0 instead of the integer value and should therefore be explicitly annotated [-Wcheri-pointer-conversion] ret = access_process_vm(tsk, (unsigned long)user_ptr, dst,size, 0);
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 kernel/bpf/helpers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 315053ef6a75..bd2406946a53 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -680,7 +680,8 @@ BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size, if (unlikely(!size)) return 0;
- ret = access_process_vm(tsk, (unsigned long)user_ptr, dst, size, 0); + /* TODO [PCuABI] - capability checks for uaccess */ + ret = access_process_vm(tsk, user_ptr_addr(user_ptr), dst, size, 0); if (ret == size) return 0;
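Review bot: the commit message should state the behavioural change, not only the warning fix. The warning text itself says CToPtr on an untagged capability yields 0, while `user_ptr_addr(user_ptr)` extracts the address regardless of the tag, so an untagged user_ptr now reaches `access_process_vm()` with its address rather than 0. Together with the added `/* TODO [PCuABI] - capability checks for uaccess */` comment this means the bounds and permissions carried by user_ptr are not enforced on this path yet; one sentence saying so in the message (and a pointer to where the uaccess capability checks are being tracked) would make the gap easy to audit later.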
With the introduction of capabilities, the PCuABI expects a capability when dealing with the user pointers.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/net/bridge/br_ioctl.c: error: use of __capability is ambiguous void __user **argp, void __user *data)
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 net/bridge/br_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index f213ed108361..9c3030de438c 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -105,7 +105,11 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
#define BR_UARGS_MAX 4 static int br_dev_read_uargs(unsigned long *args, size_t nr_args, +#ifdef CONFIG_CHERI_PURECAP_UABI + void * __capability * __capability argp, void __user *data) +#else void __user **argp, void __user *data) +#endif { int ret;
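Review bot: the commit title "Use proper typecast for capability type" does not describe this hunk, which involves no cast: it changes where `__capability` sits so that both the pointer and the pointee are capabilities (`void * __capability * __capability argp`), which is what the "use of __capability is ambiguous" error on `void __user **argp` is about. A title along the lines of "net: Fix the position of __capability in double pointer" matches the change. The `#ifdef CONFIG_CHERI_PURECAP_UABI` also leaves two copies of the parameter list to keep in sync; if a `__user` double-pointer spelling that the compiler accepts under both configurations exists, a single declaration would be preferable, and in any case the callers passing `argp` need to use the same double-capability type so the error is fixed rather than moved.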
With the introduction of capabilities, the PCuABI expects a capability when dealing with the user pointers.
Address the compilation issues below triggered by otherwise implicit conversion that might lead to unexpected behaviour when operating on capabilities.
make[1]: linux/security/keys/keyring.c:93 error: incompatible function pointer types initializing 'long (*)(const struct key *, char *, size_t)' (aka 'long (*)(const struct key *, char *, unsigned long)') with an expression of type 'long (const struct key *, char * __capability, size_t)' (aka 'long (const struct key *, char * __capability, unsigned long)') [-Werror,-Wincompatible-function-pointer-types] .read = keyring_read,
Note: The declaration of keyring_read does not match the definition (security/keys/keyring.c). In this case the definition is correct because it matches what is defined in "struct key_type::read" (linux/key-type.h).
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 security/keys/keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..4448758f643a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -79,7 +79,7 @@ static void keyring_revoke(struct key *keyring); static void keyring_destroy(struct key *keyring); static void keyring_describe(const struct key *keyring, struct seq_file *m); static long keyring_read(const struct key *keyring, - char __user *buffer, size_t buflen); + char *buffer, size_t buflen);
struct key_type key_type_keyring = { .name = "keyring",
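Review bot: the hunk only drops `__user` from the forward declaration of `keyring_read()`, and the message justifies that from `struct key_type::read`; the justification a reader actually needs is about the body. If `keyring_read()` never performs uaccess on `buffer` (it fills a kernel buffer that the keyctl core later copies out), the `__user` on the declaration was simply wrong and the -Wincompatible-function-pointer-types error was pointing at a real annotation bug. Say so explicitly in the message, otherwise it reads as if a user pointer parameter were quietly reinterpreted as a kernel pointer to silence the compiler.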
With the introduction of Morello support in the kernel we enabled compat64 mode to execute normal arm64 binaries.
Make keyctl compatibility version interface generic to be used by both compat32 and compat64 modes.
Note: This fixes a silent error that prevents running docker correctly in compat64 mode.
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 security/keys/compat.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/keys/compat.c b/security/keys/compat.c index 1545efdca562..028972ee49fd 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c @@ -1,6 +1,5 @@ // SPDX-License-Identifier: GPL-2.0-or-later -/* 32-bit compatibility syscall for 64-bit systems - * +/* * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) */ @@ -12,10 +11,11 @@ #include "internal.h"
/* - * The key control system call, 32-bit compatibility version for 64-bit archs + * The key control system call, compatibility version */ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option, - u32, arg2, u32, arg3, u32, arg4, u32, arg5) + compat_ulong_t, arg2, compat_ulong_t, arg3, + compat_ulong_t, arg4, compat_ulong_t, arg5) { switch (option) { case KEYCTL_GET_KEYRING_ID:
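Review bot: the message calls this a "silent error" without saying what it is. From the hunk, the change is `u32` to `compat_ulong_t` for arg2..arg5 of the compat keyctl entry point; under compat64, where compat_ulong_t has the native 64-bit width, the `u32` parameters were dropping the upper half of pointer-sized keyctl arguments (buffers, lengths) before the switch on `option` ever saw them, while compat32 keeps its 32-bit behaviour because compat_ulong_t is 32 bits there. Spelling that out would let anyone hitting the same class of bug in other compat syscalls recognise it. The "arm64: compat64:" prefix is also misleading since only security/keys/compat.c is touched; "security/keys:" fits the hunk.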
Enable the required config options to run docker in the default defconfig for Morello Transitional PCuABI (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
---
 .../morello_transitional_pcuabi_defconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index 20f14545d27e..d8365d9a916d 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -3,6 +3,7 @@ CONFIG_POSIX_MQUEUE=y CONFIG_AUDIT=y CONFIG_NO_HZ_IDLE=y CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y CONFIG_PREEMPT=y CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_BSD_PROCESS_ACCT=y @@ -19,11 +20,13 @@ CONFIG_MEMCG=y CONFIG_BLK_CGROUP=y CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y CONFIG_USER_NS=y CONFIG_SCHED_AUTOGROUP=y CONFIG_BLK_DEV_INITRD=y @@ -64,6 +67,19 @@ CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y CONFIG_PCI=y CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y @@ -77,6 +93,7 @@ CONFIG_SATA_AHCI=y CONFIG_MD=y CONFIG_BLK_DEV_DM=y CONFIG_NETDEVICES=y +CONFIG_VETH=y CONFIG_VIRTIO_NET=y CONFIG_R8169=y CONFIG_SMC91X=y @@ -113,6 +130,7 @@ CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_SELINUX=y
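Review bot: the message should distinguish the symbols taken from the check-config.sh list from the ones added as dependencies, otherwise the 18 added lines are hard to audit against the check output. CONFIG_NETFILTER=y, CONFIG_NF_CONNTRACK=y, CONFIG_IP_NF_IPTABLES=y and CONFIG_IP_VS=y do not appear in the "Generally Necessary" list; CONFIG_IP_VS is there because CONFIG_NETFILTER_XT_MATCH_IPVS depends on it. Likewise the check asks for CONFIG_NETFILTER_XT_MARK while the hunk adds CONFIG_NETFILTER_XT_MATCH_MARK=y, which satisfies it only through Kconfig's select, and CONFIG_NF_NAT is satisfied the same way via CONFIG_IP_NF_NAT=y. A sentence noting that the file was regenerated with savedefconfig (as the cover letter's "Regenerate defconfig file" implies) would explain why selected symbols are absent from the fragment while present in the checked .config.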
On 9/2/22 09:56, Vincenzo Frascino wrote:
Enable the required config options to run docker in the default defconfig for Morello Transitional PureCap User ABI (PCuABI) (morello_transitional_pcuabi_defconfig).
CI: Testing pipeline for LTP is failing on the series because of a known issue:
Job[19415] mmap1: fail
Job[19415] mmap2: fail
Job[19415] mmap3: fail
The rest looks fine.
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
A rebased version of the patches on morello/next, to be used for testing purposes, can be found at: https://git.morello-project.org/vincenzo/linux morello/docker/v2
Changes:
v2:
- Address review comments
- Regenerate defconfig file
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
Vincenzo Frascino (5):
  bpf: Use proper typecast for capability type
  net: Use proper typecast for capability type
  security/keys: Remove inconsistent __user annotation
  arm64: compat64: Make keyctl compatibility version generic
  morello: Enable docker in defconfig
 .../morello_transitional_pcuabi_defconfig | 18 ++++++++++++++++++
 kernel/bpf/helpers.c                      |  3 ++-
 net/bridge/br_ioctl.c                     |  4 ++++
 security/keys/compat.c                    |  8 ++++----
 security/keys/keyring.c                   |  2 +-
 5 files changed, 29 insertions(+), 6 deletions(-)
On 02/09/2022 10:56, Vincenzo Frascino wrote:
Enable the required config options to run docker in the default defconfig for Morello Transitional PureCap User ABI (PCuABI) (morello_transitional_pcuabi_defconfig).
The resulting .config was certified with [1]:
...
info: reading kernel config from linux-out/.config ...
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled
...
[1] https://github.com/moby/moby/blob/master/contrib/check-config.sh
A rebased version of the patches on morello/next, to be used for testing purposes, can be found at: https://git.morello-project.org/vincenzo/linux morello/docker/v2
Changes:
v2:
- Address review comments
- Regenerate defconfig file
Signed-off-by: Vincenzo Frascino vincenzo.frascino@arm.com
Vincenzo Frascino (5):
  bpf: Use proper typecast for capability type
  net: Use proper typecast for capability type
  security/keys: Remove inconsistent __user annotation
  arm64: compat64: Make keyctl compatibility version generic
  morello: Enable docker in defconfig
Looks all good, thanks. Now applied on next with the following changes to the commit titles, as agreed offline:
- Patch 2: "net: Fix the position of __capability in double pointer"
- Patch 4: "security/keys: Make keyctl compatibility version generic"
Cheers, Kevin
 .../morello_transitional_pcuabi_defconfig | 18 ++++++++++++++++++
 kernel/bpf/helpers.c                      |  3 ++-
 net/bridge/br_ioctl.c                     |  4 ++++
 security/keys/compat.c                    |  8 ++++----
 security/keys/keyring.c                   |  2 +-
 5 files changed, 29 insertions(+), 6 deletions(-)
linux-morello@op-lists.linaro.org