passt/seccomp.sh, branch bug165c Plug A Simple Socket Transport seccomp: Fix build and operation on 32-bit musl targets 2025-12-07T22:17:25+00:00 Stefano Brivio sbrivio@redhat.com 2025-12-04T20:48:20+00:00 9e2e381be1d2ff6b385067af276d0e38f202422c On 32-bit musl targets (for example, Alpine i386 / i586), we need to: - use the set of system calls already defined for i686. While Alpine's kernel supports i586 as well (Debian for example doesn't), it's the same architecture, so change i386/i486/i586 machine strings to i686 in seccomp.sh - allow clock_gettime64() as an alternative to clock_gettime() (not just added on top, rather replacing it), because clock_gettime() isn't available as a system call name at all in musl headers (while glibc aliases it to the kernel's clock_gettime64()) - similarly, allow timerfd_gettime64() as a name for timerfd_gettime() - allow timerfd_settime32() as a name for timerfd_settime(), even though there's no such system call declared in Linux kernel headers, as musl uses that name to distinguish it from timerfd_settime64() - unconditionally allow timerfd_settime64(), because musl uses it whenever the 'old' argument is non-NULL and sizeof(time_t) > 4, which happens to be the case in tcp_timer_handler() Reported-by: John D. Rowell <me@jdrowell.com> Link: https://bugs.passt.top/show_bug.cgi?id=177 Link: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17686 Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
On 32-bit musl targets (for example, Alpine i386 / i586), we need to:

- use the set of system calls already defined for i686. While Alpine's
  kernel supports i586 as well (Debian for example doesn't), it's the
  same architecture, so change i386/i486/i586 machine strings to i686
  in seccomp.sh

- allow clock_gettime64() as an alternative to clock_gettime() (not
  just added on top, rather replacing it), because clock_gettime()
  isn't available as a system call name at all in musl headers (while
  glibc aliases it to the kernel's clock_gettime64())

- similarly, allow timerfd_gettime64() as a name for timerfd_gettime()

- allow timerfd_settime32() as a name for timerfd_settime(), even
  though there's no such system call declared in Linux kernel headers,
  as musl uses that name to distinguish it from timerfd_settime64()

- unconditionally allow timerfd_settime64(), because musl uses it
  whenever the 'old' argument is non-NULL and sizeof(time_t) > 4,
  which happens to be the case in tcp_timer_handler()

Reported-by: John D. Rowell <me@jdrowell.com>
Link: https://bugs.passt.top/show_bug.cgi?id=177
Link: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17686
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seccomp.sh: Quote tr character ranges to prevent glob expansion 2025-11-04T17:53:41+00:00 Laurent Vivier lvivier@redhat.com 2025-11-03T12:08:34+00:00 a36031a4d807ca3197b6b14c50a93816d4d28f18 we use [a-z] and [A-Z] patterns with 'tr', but if there are files with names matching these patterns they will be replaced by the name of the file and seccomp.h will not be generated correctly: $ rm seccomp.h $ touch a b $ make tr: extra operand '[A-Z]' Try 'tr --help' for more information. seccomp profile passt allows: accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto ... cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt In file included from isolation.c:83: seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'? 11 | BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80), | ^~~~~~~~~~~ Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
we use [a-z] and [A-Z] patterns with 'tr', but
if there are files with names matching these patterns they will be
replaced by the name of the file and seccomp.h will not be generated
correctly:
$ rm seccomp.h
$ touch a b
$ make
tr: extra operand '[A-Z]'
Try 'tr --help' for more information.
seccomp profile passt allows:  accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
   fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
...
cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong   arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
In file included from isolation.c:83:
seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
   11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
      |                                             ^~~~~~~~~~~

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seccomp.sh: Silence stty errors 2025-02-24T17:46:28+00:00 Michal Privoznik mprivozn@redhat.com 2025-02-21T11:53:13+00:00 be86232f72dcfbd51a889206e80d587fbcaa1c5b When printing list of allowed syscalls the width of terminal is obtained for nicer output (see commit below). The width is obtained by running 'stty'. While this works when building from a console, it doesn't work during rpmbuild/emerge/.. as stdout is usually not a console but a logfile and stdin is usually /dev/null or something. This results in stty reporting errors like this: stty: 'standard input': Inappropriate ioctl for device Redirect stty's stderr to /dev/null to silence it. Fixes: 712ca3235329 ("seccomp.sh: Try to account for terminal width while formatting list of system calls") Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
When printing list of allowed syscalls the width of terminal is
obtained for nicer output (see commit below). The width is
obtained by running 'stty'. While this works when building from a
console, it doesn't work during rpmbuild/emerge/.. as stdout is
usually not a console but a logfile and stdin is usually
/dev/null or something. This results in stty reporting errors
like this:

  stty: 'standard input': Inappropriate ioctl for device

Redirect stty's stderr to /dev/null to silence it.

Fixes: 712ca3235329 ("seccomp.sh: Try to account for terminal width while formatting list of system calls")
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Introduce passt-repair 2025-02-04T00:28:04+00:00 Stefano Brivio sbrivio@redhat.com 2025-01-27T23:03:13+00:00 8c24301462c39027e6eb6f1ad56c1f6c83fb0c23 A privileged helper to set/clear TCP_REPAIR on sockets on behalf of passt. Not used yet. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
A privileged helper to set/clear TCP_REPAIR on sockets on behalf of
passt. Not used yet.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seccomp: Simplify handling of AUDIT_ARCH 2024-11-07T11:46:55+00:00 David Gibson david@gibson.dropbear.id.au 2024-11-05T23:25:24+00:00 7917159005d41d2f87213645e9460534beb1e14f Currently we construct the AUDIT_ARCH variable in the Makefile, then pass it into the C code with -D. The only place that uses it, though is the BPF filter generated by seccomp.sh. seccomp.sh already needs to do things differently depending on the arch, so it might as well just insert the expanded AUDIT_ARCH directly into the generated code, rather than using a #define. Arguably this is better, even, since it ensures more locally that the arch the BPF checks for matches the arch seccomp.sh built the filter for. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently we construct the AUDIT_ARCH variable in the Makefile, then pass
it into the C code with -D.  The only place that uses it, though is the
BPF filter generated by seccomp.sh.  seccomp.sh already needs to do things
differently depending on the arch, so it might as well just insert the
expanded AUDIT_ARCH directly into the generated code, rather than using
a #define.  Arguably this is better, even, since it ensures more locally
that the arch the BPF checks for matches the arch seccomp.sh built the
filter for.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seccomp.sh: Try to account for terminal width while formatting list of system calls 2024-08-27T12:30:17+00:00 Stefano Brivio sbrivio@redhat.com 2024-08-27T06:23:41+00:00 712ca3235329b049bf9a4e481ba38a4c64768e8b Avoid excess lines on wide terminals, but make sure we don't fail if we can't fetch the number of columns for any reason, as it's not a fundamental feature and we don't want to break anything with it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Avoid excess lines on wide terminals, but make sure we don't fail if
we can't fetch the number of columns for any reason, as it's not a
fundamental feature and we don't want to break anything with it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
cppcheck: Explicitly give files to check 2024-04-05T14:59:11+00:00 David Gibson david@gibson.dropbear.id.au 2024-03-21T04:57:38+00:00 ef2cb13b499a41b6da215822772bf2a05aa69f9e Currently "make cppcheck" invokes cppcheck on ".", so it will check all the .c and .h files it can find in the source tree. This isn't ideal, because it can find files that aren't actually part of the real build, or even stale files which aren't in git. More practically, some upcoming changes are looking at downloading other source trees for some tests. Static errors in there is Not Our Problem, so checking them is both slow and pointless. So, change the Makefile to invoke cppcheck only on the specific source files that are part of the build. For some reason in this format the badBitmaskCheck warnings in seccomp.h which were suppressed by 5beb3472e ("cppcheck: Avoid errors due to zeroes in bitwise ORs") no longer trigger. That means we get unmatchedSuppression warnings instead. We add an unmatchedSuppression suppression instead of simply removing the original suppressions, just in case this odd behaviour isn't the same for all cppcheck versions. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently "make cppcheck" invokes cppcheck on ".", so it will check all the
.c and .h files it can find in the source tree.  This isn't ideal, because
it can find files that aren't actually part of the real build, or even
stale files which aren't in git.

More practically, some upcoming changes are looking at downloading other
source trees for some tests.  Static errors in there is Not Our Problem,
so checking them is both slow and pointless.

So, change the Makefile to invoke cppcheck only on the specific source
files that are part of the build.  For some reason in this format the
badBitmaskCheck warnings in seccomp.h which were suppressed by 5beb3472e
("cppcheck: Avoid errors due to zeroes in bitwise ORs") no longer trigger.
That means we get unmatchedSuppression warnings instead.  We add an
unmatchedSuppression suppression instead of simply removing the original
suppressions, just in case this odd behaviour isn't the same for all
cppcheck versions.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seccomp: Make seccomp.sh re-entrancy safe 2023-06-25T21:49:11+00:00 David Gibson david@gibson.dropbear.id.au 2023-06-21T03:06:37+00:00 db29fd281a7555698472bf86a92d0c5a6827db96 seccomp.sh generates seccomp.h piece by piece using >> directives. This means that if two instances of seccomp.h are run concurrently a corrupted version of seccomp.h will be generated. Amongst other problems this can cause spurious failures on clang-tidy. Alter seccomp.sh to build the output in a temporary file and atomic move it to seccomp.h, so concurrent invocations will still result in valud output. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
seccomp.sh generates seccomp.h piece by piece using >> directives.  This
means that if two instances of seccomp.h are run concurrently a corrupted
version of seccomp.h will be generated. Amongst other problems this can
cause spurious failures on clang-tidy.

Alter seccomp.sh to build the output in a temporary file and atomic move it
to seccomp.h, so concurrent invocations will still result in valud output.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
passt: Relicense to GPL 2.0, or any later version 2023-04-06T16:00:33+00:00 Stefano Brivio sbrivio@redhat.com 2023-04-05T18:11:44+00:00 ca2749e1bd520c6a1dbca24f1561ee31dd833a54 In practical terms, passt doesn't benefit from the additional protection offered by the AGPL over the GPL, because it's not suitable to be executed over a computer network. Further, restricting the distribution under the version 3 of the GPL wouldn't provide any practical advantage either, as long as the passt codebase is concerned, and might cause unnecessary compatibility dilemmas. Change licensing terms to the GNU General Public License Version 2, or any later version, with written permission from all current and past contributors, namely: myself, David Gibson, Laine Stump, Andrea Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
In practical terms, passt doesn't benefit from the additional
protection offered by the AGPL over the GPL, because it's not
suitable to be executed over a computer network.

Further, restricting the distribution under the version 3 of the GPL
wouldn't provide any practical advantage either, as long as the passt
codebase is concerned, and might cause unnecessary compatibility
dilemmas.

Change licensing terms to the GNU General Public License Version 2,
or any later version, with written permission from all current and
past contributors, namely: myself, David Gibson, Laine Stump, Andrea
Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian
Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Makefile, seccomp.sh: Fix cross-builds, adjust syscalls list to compiler 2023-03-08T23:36:03+00:00 Stefano Brivio sbrivio@redhat.com 2023-02-27T23:53:01+00:00 0d8c114aa25cb093607feea5d98ce81d7389aa73 Debian cross-building automatic checks: http://crossqa.debian.net/src/passt currently fail because we don't use the right target architecture and compiler while building the system call lists and resolving their numbers in seccomp.sh. Pass ARCH and CC to seccomp.sh and use them. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> 
Debian cross-building automatic checks:

  http://crossqa.debian.net/src/passt

currently fail because we don't use the right target architecture and
compiler while building the system call lists and resolving their
numbers in seccomp.sh. Pass ARCH and CC to seccomp.sh and use them.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>