seccomp · kraj · Jun 9, 2021 · Jul 28, 2021 · Oct 1, 2021
diff --git a/CREDITS b/CREDITS
@@ -33,6 +33,7 @@ John Paul Adrian Glaubitz <[email protected]>
 Jonah Petri <[email protected]>
 Justin Cormack <[email protected]>
 Kees Cook <[email protected]>
+Khem Raj <[email protected]>
 Kyle R. Conway <[email protected]>
 Kenta Tada <[email protected]>
 Kir Kolyshkin <[email protected]>

diff --git a/README.md b/README.md
@@ -54,6 +54,7 @@ The libseccomp library currently supports the architectures listed below:
 * 32-bit s390 (s390)
 * 64-bit s390x (s390x)
 * 64-bit RISC-V (riscv64)
+* 32-bit RISC-V (riscv32)
 * 32-bit SuperH big endian (sheb)
 * 32-bit SuperH (sh)
 

diff --git a/doc/man/man1/scmp_sys_resolver.1 b/doc/man/man1/scmp_sys_resolver.1
@@ -36,7 +36,7 @@ The architecture to use for resolving the system call.  Valid
 .I ARCH
 values are "x86", "x86_64", "x32", "arm", "aarch64", "mips", "mipsel", "mips64",
 "mipsel64", "mips64n32", "mipsel64n32", "parisc", "parisc64", "ppc", "ppc64",
-"ppc64le", "s390", "s390x", "sheb" and "sh".
+"ppc64le", "riscv64", "riscv32", "s390", "s390x", "sheb" and "sh".
 .TP
 .B \-t
 If necessary, translate the system call name to the proper system call number,

diff --git a/doc/man/man3/seccomp_arch_add.3 b/doc/man/man3/seccomp_arch_add.3
@@ -30,6 +30,7 @@ seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native \
 .B #define SCMP_ARCH_S390X
 .B #define SCMP_ARCH_PARISC
 .B #define SCMP_ARCH_PARISC64
+.B #define SCMP_ARCH_RISCV32
 .B #define SCMP_ARCH_RISCV64
 .sp
 .BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");"

diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
@@ -276,6 +276,14 @@
 #define __PNR_renameat				-10242
 #define __PNR_riscv_flush_icache		-10243
 #define __PNR_memfd_secret			-10244
+#define __PNR_fstat				-10245
+#define __PNR_futex				-10246
+#define __PNR_nanosleep				-10247
+#define __PNR_lseek				-10248
+#define __PNR_clock_gettime			-10249
+#define __PNR_clock_nanosleep			-10250
+#define __PNR_gettimeofday			-10251
+#define __PNR_fcntl				-10252
 
 /*
  * libseccomp syscall definitions
@@ -443,15 +451,23 @@
 #define __SNR_clock_getres_time64	__PNR_clock_getres_time64
 #endif
 
+#ifdef __NR_clock_gettime
 #define __SNR_clock_gettime		__NR_clock_gettime
+#else
+#define __SNR_clock_gettime		__PNR_clock_gettime
+#endif
 
 #ifdef __NR_clock_gettime64
 #define __SNR_clock_gettime64		__NR_clock_gettime64
 #else
 #define __SNR_clock_gettime64		__PNR_clock_gettime64
 #endif
 
+#ifdef __NR_clock_nanosleep
 #define __SNR_clock_nanosleep		__NR_clock_nanosleep
+#else
+#define __SNR_clock_nanosleep		__PNR_clock_nanosleep
+#endif
 
 #ifdef __NR_clock_nanosleep_time64
 #define __SNR_clock_nanosleep_time64	__NR_clock_nanosleep_time64
@@ -715,7 +731,11 @@
 #define __SNR_ftruncate64		__PNR_ftruncate64
 #endif
 
+#ifdef __NR_futex
 #define __SNR_futex			__NR_futex
+#else
+#define __SNR_futex			__PNR_futex
+#endif
 
 #ifdef __NR_futex_time64
 #define __SNR_futex_time64		__NR_futex_time64
@@ -901,7 +921,11 @@
 
 #define __SNR_gettid			__NR_gettid
 
+#ifdef __NR_gettimeofday
 #define __SNR_gettimeofday		__NR_gettimeofday
+#else
+#define __SNR_gettimeofday		__PNR_gettimeofday
+#endif
 
 #ifdef __NR_getuid
 #define __SNR_getuid			__NR_getuid
@@ -1055,7 +1079,11 @@
 
 #define __SNR_lremovexattr		__NR_lremovexattr
 
+#ifdef __NR_lseek
 #define __SNR_lseek			__NR_lseek
+#else
+#define __SNR_lseek			__PNR_lseek
+#endif
 
 #define __SNR_lsetxattr			__NR_lsetxattr
 
@@ -1235,7 +1263,11 @@
 
 #define __SNR_name_to_handle_at			__NR_name_to_handle_at
 
+#ifdef __NR_nanosleep
 #define __SNR_nanosleep			__NR_nanosleep
+#else
+#define __SNR_nanosleep			__PNR_nanosleep
+#endif
 
 #ifdef __NR_newfstatat
 #define __SNR_newfstatat		__NR_newfstatat

diff --git a/include/seccomp.h.in b/include/seccomp.h.in
@@ -215,7 +215,16 @@ struct scmp_arg_cmp {
 #endif /* EM_RISCV */
 #define AUDIT_ARCH_RISCV64	(EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #endif /* AUDIT_ARCH_RISCV64 */
+
+#ifndef AUDIT_ARCH_RISCV32
+#ifndef EM_RISCV
+#define EM_RISCV		243
+#endif /* EM_RISCV */
+#define AUDIT_ARCH_RISCV32	(EM_RISCV|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_RISCV32 */
+
 #define SCMP_ARCH_RISCV64	AUDIT_ARCH_RISCV64
+#define SCMP_ARCH_RISCV32	AUDIT_ARCH_RISCV32
 
 /**
  * The SuperH architecture tokens

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -40,6 +40,7 @@ SOURCES_ALL = \
 	arch-ppc.h arch-ppc.c \
 	arch-ppc64.h arch-ppc64.c \
 	arch-riscv64.h arch-riscv64.c \
+	arch-riscv32.h arch-riscv32.c \
 	arch-s390.h arch-s390.c \
 	arch-s390x.h arch-s390x.c \
 	arch-sh.h arch-sh.c \

diff --git a/src/arch-riscv32.c b/src/arch-riscv32.c
@@ -0,0 +1,34 @@
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <linux/audit.h>
+
+#include "arch.h"
+#include "arch-riscv32.h"
+#include "syscalls.h"
+
+ARCH_DEF(riscv32)
+
+const struct arch_def arch_def_riscv32 = {
+	.token = SCMP_ARCH_RISCV32,
+	.token_bpf = AUDIT_ARCH_RISCV32,
+	.size = ARCH_SIZE_32,
+	.endian = ARCH_ENDIAN_LITTLE,
+	.syscall_resolve_name_raw = riscv32_syscall_resolve_name,
+	.syscall_resolve_num_raw = riscv32_syscall_resolve_num,
+	.syscall_rewrite = NULL,
+	.rule_add = NULL,
+};
diff --git a/src/arch-riscv32.h b/src/arch-riscv32.h
@@ -0,0 +1,22 @@
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _ARCH_RISCV32_H
+#define _ARCH_RISCV32_H
+
+#include "arch.h"
+
+ARCH_DECL(riscv32)
+
+#endif
diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c
@@ -43,6 +43,7 @@
 #include "arch-ppc.h"
 #include "arch-ppc64.h"
 #include "arch-riscv64.h"
+#include "arch-riscv32.h"
 #include "arch-s390.h"
 #include "arch-s390x.h"
 #include "arch-sh.h"
@@ -135,6 +136,9 @@ int main(int argc, char *argv[])
 		case SCMP_ARCH_RISCV64:
 			sys = riscv64_syscall_iterate(iter);
 			break;
+		case SCMP_ARCH_RISCV32:
+			sys = riscv32_syscall_iterate(iter);
+			break;
 		case SCMP_ARCH_S390:
 			sys = s390_syscall_iterate(iter);
 			break;

diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate
@@ -519,6 +519,49 @@ function dump_lib_riscv64() {
 	dump_lib_arch riscv64 | mangle_lib_syscall riscv64
 }
 
+#
+# Dump the riscv32 system syscall table
+#
+# Arguments:
+#     1    path to the kernel source
+#
+#  Dump the architecture's syscall table to stdout.
+#
+function dump_sys_riscv32() {
+	local sed_filter=""
+
+	sed_filter+='s/__NR3264_fadvise64/223/;'
+	sed_filter+='s/__NR3264_fcntl/25/;'
+	sed_filter+='s/__NR3264_fstatat/79/;'
+	sed_filter+='s/__NR3264_fstatfs/44/;'
+	sed_filter+='s/__NR3264_ftruncate/46/;'
+	sed_filter+='s/__NR3264_lseek/62/;'
+	sed_filter+='s/__NR3264_mmap/222/;'
+	sed_filter+='s/__NR3264_sendfile/71/;'
+	sed_filter+='s/__NR3264_statfs/43/;'
+	sed_filter+='s/__NR3264_truncate/45/;'
+	sed_filter+='s/__NR3264_fstat/80/;'
+
+	gcc -E -dM -I$1/include/uapi \
+		-D__BITS_PER_LONG=32 \
+		$1/arch/riscv/include/uapi/asm/unistd.h | \
+		grep "^#define __NR_" | \
+		sed '/__NR_syscalls/d' | \
+		sed 's/(__NR_arch_specific_syscall + 15)/259/' | \
+		sed '/__NR_arch_specific_syscall/d' | \
+		sed 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+\(.*\)/\1,\2/' | \
+		sed $sed_filter | sort
+}
+
+#
+# Dump the riscv32 library syscall table
+#
+#  Dump the library's syscall table to stdout.
+#
+function dump_lib_riscv32() {
+	dump_lib_arch riscv32 | mangle_lib_syscall riscv32
+}
+
 #
 # Dump the s390 system syscall table
 #
@@ -639,6 +682,9 @@ function dump_sys() {
 	ppc64)
 		dump_sys_ppc64 "$2"
 		;;
+	riscv32)
+		dump_sys_riscv32 "$2"
+		;;
 	riscv64)
 		dump_sys_riscv64 "$2"
 		;;
@@ -706,6 +752,9 @@ function dump_lib() {
 	ppc64)
 		dump_lib_ppc64
 		;;
+	riscv32)
+		dump_lib_riscv32
+		;;
 	riscv64)
 		dump_lib_riscv64
 		;;
@@ -751,7 +800,7 @@ function gen_csv() {
 	abi_list+=" mips mips64 mips64n32"
 	abi_list+=" parisc parisc64"
 	abi_list+=" ppc ppc64"
-	abi_list+=" riscv64"
+	abi_list+=" riscv32 riscv64"
 	abi_list+=" s390 s390x"
 	abi_list+=" sh"
 

diff --git a/src/arch.c b/src/arch.c
@@ -43,6 +43,7 @@
 #include "arch-ppc.h"
 #include "arch-ppc64.h"
 #include "arch-riscv64.h"
+#include "arch-riscv32.h"
 #include "arch-s390.h"
 #include "arch-s390x.h"
 #include "arch-sh.h"
@@ -97,8 +98,12 @@ const struct arch_def *arch_def_native = &arch_def_ppc;
 const struct arch_def *arch_def_native = &arch_def_s390x;
 #elif __s390__
 const struct arch_def *arch_def_native = &arch_def_s390;
-#elif __riscv && __riscv_xlen == 64
+#elif __riscv
+#if __riscv_xlen == 64
 const struct arch_def *arch_def_native = &arch_def_riscv64;
+#elif __riscv_xlen == 32
+const struct arch_def *arch_def_native = &arch_def_riscv32;
+#endif
 #elif __sh__
 #ifdef __BIG_ENDIAN__
 const struct arch_def *arch_def_native = &arch_def_sheb;
@@ -167,6 +172,8 @@ const struct arch_def *arch_def_lookup(uint32_t token)
 		return &arch_def_s390;
 	case SCMP_ARCH_S390X:
 		return &arch_def_s390x;
+	case SCMP_ARCH_RISCV32:
+		return &arch_def_riscv32;
 	case SCMP_ARCH_RISCV64:
 		return &arch_def_riscv64;
 	case SCMP_ARCH_SHEB:
@@ -223,6 +230,8 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name)
 		return &arch_def_s390;
 	else if (strcmp(arch_name, "s390x") == 0)
 		return &arch_def_s390x;
+	else if (strcmp(arch_name, "riscv32") == 0)
+		return &arch_def_riscv32;
 	else if (strcmp(arch_name, "riscv64") == 0)
 		return &arch_def_riscv64;
 	else if (strcmp(arch_name, "sheb") == 0)

diff --git a/src/gen_pfc.c b/src/gen_pfc.c
@@ -87,6 +87,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
 		return "s390x";
 	case SCMP_ARCH_S390:
 		return "s390";
+	case SCMP_ARCH_RISCV32:
+		return "riscv32";
 	case SCMP_ARCH_RISCV64:
 		return "riscv64";
 	case SCMP_ARCH_SHEB:

diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
@@ -51,6 +51,7 @@ cdef extern from "seccomp.h":
         SCMP_ARCH_PPC64LE
         SCMP_ARCH_S390
         SCMP_ARCH_S390X
+        SCMP_ARCH_RISCV32
         SCMP_ARCH_RISCV64
 
     cdef enum scmp_filter_attr:

diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
@@ -216,6 +216,7 @@ cdef class Arch:
     PARISC64 - 64-bit PA-RISC
     PPC64 - 64-bit PowerPC
     PPC - 32-bit PowerPC
+    RISCV32 - 32-bit RISC-V
     RISCV64 - 64-bit RISC-V
     """
 
@@ -240,6 +241,7 @@ cdef class Arch:
     PPC64LE = libseccomp.SCMP_ARCH_PPC64LE
     S390 = libseccomp.SCMP_ARCH_S390
     S390X = libseccomp.SCMP_ARCH_S390X
+    RISCV32 = libseccomp.SCMP_ARCH_RISCV32
     RISCV64 = libseccomp.SCMP_ARCH_RISCV64
 
     def __cinit__(self, arch=libseccomp.SCMP_ARCH_NATIVE):