Hi Bruce,
On 8/9/23 02:30, Bruce Ashfield wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
In message: [linux-yocto][yocto-kernel-cache][yocto-6.1][PATCH 0/1] proposal to
disable CONFIG_OABI_COMPAT on arm platform
on 04/08/2023 Xiangyu Chen wrote:
From: Xiangyu Chen <xiangyu.c...@windriver.com>
Hi Bruce,
Recently, we found that the audit tool cannot work correctly on qemuarm
platform unless we
disable the CONFIG_OABI_COMPAT option.
What exactly is the issue ? Are some of the syscalls not available ?
or some structure differences ?
Yes, it causes syscalls unavailable.
When the OABI_COMPAT enabled, the CONFIG_HAVE_ARCH_AUDITSYSCALL
would be disabled due to it depends !OABI_COMPAT on ARM platform[1].
This also happens on seccomp filter features, it also required no
OABI_COMPAT[2].
We can do a simple audit test on qemuarm with following steps:
1) add IMAGE_INSTALL:append = " audit auditd" to local.conf and build a
image,
2) boot up the image with qemu and add some test audit rules to
/etc/audit/audit.rules.
3) using "auditctl -R /etc/audit/audit.rules" to apply the rule, it
would return an error.
Using strace to track the syscalls we can observe that some
command/rules cannot be
supported by kernel:
... log ...
sendto(3, [{nlmsg_len=1072, nlmsg_type=0x3f3 /* NLMSG_??? */,
nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=10, nlmsg_pid=0},
"\x04\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00"...],
1072, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 1072
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, [{nlmsg_len=1092, nlmsg_type=NLMSG_ERROR, nlmsg_flags=0,
nlmsg_seq=10, nlmsg_pid=529}, {error=-EINVAL, msg=[{nlmsg_len=1072,
nlmsg_type=0x3f3 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK,
nlmsg_seq=10, nlmsg_pid=0},
"\x04\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00"...]}],
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0,
nl_groups=00000000}, [12]) = 1092
write(2, "Error sending add rule data requ"..., 54Error sending add rule
data request (Invalid argument)) = 54
... end of log ...
[1]
https://github.com/torvalds/linux/commit/7a017721283d3fd011a41884fd8e99beae8fe831
[2]
https://github.com/torvalds/linux/commit/9170217510cd280c704966738e7c1660c8fa5cbd
Thanks,
Xiangyu
OABI_COMPAT is a backwards compatibility tool intended to support the old Linux
ARM ABI. Since
more and more platforms turned to EABI and some kernel features like
seccomp/audit cannot use
under OABI_COMPAT enabled, so proposal that to disable the CONFIG_OABI_COMPAT
option by default.
That being said, I made that OABI change a LONG time ago, when we
were switching from OABI to EABI. We can safely drop it by default
at this point.
I'd just like a more detailed log in the commit message, so we can
track exactly what was breaking.
Bruce
Thanks,
Xiangyu
Xiangyu Chen (1):
disable CONFIG_OABI_COMPAT on arm platform
arch/arm/arm.cfg | 2 --
1 file changed, 2 deletions(-)
--
2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12945):
https://lists.yoctoproject.org/g/linux-yocto/message/12945
Mute This Topic: https://lists.yoctoproject.org/mt/100541501/21656
Group Owner: linux-yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-