seccomp tangle

[Hal Murray]

[Was Subject: Re: Is there a clean way for waf to test for the distro?]
>  Are you really, absolutely, positively sure that you can't check for the
> feature itself directly. If you start going down the distro-checking path,
> things get very messy, very fast. For example, is "Linux Mint" like Ubuntu? 

No, but I don't have any good ideas.  Would a configure option be better? (or 
less worse)

The current status is that seccomp is broken on Arch.  I was looking for a 
hack that would save me an edit every time I wanted to test on Arch.  Let's 
look at the big picture.

Here is the current status.

Something changed on Fedora a month or two ago.   There is a line of code that 
is needed on Arch but dies on Fedora.  An ifdef that used to work now fails.  
So I commented it out.  If you want to use seccomp on Arch, you have to edit 
that line.  I just discovered that Arch now needs another syscall so I'm 
getting my nose rubbed in this area again.

Looks like Fedora may have fixed something.  More later after I've had time 
for more testing.

---------

But as long as I'm typing stuff in...

Should we drop secomp?  It's a pain to maintain.

How many people use it?  Richard: do you turn it on for the Debian builds?

How does seccomp compare to a jail?  Why don't we have a good web page on how 
to setup and use a jail?  Does systemd have a jail option?  Does anybody run 
in a jail?  ...

The root of the problem is that the list of syscalls that are actually used 
depends upon which version of the kernel and which version of the libraries 
you are using, and which hardware, and ...

We dance around that by adding all the calls that are needed by any 
distro/version to the allowed list.  So on most systems, we allow some calls 
that we never use because they are used on some other system.  The catch is 
that some systems don't support some calls, so we have an ifdef to skip those 
-- they can't be used on this system if the kernel doesn't know about them so 
the skip is logically correct.

Testing the version of the seccomp header file is probably cleaner than 
testing for Arch.

-----------

Assuming we wanted to clean up the current mess...

I think we can get a list of the calls that are actually used via strace and a 
script.  The idea is to run it on a particular distro/version and make the 
list of the syscalls that this system uses.

We could read that list at either build time or run time.  A run time option 
would simplify testing.

We might have to special case a few corner cases.  I'm thinking of something 
like the script adds them in even if it doesn't see any examples.  I can't 
think of any good examples but I'd be surprised if there aren't a few calls 
that are only used in rare cases.


-- 
These are my opinions.  I hate spam.