[3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

diff mbox

A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
(O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
does not provide enough information about the ABI for the 64-bit
process. As a result of which, userland needs to use complex
seccomp filters to decide whether a syscall belongs to the o32 or n32
or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
can be used by seccomp to explicitely set syscall filters for this ABI.

Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <pmoore@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?

Thanks a lot!
---
 arch/mips/include/asm/syscall.h |  2 ++
 include/uapi/linux/audit.h      | 12 ++++++++++++
 2 files changed, 14 insertions(+)

On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> does not provide enough information about the ABI for the 64-bit
> process. As a result of which, userland needs to use complex
> seccomp filters to decide whether a syscall belongs to the o32 or n32
> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> can be used by seccomp to explicitely set syscall filters for this ABI.
> 
> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: Ralf Baechle <ralf@linux-mips.org>
> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> ---
> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> 
> Thanks a lot!
> ---
>  arch/mips/include/asm/syscall.h |  2 ++
>  include/uapi/linux/audit.h      | 12 ++++++++++++
>  2 files changed, 14 insertions(+)

I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
my support for this patch.  As Markos states above, without this patch any 
seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
projects that try to abstract away the arch/ABI specific nature of the BPF 
seccomp filters will be have to do a lot more work.  Please merge this patch, 
or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
until 3.16 will be too late.

I also don't want to speak for the audit folks (Eric?), but I think you'll 
hear that this patch makes life much easier for them as well.

Thanks,
-Paul

> diff --git a/arch/mips/include/asm/syscall.h
> b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> --- a/arch/mips/include/asm/syscall.h
> +++ b/arch/mips/include/asm/syscall.h
> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>  #ifdef CONFIG_64BIT
>  	if (!test_thread_flag(TIF_32BIT_REGS))
>  		arch |= __AUDIT_ARCH_64BIT;
> +	if (test_thread_flag(TIF_32BIT_ADDR))
> +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
>  #endif
>  #if defined(__LITTLE_ENDIAN)
>  	arch |=  __AUDIT_ARCH_LE;
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 11917f7..1b1efdd 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -331,9 +331,17 @@ enum {
>  #define AUDIT_FAIL_PRINTK	1
>  #define AUDIT_FAIL_PANIC	2
> 
> +/*
> + * These bits disambiguate different calling conventions that share an
> + * ELF machine type, bitness, and endianness
> + */
> +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> +
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> @@ -346,7 +354,11 @@ enum {
>  #define AUDIT_ARCH_MIPS		(EM_MIPS)
>  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
__AUDIT_ARCH_LE\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
>  #define AUDIT_ARCH_PARISC	(EM_PARISC)
>  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)

On 04/24/2014 08:19 PM, Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>> does not provide enough information about the ABI for the 64-bit
>> process. As a result of which, userland needs to use complex
>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>
>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Eric Paris <eparis@redhat.com>
>> Cc: Paul Moore <pmoore@redhat.com>
>> Cc: Ralf Baechle <ralf@linux-mips.org>
>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> ---
>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>
>> Thanks a lot!
>> ---
>>  arch/mips/include/asm/syscall.h |  2 ++
>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>  2 files changed, 14 insertions(+)
> 
> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
> my support for this patch.  As Markos states above, without this patch any 
> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
> projects that try to abstract away the arch/ABI specific nature of the BPF 
> seccomp filters will be have to do a lot more work.  Please merge this patch, 
> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
> until 3.16 will be too late.
> 
> I also don't want to speak for the audit folks (Eric?), but I think you'll 
> hear that this patch makes life much easier for them as well.
> 
> Thanks,
> -Paul

Ralf ping? Can we please have this in 3.15 so userspace application get
the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
n32 and n64? It may be harder to change it once 3.15 is released (ABI
break).

On 04/30/2014 10:24 AM, Markos Chandras wrote:
> On 04/24/2014 08:19 PM, Paul Moore wrote:
>> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>>> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>>> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>>> does not provide enough information about the ABI for the 64-bit
>>> process. As a result of which, userland needs to use complex
>>> seccomp filters to decide whether a syscall belongs to the o32 or n32
>>> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>>> can be used by seccomp to explicitely set syscall filters for this ABI.
>>>
>>> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>>> Cc: Andy Lutomirski <luto@amacapital.net>
>>> Cc: Eric Paris <eparis@redhat.com>
>>> Cc: Paul Moore <pmoore@redhat.com>
>>> Cc: Ralf Baechle <ralf@linux-mips.org>
>>> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>>> ---
>>> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>>>
>>> Thanks a lot!
>>> ---
>>>  arch/mips/include/asm/syscall.h |  2 ++
>>>  include/uapi/linux/audit.h      | 12 ++++++++++++
>>>  2 files changed, 14 insertions(+)
>>
>> I'm far from qualified to ACK any MIPS specific patches, but I do want to add 
>> my support for this patch.  As Markos states above, without this patch any 
>> seccomp BPF code will be more complex than necessary (see x32 for an idea) and 
>> projects that try to abstract away the arch/ABI specific nature of the BPF 
>> seccomp filters will be have to do a lot more work.  Please merge this patch, 
>> or something similar, along with the MIPS BPF seccomp filters in 3.15; waiting 
>> until 3.16 will be too late.
>>
>> I also don't want to speak for the audit folks (Eric?), but I think you'll 
>> hear that this patch makes life much easier for them as well.
>>
>> Thanks,
>> -Paul
> 
> Ralf ping? Can we please have this in 3.15 so userspace application get
> the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
> n32 and n64? It may be harder to change it once 3.15 is released (ABI
> break).
> 

Ralf ping again? With -r5 approaching, there might be limited time left
to push this.

On Wednesday, April 30, 2014 10:24:10 AM Markos Chandras wrote:
> On 04/24/2014 08:19 PM, Paul Moore wrote:
> > On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> >> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> >> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> >> does not provide enough information about the ABI for the 64-bit
> >> process. As a result of which, userland needs to use complex
> >> seccomp filters to decide whether a syscall belongs to the o32 or n32
> >> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> >> can be used by seccomp to explicitely set syscall filters for this ABI.
> >> 
> >> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> >> Cc: Andy Lutomirski <luto@amacapital.net>
> >> Cc: Eric Paris <eparis@redhat.com>
> >> Cc: Paul Moore <pmoore@redhat.com>
> >> Cc: Ralf Baechle <ralf@linux-mips.org>
> >> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> >> ---
> >> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> >> 
> >> Thanks a lot!
> >> ---
> >> 
> >>  arch/mips/include/asm/syscall.h |  2 ++
> >>  include/uapi/linux/audit.h      | 12 ++++++++++++
> >>  2 files changed, 14 insertions(+)
> > 
> > I'm far from qualified to ACK any MIPS specific patches, but I do want to
> > add my support for this patch.  As Markos states above, without this
> > patch any seccomp BPF code will be more complex than necessary (see x32
> > for an idea) and projects that try to abstract away the arch/ABI specific
> > nature of the BPF seccomp filters will be have to do a lot more work. 
> > Please merge this patch, or something similar, along with the MIPS BPF
> > seccomp filters in 3.15; waiting until 3.16 will be too late.
> > 
> > I also don't want to speak for the audit folks (Eric?), but I think you'll
> > hear that this patch makes life much easier for them as well.
> > 
> > Thanks,
> > -Paul
> 
> Ralf ping? Can we please have this in 3.15 so userspace application get
> the updated token instead of using the AUDIT_ARCH_MIPS{,EL}64 for both
> n32 and n64? It may be harder to change it once 3.15 is released (ABI
> break).

I haven't heard anything on this patch and I don't see it in the tree this 
morning.  Can we please get this into the 3.15 release?  If not, can you 
please explain why so we have something to go on?

This will cause us a lot of pain in userspace if we don't get this patch 
merged.

On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> does not provide enough information about the ABI for the 64-bit
> process. As a result of which, userland needs to use complex
> seccomp filters to decide whether a syscall belongs to the o32 or n32
> or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> can be used by seccomp to explicitely set syscall filters for this ABI.
> 
> Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Paul Moore <pmoore@redhat.com>
> Cc: Ralf Baechle <ralf@linux-mips.org>
> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> ---
> Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> 
> Thanks a lot!
> ---
>  arch/mips/include/asm/syscall.h |  2 ++
>  include/uapi/linux/audit.h      | 12 ++++++++++++
>  2 files changed, 14 insertions(+)

[NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as 
this *really* should be in 3.15]

I'm re-replying to this patch and adding lkml to the To line because I believe 
it is very important we get this patch into 3.15.  For those who don't follow 
the MIPS architecture very closely, the upcoming 3.15 is the first release to 
include support for seccomp filters, the latest generation of syscall 
filtering which used a BPF based filter language.  For reason that are easy to 
understand, the syscall filters are ABI specific (e.g. syscall tables, word 
length, endianness) and those generating syscall filters in userspace (e.g. 
libseccomp) need to take great care to ensure that the generated filters take 
the ABI into account and fail safely in the case where a different ABI is used 
(e.g. x86, x86_64, x32).

The patch below corrects, what is IMHO, an omission in the original MIPS 
seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.  
Without this patch we will be forced to handle MIPS/MIPS64 like we handle 
x86_64/x32 which is a royal pain and not something I want to have deal with 
again.

Further, while I don't want to speak for the audit folks, it is my 
understanding that they want this patch for similar reasons.

Please merge this patch for 3.15 or at least provide some feedback as to why 
this isn't a viable solution for upstream.  Once 3.15 ships, fixing this will 
require breaking the MIPS ABI which isn't something any of us want.

Thanks,
-Paul

> diff --git a/arch/mips/include/asm/syscall.h
> b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> --- a/arch/mips/include/asm/syscall.h
> +++ b/arch/mips/include/asm/syscall.h
> @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
>  #ifdef CONFIG_64BIT
>  	if (!test_thread_flag(TIF_32BIT_REGS))
>  		arch |= __AUDIT_ARCH_64BIT;
> +	if (test_thread_flag(TIF_32BIT_ADDR))
> +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
>  #endif
>  #if defined(__LITTLE_ENDIAN)
>  	arch |=  __AUDIT_ARCH_LE;
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 11917f7..1b1efdd 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -331,9 +331,17 @@ enum {
>  #define AUDIT_FAIL_PRINTK	1
>  #define AUDIT_FAIL_PANIC	2
> 
> +/*
> + * These bits disambiguate different calling conventions that share an
> + * ELF machine type, bitness, and endianness
> + */
> +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> +
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> @@ -346,7 +354,11 @@ enum {
>  #define AUDIT_ARCH_MIPS		(EM_MIPS)
>  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
__AUDIT_ARCH_LE\
> +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
>  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
>  #define AUDIT_ARCH_PARISC	(EM_PARISC)
>  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)

On Mon, 2014-05-12 at 14:53 -0400, Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > does not provide enough information about the ABI for the 64-bit
> > process. As a result of which, userland needs to use complex
> > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > can be used by seccomp to explicitely set syscall filters for this ABI.
> > 
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Eric Paris <eparis@redhat.com>
> > Cc: Paul Moore <pmoore@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > ---
> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > 
> > Thanks a lot!
> > ---
> >  arch/mips/include/asm/syscall.h |  2 ++
> >  include/uapi/linux/audit.h      | 12 ++++++++++++
> >  2 files changed, 14 insertions(+)
> 
> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as 
> this *really* should be in 3.15]
> 
> I'm re-replying to this patch and adding lkml to the To line because I believe 
> it is very important we get this patch into 3.15.  For those who don't follow 
> the MIPS architecture very closely, the upcoming 3.15 is the first release to 
> include support for seccomp filters, the latest generation of syscall 
> filtering which used a BPF based filter language.  For reason that are easy to 
> understand, the syscall filters are ABI specific (e.g. syscall tables, word 
> length, endianness) and those generating syscall filters in userspace (e.g. 
> libseccomp) need to take great care to ensure that the generated filters take 
> the ABI into account and fail safely in the case where a different ABI is used 
> (e.g. x86, x86_64, x32).
> 
> The patch below corrects, what is IMHO, an omission in the original MIPS 
> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.  
> Without this patch we will be forced to handle MIPS/MIPS64 like we handle 
> x86_64/x32 which is a royal pain and not something I want to have deal with 
> again.
> 
> Further, while I don't want to speak for the audit folks, it is my 
> understanding that they want this patch for similar reasons.

Audit would also like to see this patch.  We can survive without it, but
having this patch lets us write a better/easier userspace.

Acked-by: Eric Paris <eparis@redhat.com>

> 
> Please merge this patch for 3.15 or at least provide some feedback as to why 
> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this will 
> require breaking the MIPS ABI which isn't something any of us want.
> 
> Thanks,
> -Paul
> 
> > diff --git a/arch/mips/include/asm/syscall.h
> > b/arch/mips/include/asm/syscall.h index c6e9cd2..17960fe 100644
> > --- a/arch/mips/include/asm/syscall.h
> > +++ b/arch/mips/include/asm/syscall.h
> > @@ -133,6 +133,8 @@ static inline int syscall_get_arch(void)
> >  #ifdef CONFIG_64BIT
> >  	if (!test_thread_flag(TIF_32BIT_REGS))
> >  		arch |= __AUDIT_ARCH_64BIT;
> > +	if (test_thread_flag(TIF_32BIT_ADDR))
> > +		arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
> >  #endif
> >  #if defined(__LITTLE_ENDIAN)
> >  	arch |=  __AUDIT_ARCH_LE;
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 11917f7..1b1efdd 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -331,9 +331,17 @@ enum {
> >  #define AUDIT_FAIL_PRINTK	1
> >  #define AUDIT_FAIL_PANIC	2
> > 
> > +/*
> > + * These bits disambiguate different calling conventions that share an
> > + * ELF machine type, bitness, and endianness
> > + */
> > +#define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
> > +#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
> > +
> >  /* distinguish syscall tables */
> >  #define __AUDIT_ARCH_64BIT 0x80000000
> >  #define __AUDIT_ARCH_LE	   0x40000000
> > +
> >  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> > @@ -346,7 +354,11 @@ enum {
> >  #define AUDIT_ARCH_MIPS		(EM_MIPS)
> >  #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
> >  #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
> > +#define AUDIT_ARCH_MIPS64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|\
> > +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> >  #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > +#define AUDIT_ARCH_MIPSEL64N32	(EM_MIPS|__AUDIT_ARCH_64BIT|
> __AUDIT_ARCH_LE\
> > +				 __AUDIT_ARCH_CONVENTION_MIPS64_N32)
> >  #define AUDIT_ARCH_OPENRISC	(EM_OPENRISC)
> >  #define AUDIT_ARCH_PARISC	(EM_PARISC)
> >  #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)
>

On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > does not provide enough information about the ABI for the 64-bit
> > process. As a result of which, userland needs to use complex
> > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > can be used by seccomp to explicitely set syscall filters for this ABI.
> > 
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Eric Paris <eparis@redhat.com>
> > Cc: Paul Moore <pmoore@redhat.com>
> > Cc: Ralf Baechle <ralf@linux-mips.org>
> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > ---
> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > 
> > Thanks a lot!
> > ---
> > 
> >  arch/mips/include/asm/syscall.h |  2 ++
> >  include/uapi/linux/audit.h      | 12 ++++++++++++
> >  2 files changed, 14 insertions(+)
> 
> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as
> this *really* should be in 3.15]
> 
> I'm re-replying to this patch and adding lkml to the To line because I
> believe it is very important we get this patch into 3.15.  For those who
> don't follow the MIPS architecture very closely, the upcoming 3.15 is the
> first release to include support for seccomp filters, the latest generation
> of syscall filtering which used a BPF based filter language.  For reason
> that are easy to understand, the syscall filters are ABI specific (e.g.
> syscall tables, word length, endianness) and those generating syscall
> filters in userspace (e.g. libseccomp) need to take great care to ensure
> that the generated filters take the ABI into account and fail safely in the
> case where a different ABI is used (e.g. x86, x86_64, x32).
> 
> The patch below corrects, what is IMHO, an omission in the original MIPS
> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.
> Without this patch we will be forced to handle MIPS/MIPS64 like we handle
> x86_64/x32 which is a royal pain and not something I want to have deal with
> again.
> 
> Further, while I don't want to speak for the audit folks, it is my
> understanding that they want this patch for similar reasons.
> 
> Please merge this patch for 3.15 or at least provide some feedback as to why
> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this
> will require breaking the MIPS ABI which isn't something any of us want.
> 
> Thanks,
> -Paul

*Bump*

I don't know what else needs to be done to get some action on this and we're 
running out of time for 3.15.

On Wed, May 21, 2014 at 1:59 PM, Paul Moore <pmoore@redhat.com> wrote:
> On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
>> On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
>> > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
>> > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
>> > does not provide enough information about the ABI for the 64-bit
>> > process. As a result of which, userland needs to use complex
>> > seccomp filters to decide whether a syscall belongs to the o32 or n32
>> > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
>> > can be used by seccomp to explicitely set syscall filters for this ABI.
>> >
>> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
>> > Cc: Andy Lutomirski <luto@amacapital.net>
>> > Cc: Eric Paris <eparis@redhat.com>
>> > Cc: Paul Moore <pmoore@redhat.com>
>> > Cc: Ralf Baechle <ralf@linux-mips.org>
>> > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
>> > ---
>> > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
>> >
>> > Thanks a lot!
>> > ---
>> >
>> >  arch/mips/include/asm/syscall.h |  2 ++
>> >  include/uapi/linux/audit.h      | 12 ++++++++++++
>> >  2 files changed, 14 insertions(+)
>>
>> [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance as
>> this *really* should be in 3.15]
>>
>> I'm re-replying to this patch and adding lkml to the To line because I
>> believe it is very important we get this patch into 3.15.  For those who
>> don't follow the MIPS architecture very closely, the upcoming 3.15 is the
>> first release to include support for seccomp filters, the latest generation
>> of syscall filtering which used a BPF based filter language.  For reason
>> that are easy to understand, the syscall filters are ABI specific (e.g.
>> syscall tables, word length, endianness) and those generating syscall
>> filters in userspace (e.g. libseccomp) need to take great care to ensure
>> that the generated filters take the ABI into account and fail safely in the
>> case where a different ABI is used (e.g. x86, x86_64, x32).
>>
>> The patch below corrects, what is IMHO, an omission in the original MIPS
>> seccomp filter patch, allowing userspace to easily separate MIPS and MIPS64.
>> Without this patch we will be forced to handle MIPS/MIPS64 like we handle
>> x86_64/x32 which is a royal pain and not something I want to have deal with
>> again.
>>
>> Further, while I don't want to speak for the audit folks, it is my
>> understanding that they want this patch for similar reasons.
>>
>> Please merge this patch for 3.15 or at least provide some feedback as to why
>> this isn't a viable solution for upstream.  Once 3.15 ships, fixing this
>> will require breaking the MIPS ABI which isn't something any of us want.
>>
>> Thanks,
>> -Paul
>
> *Bump*
>
> I don't know what else needs to be done to get some action on this and we're
> running out of time for 3.15.

Reply to Linus' next -rc email.

--Andy

On Wednesday 21 May 2014 16:59:22 Paul Moore wrote:
> On Monday, May 12, 2014 02:53:05 PM Paul Moore wrote:
> > On Tuesday, April 22, 2014 03:40:36 PM Markos Chandras wrote:
> > > A MIPS64 kernel may support ELF files for all 3 MIPS ABIs
> > > (O32, N32, N64). Furthermore, the AUDIT_ARCH_MIPS{,EL}64 token
> > > does not provide enough information about the ABI for the 64-bit
> > > process. As a result of which, userland needs to use complex
> > > seccomp filters to decide whether a syscall belongs to the o32 or n32
> > > or n64 ABI. Therefore, a new arch token for MIPS64/n32 is added so it
> > > can be used by seccomp to explicitely set syscall filters for this ABI.
> > > 
> > > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > > Cc: Andy Lutomirski <luto@amacapital.net>
> > > Cc: Eric Paris <eparis@redhat.com>
> > > Cc: Paul Moore <pmoore@redhat.com>
> > > Cc: Ralf Baechle <ralf@linux-mips.org>
> > > Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
> > > ---
> > > Ralf, can we please have this in 3.15 (Assuming it's ACK'd)?
> > > 
> > > Thanks a lot!
> > > ---
> > > 
> > >  arch/mips/include/asm/syscall.h |  2 ++
> > >  include/uapi/linux/audit.h      | 12 ++++++++++++
> > >  2 files changed, 14 insertions(+)
> > 
> > [NOTE: Adding lkml to the To line to hopefully spur discussion/acceptance
> > as this *really* should be in 3.15]
> > 
> > I'm re-replying to this patch and adding lkml to the To line because I
> > believe it is very important we get this patch into 3.15.  For those who
> > don't follow the MIPS architecture very closely, the upcoming 3.15 is the
> > first release to include support for seccomp filters, the latest
> > generation
> > of syscall filtering which used a BPF based filter language.  For reason
> > that are easy to understand, the syscall filters are ABI specific (e.g.
> > syscall tables, word length, endianness) and those generating syscall
> > filters in userspace (e.g. libseccomp) need to take great care to ensure
> > that the generated filters take the ABI into account and fail safely in
> > the
> > case where a different ABI is used (e.g. x86, x86_64, x32).
> > 
> > The patch below corrects, what is IMHO, an omission in the original MIPS
> > seccomp filter patch, allowing userspace to easily separate MIPS and
> > MIPS64. Without this patch we will be forced to handle MIPS/MIPS64 like
> > we handle x86_64/x32 which is a royal pain and not something I want to
> > have deal with again.
> > 
> > Further, while I don't want to speak for the audit folks, it is my
> > understanding that they want this patch for similar reasons.
> > 
> > Please merge this patch for 3.15 or at least provide some feedback as to
> > why this isn't a viable solution for upstream.  Once 3.15 ships, fixing
> > this will require breaking the MIPS ABI which isn't something any of us
> > want.
> > 
> > Thanks,
> > -Paul
> 
> *Bump*
> 
> I don't know what else needs to be done to get some action on this and we're
> running out of time for 3.15.

It was merged yesterday:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c7d6891a770aa97dd36c2df3545031e64c6a0ef3

Cheers
James