Merge bitcoin/bitcoin#23178: util: Fix GUIX build with syscall sandbox

2d0279987e util: Make sure syscall numbers used in profile are defined (W. J. van der Laan) 8289d19ea5 util: Define SECCOMP_RET_KILL_PROCESS if not provided by the headers (W. J. van der Laan) Pull request description: Looks like we've broke the GUIX build in #20487. This attempts to fix it: - Define `__NR_statx` `__NR_getrandom` `__NR_membarrier` as some kernel headers lack them, and it's important to have the same profile independent on what kernel is used for building. - Define `SECCOMP_RET_KILL_PROCESS` as it isn't defined in the headers. ACKs for top commit: practicalswift: cr ACK 2d0279987e Tree-SHA512: c264c66f90af76bf364150e44d0a31876c2ef99f05777fcdd098a23f1e80efef43028f54bf9b3dad016110056d303320ed9741b0cb4c6266175fa9d5589b4277
2025-02-20 14:05:23 +01:00 · 2021-10-05 16:50:13 +02:00 · 2021-10-05 16:50:13 +02:00 · 89b910711c
commit 89b910711c
parent c4fc899442 2d0279987e
1 changed files with 18 additions and 8 deletions
--- a/src/util/syscall_sandbox.cpp
+++ b/src/util/syscall_sandbox.cpp
@ -40,6 +40,24 @@ bool g_syscall_sandbox_log_violation_before_terminating{false};
 #error Syscall sandbox is an experimental feature currently available only under Linux x86-64.
 #endif // defined(__x86_64__)

+#ifndef SECCOMP_RET_KILL_PROCESS
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#endif
+
+// Define system call numbers for x86_64 that are referenced in the system call profile
+// but not provided by the kernel headers used in the GUIX build.
+#ifndef __NR_statx
+#define __NR_statx 332
+#endif
+
+#ifndef __NR_getrandom
+#define __NR_getrandom 318
+#endif
+
+#ifndef __NR_membarrier
+#define __NR_membarrier 324
+#endif
+
 // This list of syscalls in LINUX_SYSCALLS is only used to map syscall numbers to syscall names in
 // order to be able to print user friendly error messages which include the syscall name in addition
 // to the syscall number.
@ -158,9 +176,7 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
    {__NR_getpmsg, "getpmsg"},
    {__NR_getppid, "getppid"},
    {__NR_getpriority, "getpriority"},
-#if defined(__NR_getrandom)
    {__NR_getrandom, "getrandom"},
-#endif // defined(__NR_getrandom)
    {__NR_getresgid, "getresgid"},
    {__NR_getresuid, "getresuid"},
    {__NR_getrlimit, "getrlimit"},
@ -208,9 +224,7 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
    {__NR_lstat, "lstat"},
    {__NR_madvise, "madvise"},
    {__NR_mbind, "mbind"},
-#if defined(__NR_membarrier)
    {__NR_membarrier, "membarrier"},
-#endif // defined(__NR_membarrier)
    {__NR_memfd_create, "memfd_create"},
    {__NR_migrate_pages, "migrate_pages"},
    {__NR_mincore, "mincore"},
@ -511,9 +525,7 @@ public:
    {
        allowed_syscalls.insert(__NR_brk);     // change data segment size
        allowed_syscalls.insert(__NR_madvise); // give advice about use of memory
-#if defined(__NR_membarrier)
        allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads
-#endif // defined(__NR_membarrier)
        allowed_syscalls.insert(__NR_mlock);    // lock memory
        allowed_syscalls.insert(__NR_mmap);     // map files or devices into memory
        allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory
@ -593,9 +605,7 @@ public:

    void AllowGetRandom()
    {
-#if defined(__NR_getrandom)
        allowed_syscalls.insert(__NR_getrandom); // obtain a series of random bytes
-#endif // defined(__NR_getrandom)
    }

    void AllowGetSimpleId()