diff --git a/README.md b/README.md index 2aa002c..fc45f9c 100644 --- a/README.md +++ b/README.md @@ -235,6 +235,7 @@ See `docs/gdb-workflow.md` for the full workflow. - x86_64 - aarch64 +- riscv64 ## License `kbox` is available under a permissive MIT-style license. diff --git a/mk/toolchain.mk b/mk/toolchain.mk index cd782d7..ac9f6e1 100644 --- a/mk/toolchain.mk +++ b/mk/toolchain.mk @@ -28,6 +28,11 @@ CFLAGS += -std=gnu11 -D_GNU_SOURCE -Wall -Wextra -Wpedantic -Wshadow CFLAGS += -Wno-unused-parameter CFLAGS += -Iinclude -Isrc +# Disable link relaxation of riscv64 architecture to prevent long link time +ifeq ($(ARCH),riscv64) + LDFLAGS += -Wl,--no-relax +endif + # Build mode from Kconfig (fallback to BUILD= for unconfigured builds) ifeq ($(CONFIG_BUILD_RELEASE),y) CFLAGS += -O2 -DNDEBUG diff --git a/scripts/alpine-sha256.txt b/scripts/alpine-sha256.txt index 6259d19..346dec3 100644 --- a/scripts/alpine-sha256.txt +++ b/scripts/alpine-sha256.txt @@ -1,2 +1,3 @@ 55ea3e5a7c2c35e6268c5dcbb8e45a9cd5b0e372e7b4e798499a526834f7ed90 alpine-minirootfs-3.21.0-x86_64.tar.gz f31202c4070c4ef7de9e157e1bd01cb4da3a2150035d74ea5372c5e86f1efac1 alpine-minirootfs-3.21.0-aarch64.tar.gz +b2c5ed2be586aebd2da5dd13dbc96bc8cc41b72e517d0726dfbbb0a9810e66d6 alpine-minirootfs-3.21.0-riscv64.tar.gz diff --git a/scripts/fetch-lkl.sh b/scripts/fetch-lkl.sh index f6e9b3b..d265b86 100755 --- a/scripts/fetch-lkl.sh +++ b/scripts/fetch-lkl.sh @@ -17,6 +17,7 @@ set -eu case "${1:-$(uname -m)}" in x86_64 | amd64) ARCH="x86_64" ;; aarch64 | arm64) ARCH="aarch64" ;; + riscv64) ARCH="riscv64" ;; *) echo "error: unsupported architecture: ${1:-$(uname -m)}" >&2 exit 1 diff --git a/scripts/mkrootfs.sh b/scripts/mkrootfs.sh index 13f8028..9d97add 100755 --- a/scripts/mkrootfs.sh +++ b/scripts/mkrootfs.sh @@ -27,6 +27,7 @@ if [ -z "${ALPINE_ARCH:-}" ]; then case "$(uname -m)" in aarch64 | arm64) ALPINE_ARCH="aarch64" ;; x86_64 | amd64) ALPINE_ARCH="x86_64" ;; + riscv64) ALPINE_ARCH="riscv64" ;; *) die "Unsupported host architecture: $(uname -m). Set ALPINE_ARCH explicitly." ;; esac fi diff --git a/src/seccomp-bpf.c b/src/seccomp-bpf.c index 642a726..c622cca 100644 --- a/src/seccomp-bpf.c +++ b/src/seccomp-bpf.c @@ -138,7 +138,7 @@ static const int deny_nrs[] = { 153, /* vhangup */ }; -#elif defined(__aarch64__) +#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64) static const int deny_nrs[] = { /* Seccomp manipulation */ 277, /* seccomp */ diff --git a/src/seccomp-defs.h b/src/seccomp-defs.h index 3e52e99..12f0f7b 100644 --- a/src/seccomp-defs.h +++ b/src/seccomp-defs.h @@ -28,6 +28,8 @@ #define KBOX_AUDIT_ARCH_CURRENT 0xc000003eU #elif defined(__aarch64__) #define KBOX_AUDIT_ARCH_CURRENT 0xc00000b7U +#elif defined(__riscv) && __riscv_xlen == 64 +#define KBOX_AUDIT_ARCH_CURRENT 0xc00000f3U #else #error "unsupported architecture" #endif @@ -44,11 +46,16 @@ struct kbox_sock_fprog { struct kbox_sock_filter *filter; }; -#define KBOX_BPF_STMT(c, val) {(unsigned short) (c), 0, 0, (unsigned int) (val)} +#define KBOX_BPF_STMT(c, val) \ + { \ + (unsigned short) (c), 0, 0, (unsigned int) (val) \ + } -#define KBOX_BPF_JUMP(c, val, t, f) \ - {(unsigned short) (c), (unsigned char) (t), (unsigned char) (f), \ - (unsigned int) (val)} +#define KBOX_BPF_JUMP(c, val, t, f) \ + { \ + (unsigned short) (c), (unsigned char) (t), (unsigned char) (f), \ + (unsigned int) (val) \ + } struct kbox_seccomp_notif { uint64_t id; diff --git a/src/seccomp-dispatch.c b/src/seccomp-dispatch.c index bcf5534..a0f795b 100644 --- a/src/seccomp-dispatch.c +++ b/src/seccomp-dispatch.c @@ -4548,7 +4548,7 @@ struct kbox_dispatch kbox_dispatch_syscall(struct kbox_supervisor_ctx *ctx, return kbox_dispatch_continue(); /* return from signal handler */ if (nr == h->rt_sigpending) return kbox_dispatch_continue(); /* pending signal query */ - if (nr == h->rt_sigaltstack) + if (nr == h->sigaltstack) return kbox_dispatch_continue(); /* alternate signal stack */ if (nr == h->setitimer) return kbox_dispatch_continue(); /* interval timer */ diff --git a/src/seccomp-supervisor.c b/src/seccomp-supervisor.c index 2dde262..bb03fcc 100644 --- a/src/seccomp-supervisor.c +++ b/src/seccomp-supervisor.c @@ -369,7 +369,7 @@ int kbox_run_supervisor(const struct kbox_sysnrs *sysnrs, /* Architecture-specific host syscall numbers for the BPF filter. */ #if defined(__x86_64__) const struct kbox_host_nrs *host_nrs = &HOST_NRS_X86_64; -#elif defined(__aarch64__) +#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64) const struct kbox_host_nrs *host_nrs = &HOST_NRS_AARCH64; #else #error "Unsupported architecture" diff --git a/src/syscall-nr.c b/src/syscall-nr.c index a053530..7914f90 100644 --- a/src/syscall-nr.c +++ b/src/syscall-nr.c @@ -298,7 +298,7 @@ const struct kbox_host_nrs HOST_NRS_X86_64 = { .rt_sigprocmask = 14, .rt_sigreturn = 15, .rt_sigpending = 127, - .rt_sigaltstack = 131, + .sigaltstack = 131, .kill = 62, .tgkill = 234, .tkill = 200, @@ -467,7 +467,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = { .rt_sigprocmask = 135, .rt_sigreturn = 139, .rt_sigpending = 136, - .rt_sigaltstack = 132, + .sigaltstack = 132, .kill = 129, .tgkill = 131, .tkill = 130, @@ -500,7 +500,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = { .sched_getaffinity = 123, .prlimit64 = 261, .madvise = 233, - .getrlimit = -1, + .getrlimit = 163, .getrusage = 165, .epoll_create1 = 20, .epoll_ctl = 21, @@ -516,7 +516,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = { .timerfd_gettime = 87, .eventfd = -1, .eventfd2 = 19, - .statfs = -1, + .statfs = 43, .fstatfs = 44, .sysinfo = 179, .readlink = -1, diff --git a/src/syscall-nr.h b/src/syscall-nr.h index ec7e902..608756f 100644 --- a/src/syscall-nr.h +++ b/src/syscall-nr.h @@ -118,7 +118,7 @@ X(rt_sigprocmask) \ X(rt_sigreturn) \ X(rt_sigpending) \ - X(rt_sigaltstack) \ + X(sigaltstack) \ X(kill) \ X(tgkill) \ X(tkill) \