Add riscv64 support

README.md

@@ -235,6 +235,7 @@ See `docs/gdb-workflow.md` for the full workflow.
 
 - x86_64
 - aarch64
+- riscv64
 
 ## License
 `kbox` is available under a permissive MIT-style license.

mk/toolchain.mk

@@ -28,6 +28,11 @@ CFLAGS  += -std=gnu11 -D_GNU_SOURCE -Wall -Wextra -Wpedantic -Wshadow
 CFLAGS  += -Wno-unused-parameter
 CFLAGS  += -Iinclude -Isrc
 
+# Disable link relaxation of riscv64 architecture to prevent long link time
+ifeq ($(ARCH),riscv64)
+	LDFLAGS += -Wl,--no-relax
+endif
+
 # Build mode from Kconfig (fallback to BUILD= for unconfigured builds)
 ifeq ($(CONFIG_BUILD_RELEASE),y)
   CFLAGS  += -O2 -DNDEBUG

scripts/alpine-sha256.txt

@@ -1,2 +1,3 @@
 55ea3e5a7c2c35e6268c5dcbb8e45a9cd5b0e372e7b4e798499a526834f7ed90  alpine-minirootfs-3.21.0-x86_64.tar.gz
 f31202c4070c4ef7de9e157e1bd01cb4da3a2150035d74ea5372c5e86f1efac1  alpine-minirootfs-3.21.0-aarch64.tar.gz
+b2c5ed2be586aebd2da5dd13dbc96bc8cc41b72e517d0726dfbbb0a9810e66d6  alpine-minirootfs-3.21.0-riscv64.tar.gz

scripts/fetch-lkl.sh

@@ -17,6 +17,7 @@ set -eu
 case "${1:-$(uname -m)}" in
     x86_64 | amd64) ARCH="x86_64" ;;
     aarch64 | arm64) ARCH="aarch64" ;;
+    riscv64) ARCH="riscv64" ;;
     *)
         echo "error: unsupported architecture: ${1:-$(uname -m)}" >&2
         exit 1

scripts/mkrootfs.sh

@@ -27,6 +27,7 @@ if [ -z "${ALPINE_ARCH:-}" ]; then
     case "$(uname -m)" in
         aarch64 | arm64) ALPINE_ARCH="aarch64" ;;
         x86_64 | amd64) ALPINE_ARCH="x86_64" ;;
+        riscv64) ALPINE_ARCH="riscv64" ;;
         *) die "Unsupported host architecture: $(uname -m). Set ALPINE_ARCH explicitly." ;;
     esac
 fi

src/seccomp-bpf.c

@@ -138,7 +138,7 @@ static const int deny_nrs[] = {
     153, /* vhangup */
 };
 
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64)
 static const int deny_nrs[] = {
     /* Seccomp manipulation */
     277, /* seccomp */

src/seccomp-defs.h

@@ -28,6 +28,8 @@
 #define KBOX_AUDIT_ARCH_CURRENT 0xc000003eU
 #elif defined(__aarch64__)
 #define KBOX_AUDIT_ARCH_CURRENT 0xc00000b7U
+#elif defined(__riscv) && __riscv_xlen == 64
+#define KBOX_AUDIT_ARCH_CURRENT 0xc00000f3U
 #else
 #error "unsupported architecture"
 #endif
@@ -44,11 +46,16 @@ struct kbox_sock_fprog {
     struct kbox_sock_filter *filter;
 };
 
-#define KBOX_BPF_STMT(c, val) {(unsigned short) (c), 0, 0, (unsigned int) (val)}
+#define KBOX_BPF_STMT(c, val)                            \
+    {                                                    \
+        (unsigned short) (c), 0, 0, (unsigned int) (val) \
+    }
 
-#define KBOX_BPF_JUMP(c, val, t, f)                                  \
-    {(unsigned short) (c), (unsigned char) (t), (unsigned char) (f), \
-     (unsigned int) (val)}
+#define KBOX_BPF_JUMP(c, val, t, f)                                     \
+    {                                                                   \
+        (unsigned short) (c), (unsigned char) (t), (unsigned char) (f), \
+            (unsigned int) (val)                                        \
+    }
 
 struct kbox_seccomp_notif {
     uint64_t id;

src/seccomp-dispatch.c

@@ -4548,7 +4548,7 @@ struct kbox_dispatch kbox_dispatch_syscall(struct kbox_supervisor_ctx *ctx,
         return kbox_dispatch_continue(); /* return from signal handler */
     if (nr == h->rt_sigpending)
         return kbox_dispatch_continue(); /* pending signal query */
-    if (nr == h->rt_sigaltstack)
+    if (nr == h->sigaltstack)
         return kbox_dispatch_continue(); /* alternate signal stack */
     if (nr == h->setitimer)
         return kbox_dispatch_continue(); /* interval timer */

src/seccomp-supervisor.c

@@ -369,7 +369,7 @@ int kbox_run_supervisor(const struct kbox_sysnrs *sysnrs,
     /* Architecture-specific host syscall numbers for the BPF filter. */
 #if defined(__x86_64__)
     const struct kbox_host_nrs *host_nrs = &HOST_NRS_X86_64;
-#elif defined(__aarch64__)
+#elif defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64)
     const struct kbox_host_nrs *host_nrs = &HOST_NRS_AARCH64;
 #else
 #error "Unsupported architecture"

src/syscall-nr.c

@@ -298,7 +298,7 @@ const struct kbox_host_nrs HOST_NRS_X86_64 = {
     .rt_sigprocmask = 14,
     .rt_sigreturn = 15,
     .rt_sigpending = 127,
-    .rt_sigaltstack = 131,
+    .sigaltstack = 131,
     .kill = 62,
     .tgkill = 234,
     .tkill = 200,
@@ -467,7 +467,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = {
     .rt_sigprocmask = 135,
     .rt_sigreturn = 139,
     .rt_sigpending = 136,
-    .rt_sigaltstack = 132,
+    .sigaltstack = 132,
     .kill = 129,
     .tgkill = 131,
     .tkill = 130,
@@ -500,7 +500,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = {
     .sched_getaffinity = 123,
     .prlimit64 = 261,
     .madvise = 233,
-    .getrlimit = -1,
+    .getrlimit = 163,
     .getrusage = 165,
     .epoll_create1 = 20,
     .epoll_ctl = 21,
@@ -516,7 +516,7 @@ const struct kbox_host_nrs HOST_NRS_AARCH64 = {
     .timerfd_gettime = 87,
     .eventfd = -1,
     .eventfd2 = 19,
-    .statfs = -1,
+    .statfs = 43,
     .fstatfs = 44,
     .sysinfo = 179,
     .readlink = -1,

src/syscall-nr.h

@@ -118,7 +118,7 @@
     X(rt_sigprocmask)          \
     X(rt_sigreturn)            \
     X(rt_sigpending)           \
-    X(rt_sigaltstack)          \
+    X(sigaltstack)             \
     X(kill)                    \
     X(tgkill)                  \
     X(tkill)                   \