From 3a69b1a052bbb23988dc14e43fd976dca76822b4 Mon Sep 17 00:00:00 2001
From: Anway De
Date: Thu, 15 May 2025 19:37:53 +0000
Subject: [PATCH] fix arm build
---
...{pidns.arm64_seccomp.h => pidns_arm64_seccomp.h} | 4 ++--
...rm64.seccomppolicy => pidns_arm64.seccomppolicy} | 0
src/app/shared/commands/run/run.c | 13 ++++++++++---
src/disco/gui/fd_gui_tile.c | 2 +-
...eccomppolicy => fd_gui_tile_arm64.seccomppolicy} | 0
....arm64_seccomp.h => fd_gui_tile_arm64_seccomp.h} | 4 ++--
src/disco/metrics/fd_metric_tile.c | 2 +-
...omppolicy => fd_metric_tile_arm64.seccomppolicy} | 0
...m64_seccomp.h => fd_metric_tile_arm64_seccomp.h} | 4 ++--
9 files changed, 18 insertions(+), 11 deletions(-)
rename src/app/shared/commands/run/generated/{pidns.arm64_seccomp.h => pidns_arm64_seccomp.h} (96%)
rename src/app/shared/commands/run/{pidns.arm64.seccomppolicy => pidns_arm64.seccomppolicy} (100%)
rename src/disco/gui/{fd_gui_tile.arm64.seccomppolicy => fd_gui_tile_arm64.seccomppolicy} (100%)
rename src/disco/gui/generated/{fd_gui_tile.arm64_seccomp.h => fd_gui_tile_arm64_seccomp.h} (98%)
rename src/disco/metrics/{fd_metric_tile.arm64.seccomppolicy => fd_metric_tile_arm64.seccomppolicy} (100%)
rename src/disco/metrics/generated/{fd_metric_tile.arm64_seccomp.h => fd_metric_tile_arm64_seccomp.h} (98%)
diff --git a/src/app/shared/commands/run/generated/pidns.arm64_seccomp.h b/src/app/shared/commands/run/generated/pidns_arm64_seccomp.h
similarity index 96%
rename from src/app/shared/commands/run/generated/pidns.arm64_seccomp.h
rename to src/app/shared/commands/run/generated/pidns_arm64_seccomp.h
index f3f69e66ea..a820bfe503 100644
--- a/src/app/shared/commands/run/generated/pidns.arm64_seccomp.h
+++ b/src/app/shared/commands/run/generated/pidns_arm64_seccomp.h
@@ -21,9 +21,9 @@ #else # error "Target architecture is unsupported by seccomp." #endif -static const unsigned int sock_filter_policy_pidns.arm64_instr_cnt = 23; +static const unsigned int sock_filter_policy_pidns_arm64_instr_cnt = 23; -static void populate_sock_filter_policy_pidns.arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd) { +static void populate_sock_filter_policy_pidns_arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd) { FD_TEST( out_cnt >= 23 ); struct sock_filter filter[23] = { /* Check: Jump to RET_KILL_PROCESS if the script's arch != the runtime arch */ diff --git a/src/app/shared/commands/run/pidns.arm64.seccomppolicy b/src/app/shared/commands/run/pidns_arm64.seccomppolicy similarity index 100% rename from src/app/shared/commands/run/pidns.arm64.seccomppolicy rename to src/app/shared/commands/run/pidns_arm64.seccomppolicy diff --git a/src/app/shared/commands/run/run.c b/src/app/shared/commands/run/run.c index 129d486b4f..495bfd4e94 100644 --- a/src/app/shared/commands/run/run.c +++ b/src/app/shared/commands/run/run.c @@ -4,7 +4,7 @@ #include #include "generated/main_seccomp.h" #if defined(__aarch64__) -#include "generated/pidns.arm64_seccomp.h" +#include "generated/pidns_arm64_seccomp.h" #else #include "generated/pidns_seccomp.h" #endif @@ -336,7 +336,14 @@ main_pid_namespace( void * _args ) { allow_fds[ allow_fds_cnt++ ] = fds[ i ].fd; /* read end of child pipes */ struct sock_filter seccomp_filter[ 128UL ]; + unsigned int instr_cnt; + #if defined(__aarch64__) + populate_sock_filter_policy_pidns_arm64( 128UL, seccomp_filter, (uint)fd_log_private_logfile_fd() ); + instr_cnt = sock_filter_policy_pidns_arm64_instr_cnt; + #else populate_sock_filter_policy_pidns( 128UL, seccomp_filter, (uint)fd_log_private_logfile_fd() ); + instr_cnt = sock_filter_policy_pidns_instr_cnt; + #endif if( FD_LIKELY( config->development.sandbox ) ) { fd_sandbox_enter( config->uid, 
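Review bot: The populate function and its instruction count are now chosen by a second `#if defined(__aarch64__)` inside main_pid_namespace, separate from the one that selects the header, and `instr_cnt` is what the following hunk passes to fd_sandbox_enter as the filter length, so the pair has to be kept matched by hand. Aliasing once beside the include would keep a single call site, e.g. `#define populate_sock_filter_policy_pidns populate_sock_filter_policy_pidns_arm64` and `#define sock_filter_policy_pidns_instr_cnt sock_filter_policy_pidns_arm64_instr_cnt` in the aarch64 branch. fd_gui_tile.c and fd_metric_tile.c receive only the include change in this patch; their call sites are not visible here, so it is worth confirming they do not still reference the unsuffixed names when built for aarch64. The literal `128UL` is also repeated in both branches and could be derived from `sizeof(seccomp_filter)/sizeof(seccomp_filter[0])`. main_pid_namespace starts and ends outside the hunk.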
@@ -350,7 +357,7 @@ main_pid_namespace( void * _args ) { 0UL, allow_fds_cnt, allow_fds, - sock_filter_policy_pidns_instr_cnt, + instr_cnt, seccomp_filter ); } else { fd_sandbox_switch_uid_gid( config->uid, config->gid ); @@ -783,7 +790,7 @@ run_firedancer( config_t * config, run_firedancer_init( config, init_workspaces ); -#if defined(__x86_64__) +#if defined(__x86_64__) || defined(__aarch64__) #ifndef SYS_landlock_create_ruleset #define SYS_landlock_create_ruleset 444 diff --git a/src/disco/gui/fd_gui_tile.c b/src/disco/gui/fd_gui_tile.c index db287b3095..48dc649358 100644 --- a/src/disco/gui/fd_gui_tile.c +++ b/src/disco/gui/fd_gui_tile.c @@ -11,7 +11,7 @@ #include /* SOCK_CLOEXEC, SOCK_NONBLOCK needed for seccomp filter */ #if defined(__aarch64__) -#include "generated/fd_gui_tile.arm64_seccomp.h" +#include "generated/fd_gui_tile_arm64_seccomp.h" #else #include "generated/fd_gui_tile_seccomp.h" #endif diff --git a/src/disco/gui/fd_gui_tile.arm64.seccomppolicy b/src/disco/gui/fd_gui_tile_arm64.seccomppolicy similarity index 100% rename from src/disco/gui/fd_gui_tile.arm64.seccomppolicy rename to src/disco/gui/fd_gui_tile_arm64.seccomppolicy diff --git a/src/disco/gui/generated/fd_gui_tile.arm64_seccomp.h b/src/disco/gui/generated/fd_gui_tile_arm64_seccomp.h similarity index 98% rename from src/disco/gui/generated/fd_gui_tile.arm64_seccomp.h rename to src/disco/gui/generated/fd_gui_tile_arm64_seccomp.h index 780c99ff90..9bfd6ce469 100644 --- a/src/disco/gui/generated/fd_gui_tile.arm64_seccomp.h +++ b/src/disco/gui/generated/fd_gui_tile_arm64_seccomp.h 
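Review bot: Widening the guard in run_firedancer to `#if defined(__x86_64__) || defined(__aarch64__)` makes the fallback `#define SYS_landlock_create_ruleset 444` apply to aarch64 as well, and nothing next to the define records why one hard-coded number is correct for both targets. As far as I know the Landlock syscalls were assigned the same numbers on every architecture, so the value should hold, but a comment such as `/* Landlock syscall numbers are the same on x86_64 and aarch64; used only when the headers lack them */` would save the next reader from re-checking. The rest of the guarded block, including what other architectures fall through to, lies outside the hunk and should be read for any remaining x86_64-only assumption.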
@@ -21,9 +21,9 @@ #else # error "Target architecture is unsupported by seccomp." #endif -static const unsigned int sock_filter_policy_fd_gui_tile.arm64_instr_cnt = 45; +static const unsigned int sock_filter_policy_fd_gui_tile_arm64_instr_cnt = 45; -static void populate_sock_filter_policy_fd_gui_tile.arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd, unsigned int gui_socket_fd) { +static void populate_sock_filter_policy_fd_gui_tile_arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd, unsigned int gui_socket_fd) { FD_TEST( out_cnt >= 45 ); struct sock_filter filter[45] = { /* Check: Jump to RET_KILL_PROCESS if the script's arch != the runtime arch */ diff --git a/src/disco/metrics/fd_metric_tile.c b/src/disco/metrics/fd_metric_tile.c index 9847fb7f05..a0d8a3549c 100644 --- a/src/disco/metrics/fd_metric_tile.c +++ b/src/disco/metrics/fd_metric_tile.c @@ -8,7 +8,7 @@ #include #if defined(__aarch64__) -#include "generated/fd_metric_tile.arm64_seccomp.h" +#include "generated/fd_metric_tile_arm64_seccomp.h" #else #include "generated/fd_metric_tile_seccomp.h" #endif diff --git a/src/disco/metrics/fd_metric_tile.arm64.seccomppolicy b/src/disco/metrics/fd_metric_tile_arm64.seccomppolicy similarity index 100% rename from src/disco/metrics/fd_metric_tile.arm64.seccomppolicy rename to src/disco/metrics/fd_metric_tile_arm64.seccomppolicy diff --git a/src/disco/metrics/generated/fd_metric_tile.arm64_seccomp.h b/src/disco/metrics/generated/fd_metric_tile_arm64_seccomp.h similarity index 98% rename from src/disco/metrics/generated/fd_metric_tile.arm64_seccomp.h rename to src/disco/metrics/generated/fd_metric_tile_arm64_seccomp.h index 026c2e942c..368870f340 100644 --- a/src/disco/metrics/generated/fd_metric_tile.arm64_seccomp.h +++ b/src/disco/metrics/generated/fd_metric_tile_arm64_seccomp.h 
@@ -21,9 +21,9 @@ #else # error "Target architecture is unsupported by seccomp." #endif -static const unsigned int sock_filter_policy_fd_metric_tile.arm64_instr_cnt = 45; +static const unsigned int sock_filter_policy_fd_metric_tile_arm64_instr_cnt = 45; -static void populate_sock_filter_policy_fd_metric_tile.arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd, unsigned int metrics_socket_fd) { +static void populate_sock_filter_policy_fd_metric_tile_arm64( ulong out_cnt, struct sock_filter * out, unsigned int logfile_fd, unsigned int metrics_socket_fd) { FD_TEST( out_cnt >= 45 ); struct sock_filter filter[45] = { /* Check: Jump to RET_KILL_PROCESS if the script's arch != the runtime arch */