-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kernel Options for systemd 231 #1605
Comments
Arch produce their own kernel. Our default settings are chosen for raspbian. |
Okay, then probably let's postpone this until Raspbian embraces systemd 231, which might take a couple of years... ;-) currently, systemd 231 is in Debian sid only https://packages.debian.org/sid/systemd |
…olution for Issue raspberrypi#1605) Add an additional Kconfig which can optionally automatically select relevant kernel options to ensure maximum Raspberry Pi compatibility when building custom kernels Drawbacks: - Kconfig provides no method to directly deselect options - Kconfig only allows options to be set to 'Y', rather than enabling an option to be built as a module (Deselection could be performed by editing other stock Kconfig files to depend on one of the new options provided here being in a certain state - but this is a more intrusive change)
Same problem on Fedora 25 and official RPI kernel. Any reason why are these settings disabled: |
CONFIG_SECCOMP=y and CONFIG_OABI_COMPAT=y are both in the standard configurations, but not CONFIG_HAVE_ARCH_SECCOMP_FILTER=y or CONFIG_SECCOMP_FILTER=y. As I said in issue 1172:
|
The issue with CONFIG_SECCOMP_FILTER is actually that we have CONFIG_OABI_COMPAT=y, which is itself needed by the old version of GDB in Raspbian. There was talk that it might get patched locally so it doesn't need that, but I don't think that actually happened. |
Didn't @popcornmix already get a patch into Raspbian, so that CONFIG_OABI_COMPAT isn't required for gdb to be vaguely useful. This is turning into deja-vu and these reports are going to keep coming, time and time again, with the newer distributions using the later systemd version which is requiring FILTER if CONFIG_SECCOMP=y. |
And now that the officlal Raspberry Pi blog announced Docker running on it, there will be more and more people like me who wants to run unprivilege and really contained containers, and not simply a slightly better chroot. ;-) So indeed I want SECCOMP (and its filters based on bpf) and user namespace to be compiled in. :-) |
@popcornmix The referenced issue has some performance figures. |
AFAICT, all the required SECCOMP settings are present in the latest kernel, so please test and close as necessary. In the meantime, this issue will be closed within 30 days unless further interactions are posted. If you wish this issue to remain open, please add a comment. A closed issue may be reopened if requested. |
Closing due to lack of activity. Please request to be reopened if you feel this issue is still relevant. |
Hi @JamesH65 First sorry for my low responsiveness. I'm currently taking a bit more care of my family and therefore I have less time for open source projects, or let's say it's less regular now. Anyway, yes the SECCOMP configuration is now mainlined and I can see it also that now Docker supports seccomp on Raspbian Stretch out-of-the box! Thank you! However, AppArmor is still not mainlined although my PR #1698 was containing also changes related to AppArmor. Perhaps if AppArmor or SELinux are not considered for default, they could be compiled as modules and thus people interested in activating them would not have to resort in compiling their own kernel. What do you think? Now for the Kernel MAC (aka AppArmor, SELinux et al), shall we reopen this issue (and perhaps change the title) or shall I create a new issue? Here is the output of the Kernel config from a vanilla installation of Raspbian Stretch with the latest stable Kernel (showing only the relevant part): $ uname -r
4.14.62-v7+
$ zegrep "APPARMOR|SECURITY|SECCOMP" /proc/config.gz
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
[...]
# CONFIG_SECURITY is not set
[...] One can see that SECCOMP is activated 👍 And one can see that none of the Kernel MAC are configured, not even as module. |
I compiled a kernel as described here:
https://www.raspberrypi.org/documentation/linux/kernel/building.md
This kernel would not boot properly on Arch Linux with systemd 231. The problem and its solution is described here:
https://www.danand.de/index.php/2016-08/solution-to-systemd-231-seccomp-error-on-allwinner-soc/
With these kernel options, systemd 231 worked well for me:
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_OABI_COMPAT=n
The text was updated successfully, but these errors were encountered: