Bug 837888

Summary: add ARM support to libseccomp
Product: [Fedora] Fedora Reporter: Peter Robinson <pbrobinson>
Component: libseccompAssignee: Paul Moore <pmoore>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: blc, pmoore
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: other   
OS: Unspecified   
Fixed In Version: libseccomp-2.1.0-0.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-16 02:06:41 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 245418    

Description Peter Robinson 2012-07-05 13:53:31 EDT
libseccomp is FTBFS on ARM due to the following error

gcc -I/builddir/build/BUILD/libseccomp-0.1.0 -I/builddir/build/BUILD/libseccomp-0.1.0/include -MM -MF arch.d arch.c;
arch.c:38:2: error: #error the arch code needs to know about your machine type
make[1]: Leaving directory `/builddir/build/BUILD/libseccomp-0.1.0/src'

I'm not sure if it's that ARM isn't supported yet or that it just needs configuration to specify the arch.

Comment 1 Paul Moore 2012-07-05 14:19:04 EDT
Unfortunately, in order to make the libseccomp API architecture independent, part of the library need to be made architecture dependent; the good news is that the architecture dependent code is rather small and self contained.

Would it be possible for you to grant me access on an ARM system?  If so, I could add the necessary ARM bits to libseccomp.  If that isn't possible, would you be willing to test a series of patches to libseccomp on your ARM system?
Comment 2 Peter Robinson 2012-07-05 14:28:39 EDT
Red Hat has a number of ARM devices they can give you access to, not being a Red Hat employee I can't do that, but I've added Brendan to the CC: and he can sort that for you.
Comment 3 Paul Moore 2012-07-05 14:38:24 EDT
Great, thanks for the connection.  I'll follow up with Brendan and update the BZ when I've got something to share.
Comment 4 Paul Moore 2012-07-10 15:42:18 EDT
Unfortunately, the upstream kernel does not have the necessary functionality to make libseccomp useful on ARM (see HAVE_ARCH_SECCOMP_FILTER).  I'm going to mark libseccomp as x86/x86_64 only via ExclusiveArch to solve this in the short term; when the ARM kernel adds the necessary support we can revisit this.
Comment 5 Paul Moore 2012-07-10 15:52:39 EDT
Scratch build:

* http://koji.fedoraproject.org/koji/taskinfo?taskID=4231825

Package patch:

diff --git a/libseccomp.spec b/libseccomp.spec
index d88b80d..f0695aa 100644
--- a/libseccomp.spec
+++ b/libseccomp.spec
@@ -1,7 +1,8 @@
 Summary: Enhanced seccomp library
 Name: libseccomp
 Version: 0.1.0
-Release: 0%{?dist}
+Release: 1%{?dist}
+ExclusiveArch: %{ix86} x86_64
 License: LGPLv2
 Group: System Environment/Libraries
 Source: http://downloads.sf.net/project/libseccomp/%{name}-%{version}.tar.gz
@@ -62,6 +63,8 @@ make DESTDIR="%{buildroot}" install
+* Tue Jul 10 2012 Paul Moore <pmoore@redhat.com> - 0.1.0-1
+- Limit package to x86/x86_64 platforms (RHBZ #837888)
 * Tue Jun 12 2012 Paul Moore <pmoore@redhat.com> - 0.1.0-0
 - Initial version
Comment 6 Paul Moore 2012-07-10 16:02:29 EDT
Committed to the Fedora repository (a912323351377d8fdfd98ee811c96ebce33ebf5d) and built successfully on i686 and x86_64.  This should at least resolve the build failure in such a way as that RPM will be smart and recognize that it shouldn't build libseccomp on ARM.

* http://koji.fedoraproject.org/koji/taskinfo?taskID=4231835

Should we close this bug for now?  We can revisit the issue when the ARM kernel gains the necessary support.
Comment 7 Peter Robinson 2012-07-10 18:13:53 EDT
OK, that's cool. Are there any packages that have hard dependencies on or will have hard deps (linked against) in the F-18 timeframe that may impact this as well?

Is there any links that detail or document the ARCH_SECCOMP_FILTER kernel requirements so we can document it?
Comment 8 Paul Moore 2012-07-11 10:27:34 EDT
As or right now there are no other packages that rely on libseccomp, although I do expect QEMU to gain libseccomp support in the F18 timeframe; however, that should be easy enough to make architecture dependent at build/configure time.

Below is a snippet from the Documentation/prctl/seccomp_filter.txt file in the Linux Kernel source tree; it provides the basic on information on the architecture dependent SECCOMP_FILTER code.

  Adding architecture support
  See arch/Kconfig for the authoritative requirements.  In general, if an
  architecture supports both ptrace_event and seccomp, it will be able to
  support seccomp filter with minor fixup: SIGSYS support and seccomp return
  value checking.  Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER
  to its arch-specific Kconfig.

I'm going to go ahead and close this bug, we'll revisit the issue when the kernel gains the necessary support.
Comment 9 Peter Robinson 2012-11-02 12:57:41 EDT
It looks like seccomp kernel support for ARM will be in 3.8 

Comment 10 Paul Moore 2012-11-02 15:36:45 EDT
Great.  I figured it would only be a matter of time ...

I'm going to reopen this bug so we can track this work.
Comment 11 Peter Robinson 2012-12-18 15:52:39 EST
It's landed in 3.8 based on cross referencing the patches at the link below and what's in kernel master now.

Comment 12 Peter Robinson 2013-02-06 02:14:13 EST
I looked at the libseccomp 2.0.0 release and while it has mentions of other arches it's not clear whether other arches are actually supported in the release.
Comment 13 Paul Moore 2013-02-06 10:59:01 EST
The libseccomp 2.0.0 release didn't mention support for new architectures but rather new APIs, and lots of under-the-covers improvements, to make it easier to deal with multiple and non-native architectures.  In short, the 2.0.0 release lays the foundation for adding new architectures but doesn't actually add any new architectures, that will be coming in future 2.x releases.

Also, as a FYI, RFC patches to add support for ARM were posted to the libseccomp mailing list last week.  I'm currently working on some new "live" tests for automated testing framework that will allow us to better qualify/validate libseccomp on a given architecture (the current tests are all simulator based).
Comment 14 Paul Moore 2013-02-07 16:37:59 EST
A quick update: it appears that the 3.8-rcX kernels aren't booting on Fedora ARM at present; until that is fixed we're blocked.
Comment 15 Peter Robinson 2013-02-07 18:10:21 EST
please be more specific. What HW? They work fine in the koji buildroots.
Comment 16 Paul Moore 2013-02-07 18:16:38 EST
Earlier on the RH #arm IRC channel I asked around if any of the farm systems were booting 3.8-rcX yet and the answer was "no, not yet".
Comment 17 Peter Robinson 2013-02-07 18:27:15 EST
that's not the same, most of the farm systems run stable not rawhide
Comment 18 Paul Moore 2013-02-07 18:31:49 EST
Okay, well let me rephrase then: until I get access to an ARM system running 3.8 I'm blocked.  At present the only option I am aware of is the ARM farm, if you know of another option please let me know.
Comment 19 Fedora End Of Life 2013-04-03 15:39:37 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
Comment 20 Paul Moore 2013-06-11 14:58:16 EDT
I just pushed an update to libseccomp to both F19 and Rawhide, libseccomp-2.1.0-0, which should resolve this issue by adding support for ARM.
Comment 21 Fedora Update System 2013-06-13 18:26:58 EDT
libseccomp-2.1.0-0.fc19 has been submitted as an update for Fedora 19.
Comment 22 Fedora Update System 2013-06-14 19:14:36 EDT
Package libseccomp-2.1.0-0.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libseccomp-2.1.0-0.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 23 Fedora Update System 2013-06-16 02:06:41 EDT
libseccomp-2.1.0-0.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.