The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).
The LSM allows configuring a whitelist policy of permitted from:to uid
transitions. The policy is enforced upon calls to setuid(2) and related
syscalls.
Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies
A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).
A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).
See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
In 5.0er these function were removed from the public interface also zfs needs
them for AVX/AES-NI support. Without this patch for example throughput on a
encrypted zfs dataset drops to 200 MB/s from 1.2 GB/s. These functions were
removed as their was no user within the linux kernel tree itself.
Requires a minor tweak to the deadlock detector patch (the file was
renamed in the upstream repo).
bcc now also wants a copy of libbpf, which it doesn't have in the source
release tarball. Clone a copy from GiHub that's synchronized with the
release, and put it in place.
Tested on Linux 5.1 (with bpftrace as well).
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Newer versions of perf in Linux 5.1+ support disassembling and
annotating eBPF programs inside the kernel. In order to do this, it uses
libbfd's support for bpf disassembly. There are two parts: libopcodes
and libbfd.
The 'perf' build system seems to expect libopcodes/libbfd to go "hand in
hand" -- always together, if one or the other is installed. If the build
system detects libbfd is available, then an import of <dis-asm.h> is
performed, but this fails since it wasn't in the buildInput. Fixing this
should be an easy, backwards-compatible change.
Fixes #60891, allowing linuxPackages_testing.perf to build again
(currently kernel version 5.1.0-rc7).
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Update bpftrace to the latest pre-release, with a real version number.
The most notable change now is that bpftrace can use a stable version of
the 'bcc' toolchain in order to build, meaning no more hacks are needed
to clone the source code and fix up the build system, etc. This
simplifies things greatly and removes the old bcc-source patch.
Similarly, we can remove our custom gtests patch (which disabled the
build) by just passing -DBUILD_TESTING=FALSE when running cmake. This
was also added upstream recently.
However, something does still need to be fixed, at a cost: bpftrace
requires the kernel -dev package because it wants both objects and
include directories (some files are only shipped in one or the other).
Therefore, we remove the dependency on linuxHeaders and instead use
kernel.dev as the sole input to the build.
This is both a positive and a negative: the positive is that tools work
without annoying fatal errors, and that the bpf toolchain is
synchronized to the linuxPackages.kernel derivation it was built
against. The downside is that the .dev expression is much heavier as a
dependency, so bpftrace is now closer to 700mb in closure size. (This
especially hurts across kernel upgrades requiring a whole new rebuild,
especially if you have existing nixos generations that won't GC, etc.)
We probably want to slim this down substantially in the future (and
there may be a few ways to do that), but as this will probably also
touch bcc, and as a first cut of the pre-releases, this is probably fine
while we work out other kinks.
Signed-off-by: Austin Seipp <aseipp@pobox.com>