vn971 / rua

Build tool for Arch Linux providing control, review and jailed build options
GNU General Public License v3.0

You are building kernel with non-retpoline compiler. #150

Open sxul opened 3 years ago

sxul commented 3 years ago

I'm running rua install linux-xanmod. Does rua not support building a Linux kernel?

==> Starting build()...
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
  HYPERCALLS arch/x86/include/generated/asm/xen-hypercalls.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctls.h
  WRAP    arch/x86/include/generated/uapi/asm/ipcbuf.h
  WRAP    arch/x86/include/generated/uapi/asm/poll.h
You are building kernel with non-retpoline compiler.
  WRAP    arch/x86/include/generated/uapi/asm/param.h
  WRAP    arch/x86/include/generated/uapi/asm/resource.h
  WRAP    arch/x86/include/generated/uapi/asm/socket.h
  WRAP    arch/x86/include/generated/uapi/asm/sockios.h
  WRAP    arch/x86/include/generated/uapi/asm/termbits.h
  WRAP    arch/x86/include/generated/uapi/asm/termios.h
  WRAP    arch/x86/include/generated/uapi/asm/types.h
Please update your compiler.
make: *** [arch/x86/Makefile:338: checkbin] Error 1
make: *** Waiting for unfinished jobs....
==> ERROR: A failure occurred in build().
    Aborting...
Build failed with exit code 4 in /home/sxul07/.cache/rua/build/linux-xanmod

vn971 commented 3 years ago

Hey, guessing by the error log, this seems like a problem specific to the package (You are building kernel with non-retpoline compiler., Please update your compiler.)

sxul commented 3 years ago

> Hey, guessing by the error log, this seems like a problem specific to the package (You are building kernel with non-retpoline compiler., Please update your compiler.)

Emm, the point of the problem is that I can easily compile this package using yay or pakku or makepkg. Only rua can't... I have no idea about this, but I can be sure it has nothing to do with the compiler version.

vn971 commented 3 years ago

Understood. Could it be that the build process made a forbidden syscall (restricted via the use of seccomp in rua)? If the kernel you're building with supports seccomp audit, you'd be able to see it with grep syscall /var/log/audit/audit.log

vn971 commented 3 years ago

https://wiki.archlinux.org/index.php/Audit_framework

sxul commented 3 years ago

> Understood. Could it be that the build process made a forbidden syscall (restricted via the use of seccomp in rua)? If the kernel you're building with supports seccomp audit, you'd be able to see it with grep syscall /var/log/audit/audit.log

Sorry, I did not find any helpful information. Maybe I did not configure the correct audit rules.

vn971 commented 3 years ago

Thanks for the reply. It might be sufficient to check whether auditd runs from a systemd point of view, can you check it out?

systemctl status auditd.service

If it runs, and if there are no messages containing "syscall" after attempting to build a package, then the problem would not be due to syscalls.

sxul commented 3 years ago

> Thanks for the reply. It might be sufficient to check whether auditd runs from a systemd point of view, can you check it out?
>
> systemctl status auditd.service
>
> If it runs, and if there are no messages containing "syscall" after attempting to build a package, then the problem would not be due to syscalls

I tried to enable the auditd service (systemctl enable --now auditd), and I did see some output including the "syscall" keyword in the log, but I can't confirm that they are calls from rua. These logs are all sudo or whoami, I think they may be useless.

vn971 commented 3 years ago

@sxul do seccomp errors show up prior to starting the build? E.g. tail -Fn1000 /var/log/audit/audit.log | grep syscall, check if it's empty, then start build, check if things appear there.

I mean, it's not even easy to diagnose the build error reason anyway. Overall, the problem could arise from:

Essentially I'm using everything bwrap has to offer.

The exact description of all security steps taken is here: https://github.com/vn971/rua/blob/master/res/wrap.sh#L13
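
As an added example (not part of the original thread and not rua's code), this Python script separates kernel seccomp denials from the unrelated sudo/whoami entries that a plain grep for "syscall" also returns, and keeps only records logged after the build started. It assumes the usual Linux audit type=SECCOMP record layout; the sample records and the build_start value are constructed.

```python
import re
from collections import Counter

# seccomp return actions as they appear in the record's code= field (linux/seccomp.h).
ACTIONS = {0x80000000: "kill_process", 0x00000000: "kill_thread",
           0x00030000: "trap", 0x00050000: "errno", 0x7FFC0000: "log"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):\d+\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def seccomp_events(lines, since=0.0):
    """Return SECCOMP records stamped at or after `since` (epoch seconds).

    SYSCALL records also match a plain `grep syscall` and may come from
    unrelated tools such as sudo, so only type=SECCOMP is kept.
    """
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m or m.group(1) != "SECCOMP" or float(m.group(2)) < since:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        action = int(f.get("code", "0"), 16) & 0xFFFF0000  # drop the data bits
        events.append({"time": float(m.group(2)), "pid": int(f["pid"]),
                       "comm": f.get("comm", "?"), "syscall": int(f["syscall"]),
                       "action": ACTIONS.get(action, hex(action))})
    return events

def summarize(events):
    """Count denials per (process name, syscall number, action)."""
    return Counter((e["comm"], e["syscall"], e["action"]) for e in events)

# Constructed sample records (not from the thread); numbers are x86_64 syscall numbers.
SAMPLE = """\
type=SECCOMP msg=audit(1600000050.000:190): auid=1000 uid=1000 gid=1000 ses=2 pid=700 comm="old" exe="/usr/bin/old" sig=0 arch=c000003e syscall=101 compat=0 ip=0x7f0000000000 code=0x7ffc0000
type=SYSCALL msg=audit(1600000110.100:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SECCOMP msg=audit(1600000120.500:205): auid=1000 uid=1000 gid=1000 ses=2 pid=1200 comm="make" exe="/usr/bin/make" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7f0000001000 code=0x80000000
type=SECCOMP msg=audit(1600000120.900:206): auid=1000 uid=1000 gid=1000 ses=2 pid=1201 comm="make" exe="/usr/bin/make" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7f0000001000 code=0x80000000
"""

if __name__ == "__main__":
    build_start = 1600000100.0  # assumed: epoch time noted just before starting the build
    hits = summarize(seccomp_events(SAMPLE.splitlines(), build_start))
    for (comm, nr, action), n in hits.items():
        print(f"{n}x comm={comm} syscall={nr} action={action}")
```

An empty result for the build window means the audit log holds no seccomp denial for that run, which is the condition vn971 describes for ruling out syscall filtering.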