added selinux support with restricted permissions

2025-04-21 03:55:32 +00:00 · 2024-12-05 13:20:17 -03:00 · 2024-12-05 13:20:17 -03:00 · be15a1650b
commit be15a1650b
parent d84fe592c8
4 changed files with 69 additions and 12 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -14,6 +14,7 @@ elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
    endif()
 endif()

+option(USE_RESTRICTED_SELINUX "compatibility mode for selinux restricted" OFF)
 option(USE_NATIVE_INSTRUCTIONS "USE_NATIVE_INSTRUCTIONS makes rpcs3 compile with -march=native, which is useful for local builds, but not good for packages." ON)
 option(WITH_LLVM "Enable usage of LLVM library" ON)
 option(BUILD_LLVM "Build LLVM from git submodule" OFF)
@ -137,6 +138,10 @@ if(NOT WIN32)
    add_compile_options(-pthread)
 endif()

+if(USE_RESTRICTED_KELINUX)
+    add_compile_definitions(RESTRICTED_SELINUX)
+endif()
+
 # TODO: do real installation, including copying directory structure
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_RELEASE "${PROJECT_BINARY_DIR}/bin")
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_DEBUG "${PROJECT_BINARY_DIR}/bin")
--- a/rpcs3/util/atomic.cpp
+++ b/rpcs3/util/atomic.cpp
@ -27,20 +27,66 @@ namespace utils

 #include "Utilities/sync.h"
 #include "Utilities/StrFmt.h"
+#include <sys/utsname.h>

 #ifdef __linux__
-static bool has_waitv()
-{
-	static const bool s_has_waitv = []
-	{
-		syscall(SYS_futex_waitv, 0, 0, 0, 0, 0);
-		if (errno == ENOSYS)
-			return false;
-		return true;
-	}();

-	return s_has_waitv;
+bool is_kernel_at_least(int required_major, int required_minor, int required_patch)
+    {
+    struct utsname buf {};
+    if (uname(&buf) == -1) {
+        return false;
+    }
+
+    int major = 0, minor = 0, patch = 0;
+    const char* end = buf.release + sizeof(buf.release);
+    auto result = std::from_chars(buf.release, end, major, 10);
+    if (result.ec != std::errc{}) {
+        return false;
+    }
+
+    result = std::from_chars(result.ptr + 1, end, minor, 10);
+    if (result.ec != std::errc{}) {
+        return false;
+    }
+
+    result = std::from_chars(result.ptr + 1, end, patch, 10);
+    if (result.ec != std::errc{}) {
+        return false;
+    }
+
+    if (major > required_major || (major == required_major && (minor > required_minor || (minor == required_minor && patch >= required_patch)))) {
+        return true;
+    } else {
+        return false;
+    }
 }
+
+static bool has_waitv() {
+
+#ifdef RESTRICTED_SELINUX
+
+return false;
+
+#endif
+
+    static const  bool s_has_waitv = [] {
+        if (is_kernel_at_least(5, 15, 0)) {
+            // Kernel >= 5.15
+            printf("kernel >= 5.16");
+            syscall(SYS_futex_waitv, 0, 0, 0, 0, 0);
+            return errno != ENOSYS;
+        } else {
+            // Kernel < 5.15
+            printf("kernel <= 5.16");
+            syscall(SYS_futex, 0, FUTEX_WAIT, 0, nullptr, nullptr, 0);
+            return errno != ENOSYS;
+        }
+    }();
+
+    return s_has_waitv;
+}
+
 #endif

 #include <utility>
--- a/rpcs3/util/cpu_stats.cpp
+++ b/rpcs3/util/cpu_stats.cpp
@ -212,8 +212,7 @@ namespace utils
 			}
 		}

-#elif __linux__
-
+#elif __linux__ && !RESTRICTED_SELINUX
 		m_previous_idle_times_per_cpu.resize(utils::get_thread_count(), 0.0);
 		m_previous_total_times_per_cpu.resize(utils::get_thread_count(), 0.0);

--- a/rpcs3/util/vm_native.cpp
+++ b/rpcs3/util/vm_native.cpp
@ -657,8 +657,15 @@ namespace utils
 #else

 #ifdef __linux__
+
+#ifdef RESTRICTED_SELINUX
+                //When trying to read low access files, the program breaks, so let's just use a default value.
+                if (const char c = '1'; c == '0' || c == '1')
+                {
+#else
 		if (const char c = fs::file("/proc/sys/vm/overcommit_memory").read<char>(); c == '0' || c == '1')
 		{
+#endif
 			// Simply use memfd for overcommit memory
 			m_file = ensure(::memfd_create_("", 0), FN(x >= 0));
 			ensure(::ftruncate(m_file, m_size) >= 0);