mirror of
https://github.com/RPCS3/rpcs3.git
synced 2025-08-03 14:50:40 +00:00
added selinux support with restricted permissions
This commit is contained in:
parent
d84fe592c8
commit
be15a1650b
4 changed files with 69 additions and 12 deletions
|
@ -14,6 +14,7 @@ elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
|
||||||
endif()
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
option(USE_RESTRICTED_SELINUX "compatibility mode for selinux restricted" OFF)
|
||||||
option(USE_NATIVE_INSTRUCTIONS "USE_NATIVE_INSTRUCTIONS makes rpcs3 compile with -march=native, which is useful for local builds, but not good for packages." ON)
|
option(USE_NATIVE_INSTRUCTIONS "USE_NATIVE_INSTRUCTIONS makes rpcs3 compile with -march=native, which is useful for local builds, but not good for packages." ON)
|
||||||
option(WITH_LLVM "Enable usage of LLVM library" ON)
|
option(WITH_LLVM "Enable usage of LLVM library" ON)
|
||||||
option(BUILD_LLVM "Build LLVM from git submodule" OFF)
|
option(BUILD_LLVM "Build LLVM from git submodule" OFF)
|
||||||
|
@ -137,6 +138,10 @@ if(NOT WIN32)
|
||||||
add_compile_options(-pthread)
|
add_compile_options(-pthread)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(USE_RESTRICTED_KELINUX)
|
||||||
|
add_compile_definitions(RESTRICTED_SELINUX)
|
||||||
|
endif()
|
||||||
|
|
||||||
# TODO: do real installation, including copying directory structure
|
# TODO: do real installation, including copying directory structure
|
||||||
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_RELEASE "${PROJECT_BINARY_DIR}/bin")
|
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_RELEASE "${PROJECT_BINARY_DIR}/bin")
|
||||||
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_DEBUG "${PROJECT_BINARY_DIR}/bin")
|
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_DEBUG "${PROJECT_BINARY_DIR}/bin")
|
||||||
|
|
|
@ -27,20 +27,66 @@ namespace utils
|
||||||
|
|
||||||
#include "Utilities/sync.h"
|
#include "Utilities/sync.h"
|
||||||
#include "Utilities/StrFmt.h"
|
#include "Utilities/StrFmt.h"
|
||||||
|
#include <sys/utsname.h>
|
||||||
|
|
||||||
#ifdef __linux__
|
#ifdef __linux__
|
||||||
static bool has_waitv()
|
|
||||||
{
|
|
||||||
static const bool s_has_waitv = []
|
|
||||||
{
|
|
||||||
syscall(SYS_futex_waitv, 0, 0, 0, 0, 0);
|
|
||||||
if (errno == ENOSYS)
|
|
||||||
return false;
|
|
||||||
return true;
|
|
||||||
}();
|
|
||||||
|
|
||||||
return s_has_waitv;
|
bool is_kernel_at_least(int required_major, int required_minor, int required_patch)
|
||||||
|
{
|
||||||
|
struct utsname buf {};
|
||||||
|
if (uname(&buf) == -1) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
int major = 0, minor = 0, patch = 0;
|
||||||
|
const char* end = buf.release + sizeof(buf.release);
|
||||||
|
auto result = std::from_chars(buf.release, end, major, 10);
|
||||||
|
if (result.ec != std::errc{}) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
result = std::from_chars(result.ptr + 1, end, minor, 10);
|
||||||
|
if (result.ec != std::errc{}) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
result = std::from_chars(result.ptr + 1, end, patch, 10);
|
||||||
|
if (result.ec != std::errc{}) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (major > required_major || (major == required_major && (minor > required_minor || (minor == required_minor && patch >= required_patch)))) {
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool has_waitv() {
|
||||||
|
|
||||||
|
#ifdef RESTRICTED_SELINUX
|
||||||
|
|
||||||
|
return false;
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static const bool s_has_waitv = [] {
|
||||||
|
if (is_kernel_at_least(5, 15, 0)) {
|
||||||
|
// Kernel >= 5.15
|
||||||
|
printf("kernel >= 5.16");
|
||||||
|
syscall(SYS_futex_waitv, 0, 0, 0, 0, 0);
|
||||||
|
return errno != ENOSYS;
|
||||||
|
} else {
|
||||||
|
// Kernel < 5.15
|
||||||
|
printf("kernel <= 5.16");
|
||||||
|
syscall(SYS_futex, 0, FUTEX_WAIT, 0, nullptr, nullptr, 0);
|
||||||
|
return errno != ENOSYS;
|
||||||
|
}
|
||||||
|
}();
|
||||||
|
|
||||||
|
return s_has_waitv;
|
||||||
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <utility>
|
#include <utility>
|
||||||
|
|
|
@ -212,8 +212,7 @@ namespace utils
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#elif __linux__
|
#elif __linux__ && !RESTRICTED_SELINUX
|
||||||
|
|
||||||
m_previous_idle_times_per_cpu.resize(utils::get_thread_count(), 0.0);
|
m_previous_idle_times_per_cpu.resize(utils::get_thread_count(), 0.0);
|
||||||
m_previous_total_times_per_cpu.resize(utils::get_thread_count(), 0.0);
|
m_previous_total_times_per_cpu.resize(utils::get_thread_count(), 0.0);
|
||||||
|
|
||||||
|
|
|
@ -657,8 +657,15 @@ namespace utils
|
||||||
#else
|
#else
|
||||||
|
|
||||||
#ifdef __linux__
|
#ifdef __linux__
|
||||||
|
|
||||||
|
#ifdef RESTRICTED_SELINUX
|
||||||
|
//When trying to read low access files, the program breaks, so let's just use a default value.
|
||||||
|
if (const char c = '1'; c == '0' || c == '1')
|
||||||
|
{
|
||||||
|
#else
|
||||||
if (const char c = fs::file("/proc/sys/vm/overcommit_memory").read<char>(); c == '0' || c == '1')
|
if (const char c = fs::file("/proc/sys/vm/overcommit_memory").read<char>(); c == '0' || c == '1')
|
||||||
{
|
{
|
||||||
|
#endif
|
||||||
// Simply use memfd for overcommit memory
|
// Simply use memfd for overcommit memory
|
||||||
m_file = ensure(::memfd_create_("", 0), FN(x >= 0));
|
m_file = ensure(::memfd_create_("", 0), FN(x >= 0));
|
||||||
ensure(::ftruncate(m_file, m_size) >= 0);
|
ensure(::ftruncate(m_file, m_size) >= 0);
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue