diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-01-23 17:01:39 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2020-03-23 11:14:35 -0400 |
commit | 9b129c41ac1f43d373742697aa2faf6040b9dfab (patch) | |
tree | 25c69d113e954473adb7b5209c76b67773a383e9 | |
parent | f5b3166d6126f4a45b59d6af6780b5e00a0e9867 (diff) | |
download | libseccomp-9b129c41ac1f43d373742697aa2faf6040b9dfab.tar.gz |
arch: use gperf to generate a perfact hash to lookup syscall names
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.
The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB passed
from ~0.45 sec to ~0.06s.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
other problems
* extracted the syscalls.csv and file deletions to other patches
to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
38 files changed, 1139 insertions, 223 deletions
diff --git a/.travis.yml b/.travis.yml index 7f54f00..a509652 100644 --- a/.travis.yml +++ b/.travis.yml @@ -39,6 +39,7 @@ addons: - valgrind - clang - lcov + - gperf env: global: diff --git a/configure.ac b/configure.ac index e8b77f2..40d9dcb 100644 --- a/configure.ac +++ b/configure.ac @@ -119,6 +119,11 @@ AC_DEFINE_UNQUOTED([ENABLE_PYTHON], [$(test "$enable_python" = yes && echo 1 || echo 0)], [Python bindings build flag.]) +AC_CHECK_TOOL(GPERF, gperf) +if test -z "$GPERF"; then + AC_MSG_ERROR([please install gperf]) +fi + dnl #### dnl coverity checks dnl #### diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h index d7eb383..2a4ebd3 100644 --- a/include/seccomp-syscalls.h +++ b/include/seccomp-syscalls.h @@ -274,6 +274,7 @@ #define __PNR_utimensat_time64 -10240 #define __PNR_ppoll -10241 #define __PNR_renameat -10242 +#define __PNR_riscv_flush_icache -10243 /* * libseccomp syscall definitions @@ -1507,6 +1508,12 @@ #define __SNR_restart_syscall __NR_restart_syscall +#ifdef __NR_riscv_flush_icache +#define __SNR_riscv_flush_icache __NR_riscv_flush_icache +#else +#define __SNR_riscv_flush_icache __PNR_riscv_flush_icache +#endif + #ifdef __NR_rmdir #define __SNR_rmdir __NR_rmdir #else diff --git a/src/.gitignore b/src/.gitignore index 530aec7..6b31a14 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -1,3 +1,5 @@ libseccomp.a arch-syscall-check arch-syscall-dump +syscalls.perf +syscalls.perf.c diff --git a/src/Makefile.am b/src/Makefile.am index 0a76ed0..bfe5e3d 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -31,22 +31,25 @@ SOURCES_ALL = \ hash.h hash.c \ db.h db.c \ arch.c arch.h \ - arch-x86.h arch-x86.c arch-x86-syscalls.c \ - arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \ - arch-x32.h arch-x32.c arch-x32-syscalls.c \ - arch-arm.h arch-arm.c arch-arm-syscalls.c \ - arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \ - arch-mips.h arch-mips.c arch-mips-syscalls.c \ - arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \ - arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \ - arch-parisc.h arch-parisc.c arch-parisc64.c arch-parisc-syscalls.c \ - arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \ - arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \ - arch-riscv64.h arch-riscv64.c arch-riscv64-syscalls.c \ - arch-s390.h arch-s390.c arch-s390-syscalls.c \ - arch-s390x.h arch-s390x.c arch-s390x-syscalls.c - -EXTRA_DIST = arch-syscall-validate syscalls.csv + arch-x86.h arch-x86.c \ + arch-x86_64.h arch-x86_64.c \ + arch-x32.h arch-x32.c \ + arch-arm.h arch-arm.c \ + arch-aarch64.h arch-aarch64.c \ + arch-mips.h arch-mips.c \ + arch-mips64.h arch-mips64.c \ + arch-mips64n32.h arch-mips64n32.c \ + arch-parisc.h arch-parisc.c arch-parisc64.c \ + arch-ppc.h arch-ppc.c \ + arch-ppc64.h arch-ppc64.c \ + arch-riscv64.h arch-riscv64.c \ + arch-s390.h arch-s390.c \ + arch-s390x.h arch-s390x.c \ + syscalls.h syscalls.c syscalls.perf.c + +EXTRA_DIST = \ + arch-syscall-validate arch-gperf-generate \ + syscalls.csv syscalls.perf.template TESTS = arch-syscall-check @@ -67,5 +70,15 @@ libseccomp_la_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS} ${CFLAGS} \ libseccomp_la_LDFLAGS = ${AM_LDFLAGS} ${CODE_COVERAGE_LDFLAGS} ${LDFLAGS} \ -version-number ${VERSION_MAJOR}:${VERSION_MINOR}:${VERSION_MICRO} +EXTRA_DIST += syscalls.perf.c syscalls.perf +CLEANFILES = syscalls.perf.c syscalls.perf + +syscalls.perf: syscalls.csv syscalls.perf.template + ${AM_V_GEN} ${srcdir}/arch-gperf-generate \ + ${srcdir}/syscalls.csv ${srcdir}/syscalls.perf.template + +syscalls.perf.c: syscalls.perf + ${GPERF} -m 100 --null-strings --pic -tCEG -T -S1 $< > $@ + check-build: ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS} diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h index cde11cf..ed1877a 100644 --- a/src/arch-aarch64.h +++ b/src/arch-aarch64.h @@ -22,16 +22,8 @@ #ifndef _ARCH_AARCH64_H #define _ARCH_AARCH64_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_aarch64; - -int aarch64_syscall_resolve_name(const char *name); -const char *aarch64_syscall_resolve_num(int num); -const struct arch_syscall_def *aarch64_syscall_iterate(unsigned int spot); +ARCH_DECL(aarch64) #endif diff --git a/src/arch-arm.c b/src/arch-arm.c index c797f3f..3465111 100644 --- a/src/arch-arm.c +++ b/src/arch-arm.c @@ -26,13 +26,58 @@ #include "arch.h" #include "arch-arm.h" +#define __SCMP_NR_OABI_SYSCALL_BASE 0x900000 +#define __SCMP_ARM_NR_BASE 0x0f0000 + +/* NOTE: we currently only support the ARM EABI, more info at the URL below: + * -> http://wiki.embeddedarm.com/wiki/EABI_vs_OABI */ +#if 1 +#define __SCMP_NR_BASE 0 +#else +#define __SCMP_NR_BASE __SCMP_NR_OABI_SYSCALL_BASE +#endif + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int arm_syscall_resolve_name_munge(const char *name) +{ + int sys; + + sys = arm_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR) + return sys; + + return sys + __SCMP_NR_BASE; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *arm_syscall_resolve_num_munge(int num) +{ + return arm_syscall_resolve_num(num - __SCMP_NR_BASE); +} + const struct arch_def arch_def_arm = { .token = SCMP_ARCH_ARM, .token_bpf = AUDIT_ARCH_ARM, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = arm_syscall_resolve_name, - .syscall_resolve_num = arm_syscall_resolve_num, + .syscall_resolve_name = arm_syscall_resolve_name_munge, + .syscall_resolve_num = arm_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; diff --git a/src/arch-arm.h b/src/arch-arm.h index 9f675d8..34e6c91 100644 --- a/src/arch-arm.h +++ b/src/arch-arm.h @@ -22,16 +22,8 @@ #ifndef _ARCH_ARM_H #define _ARCH_ARM_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_arm; - -int arm_syscall_resolve_name(const char *name); -const char *arm_syscall_resolve_num(int num); -const struct arch_syscall_def *arm_syscall_iterate(unsigned int spot); +ARCH_DECL(arm) #endif diff --git a/src/arch-gperf-generate b/src/arch-gperf-generate new file mode 100755 index 0000000..9e6c000 --- /dev/null +++ b/src/arch-gperf-generate @@ -0,0 +1,40 @@ +#!/bin/bash + +# NOTE: changes to the arch_syscall_table struct in syscalls.h will affect +# this script/gperf - BEWARE! + +### +# helper functions + +function exit_usage() { + echo "usage: $0 <syscall_csv_file> <gperf_template>" + exit 1 +} + +### +# main + +# sanity check +[[ ! -r "$1" || ! -r "$2" ]] && exit_usage +sys_csv=$1 +gperf_tmpl=$2 + +sys_csv_tmp=$(mktemp -t generate_syscalls_XXXXXX) + +# filter and prepare the syscall csv file +cat $sys_csv | grep -v '^#' | nl -ba -s, -v0 | \ + sed -e 's/^[[:space:]]\+\([0-9]\+\),\([^,]\+\),\(.*\)/\2,\1,\3/' \ + -e ':repeat; {s|\([^,]\+\)\(.*\)[^_]PNR|\1\2,__PNR_\1|g;}; t repeat' \ + > $sys_csv_tmp +[[ $? -ne 0 ]] && exit 1 + +# create the gperf file +sed -e "/@@SYSCALLS_TABLE@@/r $sys_csv_tmp" \ + -e '/@@SYSCALLS_TABLE@@/d' \ + $gperf_tmpl > syscalls.perf +[[ $? -ne 0 ]] && exit 1 + +# cleanup +rm -f $sys_csv_tmp + +exit 0 diff --git a/src/arch-mips.c b/src/arch-mips.c index 1d1f4e2..f0e6a14 100644 --- a/src/arch-mips.c +++ b/src/arch-mips.c @@ -27,13 +27,50 @@ #include "arch.h" #include "arch-mips.h" +/* O32 ABI */ +#define __SCMP_NR_BASE 4000 + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int mips_syscall_resolve_name_munge(const char *name) +{ + int sys; + + sys = mips_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR) + return sys; + + return sys + __SCMP_NR_BASE; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *mips_syscall_resolve_num_munge(int num) +{ + return mips_syscall_resolve_num(num - __SCMP_NR_BASE); +} + const struct arch_def arch_def_mips = { .token = SCMP_ARCH_MIPS, .token_bpf = AUDIT_ARCH_MIPS, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_BIG, - .syscall_resolve_name = mips_syscall_resolve_name, - .syscall_resolve_num = mips_syscall_resolve_num, + .syscall_resolve_name = mips_syscall_resolve_name_munge, + .syscall_resolve_num = mips_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; @@ -43,8 +80,8 @@ const struct arch_def arch_def_mipsel = { .token_bpf = AUDIT_ARCH_MIPSEL, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = mips_syscall_resolve_name, - .syscall_resolve_num = mips_syscall_resolve_num, + .syscall_resolve_name = mips_syscall_resolve_name_munge, + .syscall_resolve_num = mips_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; diff --git a/src/arch-mips.h b/src/arch-mips.h index 51f86ce..c8752a8 100644 --- a/src/arch-mips.h +++ b/src/arch-mips.h @@ -23,17 +23,9 @@ #ifndef _ARCH_MIPS_H #define _ARCH_MIPS_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_mips; -extern const struct arch_def arch_def_mipsel; - -int mips_syscall_resolve_name(const char *name); -const char *mips_syscall_resolve_num(int num); -const struct arch_syscall_def *mips_syscall_iterate(unsigned int spot); +ARCH_DECL(mips) +ARCH_DECL(mipsel) #endif diff --git a/src/arch-mips64.c b/src/arch-mips64.c index f98982c..9707d1c 100644 --- a/src/arch-mips64.c +++ b/src/arch-mips64.c @@ -25,13 +25,50 @@ #include "arch.h" #include "arch-mips64.h" +/* 64 ABI */ +#define __SCMP_NR_BASE 5000 + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int mips64_syscall_resolve_name_munge(const char *name) +{ + int sys; + + sys = mips64_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR) + return sys; + + return sys + __SCMP_NR_BASE; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *mips64_syscall_resolve_num_munge(int num) +{ + return mips64_syscall_resolve_num(num - __SCMP_NR_BASE); +} + const struct arch_def arch_def_mips64 = { .token = SCMP_ARCH_MIPS64, .token_bpf = AUDIT_ARCH_MIPS64, .size = ARCH_SIZE_64, .endian = ARCH_ENDIAN_BIG, - .syscall_resolve_name = mips64_syscall_resolve_name, - .syscall_resolve_num = mips64_syscall_resolve_num, + .syscall_resolve_name = mips64_syscall_resolve_name_munge, + .syscall_resolve_num = mips64_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; @@ -41,8 +78,8 @@ const struct arch_def arch_def_mipsel64 = { .token_bpf = AUDIT_ARCH_MIPSEL64, .size = ARCH_SIZE_64, .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = mips64_syscall_resolve_name, - .syscall_resolve_num = mips64_syscall_resolve_num, + .syscall_resolve_name = mips64_syscall_resolve_name_munge, + .syscall_resolve_num = mips64_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; diff --git a/src/arch-mips64.h b/src/arch-mips64.h index 7f231ce..c8eaba8 100644 --- a/src/arch-mips64.h +++ b/src/arch-mips64.h @@ -23,17 +23,9 @@ #ifndef _ARCH_MIPS64_H #define _ARCH_MIPS64_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_mips64; -extern const struct arch_def arch_def_mipsel64; - -int mips64_syscall_resolve_name(const char *name); -const char *mips64_syscall_resolve_num(int num); -const struct arch_syscall_def *mips64_syscall_iterate(unsigned int spot); +ARCH_DECL(mips64) +ARCH_DECL(mipsel64) -#endif
\ No newline at end of file +#endif diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c index 90ead98..f8088ae 100644 --- a/src/arch-mips64n32.c +++ b/src/arch-mips64n32.c @@ -27,13 +27,50 @@ #include "arch.h" #include "arch-mips64n32.h" +/* N32 ABI */ +#define __SCMP_NR_BASE 6000 + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int mips64n32_syscall_resolve_name_munge(const char *name) +{ + int sys; + + sys = mips64n32_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR) + return sys; + + return sys + __SCMP_NR_BASE; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *mips64n32_syscall_resolve_num_munge(int num) +{ + return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE); +} + const struct arch_def arch_def_mips64n32 = { .token = SCMP_ARCH_MIPS64N32, .token_bpf = AUDIT_ARCH_MIPS64N32, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_BIG, - .syscall_resolve_name = mips64n32_syscall_resolve_name, - .syscall_resolve_num = mips64n32_syscall_resolve_num, + .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, + .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; @@ -43,8 +80,8 @@ const struct arch_def arch_def_mipsel64n32 = { .token_bpf = AUDIT_ARCH_MIPSEL64N32, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = mips64n32_syscall_resolve_name, - .syscall_resolve_num = mips64n32_syscall_resolve_num, + .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, + .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; diff --git a/src/arch-mips64n32.h b/src/arch-mips64n32.h index fd7e542..7f9146a 100644 --- a/src/arch-mips64n32.h +++ b/src/arch-mips64n32.h @@ -23,17 +23,9 @@ #ifndef _ARCH_MIPS64N32_H #define _ARCH_MIPS64N32_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_mips64n32; -extern const struct arch_def arch_def_mipsel64n32; - -int mips64n32_syscall_resolve_name(const char *name); -const char *mips64n32_syscall_resolve_num(int num); -const struct arch_syscall_def *mips64n32_syscall_iterate(unsigned int spot); +ARCH_DECL(mips64n32) +ARCH_DECL(mipsel64n32) #endif diff --git a/src/arch-parisc.h b/src/arch-parisc.h index d51a227..d65169c 100644 --- a/src/arch-parisc.h +++ b/src/arch-parisc.h @@ -22,17 +22,9 @@ #ifndef _ARCH_PARISC_H #define _ARCH_PARISC_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_parisc; -extern const struct arch_def arch_def_parisc64; - -int parisc_syscall_resolve_name(const char *name); -const char *parisc_syscall_resolve_num(int num); -const struct arch_syscall_def *parisc_syscall_iterate(unsigned int spot); +ARCH_DECL(parisc) +ARCH_DECL(parisc64) #endif diff --git a/src/arch-ppc.h b/src/arch-ppc.h index 0b5ffa5..f46aa1d 100644 --- a/src/arch-ppc.h +++ b/src/arch-ppc.h @@ -23,16 +23,8 @@ #ifndef _ARCH_PPC_H #define _ARCH_PPC_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_ppc; - -int ppc_syscall_resolve_name(const char *name); -const char *ppc_syscall_resolve_num(int num); -const struct arch_syscall_def *ppc_syscall_iterate(unsigned int spot); +ARCH_DECL(ppc) #endif diff --git a/src/arch-ppc64.h b/src/arch-ppc64.h index beb24f7..a0f7eb1 100644 --- a/src/arch-ppc64.h +++ b/src/arch-ppc64.h @@ -23,17 +23,9 @@ #ifndef _ARCH_PPC64_H #define _ARCH_PPC64_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_ppc64; -extern const struct arch_def arch_def_ppc64le; - -int ppc64_syscall_resolve_name(const char *name); -const char *ppc64_syscall_resolve_num(int num); -const struct arch_syscall_def *ppc64_syscall_iterate(unsigned int spot); +ARCH_DECL(ppc64) +ARCH_DECL(ppc64le) #endif diff --git a/src/arch-riscv64.h b/src/arch-riscv64.h index 16fca6b..96939f2 100644 --- a/src/arch-riscv64.h +++ b/src/arch-riscv64.h @@ -15,16 +15,8 @@ #ifndef _ARCH_RISCV64_H #define _ARCH_RISCV64_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_riscv64; - -int riscv64_syscall_resolve_name(const char *name); -const char *riscv64_syscall_resolve_num(int num); -const struct arch_syscall_def *riscv64_syscall_iterate(unsigned int spot); +ARCH_DECL(riscv64) #endif diff --git a/src/arch-s390.c b/src/arch-s390.c index 6c13368..68bc7e4 100644 --- a/src/arch-s390.c +++ b/src/arch-s390.c @@ -8,6 +8,8 @@ #include <string.h> #include <linux/audit.h> +#include "db.h" +#include "syscalls.h" #include "arch.h" #include "arch-s390.h" @@ -15,16 +17,131 @@ #define __s390_NR_socketcall 102 #define __s390_NR_ipc 117 -const struct arch_def arch_def_s390 = { - .token = SCMP_ARCH_S390, - .token_bpf = AUDIT_ARCH_S390, - .size = ARCH_SIZE_32, - .endian = ARCH_ENDIAN_BIG, - .syscall_resolve_name = s390_syscall_resolve_name, - .syscall_resolve_num = s390_syscall_resolve_num, - .syscall_rewrite = s390_syscall_rewrite, - .rule_add = s390_rule_add, -}; +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int s390_syscall_resolve_name_munge(const char *name) +{ + if (strcmp(name, "accept") == 0) + return __PNR_accept; + if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shmat") == 0) + return __PNR_shmat; + else if (strcmp(name, "shmdt") == 0) + return __PNR_shmdt; + else if (strcmp(name, "shmget") == 0) + return __PNR_shmget; + else if (strcmp(name, "shmctl") == 0) + return __PNR_shmctl; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + + return s390_syscall_resolve_name(name); +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *s390_syscall_resolve_num_munge(int num) +{ + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shmat) + return "shmat"; + else if (num == __PNR_shmdt) + return "shmdt"; + else if (num == __PNR_shmget) + return "shmget"; + else if (num == __PNR_shmctl) + return "shmctl"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + + return s390_syscall_resolve_num(num); +} /** * Convert a multiplexed pseudo syscall into a direct syscall @@ -448,3 +565,14 @@ add_return: free(rule_dup); return rc; } + +const struct arch_def arch_def_s390 = { + .token = SCMP_ARCH_S390, + .token_bpf = AUDIT_ARCH_S390, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, + .syscall_resolve_name = s390_syscall_resolve_name_munge, + .syscall_resolve_num = s390_syscall_resolve_num_munge, + .syscall_rewrite = s390_syscall_rewrite, + .rule_add = s390_rule_add, +}; diff --git a/src/arch-s390.h b/src/arch-s390.h index 61abaf9..3881ef3 100644 --- a/src/arch-s390.h +++ b/src/arch-s390.h @@ -6,24 +6,8 @@ #ifndef _ARCH_S390_H #define _ARCH_S390_H -#include <inttypes.h> - #include "arch.h" -#include "db.h" -#include "system.h" - -#define s390_arg_count_max 6 - -extern const struct arch_def arch_def_s390; -#define s390_arg_offset(x) (offsetof(struct seccomp_data, args[x])) - -int s390_syscall_resolve_name(const char *name); -const char *s390_syscall_resolve_num(int num); - -const struct arch_syscall_def *s390_syscall_iterate(unsigned int spot); - -int s390_syscall_rewrite(int *syscall); -int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule); +ARCH_DECL(s390) #endif diff --git a/src/arch-s390x.c b/src/arch-s390x.c index 8815e6a..c0d9fba 100644 --- a/src/arch-s390x.c +++ b/src/arch-s390x.c @@ -8,6 +8,8 @@ #include <string.h> #include <linux/audit.h> +#include "db.h" +#include "syscalls.h" #include "arch.h" #include "arch-s390x.h" @@ -15,16 +17,131 @@ #define __s390x_NR_socketcall 102 #define __s390x_NR_ipc 117 -const struct arch_def arch_def_s390x = { - .token = SCMP_ARCH_S390X, - .token_bpf = AUDIT_ARCH_S390X, - .size = ARCH_SIZE_64, - .endian = ARCH_ENDIAN_BIG, - .syscall_resolve_name = s390x_syscall_resolve_name, - .syscall_resolve_num = s390x_syscall_resolve_num, - .syscall_rewrite = s390x_syscall_rewrite, - .rule_add = s390x_rule_add, -}; +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int s390x_syscall_resolve_name_munge(const char *name) +{ + if (strcmp(name, "accept") == 0) + return __PNR_accept; + if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shmat") == 0) + return __PNR_shmat; + else if (strcmp(name, "shmdt") == 0) + return __PNR_shmdt; + else if (strcmp(name, "shmget") == 0) + return __PNR_shmget; + else if (strcmp(name, "shmctl") == 0) + return __PNR_shmctl; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + + return s390x_syscall_resolve_name(name); +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *s390x_syscall_resolve_num_munge(int num) +{ + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shmat) + return "shmat"; + else if (num == __PNR_shmdt) + return "shmdt"; + else if (num == __PNR_shmget) + return "shmget"; + else if (num == __PNR_shmctl) + return "shmctl"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + + return s390x_syscall_resolve_num(num); +} /** * Convert a multiplexed pseudo socket syscall into a direct syscall @@ -450,3 +567,14 @@ add_return: free(rule_dup); return rc; } + +const struct arch_def arch_def_s390x = { + .token = SCMP_ARCH_S390X, + .token_bpf = AUDIT_ARCH_S390X, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, + .syscall_resolve_name = s390x_syscall_resolve_name_munge, + .syscall_resolve_num = s390x_syscall_resolve_num_munge, + .syscall_rewrite = s390x_syscall_rewrite, + .rule_add = s390x_rule_add, +}; diff --git a/src/arch-s390x.h b/src/arch-s390x.h index 9fb087b..9592ec9 100644 --- a/src/arch-s390x.h +++ b/src/arch-s390x.h @@ -6,27 +6,8 @@ #ifndef _ARCH_S390X_H #define _ARCH_S390X_H -#include <inttypes.h> - #include "arch.h" -#include "db.h" -#include "system.h" - -#define s390x_arg_count_max 6 - -extern const struct arch_def arch_def_s390x; -#define s390x_arg_offset(x) (offsetof(struct seccomp_data, args[x])) - -#define s390x_arg_offset_lo(x) (s390x_arg_offset(x) + 4) -#define s390x_arg_offset_hi(x) (s390x_arg_offset(x)) - -int s390x_syscall_resolve_name(const char *name); -const char *s390x_syscall_resolve_num(int num); - -const struct arch_syscall_def *s390x_syscall_iterate(unsigned int spot); - -int s390x_syscall_rewrite(int *syscall); -int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule); +ARCH_DECL(s390x) #endif diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate index 6852782..4119963 100755 --- a/src/arch-syscall-validate +++ b/src/arch-syscall-validate @@ -766,7 +766,7 @@ function gen_csv() { # abi list # NOTE: the ordering here is dependent on the layout of the - # arch_syscall_def_internal struct in syscalls.h - BEWARE! + # arch_syscall_table struct in syscalls.h - BEWARE! abi_list="" abi_list+=" x86 x86_64 x32" abi_list+=" arm aarch64" diff --git a/src/arch-x32.c b/src/arch-x32.c index d45ac06..7b97fb3 100644 --- a/src/arch-x32.c +++ b/src/arch-x32.c @@ -26,14 +26,48 @@ #include "arch.h" #include "arch-x32.h" +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int x32_syscall_resolve_name_munge(const char *name) +{ + int sys; + + sys = x32_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR) + return sys; + + return sys + X32_SYSCALL_BIT; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *x32_syscall_resolve_num_munge(int num) +{ + return x32_syscall_resolve_num(num - X32_SYSCALL_BIT); +} + const struct arch_def arch_def_x32 = { .token = SCMP_ARCH_X32, /* NOTE: this seems odd but the kernel treats x32 like x86_64 here */ .token_bpf = AUDIT_ARCH_X86_64, .size = ARCH_SIZE_32, .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = x32_syscall_resolve_name, - .syscall_resolve_num = x32_syscall_resolve_num, + .syscall_resolve_name = x32_syscall_resolve_name_munge, + .syscall_resolve_num = x32_syscall_resolve_num_munge, .syscall_rewrite = NULL, .rule_add = NULL, }; diff --git a/src/arch-x32.h b/src/arch-x32.h index d166c3c..639fd20 100644 --- a/src/arch-x32.h +++ b/src/arch-x32.h @@ -22,18 +22,10 @@ #ifndef _ARCH_X32_H #define _ARCH_X32_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -#define X32_SYSCALL_BIT 0x40000000 - -extern const struct arch_def arch_def_x32; -int x32_syscall_resolve_name(const char *name); -const char *x32_syscall_resolve_num(int num); +#define X32_SYSCALL_BIT 0x40000000 -const struct arch_syscall_def *x32_syscall_iterate(unsigned int spot); +ARCH_DECL(x32) #endif diff --git a/src/arch-x86.c b/src/arch-x86.c index fc0deaa..2a4c074 100644 --- a/src/arch-x86.c +++ b/src/arch-x86.c @@ -24,6 +24,8 @@ #include <string.h> #include <linux/audit.h> +#include "db.h" +#include "syscalls.h" #include "arch.h" #include "arch-x86.h" @@ -31,16 +33,165 @@ #define __x86_NR_socketcall 102 #define __x86_NR_ipc 117 -const struct arch_def arch_def_x86 = { - .token = SCMP_ARCH_X86, - .token_bpf = AUDIT_ARCH_I386, - .size = ARCH_SIZE_32, - .endian = ARCH_ENDIAN_LITTLE, - .syscall_resolve_name = x86_syscall_resolve_name, - .syscall_resolve_num = x86_syscall_resolve_num, - .syscall_rewrite = x86_syscall_rewrite, - .rule_add = x86_rule_add, -}; +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int x86_syscall_resolve_name_munge(const char *name) +{ + if (strcmp(name, "accept") == 0) + return __PNR_accept; + else if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + + if (strcmp(name, "semop") == 0) + return __PNR_semop; + else if (strcmp(name, "semget") == 0) + return __PNR_semget; + else if (strcmp(name, "semctl") == 0) + return __PNR_semctl; + else if (strcmp(name, "semtimedop") == 0) + return __PNR_semtimedop; + else if (strcmp(name, "msgsnd") == 0) + return __PNR_msgsnd; + else if (strcmp(name, "msgrcv") == 0) + return __PNR_msgrcv; + else if (strcmp(name, "msgget") == 0) + return __PNR_msgget; + else if (strcmp(name, "msgctl") == 0) + return __PNR_msgctl; + else if (strcmp(name, "shmat") == 0) + return __PNR_shmat; + else if (strcmp(name, "shmdt") == 0) + return __PNR_shmdt; + else if (strcmp(name, "shmget") == 0) + return __PNR_shmget; + else if (strcmp(name, "shmctl") == 0) + return __PNR_shmctl; + + return x86_syscall_resolve_name(name); +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *x86_syscall_resolve_num_munge(int num) +{ + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + + if (num == __PNR_semop) + return "semop"; + else if (num == __PNR_semget) + return "semget"; + else if (num == __PNR_semctl) + return "semctl"; + else if (num == __PNR_semtimedop) + return "semtimedop"; + else if (num == __PNR_msgsnd) + return "msgsnd"; + else if (num == __PNR_msgrcv) + return "msgrcv"; + else if (num == __PNR_msgget) + return "msgget"; + else if (num == __PNR_msgctl) + return "msgctl"; + else if (num == __PNR_shmat) + return "shmat"; + else if (num == __PNR_shmdt) + return "shmdt"; + else if (num == __PNR_shmget) + return "shmget"; + else if (num == __PNR_shmctl) + return "shmctl"; + + return x86_syscall_resolve_num(num); +} /** * Convert a multiplexed pseudo syscall into a direct syscall @@ -461,3 +612,14 @@ add_return: free(rule_dup); return rc; } + +const struct arch_def arch_def_x86 = { + .token = SCMP_ARCH_X86, + .token_bpf = AUDIT_ARCH_I386, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = x86_syscall_resolve_name_munge, + .syscall_resolve_num = x86_syscall_resolve_num_munge, + .syscall_rewrite = x86_syscall_rewrite, + .rule_add = x86_rule_add, +}; diff --git a/src/arch-x86.h b/src/arch-x86.h index 4aa5e9b..a2e0b12 100644 --- a/src/arch-x86.h +++ b/src/arch-x86.h @@ -22,21 +22,8 @@ #ifndef _ARCH_X86_H #define _ARCH_X86_H -#include <stdbool.h> - #include "arch.h" -#include "db.h" -#include "system.h" - -extern const struct arch_def arch_def_x86; - -int x86_syscall_resolve_name(const char *name); -const char *x86_syscall_resolve_num(int num); - -const struct arch_syscall_def *x86_syscall_iterate(unsigned int spot); - -int x86_syscall_rewrite(int *syscall); -int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule); +ARCH_DECL(x86) #endif diff --git a/src/arch-x86_64.h b/src/arch-x86_64.h index c770d75..fcba125 100644 --- a/src/arch-x86_64.h +++ b/src/arch-x86_64.h @@ -22,16 +22,8 @@ #ifndef _ARCH_x86_64_H #define _ARCH_x86_64_H -#include <inttypes.h> - #include "arch.h" -#include "system.h" - -extern const struct arch_def arch_def_x86_64; - -int x86_64_syscall_resolve_name(const char *name); -const char *x86_64_syscall_resolve_num(int num); -const struct arch_syscall_def *x86_64_syscall_iterate(unsigned int spot); +ARCH_DECL(x86_64) #endif @@ -59,6 +59,13 @@ struct arch_def { /* arch_def for the current architecture */ extern const struct arch_def *arch_def_native; +/* macro to declare the arch specific structures and functions */ +#define ARCH_DECL(NAME) \ + extern const struct arch_def arch_def_##NAME; \ + int NAME##_syscall_resolve_name(const char *name); \ + const char *NAME##_syscall_resolve_num(int num); \ + const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot); + /* syscall name/num mapping */ struct arch_syscall_def { const char *name; diff --git a/src/syscalls.c b/src/syscalls.c new file mode 100644 index 0000000..7f813cd --- /dev/null +++ b/src/syscalls.c @@ -0,0 +1,55 @@ +/** + * Enhanced Seccomp x86_64 Syscall Table + * + * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + * gperf support: Giuseppe Scrivano <gscrivan@redhat.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ +#include <seccomp.h> +#include <string.h> + +#include "arch.h" +#include "syscalls.h" + +#define ARCH_DEF(NAME) \ + int NAME##_syscall_resolve_name(const char *name) \ + { \ + return syscall_resolve_name(name, OFFSET_ARCH(NAME)); \ + } \ + const char *NAME##_syscall_resolve_num(int num) \ + { \ + return syscall_resolve_num(num, OFFSET_ARCH(NAME)); \ + } \ + const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot) \ + { \ + return syscall_iterate(spot, OFFSET_ARCH(NAME)); \ + } + +ARCH_DEF(x86_64) +ARCH_DEF(arm) +ARCH_DEF(aarch64) +ARCH_DEF(mips64n32) +ARCH_DEF(mips64) +ARCH_DEF(mips) +ARCH_DEF(parisc) +ARCH_DEF(ppc64) +ARCH_DEF(ppc) +ARCH_DEF(s390) +ARCH_DEF(s390x) +ARCH_DEF(x32) +ARCH_DEF(x86) +ARCH_DEF(riscv64) diff --git a/src/syscalls.h b/src/syscalls.h new file mode 100644 index 0000000..d638733 --- /dev/null +++ b/src/syscalls.h @@ -0,0 +1,62 @@ +/** + * Enhanced Seccomp x86_64 Syscall Table + * + * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + * gperf support: Giuseppe Scrivano <gscrivan@redhat.com> + */ + +#ifndef _SYSCALLS_H +#define _SYSCALLS_H + +#include <stddef.h> + +#include "arch-aarch64.h" +#include "arch-arm.h" +#include "arch.h" +#include "arch-mips64.h" +#include "arch-mips64n32.h" +#include "arch-mips.h" +#include "arch-parisc.h" +#include "arch-ppc64.h" +#include "arch-ppc.h" +#include "arch-s390.h" +#include "arch-s390x.h" +#include "arch-x32.h" +#include "arch-x86_64.h" +#include "arch-x86.h" +#include "arch-x86.h" +#include "arch-riscv64.h" + +/* NOTE: changes to the arch_syscall_table layout may require changes to the + * generate_syscalls_perf.sh and arch-syscall-validate scripts */ +struct arch_syscall_table { + int name; + int index; + + /* each arch listed here must be defined in syscalls.c */ + /* NOTE: see the warning above - BEWARE! */ + int x86; + int x86_64; + int x32; + int arm; + int aarch64; + int mips; + int mips64; + int mips64n32; + int parisc; + int parisc64; + int ppc; + int ppc64; + int riscv64; + int s390; + int s390x; +}; +#define OFFSET_ARCH(NAME) offsetof(struct arch_syscall_table, NAME) + +/* defined in syscalls.perf.template */ +int syscall_resolve_name(const char *name, int offset); +const char *syscall_resolve_num(int num, int offset); +const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset); + +#endif diff --git a/src/syscalls.perf.template b/src/syscalls.perf.template new file mode 100644 index 0000000..f1fd3db --- /dev/null +++ b/src/syscalls.perf.template @@ -0,0 +1,82 @@ +%{ +/** + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Copyright (c) 2020 Red Hat <gscrivan@redhat.com> + * Authors: Paul Moore <paul@paul-moore.com> + * Giuseppe Scrivano <gscrivan@redhat.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <seccomp.h> +#include <string.h> +#include "syscalls.h" + +%} +struct arch_syscall_table; + +%% +@@SYSCALLS_TABLE@@ +%% + +static int syscall_get_offset_value(const struct arch_syscall_table *s, + int offset) +{ + return *(int *)((char *)s + offset); +} + +int syscall_resolve_name(const char *name, int offset) +{ + const struct arch_syscall_table *s; + + s = in_word_set(name, strlen(name)); + if (s == NULL) + return __NR_SCMP_ERROR; + + return syscall_get_offset_value(s, offset); +} + +const char *syscall_resolve_num(int num, int offset) +{ + unsigned int iter; + + for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) { + if (syscall_get_offset_value(&wordlist[iter], offset) == num) + return (stringpool + wordlist[iter].name); + } + + return NULL; +} + +const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset) +{ + unsigned int iter; + /* this is thread-unsafe, only use for testing */ + static struct arch_syscall_def arch_def; + + arch_def.name = NULL; + arch_def.num = __NR_SCMP_ERROR; + + for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) { + if (wordlist[iter].index == spot) { + arch_def.name = stringpool + wordlist[iter].name; + arch_def.num = syscall_get_offset_value(&wordlist[iter], + offset); + return &arch_def; + } + } + + return &arch_def; +} diff --git a/tests/.gitignore b/tests/.gitignore index bd00e14..c536766 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -61,3 +61,4 @@ util.pyc 53-sim-binary_tree 54-live-binary_tree 55-basic-pfc_binary_tree +56-basic-iterate_syscalls diff --git a/tests/56-basic-iterate_syscalls.c b/tests/56-basic-iterate_syscalls.c new file mode 100644 index 0000000..5e7ab67 --- /dev/null +++ b/tests/56-basic-iterate_syscalls.c @@ -0,0 +1,90 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2020 Red Hat <gscrivan@redhat.com> + * Author: Giuseppe Scrivano <gscrivan@redhat.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <stdio.h> + +#include <seccomp.h> + +unsigned int arch_list[] = { + SCMP_ARCH_NATIVE, + SCMP_ARCH_X86, + SCMP_ARCH_X86_64, + SCMP_ARCH_X32, + SCMP_ARCH_ARM, + SCMP_ARCH_AARCH64, + SCMP_ARCH_MIPS, + SCMP_ARCH_MIPS64, + SCMP_ARCH_MIPS64N32, + SCMP_ARCH_MIPSEL, + SCMP_ARCH_MIPSEL64, + SCMP_ARCH_MIPSEL64N32, + SCMP_ARCH_PPC, + SCMP_ARCH_PPC64, + SCMP_ARCH_PPC64LE, + SCMP_ARCH_S390, + SCMP_ARCH_S390X, + SCMP_ARCH_PARISC, + SCMP_ARCH_PARISC64, + SCMP_ARCH_RISCV64, + -1 +}; + +static int test_arch(int arch, int init) +{ + int n, iter = 0; + + for (iter = init; iter < init + 1000; iter++) { + char *name; + + name = seccomp_syscall_resolve_num_arch(arch, iter); + if (name == NULL) + continue; + + n = seccomp_syscall_resolve_name_arch(arch, name); + if (n != iter) + return 1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + int iter = 0; + + for (iter = 0; arch_list[iter] != -1; iter++) { + int init = 0; + if (arch_list[iter] == SCMP_ARCH_X32) + init = 0x40000000; + else if (arch_list[iter] == SCMP_ARCH_MIPS) + init = 4000; + else if (arch_list[iter] == SCMP_ARCH_MIPS64) + init = 5000; + else if (arch_list[iter] == SCMP_ARCH_MIPS64N32) + init = 6000; + if (test_arch(arch_list[iter], init) < 0) + return 1; + } + + return 0; +} diff --git a/tests/56-basic-iterate_syscalls.py b/tests/56-basic-iterate_syscalls.py new file mode 100755 index 0000000..77a5b89 --- /dev/null +++ b/tests/56-basic-iterate_syscalls.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2020 Red Hat <gscrivan@redhat.com> +# Author: Giuseppe Scrivano <gscrivan@redhat.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +arch_list = ["x86", + "x86_64", + "x32", + "arm", + "aarch64", + "mipsel", + "mipsel64", + "mipsel64n32", + "ppc64le", + "riscv64"] + +def test_arch(arch, init): + for i in range(init, init + 1000): + sys_name = resolve_syscall(arch, i) + if sys_name is None: + continue + n = resolve_syscall(i, sys_name) + if i != n: + raise RuntimeError("Test failure") + +def test(): + for i in arch_list: + init = 0 + if i == "x32": + init = 0x40000000 + elif i == "mipsel": + init = 4000 + elif i == "mipsel64": + init = 5000 + elif i == "mipsel64n32": + init = 6000 + test_arch(Arch(i), init) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/56-basic-iterate_syscalls.tests b/tests/56-basic-iterate_syscalls.tests new file mode 100644 index 0000000..a84415a --- /dev/null +++ b/tests/56-basic-iterate_syscalls.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2020 Red Hat <gscrivan@redhat.com> +# Author: Giuseppe Scrivano <gscrivan@redhat.com> +# + +test type: basic + +# Test command +56-basic-iterate_syscalls diff --git a/tests/Makefile.am b/tests/Makefile.am index 4bd19c8..a135278 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -94,7 +94,8 @@ check_PROGRAMS = \ 52-basic-load \ 53-sim-binary_tree \ 54-live-binary_tree \ - 55-basic-pfc_binary_tree + 55-basic-pfc_binary_tree \ + 56-basic-iterate_syscalls EXTRA_DIST_TESTPYTHON = \ util.py \ @@ -150,7 +151,8 @@ EXTRA_DIST_TESTPYTHON = \ 51-live-user_notification.py \ 52-basic-load.py \ 53-sim-binary_tree.py \ - 54-live-binary_tree.py + 54-live-binary_tree.py \ + 56-basic-iterate_syscalls.py EXTRA_DIST_TESTCFGS = \ 01-sim-allow.tests \ @@ -207,7 +209,8 @@ EXTRA_DIST_TESTCFGS = \ 52-basic-load.tests \ 53-sim-binary_tree.tests \ 54-live-binary_tree.tests \ - 55-basic-pfc_binary_tree.tests + 55-basic-pfc_binary_tree.tests \ + 56-basic-iterate_syscalls.tests EXTRA_DIST_TESTSCRIPTS = \ 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \ |