33 files changed, 1313 insertions, 49 deletions
diff --git a/include/seccomp.h.in b/include/seccomp.h.in index 08eae61..adab19a 100644 --- a/include/seccomp.h.in +++ b/include/seccomp.h.in @@ -173,6 +173,12 @@ struct scmp_arg_cmp { #define SCMP_ARCH_PPC64LE AUDIT_ARCH_PPC64LE /** + * The S390 architecture tokens + */ +#define SCMP_ARCH_S390 AUDIT_ARCH_S390 +#define SCMP_ARCH_S390X AUDIT_ARCH_S390X + +/** * Convert a syscall name into the associated syscall number * @param x the syscall name */ @@ -1526,6 +1532,31 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); #define __NR_switch_endian __PNR_switch_endian #endif /* __NR_switch_endian */ +#define __PNR_get_mempolicy -10192 +#ifndef __NR_get_mempolicy +#define __NR_get_mempolicy __PNR_get_mempolicy +#endif /* __NR_get_mempolicy */ + +#define __PNR_move_pages -10193 +#ifndef __NR_move_pages +#define __NR_move_pages __PNR_move_pages +#endif /* __NR_move_pages */ + +#define __PNR_mbind -10194 +#ifndef __NR_mbind +#define __NR_mbind __PNR_mbind +#endif /* __NR_mbind */ + +#define __PNR_set_mempolicy -10195 +#ifndef __NR_set_mempolicy +#define __NR_set_mempolicy __PNR_set_mempolicy +#endif /* __NR_set_mempolicy */ + +#define __PNR_s390_runtime_instr -10196 +#ifndef __NR_s390_runtime_instr +#define __NR_s390_runtime_instr __PNR_s390_runtime_instr +#endif /* __NR_s390_runtime_instr */ + #ifdef __cplusplus } #endif diff --git a/src/Makefile.am b/src/Makefile.am index 23d9a91..ba9b9f4 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -32,7 +32,9 @@ SOURCES_ARCH = \ arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \ arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \ arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \ - arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c + arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \ + arch-s390.h arch-s390.c arch-s390-syscalls.c \ + arch-s390x.h arch-s390x.c arch-s390x-syscalls.c SOURCES_GEN = \ api.c system.h system.c \ 
diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c index 43d77ad..9ac1dd0 100644 --- a/src/arch-aarch64-syscalls.c +++ b/src/arch-aarch64-syscalls.c @@ -296,6 +296,7 @@ const struct arch_syscall_def aarch64_syscall_table[] = { \ { "rt_sigtimedwait", 137 }, { "rt_tgsigqueueinfo", 240 }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", 125 }, { "sched_get_priority_min", 126 }, { "sched_getaffinity", 123 }, diff --git a/src/arch-arm-syscalls.c b/src/arch-arm-syscalls.c index 211bbec..c4fd31e 100644 --- a/src/arch-arm-syscalls.c +++ b/src/arch-arm-syscalls.c @@ -308,6 +308,7 @@ const struct arch_syscall_def arm_syscall_table[] = { \ { "rt_sigtimedwait", (__NR_SYSCALL_BASE + 177) }, { "rt_tgsigqueueinfo", (__NR_SYSCALL_BASE + 363) }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", (__NR_SYSCALL_BASE + 159) }, { "sched_get_priority_min", (__NR_SYSCALL_BASE + 160) }, { "sched_getaffinity", (__NR_SYSCALL_BASE + 242) }, diff --git a/src/arch-mips-syscalls.c b/src/arch-mips-syscalls.c index 1fe9315..ae5ebf7 100644 --- a/src/arch-mips-syscalls.c +++ b/src/arch-mips-syscalls.c @@ -300,6 +300,7 @@ const struct arch_syscall_def mips_syscall_table[] = { \ { "rt_sigtimedwait", (__NR_SYSCALL_BASE + 197) }, { "rt_tgsigqueueinfo", (__NR_SYSCALL_BASE + 332) }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", (__NR_SYSCALL_BASE + 163) }, { "sched_get_priority_min", (__NR_SYSCALL_BASE + 164) }, { "sched_getaffinity", (__NR_SYSCALL_BASE + 240) }, diff --git a/src/arch-mips64-syscalls.c b/src/arch-mips64-syscalls.c index 493fe87..baffe20 100644 --- a/src/arch-mips64-syscalls.c +++ b/src/arch-mips64-syscalls.c 
@@ -300,6 +300,7 @@ const struct arch_syscall_def mips64_syscall_table[] = { \ { "rt_sigtimedwait", (__NR_SYSCALL_BASE + 126) }, { "rt_tgsigqueueinfo", (__NR_SYSCALL_BASE + 291) }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", (__NR_SYSCALL_BASE + 143) }, { "sched_get_priority_min", (__NR_SYSCALL_BASE + 144) }, { "sched_getaffinity", (__NR_SYSCALL_BASE + 196) }, diff --git a/src/arch-mips64n32-syscalls.c b/src/arch-mips64n32-syscalls.c index e1cbf5c..dd6966e 100644 --- a/src/arch-mips64n32-syscalls.c +++ b/src/arch-mips64n32-syscalls.c @@ -300,6 +300,7 @@ const struct arch_syscall_def mips64n32_syscall_table[] = { \ { "rt_sigtimedwait", (__NR_SYSCALL_BASE + 126) }, { "rt_tgsigqueueinfo", (__NR_SYSCALL_BASE + 295) }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", (__NR_SYSCALL_BASE + 143) }, { "sched_get_priority_min", (__NR_SYSCALL_BASE + 144) }, { "sched_getaffinity", (__NR_SYSCALL_BASE + 196) }, diff --git a/src/arch-ppc-syscalls.c b/src/arch-ppc-syscalls.c index 92fa1c3..8ddb750 100644 --- a/src/arch-ppc-syscalls.c +++ b/src/arch-ppc-syscalls.c @@ -297,6 +297,7 @@ const struct arch_syscall_def ppc_syscall_table[] = { \ { "rt_sigtimedwait", 176 }, { "rt_tgsigqueueinfo", 322 }, { "rtas", 255 }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", 159 }, { "sched_get_priority_min", 160 }, { "sched_getaffinity", 223 }, diff --git a/src/arch-ppc64-syscalls.c b/src/arch-ppc64-syscalls.c index b23d743..d9060f4 100644 --- a/src/arch-ppc64-syscalls.c +++ b/src/arch-ppc64-syscalls.c @@ -297,6 +297,7 @@ const struct arch_syscall_def ppc64_syscall_table[] = { \ { "rt_sigtimedwait", 176 }, { "rt_tgsigqueueinfo", 322 }, { "rtas", 255 }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", 159 }, { "sched_get_priority_min", 160 }, { "sched_getaffinity", 223 }, 
diff --git a/src/arch-s390-syscalls.c b/src/arch-s390-syscalls.c
new file mode 100644
index 0000000..4da63ed
--- /dev/null
+++ b/src/arch-s390-syscalls.c
@@ -0,0 +1,492 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#include <string.h> + +#include <seccomp.h> + +#include "arch.h" +#include "arch-s390.h" + +/* NOTE: based on Linux 4.2-rc5 */ +const struct arch_syscall_def s390_syscall_table[] = { \ + { "_llseek", 140 }, + { "_newselect", 142 }, + { "_sysctl", 149 }, + { "accept", __PNR_accept }, + { "accept4", __PNR_accept4 }, + { "access", 33 }, + { "acct", 51 }, + { "add_key", 278 }, + { "adjtimex", 124 }, + { "afs_syscall", 137 }, + { "alarm", 27 }, + { "arm_fadvise64_64", __PNR_arm_fadvise64_64 }, + { "arm_sync_file_range", __PNR_arm_sync_file_range }, + { "arch_prctl", __PNR_arch_prctl }, + { "bdflush", 134 }, + { "bind", __PNR_bind }, + { "bpf", 351 }, + { "break", __PNR_break }, + { "breakpoint", __PNR_breakpoint }, + { "brk", 45 }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, + { "capget", 184 }, + { "capset", 185 }, + { "chdir", 12 }, + { "chmod", 15 }, + { "chown", 182 }, + { "chown32", 212 }, + { "chroot", 61 }, + { "clock_adjtime", 337 }, + { "clock_getres", 261 }, + { "clock_gettime", 260 }, + { "clock_nanosleep", 262 }, + { "clock_settime", 259 }, + { "clone", 120 }, + { "close", 6 }, + { "connect", __PNR_connect }, + { "creat", 8 }, + { "create_module", 127 }, + { "delete_module", 129 }, + { "dup", 41 }, + { "dup2", 63 }, + { "dup3", 326 }, + { "epoll_create", 249 }, + { "epoll_create1", 327 }, + { "epoll_ctl", 250 }, + { "epoll_ctl_old", __PNR_epoll_ctl_old }, + { "epoll_pwait", 312 }, + { "epoll_wait", 251 }, + { "epoll_wait_old", __PNR_epoll_wait_old }, + { "eventfd", 318 }, + { "eventfd2", 323 }, + { "execve", 11 }, + { "execveat", 354 }, + { "exit", 1 }, + { "exit_group", 248 }, + { "faccessat", 300 }, + { "fadvise64", 253 }, + { "fadvise64_64", 264 }, + { "fallocate", 314 }, + { "fanotify_init", 332 }, + { "fanotify_mark", 333 }, + { "fchdir", 133 }, + { "fchmod", 94 }, + { "fchmodat", 299 }, + { "fchown", 95 }, + { 
"fchown32", 207 }, + { "fchownat", 291 }, + { "fcntl", 55 }, + { "fcntl64", 221 }, + { "fdatasync", 148 }, + { "fgetxattr", 229 }, + { "finit_module", 344 }, + { "flistxattr", 232 }, + { "flock", 143 }, + { "fork", 2 }, + { "fremovexattr", 235 }, + { "fsetxattr", 226 }, + { "fstat", 108 }, + { "fstat64", 197 }, + { "fstatat64", 293 }, + { "fstatfs", 100 }, + { "fstatfs64", 266 }, + { "fsync", 118 }, + { "ftime", __PNR_ftime }, + { "ftruncate", 93 }, + { "ftruncate64", 194 }, + { "futex", 238 }, + { "futimesat", 292 }, + { "get_kernel_syms", 130 }, + { "get_mempolicy", __PNR_get_mempolicy }, + { "get_robust_list" , 305 }, + { "get_thread_area", __PNR_get_thread_area }, + { "getcpu", 311 }, + { "getcwd", 183 }, + { "getdents", 141 }, + { "getdents64", 220 }, + { "getegid", 50 }, + { "getegid32", 202 }, + { "geteuid", 49 }, + { "geteuid32", 201 }, + { "getgid", 47 }, + { "getgid32", 200 }, + { "getgroups", 80 }, + { "getgroups32", 205 }, + { "getitimer", 105 }, + { "getpeername", __PNR_getpeername }, + { "getpgid", 132 }, + { "getpgrp", 65 }, + { "getpid", 20 }, + { "getpmsg", 188 }, + { "getppid", 64 }, + { "getpriority", 96 }, + { "getrandom", 349 }, + { "getresgid", 171 }, + { "getresgid32", 211 }, + { "getresuid", 165 }, + { "getresuid32", 209 }, + { "getrlimit", 76 }, + { "getrusage", 77 }, + { "getsid", 147 }, + { "getsockname", __PNR_getsockname }, + { "getsockopt", __PNR_getsockopt }, + { "gettid", 236 }, + { "gettimeofday", 78 }, + { "getuid", 24 }, + { "getuid32", 199 }, + { "getxattr", 227 }, + { "gtty", __PNR_gtty }, + { "idle", 112 }, + { "init_module", 128 }, + { "inotify_add_watch" , 285 }, + { "inotify_init", 284 }, + { "inotify_init1", 324 }, + { "inotify_rm_watch" , 286 }, + { "io_cancel", 247 }, + { "io_destroy", 244 }, + { "io_getevents", 245 }, + { "io_setup", 243 }, + { "io_submit", 246 }, + { "ioctl", 54 }, + { "ioperm", 101 }, + { "iopl", __PNR_iopl }, + { "ioprio_get", 283 }, + { "ioprio_set", 282 }, + { "ipc", 117 }, + { "kcmp", 343 }, + { 
"kexec_file_load", __PNR_kexec_file_load }, + { "kexec_load", 277 }, + { "keyctl", 280 }, + { "kill", 37 }, + { "lchown", 16 }, + { "lchown32", 198 }, + { "lgetxattr", 228 }, + { "link", 9 }, + { "linkat", 296 }, + { "listen", __PNR_listen }, + { "listxattr", 230 }, + { "llistxattr", 231 }, + { "lock", __PNR_lock }, + { "lookup_dcookie", 110 }, + { "lremovexattr", 234 }, + { "lseek", 19 }, + { "lsetxattr", 225 }, + { "lstat", 107 }, + { "lstat64", 196 }, + { "madvise", 219 }, + { "mbind", __PNR_mbind }, + { "memfd_create", 350 }, + { "migrate_pages", __PNR_migrate_pages}, + { "mincore", 218 }, + { "mkdir", 39 }, + { "mkdirat", 289 }, + { "mknod", 14 }, + { "mknodat", 290 }, + { "mlock", 150 }, + { "mlockall", 152 }, + { "mmap", 90 }, + { "mmap2", 192 }, + { "modify_ldt", __PNR_modify_ldt }, + { "mount", 21 }, + { "move_pages", __PNR_move_pages}, + { "mprotect", 125 }, + { "mpx", __PNR_mpx }, + { "mq_getsetattr", 276 }, + { "mq_notify", 275 }, + { "mq_open", 271 }, + { "mq_timedreceive" , 274 }, + { "mq_timedsend", 273 }, + { "mq_unlink", 272 }, + { "mremap", 163 }, + { "msgctl", __PNR_msgctl }, + { "msgget", __PNR_msgget }, + { "msgrcv", __PNR_msgrcv }, + { "msgsnd", __PNR_msgsnd }, + { "msync", 144 }, + { "multiplexer", __PNR_multiplexer }, + { "munlock", 151 }, + { "munlockall", 153 }, + { "munmap", 91 }, + { "name_to_handle_at", 335 }, + { "nanosleep", 162 }, + { "newfstatat", __NR_newfstatat }, + { "nfsservctl", 169 }, + { "nice", 34 }, + { "oldfstat", __PNR_oldfstat }, + { "oldlstat", __PNR_oldlstat }, + { "oldolduname", __PNR_oldolduname }, + { "oldstat", __PNR_oldstat }, + { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, + { "open", 5 }, + { "open_by_handle_at", 336 }, + { "openat", 288 }, + { "pause", 29 }, + { "pciconfig_iobase", __PNR_pciconfig_iobase }, + { "pciconfig_read", __PNR_pciconfig_read }, + { "pciconfig_write", __PNR_pciconfig_write }, + { "perf_event_open", 331 }, + { "personality", 136 }, + { "pipe", 42 }, + { "pipe2", 325 }, 
+ { "pivot_root", 217 }, + { "poll", 168 }, + { "ppoll", 302 }, + { "prctl", 172 }, + { "pread64", 180 }, + { "preadv", 328 }, + { "prlimit64", 334 }, + { "process_vm_readv", 340 }, + { "process_vm_writev", 341 }, + { "prof", __PNR_prof }, + { "profil", __PNR_profil }, + { "pselect6", 301 }, + { "ptrace", 26 }, + { "putpmsg", 189 }, + { "pwrite64", 181 }, + { "pwritev", 329 }, + { "query_module", 167 }, + { "quotactl", 131 }, + { "read", 3 }, + { "readahead", 222 }, + { "readdir", 89 }, + { "readlink", 85 }, + { "readlinkat", 298 }, + { "readv", 145 }, + { "reboot", 88 }, + { "recv", __PNR_recv }, + { "recvfrom", __PNR_recvfrom }, + { "recvmmsg", __PNR_recvmmsg }, + { "recvmsg", __PNR_recvmsg }, + { "remap_file_pages", 267 }, + { "removexattr", 233 }, + { "rename", 38 }, + { "renameat", 295 }, + { "renameat2", 347 }, + { "request_key", 279 }, + { "restart_syscall", 7 }, + { "rmdir", 40 }, + { "rt_sigaction", 174 }, + { "rt_sigpending", 176 }, + { "rt_sigprocmask", 175 }, + { "rt_sigqueueinfo", 178 }, + { "rt_sigreturn", 173 }, + { "rt_sigsuspend", 179 }, + { "rt_sigtimedwait", 177 }, + { "rt_tgsigqueueinfo", 330 }, + { "rtas", __PNR_rtas }, + { "s390_runtime_instr", 342 }, + { "sched_get_priority_max", 159 }, + { "sched_get_priority_min", 160 }, + { "sched_getaffinity" , 240 }, + { "sched_getattr", 346 }, + { "sched_getparam", 155 }, + { "sched_getscheduler", 157 }, + { "sched_rr_get_interval", 161 }, + { "sched_setaffinity" , 239 }, + { "sched_setattr", 345 }, + { "sched_setparam", 154 }, + { "sched_setscheduler", 156 }, + { "sched_yield", 158 }, + { "seccomp", 348 }, + { "security", __PNR_security }, + { "select", __PNR_select }, + { "semctl", __PNR_semctl }, + { "semget", __PNR_semget }, + { "semop", __PNR_semop }, + { "semtimedop", __PNR_semtimedop }, + { "send", __PNR_send }, + { "sendfile", 187 }, + { "sendfile64", 223 }, + { "sendmmsg", __PNR_sendmmsg }, + { "sendmsg", __PNR_sendmsg }, + { "sendto", __PNR_sendto }, + { "set_mempolicy", __PNR_set_mempolicy }, 
+ { "set_robust_list" , 304 }, + { "set_thread_area", __PNR_set_thread_area }, + { "set_tid_address", 252 }, + { "set_tls", __PNR_set_tls }, + { "setdomainname", 121 }, + { "setfsgid", 139 }, + { "setfsgid32", 216 }, + { "setfsuid", 138 }, + { "setfsuid32", 215 }, + { "setgid", 46 }, + { "setgid32", 214 }, + { "setgroups", 81 }, + { "setgroups32", 206 }, + { "sethostname", 74 }, + { "setitimer", 104 }, + { "setns", 339 }, + { "setpgid", 57 }, + { "setpriority", 97 }, + { "setregid", 71 }, + { "setregid32", 204 }, + { "setresgid", 170 }, + { "setresgid32", 210 }, + { "setresuid", 164 }, + { "setresuid32", 208 }, + { "setreuid", 70 }, + { "setreuid32", 203 }, + { "setrlimit", 75 }, + { "setsid", 66 }, + { "setsockopt", __PNR_setsockopt }, + { "settimeofday", 79 }, + { "setuid", 23 }, + { "setuid32", 213 }, + { "setxattr", 224 }, + { "sgetmask", __PNR_sgetmask }, + { "shmat", __PNR_shmat }, + { "shmctl", __PNR_shmctl }, + { "shmdt", __PNR_shmdt }, + { "shmget", __PNR_shmget }, + { "shutdown", __PNR_shutdown }, + { "sigaction", 67 }, + { "sigaltstack", 186 }, + { "signal", 48 }, + { "signalfd", 316 }, + { "signalfd4", 322 }, + { "sigpending", 73 }, + { "sigprocmask", 126 }, + { "sigreturn", 119 }, + { "sigsuspend", 72 }, + { "socket", __PNR_socket }, + { "socketcall", 102 }, + { "socketpair", __PNR_socketpair }, + { "splice", 306 }, + { "spu_create", __PNR_spu_create }, + { "spu_run", __PNR_spu_run }, + { "ssetmask", __PNR_ssetmask }, + { "stat", 106 }, + { "stat64", 195 }, + { "statfs", 99 }, + { "statfs64", 265 }, + { "stime", 25 }, + { "stty", __PNR_stty }, + { "subpage_prot", __PNR_subpage_prot }, + { "swapcontext", __PNR_swapcontext }, + { "swapoff", 115 }, + { "swapon", 87 }, + { "switch_endian", __PNR_switch_endian }, + { "symlink", 83 }, + { "symlinkat", 297 }, + { "sync", 36 }, + { "sync_file_range" , 307 }, + { "sync_file_range2", __PNR_sync_file_range2 }, + { "syncfs", 338 }, + { "syscall", __PNR_syscall }, + { "sys_debug_setcontext", 
__PNR_sys_debug_setcontext }, + { "sysfs", 135 }, + { "sysinfo", 116 }, + { "syslog", 103 }, + { "sysmips", __PNR_sysmips }, + { "tee", 308 }, + { "tgkill", 241 }, + { "time", 13 }, + { "timer_create", 254 }, + { "timer_delete", 258 }, + { "timer_getoverrun", 257 }, + { "timer_gettime", 256 }, + { "timer_settime", 255 }, + { "timerfd", 317 }, + { "timerfd_create", 319 }, + { "timerfd_gettime", 321 }, + { "timerfd_settime", 320 }, + { "times", 43 }, + { "tkill", 237 }, + { "truncate", 92 }, + { "truncate64", 193 }, + { "tuxcall", __PNR_tuxcall }, + { "ugetrlimit", 191 }, + { "ulimit", __PNR_ulimit }, + { "umask", 60 }, + { "umount", 22 }, + { "umount2", 52 }, + { "uname", 122 }, + { "unlink", 10 }, + { "unlinkat", 294 }, + { "unshare", 303 }, + { "uselib", 86 }, + { "usr26", __PNR_usr26 }, + { "usr32", __PNR_usr32 }, + { "ustat", 62 }, + { "utime", 30 }, + { "utimensat", 315 }, + { "utimes", 313 }, + { "vfork", 190 }, + { "vhangup", 111 }, + { "vm86", __PNR_vm86 }, + { "vm86old", __PNR_vm86old }, + { "vmsplice", 309 }, + { "vserver", __PNR_vserver }, + { "wait4", 114 }, + { "waitid", 281 }, + { "waitpid", __PNR_waitpid }, + { "write", 4 }, + { "writev", 146 }, + { NULL, __NR_SCMP_ERROR }, +}; + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. 
+ * + */ +int s390_syscall_resolve_name(const char *name) +{ + unsigned int iter; + const struct arch_syscall_def *table = s390_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].name != NULL; iter++) { + if (strcmp(name, table[iter].name) == 0) + return table[iter].num; + } + + return __NR_SCMP_ERROR; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *s390_syscall_resolve_num(int num) +{ + unsigned int iter; + const struct arch_syscall_def *table = s390_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { + if (num == table[iter].num) + return table[iter].name; + } + + return NULL; +} +/** + * Iterate through the syscall table and return the syscall name + * @param spot the offset into the syscall table + * + * Return the syscall name at position @spot or NULL on failure. This function + * should only ever be used internally by libseccomp. + * + */ +const char *s390_syscall_iterate_name(unsigned int spot) +{ + /* XXX - no safety checks here */ + return s390_syscall_table[spot].name; +} diff --git a/src/arch-s390.c b/src/arch-s390.c new file mode 100644 index 0000000..5aa36fe --- /dev/null +++ b/src/arch-s390.c @@ -0,0 +1,18 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#include <stdlib.h> +#include <errno.h> +#include <linux/audit.h> + +#include "arch.h" +#include "arch-s390.h" + +const struct arch_def arch_def_s390 = { + .token = SCMP_ARCH_S390, + .token_bpf = AUDIT_ARCH_S390, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +}; diff --git a/src/arch-s390.h b/src/arch-s390.h new file mode 100644 index 0000000..71ba260 
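Review bot: In the new s390 table, `{ "newfstatat", __NR_newfstatat },` is the only entry that takes its number from an `__NR_` macro, so the value comes from whatever the build host's headers (or the seccomp.h fallback) define, not from the s390 ABI. Every other syscall absent on s390 uses its `__PNR_` name, and the s390x table gives newfstatat a literal 293. A rule written by name for SCMP_ARCH_S390 could therefore be compiled against an unrelated syscall number; the entry should read `{ "newfstatat", __PNR_newfstatat },`. Separately, `s390_syscall_iterate_name()` documents "NULL on failure" but indexes `s390_syscall_table[spot]` with no bound, as its own XXX comment admits, and the s390x copy does the same. Checking `spot` against the table's element count before indexing would make the documented contract true.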
--- /dev/null +++ b/src/arch-s390.h @@ -0,0 +1,23 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#ifndef _ARCH_s390_H +#define _ARCH_s390_H + +#include <inttypes.h> + +#include "arch.h" +#include "system.h" + +#define s390_arg_count_max 6 + +extern const struct arch_def arch_def_s390; +#define s390_arg_offset(x) (offsetof(struct seccomp_data, args[x])) + +int s390_syscall_resolve_name(const char *name); +const char *s390_syscall_resolve_num(int num); +const char *s390_syscall_iterate_name(unsigned int spot); + +#endif diff --git a/src/arch-s390x-syscalls.c b/src/arch-s390x-syscalls.c new file mode 100644 index 0000000..50596cb --- /dev/null +++ b/src/arch-s390x-syscalls.c 
@@ -0,0 +1,493 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#include <string.h> + +#include <seccomp.h> + +#include "arch.h" +#include "arch-s390x.h" + +/* NOTE: based on Linux 4.2-rc5 */ +const struct arch_syscall_def s390x_syscall_table[] = { \ + { "_llseek", __PNR__llseek }, + { "_newselect", __PNR__newselect }, + { "_sysctl", 149 }, + { "accept", __PNR_accept }, + { "accept4", __PNR_accept4 }, + { "access", 33 }, + { "acct", 51 }, + { "add_key", 278 }, + { "adjtimex", 124 }, + { "afs_syscall", 137 }, + { "alarm", 27 }, + { "arm_fadvise64_64", __PNR_arm_fadvise64_64 }, + { "arm_sync_file_range", __PNR_arm_sync_file_range }, + { "arch_prctl", __PNR_arch_prctl }, + { "bdflush", 134 }, + { "bind", __PNR_bind }, + { "bpf", 351 }, + { "break", __PNR_break }, + { "breakpoint", __PNR_breakpoint }, + { "brk", 45 }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, + { "capget", 184 }, + { "capset", 185 }, + { "chdir", 12 }, + { "chmod", 15 }, + { "chown", 212 }, + { "chown32", __PNR_chown32 }, + { "chroot", 61 }, + { "clock_adjtime", 337 }, + { "clock_getres", 261 }, + { "clock_gettime", 260 }, + { "clock_nanosleep", 262 }, + { "clock_settime", 259 }, + { "clone", 120 }, + { "close", 6 }, + { "connect", __PNR_connect }, + { "creat", 8 }, + { "create_module", 127 }, + { "delete_module", 129 }, + { "dup", 41 }, + { "dup2", 63 }, + { "dup3", 326 }, + { "epoll_create", 249 }, + { "epoll_create1", 327 }, + { "epoll_ctl", 250 }, + { "epoll_ctl_old", __PNR_epoll_ctl_old }, + { "epoll_pwait", 312 }, + { "epoll_wait", 251 }, + { "epoll_wait_old", __PNR_epoll_wait_old }, + { "eventfd", 318 }, + { "eventfd2", 323 }, + { "execve", 11 }, + { "execveat", 354 }, + { "exit", 1 }, + { "exit_group", 248 }, + { "faccessat", 300 }, + { "fadvise64", 253 }, + { "fadvise64_64", __PNR_fadvise64_64 }, + { "fallocate", 314 }, + { "fanotify_init", 332 }, + { "fanotify_mark", 333 }, + { "fchdir", 133 }, + { "fchmod", 94 }, + { 
"fchmodat", 299 }, + { "fchown", 207 }, + { "fchown32", __PNR_fchown32 }, + { "fchownat", 291 }, + { "fcntl", 55 }, + { "fcntl64", __PNR_fcntl64 }, + { "fdatasync", 148 }, + { "fgetxattr", 229 }, + { "finit_module", 344 }, + { "flistxattr", 232 }, + { "flock", 143 }, + { "fork", 2 }, + { "fremovexattr", 235 }, + { "fsetxattr", 226 }, + { "fstat", 108 }, + { "fstat64", __PNR_fstat64 }, + { "fstatat64", __PNR_fstatat64 }, + { "fstatfs", 100 }, + { "fstatfs64", 266 }, + { "fsync", 118 }, + { "ftime", __PNR_ftime }, + { "ftruncate", 93 }, + { "ftruncate64", __PNR_ftruncate64 }, + { "futex", 238 }, + { "futimesat", 292 }, + { "get_kernel_syms", 130 }, + { "get_mempolicy", __PNR_get_mempolicy }, + { "get_robust_list" , 305 }, + { "get_thread_area", __PNR_get_thread_area }, + { "getcpu", 311 }, + { "getcwd", 183 }, + { "getdents", 141 }, + { "getdents64", 220 }, + { "getegid", 202 }, + { "getegid32", __PNR_getegid32 }, + { "geteuid", 201 }, + { "geteuid32", __PNR_geteuid32 }, + { "getgid", 200 }, + { "getgid32", __PNR_getgid32 }, + { "getgroups", 205 }, + { "getgroups32", __PNR_getgroups32 }, + { "getitimer", 105 }, + { "getpeername", __PNR_getpeername }, + { "getpgid", 132 }, + { "getpgrp", 65 }, + { "getpid", 20 }, + { "getpmsg", 188 }, + { "getppid", 64 }, + { "getpriority", 96 }, + { "getrandom", 349 }, + { "getresgid", 211 }, + { "getresgid32", __PNR_getresgid32 }, + { "getresuid", 209 }, + { "getresuid32", __PNR_getresuid32 }, + { "getrlimit", 191 }, + { "getrusage", 77 }, + { "getsid", 147 }, + { "getsockname", __PNR_getsockname }, + { "getsockopt", __PNR_getsockopt }, + { "gettid", 236 }, + { "gettimeofday", 78 }, + { "getuid", 199 }, + { "getuid32", __PNR_getuid32 }, + { "getxattr", 227 }, + { "gtty", __PNR_gtty }, + { "idle", 112 }, + { "init_module", 128 }, + { "inotify_add_watch" , 285 }, + { "inotify_init", 284 }, + { "inotify_init1", 324 }, + { "inotify_rm_watch" , 286 }, + { "io_cancel", 247 }, + { "io_destroy", 244 }, + { "io_getevents", 245 }, + { 
"io_setup", 243 }, + { "io_submit", 246 }, + { "ioctl", 54 }, + { "ioperm", __PNR_ioperm}, + { "iopl", __PNR_iopl }, + { "ioprio_get", 283 }, + { "ioprio_set", 282 }, + { "ipc", 117 }, + { "kcmp", 343 }, + { "kexec_file_load", __PNR_kexec_file_load }, + { "kexec_load", 277 }, + { "keyctl", 280 }, + { "kill", 37 }, + { "lchown", 198 }, + { "lchown32", __PNR_lchown32 }, + { "lgetxattr", 228 }, + { "link", 9 }, + { "linkat", 296 }, + { "listen", __PNR_listen }, + { "listxattr", 230 }, + { "llistxattr", 231 }, + { "lock", __PNR_lock }, + { "lookup_dcookie", 110 }, + { "lremovexattr", 234 }, + { "lseek", 19 }, + { "lsetxattr", 225 }, + { "lstat", 107 }, + { "lstat64", __PNR_lstat64 }, + { "madvise", 219 }, + { "mbind", __PNR_mbind }, + { "memfd_create", 350 }, + { "migrate_pages", __PNR_migrate_pages }, + { "mincore", 218 }, + { "mkdir", 39 }, + { "mkdirat", 289 }, + { "mknod", 14 }, + { "mknodat", 290 }, + { "mlock", 150 }, + { "mlockall", 152 }, + { "mmap", 90 }, + { "mmap2", __PNR_mmap2 }, + { "modify_ldt", __PNR_modify_ldt }, + { "mount", 21 }, + { "move_pages", __PNR_move_pages }, + { "mprotect", 125 }, + { "mpx", __PNR_mpx }, + { "mq_getsetattr", 276 }, + { "mq_notify", 275 }, + { "mq_open", 271 }, + { "mq_timedreceive" , 274 }, + { "mq_timedsend", 273 }, + { "mq_unlink", 272 }, + { "mremap", 163 }, + { "msgctl", __PNR_msgctl }, + { "msgget", __PNR_msgget }, + { "msgrcv", __PNR_msgrcv }, + { "msgsnd", __PNR_msgsnd }, + { "msync", 144 }, + { "multiplexer", __PNR_multiplexer }, + { "munlock", 151 }, + { "munlockall", 153 }, + { "munmap", 91 }, + { "name_to_handle_at", 335 }, + { "nanosleep", 162 }, + { "newfstatat", 293 }, + { "nfsservctl", 169 }, + { "nice", 34 }, + { "oldfstat", __PNR_oldfstat }, + { "oldlstat", __PNR_oldlstat }, + { "oldolduname", __PNR_oldolduname }, + { "oldstat", __PNR_oldstat }, + { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, + { "open", 5 }, + { "open_by_handle_at", 336 }, + { "openat", 288 }, + { "pause", 29 }, + { 
"pciconfig_iobase", __PNR_pciconfig_iobase }, + { "pciconfig_read", __PNR_pciconfig_read }, + { "pciconfig_write", __PNR_pciconfig_write }, + { "perf_event_open", 331 }, + { "personality", 136 }, + { "pipe", 42 }, + { "pipe2", 325 }, + { "pivot_root", 217 }, + { "poll", 168 }, + { "ppoll", 302 }, + { "prctl", 172 }, + { "pread64", 180 }, + { "preadv", 328 }, + { "prlimit64", 334 }, + { "process_vm_readv", 340 }, + { "process_vm_writev", 341 }, + { "prof", __PNR_prof }, + { "profil", __PNR_profil }, + { "pselect6", 301 }, + { "ptrace", 26 }, + { "putpmsg", 189 }, + { "pwrite64", 181 }, + { "pwritev", 329 }, + { "query_module", 167 }, + { "quotactl", 131 }, + { "read", 3 }, + { "readahead", 222 }, + { "readdir", 89 }, + { "readlink", 85 }, + { "readlinkat", 298 }, + { "readv", 145 }, + { "reboot", 88 }, + { "recv", __PNR_recv }, + { "recvfrom", __PNR_recvfrom }, + { "recvmmsg", __PNR_recvmmsg }, + { "recvmsg", __PNR_recvmsg }, + { "remap_file_pages", 267 }, + { "removexattr", 233 }, + { "rename", 38 }, + { "renameat", 295 }, + { "renameat2", 347 }, + { "request_key", 279 }, + { "restart_syscall", 7 }, + { "rmdir", 40 }, + { "rt_sigaction", 174 }, + { "rt_sigpending", 176 }, + { "rt_sigprocmask", 175 }, + { "rt_sigqueueinfo", 178 }, + { "rt_sigreturn", 173 }, + { "rt_sigsuspend", 179 }, + { "rt_sigtimedwait", 177 }, + { "rt_tgsigqueueinfo", 330 }, + { "rtas", __PNR_rtas }, + { "s390_runtime_instr", 342 }, + { "sched_get_priority_max", 159 }, + { "sched_get_priority_min", 160 }, + { "sched_getaffinity" , 240 }, + { "sched_getattr", 346 }, + { "sched_getparam", 155 }, + { "sched_getscheduler", 157 }, + { "sched_rr_get_interval", 161 }, + { "sched_setaffinity" , 239 }, + { "sched_setattr", 345 }, + { "sched_setparam", 154 }, + { "sched_setscheduler", 156 }, + { "sched_yield", 158 }, + { "seccomp", 348 }, + { "security", __PNR_security }, + { "select", 142 }, + { "semctl", __PNR_semctl }, + { "semget", __PNR_semget }, + { "semop", __PNR_semop }, + { "semtimedop", 
__PNR_semtimedop }, + { "send", __PNR_send }, + { "sendfile", 187 }, + { "sendfile64", __PNR_sendfile64 }, + { "sendmmsg", __PNR_sendmmsg }, + { "sendmsg", __PNR_sendmsg }, + { "sendto", __PNR_sendto }, + { "set_mempolicy", __PNR_set_mempolicy }, + { "set_robust_list" , 304 }, + { "set_thread_area", __PNR_set_thread_area }, + { "set_tid_address", 252 }, + { "set_tls", __PNR_set_tls }, + { "setdomainname", 121 }, + { "setfsgid", 216 }, + { "setfsgid32", __PNR_setfsgid32 }, + { "setfsuid", 215 }, + { "setfsuid32", __PNR_setfsuid32 }, + { "setgid", 214 }, + { "setgid32", __PNR_setgid32 }, + { "setgroups", 206 }, + { "setgroups32", __PNR_setgroups32 }, + { "sethostname", 74 }, + { "setitimer", 104 }, + { "setns", 339 }, + { "setpgid", 57 }, + { "setpriority", 97 }, + { "setregid", 204 }, + { "setregid32", __PNR_setregid32 }, + { "setresgid", 210 }, + { "setresgid32", __PNR_setresgid32 }, + { "setresuid", 208 }, + { "setresuid32", __PNR_setresuid32 }, + { "setreuid", 203 }, + { "setreuid32", __PNR_setreuid32 }, + { "setrlimit", 75 }, + { "setsid", 66 }, + { "setsockopt", __PNR_setsockopt }, + { "settimeofday", 79 }, + { "setuid", 213 }, + { "setuid32", __PNR_setuid32 }, + { "setxattr", 224 }, + { "sgetmask", __PNR_sgetmask }, + { "shmat", __PNR_shmat }, + { "shmctl", __PNR_shmctl }, + { "shmdt", __PNR_shmdt }, + { "shmget", __PNR_shmget }, + { "shutdown", __PNR_shutdown }, + { "sigaction", 67 }, + { "sigaltstack", 186 }, + { "signal", 48 }, + { "signalfd", 316 }, + { "signalfd4", 322 }, + { "sigpending", 73 }, + { "sigprocmask", 126 }, + { "sigreturn", 119 }, + { "sigsuspend", 72 }, + { "socket", __PNR_socket }, + { "socketcall", 102 }, + { "socketpair", __PNR_socketpair }, + { "splice", 306 }, + { "spu_create", __PNR_spu_create }, + { "spu_run", __PNR_spu_run }, + { "ssetmask", __PNR_ssetmask }, + { "stat", 106 }, + { "stat64", __PNR_stat64 }, + { "statfs", 99 }, + { "statfs64", 265 }, + { "stime", __PNR_stime }, + { "stty", __PNR_stty }, + { "subpage_prot", 
__PNR_subpage_prot }, + { "swapcontext", __PNR_swapcontext }, + { "swapoff", 115 }, + { "swapon", 87 }, + { "switch_endian", __PNR_switch_endian }, + { "symlink", 83 }, + { "symlinkat", 297 }, + { "sync", 36 }, + { "sync_file_range" , 307 }, + { "sync_file_range2", __PNR_sync_file_range2 }, + { "syncfs", 338 }, + { "syscall", __PNR_syscall }, + { "sys_debug_setcontext", __PNR_sys_debug_setcontext }, + { "sysfs", 135 }, + { "sysinfo", 116 }, + { "syslog", 103 }, + { "sysmips", __PNR_sysmips }, + { "tee", 308 }, + { "tgkill", 241 }, + { "time", __PNR_time }, + { "timer_create", 254 }, + { "timer_delete", 258 }, + { "timer_getoverrun", 257 }, + { "timer_gettime", 256 }, + { "timer_settime", 255 }, + { "timerfd", 317 }, + { "timerfd_create", 319 }, + { "timerfd_gettime", 321 }, + { "timerfd_settime", 320 }, + { "times", 43 }, + { "tkill", 237 }, + { "truncate", 92 }, + { "truncate64", __PNR_truncate64 }, + { "tuxcall", __PNR_tuxcall }, + { "ugetrlimit", __PNR_ugetrlimit }, + { "ulimit", __PNR_ulimit }, + { "umask", 60 }, + { "umount", 22 }, + { "umount2", 52 }, + { "uname", 122 }, + { "unlink", 10 }, + { "unlinkat", 294 }, + { "unshare", 303 }, + { "uselib", 86 }, + { "usr26", __PNR_usr26 }, + { "usr32", __PNR_usr32 }, + { "ustat", 62 }, + { "utime", 30 }, + { "utimensat", 315 }, + { "utimes", 313 }, + { "vfork", 190 }, + { "vhangup", 111 }, + { "vm86", __PNR_vm86 }, + { "vm86old", __PNR_vm86old }, + { "vmsplice", 309 }, + { "vserver", __PNR_vserver }, + { "wait4", 114 }, + { "waitid", 281 }, + { "waitpid", __PNR_waitpid }, + { "write", 4 }, + { "writev", 146 }, + { NULL, __NR_SCMP_ERROR }, +}; + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. 
+ * + */ +int s390x_syscall_resolve_name(const char *name) +{ + unsigned int iter; + const struct arch_syscall_def *table = s390x_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].name != NULL; iter++) { + if (strcmp(name, table[iter].name) == 0) + return table[iter].num; + } + + return __NR_SCMP_ERROR; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *s390x_syscall_resolve_num(int num) +{ + unsigned int iter; + const struct arch_syscall_def *table = s390x_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { + if (num == table[iter].num) + return table[iter].name; + } + + return NULL; +} + +/** + * Iterate through the syscall table and return the syscall name + * @param spot the offset into the syscall table + * + * Return the syscall name at position @spot or NULL on failure. This function + * should only ever be used internally by libseccomp. + * + */ +const char *s390x_syscall_iterate_name(unsigned int spot) +{ + /* XXX - no safety checks here */ + return s390x_syscall_table[spot].name; +} diff --git a/src/arch-s390x.c b/src/arch-s390x.c new file mode 100644 index 0000000..23c711c --- /dev/null +++ b/src/arch-s390x.c @@ -0,0 +1,18 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#include <stdlib.h> +#include <errno.h> +#include <linux/audit.h> + +#include "arch.h" +#include "arch-s390x.h" + +const struct arch_def arch_def_s390x = { + .token = SCMP_ARCH_S390X, + .token_bpf = AUDIT_ARCH_S390X, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, +}; 
diff --git a/src/arch-s390x.h b/src/arch-s390x.h new file mode 100644 index 0000000..054044b --- /dev/null +++ b/src/arch-s390x.h @@ -0,0 +1,26 @@ +/* + * Copyright 2015 IBM + * Author: Jan Willeke <willeke@linux.vnet.com.com> + */ + +#ifndef _ARCH_s390x_H +#define _ARCH_s390x_H + +#include <inttypes.h> + +#include "arch.h" +#include "system.h" + +#define s390x_arg_count_max 6 + +extern const struct arch_def arch_def_s390x; +#define s390x_arg_offset(x) (offsetof(struct seccomp_data, args[x])) + +#define s390x_arg_offset_lo(x) (s390x_arg_offset(x) + 4) +#define s390x_arg_offset_hi(x) (s390x_arg_offset(x)) + +int s390x_syscall_resolve_name(const char *name); +const char *s390x_syscall_resolve_num(int num); +const char *s390x_syscall_iterate_name(unsigned int spot); +const char *s390x_syscall_iterate_name(unsigned int spot); +#endif diff --git a/src/arch-syscall-check.c b/src/arch-syscall-check.c index 8682483..9668aec 100644 --- a/src/arch-syscall-check.c +++ b/src/arch-syscall-check.c @@ -33,8 +33,10 @@ #include "arch-mips.h" #include "arch-mips64.h" #include "arch-mips64n32.h" -#include "arch-ppc64.h" #include "arch-ppc.h" +#include "arch-ppc64.h" +#include "arch-s390.h" +#include "arch-s390x.h" /** * compare the syscall values @@ -69,8 +71,10 @@ int main(int argc, char *argv[]) int i_mips = 0; int i_mips64 = 0; int i_mips64n32 = 0; - int i_ppc64 = 0; int i_ppc = 0; + int i_ppc64 = 0; + int i_s390 = 0; + int i_s390x = 0; const char *sys_name; char str_miss[256]; 
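Review bot: arch-s390x.h declares `const char *s390x_syscall_iterate_name(unsigned int spot);` twice in a row at the end of the header; drop the second copy and keep a blank line before `#endif`, as arch-s390.h does. The `s390x_arg_offset_lo()` and `s390x_arg_offset_hi()` macros encode the big-endian layout of each 64-bit `args[]` slot (low word at +4, high word at +0) with no comment. A one-line comment such as `/* big-endian: low 32 bits live in the second word of each args[] slot */` would keep a later reader from "fixing" the order.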
@@ -97,10 +101,14 @@ int main(int argc, char *argv[]) mips64_syscall_iterate_name(i_mips64)); syscall_check(str_miss, sys_name, "mips64n32", mips64n32_syscall_iterate_name(i_mips64n32)); - syscall_check(str_miss, sys_name, "ppc64", - ppc64_syscall_iterate_name(i_ppc64)); syscall_check(str_miss, sys_name, "ppc", ppc_syscall_iterate_name(i_ppc)); + syscall_check(str_miss, sys_name, "ppc64", + ppc64_syscall_iterate_name(i_ppc64)); + syscall_check(str_miss, sys_name, "s390", + s390_syscall_iterate_name(i_s390)); + syscall_check(str_miss, sys_name, "s390x", + s390x_syscall_iterate_name(i_s390x)); /* output the results */ printf("%s: ", sys_name); @@ -127,14 +135,19 @@ int main(int argc, char *argv[]) i_mips64 = -1; if (!mips64n32_syscall_iterate_name(++i_mips64n32)) i_mips64n32 = -1; - if (!ppc64_syscall_iterate_name(++i_ppc64)) - i_ppc64 = -1; if (!ppc_syscall_iterate_name(++i_ppc)) i_ppc = -1; + if (!ppc64_syscall_iterate_name(++i_ppc64)) + i_ppc64 = -1; + if (!s390_syscall_iterate_name(++i_s390)) + i_s390 = -1; + if (!s390x_syscall_iterate_name(++i_s390x)) + i_s390x = -1; } while (i_x86_64 >= 0 && i_x32 >= 0 && i_arm >= 0 && i_aarch64 >= 0 && i_mips >= 0 && i_mips64 >= 0 && i_mips64n32 >= 0 && - i_ppc64 >= 0 && i_ppc >= 0); + i_ppc >= 0 && i_ppc64 >= 0 && + i_s390 >= 0 && i_s390x >= 0); /* check for any leftovers */ sys_name = x86_syscall_iterate_name(i_x86 + 1); 
@@ -177,14 +190,23 @@ int main(int argc, char *argv[]) mips64n32_syscall_iterate_name(i_mips64n32)); return 1; } + if (i_ppc >= 0) { + printf("%s: ERROR, ppc has additional syscalls\n", + ppc_syscall_iterate_name(i_ppc)); + } if (i_ppc64 >= 0) { printf("%s: ERROR, ppc64 has additional syscalls\n", ppc64_syscall_iterate_name(i_ppc64)); return 1; } - if (i_ppc >= 0) { - printf("%s: ERROR, ppc has additional syscalls\n", - ppc_syscall_iterate_name(i_ppc)); + if (i_s390 >= 0) { + printf("%s: ERROR, s390 has additional syscalls\n", + s390_syscall_iterate_name(i_s390)); + return 1; + } + if (i_s390x >= 0) { + printf("%s: ERROR, s390x has additional syscalls\n", + s390x_syscall_iterate_name(i_s390x)); return 1; } diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c index 62992e7..4534aec 100644 --- a/src/arch-syscall-dump.c +++ b/src/arch-syscall-dump.c @@ -38,8 +38,10 @@ #include "arch-mips64.h" #include "arch-mips64n32.h" #include "arch-aarch64.h" -#include "arch-ppc64.h" #include "arch-ppc.h" +#include "arch-ppc64.h" +#include "arch-s390.h" +#include "arch-s390x.h" /** * Print the usage information to stderr and exit @@ -114,13 +116,19 @@ int main(int argc, char *argv[]) case SCMP_ARCH_MIPSEL64N32: sys_name = mips64n32_syscall_iterate_name(iter); break; + case SCMP_ARCH_PPC: + sys_name = ppc_syscall_iterate_name(iter); + break; case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: sys_name = ppc64_syscall_iterate_name(iter); break; - case SCMP_ARCH_PPC: - sys_name = ppc_syscall_iterate_name(iter); + case SCMP_ARCH_S390: + sys_name = s390_syscall_iterate_name(iter); + break; + case SCMP_ARCH_S390X: + sys_name = s390x_syscall_iterate_name(iter); break; - default: /* invalid arch */ exit_usage(argv[0]); diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate index ba5cd89..89cce3a 100755 --- a/src/arch-syscall-validate +++ b/src/arch-syscall-validate 
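Review bot: The `if (i_ppc >= 0)` block re-added at the top of the `@@ -177,14 +190,23 @@` hunk of arch-syscall-check.c prints the "ppc has additional syscalls" error but has lost its `return 1;`, unlike the ppc64, s390 and s390x blocks that follow it. In the old layout the ppc block was the one that ended in the `return 1;` now closing the s390x block, so the move dropped the early exit. As written, execution falls through to the later checks, and if none of them fires the tool may report success despite the ppc mismatch (the end of `main` is outside the hunk). Add `return 1;` after the `printf` in the ppc block.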
@@ -319,6 +319,29 @@ function dump_lib_mips64n32() { } # +# Dump the ppc system syscall table +# +# Arguments: +# 1 path to the kernel source +# +# Dump the architecture's syscall table to stdout. +# +function dump_sys_ppc() { + gcc -E -dM $1/arch/powerpc/include/uapi/asm/unistd.h | \ + grep "^#define __NR_" | sort | \ + sed -e 's/#define[ \t]\+__NR_\([a-z0-9_]\+\)[ \t]\+\([0-9]\+\)/\1\t\2/' +} + +# +# Dump the ppc library syscall table +# +# Dump the library's syscall table to stdout. +# +function dump_lib_ppc() { + $LIB_SYS_DUMP -a ppc | sed -e '/[^\t]\+\t-[0-9]\+/d' +} + +# # Dump the ppc64 system syscall table # # Arguments: @@ -342,26 +365,47 @@ function dump_lib_ppc64() { } # -# Dump the ppc system syscall table +# Dump the s390 system syscall table # # Arguments: # 1 path to the kernel source # # Dump the architecture's syscall table to stdout. # -function dump_sys_ppc() { - gcc -E -dM $1/arch/powerpc/include/uapi/asm/unistd.h | \ - grep "^#define __NR_" | sort | \ - sed -e 's/#define[ \t]\+__NR_\([a-z0-9_]\+\)[ \t]\+\([0-9]\+\)/\1\t\2/' +function dump_sys_s390() { + gcc -dM -m31 -E $1/arch/s390/include/uapi/asm/unistd.h | grep __NR | \ + sed 's/#define __NR_//g' | sed 's/ /\t/g' | sort } # -# Dump the ppc library syscall table +# Dump the s390 library syscall table # # Dump the library's syscall table to stdout. # -function dump_lib_ppc() { - $LIB_SYS_DUMP -a ppc | sed -e '/[^\t]\+\t-[0-9]\+/d' +function dump_lib_s390() { + $LIB_SYS_DUMP -a s390 | grep -v - | sort +} + +# +# Dump the s390x system syscall table +# +# Arguments: +# 1 path to the kernel source +# +# Dump the architecture's syscall table to stdout. +# +function dump_sys_s390x() { + gcc -dM -E $1/arch/s390/include/uapi/asm/unistd.h | grep __NR | \ + sed 's/#define __NR_//g' | sed 's/ /\t/g' | sort +} + +# +# Dump the s390x library syscall table +# +# Dump the library's syscall table to stdout. +# +function dump_lib_s390x() { + $LIB_SYS_DUMP -a s390x | grep -v - | sort } # 
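Review bot: The s390/s390x dump helpers added in the `@@ -342,26 +365,47 @@` hunk filter more loosely than the ppc helpers in the hunk above, which matters because this script is the check that the library's syscall numbers match the kernel's. `grep __NR` matches any macro containing that substring, and `grep -v -` drops every line containing a hyphen rather than only negative pseudo-syscall numbers. Using the ppc forms keeps the architectures consistent: `grep "^#define __NR_"` in `dump_sys_s390`/`dump_sys_s390x` and `sed -e '/[^\t]\+\t-[0-9]\+/d'` in `dump_lib_s390`/`dump_lib_s390x`. The kernel path should also be quoted, `"$1/arch/s390/include/uapi/asm/unistd.h"`, so a source directory containing spaces does not split into several gcc arguments.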
@@ -399,11 +443,17 @@ function dump_sys() { mips64n32) dump_sys_mips64n32 "$2" ;; + ppc) + dump_sys_ppc "$2" + ;; ppc64) dump_sys_ppc64 "$2" ;; - ppc) - dump_sys_ppc "$2" + s390) + dump_sys_s390 "$2" + ;; + s390x) + dump_sys_s390x "$2" ;; *) echo "" @@ -445,11 +495,17 @@ function dump_lib() { mips64n32) dump_lib_mips64n32 ;; + ppc) + dump_lib_ppc "$2" + ;; ppc64) dump_lib_ppc64 "$2" ;; - ppc) - dump_lib_ppc "$2" + s390) + dump_lib_s390 "$2" + ;; + s390x) + dump_lib_s390x "$2" ;; *) echo "" @@ -497,7 +553,12 @@ shift $(($OPTIND - 1)) # defaults if [[ $opt_arches == "" ]]; then - opt_arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32 ppc pcc64" + opt_arches=" \ + x86 x86_64 x32 \ + arm aarch64 \ + mips mips64 mips64n32 \ + ppc pcc64 \ + s390 s390x" fi # sanity checks diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c index 66a58a1..d6ea9d4 100644 --- a/src/arch-x32-syscalls.c +++ b/src/arch-x32-syscalls.c @@ -296,6 +296,7 @@ const struct arch_syscall_def x32_syscall_table[] = { \ { "rt_sigtimedwait", (X32_SYSCALL_BIT + 523) }, { "rt_tgsigqueueinfo", (X32_SYSCALL_BIT + 536) }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", (X32_SYSCALL_BIT + 146) }, { "sched_get_priority_min", (X32_SYSCALL_BIT + 147) }, { "sched_getaffinity", (X32_SYSCALL_BIT + 204) }, diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c index 53f7cfa..b6665aa 100644 --- a/src/arch-x86-syscalls.c +++ b/src/arch-x86-syscalls.c @@ -296,6 +296,7 @@ const struct arch_syscall_def x86_syscall_table[] = { \ { "rt_sigtimedwait", 177 }, { "rt_tgsigqueueinfo", 335 }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", 159 }, { "sched_get_priority_min", 160 }, { "sched_getaffinity", 242 }, diff --git a/src/arch-x86_64-syscalls.c b/src/arch-x86_64-syscalls.c index b50ec23..90cc21f 100644 --- a/src/arch-x86_64-syscalls.c +++ b/src/arch-x86_64-syscalls.c 
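Review bot: The reflowed default in the `@@ -497,7 +553,12 @@` hunk of arch-syscall-validate still spells the architecture `pcc64`, carried over from the old single-line value. The `dump_sys` and `dump_lib` case statements in the two hunks above only know `ppc64`, so `pcc64` would fall into their `*)` branch, which echoes an empty string. A default run therefore presumably never validates the ppc64 table. The line should read `ppc ppc64 \`.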
@@ -296,6 +296,7 @@ const struct arch_syscall_def x86_64_syscall_table[] = { \ { "rt_sigtimedwait", 128 }, { "rt_tgsigqueueinfo", 297 }, { "rtas", __PNR_rtas }, + { "s390_runtime_instr", __PNR_s390_runtime_instr }, { "sched_get_priority_max", 146 }, { "sched_get_priority_min", 147 }, { "sched_getaffinity", 204 }, @@ -38,8 +38,10 @@ #include "arch-mips.h" #include "arch-mips64.h" #include "arch-mips64n32.h" -#include "arch-ppc64.h" #include "arch-ppc.h" +#include "arch-ppc64.h" +#include "arch-s390.h" +#include "arch-s390x.h" #include "system.h" #define default_arg_count_max 6 @@ -84,6 +86,10 @@ const struct arch_def *arch_def_native = &arch_def_ppc64le; #endif #elif __PPC__ const struct arch_def *arch_def_native = &arch_def_ppc; +#elif __s390x__ /* s390x must be checked before s390 */ +const struct arch_def *arch_def_native = &arch_def_s390x; +#elif __s390__ +const struct arch_def *arch_def_native = &arch_def_s390; #else #error the arch code needs to know about your machine type #endif /* machine type guess */ @@ -132,12 +138,16 @@ const struct arch_def *arch_def_lookup(uint32_t token) return &arch_def_mips64n32; case SCMP_ARCH_MIPSEL64N32: return &arch_def_mipsel64n32; + case SCMP_ARCH_PPC: + return &arch_def_ppc; case SCMP_ARCH_PPC64: return &arch_def_ppc64; case SCMP_ARCH_PPC64LE: return &arch_def_ppc64le; - case SCMP_ARCH_PPC: - return &arch_def_ppc; + case SCMP_ARCH_S390: + return &arch_def_s390; + case SCMP_ARCH_S390X: + return &arch_def_s390x; } return NULL; 
@@ -174,12 +184,16 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name) return &arch_def_mips64n32; else if (strcmp(arch_name, "mipsel64n32") == 0) return &arch_def_mipsel64n32; + else if (strcmp(arch_name, "ppc") == 0) + return &arch_def_ppc; else if (strcmp(arch_name, "ppc64") == 0) return &arch_def_ppc64; else if (strcmp(arch_name, "ppc64le") == 0) return &arch_def_ppc64le; - else if (strcmp(arch_name, "ppc") == 0) - return &arch_def_ppc; + else if (strcmp(arch_name, "s390") == 0) + return &arch_def_s390; + else if (strcmp(arch_name, "s390x") == 0) + return &arch_def_s390x; return NULL; } @@ -298,11 +312,15 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) case SCMP_ARCH_MIPS64N32: case SCMP_ARCH_MIPSEL64N32: return mips64n32_syscall_resolve_name(name); + case SCMP_ARCH_PPC: + return ppc_syscall_resolve_name(name); case SCMP_ARCH_PPC64: case SCMP_ARCH_PPC64LE: return ppc64_syscall_resolve_name(name); - case SCMP_ARCH_PPC: - return ppc_syscall_resolve_name(name); + case SCMP_ARCH_S390: + return s390_syscall_resolve_name(name); + case SCMP_ARCH_S390X: + return s390x_syscall_resolve_name(name); } return __NR_SCMP_ERROR; @@ -340,11 +358,15 @@ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num) case SCMP_ARCH_MIPS64N32: case SCMP_ARCH_MIPSEL64N32: return mips64n32_syscall_resolve_num(num); + case SCMP_ARCH_PPC: + return ppc_syscall_resolve_num(num); case SCMP_ARCH_PPC64: case SCMP_ARCH_PPC64LE: return ppc64_syscall_resolve_num(num); - case SCMP_ARCH_PPC: - return ppc_syscall_resolve_num(num); + case SCMP_ARCH_S390: + return s390_syscall_resolve_num(num); + case SCMP_ARCH_S390X: + return s390x_syscall_resolve_num(num); } return NULL; diff --git a/src/gen_pfc.c b/src/gen_pfc.c index 4f2ee4f..ae8361f 100644 --- a/src/gen_pfc.c +++ b/src/gen_pfc.c 
@@ -71,6 +71,10 @@ static const char *_pfc_arch(const struct arch_def *arch) return "mips64n32"; case SCMP_ARCH_MIPSEL64N32: return "mipsel64n32"; + case SCMP_ARCH_S390X: + return "s390x"; + case SCMP_ARCH_S390: + return "s390"; default: return "UNKNOWN"; } diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd index e9c0f6a..1f29c5f 100644 --- a/src/python/libseccomp.pxd +++ b/src/python/libseccomp.pxd @@ -38,9 +38,11 @@ cdef extern from "seccomp.h": SCMP_ARCH_MIPSEL SCMP_ARCH_MIPSEL64 SCMP_ARCH_MIPSEL64N32 + SCMP_ARCH_PPC SCMP_ARCH_PPC64 SCMP_ARCH_PPC64LE - SCMP_ARCH_PPC + SCMP_ARCH_S390 + SCMP_ARCH_S390X cdef enum scmp_filter_attr: SCMP_FLTATR_ACT_DEFAULT diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx index 18360a7..2d753a9 100644 --- a/src/python/seccomp.pyx +++ b/src/python/seccomp.pyx @@ -165,9 +165,11 @@ cdef class Arch: MIPSEL = libseccomp.SCMP_ARCH_MIPSEL MIPSEL64 = libseccomp.SCMP_ARCH_MIPSEL64 MIPSEL64N32 = libseccomp.SCMP_ARCH_MIPSEL64N32 + PPC = libseccomp.SCMP_ARCH_PPC PPC64 = libseccomp.SCMP_ARCH_PPC64 PPC64LE = libseccomp.SCMP_ARCH_PPC64LE - PPC = libseccomp.SCMP_ARCH_PPC + S390 = libseccomp.SCMP_ARCH_S390 + S390X = libseccomp.SCMP_ARCH_S390X def __cinit__(self, arch=libseccomp.SCMP_ARCH_NATIVE): """ Initialize the architecture object. 
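Review bot: In the gen_pfc.c hunk the visible context of `_pfc_arch` goes straight from `SCMP_ARCH_MIPSEL64N32` to the new s390 cases and then `default`, with no ppc, ppc64 or ppc64le case in between. If those tokens are not handled earlier in the switch (its start is outside the hunk), PFC output for them would be labelled "UNKNOWN", which is worth confirming while this function is being touched. As a style point, the new cases are ordered `S390X` then `S390`, whereas every other switch in this commit lists `S390` first.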
@@ -203,12 +205,16 @@ cdef class Arch: self._token = libseccomp.SCMP_ARCH_MIPSEL64 elif arch == libseccomp.SCMP_ARCH_MIPSEL64N32: self._token = libseccomp.SCMP_ARCH_MIPSEL64N32 + elif arch == libseccomp.SCMP_ARCH_PPC: + self._token = libseccomp.SCMP_ARCH_PPC elif arch == libseccomp.SCMP_ARCH_PPC64: self._token = libseccomp.SCMP_ARCH_PPC64 elif arch == libseccomp.SCMP_ARCH_PPC64LE: self._token = libseccomp.SCMP_ARCH_PPC64LE - elif arch == libseccomp.SCMP_ARCH_PPC: - self._token = libseccomp.SCMP_ARCH_PPC + elif arch == libseccomp.SCMP_ARCH_S390: + self._token = libseccomp.SCMP_ARCH_S390 + elif arch == libseccomp.SCMP_ARCH_S390X: + self._token = libseccomp.SCMP_ARCH_S390X else: self._token = 0; elif isinstance(arch, basestring): diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py index c9f437f..4d5b914 100755 --- a/tests/20-live-basic_die.py +++ b/tests/20-live-basic_die.py @@ -34,6 +34,7 @@ def test(): util.install_trap() f = SyscallFilter(action) f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "sigreturn") f.add_rule(ALLOW, "exit_group") f.load() try: diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py index 97dd61a..df79c9d 100755 --- a/tests/21-live-basic_allow.py +++ b/tests/21-live-basic_allow.py @@ -46,6 +46,8 @@ def test(): f.add_rule(ALLOW, "close") f.add_rule(ALLOW, "rt_sigaction") f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "sigreturn") + f.add_rule(ALLOW, "brk") f.add_rule(ALLOW, "exit_group") f.load() try: diff --git a/tests/26-sim-arch_all_be_basic.c b/tests/26-sim-arch_all_be_basic.c index 91fcbea..d2c191c 100644 --- a/tests/26-sim-arch_all_be_basic.c +++ b/tests/26-sim-arch_all_be_basic.c 
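Review bot: The live tests 20-live-basic_die.py and 21-live-basic_allow.py widen their allow lists with `sigreturn` (and `brk` in test 21) without saying why. An allow-list entry in a seccomp test should carry its reason, so a later reader can tell a required syscall from an accidental one. A comment such as `# s390/s390x: the signal return path uses sigreturn rather than rt_sigreturn (confirm)` above the new rule would do, with a similar comment for `brk`. Only the Python variants are visible in this part of the diff, so it is worth checking that the C versions of tests 20 and 21 received the same rules.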
@@ -52,10 +52,16 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64n32")); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc")); + if (rc != 0) + goto out; rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64")); if (rc != 0) goto out; - rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc")); + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390x")); if (rc != 0) goto out; diff --git a/tests/26-sim-arch_all_be_basic.py b/tests/26-sim-arch_all_be_basic.py index 1537013..b0b660a 100755 --- a/tests/26-sim-arch_all_be_basic.py +++ b/tests/26-sim-arch_all_be_basic.py @@ -33,8 +33,10 @@ def test(args): f.add_arch(Arch("mips")) f.add_arch(Arch("mips64")) f.add_arch(Arch("mips64n32")) - f.add_arch(Arch("ppc64")) f.add_arch(Arch("ppc")) + f.add_arch(Arch("ppc64")) + f.add_arch(Arch("s390")) + f.add_arch(Arch("s390x")) f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) diff --git a/tests/regression b/tests/regression index 6bf6ea3..53d26b2 100755 --- a/tests/regression +++ b/tests/regression @@ -28,7 +28,8 @@ GLBL_ARCH_LE_SUPPORT=" \ ppc64le" GLBL_ARCH_BE_SUPPORT=" \ mips mips64 mips64n32 \ - ppc64 ppc" + ppc ppc64 \ + s390 s390x" GLBL_SYS_ARCH="../tools/scmp_arch_detect" GLBL_SYS_RESOLVER="../tools/scmp_sys_resolver" @@ -700,7 +701,7 @@ function run_test_live() { # setup the arch specific return values case "$arch" in - x86|x86_64|x32|arm|aarch64|ppc64|ppc64le|ppc) + x86|x86_64|x32|arm|aarch64|ppc|ppc64|ppc64le|ppc|s390|s390x) rc_kill=159 rc_allow=160 rc_trap=161 diff --git a/tools/scmp_arch_detect.c b/tools/scmp_arch_detect.c index 03644c6..51c45c9 100644 --- a/tools/scmp_arch_detect.c +++ b/tools/scmp_arch_detect.c 
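Review bot: The case pattern edited in the `@@ -700,7 +701,7 @@` hunk of tests/regression now lists `ppc` twice, once at the new position and once at the old one. The duplicate is harmless to matching but shows the old entry was not removed during the reorder. The line should read `x86|x86_64|x32|arm|aarch64|ppc|ppc64|ppc64le|s390|s390x)`. The body of `run_test_live` continues outside the hunk.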
@@ -99,14 +99,20 @@ int main(int argc, char *argv[]) case SCMP_ARCH_MIPSEL64N32: printf("mipsel64n32\n"); break; + case SCMP_ARCH_PPC: + printf("ppc\n"); + break; case SCMP_ARCH_PPC64: printf("ppc64\n"); break; case SCMP_ARCH_PPC64LE: printf("ppc64le\n"); break; - case SCMP_ARCH_PPC: - printf("ppc\n"); + case SCMP_ARCH_S390: + printf("s390\n"); + break; + case SCMP_ARCH_S390X: + printf("s390x\n"); break; default: printf("unknown\n"); diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c index 6b70105..ddd216c 100644 --- a/tools/scmp_bpf_sim.c +++ b/tools/scmp_bpf_sim.c @@ -265,12 +265,16 @@ int main(int argc, char *argv[]) arch = AUDIT_ARCH_MIPS64N32; else if (strcmp(optarg, "mipsel64n32") == 0) arch = AUDIT_ARCH_MIPSEL64N32; + else if (strcmp(optarg, "ppc") == 0) + arch = AUDIT_ARCH_PPC; else if (strcmp(optarg, "ppc64") == 0) arch = AUDIT_ARCH_PPC64; else if (strcmp(optarg, "ppc64le") == 0) arch = AUDIT_ARCH_PPC64LE; - else if (strcmp(optarg, "ppc") == 0) - arch = AUDIT_ARCH_PPC; + else if (strcmp(optarg, "s390") == 0) + arch = AUDIT_ARCH_S390; + else if (strcmp(optarg, "s390x") == 0) + arch = AUDIT_ARCH_S390X; else exit_fault(EINVAL); break; diff --git a/tools/util.c b/tools/util.c index a52c865..5b21559 100644 --- a/tools/util.c +++ b/tools/util.c @@ -70,6 +70,10 @@ #endif #elif __PPC__ #define ARCH_NATIVE AUDIT_ARCH_PPC +#elif __s390x__ /* s390x must be checked before s390 */ +#define ARCH_NATIVE AUDIT_ARCH_S390X +#elif __s390__ +#define ARCH_NATIVE AUDIT_ARCH_S390 #else #error the simulator code needs to know about your machine type #endif |