Commit message | Author | Age | Files | Lines

We no longer need to do the complex substitutions we used to have to
do for ppc/ppc64.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Travis CI identified some problems in our config; this patch fixes
one of these problems.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously parisc64 was borrowing from parisc, which led to problems
with the syscall table for parisc64. This patch properly splits the
two ABIs.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We no longer need to correct the syscall offsets for x32, mips,
mips64, and mips64n32.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Travis CI uses "amd64" instead of "x86_64"; fix the configuration.
* https://docs.travis-ci.com/user/environment-variables
Signed-off-by: Paul Moore <paul@paul-moore.com>
Since the move to gperf and the automatically generated syscall table
in CSV format, these manually maintained tables are no longer needed.
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database with a lookup table.
The complexity of syscall_resolve_num is not changed: it still uses
a linear search, which is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB went
from ~0.45s to ~0.06s.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
other problems
* extracted the syscalls.csv and file deletions to other patches
to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Later patches will make use of this new syscall table format instead
of the manually maintained tables.
The new CSV syscall table was generated with the following command:
# ./arch-syscall-validate -c <kernel_source_dir> > syscalls.csv
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Commit c61950e1d972 ("arch: add missing parisc and parisc64 support
to arch-syscall-validate") forgot to add parisc64 support; this patch
fixes that.
Signed-off-by: Paul Moore <paul@paul-moore.com>
For some reason we completely forgot to add these ABIs to the
arch-syscall-validate script.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Update the arch-syscall-validate script to be "CSV friendly" in
preparation for follow-up work to move the libseccomp internal
syscall tables into a single CSV file. In the process of making
this change, a number of unrelated problems with the script were
identified and fixed.
Signed-off-by: Paul Moore <paul@paul-moore.com>
There are no functional changes in this patch, just some minor
changes found by the lgtm.com service:
* four functions in tools/util.c were "hiding" a global variable
with a local variable ("arch")
* src/arch.c had an unnecessary check in an if-condition
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
While we enable these additional architectures, we limit the code
coverage test to x86_64 and the clang/scan-build check to platforms
which support it.
It is worth noting that the ppc64le and s390x builds were not enabled
at this time due to Travis CI test failures that need to be
investigated.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This appears to cause problems in the Travis CI with the aarch64
architecture.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Two fixes to ensure that test 53 runs correctly:
* remove a debug "print()" in the Python test
* use the native ABI in the Python test
Signed-off-by: Paul Moore <paul@paul-moore.com>
Move -I${top_builddir}/include to toplevel so that it is available in all
subdirs. This is needed to find <seccomp.h> in the build directory, since
it is now a generated file.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously test 55, basic-pfc_binary_tree, used syscall numbers to
build a large binary tree. This is problematic on architectures
that have sparsely populated syscall numbers.
This commit modifies the test to use syscall names to build up a
realistic binary tree that should work on all architectures.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously test 53, sim-binary_tree, used syscall numbers to build
a large binary tree. This is problematic on architectures that
have sparsely populated syscall numbers.
This commit modifies the test to use syscall names to build up a
realistic binary tree that should work on all architectures.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds riscv64 support to arch-syscall-validate.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds support for riscv64 to arch-syscall-dump.c
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit 61108c050fd16ba13f0204f6ac3ca4cbeea86f58)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit fcb1395979f784387984e34752c07a5e8530c023)
This commit adds tests to ensure the validity of the
binary tree and the resultant pfc and bpf output.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds a filter attribute, SCMP_FLTATR_CTL_OPTIMIZE,
to specify the optimization level of the seccomp filter:
0 - currently unused
1 - rules weighted by priority and complexity (default)
2 - binary tree sorted by syscall number
Several in-house customers have identified that their large
seccomp filters are slowing down their applications. Their
filters largely consist of simple allow/deny logic for many
syscalls (306 in one case) and for the most part don't utilize
argument filtering.
I modified gen_bpf.c and gen_pfc.c to utilize a cBPF binary tree
if the user has requested optimize level 2. I then timed
calling getppid() in a loop using one of my customer's seccomp
filters. I ran this loop one million times and recorded the min,
max, and mean times (in TSC ticks) to call getppid(). (I didn't
disable interrupts, so the max time was often large.) I chose
to report the minimum time because I feel it best represents the
actual time to traverse the syscall.
Test Case                                              minimum TSC ticks to make syscall
----------------------------------------------------------------
seccomp disabled                                       138
getppid() at the front of 306-syscall seccomp filter   256
getppid() in middle of 306-syscall seccomp filter      516
getppid() at the end of the 306-syscall filter         1942
getppid() in a binary tree                             312
As shown in the table above, a binary tree can significantly improve
syscall performance in the average and worst case scenario for these
customers.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds a function - _gen_bpf_insert() - that
inserts an instruction block into the BPF state and
creates the linked list connections for that newly-inserted
block.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit splits out some init code and a lengthy
for-loop in _gen_bpf_arch() into its own function -
_gen_bpf_syscalls().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fixed style problems found by check-syntax]
Signed-off-by: Paul Moore <paul@paul-moore.com>
In _gen_bpf_arch(), there was an identical block of code to sort
the primary database syscalls and the secondary database
syscalls. This commit refactors those duplicated, inline loops
into a single function.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andreas Schwab <schwab@suse.de>
[PM: minor macro shuffling in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
On s390, shmat, shmdt, shmget, and shmctl can be done either
via sockets or ipc. Prior to this commit, the s390 code only
supported these calls via sockets. This commit adds support
for both sockets and ipc.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Shuffle the sections around to make it more clear that the "Explain
Your Work" and "Sign Your Work" sections apply to both email and GH
workflows.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously the live python tests failed in the TravisCI environment
because the nightly python version changed in a subtle way that made
the `cython` install unreliable. This change reverts to a stable
version of python that is able to install cython reliably.
Signed-off-by: Chris Waldon <chris.waldon@ibm.com>
[PM: edits to the commit description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Chris Waldon <chris.waldon@ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Chris Waldon <chris.waldon@ibm.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Chris Waldon <chris.waldon@ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
We recently changed how libseccomp handles syscall numbers that are
not defined natively, but we missed test #15.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Python 2.x is going EOL very soon, so let's require Python 3.x now
and attempt to use the explicitly marked Python 3.x tools first.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Do not force static linking of the tools; it breaks the build with:
BR2_SHARED_LIBS=y
Patch retrieved from
https://git.buildroot.net/buildroot/tree/package/libseccomp/0001-remove-static.patch and slightly updated to work with 2.3.3
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: also removed the '-static' from the scmp_api_level build]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Oddly, going from 16.04 to 18.04 results in about a 0.8% reduction
in code coverage.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is a bit controversial as historically we've refrained from
doing any tests that rely on the host kernel in the non-live tests,
but I think enough time has passed that we can do a simple
seccomp_load() and not break the world's build/test platforms.
The obvious big advantage is we are now testing the basic
prctl()/seccomp() filter load infrastructure as part of the main
regression test run.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The clang compiler complains of a potential memory leak; this patch
fixes it.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Commit bf747eb21e428c2b3ead6ebcca27951b681963a0 accidentally removed the
__SNR_ppoll definition. Add it back, using a PNR value if disabled in
the kernel headers.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Creating a transaction can be very time-consuming on large filters since we
create a duplicate filter tree iteratively using the rules supplied by the
caller. In an effort to speed this up we introduce the idea of shadow
transactions, where on a successful transaction commit we preserve the old
transaction checkpoint, bring it up to date with the current filter, and
save it for future use. The next time we start a new transaction we check
to see if a shadow transaction exists; if it does, we use that instead of
creating a new transaction checkpoint from scratch.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Pay back some of the technical debt in db_col_rule_add(), no logic
changes in this patch, just removing some code duplication.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit aa80299301a9c21a82f5d96911df5a2fbfaf17dd)
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is long overdue so quite a few changes, including tweaks to
support some newly direct wired syscalls which were previously
multiplexed.
We really need to make sure we update the syscall table more often.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>