Commit message | Author | Age | Files | Lines

Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Because TSYNC and NEW_LISTENER send information back via the
seccomp(...) return value, they can not be used at the same time. It
seems like the right thing to do is to always set the NEW_LISTENER
flag (as long as the API level supports it) unless the caller
explicitly sets TSYNC.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
We can't always rely on callers calling seccomp_api_get() before
using any API level gated functionality so let's force an API level
update in a few key places.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This ensures clone3, getrlimit and setrlimit are defined for aarch64 - also
update syscalls.csv from 5.6.0 to pick up these new syscalls
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
BUG: add ipc and socket multiplexing support to ppc64
This commit enables TravisCI to run the automated
tests on powerpc64le.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
This commit adds the ppc64le architecture to test
30-sim-socket_syscalls.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
This commit adds the ppc64le architecture to test
36-sim-ipc_syscalls.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
This commit adds support to ppc64 for ipc and socket
calls that are multiplexed.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
For some reason the Travis CI build is failing to pip install the
cpp-coveralls package so let's skip it (we don't run the coveralls
portions on arm64 anyway).
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Add some text to clarify that you can only have one comparison per
syscall argument in a given rule as well as better explain what
happens when you have multiple filters loaded.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
It is pointless to check the syntax of automatically generated files
so let's stop doing it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds semtimedop() support to the s390
mux/demux functions - _s390_syscall_demux() and
_s390_syscall_mux().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The following syscalls were missing from the s390 munge
functions - s390_syscall_resolve_name_munge() and
s390_syscall_resolve_num_munge():
msgctl, msgget, msgrcv, msgsnd, semctl, semget, and
semtimedop
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The following syscalls were missing from the s390x munge
functions - s390x_syscall_resolve_name_munge() and
s390x_syscall_resolve_num_munge():
msgctl, msgget, msgrcv, msgsnd, semctl, semget, and
semtimedop
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The syscalls shmat, shmctl, and shmget are ipc syscalls on s390
and s390x. This causes test #53 to fail due to the syscall number
not matching up with the values in the *.tests file.
This commit removes the aforementioned ipc syscalls since they are
being tested in tests #36 and #37.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The MIPS ABIs now use the parser friendly syscall.tbl format so make
use of that to simplify our code.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We no longer need to do the complex substitutions we used to have to
do for ppc/ppc64.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Travis CI identified some problems in our config, this patch fixes
one of these problems.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously parisc64 was borrowing from parisc which led to problems
with the syscall table for parisc64. This patch properly splits the
two ABIs.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We no longer need to correct the syscall offsets for x32, mips,
mips64, and mips64n32.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Travis CI uses "amd64" instead of "x86_64", fix the configuration.
* https://docs.travis-ci.com/user/environment-variables
Signed-off-by: Paul Moore <paul@paul-moore.com>
Since the move to gperf and the automatically generated syscall table
in CSV format, these manually maintained tables are no longer needed.
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.
The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB went
from ~0.45 sec to ~0.06 sec.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
other problems
* extracted the syscalls.csv and file deletions to other patches
to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Later patches will make use of this new syscall table format instead
of the manually maintained tables.
The new CSV syscall table was generated with the following command:
# ./arch-syscall-validate -c <kernel_source_dir> > syscalls.csv
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Commit c61950e1d972 ("arch: add missing parisc and parisc64 support
to arch-syscall-validate") forgot to add parisc64 support, this patch
fixes that.
Signed-off-by: Paul Moore <paul@paul-moore.com>
For some reason we completely forgot to add these ABIs to the
arch-syscall-validate script.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Update the arch-syscall-validate script to be "CSV friendly" in
preparation for follow-up work to move the libseccomp internal
syscall tables into a single CSV file. In the process of making
this change, a number of unrelated problems with the script were
identified and fixed.
Signed-off-by: Paul Moore <paul@paul-moore.com>
There are no functional changes in this patch, just some minor
changes found by the lgtm.com service:
* four functions in tools/util.c were "hiding" a global variable
with a local variable ("arch")
* src/arch.c had an unnecessary check in an if-condition
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
While we enable these additional architectures, we limit the code
coverage test to x86_64 and the clang/scan-build check to platforms
which support it.
It is worth noting that the ppc64le and s390x builds were not enabled
at this time due to Travis CI test failures that need to be
investigated.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This appears to cause problems in the Travis CI with the aarch64
architecture.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Two fixes to ensure that test 53 runs correctly:
* remove a debug "print()" in the Python test
* use the native ABI in the Python test
Signed-off-by: Paul Moore <paul@paul-moore.com>
Move -I${top_builddir}/include to toplevel so that it is available in all
subdirs. This is needed to find <seccomp.h> in the build directory, since
it is now a generated file.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously test 55, basic-pfc_binary_tree, used syscall numbers to
build a large binary tree. This is problematic on architectures
that have sparsely populated syscall numbers.
This commit modifies the test to use syscall names to build up a
realistic binary tree that should work on all architectures.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously test 53, sim-binary_tree, used syscall numbers to build
a large binary tree. This is problematic on architectures that
have sparsely populated syscall numbers.
This commit modifies the test to use syscall names to build up a
realistic binary tree that should work on all architectures.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds riscv64 support to arch-syscall-validate.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds support for riscv64 to arch-syscall-dump.c
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit 61108c050fd16ba13f0204f6ac3ca4cbeea86f58)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit fcb1395979f784387984e34752c07a5e8530c023)
This commit adds tests to ensure the validity of the
binary tree and the resultant pfc and bpf output.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds a filter attribute, SCMP_FLTATR_CTL_OPTIMIZE,
to specify the optimization level of the seccomp filter:
0 - currently unused
1 - rules weighted by priority and complexity (default)
2 - binary tree sorted by syscall number
Several in-house customers have identified that their large
seccomp filters are slowing down their applications. Their
filters largely consist of simple allow/deny logic for many
syscalls (306 in one case) and for the most part don't utilize
argument filtering.
I modified gen_bpf.c and gen_pfc.c to utilize a cBPF binary tree
if the user has requested optimize level 2. I then timed
calling getppid() in a loop using one of my customer's seccomp
filters. I ran this loop one million times and recorded the min,
max, and mean times (in TSC ticks) to call getppid(). (I didn't
disable interrupts, so the max time was often large.) I chose
to report the minimum time because I feel it best represents the
actual time to traverse the syscall.
Test Case                                              minimum TSC ticks to make syscall
---------------------------------------------------------------------------------------
seccomp disabled                                                                    138
getppid() at the front of 306-syscall seccomp filter                                256
getppid() in middle of 306-syscall seccomp filter                                   516
getppid() at the end of the 306-syscall filter                                     1942
getppid() in a binary tree                                                          312
As shown in the table above, a binary tree can significantly improve
syscall performance in the average and worst case scenario for these
customers.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds a function - _gen_bpf_insert() - that
inserts an instruction block into the BPF state and
creates the linked list connections for that newly-inserted
block.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit splits out some init code and a lengthy
for-loop in _gen_bpf_arch() into its own function -
_gen_bpf_syscalls().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fixed style problems found by check-syntax]
Signed-off-by: Paul Moore <paul@paul-moore.com>
In _gen_bpf_arch(), there was an identical block of code to sort
the primary database syscalls and the secondary database
syscalls. This commit refactors those duplicated, inline loops
into a single function.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andreas Schwab <schwab@suse.de>
[PM: minor macro shuffling in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
On s390, shmat, shmdt, shmget, and shmctl can be done either
via sockets or ipc. Prior to this commit, the s390 code only
supported these calls via sockets. This commit adds support
for both sockets and ipc.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>