Commit message | Author | Age | Files | Lines
* tests: add support for the LIBSECCOMP_TSTCFG_JOBS env variable [master] | Paul Moore | 2021-01-14 | 1 | -5/+8
    The LIBSECCOMP_TSTCFG_JOBS environment variable allows the caller to specify the number of test jobs through the environment as opposed to the command line. This is primarily useful for running the tests through scripts or via the 'make check' command.

    The LIBSECCOMP_TSTCFG_JOBS environment variable value behaves the same as the '-j <JOBS>' command line argument.

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: limit the number of bpf-sim-fuzz test iterations | Paul Moore | 2021-01-14 | 21 | -22/+22
    The bpf-sim-fuzz test type was always intended to be a fuzzer for the generated BPF filters but the current implementation fuzzes the simulator more than the filter itself. Due to this, let's bump down the bpf-sim-fuzz iterations from 50 to 5, this is what we currently do on Travis CI and it seems to be okay.

    This change drops the number of tests by 1800 and the runtime from 4m7s to 3m35s on my test system running eight parallel jobs.

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: add basic support for running tests in parallel | Paul Moore | 2021-01-14 | 1 | -48/+132
    In the beginning it didn't matter that we were running the regression tests serially, but as we are now running +16k tests the run time is getting rather long. As there is no good reason why we can't run these tests in parallel, let's add some basic support to do so.

    This patch adds support for running multiple test jobs at once using the '-j <NUM>' flag, similar to the "make" command. If the number of jobs specified is invalid/zero then it is set to the number of CPUs present on the system. If the '-j <NUM>' flag is not specified then the tests are executed in serial fashion as they are done now.

    If the '-l <LOG>' option is specified the test run reverts to serial execution regardless of the command line in order to preserve the log output. While the normal console output is preserved regardless of the number of jobs, the logfile output is handled differently and this restriction was the easiest solution. We should consider removing the '-l <LOG>' option at some point since output capture and redirection is likely best handled by the shell anyway.

    As far as the performance improvements are concerned, the results speak for themselves. On my eight core laptop the runtime drops from ~14 minutes to ~4 minutes (!).

    * Existing code, single threaded (14 minutes, 14 seconds)

      % time -- ./regression -m c -m python

      =============== Tue Jan 5 06:11:52 PM EST 2021 ===============
      Regression Test Report ("regression -m c -m python")
       batch name: 01-sim-allow
       test mode: c
       test type: bpf-sim
      Test 01-sim-allow%%001-00001 result: SUCCESS
      ...
      Test 58-live-tsync_notify%%001-00001 result: SKIPPED (must specify live tests)
      Regression Test Summary
       tests run: 16412
       tests skipped: 130
       tests passed: 16412
       tests failed: 0
       tests errored: 0
      ============================================================
      real 854.37
      user 693.87
      sys 269.25

    * Patched code, 8 jobs (4 minutes, 7 seconds)

      % time -- ./regression -j 8 -m c -m python

      =============== Tue Jan 5 06:27:56 PM EST 2021 ===============
      Regression Test Report ("regression -j 8 -m c -m python")
       batch name: 01-sim-allow
       test mode: c
       test type: bpf-sim
      Test 01-sim-allow%%001-00001 result: SUCCESS
      ...
      Test 58-live-tsync_notify%%001-00001 result: SKIPPED (must specify live tests)
      Regression Test Summary
       tests run: 16412
       tests skipped: 130
       tests passed: 16412
       tests failed: 0
       tests errored: 0
      ============================================================
      real 246.96
      user 966.08
      sys 251.27

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: release v2.5.1 | Tom Hromatka | 2020-11-17 | 1 | -0/+7
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 4bf70431a339a2886ab8c82e9a45378f30c6e6c7)
* docs: update the CREDITS file | Tom Hromatka | 2020-11-17 | 1 | -0/+3
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit afd6f3db9aaa1176523ed5948993ca1b7f430795)
* doc: Fix typo in seccomp_api_get.3 | Rodrigo Campos | 2020-11-16 | 1 | -2/+2
    Commit 6b286c2e8e43de76746346b8eab855311915f5aa ("api: add API level 6") introduced the API level 6 but had a typo and used 5 in the manpage.

    This commit just fixes the typo using API level 6 in the manpage.

    Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* doc: add some more info about GPG keys to the README.md file | Paul Moore | 2020-10-25 | 1 | -2/+4
    Some people may not be familiar with GPG keys, subkeys, and fingerprints; while a full explanation is beyond the scope of our README file, at least provide some hints and a link to the GPG website for more information.

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: Add SCMP_ACT_NOTIFY documentation to seccomp_rule_add.3 | Tom Hromatka | 2020-10-25 | 1 | -0/+16
    Document the usage of SCMP_ACT_NOTIFY in seccomp_rule_add.3

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: fix typo in Berkeley | Samanta Navarro | 2020-10-21 | 2 | -2/+2
    Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* docs: update CONTRIBUTING with some community guidelines | Paul Moore | 2020-09-15 | 2 | -1/+33
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* travis: explicitly install astyle and codespell | Paul Moore | 2020-09-02 | 1 | -0/+2
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: run ./tools/check-syntax over the code | Paul Moore | 2020-09-02 | 8 | -25/+25
    This patch updates the code for the newly added spell checking.

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tools: integrate codespell into our syntax checker | Paul Moore | 2020-09-02 | 1 | -7/+30
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: use smaller "magic" numbers in 58-live-tsync_notify | Michael Karcher | 2020-09-01 | 1 | -6/+7
    This fix is performing the same changes bee43d3e884788569860a384e6a38357785a3995 was doing on test 51-live-user_notification on test 58-live-tsync_notify.

    Signed-off-by: Michael Karcher <github@mkarcher.dialup.fu-berlin.de>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: use openat and fstat instead of open and stat syscalls in tests 04 and 06 | Andreas Schwab | 2020-08-19 | 6 | -16/+20
    Architectures like aarch64 and riscv64, and all future architectures that use the generic syscall table, do not support the open and stat syscalls. Use the openat and fstat syscalls instead.

    Signed-off-by: Andreas Schwab <schwab@suse.de>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* arch: ensure we don't "munge" pseudo syscall numbers | Paul Moore | 2020-08-18 | 5 | -10/+30
    A number of arches/ABIs have either syscall offsets (the MIPS family) or specific bits (x32) which are applied to their normal syscall numbers. We generally handle that via "munging" in libseccomp, and it works reasonably well. Unfortunately we were applying this munging process to the negative pseudo syscall numbers as well and this was causing problems.

    This patch fixes the various offset/bit arches/ABIs by not applying the munging to the negative pseudo syscall numbers.

    This resolves GH issue #284:
    * https://github.com/seccomp/libseccomp/issues/284

    Reported-by: Harald van Dijk <harald@gigawatt.nl>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* system: change our notification fd handling | Paul Moore | 2020-08-18 | 2 | -5/+19
    This commit changes how we handle the notification fd by only requesting it via _NEW_LISTENER if the filter has a _NOTIFY action in it. We also augment the seccomp_reset(NULL, ...) behavior so that it closes the notification fd before resetting the global state; applications that need to keep their notification fd open across a call to seccomp_reset(NULL, ...) can simply dup() it. Although one would have to wonder why the application would be calling seccomp_reset(NULL, ...) in that case.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: only request the userspace notification fd once | Paul Moore | 2020-08-18 | 10 | -90/+187
    It turns out that requesting the seccomp userspace notification fd more than once is a bad thing which causes the kernel to complain (rightfully so for a variety of reasons). Unfortunately as we were always requesting the notification fd whenever possible this results in problems at filter load time.

    Our solution is to move the notification fd out of the filter context and into the global task context, using a newly created task_state structure. This allows us to store, and retrieve the notification outside the scope of an individual filter context. It also provides some implementation improvements by giving us a convenient place to stash all of the API level related support variables. We also extend the seccomp_reset() API call to reset this internal global state when passed a NULL filter context.

    There is one potential case which we don't currently handle well: threads. At the moment libseccomp is thread ignorant, and that works well as the only global state up to this point was the currently supported API level information which was common to all threads in a process. Unfortunately, it appears that the notification fd need not be common to all threads in a process, yet this patch treats it as if it is common. I suspect this is a very unusual use case so I decided to keep this patch simple and ignore this case, but in the future if we need to support this properly we should be able to do so without API changes by keeping an internal list of notification fds indexed by gettid(2).

    This fixes the GitHub issue below:
    * https://github.com/seccomp/libseccomp/issues/273

    Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: use smaller "magic" numbers in 51-live-user_notification | Paul Moore | 2020-08-18 | 1 | -6/+7
    On an x32 based system, and perhaps other 32-bit systems, the magic value in test 51-live-user_notification was too large and resulted in a failed comparison even when the userspace notification mechanism was working properly.

    This patch addresses this problem by using the parent process's PID for the magic number. For all arches/ABIs we know it is a valid return value for getpid() while also being one of the few PIDs that the child process should never legitimately get from a call to getpid().

    This patch also restricts the use of SCMP_SYS() to only the libseccomp API calls. This should help us catch arches/ABIs that don't implement getpid(). I'm also not sure we want to be responsible for using SCMP_SYS() outside of the libseccomp API.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* build: undefine "mips" to prevent build problems for MIPS targets | Paul Moore | 2020-08-04 | 2 | -2/+4
    It turns out that the MIPS GCC compiler defines a "mips" cpp macro which was resulting in build failures on MIPS so we need to undefine the "mips" macro during build. As this should be safe to do in all architectures, just add it to the compiler flags by default.

    This was reported in the following GH issue:
    * https://github.com/seccomp/libseccomp/issues/274

    Reported-by: Rongwei Zhang <pudh4418@gmail.com>
    Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: CHANGELOG update for release v2.5.0 | Paul Moore | 2020-07-20 | 1 | -0/+22
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: Explicitly specify the archs in the sim binary tree test | Tom Hromatka | 2020-07-17 | 1 | -51/+51
    Test 53-sim-binary_tree removes the native architecture and builds the binary tree on aarch64, ppc64le, and x86_64. But the tests file was testing for "all" architectures which led to test failures on other systems like s390x. This commit replaces the "all" arch with only the architectures in the test.

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* syscalls: update the syscall table for Linux v5.8.0-rc5 | Paul Moore | 2020-07-15 | 1 | -1/+2
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* docs: update the CREDITS file | Paul Moore | 2020-07-15 | 1 | -0/+11
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: add the 57'th python test to the Makefile | Paul Moore | 2020-07-15 | 1 | -0/+1
    Make the "distcheck" happy by properly including the 57th python test.

    Signed-off-by: Paul Moore <paul@paul-moore.com>
* bpf: correctly check for zmalloc() failures in _gen_bpf_init_bintree() | Paul Moore | 2020-07-15 | 1 | -2/+2
    Identified via Coverity, make sure we are checking the correct pointer depth when dealing with double pointers.

    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: Document SCMP_FLTATR_CTL_OPTIMIZE in seccomp_attr_set.3 | Tom Hromatka | 2020-07-14 | 1 | -0/+26
    This commit documents the usage of SCMP_FLTATR_CTL_OPTIMIZE in the seccomp_attr_set.3 man page.

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: clarify seccomp_rule_add syscall translation behavior | Tudor Brindus | 2020-07-13 | 1 | -1/+4
    libseccomp performs a translation step when adding a raw syscall value to a multi-architecture filter. For instance, when adding __NR_open (syscall value 2 on x86-64) to a filter containing x86 and x86-64 where the native ABI is x86-64, the x86 BPF branch will use the value 5 (__NR_open on x86).

    This commit adds explicit documentation for the translation step.

    Refs https://github.com/seccomp/libseccomp/issues/259.

    Signed-off-by: Tudor Brindus <me@tbrindus.ca>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: Skip the stat syscall on aarch64 in test 06 | Tom Hromatka | 2020-07-13 | 1 | -1/+1
    The recent patch to remove PNR syscalls from the BPF filter causes test 06-sim-actions%%005-00001 to fail because aarch64 doesn't support the stat syscall. This commit skips that check on aarch64 only.

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: Handle pseudo-syscalls in the sim binary tree test | Tom Hromatka | 2020-07-13 | 3 | -41/+70
    Now that pseudo-syscalls are being removed from the resultant BPF filter, we need to test for this in the simulated binary tree test. This commit modifies the test to explicitly define its supported architectures and updates the tests file to handle PNR syscalls.

    Note that the aarch64 architecture does not define many of the syscalls used in this test, and thus these syscalls fall through to the default ALLOW action.

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* bpf: do not add pseudo-syscalls to the BPF filter | Tom Hromatka | 2020-07-13 | 1 | -3/+49
    Unless explicitly instructed via the SCMP_FLTATR_API_TSKIP attribute, pseudo-syscalls should not be added to the BPF filter. Note that as of this commit, pseudo-syscalls are displayed in the PFC filter.

    Reported-by: Vitaly Chikunov <vt@altlinux.org>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* arch: Use bitwise math rather than arithmetic | Tom Hromatka | 2020-07-13 | 2 | -4/+4
    The arm and x32 architecture files were using arithmetic to set/clear bits in their syscall numbers. This could erroneously double add or double subtract these bits. This commit uses bitwise logic to ensure the bits are properly set/cleared.

    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: clarify that syscall must exist in all filter architectures | Tudor Brindus | 2020-07-13 | 1 | -0/+3
    If a syscall is used in a multi-architecture filter, the syscall must exist in all the architectures, or -EOPNOTSUPP is returned.

    For example, epoll_wait_old has value 215 in x86-64, but does not exist in x86. Trying to add a filter rule including it in a x86-64/x86 filter will fail.

    This commit clarifies that libseccomp will reject a rule containing such a case.

    Signed-off-by: Tudor Brindus <me@tbrindus.ca>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: add API level 6 | Paul Moore | 2020-06-29 | 13 | -25/+289
    API level 6 allows callers to use both the TSYNC and notify APIs at the same time. This is due to the TSYNC_ESRCH flag which was added in Linux v5.7.

    This patch also fixes some omissions in seccomp_api_set().

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* bpf: propagate errors from _gen_bpf_build_bpf helpers | Tudor Brindus | 2020-06-27 | 1 | -5/+14
    Prior to this commit, _gen_bpf_build_bpf would mask some errors that occurred in helper functions as EFAULT, even if they were not EFAULT to begin with.

    See https://github.com/seccomp/libseccomp/issues/240 for additional information.

    Signed-off-by: Tudor Brindus <me@tbrindus.ca>
    [PM: fixed GitHub reference]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* README: update the arch/ABI list | Paul Moore | 2020-06-27 | 1 | -0/+1
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* system: fix typo in comment | Rolf Eike Beer | 2020-06-25 | 1 | -1/+1
    Signed-off-by: Rolf Eike Beer <eb@emlix.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: add the SCMP_FLTATR_API_SYSRAWRC filter attribute | Paul Moore | 2020-06-16 | 20 | -19/+254
    See the manpage additions as part of this patch, but the basic idea is that when this attribute is non-zero we make every effort to convey the system's errno value back to the caller when something goes wrong in libc or the kernel. It is important to note from a support perspective that our ability to support callers who make use of this attribute will be diminished as the libc and kernel errno values are beyond libseccomp's control.

    If the attribute is zero, the library hides all of the system failures under -ECANCELED.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* system: add function comment headers for the notify functions | Paul Moore | 2020-06-16 | 2 | -5/+44
    This really should have been done when the notification code was merged. Looking at the code, the seccomp.h.in comments can apply here so we're just going to do a cut-n-paste job.

    We also fixup some formatting/consistency issues in the seccomp.h.in comments.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* bpf: return integer error codes from gen_bpf_release() | Paul Moore | 2020-06-16 | 6 | -16/+26
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tools,tests: fixup errno handling to be more consistent | Paul Moore | 2020-06-16 | 2 | -5/+5
    The basic idea is that the C functions should return negative values on error and the terminal programs should return positive, non-zero values on error.

    Reported-by: Tom Hromatka <tom.hromatka@oracle.com>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: update the manpages with return code information | Paul Moore | 2020-06-16 | 9 | -29/+162
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: filter the return codes we send to userspace | Paul Moore | 2020-06-16 | 1 | -52/+101
    This is one part of including error codes in our API promise, it helps ensure we don't accidentally send an undocumented error code to the caller.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: use EINVAL to signify bad input to the libseccomp API | Paul Moore | 2020-06-16 | 4 | -9/+9
    We need to limit our use of EINVAL to only indicate bad input to the API functions. Bad input to internal functions is not a valid use of EINVAL.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* system: treat kernel/libc errors as ECANCELED | Paul Moore | 2020-06-16 | 4 | -13/+14
    It is likely a fool's errand to try and provide kernel and libc errno guarantees across different architectures, kernels, and libc implementations so let's just punt on the problem and dump all of these errors into the ECANCELED bucket.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: use EACCESS over EPERM | Paul Moore | 2020-06-16 | 2 | -3/+3
    This is part of our error code cleanup and API promise.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: update the ABIs in seccomp_arch_add(3) manpage | Paul Moore | 2020-06-16 | 1 | -1/+18
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: update the logo URL | Paul Moore | 2020-06-16 | 1 | -1/+1
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* arch: cleanup the syscalls.csv format | Paul Moore | 2020-06-15 | 2 | -11/+3
    This should provide a nice clean display in the GitHub CSV viewer.

    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: pick better names for some legacy terminology | Paul Moore | 2020-06-11 | 14 | -85/+85
    I've never wanted my code to be either a reminder or a source of hurt for others, but it is possible that some older terminology used in this repository may do just that. That's a bug we need to fix, and hopefully this patch does just that.

    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>