Commit message | Author | Age | Files | Lines
* all: fix comment typos [release-2.5] | Tom Hromatka | 2023-03-29 | 2 | -2/+2
    Fix two comment typos reported by Codespell:
      Error: ./src/syscalls.c:292: pseduo ==> pseudo
      Error: ./src/gen_pfc.c:247: pseduo ==> pseudo
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit d5f77038335d523da509e0c246da8be794c511b7)
* RFE: Bump actions/upload-artifact from 2 to 3 | dependabot[bot] | 2023-02-07 | 1 | -1/+1
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 73be05e88623ebc6fcad3e04109c4fc47b7fc474)
* github: Update to the latest codeql actions | Tom Hromatka | 2023-02-02 | 1 | -3/+3
    Update the codeql github actions to the latest versions.
      This version of the CodeQL Action was deprecated on January 18th, 2023, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v2. For more information, see https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* github: Update to the latest checkout action | Tom Hromatka | 2023-02-02 | 2 | -5/+5
    Update the actions/checkout plugin to v3. v2 utilizes Node.js 12 and is deprecated.
      Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: actions/checkout@v2. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* all: release v2.5.4 [v2.5.4] | Tom Hromatka | 2022-04-21 | 1 | -1/+1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* all: CHANGELOG update for release v2.5.4 | Tom Hromatka | 2022-04-21 | 1 | -0/+5
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 832b65b0fe408f538cf84b361eb7261eb7243b00)
* docs: update the CREDITS file | Tom Hromatka | 2022-04-21 | 1 | -0/+1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 7dc9a129eed538baf44b3154d476daa4053e2d6c)
* tests: Fix make check-syntax error in test 54 | Tom Hromatka | 2022-04-20 | 1 | -3/+3
    54-live-binary_tree.c had spaces rather than tabs on three lines. Convert them to tabs.
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit a379a4e5cb32d79e6098d25b51506c284c820c1a)
* doc: remove the mailing list | Paul Moore | 2022-04-15 | 3 | -63/+24
    Ever since the move to GH, the mailing list hasn't been very useful or very popular so let's just drop it.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 3c0dedd45713d7928c459b6523b78f4cfd435269)
* syscalls: update the syscall list for Linux v5.17 | Paul Moore | 2022-04-05 | 2 | -1/+7
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: Add a binary tree test with zero syscalls | Tom Hromatka | 2022-03-18 | 5 | -3/+118
    Add a test that exercises the binary tree optimization but the seccomp filter has zero syscalls in it.
    Related-bug: https://github.com/seccomp/libseccomp/issues/370
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    (cherry picked from commit 5731dd9f73df9025b2c8924e2f4ce78a7d94af00)
* tests: fix 53-sim-binary_tree to use binary tree | Tom Hromatka | 2022-03-18 | 1 | -0/+1
    SCMP_FLTATR_CTL_OPTIMIZE = 2 was not being set for test 53-sim-binary_tree.py. Set the optimization level to 2 to ensure that the binary tree is being employed.
    Fixes: 38f04da84748 ("tests: add tests for the binary tree")
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    (cherry picked from commit c1c2e28520689779626dbbad8f11866b9b962748)
* bpf: pfc: Add handling for 0 syscalls in the binary tree | Tom Hromatka | 2022-03-18 | 2 | -0/+6
    Handle the unlikely case where a user has chosen the binary tree optimization but has zero syscalls in their filter.
    Fixes: https://github.com/seccomp/libseccomp/issues/370
    Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    (cherry picked from commit 2de3b87122c18b58b3e2b32ab2e81ac43774a7aa)
* github: ensure we update the apt repo before we install packages | Paul Moore | 2022-03-15 | 1 | -0/+2
    Failure to update the apt repo could result in missing packages on the remote apt repo server.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 7a28dfa86e684197aad2f858ed24a14d63313411)
* tests: fix 54-live-binary_tree to use binary tree | Kir Kolyshkin | 2022-03-15 | 2 | -1/+4
    Apparently, an early implementation of the binary tree optimization used to enable the feature when the number of rules added was > 16. The code was later changed to add and use SCMP_FLTATR_CTL_OPTIMIZE, but the 54-live-binary_tree test case was left as is. So, despite its name, it is not testing the binary tree.
    Fix this, and remove the comment that referred to the old implementation.
    Fixes: 38f04da84748 ("tests: add tests for the binary tree")
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    [PM: restyled the "Fixes" tag]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 5731b3c338f8f18b1d2b3aa300bbcb97af0fb34c)
* docs: add link to oss-security to SECURITY.md | Kir Kolyshkin | 2022-01-18 | 1 | -0/+1
    The text mentions two mailing lists, distros and oss-security, but only provides a link to distros. Add a link to oss-security.
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 51b50f95e1fb717e4560818f8b90b7ebde314ad1)
* doc: Correct mistakes in seccomp_attr_set.3 | Manabu Sugimoto | 2022-01-10 | 1 | -4/+4
    Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}` because there is no such function name.
    Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 819bd46e6b6604de654eca1a21268b0033a874e6)
* github: enable CodeQL code scanning and analysis | Paul Moore | 2022-01-10 | 1 | -0/+37
    This enables the GitHub "Security / Code Scanning" tool using CodeQL.
      * https://github.com/seccomp/libseccomp/security
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 929acb90c4a3d737c1335b52c7e37eabdf00f829)
* all: release v2.5.3 [v2.5.3] | Tom Hromatka | 2021-11-05 | 1 | -1/+1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* all: CHANGELOG update for release v2.5.3 | Tom Hromatka | 2021-11-05 | 1 | -0/+6
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* syscalls: update the syscall table to Linux v5.15 | Paul Moore | 2021-11-04 | 2 | -1/+4
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* tests: Fix warning in 05-sim-long_jumps.c | Tom Hromatka | 2021-11-01 | 1 | -0/+1
    Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better across arch/ABIs" introduced the following warning. Let's fix it.
      05-sim-long_jumps.c: In function ‘main’:
      05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
         68 | free(syscall);
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 092c686e1bc4a64d3f876349573ca66144fa3b73)
* tests: improve 05-sim-long_jumps to work better across arch/ABIs | Paul Moore | 2021-11-01 | 3 | -43/+52
    This patch primarily moves the test away from abstract syscall numbers to honest-to-goodness actual syscalls which are present on all currently supported arch/ABIs. This change should make it easier to support this test across different platforms now and moving forward.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 3c2da115b5b35222afbc62f27779832d47a34786)
* tests: add the mipsel and sh ABIs to test 30-sim-socket_syscalls | Paul Moore | 2021-11-01 | 3 | -23/+49
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit ee3660f91879eb82eb1885a9a5688fec245dcfbf)
    TJH - The sh ABIs aren't in the release-2.5 branch, so they have been removed from this commit
* arch: move the ARCH_DEF() calls into the arch/ABI specific files | Paul Moore | 2021-11-01 | 17 | -30/+54
    This should make it easier to ensure we have arch/ABIs added properly to libseccomp.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 060a677ea5de077a7ae9f82b7142d388a1a336b6)
    Conflicts:
      src/arch-sh.c - Doesn't exist in release-2.5
      src/syscalls.c - Minor merge conflict where ARCH_DEF() was removed
* mips: restore the 32-bit MIPS O32 ABI offset | Paul Moore | 2021-11-01 | 2 | -20/+61
    In the process of adding and consolidating the multiplexed syscalls for MIPS I mistakenly dropped the O32 ABI offset, this patch restores the offset value.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 68cc5bf3d85ddedbd9a43a44389c3593b517e6c5)
* arch: replace arch-syscall-check with something more useful | Paul Moore | 2021-10-29 | 4 | -225/+63
    Now that we have moved to the CSV based arch/ABI syscall table the existing arch-syscall-check isn't as useful as it once was, but we could definitely use a build-time check to ensure the syscall header file is sync'd with the CSV arch/ABI syscall table.
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit f046fd21e3274541021bff1f869bf2c9ef8d0b86)
* api: update seccomp-syscalls.h | Paul Moore | 2021-10-29 | 1 | -6/+16
    It appears that the seccomp-syscalls.h header file had gotten out of sync with the syscalls.csv syscall table, this patch fixes this disconnect.
    The only edit that is somewhat interesting is that the oldwait4(2) syscall probably never should have been included in the header file as it appears to no longer exist (?).
    Reported-by: Mike Frysinger <vapier@gentoo.org>
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 3f47bba7c5c8cc18be80e625eedb2c1823233708)
* tests: fix 11-basic-basic_errors on old kernels (API level < 5) | Paul Moore | 2021-10-18 | 1 | -33/+39
    Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
    Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (imported from commit 5532444587fa5f33a43179ca5cc710f1bb05f51f)
* doc: fix spacing with man page references | Mike Frysinger | 2021-10-15 | 3 | -6/+5
    Most places have this correct already, but a few missed the space before the section number.
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 1018a9e87489cafe0f26de080219dbde1f0fa993)
* doc: fix spacing with .I and punctuation | Mike Frysinger | 2021-10-15 | 3 | -18/+17
    Use of .I lines causes spaces to be inserted before & after the word. When words are before or after, that's fine, but when it's punctuation like parentheses or commas, it looks weird. Switch to .IR and .RI to tighten up the display.
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 2cfc5bd29c90a2a9b03ff00ef81b5742a1acf506)
* doc: seccomp_rule_add.3: add -EACCES return value | Kir Kolyshkin | 2021-10-08 | 1 | -0/+5
    The -EACCES return value from seccomp_rule_add* was added by commit 83989be02 (included into 2.5.0), which tells that this is "part of our ... API promise", so it needs to be documented accordingly. Add it.
    Fixes: 83989be02
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 50da6c1c61c1237cc3af2240b294af66de505018)
* tests: Allow munmap() syscall in Python test #24 [v2.5.2] | Tom Hromatka | 2021-09-01 | 1 | -0/+1
    The python live test, 24-live-arg_allow.py, started failing on Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python quit() call is now invoking the munmap() syscall. To fix this, allow the munmap() syscall in the test's seccomp filter.
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 4f34c6eb17c2ffcb0fce5911ddbc161d97517476)
* all: release v2.5.2 | Tom Hromatka | 2021-08-31 | 1 | -1/+1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* all: CHANGELOG update for release v2.5.2 | Tom Hromatka | 2021-08-31 | 1 | -0/+12
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 1d26fa1332ac8b7eeaa706f7febf343310a52160)
* docs: update the CREDITS file | Tom Hromatka | 2021-08-25 | 1 | -0/+3
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (cherry picked from commit 8489cff8092d3c53f1a261a9b637ebfaeec45650)
* bpf: Fix typo in comment | Tom Hromatka | 2021-08-25 | 1 | -1/+1
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* syscalls: update to Linux v5.14-rc7 | Paul Moore | 2021-08-23 | 2 | -1/+13
    Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: Add BUGS section to seccomp_rule_add.3 | Tom Hromatka | 2021-08-23 | 1 | -0/+18
    Add BUGS section to seccomp_rule_add.3 and add a warning about adding a seccomp filter to syscalls that are always expected to succeed. PowerPC's glibc behaves differently from other architectures and will not return a negative number for the getpid() syscall.
    Fixes: https://github.com/seccomp/libseccomp/issues/313
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    (imported from commit b9a8f3dbdfe84bfe7802bb9532253cc0a46b5b8a)
* python: add the get_notify_fd() method to the SyscallFilter class | Paul Moore | 2021-08-23 | 1 | -0/+13
    The new get_notify_fd() method mimics the seccomp_notify_fd() C API with similar behavior.
    Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 8b34512de92decfd51fe900d23a82663711ca008)
* tests: various additions to improve code coverage | Paul Moore | 2021-08-12 | 15 | -64/+804
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)
* arch: consolidate all of the multiplexed syscall handling | Paul Moore | 2021-08-12 | 19 | -3422/+669
    Not only does this reduce the amount of duplicated code significantly, it removes a lot of the "magic" numbers in the code, and it happened to catch some bugs too.
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc)
* github: tweak the GH Actions configuration | Paul Moore | 2021-08-12 | 2 | -8/+16
    This should help leverage the recent code coverage changes as well as some changes to the test framework. We also add the generated HTML coverage report to the "codecoverage" artifacts.
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit c261232174c8432e12c39e2fc938a64d562de1d6)
* tests: add a util_gcov_rules() utility function | Paul Moore | 2021-08-12 | 2 | -0/+42
    As documented in the function header:
      "This function is to make it easier for developers to temporarily add support for gcov/lcov to a test program; it likely should not be used in the normal regression tests. Further, this should only be necessary for the "live" tests."
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit cc8d19b69aaadff2172b04fa37d4995ae63e895a)
* build: reorganize the code coverage targets | Paul Moore | 2021-08-12 | 3 | -20/+10
    This is arguably the way it should have been done in the beginning but TravisCI and Coveralls masked the need for proper standalone code coverage tests. With this change simply enabling code coverage during ./configure and following with a code coverage build should generate proper gcov/lcov data and a local HTML report, example:
      % ./configure --enable-code-coverage
      % make check-code-coverage
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit a415ef0938c2fc8139d45f89a722d132367077cc)
* tests: add support for the LIBSECCOMP_TSTCFG_BATCHES env variable | Paul Moore | 2021-08-12 | 1 | -0/+9
    This allows us to specify the test batches via environment variables like we do other parts of the test configuration.
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 72609f73cd95749e27f50f2c5a52bacdbb1a3c5a)
* tests: allow multiple test types using comma separated values | Paul Moore | 2021-08-12 | 1 | -1/+18
    You can now run multiple test types using the '-T' argument and the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
      % cd tests
      % ./regression -T bpf-valgrind,live
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit b465f2329183adf9735c81e98500cee93eb720c9)
* ppc: add multiplexed syscall support to PPC | Paul Moore | 2021-08-12 | 1 | -4/+526
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 255801bccf89343c684b2b94e85d9e0df484c133)
* mips: add multiplexed syscall support to MIPS | Paul Moore | 2021-08-12 | 1 | -13/+495
    Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae)
* README: Display the Github Actions build status badge | Tom Hromatka | 2021-08-12 | 1 | -1/+1
    Travis CI has now been disabled. Delete the Travis CI build status badge and display the Github Actions continuous integration workflow badge.
    Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    (imported from commit 04245d933fad94625b45a4d100112a3483ed9292)