| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Fix two comment typos reported by Codespell:
Error: ./src/syscalls.c:292: pseduo ==> pseudo
Error: ./src/gen_pfc.c:247: pseduo ==> pseudo
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit d5f77038335d523da509e0c246da8be794c511b7)
| |
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 73be05e88623ebc6fcad3e04109c4fc47b7fc474)
| |
Update the codeql github actions to the latest versions.
This version of the CodeQL Action was deprecated on January
18th, 2023, and is no longer updated or supported. For better
performance, improved security, and new features, upgrade to
v2. For more information, see
https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Update the actions/checkout plugin to v3. v2 utilizes Node.js 12
and is deprecated.
Node.js 12 actions are deprecated. Please update the following
actions to use Node.js 16: actions/checkout@v2. For more
information see:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.1
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 832b65b0fe408f538cf84b361eb7261eb7243b00)
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 7dc9a129eed538baf44b3154d476daa4053e2d6c)
| |
54-live-binary_tree.c had spaces rather than tabs on
three lines. Convert them to tabs.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit a379a4e5cb32d79e6098d25b51506c284c820c1a)
| |
Ever since the move to GH, the mailing list hasn't been very useful
or very popular so let's just drop it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 3c0dedd45713d7928c459b6523b78f4cfd435269)
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add a test that exercises the binary tree optimization but
the seccomp filter has zero syscalls in it.
Related-bug: https://github.com/seccomp/libseccomp/issues/370
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 5731dd9f73df9025b2c8924e2f4ce78a7d94af00)
| |
SCMP_FLTATR_CTL_OPTIMIZE = 2 was not being set for test
53-sim-binary_tree.py. Set the optimization level to 2 to
ensure that the binary tree is being employed.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit c1c2e28520689779626dbbad8f11866b9b962748)
| |
Handle the unlikely case where a user has chosen the
binary tree optimization but has zero syscalls in their
filter.
Fixes: https://github.com/seccomp/libseccomp/issues/370
Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 2de3b87122c18b58b3e2b32ab2e81ac43774a7aa)
| |
Failure to update the apt repo could result in missing packages on
the remote apt repo server.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 7a28dfa86e684197aad2f858ed24a14d63313411)
| |
Apparently, an early implementation of the binary tree optimization
used to enable the feature when the number of rules added was > 16.
The code was later changed to add and use SCMP_FLTATR_CTL_OPTIMIZE,
but the 54-live-binary_tree test case was left as is. So, despite
its name, it is not testing the binary tree.
Fix this, and remove the comment that referred to the old
implementation.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
[PM: restyled the "Fixes" tag]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 5731b3c338f8f18b1d2b3aa300bbcb97af0fb34c)
| |
The text mentions two mailing lists, distros and oss-security, but only
provides a link to distros.
Add a link to oss-security.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 51b50f95e1fb717e4560818f8b90b7ebde314ad1)
| |
Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}`
because there is no such function name.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 819bd46e6b6604de654eca1a21268b0033a874e6)
| |
This enables the GitHub "Security / Code Scanning" tool using CodeQL.
* https://github.com/seccomp/libseccomp/security
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 929acb90c4a3d737c1335b52c7e37eabdf00f829)
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better
across arch/ABIs" introduced the following warning. Let's fix it.
05-sim-long_jumps.c: In function ‘main’:
05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
68 | free(syscall);
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 092c686e1bc4a64d3f876349573ca66144fa3b73)
| |
This patch primarily moves the test away from abstract syscall
numbers to honest-to-goodness actual syscalls which are present on
all currently supported arch/ABIs. This change should make it easier
to support this test across different platforms now and moving
forward.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 3c2da115b5b35222afbc62f27779832d47a34786)
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit ee3660f91879eb82eb1885a9a5688fec245dcfbf)
TJH - The sh ABIs aren't in the release-2.5 branch, so they have been
removed from this commit
| |
This should make it easier to ensure we have arch/ABIs added
properly to libseccomp.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 060a677ea5de077a7ae9f82b7142d388a1a336b6)
Conflicts:
src/arch-sh.c - Doesn't exist in release-2.5
src/syscalls.c - Minor merge conflict where ARCH_DEF() was
removed
| |
In the process of adding and consolidating the multiplexed syscalls
for MIPS I mistakenly dropped the O32 ABI offset, this patch restores
the offset value.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 68cc5bf3d85ddedbd9a43a44389c3593b517e6c5)
| |
Now that we have moved to the CSV based arch/ABI syscall table the
existing arch-syscall-check isn't as useful as it once was, but we
could definitely use a build-time check to ensure the syscall header
file is sync'd with the CSV arch/ABI syscall table.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit f046fd21e3274541021bff1f869bf2c9ef8d0b86)
| |
It appears that the seccomp-syscalls.h header file had gotten out of
sync with the syscalls.csv syscall table, this patch fixes this
disconnect.
The only edit that is somewhat interesting is that the oldwait4(2)
syscall probably never should have been included in the header file
as it appears to no longer exist (?).
Reported-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 3f47bba7c5c8cc18be80e625eedb2c1823233708)
| |
Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit 5532444587fa5f33a43179ca5cc710f1bb05f51f)
| |
Most places have this correct already, but a few missed the space
before the section number.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 1018a9e87489cafe0f26de080219dbde1f0fa993)
| |
Use of .I lines causes spaces to be inserted before & after the word.
When words are before or after, that's fine, but when it's punctuation
like parentheses or commas, it looks weird. Switch to .IR and .RI to
tighten up the display.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 2cfc5bd29c90a2a9b03ff00ef81b5742a1acf506)
| |
The -EACCES return value from seccomp_rule_add* was added by commit
83989be02 (included into 2.5.0), which tells that this is "part of our
... API promise", so it needs to be documented accordingly. Add it.
Fixes: 83989be02
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 50da6c1c61c1237cc3af2240b294af66de505018)
| |
The python live test, 24-live-arg_allow.py, started failing on
Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python
quit() call is now invoking the munmap() syscall. To fix this,
allow the munmap() syscall in the test's seccomp filter.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 4f34c6eb17c2ffcb0fce5911ddbc161d97517476)
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 1d26fa1332ac8b7eeaa706f7febf343310a52160)
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 8489cff8092d3c53f1a261a9b637ebfaeec45650)
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add BUGS section to seccomp_rule_add.3 and add a warning about
adding a seccomp filter to syscalls that are always expected to
succeed.
PowerPC's glibc behaves differently from other architectures and
will not return a negative number for the getpid() syscall.
Fixes: https://github.com/seccomp/libseccomp/issues/313
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit b9a8f3dbdfe84bfe7802bb9532253cc0a46b5b8a)
| |
The new get_notify_fd() method mimics the seccomp_notify_fd() C API
with similar behavior.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 8b34512de92decfd51fe900d23a82663711ca008)
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)
| |
Not only does this reduce the amount of duplicated code
significantly, it removes a lot of the "magic" numbers in the
code, and it happened to catch some bugs too.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc)
| |
This should help leverage the recent code coverage changes as well as
some changes to the test framework. We also add the generated HTML
coverage report to the "codecoverage" artifacts.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit c261232174c8432e12c39e2fc938a64d562de1d6)
| |
As documented in the function header:
"This function is to make it easier for developers to temporarily
add support for gcov/lcov to a test program; it likely should not
be used in the normal regression tests. Further, this should only
be necessary for the "live" tests."
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit cc8d19b69aaadff2172b04fa37d4995ae63e895a)
| |
This is arguably the way it should have been done in the beginning
but TravisCI and Coveralls masked the need for proper standalone
code coverage tests.
With this change simply enabling code coverage during ./configure
and following with a code coverage build should generate proper
gcov/lcov data and a local HTML report, example:
% ./configure --enable-code-coverage
% make check-code-coverage
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit a415ef0938c2fc8139d45f89a722d132367077cc)
| |
This allows us to specify the test batches via environment variables
like we do other parts of the test configuration.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 72609f73cd95749e27f50f2c5a52bacdbb1a3c5a)
| |
You can now run multiple test types using the '-T' argument and
the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
% cd tests
% ./regression -T bpf-valgrind,live
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit b465f2329183adf9735c81e98500cee93eb720c9)
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 255801bccf89343c684b2b94e85d9e0df484c133)
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae)
| |
Travis CI has now been disabled. Delete the Travis CI
build status badge and display the GitHub Actions
continuous integration workflow badge.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 04245d933fad94625b45a4d100112a3483ed9292)