| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Because of the way libseccomp handles non-native arch translations we
can't use arbitrary syscalls, e.g. 1000; we need to use syscalls that
are defined in the libseccomp syscall tables. Unfortunately, changing
the syscalls from 1000/1001 to a defined syscall appears to break the
test so let's just limit it to x86_64 for now.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libseccomp utilizes a hash table to manage BPF blocks. It
currently employs MurmurHash3 where the key is the hashed values
of the BPF instruction blocks, the accumulator start, and the
accumulator end. This test was added because of a mishandled
hash collision reported by Tor in GitHub issue #148.
* https://github.com/seccomp/libseccomp/issues/148
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This addresses a problem where dissimilar instruction blocks were
improperly hashed to the same value because we were not taking into
account the accumulator state.
See the GitHub issue below for more information:
* https://github.com/seccomp/libseccomp/issues/148
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
We want to be able to test proper ordering for both LT and GT
comparisons.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Based on some initial tests from Jann Horn.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Based on the recent 64-bit argument comparison fixes, we need to
update test 38-basic-pfc_coverage.
A special thanks to Jann Horn for bringing this problem to our
attention.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
We were mistakenly passing the wrong accumulator state (the state at
the start of the instruction block, not at the end) which was causing
us to generate unnecessary load instructions.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our approach to doing 64-bit comparisons using 32-bit operators was
just plain wrong, leading to a number of potential problems with
filters that used the LT, GT, LE, or GE operators. This patch fixes
this problem and a few other related issues that came to light in
the course of fixing the core problem.
A special thanks to Jann Horn for bringing this problem to our
attention.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
None of these are major, and they are all part of the tests, but we
should fix them regardless.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
This return code was added in 4.14, so let's reflect that here.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
[PM: cleanup up some duplication with the existing SECCOMP_RET_LOG code]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
| |
The kernel switched their defines to be more expressive like this, so let's
do the same. That will make it easy in future patches to copy and paste
definitions from the kernel :)
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
If both trees have prefixes that don't match, bail on the prune
operation.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
Add "[+]all_32" and "[+]all_64" which work the same as the
little and big endian test filters.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
Unfortunately a number of our automated tests fail because of the
x32 syscall bit, making low numbered syscalls invalid.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
We forgot to do this earlier, fix it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Verified on a 32-bit x86 Ubuntu 16.04.6 system.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
I had made this fix earlier when applying a patch, but forgot to
update the patch.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a longstanding issue with 32-bit to 64-bit sign extension
inadvertently resulting in bogus syscall argument extensions. This
patch introduces a new set of argument comparison macros which
limit the argument values to 32-bit values so that we don't run into
problems with sign extension.
We use the macro overloading proposed by Roman at
https://kecher.net/overloading-macros/ to retain the feature of these
macros being usable as static initializers.
Thanks to @jdstrand on GitHub for reporting the problem.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Key changes include:
* Added __NR_statx, __NR_io_pgetevents, and __NR_rseq syscalls
to seccomp.h.in
* mips architecture now generates some of its syscall header
files. Added logic to arch-syscall-validate to create these
headers
* ppc architecture now uses a syscall.tbl
* s390 now uses a syscall.tbl
This addresses GitHub issue #136
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit clarifies the error code when seccomp_arch_add() or
seccomp_merge() fails due to an endian mismatch. Previously,
libseccomp would return -EEXIST if the new architecture's
endianness did not match.
This addresses GitHub Issue #86 - BUG: seccomp_arch_add() returns
-EEXISTS on endian mismatch
Reported-by: Michael Vogt <michael.vogt@gmail.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
I forgot to add scmp_api_level to the .gitignore file.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix a leak found by clang where we were not cleaning up properly in
the error path.
CC libseccomp_la-db.lo
db.c:2020:2: warning: Potential leak of memory pointed to by 'rule_s'
_db_snap_release(snap);
^~~~~~~~~~~~~~~~
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
We are currently testing under Ubuntu 14.XX with Travis CI, it's time
to update to a more recent version of Ubuntu.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
Unfortunately the pseduo syscall number for subpage_prot() was
already in use by spu_run() so renumber it to a free pseduo syscall
number.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action. To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
github user @varqox reported that generating PFC will hang if the
libseccomp filter contains a syscalle with a priority but no rule
set. The root cause is the while() loop in gen_pfc.c that walks
through the filter's syscalls. It wasn't properly advancing
through the list when p_iter was invalid.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fix a comment in the test]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
Fixes: https://github.com/seccomp/libseccomp/issues/119
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
[PM: used full URL in the fixes line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
I'm not particularly proud of the seccomp.pyx hack, but it works, and
enabling the python bindings during the distcheck is definitely the
"Greater Good".
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
In addition to converting the db_chain_* macros to functions, we also
move them into db.c and eliminate the unused macros/functions.
This change was originally suggested by Tom Hromatka
<tom.hromatka@oracle.com>.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
| |
For an as yet unknown reason we keep seeing build failures due to the
code coverage tests despite there not being any noticeable failures.
Move the gcov testing to "after_success" so that failures won't mark
the build as failing.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Reported-by: Marek <deadbeef@popcount.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Signed-off-by: James Cowgill <jcowgill@jcowgill.uk>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
Add a test to improve the test coverage for db_chain_lt().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: stripped the conversion from a macro to function, kept the test]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Note that as cited in the gist, this commit is not ready to be
committed yet. Specifically:
* investigate _db_tree_prune(), that likely needs some logic (lt/gt)
flipping to compensate for the changes in _db_tree_add()
* run the full regression test to ensure we aren't accidentally breaking
anything
* separate patch to add this test case to the regression tests
* separate patch to clear up the macros in src/db.h, see db_chain_lt() as
an example
Full gist is here:
https://gist.github.com/pcmoore/f644341a85c6ad7131a26f68f99e3fc6
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweak, testing has proven this commit is OK and necessary
to restore proper db ordering, also fix the 'make check-syntax' errors]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|