Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better
across arch/ABIs" introduced the following warning. Let's fix it.
05-sim-long_jumps.c: In function ‘main’:
05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
68 | free(syscall);
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 092c686e1bc4a64d3f876349573ca66144fa3b73)
This patch primarily moves the test away from abstract syscall
numbers to honest-to-goodness actual syscalls which are present on
all currently supported arch/ABIs. This change should make it easier
to support this test across different platforms now and moving
forward.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 3c2da115b5b35222afbc62f27779832d47a34786)
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit ee3660f91879eb82eb1885a9a5688fec245dcfbf)
TJH - The sh ABIs aren't in the release-2.5 branch, so they have been
removed from this commit
This should make it easier to ensure we have arch/ABIs added
properly to libseccomp.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 060a677ea5de077a7ae9f82b7142d388a1a336b6)
Conflicts:
src/arch-sh.c - Doesn't exist in release-2.5
src/syscalls.c - Minor merge conflict where ARCH_DEF() was
removed
In the process of adding and consolidating the multiplexed syscalls
for MIPS I mistakenly dropped the O32 ABI offset, this patch restores
the offset value.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 68cc5bf3d85ddedbd9a43a44389c3593b517e6c5)
Now that we have moved to the CSV based arch/ABI syscall table the
existing arch-syscall-check isn't as useful as it once was, but we
could definitely use a build-time check to ensure the syscall header
file is sync'd with the CSV arch/ABI syscall table.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit f046fd21e3274541021bff1f869bf2c9ef8d0b86)
It appears that the seccomp-syscalls.h header file had gotten out of
sync with the syscalls.csv syscall table, this patch fixes this
disconnect.
The only edit that is somewhat interesting is that the oldwait4(2)
syscall probably never should have been included in the header file
as it appears to no longer exist (?).
Reported-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 3f47bba7c5c8cc18be80e625eedb2c1823233708)
Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit 5532444587fa5f33a43179ca5cc710f1bb05f51f)
Most places have this correct already, but a few missed the space
before the section number.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 1018a9e87489cafe0f26de080219dbde1f0fa993)
Use of .I lines causes spaces to be inserted before & after the word.
When words are before or after, that's fine, but when it's punctuation
like parentheses or commas, it looks weird. Switch to .IR and .RI to
tighten up the display.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 2cfc5bd29c90a2a9b03ff00ef81b5742a1acf506)
The -EACCES return value from seccomp_rule_add* was added by commit
83989be02 (included into 2.5.0), which tells that this is "part of our
... API promise", so it needs to be documented accordingly. Add it.
Fixes: 83989be02
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 50da6c1c61c1237cc3af2240b294af66de505018)
The python live test, 24-live-arg_allow.py, started failing on
Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python
quit() call is now invoking the munmap() syscall. To fix this,
allow the munmap() syscall in the test's seccomp filter.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 4f34c6eb17c2ffcb0fce5911ddbc161d97517476)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 1d26fa1332ac8b7eeaa706f7febf343310a52160)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 8489cff8092d3c53f1a261a9b637ebfaeec45650)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Add BUGS section to seccomp_rule_add.3 and add a warning about
adding a seccomp filter to syscalls that are always expected to
succeed.
PowerPC's glibc behaves differently from other architectures and
will not return a negative number for the getpid() syscall.
Fixes: https://github.com/seccomp/libseccomp/issues/313
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(imported from commit b9a8f3dbdfe84bfe7802bb9532253cc0a46b5b8a)
The new get_notify_fd() method mimics the seccomp_notify_fd() C API
with similar behavior.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 8b34512de92decfd51fe900d23a82663711ca008)
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)
Not only does this reduce the amount of duplicated code
significantly, it removes a lot of the "magic" numbers in the
code, and it happened to catch some bugs too.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc)
This should help leverage the recent code coverage changes as well as
some changes to the test framework. We also add the generated HTML
coverage report to the "codecoverage" artifacts.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit c261232174c8432e12c39e2fc938a64d562de1d6)
As documented in the function header:
"This function is to make it easier for developers to temporarily
add support for gcov/lcov to a test program; it likely should not
be used in the normal regression tests. Further, this should only
be necessary for the "live" tests."
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit cc8d19b69aaadff2172b04fa37d4995ae63e895a)
This is arguably the way it should have been done in the beginning
but TravisCI and Coveralls masked the need for proper standalone
code coverage tests.
With this change simply enabling code coverage during ./configure
and following with a code coverage build should generate proper
gcov/lcov data and a local HTML report, example:
% ./configure --enable-code-coverage
% make check-code-coverage
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit a415ef0938c2fc8139d45f89a722d132367077cc)
This allows us to specify the test batches via environment variables
like we do other parts of the test configuration.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 72609f73cd95749e27f50f2c5a52bacdbb1a3c5a)
You can now run multiple test types using the '-T' argument and
the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
% cd tests
% ./regression -T bpf-valgrind,live
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit b465f2329183adf9735c81e98500cee93eb720c9)
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 255801bccf89343c684b2b94e85d9e0df484c133)
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae)
Travis CI has now been disabled. Delete the Travis CI
build status badge and display the Github Actions
continuous integration workflow badge.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 04245d933fad94625b45a4d100112a3483ed9292)
Add Github Actions workflow and actions to run the automated
libseccomp tests and gather code coverage metrics.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit fe068413adf3956a96d63aade3dbf7d556afd877)
Delete the unused variable 'len' from scmp_bpf_disasm.
scan-build identified the following two warnings:
scmp_bpf_disasm.c:304:10: warning: Although the value stored to 'len'
is used in the enclosing expression, the value is never actually read
from 'len'
while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
scmp_bpf_disasm.c:441:10: warning: Although the value stored to 'len' is
used in the enclosing expression, the value is never actually read from
'len'
while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 947ecc884d5c503c08fd10d580cb6b353fa0f31a)
Disable Travis CI by deleting the .travis.yml file. Subsequent
commits will enable the Github Actions continuous integration.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit dc775c014880cebb0087fb130d0163ff6f56e912)
The syscall has been added a while ago so we should support resolving
it, too.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 01e5750e7c84bb14e5a5410c924bed519209db06)
In order to help reduce confusion by those who closely follow the
libseccomp repository on GitHub, push new release tags as late in the
release process as possible.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Due to additional ABIs in main we can't do a simple backport or copy
of the syscall table so we are generating it directly in the
release-2.5 branch.
This patch also fixes the missing faccessat2() #defines in the
seccomp-syscalls.h header file.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for
SECCOMP_IOCTL_NOTIF_ID_VALID") changed the public definition of
SECCOMP_IOCTL_NOTIF_ID_VALID for correctness sake because it had the
wrong direction (no current functional change). If libseccomp is built
against kernel headers after this commit but is run on a kernel that was
built prior to this commit, then the ioctl will always return -1 EINVAL
and thus seccomp_notify_id_valid will incorrectly return -ENOENT.
Copy the (now non-public) definition of the old ioctl number and try it
if the ioctl with the number from the kernel headers fails with -1
EINVAL.
Also, update the fallback definition of SECCOMP_IOCTL_NOTIF_ID_VALID to
the new value.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Max Rees <maxcrees@me.com>
[PM: tweak some vertical whitespace, subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 83d7b022fa7ef8c24516cc668efc879e5398403f)
It is custom for C functions to return a negative integer to denote
an error. This should not be done with main() though, as the return
value is used as an exit code, which is a byte (unsigned char), so
return -1 becomes 255, which is unconventional.
Fix examples where main returns -1 to return 1.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 6d5a0bb22c8162c167900a47d57ebdeeb22ff8c0)
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit d5ad8369233322072eb0df0f9f507d94f6c88cf0)
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Commit 6b286c2e8e43de76746346b8eab855311915f5aa ("api: add API level 6")
introduced the API level 6 but had a typo and used 5 in the manpage.
This commit just fixes the typo using API level 6 in the manpage.
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Some people may not be familiar with GPG keys, subkeys, and
fingerprints; while a full explanation is beyond the scope of our
README file, at least provide some hints and a link to the GPG
website for more information.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit e76d47bc45f30a3dcda125e080bd73d97b8c3bb0)
Document the usage of SCMP_ACT_NOTIFY in seccomp_rule_add.3
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 8826022c0b7dd01a09973596750f038334780aad)
It turns out that the MIPS GCC compiler defines a "mips" cpp macro
which was resulting in build failures on MIPS so we need to
undefine the "mips" macro during build. As this should be safe
to do in all architectures, just add it to the compiler flags by
default.
This was reported in the following GH issue:
* https://github.com/seccomp/libseccomp/issues/274
Reported-by: Rongwei Zhang <pudh4418@gmail.com>
Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 5cd9059618a0810ee47c21e6b44c5a876b75e23d)
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit ff6923163174ed156c4c0645961e602396298df9)
This fix is performing the same changes
bee43d3e884788569860a384e6a38357785a3995 was doing on test
51-live-user_notification on test 58-live-tsync_notify.
Signed-off-by: Michael Karcher <github@mkarcher.dialup.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit f0686d9de911e7ffcdc7364566c1d146e44657c2)
Architectures like aarch64 and riscv64, and all future architectures that
use the generic syscall table, do not support the open and stat syscalls.
Use the openat and fstat syscalls instead.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit a317fabc1fd915f19f7e7326bf7dcb77493f1210)