| Commit message | Author | Age | Files | Lines |
| |
Failure to update the apt repo could result in missing packages on
the remote apt repo server.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[TJH: Also fixed a minor typo]
| |
The text mentions two mailing lists, distros and oss-security, but only
provides a link to distros.
Add a link to oss-security.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Lin, Yong Xiang <r888800009@gmail.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}`
because there is no such function name.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This enables the GitHub "Security / Code Scanning" tool using CodeQL.
* https://github.com/seccomp/libseccomp/security
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Untrack `*.log` and `*.stats` files such as `01-sim-allow.c.{log,stats}`
intentionally because these files are generated in the `tests` directory
by running tests.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better
across arch/ABIs" introduced the following warning. Let's fix it.
  05-sim-long_jumps.c: In function ‘main’:
  05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
     68 | free(syscall);
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This patch primarily moves the test away from abstract syscall
numbers to honest-to-goodness actual syscalls which are present on
all currently supported arch/ABIs. This change should make it easier
to support this test across different platforms now and moving
forward.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This should make it easier to ensure we have arch/ABIs added
properly to libseccomp.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
In the process of adding and consolidating the multiplexed syscalls
for MIPS I mistakenly dropped the O32 ABI offset; this patch restores
the offset value.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Now that we have moved to the CSV based arch/ABI syscall table the
existing arch-syscall-check isn't as useful as it once was, but we
could definitely use a build-time check to ensure the syscall header
file is sync'd with the CSV arch/ABI syscall table.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
It appears that the seccomp-syscalls.h header file had gotten out of
sync with the syscalls.csv syscall table; this patch fixes this
disconnect.
The only edit that is somewhat interesting is that the oldwait4(2)
syscall probably never should have been included in the header file
as it appears to no longer exist (?).
Reported-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Most places have this correct already, but a few missed the space
before the section number.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Use of .I lines causes spaces to be inserted before & after the word.
When words are before or after, that's fine, but when it's punctuation
like parentheses or commas, it looks weird. Switch to .IR and .RI to
tighten up the display.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
I forgot to amend my commit to include these fixes before pushing
the last update that was merged. Fix that now.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The -EACCES return value from seccomp_rule_add* was added by commit
83989be02 (included into 2.5.0), which tells that this is "part of our
... API promise", so it needs to be documented accordingly. Add it.
Fixes: 83989be02
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The == is a bashism and not in POSIX, so switch to standard =.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The Python live test, 24-live-arg_allow.py, started failing on
Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python
quit() call is now invoking the munmap() syscall. To fix this,
allow the munmap() syscall in the test's seccomp filter.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
all: CHANGELOG update for release v2.5.2
| |
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add BUGS section to seccomp_rule_add.3 and add a warning about
adding a seccomp filter to syscalls that are always expected to
succeed.
PowerPC's glibc behaves differently from other architectures and
will not return a negative number for the getpid() syscall.
Fixes: https://github.com/seccomp/libseccomp/issues/313
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
The new get_notify_fd() method mimics the seccomp_notify_fd() C API
with similar behavior.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Not only does this reduce the amount of duplicated code
significantly, it removes a lot of the "magic" numbers in the
code, and it happened to catch some bugs too.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This should help leverage the recent code coverage changes as well as
some changes to the test framework. We also add the generated HTML
coverage report to the "codecoverage" artifacts.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
As documented in the function header:
"This function is to make it easier for developers to temporarily
add support for gcov/lcov to a test program; it likely should not
be used in the normal regression tests. Further, this should only
be necessary for the "live" tests."
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This is arguably the way it should have been done in the beginning
but TravisCI and Coveralls masked the need for proper standalone
code coverage tests.
With this change simply enabling code coverage during ./configure
and following with a code coverage build should generate proper
gcov/lcov data and a local HTML report, example:
  % ./configure --enable-code-coverage
  % make check-code-coverage
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This allows us to specify the test batches via environment variables
like we do other parts of the test configuration.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
You can now run multiple test types using the '-T' argument and
the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
  % cd tests
  % ./regression -T bpf-valgrind,live
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Travis CI has now been disabled. Delete the Travis CI
build status badge and display the GitHub Actions
continuous integration workflow badge.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add GitHub Actions workflow and actions to run the automated
libseccomp tests and gather code coverage metrics.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Delete the unused variable 'len' from scmp_bpf_disasm.
scan-build identified the following two warnings:
  scmp_bpf_disasm.c:304:10: warning: Although the value stored to 'len'
  is used in the enclosing expression, the value is never actually read
  from 'len'
    while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
  scmp_bpf_disasm.c:441:10: warning: Although the value stored to 'len' is
  used in the enclosing expression, the value is never actually read from
  'len'
    while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Disable Travis CI by deleting the .travis.yml file. Subsequent
commits will enable the GitHub Actions continuous integration.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The syscall was added a while ago so we should support resolving
it, too.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
In order to help reduce confusion by those who closely follow the
libseccomp repository on GitHub, push new release tags as late in the
release process as possible.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>