Commit message | Author | Age | Files | Lines
* github: ensure we update the apt repo before we install packages | Paul Moore | 2022-03-15 | 1 | -0/+2
|   Failure to update the apt repo could result in missing packages on the remote apt repo server.
|
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* docs: consolidate security vulnerability handling in SECURITY.md | Paul Moore | 2022-02-10 | 1 | -6/+2
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|   [TJH: Also fixed a minor typo]
* docs: add link to oss-security to SECURITY.md | Kir Kolyshkin | 2022-01-18 | 1 | -0/+1
|   The text mentions two mailing lists, distros and oss-security, but only provides a link to distros. Add a link to oss-security.
|
|   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* doc: Fix typo in README.md | Lin, Yong Xiang | 2022-01-10 | 1 | -1/+1
|   Signed-off-by: Lin, Yong Xiang <r888800009@gmail.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* doc: Correct mistakes in seccomp_attr_set.3 | Manabu Sugimoto | 2022-01-10 | 1 | -4/+4
|   Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}` because there is no such function name.
|
|   Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* github: enable codespell checks | Paul Moore | 2022-01-10 | 1 | -0/+13
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* github: enable CodeQL code scanning and analysis | Paul Moore | 2022-01-10 | 1 | -0/+37
|   This enables the GitHub "Security / Code Scanning" tool using CodeQL.
|
|   * https://github.com/seccomp/libseccomp/security
|
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* tests: Add *.log and *.stats to .gitignore | Manabu Sugimoto | 2022-01-10 | 1 | -0/+2
|   Untrack `*.log` and `*.stats` files such as `01-sim-allow.c.{log,stats}` intentionally because these files are generated in the `tests` directory by running tests.
|
|   Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
|   Reviewed-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* doc,pyx,tests: Fix some typos | Manabu Sugimoto | 2022-01-05 | 3 | -5/+5
|   Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* github: fix a typo in the GH actions setup | Paul Moore | 2021-12-30 | 1 | -1/+1
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* all: CHANGELOG update for release v2.5.3 | Tom Hromatka | 2021-11-05 | 1 | -0/+6
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* syscalls: update the syscall table to Linux v5.15 | Paul Moore | 2021-11-04 | 2 | -1/+4
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* tests: Fix warning in 05-sim-long_jumps.c | Tom Hromatka | 2021-11-01 | 1 | -0/+1
|   Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better across arch/ABIs" introduced the following warning. Let's fix it.
|
|   05-sim-long_jumps.c: In function ‘main’:
|   05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
|      68 |     free(syscall);
|
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* tests: improve 05-sim-long_jumps to work better across arch/ABIs | Paul Moore | 2021-11-01 | 3 | -43/+52
|   This patch primarily moves the test away from abstract syscall numbers to honest-to-goodness actual syscalls which are present on all currently supported arch/ABIs. This change should make it easier to support this test across different platforms now and moving forward.
|
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* tests: add the mipsel and sh ABIs to test 30-sim-socket_syscalls | Paul Moore | 2021-11-01 | 3 | -23/+58
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* arch: move the ARCH_DEF() calls into the arch/ABI specific files | Paul Moore | 2021-11-01 | 18 | -31/+56
|   This should make it easier to ensure we have arch/ABIs added properly to libseccomp.
|
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* mips: restore the 32-bit MIPS O32 ABI offset | Paul Moore | 2021-11-01 | 2 | -20/+61
|   In the process of adding and consolidating the multiplexed syscalls for MIPS I mistakenly dropped the O32 ABI offset, this patch restores the offset value.
|
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* arch: replace arch-syscall-check with something more useful | Paul Moore | 2021-10-29 | 4 | -235/+63
|   Now that we have moved to the CSV based arch/ABI syscall table the existing arch-syscall-check isn't as useful as it once was, but we could definitely use a build-time check to ensure the syscall header file is sync'd with the CSV arch/ABI syscall table.
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: update seccomp-syscalls.h | Paul Moore | 2021-10-28 | 1 | -6/+16
|   It appears that the seccomp-syscalls.h header file had gotten out of sync with the syscalls.csv syscall table, this patch fixes this disconnect.
|
|   The only edit that is somewhat interesting is that the oldwait4(2) syscall probably never should have been included in the header file as it appears to no longer exist (?).
|
|   Reported-by: Mike Frysinger <vapier@gentoo.org>
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: fix 11-basic-basic_errors on old kernels (API level < 5) | Paul Moore | 2021-10-18 | 1 | -33/+39
|   Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
|   Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* doc: fix spacing with man page references | Mike Frysinger | 2021-10-15 | 3 | -6/+5
|   Most places have this correct already, but a few missed the space before the section number.
|
|   Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: fix spacing with .I and punctuation | Mike Frysinger | 2021-10-15 | 3 | -18/+17
|   Use of .I lines causes spaces to be inserted before & after the word. When words are before or after, that's fine, but when it's punctuation like parentheses or commas, it looks weird. Switch to .IR and .RI to tighten up the display.
|
|   Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: add missing reviewer fixes | Mike Frysinger | 2021-10-13 | 2 | -2/+4
|   I forgot to amend my commit to include these fixes before pushing the last update that was merged. Fix that now.
|
|   Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* api: extend BPF export API to write to a memory buffer | Mike Frysinger | 2021-10-08 | 9 | -0/+139
|   The API to export to a fd is helpful, but for tools that want to generate & read the BPF program, outputting to a buffer would be much more helpful.
|
|   Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   [PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
|   [PM: 'make check-syntax' fixes]
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: seccomp_rule_add.3: add -EACCES return value | Kir Kolyshkin | 2021-10-08 | 1 | -0/+5
|   The -EACCES return value from seccomp_rule_add* was added by commit 83989be02 (included into 2.5.0), which tells that this is "part of our ... API promise", so it needs to be documented accordingly. Add it.
|
|   Fixes: 83989be02
|   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* python: fix `[` bashism | Mike Frysinger | 2021-09-28 | 1 | -2/+2
|   The == is a bashism and not in POSIX, so switch to standard =.
|
|   Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: Allow munmap() syscall in Python test #24 | Tom Hromatka | 2021-09-01 | 1 | -0/+1
|   The python live test, 24-live-arg_allow.py, started failing on Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python quit() call is now invoking the munmap() syscall. To fix this, allow the munmap() syscall in the test's seccomp filter.
|
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* Merge pull request #334 from drakenclimber/issues/v2.5.2-changelog | Tom Hromatka | 2021-08-31 | 1 | -0/+12
|\
| |   all: CHANGELOG update for release v2.5.2
| * all: CHANGELOG update for release v2.5.2 | Tom Hromatka | 2021-08-31 | 1 | -0/+12
|/
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* docs: update the CREDITS file | Tom Hromatka | 2021-08-25 | 1 | -0/+3
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* bpf: Fix typo in comment | Tom Hromatka | 2021-08-25 | 1 | -1/+1
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* syscalls: update to Linux v5.14-rc7 | Paul Moore | 2021-08-23 | 2 | -1/+13
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* doc: Add BUGS section to seccomp_rule_add.3 | Tom Hromatka | 2021-08-23 | 1 | -0/+18
|   Add BUGS section to seccomp_rule_add.3 and add a warning about adding a seccomp filter to syscalls that are always expected to succeed. PowerPC's glibc behaves differently from other architectures and will not return a negative number for the getpid() syscall.
|
|   Fixes: https://github.com/seccomp/libseccomp/issues/313
|   Acked-by: Paul Moore <paul@paul-moore.com>
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
* python: add the get_notify_fd() method to the SyscallFilter class | Paul Moore | 2021-08-23 | 1 | -0/+13
|   The new get_notify_fd() method mimics the seccomp_notify_fd() C API with similar behavior.
|
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: various additions to improve code coverage | Paul Moore | 2021-08-12 | 15 | -64/+847
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* arch: consolidate all of the multiplexed syscall handling | Paul Moore | 2021-08-12 | 20 | -3943/+685
|   Not only does this reduce the amount of duplicated code significantly, it removes a lot of the "magic" numbers in the code, and it happened to catch some bugs too.
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* github: tweak the GH Actions configuration | Paul Moore | 2021-08-12 | 2 | -8/+16
|   This should help leverage the recent code coverage changes as well as some changes to the test framework. We also add the generated HTML coverage report to the "codecoverage" artifacts.
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: add a util_gcov_rules() utility function | Paul Moore | 2021-08-12 | 2 | -0/+42
|   As documented in the function header:
|
|   "This function is to make it easier for developers to temporarily add support for gcov/lcov to a test program; it likely should not be used in the normal regression tests. Further, this should only be necessary for the "live" tests."
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* build: reorganize the code coverage targets | Paul Moore | 2021-08-12 | 3 | -20/+10
|   This is arguably the way it should have been done in the beginning but TravisCI and Coveralls masked the need for proper standalone code coverage tests. With this change simply enabling code coverage during ./configure and following with a code coverage build should generate proper gcov/lcov data and a local HTML report, example:
|
|     % ./configure --enable-code-coverage
|     % make check-code-coverage
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: add support for the LIBSECCOMP_TSTCFG_BATCHES env variable | Paul Moore | 2021-08-12 | 1 | -0/+9
|   This allows us to specify the test batches via environment variables like we do other parts of the test configuration.
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tests: allow multiple test types using comma separated values | Paul Moore | 2021-08-12 | 1 | -1/+18
|   You can now run multiple test types using the '-T' argument and the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
|
|     % cd tests
|     % ./regression -T bpf-valgrind,live
|
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* ppc: add multiplexed syscall support to PPC | Paul Moore | 2021-08-12 | 1 | -4/+526
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* sh: add multiplexed syscall support to SH | Paul Moore | 2021-08-12 | 1 | -8/+528
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* mips: add multiplexed syscall support to MIPS | Paul Moore | 2021-08-12 | 1 | -13/+495
|   Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* README: Display the Github Actions build status badge | Tom Hromatka | 2021-07-26 | 1 | -1/+1
|   Travis CI has now been disabled. Delete the Travis CI build status badge and display the Github Actions continuous integration workflow badge.
|
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* github: Add continuous integration workflow | Tom Hromatka | 2021-07-26 | 2 | -0/+138
|   Add Github Actions workflow and actions to run the automated libseccomp tests and gather code coverage metrics.
|
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* tools: fix scan-build warnings in scmp_bpf_disasm | Tom Hromatka | 2021-07-26 | 1 | -4/+2
|   Delete the unused variable 'len' from scmp_bpf_disasm. scan-build identified the following two warnings:
|
|   scmp_bpf_disasm.c:304:10: warning: Although the value stored to 'len' is used in the enclosing expression, the value is never actually read from 'len'
|           while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
|   scmp_bpf_disasm.c:441:10: warning: Although the value stored to 'len' is used in the enclosing expression, the value is never actually read from 'len'
|           while ((len = fread(&bpf, sizeof(bpf), 1, file))) {
|
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* travis: Disable Travis CI | Tom Hromatka | 2021-07-26 | 1 | -85/+0
|   Disable Travis CI by deleting the .travis.yml file. Subsequent commits will enable the Github Actions continuous integration.
|
|   Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* syscalls: add close_range() syscall | Sascha Grunert | 2021-07-19 | 1 | -0/+2
|   The syscall has been added a while ago so we should support resolving it, too.
|
|   Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   [PM: subject line tweak]
|   Signed-off-by: Paul Moore <paul@paul-moore.com>
* docs: update RELEASE_PROCESS.md to push the release tag as late as possible | Paul Moore | 2021-04-28 | 1 | -4/+7
|   In order to help reduce confusion by those who closely follow the libseccomp repository on GitHub, push new release tags as late in the release process as possible.
|
|   Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
|   Signed-off-by: Paul Moore <paul@paul-moore.com>