| Commit message | Author | Age | Files | Lines |
| |
It appears that '--indent-preprocessor' and
'--max-instatement-indent' are no longer supported command line
options, remove them.
Minor tweak to db_col_init() to appease astyle, no functional
changes.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Squelch the following warning, first noticed in GCC v13.1.1, but
possibly present earlier:
gen_bpf.c: In function '_gen_bpf_build_bpf':
gen_bpf.c:2083:21: warning: storing the address of local variable
'pseudo_arch' in '*state.arch'
[-Wdangling-pointer=]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
The aim of arch-syscall-check test is to check for syscalls
missing implementation. It does so by comparing two files:
1) src/syscalls.csv
2) include/seccomp-syscalls.h
However, due to use of relative paths these files are not found
when doing a VPATH build. But, we can re-use an idea from GNU
coreutils and get an absolute path to the source dir. All that's
needed then is to prefix those two paths with the source dir
path.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
When using autoconf macros, one has to be careful because some
arguments may need additional escaping. In this
particular case, the second argument passed to
AC_DEFINE_UNQUOTED() is problematic as autoconf runs it in a
subshell resulting in 'yes' being interpreted as a name of a
variable instead of literal "yes" string. Putting quotes around
it lets shell know we want string comparison.
This problem was noticed with autoconf-2.71.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Detecting cython version runs cython needlessly many times (one
for AS_ECHO(), one for major and one for minor version
extraction). Speaking of AS_ECHO(), the argument needs escaping
as it's not a single shell word.
Instead of fixing the escaping, let's rework the check a bit so
that cython is executed just once and AS_ECHO() is then replaced
with AC_MSG_CHECKING() AC_MSG_RESULT() combo.
The need for escaping can be seen with newer autotools-2.71.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Drive-by fixes that should make the spell-checking CI happy.
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Just found out the missing bit while browsing the docs in preparation of
a pet project of mine.
Fixes: 6966ec7 ("arch: Add 64-bit LoongArch support")
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
According to the LoongArch Toolchain Conventions [1], `__loongarch64`
has already been deprecated for a while. What we care about here is the ABI
data model, so change the `__loongarch64` to `__loongarch_lp64` instead.
[1]: https://loongson.github.io/LoongArch-Documentation/LoongArch-toolchain-conventions-EN.html
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Fix two comment typos reported by Codespell:
Error: ./src/syscalls.c:292: pseduo ==> pseudo
Error: ./src/gen_pfc.c:247: pseduo ==> pseudo
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
[xen0n: LoongArch (and a few upcoming architectures / ABIs) does not
have fstat, so the fstat in 06-sim-actions is also being changed to
fstatfs for uniformity across the board.]
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Add an action, dependabot, that will periodically check GitHub Actions
dependencies. It is currently configured to run weekly. If dependabot
finds an update, it will open a pull request.
See here for more details:
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: added a trailing space to the "RFE:" prefix]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
LGTM is now deprecated [1]. Remove the LGTM badge and replace it with
a CodeQL badge.
[1] https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Felix Geyer <debfx@fobos.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Update the codeql github actions to the latest versions.
This version of the CodeQL Action was deprecated on January
18th, 2023, and is no longer updated or supported. For better
performance, improved security, and new features, upgrade to
v2. For more information, see
https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Update the actions/checkout plugin to v3. v2 utilizes Node.js 12
and is deprecated.
Node.js 12 actions are deprecated. Please update the following
actions to use Node.js 16: actions/checkout@v2. For more
information see:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.1
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
The SCMP_FLTATR_CTL_WAITKILL attribute requests that the
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the
seccomp(2) system call when possible, which is currently only when
the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This patch adds a seccomp_precompute() API to precompute the seccomp
filter prior to calling seccomp_load() or similar functions. Not
only does this improve the performance of seccomp_load(), it ensures
that seccomp_load() is async-signal-safe if no additional changes
have been made since the filter was precomputed.
Python bindings, test, and manpage updates are included in this
patch.
One minor side effect of this change is that seccomp_export_bpf_mem()
now always returns the length of the filter in the "len" function
parameter, even in cases where the passed buffer is too small.
Arguably seccomp_export_bpf_mem() should have always behaved this
way.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
shellcheck complains:
> In arch-syscall-validate line 785:
> sc_list=$((for abi in $abi_list; do
> ^-- SC1102 (error): Shells disambiguate $(( differently or not at all. For $(command substitution), add space after $( . For $((arithmetics)), fix parsing errors.
Another tool, shfmt, can't even parse the file:
> arch-syscall-validate:785:17: not a valid arithmetic operator: abi
Add a space to resolve this.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
The arch-syscall-dump is almost always used from arch-syscall-validate
(the only exception I found is when -c and -l are given), so it makes
sense to check that it's available beforehand.
Without this patch, when arch-syscall-dump is not present, the script
produces lots of output with a few errors about the missing
./arch-syscall-dump hidden in the middle of it.
To keep things simple, we require arch-syscall-dump even when it is not
going to be used.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The python distutils package is deprecated. Utilize
setuptools and cythonize instead.
./setup.py:26: DeprecationWarning: The distutils
package is deprecated and slated for removal in
Python 3.12. Use setuptools or check PEP 632 [1] for
potential alternatives
[1] https://peps.python.org/pep-0632/
Fixes: https://github.com/seccomp/libseccomp/issues/372
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Mаltе Ηagemаnn <41237666+rusty-snake@users.noreply.github.com>
[PM: tweak subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This commit adds basic support for tracking what kernel introduced a
syscall for a given arch/ABI. It does not provide any of that kernel
version information, leaving only a SCMP_KV_UNDEF placeholder, nor
does it attempt to do anything meaningful with this new source of
information; this patch simply establishes a new syscalls.csv format
so that we can start properly recording the kernel versions.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
54-live-binary_tree.c had spaces rather than tabs on
three lines. Convert them to tabs.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Ever since the move to GH, the mailing list hasn't been very useful
or very popular so let's just drop it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add a test that exercises the binary tree optimization but
the seccomp filter has zero syscalls in it.
Related-bug: https://github.com/seccomp/libseccomp/issues/370
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
| |
SCMP_FLTATR_CTL_OPTIMIZE = 2 was not being set for test
53-sim-binary_tree.py. Set the optimization level to 2 to
ensure that the binary tree is being employed.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
| |
Handle the unlikely case where a user has chosen the
binary tree optimization but has zero syscalls in their
filter.
Fixes: https://github.com/seccomp/libseccomp/issues/370
Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
| |
Apparently, an early implementation of the binary tree optimization
used to enable the feature when the number of rules added was > 16.
The code was later changed to add and use SCMP_FLTATR_CTL_OPTIMIZE,
but the 54-live-binary_tree test case was left as is. So, despite
its name, it is not testing the binary tree.
Fix this, and remove the comment that referred to the old
implementation.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
[PM: restyled the "Fixes" tag]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Failure to update the apt repo could result in missing packages on
the remote apt repo server.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[TJH: Also fixed a minor typo]
| |
The text mentions two mailing lists, distros and oss-security, but only
provides a link to distros.
Add a link to oss-security.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Lin, Yong Xiang <r888800009@gmail.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}`
because there is no such function name.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>