| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Just found out the missing bit while browsing the docs in preparation of
a pet project of mine.
Fixes: 6966ec7 ("arch: Add 64-bit LoongArch support")
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Felix Geyer <debfx@fobos.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The SCMP_FLTATR_CTL_WAITKILL attribute requests that the
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the
seccomp(2) system call when possible, which is currently only when
the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This patch adds a seccomp_precompute() API to precompute the seccomp
filter prior to calling seccomp_load() or similar functions. Not
only does this improve the performance of seccomp_load(), it ensures
that seccomp_load() is async-signal-safe if no additional changes
have been made since the filter was precomputed.
Python bindings, test, and manpage updates are included in this
patch.
One minor side effect of this change is that seccomp_export_bpf_mem()
now always returns the length of the filter in the "len" function
parameter, even in cases where the passed buffer is too small.
Arguably seccomp_export_bpf_mem() should have always behaved this
way.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Mаltе Ηagemаnn <41237666+rusty-snake@users.noreply.github.com>
[PM: tweak subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Ever since the move to GH, the mailing list hasn't been very useful
or very popular so let's just drop it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[TJH: Also fixed a minor typo]
| |
Correct `seccomp_filter_{init,reset}` to `seccomp_{init,reset}`
because there is no such function name.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Most places have this correct already, but a few missed the space
before the section number.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Use of .I lines causes spaces to be inserted before & after the word.
When words are before or after, that's fine, but when it's punctuation
like parentheses or commas, it looks weird. Switch to .IR and .RI to
tighten up the display.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The -EACCES return value from seccomp_rule_add* was added by commit
83989be02 (included into 2.5.0), which tells that this is "part of our
... API promise", so it needs to be documented accordingly. Add it.
Fixes: 83989be02
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add BUGS section to seccomp_rule_add.3 and add a warning about
adding a seccomp filter to syscalls that are always expected to
succeed.
PowerPC's glibc behaves differently from other architectures and
will not return a negative number for the getpid() syscall.
Fixes: https://github.com/seccomp/libseccomp/issues/313
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
In order to help reduce confusion by those who closely follow the
libseccomp repository on GitHub, push new release tags as late in the
release process as possible.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Initial support for seccomp for SuperH in Linux was added in 2.6.27-rc2,
support for SECCOMP_FILTER was added for Linux 5.9. This adds support
for SuperH in libseccomp, both for little-endian and big-endian mode.
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
It is custom for C functions to return a negative integer to denote
an error. This should not be done with main() though, as the return
value is used as an exit code, which is a byte (unsigned char), so
return -1 becomes 255, which is unconventional.
Fix examples where main returns -1 to return 1.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Commit 6b286c2e8e43de76746346b8eab855311915f5aa ("api: add API level 6")
introduced the API level 6 but had a typo and used 5 in the manpage.
This commit just fixes the typo using API level 6 in the manpage.
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
Document the usage of SCMP_ACT_NOTIFY in seccomp_rule_add.3
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This commit changes how we handle the notification fd by only
requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
in it. We also augment the seccomp_reset(NULL, ...) behavior so
that it closes the notification fd before resetting the global
state; applications that need to keep their notification fd open
across a call to seccomp_reset(NULL, ...) can simply dup() it.
Although one would have to wonder why the application would be
calling seccomp_reset(NULL, ...) in that case.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
It turns out that requesting the seccomp userspace notification fd
more than once is a bad thing which causes the kernel to complain
(rightfully so for a variety of reasons). Unfortunately as we were
always requesting the notification fd whenever possible this results
in problems at filter load time.
Our solution is to move the notification fd out of the filter context
and into the global task context, using a newly created task_state
structure. This allows us to store, and retrieve the notification
outside the scope of an individual filter context. It also provides
some implementation improvements by giving us a convenient place to
stash all of the API level related support variables. We also extend
the seccomp_reset() API call to reset this internal global state when
passed a NULL filter context.
There is one potential case which we don't currently handle well:
threads. At the moment libseccomp is thread ignorant, and that works
well as the only global state up to this point was the currently
supported API level information which was common to all threads in a
process. Unfortunately, it appears that the notification fd need not
be common to all threads in a process, yet this patch treats it as if
it is common. I suspect this is a very unusual use case so I decided
to keep this patch simple and ignore this case, but in the future if
we need to support this properly we should be able to do so without
API changes by keeping an internal list of notification fds indexed
by gettid(2).
This fixes the GitHub issue below:
* https://github.com/seccomp/libseccomp/issues/273
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This commit documents the usage of SCMP_FLTATR_CTL_OPTIMIZE in the
seccomp_attr_set.3 man page.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
libseccomp performs a translation step when adding a raw syscall value
to a multi-architecture filter. For instance, when adding __NR_open
(syscall value 2 on x86-64) to a filter containing x86 and x86-64 where
the native ABI is x86-64, the x86 BPF branch will use the value 5
(__NR_open on x86).
This commit adds explicit documentation for the translation step.
Refs https://github.com/seccomp/libseccomp/issues/259.
Signed-off-by: Tudor Brindus <me@tbrindus.ca>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
If a syscall is used in a multi-architecture filter, the syscall must
exist in all the architectures, or -EOPNOTSUPP is returned. For example,
epoll_wait_old has value 215 in x86-64, but does not exist in x86.
Trying to add a filter rule including it in a x86-64/x86 filter will
fail.
This commit clarifies that libseccomp will reject a rule containing such
a case.
Signed-off-by: Tudor Brindus <me@tbrindus.ca>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
API level 6 allows callers to use both the TSYNC and notify APIs at
the same time. This is due to the TSYNC_ESRCH flag which was added
in Linux v5.7.
This patch also fixes some omissions in seccomp_api_set().
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
See the manpage additions as part of this patch, but the basic idea
is that when this attribute is non-zero we make every effort to
convey the system's errno value back to the caller when something
goes wrong in libc or the kernel. It is important to note from a
support perspective that our ability to support callers who make use
of this attribute will be diminished as the libc and kernel errno
values are beyond libseccomp's control.
If the attribute is zero, the library hides all of the system
failures under -ECANCELED.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Add some text to clarify that you can only have one comparison per
syscall argument in a given rule as well as better explain what
happens when you have multiple filters loaded.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Chris Waldon <chris.waldon@ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
A number of updates mainly focused on paving the way for multiple
maintainers and making better use of the GitHub vulnerability
reporting tools.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
| |
This patch is heavily based on an earlier patchset by Tycho
Andersen. I took Tycho's patch and incorporated the requested changes
from the review, fixed some corner case bugs, and simplified the API
a bit.
Kernel 5.0 includes the new user notification return code. Here's all the
infrastructure to handle that.
The idea behind the user notification return code is that the filter stops
the syscall, and forwards it to a "listener fd" that is created when
installing a filter. Then some userspace task can listen and process
events accordingly by taking some (or no) action in userspace, and then
returning a value from the command.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
The idea is that any administrative/process docs should go in doc/admin.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
We have a longstanding issue with 32-bit to 64-bit sign extension
inadvertently resulting in bogus syscall argument extensions. This
patch introduces a new set of argument comparison macros which
limit the argument values to 32-bit values so that we don't run into
problems with sign extension.
We use the macro overloading proposed by Roman at
https://kecher.net/overloading-macros/ to retain the feature of these
macros being usable as static initializers.
Thanks to @jdstrand on GitHub for reporting the problem.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
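
An added illustration of the sign-extension problem described in the commit message above (not code from libseccomp or from the commit): a negative `int` converted to a 64-bit comparison datum has its upper word filled with ones, so an equality rule misses an argument whose upper word is zero. The names `datum_t`, `filter_eq` and `arg_as_seen` are hypothetical, and the zero-extended argument is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a 64-bit rule comparison datum. */
typedef uint64_t datum_t;

/* Implicit conversion of a negative int to the 64-bit datum sign-extends. */
static datum_t datum_plain(int value)
{
	return (datum_t)value;
}

/* Truncating to 32 bits first keeps the upper word zero. */
static datum_t datum_32bit(int value)
{
	return (datum_t)(uint32_t)value;
}

/* Constructed model: an equality test on a 64-bit argument has to match
 * both 32-bit halves of the datum. */
static int filter_eq(uint64_t arg, datum_t datum)
{
	uint32_t arg_hi = (uint32_t)(arg >> 32), arg_lo = (uint32_t)arg;
	uint32_t dat_hi = (uint32_t)(datum >> 32), dat_lo = (uint32_t)datum;

	return arg_hi == dat_hi && arg_lo == dat_lo;
}

/* Assumption: a 32-bit argument reaches the filter zero-extended. */
static uint64_t arg_as_seen(int value)
{
	return (uint64_t)(uint32_t)value;
}

/* Count the sample values for which the rule would never match. */
static int count_missed(const int *values, int n, datum_t (*make)(int))
{
	int missed = 0;

	for (int i = 0; i < n; i++)
		if (!filter_eq(arg_as_seen(values[i]), make(values[i])))
			missed++;
	return missed;
}

int main(void)
{
	const int samples[] = { 0, 1, 4096, -1, -100 }; /* constructed inputs */

	printf("plain: %d missed, 32-bit: %d missed\n",
	       count_missed(samples, 5, datum_plain),
	       count_missed(samples, 5, datum_32bit));
	return 0;
}
```

A rule that never matches falls through to the filter's default action, so negative constants in argument comparisons are worth checking when reviewing a filter.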
| |
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action. To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: James Cowgill <jcowgill@jcowgill.uk>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Extend libseccomp to support SECCOMP_RET_LOG, which is intended to
log the syscall before allowing it.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Extend libseccomp to support SECCOMP_FILTER_FLAG_LOG, which is intended
to cause log events for all actions taken by a filter except for
SCMP_ACT_ALLOW actions. This is done via a new filter attribute called
SCMP_FLTATR_CTL_LOG that is off by default.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This patch adds the concept of "API levels" which are a way of
indicating what functionality is supported at runtime. There are two
new API functions added, as explained by the manpage:
"The seccomp_api_get() function returns an integer representing the
functionality ("API level") provided by the current running kernel.
It is important to note that while seccomp_api_get() can be called
multiple times, the kernel is only probed the first time to see
what functionality is supported, all following calls to
seccomp_api_get() return a cached value.
The seccomp_api_set() function allows callers to force the API
level to the provided value; however, this is almost always a bad
idea and use of this function is strongly discouraged."
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
This commit also adds a .mailmap file and updates the RELEASE_PROCESS
document to use the new script.
Signed-off-by: Paul Moore <paul@paul-moore.com>
| |
Process tracers use a -1 syscall value to indicate that a syscall
should be skipped. This turns out to be quite an undertaking as
we need to work around __NR_SCMP_ERROR (which also has a value of
-1). Pay special attention to the new attribute,
SCMP_FLTATR_API_TSKIP, and the documentation additions.
More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80
Signed-off-by: Paul Moore <paul@paul-moore.com>