| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
The SCMP_FLTATR_CTL_WAITKILL attribute requests that the
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the
seccomp(2) system call when possible, which is currently only when
the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a seccomp_precompute() API to precompute the seccomp
filter prior to calling seccomp_load() or similar functions. Not
only does this improve the performance of seccomp_load(), it ensures
that seccomp_load() is async-signal-safe if no additional changes
have been made since the filter was precomputed.
Python bindings, test, and manpage updates are included in this
patch.
One minor side effect of this change is that seccomp_export_bpf_mem()
now always return the length of the filter in the "len" function
parameter, even in cases where the passed buffer is too small.
Arguably seccomp_export_bpf_mem() should have always behaved this
way.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It appears that the seccomp-syscalls.h header file had gotten out of
sync with the syscalls.csv syscall table, this patch fixes this
disconnect.
The only edit that is somewhat interesting is that the oldwait4(2)
syscall probably never should have been included in the header file
as it appears to no longer exist (?).
Reported-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
The syscall has been added a while ago so we should support resolving
it, too.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Initial support for seccomp for SuperH in Linux was added in 2.6.27-rc2,
support for SECCOMP_FILTER was added for Linux 5.9. This adds support
for SuperH in libseccomp, both for little-endian and big-endian mode.
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
This patch updates the code for the newly added spell checking.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
| |
API level 6 allows callers to use both the TSYNC and notify APIs at
the same time. This is due to the TSYNC_ESRCH flag which was added
in Linux v5.7.
This patch also fixes some omissions in seccomp_api_set().
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See the manpage additions as part of this patch, but the basic idea
is that when this attribute is non-zero we make every effort to
convey the system's errno value back to the caller when something
goes wrong in libc or the kernel. It is important to note from a
support perspective that our ability to support callers who make use
of this attribute will be diminished as the libc and kernel errno
values are beyond libseccomp's control.
If the attribute is zero, the library hides all of the system
failures under -ECANCELED.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This really should have been done when the notification code was
merged. Looking at the code, the seccomp.h.in comments can apply
here so we're just going to do a cut-n-paste job.
We also fixup some formatting/consistency issues in the seccomp.h.in
comments.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.
The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB passed
from ~0.45 sec to ~0.06s.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
other problems
* extracted the syscalls.csv and file deletions to other patches
to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a filter attribute, SCMP_FLTATR_CTL_OPTIMIZE,
to specify the optimization level of the seccomp filter:
0 - currently unused
1 - rules weighted by priority and complexity (default)
2 - binary tree sorted by syscall number
Several in-house customers have identified that their large
seccomp filters are slowing down their applications. Their
filters largely consist of simple allow/deny logic for many
syscalls (306 in one case) and for the most part don't utilize
argument filtering.
I modified gen_bpf.c and gen_pfc.c to utilize a cBPF binary tree
if the user has requested optimize level 2. I then timed
calling getppid() in a loop using one of my customer's seccomp
filters. I ran this loop one million times and recorded the min,
max, and mean times (in TSC ticks) to call getppid(). (I didn't
disable interrupts, so the max time was often large.) I chose
to report the minimum time because I feel it best represents the
actual time to traverse the syscall.
Test Case minimum TSC ticks to make syscall
----------------------------------------------------------------
seccomp disabled 138
getppid() at the front of 306-syscall seccomp filter 256
getppid() in middle of 306-syscall seccomp filter 516
getppid() at the end of the 306-syscall filter 1942
getppid() in a binary tree 312
As shown in the table above, a binary tree can signficantly improve
syscall performance in the average and worst case scenario for these
customers.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
| |
Signed-off-by: Andreas Schwab <schwab@suse.de>
[PM: minor macro shuffling in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Commit bf747eb21e428c2b3ead6ebcca27951b681963a0 accidentally removed the
__SNR_ppoll definition. Add it back, using a PNR value if disabled in
the kernel headers.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This is long overdue so quite a few changes, including tweaks to
support some newly direct wired syscalls which were previously
multiplexed.
We really need to make sure we update the syscall table more often.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
| |
Without this, anything which includes "seccomp.h" will fail when using a build version of libseccomp.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: tweaked the subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Historically libseccomp has created a __NR_x definition for every
syscall it supports, even those that aren't valid for a given ABI.
While this seemed like a good idea at the time, it turned out to have
some unwanted and nasty side effects. This patch finally corrects
this problem.
The basic approach is quite simple: move the SCMP_SYS() macro to use
__SNR_x values instead of __NR_x values. The unfortunate side effect
of this change is that instead of just worrying about #defines for the
__PNR_x values we now have to have a __SNR_x define for *every*
syscall. The good news is that after this patch that should only be
a few new syscalls every year - a very manageable task.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
The kernel explicitly disallows setting both TSYNC and NEW_LISTENER
at the same time, so catch this and block it in libseccomp.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is heavily based on an earlier patchset by Tycho
Andersen. I took Tycho's patch and incorporated the requested changes
from the review, fixed some corner case bugs, and simplified the API
a bit.
Kernel 5.0 includes the new user notification return code. Here's all the
infrastructure to handle that.
The idea behind the user notification return code is that the filter stops
the syscall, and forwards it to a "listener fd" that is created when
installing a filter. Then then some userspace task can listen and process
events accordingly by taking some (or no) action in userspace, and then
returning a value from the command.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
I had made this fix earlier when applying a patch, but forgot to
update the patch.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a longstanding issue with 32-bit to 64-bit sign extension
inadvertently resulting in bogus syscall argument extensions. This
patch introduces a new set of argument comparison macros which
limit the argument values to 32-bit values so that we don't run into
problems with sign extension.
We use the macro overloading proposed by Roman at
https://kecher.net/overloading-macros/ to retain the feature of these
macros being usable as static initializers.
Thanks to @jdstrand on GitHub for reporting the problem.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Key changes include:
* Added __NR_statx, __NR_io_pgetevents, and __NR_rseq syscalls
to seccomp.h.in
* mips architecture now generates some of its syscall header
files. Added logic to arch-syscall-validate to create these
headers
* ppc architecture now uses a syscall.tbl
* s390 now uses a syscall.tbl
This addresses GitHub issue #136
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
Unfortunately the pseduo syscall number for subpage_prot() was
already in use by spu_run() so renumber it to a free pseduo syscall
number.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action. To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
| |
Reported-by: Marek <deadbeef@popcount.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
Extend libseccomp to support SECCOMP_RET_LOG, which is intended to
log the syscall before allowing it.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Extend libseccomp to support SECCOMP_FILTER_FLAG_LOG, which is intended
to cause log events for all actions taken by a filter except for
SCMP_ACT_ALLOW actions. This is done via a new filter attribute called
SCMP_FLTATR_CTL_LOG that is off by default.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the concept of "API levels" which are a way of
indicating what functionality is supported at runtime. There are two
new API functions added, as explained by the manpage:
"The seccomp_api_get() function returns an integer representing the
functionality ("API level") provided by the current running kernel.
It is important to note that while seccomp_api_get() can be called
multiple times, the kernel is only probed the first time to see
what functionality is supported, all following calls to
seccomp_api_get() return a cached value.
The seccomp_api_set() function allows callers to force the API
level to the provided value; however, this is almost always a bad
idea and use of this function is strongly discouraged."
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Process tracers use a -1 syscall value to indicate that a syscall
should be skipped. This turns out to be quite an undertaking as
we need to workaround __NR_SCMP_ERROR (which also has a value of
-1). Pay special attention to the new attribute,
SCMP_FLTATR_API_TSKIP, and the documentation additions.
More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
| |
Refined `seccomp_arch_add` to be more verbose about return code `-EEXIST`
in case of existing arch in filter. Adding this information helps developers
write code to safely ignore the ret code in this case.
Signed-off-by: Jiannan Guo <guojiannan1101@gmail.com>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the following syscalls added in Linux v4.9:
- preadv2 and pwritev2
- pkey_mprotect, pkey_alloc, pkey_free
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
[PM: update subject line, description, and some whitespace]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch (v4) adds support for the parisc and parisc64 architectures
to libseccomp.
I didn't split up the patch, because it's pretty trivial.
Those parisc-specific files gets added:
src/arch-parisc-syscalls.c
src/arch-parisc.c
src/arch-parisc.h
src/arch-parisc64.c
All other changes are trivial because they simply add parisc-specific
case statements in variouse switch statements.
I did ran a "make check" on x86-64 and parisc and all testcases succeeded.
All live testcases succeed as well when running "./regression -T live".
The patch applies cleanly to current libseccomp git head.
Changes between v4 and v3 of this patch:
- Added parisc arch to arch-syscall-check.c and fixup syscall table as
needed
- Fixed copyright notices in parisc files as suggested by Mike Frysinger
Changes between v3 and v2 of this patch:
- Stripped out patch which reports if a check was skipped because
valgrind isn't installed.
- Added tuxcall pseudo syscall for 19-sim-missing_syscalls testcase
- Added sysmips pseudo syscall for 29-sim-pseudo_syscall testcase
Changes between v2 and v1 of this patch:
- Enabled seccomp mode 2 regression tests on parisc. Kernel support for
hppa was added in kernel 4.6-rc1 and backported into the kernel v4.5.2
stable series.
Signed-off-by: Helge Deller <deller@gmx.de>
[PM: corrected a number or errors from 'make check-syntax']
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
| |
This will allow callers to dynamically query the libseccomp library
to determine the version information. We do not currently plan on
exposing this API via any of the supported language bindings.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
| |
Employer agnostic emails make things a lot easier in the long run so
make sure the paul-moore.com address is used whenever it makes sense.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In file included from system.c:26:0:
../include/seccomp.h:1250:0: warning: "__NR_cacheflush" redefined
#define __NR_cacheflush __PNR_cacheflush
^
In file included from ../include/seccomp.h:27:0,
from system.c:26:
/usr/mips64-unknown-linux-gnu/usr/include/asm/unistd.h:934:0:
note: this is the location of the previous definition
#define __NR_cacheflush (__NR_Linux + 197)
Reported-by: Mike Frysinger <vapier@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
| |
Linux 4.3 added direct-wired socket syscalls in addition to the
multiplexed socket syscalls available via socketcall(). This patch
causes libseccomp to generate filters for socket syscall methods on
x86 systems.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
s390 and s390x gained quite a few new system calls:
- numa related system calls
- the separated socket system calls
- two more s390 specific pci mmio system calls
All architectures got the new membarrier and userfaultfd system calls.
This patch updates the s390 specific system call tables and updates other
architectures where needed.
Also remove some extra whitespace from the s390 specific system call tables.
Both 'make check' and './regression -T live' still work for s390 and s390x
after this update.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
|