Commit message
WORK IN PROGRESS, DO NOT SHIP
XXX - manpage needed
XXX - tests needed
Signed-off-by: Paul Moore <paul@paul-moore.com>
Process tracers use a -1 syscall value to indicate that a syscall
should be skipped. This turns out to be quite an undertaking as
we need to work around __NR_SCMP_ERROR (which also has a value of
-1). Pay special attention to the new attribute,
SCMP_FLTATR_API_TSKIP, and the documentation additions.
More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80
Signed-off-by: Paul Moore <paul@paul-moore.com>
Some logic in the implementation of `seccomp_add_arch` can never
be reached and `arch_def_lookup` was called redundantly.
Signed-off-by: Jiannan Guo <guojiannan1101@gmail.com>
[PM: update subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This will allow callers to dynamically query the libseccomp library
to determine the version information. We do not currently plan on
exposing this API via any of the supported language bindings.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Employer-agnostic emails make things a lot easier in the long run so
make sure the paul-moore.com address is used whenever it makes sense.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We really should operate only on filter collections so move all the
individual DB filter operations out of api.c and into db.c.
There are likely other changes that can now be done to further clean
the code, but I'll leave that as future work.
Signed-off-by: Paul Moore <pmoore@redhat.com>
We use negative syscall numbers to indicate syscalls that aren't
supported by a certain arch/ABI and unfortunately there were cases
where these bogus syscall values were finding their way into the
filter. This patch corrects this and adds a new test to check for
this in the future.
Reported-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <pmoore@redhat.com>
A typo was causing the return value from arch_filter_rewrite() to be
ignored in cases where -EDOM was returned.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Reported-by: Brian Cain <brian.cain@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Also display the build revision to make things easier when submitting
builds for scanning.
Signed-off-by: Paul Moore <pmoore@redhat.com>
The thread sync functionality and the SECCOMP_FILTER_FLAG_TSYNC flag
makes an appearance in Linux 3.17.
Signed-off-by: Paul Moore <pmoore@redhat.com>
The new seccomp() syscall makes an appearance in Linux 3.17.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Change the API name to seccomp_syscall_resolve_name_rewrite().
Signed-off-by: Paul Moore <pmoore@redhat.com>
This patch also converts the seccomp.resolve_syscall() method to use
the new resolution API.
Signed-off-by: Paul Moore <pmoore@redhat.com>
As requested by the systemd developers and used by our own tools.
Signed-off-by: Paul Moore <pmoore@redhat.com>
In order to add architectures with byte ordering that differs from the
native architecture it is necessary to remove all architectures from a
filter.
Signed-off-by: Paul Moore <pmoore@redhat.com>
At some point we may want to expand __NR_SCMP_ERROR out to different
error codes, but for right now this seems okay.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Set -fvisibility=hidden and explicitly unhide public APIs. This overrides
it with -fvisibility=default for Python because otherwise initseccomp
gets hidden and the module won't load.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
(minor style fixes and macro renames)
Signed-off-by: Paul Moore <pmoore@redhat.com>
The wrong variable name was erroneously failing the function
seccomp_syscall_priority() when trying to set a priority on a negative
(pseudo-)syscall.
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Make it more obvious that these variables are booleans.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Unfortunately, the x32 ABI shares the same architecture token with
x86_64 in the kernel so we need to separate the arch token we use
in the BPF filter from the arch token we use for identifying the
arch/ABI to libseccomp callers.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
We currently have a bug where an architecture that mangles the filter
chain could affect the filter chain of other architectures. This
patch corrects this problem by ensuring that each architecture that
mangles the filter chain does so only with a private copy of the
filter chain.
Signed-off-by: Paul Moore <pmoore@redhat.com>
This patch ensures that you can create non-native filters using
syscalls not present in the native architecture.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Similar to the existing seccomp_syscall_resolve_name() function, but
they work for arbitrary architectures (assuming libseccomp support of
course) and not just the native architecture.
Signed-off-by: Paul Moore <pmoore@redhat.com>
In C we add seccomp_arch_native(void), in Python we add Arch.system().
Both functions return an architecture token value.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Add the seccomp_arch_add() and seccomp_arch_remove() functions to add
and remove architectures from the filter. This patch also adds the
seccomp_merge() function which merges two filter contexts together
assuming there are no architecture conflicts.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Certain operations don't make sense with multiple architectures so
we disable them only when more than one architecture has been added
to the given filter.
Signed-off-by: Paul Moore <pmoore@redhat.com>
In order to support systems that can run applications from multiple
architectures we need to be able to support multiple filter DBs; we're
calling this "filter collections". This patch adds the basic
collection support such that it passes all of the existing tests;
further work may be necessary once we start using the multiple filter
capabilities.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Add the arch_syscall_translate() function which converts the syscall
table from the native architecture to the desired architecture.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Provide syscall name to syscall number resolution.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Now that we are allowing users to specify a filter DB via the public
API we should do some simple checking to ensure the passed DB is
valid.
Signed-off-by: Paul Moore <pmoore@redhat.com>
IMPORTANT: WILL CAUSE BREAKAGE WITH v0.1.x API
The current API relies on the library storing internal state about
the filter context. While this is okay in several cases, it may
cause problems in others, e.g. threaded applications.
Since the bulk of the library already operates on a filter context,
known as "struct db_filter", this patch simply adds an additional
parameter to the public API, exporting this context as an opaque
context/handle.
Signed-off-by: Paul Moore <pmoore@redhat.com>
These functions were originally intended as a debugging tool for
developers (both application and libseccomp), but recent discussions
have led me to believe that at some point in the future libseccomp
will likely support the import/export of seccomp policy. While I
hate changing the API, we haven't released libseccomp yet so we are
still free to make what changes we need and I think this rename puts
us in a better position for the future.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Also shorten SCMP_FLTATR_CTL_NNP_ON to just SCMP_FLTATR_CTL_NNP.
Signed-off-by: Paul Moore <pmoore@redhat.com>
It turns out the kernel required either CAP_SYS_ADMIN or
NO_NEW_PRIVS, so not signaling an error on prctl(NO_NEW_PRIVS) isn't
all that useful.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Allow developers to disable setting NO_NEW_PRIVS on filter load
and have seccomp_load() fail if setting NO_NEW_PRIVS fails. The
default is to set NO_NEW_PRIVS but not fail on error.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Attempt to enable NO_NEW_PRIVS before loading the seccomp filter but
don't consider it an error condition if it doesn't work.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Move the default action into the filter attribute mechanism.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Fix some problems where we return "errno" instead of "-errno".
Signed-off-by: Paul Moore <pmoore@redhat.com>
From the libseccomp-discuss mailing list:
On Monday, April 09, 2012 06:06:51 PM Paul Moore wrote:
> Hello,
>
> It was suggested on the libseccomp announcement thread that we
> relicense the library from GPLv2 to LGPLv2.1. In my opinion this
> makes sense and I recommend we relicense the library, can I have
> your permission to relicense your contributions?
>
> * LGPLv2.1
> -> http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
On Tuesday, April 10, 2012 10:07:37 AM Eric Paris wrote:
> You have my permission to relicense to LGPL.
On Tuesday, April 10, 2012 10:27:39 AM Ashley Lai wrote:
> Yes, you have my permission to relicense to LGPL.
On Tuesday, April 10, 2012 11:48:14 AM Corey Bryant wrote:
> We (IBM) have OSSC approval now. You have my approval to
> relicense my contributions to LGPLv2.1.
On Tuesday, April 10, 2012 12:57:25 PM Eduardo Otubo wrote:
> On Tue, Apr 10, 2012 at 11:48:14AM -0400, Corey Bryant wrote:
> > We (IBM) have OSSC approval now. You have my approval to
> > relicense my contributions to LGPLv2.1.
>
> Exactly, not a problem for me.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
While va_args are nice, testing has proven them to be unreliable
with respect to datum types and this is causing some real problems
on 64 bit architectures.
This patch resolves this by moving the individual argument, op, and
datum values into a structure that can be created by the SCMP_CMP()
and SCMP_A{0-6}() macros.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
This patch makes seccomp_rule_add() operate slightly differently
which should make it more useful from an arch independence point of
view; if a filter rule needs to be rewritten for a particular arch
and the full rule cannot be preserved, the function no longer
fails. While this may be less secure in the strictest sense, it
should make the library much more usable.
Also, the seccomp_rule_add_exact() function was added with the older
behavior.
Signed-off-by: Paul Moore <pmoore@redhat.com>
At present we fail if we can't completely preserve the caller's
filter; while admirable, this does require some knowledge of the
architecture to ensure you're adding a "correct" rule.
In keeping with our goal of architecture independence, we want to
add the ability to do "best effort" rewrites that preserve as much
of the original filter rule as possible.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Support user specified syscall priority hinting and add two tests
for syscall priorities.
Signed-off-by: Paul Moore <pmoore@redhat.com>
This doesn't actually connect the API call with the underlying bits
in the filter DB code, that will come in a later patch. This patch
is here to establish the API only.
CHANGELOG
-v2
* Change priority value to uint8_t from uint16_t to allow for
potential rule priorities at some point in the future.
-v1
* Initial version.
Signed-off-by: Paul Moore <pmoore@redhat.com>
This will make the API function comments visible to developers when
libseccomp is installed on their system. This patch also adds some
doxygen style comments to a few things that were not commented in
seccomp.h.
Signed-off-by: Paul Moore <pmoore@redhat.com>