Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit c842c2f6c203ad9da37ca60219172aa0be68d26a)

Fixes #88
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[PM: fixed the incorrect x32 definition]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 4793ea990ea80ee26ed63e2a20723fdb417abf5b)

This patch adds the necessary tweaks to support building against
Python v2.x and v3.x. In the process we also fix some problems with
the Python live tests; it is unclear when they broke, but they are
working now.
Tested on Python v2.7.13 and v3.6.0.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit ce5aea6a4ae7523b57ec13e2e6150aa5d83c1b4e)

Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 6fdeebac85d7605f9a9b5f0bc7bbb19cafea7969)

The -1 syscall can be used by a tracing process to skip a syscall,
which up until Linux v4.8 was of no concern for libseccomp since the
seccomp filter was only executed at the start of the syscall and not
after the tracing process was notified, however recent kernels also
execute the seccomp filter after the tracing process finishes its
syscall handling; this caused problems on x86_64 systems that didn't
explicitly add an x32 architecture to their filters.
This patch fixes the x32 check to treat the -1 syscall like any other
syscall.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit ba73ee4f56e8ada7309345cbe08ebf358d60f7e7)

Process tracers use a -1 syscall value to indicate that a syscall
should be skipped. This turns out to be quite an undertaking as
we need to work around __NR_SCMP_ERROR (which also has a value of
-1). Pay special attention to the new attribute,
SCMP_FLTATR_API_TSKIP, and the documentation additions.
More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit dc879990774b5fe0b5d3362ae592e8a5bb615fbb)

Instead of dynamically allocating a variable number of arguments,
include an array of ARG_COUNT_MAX elements directly in the struct.
Also perform a number of simplifications to the code with the
understanding that ARG_COUNT_MAX is an ABI independent value that
isn't variable.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit e3addce3794ddb6dc174d429da055296282df0e6)

Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit a697763953670b7d9ce3375fe2d3c6fe87fb076c)

Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 116b3c1a2e1db53cc35b74f30c080f5265faa674)

A variety of updates to reflect changes in the Linux Kernel and
the library itself with the goal of making sure the syscall
checking scripts continue to work.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 486c16401ea59657750987b19641d4b8fcc972e2)

validation
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit e58bfa9032a5e15e2081ddfdda040e7a29de58b9)

Add support for the following syscalls added in Linux v4.9:
- preadv2 and pwritev2
- pkey_mprotect, pkey_alloc, pkey_free
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
[PM: update subject line, description, and some whitespace]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit d9102f12fd39bd77151a1f630fcfc8c80f86c55c)

Unfortunately we were only properly handling some of the multiplexed
ipc() syscalls, this patch correctly handles all of the ipc()
syscalls.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit a58deebd1ee7bedc47bb966ebeec699421e40c65)

It turns out the socket and ipc related syscalls are also multiplexed
on s390/s390x much like they are on 32-bit x86. Further making things
difficult is that starting with Linux 4.3 the socket syscalls are also
available as directly wired versions, much like 32-bit x86. This
patch attempts to fix all those problems.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 66282c31034e2bb442bd9dc862d6d814f0df2f98)

It turns out there were still a few bugs with the 32-bit x86 socket
syscalls, especially on systems with older kernel headers installed.
This patch corrects these problems and perhaps more importantly,
returns the resolver API functions to returning the negative pseudo
syscall numbers in the case of 32-bit x86, this helps ensure things
continue to work as they did before as the API does not change.
It is important to note that libseccomp still generates filter code
for both multiplexed and direct socket syscalls regardless.
Signed-off-by: Paul Moore <paul@paul-moore.com>
(imported from commit 73d83e45efbe8c31067c97155162f17ca51b7435)

Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>

Special thanks to those on the "Reported-by" line who helped test
this.
Reported-by: Marcin Juszkiewicz <mjuszkiewicz@redhat.com>
Reported-by: than <than@redhat.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Reported-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>

The seccomp() syscall was first added in Linux 3.17 so most systems
should now support this syscall. Most importantly, the use of the
seccomp() syscall enabled the thread sync functionality which isn't
possible with prctl(); although callers still need to enable the flag
per-filter as the thread sync default is disabled.
This patch also unified the return values of the sys_chk_*()
functions.
Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Paul Moore <paul@paul-moore.com>

This patch also adds some extra checking to ensure this doesn't happen
again.
Signed-off-by: Paul Moore <paul@paul-moore.com>

This will allow callers to dynamically query the libseccomp library
to determine the version information. We do not currently plan on
exposing this API via any of the supported language bindings.
Signed-off-by: Paul Moore <paul@paul-moore.com>

Employer agnostic emails make things a lot easier in the long run so
make sure the paul-moore.com address is used whenever it makes sense.
Signed-off-by: Paul Moore <paul@paul-moore.com>

This should help on systems that use alternate libc implementations.
Reported-by: anarchpenguin
Reported-by: Kylie McClain somasis@exherbo.org
Signed-off-by: Paul Moore <paul@paul-moore.com>

Linux 4.3 added direct-wired socket syscalls in addition to the
multiplexed socket syscalls available via socketcall(). This patch
causes libseccomp to generate filters for socket syscall methods on
x86 systems.
Signed-off-by: Paul Moore <paul@paul-moore.com>

Create the infrastructure for arch/ABI specific rule creation that
allows us much more involved arch/ABI customization.
Signed-off-by: Paul Moore <pmoore@redhat.com>

The arch specific filter rewrite code is going to need to become more
complex so move the low level rule addition code directly into the
arch layer instead of the db layer, but still keep the tree manipulation
code in the db layer.
This patch also creates a new arch specific rule_add() function table
entry and allows for this function to create multiple rules from a
single rule.
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Paul Moore <pmoore@redhat.com>

This patch adds basic transaction support to the db layer. The db
transactions allow callers to checkpoint a filter collection at the
current point in time and later rollback the filter collection if
necessary. There will be some overhead at the start of the
transaction to generate the checkpoint, but transaction commit and
abort rollbacks are guaranteed to succeed. Transactions may be
nested.
Signed-off-by: Paul Moore <pmoore@redhat.com>

This will be useful in future patches for rebuilding and manipulating
the filter.
Signed-off-by: Paul Moore <pmoore@redhat.com>

We really should operate only on filter collections so move all the
individual DB filter operations out of api.c and into db.c.
There are likely other changes that can now be done to further clean
the code, but I'll leave that as future work.
Signed-off-by: Paul Moore <pmoore@redhat.com>

We need better support than this, but this commit should provide the
most basic support.
Signed-off-by: Paul Moore <pmoore@redhat.com>

Some additional testing/work is needed to ensure everything works
correctly with the direct wired socket syscalls on x86.
Signed-off-by: Paul Moore <pmoore@redhat.com>

s390 and s390x gained quite a few new system calls:
- numa related system calls
- the separated socket system calls
- two more s390 specific pci mmio system calls
All architectures got the new membarrier and userfaultfd system calls.
This patch updates the s390 specific system call tables and updates other
architectures where needed.
Also remove some extra whitespace from the s390 specific system call tables.
Both 'make check' and './regression -T live' still work for s390 and s390x
after this update.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>

Fix a few problems with the arch-syscall-validate script, do some
minor cleanups, and ensure it works correctly against Linux v4.3.
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Paul Moore <pmoore@redhat.com>

It turns out that userspace behaves oddly when given an errno value
greater than MAX_ERRNO, so much so that the kernel seccomp mechanism
has started blocking filters with bad errno values. Let's try to
catch the problem at rule addition time to make things easier to
spot and fix.
Signed-off-by: Paul Moore <pmoore@redhat.com>

Reported-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Paul Moore <pmoore@redhat.com>

Because on S390x both __s390x__ and __s390__ are defined, the check
of __s390x__ must be before __s390__.
Signed-off-by: Jan Willeke <willeke@linux.vnet.ibm.com>
[PM: subject tweaks]
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Paul Moore <pmoore@redhat.com>

This patch adds support for S390 (32-bit) architecture.
Signed-off-by: Jan Willeke <willeke@linux.vnet.ibm.com>
[PM: rewrote the subject line, style fixes, s390x/s390 typo bugfixes]
Signed-off-by: Paul Moore <pmoore@redhat.com>

This patch adds support for S390x (64-bit) architecture.
Signed-off-by: Jan Willeke <willeke@linux.vnet.ibm.com>
[PM: rewrote the subject line, style fixes]
Signed-off-by: Paul Moore <pmoore@redhat.com>

We use negative syscall numbers to indicate syscalls that aren't
supported by a certain arch/ABI and unfortunately there were cases
where these bogus syscall values were finding their way into the
filter. This patch corrects this and adds a new test to check for
this in the future.
Reported-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <pmoore@redhat.com>

A typo was causing the return value from arch_fitler_rewrite() to be
ignored in cases where -EDOM was returned.
Signed-off-by: Paul Moore <pmoore@redhat.com>

Signed-off-by: Paul Moore <pmoore@redhat.com>