Unless explicitly instructed via the SCMP_FLTATR_API_TSKIP attribute,
pseudo-syscalls should not be added to the BPF filter. Note that
as of this commit, pseudo-syscalls are displayed in the PFC filter.
Reported-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The arm and x32 architecture files were using arithmetic
to set/clear bits in their syscall numbers. This could
erroneously double add or double subtract these bits.
This commit uses bitwise logic to ensure the bits are
properly set/cleared.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
API level 6 allows callers to use both the TSYNC and notify APIs at
the same time. This is due to the TSYNC_ESRCH flag which was added
in Linux v5.7.
This patch also fixes some omissions in seccomp_api_set().
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Prior to this commit, _gen_bpf_build_bpf would mask some errors that
occurred in helper functions as EFAULT, even if they were not EFAULT to
begin with.
See https://github.com/seccomp/libseccomp/issues/240 for additional
information.
Signed-off-by: Tudor Brindus <me@tbrindus.ca>
[PM: fixed GitHub reference]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
See the manpage additions as part of this patch, but the basic idea
is that when this attribute is non-zero we make every effort to
convey the system's errno value back to the caller when something
goes wrong in libc or the kernel. It is important to note from a
support perspective that our ability to support callers who make use
of this attribute will be diminished as the libc and kernel errno
values are beyond libseccomp's control.
If the attribute is zero, the library hides all of the system
failures under -ECANCELED.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This really should have been done when the notification code was
merged. Looking at the code, the seccomp.h.in comments can apply
here so we're just going to do a cut-n-paste job.
We also fixup some formatting/consistency issues in the seccomp.h.in
comments.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is one part of including error codes in our API promise, it
helps ensure we don't accidentally send an undocumented error code
to the caller.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
We need to limit our use of EINVAL to only indicate bad input to the
API functions. Bad input to internal functions is not a valid use
of EINVAL.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
It is likely a fool's errand to try and provide kernel and libc errno
guarantees across different architectures, kernels, and libc
implementations so let's just punt on the problem and dump all of
these errors into the ECANCELED bucket.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is part of our error code cleanup and API promise.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This should provide a nice clean display in the GitHub CSV viewer.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
I've never wanted my code to be either a reminder or a source of
hurt for others, but it is possible that some older terminology used
in this repository may do just that. That's a bug we need to fix,
and hopefully this patch does just that.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Because TSYNC and NEW_LISTENER send information back via the
seccomp(...) return value, they can not be used at the same time. It
seems like the right thing to do is to always set the NEW_LISTENER
flag (as long as the API level supports it) unless the caller
explicitly sets TSYNC.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
We can't always rely on callers calling seccomp_api_get() before
using any API level gated functionality so let's force an API level
update in a few key places.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This ensures clone3, getrlimit and setrlimit are defined for aarch64 - also
update syscalls.csv from 5.6.0 to pick up these new syscalls
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds support to ppc64 for ipc and socket
calls that are multiplexed.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds semtimedop() support to the s390
mux/demux functions - _s390_syscall_demux() and
_s390_syscall_mux().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The following syscalls were missing from the s390 munge
functions - s390_syscall_resolve_name_munge() and
s390_syscall_resolve_num_munge():
msgctl, msgget, msgrcv, msgsnd, semctl, semget, and
semtimedop
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The following syscalls were missing from the s390x munge
functions - s390x_syscall_resolve_name_munge() and
s390x_syscall_resolve_num_munge():
msgctl, msgget, msgrcv, msgsnd, semctl, semget, and
semtimedop
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
The MIPS ABIs now use the parser friendly syscall.tbl format so make
use of that to simplify our code.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We no longer need to do the complex substitutions we used to have to
do for ppc/ppc64.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Previously parisc64 was borrowing from parisc which led to problems
with the syscall table for parisc64. This patch properly splits the
two ABIs.
Signed-off-by: Paul Moore <paul@paul-moore.com>
We no longer need to correct the syscall offsets for x32, mips,
mips64, and mips64n32.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Since the move to gperf and the automatically generated syscall table
in CSV format, these manually maintained tables are no longer needed.
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.
The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB passed
from ~0.45 sec to ~0.06s.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
  other problems
* extracted the syscalls.csv and file deletions to other patches
  to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
  the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
  arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Later patches will make use of this new syscall table format instead
of the manually maintained tables.
The new CSV syscall table was generated with the following command:
# ./arch-syscall-validate -c <kernel_source_dir> > syscalls.csv
Reviewed-by: Tom Hromatka <tom.hromatka@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Commit c61950e1d972 ("arch: add missing parisc and parisc64 support
to arch-syscall-validate") forgot to add parisc64 support, this patch
fixes that.
Signed-off-by: Paul Moore <paul@paul-moore.com>
For some reason we completely forgot to add these ABIs to the
arch-syscall-validate script.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Update the arch-syscall-validate script to be "CSV friendly" in
preparation for follow-up work to move the libseccomp internal
syscall tables into a single CSV file. In this process of making
this change, a number of unrelated problems with the script were
identified and fixed.
Signed-off-by: Paul Moore <paul@paul-moore.com>
There are no functional changes in this patch, just some minor
changes found by the lgtm.com service:
* four functions in tools/util.c were "hiding" a global variable
  with a local variable ("arch")
* src/arch.c had an unnecessary check in an if-condition
Signed-off-by: Paul Moore <paul@paul-moore.com>
Move -I${top_builddir}/include to toplevel so that it is available in all
subdirs. This is needed to find <seccomp.h> in the build directory, since
it is now a generated file.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds riscv64 support to arch-syscall-validate.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds support for riscv64 to arch-syscall-dump.c
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This patch adds a filter attribute, SCMP_FLTATR_CTL_OPTIMIZE,
to specify the optimization level of the seccomp filter:
  0 - currently unused
  1 - rules weighted by priority and complexity (default)
  2 - binary tree sorted by syscall number
Several in-house customers have identified that their large
seccomp filters are slowing down their applications. Their
filters largely consist of simple allow/deny logic for many
syscalls (306 in one case) and for the most part don't utilize
argument filtering.
I modified gen_bpf.c and gen_pfc.c to utilize a cBPF binary tree
if the user has requested optimize level 2. I then timed
calling getppid() in a loop using one of my customer's seccomp
filters. I ran this loop one million times and recorded the min,
max, and mean times (in TSC ticks) to call getppid(). (I didn't
disable interrupts, so the max time was often large.) I chose
to report the minimum time because I feel it best represents the
actual time to traverse the syscall.
Test Case                                               minimum TSC ticks to make syscall
-----------------------------------------------------------------------------------------
seccomp disabled                                        138
getppid() at the front of 306-syscall seccomp filter    256
getppid() in middle of 306-syscall seccomp filter       516
getppid() at the end of the 306-syscall filter          1942
getppid() in a binary tree                              312
As shown in the table above, a binary tree can significantly improve
syscall performance in the average and worst case scenario for these
customers.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit adds a function - _gen_bpf_insert() - that
inserts an instruction block into the BPF state and
creates the linked list connections for that newly-inserted
block.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit splits out some init code and a lengthy
for-loop in _gen_bpf_arch() into its own function -
_gen_bpf_syscalls().
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fixed style problems found by check-syntax]
Signed-off-by: Paul Moore <paul@paul-moore.com>
In _gen_bpf_arch(), there was an identical block of code to sort
the primary database syscalls and the secondary database
syscalls. This commit refactors those duplicated, inline loops
into a single function.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andreas Schwab <schwab@suse.de>
[PM: minor macro shuffling in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
On s390, shmat, shmdt, shmget, and shmctl can be done either
via sockets or ipc. Prior to this commit, the s390 code only
supported these calls via sockets. This commit adds support
for both sockets and ipc.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Creating a transaction can be very time consuming on large filters since we
create a duplicate filter tree iteratively using the rules supplied by the
caller. In an effort to speed this up we introduce the idea of shadow
transactions where on a successful transaction commit we preserve the old
transaction checkpoint and bring it up to date with the current filter and
save it for future use. The next time we start a new transaction we check
to see if a shadow transaction exists, if it does we use that instead of
creating a new transaction checkpoint from scratch.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Pay back some of the technical debt in db_col_rule_add(), no logic
changes in this patch, just removing some code duplication.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is long overdue so quite a few changes, including tweaks to
support some newly direct wired syscalls which were previously
multiplexed.
We really need to make sure we update the syscall table more often.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Fix the pydoc example so it's runnable.
Signed-off-by: Jonah Petri <jonah@petri.us>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fix subject line (add prefix)]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Commit 8ad3638ea9023c3948976dfadebd1554380a31c9 effectively added libseccomp/
to the install path of the python extension.
This changed the import module name from "seccomp" to "libseccomp.seccomp",
breaking existing users.
Revert the install path like it was before 2.4.0
Signed-off-by: Felix Geyer <debfx@fobos.de>
[PM: tweaked the subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>