| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
It appears that '--indent-preprocessor' and
'--max-instatement-indent' are no longer supported command line
options, remove them.
Minor tweak to db_col_init() to appease astyle, no functional
changes.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Squelch the following warning, first noticed in GCC v13.1.1, but
possibly present earlier:
gen_bpf.c: In function '_gen_bpf_build_bpf':
gen_bpf.c:2083:21: warning: storing the address of local variable
'pseudo_arch' in '*state.arch'
[-Wdangling-pointer=]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The aim of arch-syscall-check test is to check for syscalls
missing implementation. It does so by comparing two files:
1) src/syscalls.csv
2) include/seccomp-syscalls.h
However, due to use of relative paths these files are not found
when doing a VPATH build. But, we can re-use an idea from GNU
coreutils and get an absolute path to the source dir. All that's
needed then is to prefix those two paths with the source dir
path.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
| |
Drive-by fixes that should make the spell-checking CI happy.
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
According to the LoongArch Toolchain Conventions [1], `__loongarch64`
is already deprecated for a while. What we care about here is the ABI
data model, so change the `__loongarch64` to `__loongarch_lp64` instead.
[1]: https://loongson.github.io/LoongArch-Documentation/LoongArch-toolchain-conventions-EN.html
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
| |
Fix two comment typos reported by Codespell:
Error: ./src/syscalls.c:292: pseduo ==> pseudo
Error: ./src/gen_pfc.c:247: pseduo ==> pseudo
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
| |
The SCMP_FLTATR_CTL_WAITKILL attribute requests that the
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the
seccomp(2) system call when possible, which is currently only when
the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a seccomp_precompute() API to precompute the seccomp
filter prior to calling seccomp_load() or similar functions. Not
only does this improve the performance of seccomp_load(), it ensures
that seccomp_load() is async-signal-safe if no additional changes
have been made since the filter was precomputed.
Python bindings, test, and manpage updates are included in this
patch.
One minor side effect of this change is that seccomp_export_bpf_mem()
now always return the length of the filter in the "len" function
parameter, even in cases where the passed buffer is too small.
Arguably seccomp_export_bpf_mem() should have always behaved this
way.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
shellcheck complains:
> In arch-syscall-validate line 785:
> sc_list=$((for abi in $abi_list; do
> ^-- SC1102 (error): Shells disambiguate $(( differently or not at all. For $(command substitution), add space after $( . For $((arithmetics)), fix parsing errors.
Another tool, shfmt, can't even parse the file:
> arch-syscall-validate:785:17: not a valid arithmetic operator: abi
Add a space to resolve this.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The arch-syscall-dump is almost always used from arch-syscall-validate
(the only exception I found is when -c and -l are given), so it makes
sense to check that it's available beforehand.
Without this patch, when arch-syscall-dump is not present, the script
produces lots of output with a few errors about the missing
./arch-syscall-dump hidden in the middle of it.
To keep things simple, we require arch-syscall-dump even when it is not
going to be used.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
| |
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The python distutils package is deprecated. Utilize
setuptools and cythonize instead.
./setup.py:26: DeprecationWarning: The distutils
package is deprecated and slated for removal in
Python 3.12. Use setuptools or check PEP 632 [1] for
potential alternatives
[1] https://peps.python.org/pep-0632/
Fixes: https://github.com/seccomp/libseccomp/issues/372
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds basic support for tracking what kernel introduced a
syscall for a given arch/ABI. It does not provide any of that kernel
version information, leaving only a SCMP_KV_UNDEF placeholder, nor
does it attempt to do anything meaningful with this new source of
information; this patch simply establishes a new syscalls.csv format
so that we can start properly recording the kernel versions.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Handle the unlikely case where a user has chosen the
binary tree optimization but has zero syscalls in their
filter.
Fixes: https://github.com/seccomp/libseccomp/issues/370
Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
| |
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
| |
This should make it easier to ensure we have arch/ABIs added
properly to libseccomp.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
| |
In the process of adding and consolidating the multiplexed syscalls
for MIPS I mistakenly dropped the O32 ABI offset, this patch restores
the offset value.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
|
|
|
|
|
|
| |
Now that we have moved to the CSV based arch/ABI syscall table the
existing arch-syscall-check isn't as useful as it once was, but we
could definitely use a build-time check to ensure the syscall header
file is sync'd with the CSV arch/ABI syscall table.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
| |
I forgot to amend my commit to include these fixes before pushing
the last update that was merged. Fix that now.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
| |
The == is a bashism and not in POSIX, so switch to standard =.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
| |
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
| |
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
| |
The new get_notify_fd() method mimics the seccomp_notify_fd() C API
with similar behavior.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
| |
Not only does this reduce the amount of duplicated code
significantly, it removes a lot of the "magic" numbers in the
code, and it happened to catch some bugs too.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is arguably the way it should have been done in the beginning
but TravisCI and Coveralls masked the need for proper standalone
code coverage tests.
With this change simply enabling code coverage during ./configure
and following with a code coverage build should generate proper
gcov/lcov data and a local HTML report, example:
% ./configure --enable-code-coverage
% make check-code-coverage
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
| |
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
| |
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
| |
The calloc function from the stdlib already sets the memory to 0.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
it was reported by clang with the option -fsanitize=memory:
Uninitialized bytes in MemcmpInterceptorCommon at offset 0 inside [0x7070000002a0, 56)
==3791089==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x482a2c in memcmp (fuzzer+0x482a2c)
#1 0x7fed2f120ebb in _hsh_add src/libseccomp/src/gen_bpf.c:598:9
#2 0x7fed2f121715 in _gen_bpf_action_hsh src/libseccomp/src/gen_bpf.c:796:6
#3 0x7fed2f121a53 in _gen_bpf_node src/libseccomp/src/gen_bpf.c:831:11
#4 0x7fed2f121a53 in _gen_bpf_chain.isra.0 src/libseccomp/src/gen_bpf.c:1072:13
#5 0x7fed2f121f16 in _gen_bpf_chain_lvl_res src/libseccomp/src/gen_bpf.c:977:12
#6 0x7fed2f121c74 in _gen_bpf_chain.isra.0 src/libseccomp/src/gen_bpf.c:1124:12
#7 0x7fed2f12253c in _gen_bpf_syscall src/libseccomp/src/gen_bpf.c:1520:10
#8 0x7fed2f12253c in _gen_bpf_syscalls src/libseccomp/src/gen_bpf.c:1615:18
#9 0x7fed2f12253c in _gen_bpf_arch src/libseccomp/src/gen_bpf.c:1683:7
#10 0x7fed2f12253c in _gen_bpf_build_bpf src/libseccomp/src/gen_bpf.c:2056:11
#11 0x7fed2f12253c in gen_bpf_generate src/libseccomp/src/gen_bpf.c:2321:7
#12 0x7fed2f11f41c in seccomp_export_bpf src/libseccomp/src/api.c:724:7
Uninitialized value was created by a heap allocation
#0 0x4547ef in realloc (fuzzer+0x4547ef)
#1 0x7fed2f121244 in _blk_resize src/libseccomp/src/gen_bpf.c:362:8
#2 0x7fed2f121244 in _blk_append src/libseccomp/src/gen_bpf.c:394:6
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
| |
Initial support for seccomp for SuperH in Linux was added in 2.6.27-rc2,
support for SECCOMP_FILTER was added for Linux 5.9. This adds support
for SuperH in libseccomp, both for little-endian and big-endian mode.
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel commit 47e33c05f9f0 ("seccomp: Fix ioctl number for
SECCOMP_IOCTL_NOTIF_ID_VALID") changed the public definition of
SECCOMP_IOCTL_NOTIF_ID_VALID for correctness sake because it had the
wrong direction (no current functional change). If libseccomp is built
against kernel headers after this commit but is run on a kernel that was
built prior to this commit, then the ioctl will always return -1 EINVAL
and thus seccomp_notify_id_valid will incorrectly return -ENOENT.
Copy the (now non-public) definition of the old ioctl number and try it
if the ioctl with the number from the kernel headers fails with -1
EINVAL.
Also, update the fallback definition of SECCOMP_IOCTL_NOTIF_ID_VALID to
the new value.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Max Rees <maxcrees@me.com>
[PM: tweak some vertical whitespace, subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
| |
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
| |
This patch updates the code for the newly added spell checking.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A number of arches/ABIs have either syscall offsets (the MIPS
family) or specific bits (x32) which are applied to their normal
syscall numbers. We generally handle that via "munging" in
libseccomp, and it works reasonably well. Unfortunately we were
applying this munging process to the negative pseudo syscall
numbers as well and this was causing problems.
This patch fixes the various offset/bit arches/ABIs by not applying
the munging to the negative pseudo syscall numbers.
This resolves GH issue #284:
* https://github.com/seccomp/libseccomp/issues/284
Reported-by: Harald van Dijk <harald@gigawatt.nl>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit changes how we handle the notification fd by only
requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
in it. We also augment the seccomp_reset(NULL, ...) behavior so
that it closes the notification fd before resetting the global
state; applications that need to keep their notification fd open
across a call to seccomp_reset(NULL, ...) can simply dup() it.
Although one would have to wonder why the application would be
calling seccomp_reset(NULL, ...) in that case.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that requesting the seccomp userspace notifcation fd
more than once is a bad thing which causes the kernel to complain
(rightfully so for a variety of reasons). Unfortunately as we were
always requesting the notification fd whenever possible this results
in problems at filter load time.
Our solution is to move the notification fd out of the filter context
and into the global task context, using a newly created task_state
structure. This allows us to store, and retrieve the notification
outside the scope of an individual filter context. It also provides
some implementation improvements by giving us a convenient place to
stash all of the API level related support variables. We also extend
the seccomp_reset() API call to reset this internal global state when
passed a NULL filter context.
There is one potential case which we don't currently handle well:
threads. At the moment libseccomp is thread ignorant, and that works
well as the only global state up to this point was the currently
supported API level information which was common to all threads in a
process. Unfortunately, it appears that the notification fd need not
be common to all threads in a process, yet this patch treats it as if
it is common. I suspect this is a very unusual use case so I decided
to keep this patch simple and ignore this case, but in the future if
we need to support this properly we should be able to do so without
API changes by keeping an internal list of notification fds indexed
by gettid(2).
This fixes the GitHub issue below:
* https://github.com/seccomp/libseccomp/issues/273
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that the MIPS GCC compiler defines a "mips" cpp macro
which was resulting in build failures on MIPS so we need to
undefine the "mips" macro during build. As this should be safe
to do in all architectures, just add it to the compiler flags by
default.
This was reported in the following GH issue:
* https://github.com/seccomp/libseccomp/issues/274
Reported-by: Rongwei Zhang <pudh4418@gmail.com>
Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
| |
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
| |
|
|
|
|
|
| |
Identified via Coverity, make sure we are checking the correct
pointer depth when dealing with double pointers.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
