| Commit message | Author | Age | Files | Lines |
|
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
[xen0n: LoongArch (and a few upcoming architectures / ABIs) does not
have fstat, so the fstat in 06-sim-actions is also being changed to
fstatfs for uniformity across the board.]
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Signed-off-by: WANG Xuerui <git@xen0n.name>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The SCMP_FLTATR_CTL_WAITKILL attribute requests that the
SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag be passed to the
seccomp(2) system call when possible, which is currently only when
the SECCOMP_FILTER_FLAG_NEW_LISTENER flag is also set.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
This patch adds a seccomp_precompute() API to precompute the seccomp
filter prior to calling seccomp_load() or similar functions. Not
only does this improve the performance of seccomp_load(), it ensures
that seccomp_load() is async-signal-safe if no additional changes
have been made since the filter was precomputed.
Python bindings, test, and manpage updates are included in this
patch.
One minor side effect of this change is that seccomp_export_bpf_mem()
now always returns the length of the filter in the "len" function
parameter, even in cases where the passed buffer is too small.
Arguably seccomp_export_bpf_mem() should have always behaved this
way.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
54-live-binary_tree.c had spaces rather than tabs on
three lines. Convert them to tabs.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
Add a test that exercises the binary tree optimization but
the seccomp filter has zero syscalls in it.
Related-bug: https://github.com/seccomp/libseccomp/issues/370
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
|
SCMP_FLTATR_CTL_OPTIMIZE = 2 was not being set for test
53-sim-binary_tree.py. Set the optimization level to 2 to
ensure that the binary tree is being employed.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
|
Apparently, an early implementation of the binary tree optimization
used to enable the feature when the number of rules added was > 16.
The code was later changed to add and use SCMP_FLTATR_CTL_OPTIMIZE,
but the 54-live-binary_tree test case was left as is. So, despite
its name, it is not testing the binary tree.
Fix this, and remove the comment that referred to the old
implementation.
Fixes: 38f04da84748 ("tests: add tests for the binary tree")
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
[PM: restyled the "Fixes" tag]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Untrack `*.log` and `*.stats` files such as `01-sim-allow.c.{log,stats}`
intentionally because these files are generated in the `tests` directory
by running tests.
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Commit 3c2da115b5b35 "tests: improve 05-sim-long_jumps to work better
across arch/ABIs" introduced the following warning. Let's fix it.
  05-sim-long_jumps.c: In function ‘main’:
  05-sim-long_jumps.c:68:25: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
     68 |                         free(syscall);
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
This patch primarily moves the test away from abstract syscall
numbers to honest-to-goodness actual syscalls which are present on
all currently supported arch/ABIs. This change should make it easier
to support this test across different platforms now and moving
forward.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
In the process of adding and consolidating the multiplexed syscalls
for MIPS I mistakenly dropped the O32 ABI offset, this patch restores
the offset value.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
Reported-by: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
Reported-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
I forgot to amend my commit to include these fixes before pushing
the last update that was merged. Fix that now.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The API to export to a fd is helpful, but for tools that want to
generate & read the BPF program, outputting to a buffer would be
much more helpful.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: rename seccomp_export_bpf_buf() to seccomp_export_bpf_mem()]
[PM: 'make check-syntax' fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The python live test, 24-live-arg_allow.py, started failing on
Python version 3.9.6+ on Fedora 34 and Ubuntu 20.10. The Python
quit() call is now invoking the munmap() syscall. To fix this,
allow the munmap() syscall in the test's seccomp filter.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
As documented in the function header:
"This function is to make it easier for developers to temporarily
add support for gcov/lcov to a test program; it likely should not
be used in the normal regression tests. Further, this should only
be necessary for the "live" tests."
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This is arguably the way it should have been done in the beginning
but TravisCI and Coveralls masked the need for proper standalone
code coverage tests.
With this change simply enabling code coverage during ./configure
and following with a code coverage build should generate proper
gcov/lcov data and a local HTML report, example:
  % ./configure --enable-code-coverage
  % make check-code-coverage
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This allows us to specify the test batches via environment variables
like we do other parts of the test configuration.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
You can now run multiple test types using the '-T' argument and
the LIBSECCOMP_TSTCFG_TYPE environment variable, for example:
  % cd tests
  % ./regression -T bpf-valgrind,live
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Initial support for seccomp for SuperH in Linux was added in 2.6.27-rc2,
support for SECCOMP_FILTER was added for Linux 5.9. This adds support
for SuperH in libseccomp, both for little-endian and big-endian mode.
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The LIBSECCOMP_TSTCFG_JOBS environment variable allows the caller to
specify the number of test jobs through the environment as opposed
to the command line. This is primarily useful for running the tests
through scripts or via the 'make check' command.
The LIBSECCOMP_TSTCFG_JOBS environment variable value behaves the
same as the '-j <JOBS>' command line argument.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The bpf-sim-fuzz test type was always intended to be a fuzzer for the
generated BPF filters but the current implementation fuzzes the
simulator more than the filter itself. Due to this, let's bump down
the bpf-sim-fuzz iterations from 50 to 5, this is what we currently
do on Travis CI and it seems to be okay.
This change drops the number of tests by 1800 and the runtime from
4m7s to 3m35s on my test system running eight parallel jobs.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
In the beginning it didn't matter that we were running the regression
tests serially, but as we are now running +16k tests the run time is
getting rather long.
As there is no good reason why we can't run these tests in parallel,
let's add some basic support to do so. This patch adds support for
running multiple test jobs at once using the '-j <NUM>' flag,
similar to the "make" command. If the number of jobs specified is
invalid/zero then it is set to the number of CPUs present on the
system. If the '-j <NUM>' flag is not specified then the tests are
executed in serial fashion as they are done now.
If the '-l <LOG>' option is specified the test run reverts to serial
execution regardless of the command line in order to preserve the log
output. While the normal console output is preserved regardless of
the number of jobs, the logfile output is handled differently and
this restriction was the easiest solution. We should consider
removing the '-l <LOG>' option at some point since output capture and
redirection is likely best handled by the shell anyway.
As far as the performance improvements are concerned, the results
speak for themselves. On my eight core laptop the runtime drops from
~14 minutes to ~4 minutes (!).
* Existing code, single threaded (14 minutes, 14 seconds)

  % time -- ./regression -m c -m python
  =============== Tue Jan 5 06:11:52 PM EST 2021 ===============
  Regression Test Report ("regression -m c -m python")
  batch name: 01-sim-allow
  test mode: c
  test type: bpf-sim
  Test 01-sim-allow%%001-00001 result: SUCCESS
  ...
  Test 58-live-tsync_notify%%001-00001 result: SKIPPED (must specify live tests)
  Regression Test Summary
  tests run: 16412
  tests skipped: 130
  tests passed: 16412
  tests failed: 0
  tests errored: 0
  ============================================================
  real 854.37
  user 693.87
  sys 269.25

* Patched code, 8 jobs (4 minutes, 7 seconds)

  % time -- ./regression -j 8 -m c -m python
  =============== Tue Jan 5 06:27:56 PM EST 2021 ===============
  Regression Test Report ("regression -j 8 -m c -m python")
  batch name: 01-sim-allow
  test mode: c
  test type: bpf-sim
  Test 01-sim-allow%%001-00001 result: SUCCESS
  ...
  Test 58-live-tsync_notify%%001-00001 result: SKIPPED (must specify live tests)
  Regression Test Summary
  tests run: 16412
  tests skipped: 130
  tests passed: 16412
  tests failed: 0
  tests errored: 0
  ============================================================
  real 246.96
  user 966.08
  sys 251.27

Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This fix is performing the same changes
bee43d3e884788569860a384e6a38357785a3995 was doing on test
51-live-user_notification on test 58-live-tsync_notify.
Signed-off-by: Michael Karcher <github@mkarcher.dialup.fu-berlin.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Architectures like aarch64 and riscv64, and all future architectures that
use the generic syscall table, do not support the open and stat syscalls.
Use the openat and fstat syscalls instead.
Signed-off-by: Andreas Schwab <schwab@suse.de>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
It turns out that requesting the seccomp userspace notification fd
more than once is a bad thing which causes the kernel to complain
(rightfully so for a variety of reasons). Unfortunately as we were
always requesting the notification fd whenever possible this results
in problems at filter load time.
Our solution is to move the notification fd out of the filter context
and into the global task context, using a newly created task_state
structure. This allows us to store, and retrieve the notification
outside the scope of an individual filter context. It also provides
some implementation improvements by giving us a convenient place to
stash all of the API level related support variables. We also extend
the seccomp_reset() API call to reset this internal global state when
passed a NULL filter context.
There is one potential case which we don't currently handle well:
threads. At the moment libseccomp is thread ignorant, and that works
well as the only global state up to this point was the currently
supported API level information which was common to all threads in a
process. Unfortunately, it appears that the notification fd need not
be common to all threads in a process, yet this patch treats it as if
it is common. I suspect this is a very unusual use case so I decided
to keep this patch simple and ignore this case, but in the future if
we need to support this properly we should be able to do so without
API changes by keeping an internal list of notification fds indexed
by gettid(2).
This fixes the GitHub issue below:
* https://github.com/seccomp/libseccomp/issues/273
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
On an x32 based system, and perhaps other 32-bit systems, the magic
value in test 51-live-user_notification was too large and resulted
in a failed comparison even when the userspace notification mechanism
was working properly.
This patch addresses this problem by using the parent process's PID
for the magic number. For all arches/ABIs we know it is a valid
return value for getpid() while also being one of the few PIDs that
the child process should never legitimately get from a call to
getpid().
This patch also restricts the use of SCMP_SYS() to only the
libseccomp API calls. This should help us catch arches/ABIs that
don't implement getpid(). I'm also not sure we want to be
responsible for using SCMP_SYS() outside of the libseccomp API.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Test 53-sim-binary_tree removes the native architecture and
builds the binary tree on aarch64, ppc64le, and x86_64. But the
tests file was testing for "all" architectures which led to test
failures on other systems like s390x. This commit replaces the
"all" arch with only the architectures in the test.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Make the "distcheck" happy by properly including the 57th python
test.
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The recent patch to remove PNR syscalls from the BPF
filter causes test 06-sim-actions%%005-00001 to fail
because aarch64 doesn't support the stat syscall. This
commit skips that check on aarch64 only.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Now that pseudo-syscalls are being removed from the resultant
BPF filter, we need to test for this in the simulated binary
tree test. This commit modifies the test to explicitly define
its supported architectures and updates the tests file to
handle PNR syscalls. Note that the aarch64 architecture does
not define many of the syscalls used in this test, and thus
these syscalls fall through to the default ALLOW action.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
API level 6 allows callers to use both the TSYNC and notify APIs at
the same time. This is due to the TSYNC_ESRCH flag which was added
in Linux v5.7.
This patch also fixes some omissions in seccomp_api_set().
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
See the manpage additions as part of this patch, but the basic idea
is that when this attribute is non-zero we make every effort to
convey the system's errno value back to the caller when something
goes wrong in libc or the kernel. It is important to note from a
support perspective that our ability to support callers who make use
of this attribute will be diminished as the libc and kernel errno
values are beyond libseccomp's control.
If the attribute is zero, the library hides all of the system
failures under -ECANCELED.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
The basic idea is that the C functions should return negative values
on error and the terminal programs should return positive, non-zero
values on error.
Reported-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
We need to limit our use of EINVAL to only indicate bad input to the
API functions. Bad input to internal functions is not a valid use
of EINVAL.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
It is likely a fool's errand to try and provide kernel and libc errno
guarantees across different architectures, kernels, and libc
implementations so let's just punt on the problem and dump all of
these errors into the ECANCELED bucket.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This is part of our error code cleanup and API promise.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
I've never wanted my code to be either a reminder or a source of
hurt for others, but it is possible that some older terminology used
in this repository may do just that. That's a bug we need to fix,
and hopefully this patch does just that.
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This commit adds the ppc64le architecture to test
30-sim-socket_syscalls.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
|
This commit adds the ppc64le architecture to test
36-sim-ipc_syscalls.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
|
The syscalls shmat, shmctl, and shmget are ipc syscalls on s390
and s390x. This causes test #53 to fail due to the syscall number
not matching up with the values in the *.tests file.
This commit removes the aforementioned ipc syscalls since they are
being tested in tests #36 and #37.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.
The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.
On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB passed
from ~0.45 sec to ~0.06s.
PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
  other problems
* extracted the syscalls.csv and file deletions to other patches
  to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
  the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
  arch-gperf-generate
* fixed problems with automake's file packaging
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
This appears to cause problems in the Travis CI with the aarch64
architecture.
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
Two fixes to ensure that test 53 runs correctly:
* remove a debug "print()" in the Python test
* use the native ABI in the Python test
Signed-off-by: Paul Moore <paul@paul-moore.com>