From f046fd21e3274541021bff1f869bf2c9ef8d0b86 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 27 Oct 2021 13:35:15 -0400 Subject: arch: replace arch-syscall-check with something more useful Now that we have moved to the CSV based arch/ABI syscall table the existing arch-syscall-check isn't as useful as it once was, but we could definitely use a build-time check to ensure the syscall header file is sync'd with the CSV arch/ABI syscall table. Acked-by: Tom Hromatka Signed-off-by: Paul Moore --- src/.gitignore | 1 - src/Makefile.am | 9 +- src/arch-syscall-check | 60 +++++++++++++ src/arch-syscall-check.c | 228 ----------------------------------------------- 4 files changed, 63 insertions(+), 235 deletions(-) create mode 100755 src/arch-syscall-check delete mode 100644 src/arch-syscall-check.c (limited to 'src') diff --git a/src/.gitignore b/src/.gitignore index 6b31a14..c5c656f 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -1,5 +1,4 @@ libseccomp.a -arch-syscall-check arch-syscall-dump syscalls.perf syscalls.perf.c diff --git a/src/Makefile.am b/src/Makefile.am index 04e7ba5..1ff0ee7 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -46,20 +46,17 @@ SOURCES_ALL = \ syscalls.h syscalls.c syscalls.perf.c EXTRA_DIST = \ - arch-syscall-validate arch-gperf-generate \ - syscalls.csv syscalls.perf.template + arch-syscall-validate arch-syscall-check \ + arch-gperf-generate syscalls.csv syscalls.perf.template TESTS = arch-syscall-check -check_PROGRAMS = arch-syscall-check arch-syscall-dump +check_PROGRAMS = arch-syscall-dump lib_LTLIBRARIES = libseccomp.la arch_syscall_dump_SOURCES = arch-syscall-dump.c ${SOURCES_ALL} -arch_syscall_check_SOURCES = arch-syscall-check.c ${SOURCES_ALL} -arch_syscall_check_CFLAGS = ${AM_CFLAGS} - libseccomp_la_SOURCES = ${SOURCES_ALL} libseccomp_la_CPPFLAGS = ${AM_CPPFLAGS} ${CODE_COVERAGE_CPPFLAGS} libseccomp_la_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS} ${CFLAGS} \ diff --git a/src/arch-syscall-check b/src/arch-syscall-check new file mode 100755 index 0000000..ae67daa --- /dev/null +++ b/src/arch-syscall-check @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# libseccomp syscall build-time checking script +# +# Copyright (c) 2021 Microsoft Corporation. +# +# Author: Paul Moore +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see . +# + +SYSCALL_CSV="./syscalls.csv" +SYSCALL_HDR="../include/seccomp-syscalls.h" + +function check_snr() { + (export LC_ALL=C; diff \ + --label "CSV ($SYSCALL_CSV)" --label "HDR ($SYSCALL_HDR)" -u \ + <(tail -n+2 $SYSCALL_CSV | cut -d',' -f1 | sort -u) \ + <(grep __SNR_ $SYSCALL_HDR | awk '{ print $2 }' | \ + sed -e 's/^__SNR_//' | sort -u)) + return $? +} + +function check_pnr() { + # NOTE: we don't care if we have __PNR_ define that isn't needed, we + # likely want to preserve those values so they aren't mistakenly + # reused by a new __PNR_ in the future + (export LC_ALL=C; diff \ + <(tail -n+2 $SYSCALL_CSV | grep "PNR" | cut -d',' -f1 | \ + sort -u) \ + <(grep "#define __PNR_" $SYSCALL_HDR | awk '{ print $2 }' | \ + sed -e 's/^__PNR_//' | sort -u) | \ + grep "^<") + [[ $? -eq 1 ]] && return 0 || return 1 +} + +rc=0 + +echo ">>> CHECKING FOR MISSING __SNR_syscall VALUES" +check_snr +rc=$(( $rc + $? )) + +echo ">>> CHECKING FOR MISSING __PNR_syscall VALUES" +check_pnr +rc=$(( $rc + $? )) + +exit $rc diff --git a/src/arch-syscall-check.c b/src/arch-syscall-check.c deleted file mode 100644 index 987ef55..0000000 --- a/src/arch-syscall-check.c +++ /dev/null @@ -1,228 +0,0 @@ -/** - * Enhanced Seccomp Architecture Sycall Checker - * - * Copyright (c) 2014 Red Hat - * Author: Paul Moore - * - */ - -/* - * This library is free software; you can redistribute it and/or modify it - * under the terms of version 2.1 of the GNU Lesser General Public License as - * published by the Free Software Foundation. - * - * This library is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License - * for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this library; if not, see . - */ - -#include -#include -#include - -#include "arch.h" -#include "arch-x86.h" -#include "arch-x86_64.h" -#include "arch-x32.h" -#include "arch-arm.h" -#include "arch-aarch64.h" -#include "arch-mips.h" -#include "arch-mips64.h" -#include "arch-mips64n32.h" -#include "arch-parisc.h" -#include "arch-ppc.h" -#include "arch-ppc64.h" -#include "arch-s390.h" -#include "arch-s390x.h" -#include "arch-sh.h" - -/** - * compare the syscall values - * @param str_miss the other bad architectures - * @param syscall the syscall string to compare against - * @param arch_name the name of the arch being tested - * @param arch_sys the syscall name to compare - * - * Compare the syscall names and update @str_miss if necessary. - * - */ -void syscall_check(char *str_miss, const char *syscall, - const char *arch_name, const struct arch_syscall_def *sys) -{ - if (strcmp(syscall, sys->name)) { - if (str_miss[0] != '\0') - strcat(str_miss, ","); - strcat(str_miss, arch_name); - } -} - -/** - * main - */ -int main(int argc, char *argv[]) -{ - int i_x86 = 0; - int i_x86_64 = 0; - int i_x32 = 0; - int i_arm = 0; - int i_aarch64 = 0; - int i_mips = 0; - int i_mips64 = 0; - int i_mips64n32 = 0; - int i_parisc = 0; - int i_ppc = 0; - int i_ppc64 = 0; - int i_s390 = 0; - int i_s390x = 0; - int i_sh = 0; - char str_miss[256]; - const char *sys_name; - const struct arch_syscall_def *sys; - - do { - str_miss[0] = '\0'; - sys = x86_syscall_iterate(i_x86); - if (sys == NULL || sys->name == NULL) { - printf("FAULT\n"); - return 1; - } - sys_name = sys->name; - - /* check each arch using x86 as the reference */ - syscall_check(str_miss, sys_name, "x86_64", - x86_64_syscall_iterate(i_x86_64)); - syscall_check(str_miss, sys_name, "x32", - x32_syscall_iterate(i_x32)); - syscall_check(str_miss, sys_name, "arm", - arm_syscall_iterate(i_arm)); - syscall_check(str_miss, sys_name, "aarch64", - aarch64_syscall_iterate(i_aarch64)); - syscall_check(str_miss, sys_name, "mips", - mips_syscall_iterate(i_mips)); - syscall_check(str_miss, sys_name, "mips64", - mips64_syscall_iterate(i_mips64)); - syscall_check(str_miss, sys_name, "mips64n32", - mips64n32_syscall_iterate(i_mips64n32)); - syscall_check(str_miss, sys_name, "parisc", - parisc_syscall_iterate(i_parisc)); - syscall_check(str_miss, sys_name, "ppc", - ppc_syscall_iterate(i_ppc)); - syscall_check(str_miss, sys_name, "ppc64", - ppc64_syscall_iterate(i_ppc64)); - syscall_check(str_miss, sys_name, "s390", - s390_syscall_iterate(i_s390)); - syscall_check(str_miss, sys_name, "s390x", - s390x_syscall_iterate(i_s390x)); - syscall_check(str_miss, sys_name, "sh", - sh_syscall_iterate(i_sh)); - - /* output the results */ - printf("%s: ", sys_name); - if (str_miss[0] != '\0') { - printf("MISS(%s)\n", str_miss); - return 1; - } else - printf("OK\n"); - - /* next */ - if (x86_syscall_iterate(i_x86 + 1)->name) - i_x86++; - if (!x86_64_syscall_iterate(++i_x86_64)->name) - i_x86_64 = -1; - if (!x32_syscall_iterate(++i_x32)->name) - i_x32 = -1; - if (!arm_syscall_iterate(++i_arm)->name) - i_arm = -1; - if (!aarch64_syscall_iterate(++i_aarch64)->name) - i_aarch64 = -1; - if (!mips_syscall_iterate(++i_mips)->name) - i_mips = -1; - if (!mips64_syscall_iterate(++i_mips64)->name) - i_mips64 = -1; - if (!mips64n32_syscall_iterate(++i_mips64n32)->name) - i_mips64n32 = -1; - if (!parisc_syscall_iterate(++i_parisc)->name) - i_parisc = -1; - if (!ppc_syscall_iterate(++i_ppc)->name) - i_ppc = -1; - if (!ppc64_syscall_iterate(++i_ppc64)->name) - i_ppc64 = -1; - if (!s390_syscall_iterate(++i_s390)->name) - i_s390 = -1; - if (!s390x_syscall_iterate(++i_s390x)->name) - i_s390x = -1; - if (!sh_syscall_iterate(++i_sh)->name) - i_sh = -1; - } while (i_x86_64 >= 0 && i_x32 >= 0 && - i_arm >= 0 && i_aarch64 >= 0 && - i_mips >= 0 && i_mips64 >= 0 && i_mips64n32 >= 0 && - i_parisc >= 0 && - i_ppc >= 0 && i_ppc64 >= 0 && - i_s390 >= 0 && i_s390x >= 0 && i_sh >= 0); - - /* check for any leftovers */ - sys = x86_syscall_iterate(i_x86 + 1); - if (sys->name) { - printf("ERROR, x86 has additional syscalls\n"); - return 1; - } - if (i_x86_64 >= 0) { - printf("ERROR, x86_64 has additional syscalls\n"); - return 1; - } - if (i_x32 >= 0) { - printf("ERROR, x32 has additional syscalls\n"); - return 1; - } - if (i_arm >= 0) { - printf("ERROR, arm has additional syscalls\n"); - return 1; - } - if (i_aarch64 >= 0) { - printf("ERROR, aarch64 has additional syscalls\n"); - return 1; - } - if (i_mips >= 0) { - printf("ERROR, mips has additional syscalls\n"); - return 1; - } - if (i_mips64 >= 0) { - printf("ERROR, mips64 has additional syscalls\n"); - return 1; - } - if (i_mips64n32 >= 0) { - printf("ERROR, mips64n32 has additional syscalls\n"); - return 1; - } - if (i_parisc >= 0) { - printf("ERROR, parisc has additional syscalls\n"); - return 1; - } - if (i_ppc >= 0) { - printf("ERROR, ppc has additional syscalls\n"); - return 1; - } - if (i_ppc64 >= 0) { - printf("ERROR, ppc64 has additional syscalls\n"); - return 1; - } - if (i_s390 >= 0) { - printf("ERROR, s390 has additional syscalls\n"); - return 1; - } - if (i_s390x >= 0) { - printf("ERROR, s390x has additional syscalls\n"); - return 1; - } - if (i_sh >= 0) { - printf("ERROR, sh has additional syscalls\n"); - return 1; - } - - /* if we made it here, all is good */ - return 0; -} -- cgit v1.2.1