From fb4b0465abbd96e6d342e5606c61c919c99a82ff Mon Sep 17 00:00:00 2001 From: Mike Gilbert Date: Fri, 6 Dec 2019 14:28:13 -0500 Subject: seccomp: real syscall numbers are >= 0 Real syscall numbers start at 0. The fake seccomp values seem to be strictly less than 0. Fixes: 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f --- src/basic/missing_syscall.h | 32 ++++++++++++++++---------------- src/test/test-seccomp.c | 20 ++++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h index cbda3f7c60..41164ea7d0 100644 --- a/src/basic/missing_syscall.h +++ b/src/basic/missing_syscall.h @@ -35,7 +35,7 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old) #if !HAVE_MEMFD_CREATE /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_memfd_create && __NR_memfd_create > 0) +# if ! (defined __NR_memfd_create && __NR_memfd_create >= 0) # if defined __NR_memfd_create # undef __NR_memfd_create # endif @@ -82,7 +82,7 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) { #if !HAVE_GETRANDOM /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_getrandom && __NR_getrandom > 0) +# if ! (defined __NR_getrandom && __NR_getrandom >= 0) # if defined __NR_getrandom # undef __NR_getrandom # endif @@ -145,7 +145,7 @@ static inline pid_t missing_gettid(void) { #if !HAVE_NAME_TO_HANDLE_AT /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at > 0) +# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0) # if defined __NR_name_to_handle_at # undef __NR_name_to_handle_at # endif @@ -186,7 +186,7 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil #if !HAVE_SETNS /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_setns && __NR_setns > 0) +# if ! (defined __NR_setns && __NR_setns >= 0) # if defined __NR_setns # undef __NR_setns # endif @@ -227,7 +227,7 @@ static inline pid_t raw_getpid(void) { #if !HAVE_RENAMEAT2 /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_renameat2 && __NR_renameat2 > 0) +# if ! (defined __NR_renameat2 && __NR_renameat2 >= 0) # if defined __NR_renameat2 # undef __NR_renameat2 # endif @@ -276,7 +276,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c #if !HAVE_KCMP static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { -# if defined __NR_kcmp && __NR_kcmp > 0 +# if defined __NR_kcmp && __NR_kcmp >= 0 return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); # else errno = ENOSYS; @@ -291,7 +291,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i #if !HAVE_KEYCTL static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { -# if defined __NR_keyctl && __NR_keyctl > 0 +# if defined __NR_keyctl && __NR_keyctl >= 0 return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); # else errno = ENOSYS; @@ -302,7 +302,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg } static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { -# if defined __NR_add_key && __NR_add_key > 0 +# if defined __NR_add_key && __NR_add_key >= 0 return syscall(__NR_add_key, type, description, payload, plen, ringid); # else errno = ENOSYS; @@ -313,7 +313,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip } static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { -# if defined __NR_request_key && __NR_request_key > 0 +# if defined __NR_request_key && __NR_request_key >= 0 return syscall(__NR_request_key, type, description, callout_info, destringid); # else errno = ENOSYS; @@ -328,7 +328,7 @@ static inline key_serial_t missing_request_key(const char *type, const char *des #if !HAVE_COPY_FILE_RANGE /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_copy_file_range && __NR_copy_file_range > 0) +# if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0) # if defined __NR_copy_file_range # undef __NR_copy_file_range # endif @@ -370,7 +370,7 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in, #if !HAVE_BPF /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_bpf && __NR_bpf > 0) +# if ! (defined __NR_bpf && __NR_bpf >= 0) # if defined __NR_bpf # undef __NR_bpf # endif @@ -411,7 +411,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { #ifndef __IGNORE_pkey_mprotect /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect > 0) +# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0) # if defined __NR_pkey_mprotect # undef __NR_pkey_mprotect # endif @@ -447,7 +447,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { #if !HAVE_STATX /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_statx && __NR_statx > 0) +# if ! (defined __NR_statx && __NR_statx >= 0) # if defined __NR_statx # undef __NR_statx # endif @@ -498,7 +498,7 @@ enum { static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, unsigned long maxnode) { long i; -# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 +# if defined __NR_set_mempolicy && __NR_set_mempolicy >= 0 i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); # else errno = ENOSYS; @@ -529,7 +529,7 @@ static inline long missing_get_mempolicy(int *mode, unsigned long *nodemask, #if !HAVE_PIDFD_OPEN /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_pidfd_open && __NR_pidfd_open > 0) +# if ! (defined __NR_pidfd_open && __NR_pidfd_open >= 0) # if defined __NR_pidfd_open # undef __NR_pidfd_open # endif @@ -547,7 +547,7 @@ static inline int pidfd_open(pid_t pid, unsigned flags) { #if !HAVE_PIDFD_SEND_SIGNAL /* may be (invalid) negative number due to libseccomp, see PR 13319 */ -# if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal > 0) +# if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0) # if defined __NR_pidfd_send_signal # undef __NR_pidfd_send_signal # endif diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 69b1c788aa..75566199e3 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -29,7 +29,7 @@ #include "virt.h" /* __NR_socket may be invalid due to libseccomp */ -#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) +#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, * and we can't restrict it hence via seccomp. */ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 @@ -305,14 +305,14 @@ static void test_protect_sysctl(void) { assert_se(pid >= 0); if (pid == 0) { -#if defined __NR__sysctl && __NR__sysctl > 0 +#if defined __NR__sysctl && __NR__sysctl >= 0 assert_se(syscall(__NR__sysctl, NULL) < 0); assert_se(errno == EFAULT); #endif assert_se(seccomp_protect_sysctl() >= 0); -#if defined __NR__sysctl && __NR__sysctl > 0 +#if defined __NR__sysctl && __NR__sysctl >= 0 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); assert_se(errno == EPERM); #endif @@ -347,14 +347,14 @@ static void test_protect_syslog(void) { assert_se(pid >= 0); if (pid == 0) { -#if defined __NR_syslog && __NR_syslog > 0 +#if defined __NR_syslog && __NR_syslog >= 0 assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0); assert_se(errno == EINVAL); #endif assert_se(seccomp_protect_syslog() >= 0); -#if defined __NR_syslog && __NR_syslog > 0 +#if defined __NR_syslog && __NR_syslog >= 0 assert_se(syscall(__NR_syslog, 0, 0, 0) < 0); assert_se(errno == EPERM); #endif @@ -684,7 +684,7 @@ static void test_load_syscall_filter_set_raw(void) { assert_se(poll(NULL, 0, 0) == 0); assert_se(s = hashmap_new(NULL)); -#if defined __NR_access && __NR_access > 0 +#if defined __NR_access && __NR_access >= 0 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); #else assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); @@ -700,7 +700,7 @@ static void test_load_syscall_filter_set_raw(void) { s = hashmap_free(s); assert_se(s = hashmap_new(NULL)); -#if defined __NR_access && __NR_access > 0 +#if defined __NR_access && __NR_access >= 0 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); #else assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); @@ -716,7 +716,7 @@ static void test_load_syscall_filter_set_raw(void) { s = hashmap_free(s); assert_se(s = hashmap_new(NULL)); -#if defined __NR_poll && __NR_poll > 0 +#if defined __NR_poll && __NR_poll >= 0 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); #else assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); @@ -733,7 +733,7 @@ static void test_load_syscall_filter_set_raw(void) { s = hashmap_free(s); assert_se(s = hashmap_new(NULL)); -#if defined __NR_poll && __NR_poll > 0 +#if defined __NR_poll && __NR_poll >= 0 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); #else assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); @@ -811,7 +811,7 @@ static int real_open(const char *path, int flags, mode_t mode) { * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On * other architectures, let's just fall back to the glibc call. */ -#if defined __NR_open && __NR_open > 0 +#if defined __NR_open && __NR_open >= 0 return (int) syscall(__NR_open, path, flags, mode); #else return open(path, flags, mode); -- cgit v1.2.1