debian/changelog

libseccomp (2.1.1-1ubuntu1~trusty5) trusty-security; urgency=medium

  * No change rebuild for trusty-security

 -- Jamie Strandboge  Tue, 29 Jan 2019 23:39:20 +0000

libseccomp (2.1.1-1ubuntu1~trusty4) trusty-proposed; urgency=medium

  * debian/libseccomp-dev.install: include static library (LP: #1703580)

 -- Michael Vogt  Tue, 11 Jul 2017 12:22:18 +0200

libseccomp (2.1.1-1ubuntu1~trusty3) trusty-proposed; urgency=medium

  * Cherrypick various bpf fixes to support argument filtering on 64-bit
    (LP: #1653487)
    - debian/patches/bpf-use-state-arch.patch: use state->arch instead of
      db->arch in _gen_bpf_arch()
    - debian/patches/db-require-filters-to-share-endianess.patch: require all
      filters in a collection to share the same endianness
    - debian/patches/resolve-issues-caused-by-be.patch: resolve issues caused
      by big endian systems
    - debian/patches/bpf-accumulator-check.patch: test the bpf accumulator
      checking logic
    - debian/patches/bpf-track-accumulator-state.patch: track accumulator
      state and reload it when necessary. This is the fix for LP: #1653487.
      The previous patches are required by this patch.
    - debian/patches/ensure-simulator-has-valid-arch.patch: ensure the
      simulator always has a valid architecture value. This fixes a
      regression in the testsuite introduced by
      resolve-issues-caused-by-be.patch
    - debian/patches/bpf-accumulator-check-indep.patch: fix a regression in
      the testsuite introduced by bpf-accumulator-check.patch
    - debian/patches/fix-audit-arch-i386.patch: fix arch token for 32-bit x86
      not being defined correctly for the tools

 -- Jamie Strandboge  Wed, 04 Jan 2017 21:11:30 +0000

libseccomp (2.1.1-1ubuntu1~trusty1) trusty-proposed; urgency=medium

  * Bring libseccomp 2.1.1-1ubuntu1~vivid2, from Ubuntu 14.10, to Ubuntu
    14.04 and add a couple of patches to account for new syscalls found in
    the 4.4 based hardware enablement kernel. This allows for proper snap
    seccomp confinement on Ubuntu 14.04 when using the hardware enablement
    kernel (LP: #1450642)
    - debian/patches/add-membarrier-and-userfaultfd.patch: Add membarrier and
      userfaultfd syscalls
    - debian/patches/add-mlock2.patch: Add mlock2 syscall
    - debian/tests/data/all-except-s390-4.4.filter: Add autopkgtest that
      verifies all syscalls found in the 4.4 kernel, except for the s390
      specific syscalls, are supported by libseccomp. The s390 specific
      syscalls are not needed since this version of libseccomp does not
      support the s390 architecture.
    - debian/tests/test-filter: Skip the getrandom filter tests since
      SYS_getrandom is not defined in the 14.04 environment and the
      getrandom(2) syscall is not even available in the 14.04 release kernel.

 -- Tyler Hicks  Thu, 15 Dec 2016 23:26:30 +0000

libseccomp (2.1.1-1ubuntu1~vivid2) vivid-proposed; urgency=medium

  * add-finit-module.patch: add finit_module syscalls to x86 and x86-64
    syscall tables
  * update syscalls for modern kernels (skipping MIPS)
    - update syscalls for 3.16:
      + update-x86-syscall-table.patch
      + update-x86_64-syscall-table.patch
      + update-arm-syscall-table.patch
      + update-x32-syscall-table.patch
      + sync-syscall-table-entries.patch
      + sync-syscall-table-entries-fixtypo.patch
    - update syscalls for 3.17:
      + sync-syscall-table-entries-3.17.patch
    - update syscalls for 3.19:
      + sync-syscall-table-entries-3.19.patch
    - LP: #1450642
  * fix-segfault-with-unknown.patch: fix segfault when finding an unknown
    syscall
  * debian/patches/add-missing-arm-private-syscalls.path: add missing
    private ARM syscalls
  * add autopkgtests for scmp_sys_resolver and filter testing and
    SYS_getrandom() testing

 -- Jamie Strandboge  Fri, 08 May 2015 17:10:14 -0400

libseccomp (2.1.1-1) unstable; urgency=low

  * New upstream release (Closes: 733293).
  * copyright: add a few missed people.
  * rules: adjusted for new test target.
  * libseccomp2.symbols: drop accidentally exported functions.
  * control:
    - bump standards, no changes needed.
    - add armel target

 -- Kees Cook  Sat, 12 Apr 2014 10:44:22 -0700

libseccomp (2.1.0+dfsg-1) unstable; urgency=low

  * Rebuild source package without accidental binaries (Closes: 725617).
    - debian/watch: mangle upstream version check.
  * debian/rules: make tests non-fatal while upstream fixes them
    (Closes: 721292).

 -- Kees Cook  Sun, 06 Oct 2013 15:05:51 -0700

libseccomp (2.1.0-1) unstable; urgency=low

  * New upstream release (Closes: 718398):
    - dropped debian/patches/manpage-dashes.patch: taken upstream.
    - dropped debian/patches/include-unistd.patch: not needed.
    - debian/patches/testsuite-x86-write.patch: taken upstream.
    - ABI bump: moved from libseccomp1 to libseccomp2.
  * debian/control:
    - added Arch: armhf, now supported upstream.
    - added seccomp binary package for helper tools.
  * Added debian/patches/manpage-typo.patch: spelling fix.
  * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling.

 -- Kees Cook  Tue, 13 Aug 2013 00:02:01 -0700

libseccomp (1.0.1-2) unstable; urgency=low

  * debian/rules: enable testsuite at build time, thanks to Stéphane Graber
    (Closes: 698803).
  * Added debian/patches/include-unistd.patch: detect location of
    asm/unistd.h correctly.
  * Added debian/patches/testsuite-x86-write.patch: skip the "write" syscall
    correctly on x86.
  * debian/control: bump standards to 3.9.4, no changes needed.

 -- Kees Cook  Wed, 23 Jan 2013 13:11:53 -0800

libseccomp (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * debian/control: only build on amd64 and i386 (Closes: 687368).

 -- Kees Cook  Fri, 07 Dec 2012 11:38:03 -0800

libseccomp (1.0.0-1) unstable; urgency=low

  * New upstream release.
    - bump ABI.
    - drop build verbosity patch, use upstream V=1 instead.
  * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471).
  * debian/patches/pkgconfig-macro.patch: use literals for macro.

 -- Kees Cook  Fri, 03 Aug 2012 16:59:41 -0700

libseccomp (0.1.0-1) unstable; urgency=low

  * New upstream release.
    - drop patches taken upstream:
      - libexecdir.patch
      - pass-flags.patch

 -- Kees Cook  Fri, 08 Jun 2012 12:32:22 -0700

libseccomp (0.0.0~20120605-1) unstable; urgency=low

  * Initial release (Closes: #676257).

 -- Kees Cook  Tue, 05 Jun 2012 11:28:07 -0700

debian/control

Source: libseccomp
Section: libs
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Kees Cook
Build-Depends: debhelper (>= 9), linux-libc-dev
Standards-Version: 3.9.5
Homepage: https://sourceforge.net/projects/libseccomp/
XS-Testsuite: autopkgtest

Package: libseccomp-dev
Section: libdevel
Architecture: i386 amd64 armhf armel
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends}
Suggests: seccomp
Description: high level interface to Linux seccomp filter (development files)
 This library provides a high level interface to constructing, analyzing
 and installing seccomp filters via a BPF passed to the Linux Kernel's
 prctl() syscall.
 .
 This package contains the development files.

Package: libseccomp2
Architecture: i386 amd64 armhf armel
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: high level interface to Linux seccomp filter
 This library provides a high level interface to constructing, analyzing
 and installing seccomp filters via a BPF passed to the Linux Kernel's
 prctl() syscall.

Package: seccomp
Section: utils
Architecture: i386 amd64 armhf armel
Depends: ${shlibs:Depends}, ${misc:Depends}
Suggests: libseccomp-dev
Description: helper tools for high level interface to Linux seccomp filter
 Provides helper tools for interacting with libseccomp. Currently, only a
 single tool exists, providing a way to easily enumerate syscalls across
 the supported architectures.
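The package description above says what libseccomp produces: a classic-BPF program over `struct seccomp_data` that the kernel installs through prctl(). The patches carried in this package (bpf-use-state-arch, resolve-issues-caused-by-be, the accumulator fixes for 64-bit argument filtering) all concern the shape of that program: an architecture check first, then the syscall number, then 64-bit arguments compared as two 32-bit halves. The block below is an added example, not code from libseccomp or from the Debian packaging. It builds such a program by hand for the x86_64 ABI, runs it through a small interpreter that plays the role scmp_bpf_sim plays in the tools package, and can install it with the same prctl() call. It assumes the Linux UAPI headers (`linux/filter.h`, `linux/seccomp.h`, `linux/audit.h`, which the `linux-libc-dev` build-dependency provides) and a little-endian host; the syscall numbers are x86_64's; the names `example_filter`, `seccomp_bpf_run`, `seccomp_decide` and `seccomp_install` are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86_64 syscall numbers, fixed here because the filter targets that ABI
 * whatever the build host is (libseccomp keeps a per-arch table for this). */
#define X86_64_NR_read         0
#define X86_64_NR_write        1
#define X86_64_NR_exit        60
#define X86_64_NR_exit_group 231

/* Offsets into struct seccomp_data. Classic BPF loads 32 bits at a time, so
 * a 64-bit argument is compared as a low and a high word. The "+ 4" for the
 * high word assumes the little-endian layout of the x86_64 target; it is the
 * same split libseccomp's x86_64_arg_offset_lo/_hi macros encode. */
#define SD_NR        ((uint32_t)offsetof(struct seccomp_data, nr))
#define SD_ARCH      ((uint32_t)offsetof(struct seccomp_data, arch))
#define SD_ARG_LO(i) ((uint32_t)offsetof(struct seccomp_data, args[i]))
#define SD_ARG_HI(i) (SD_ARG_LO(i) + 4)

#define RET_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Policy: kill anything that is not the x86_64 ABI; allow read, exit and
 * exit_group; allow write() only when fd == 1; fail everything else with
 * EPERM. Jump targets are relative to the next instruction. */
static const struct sock_filter example_filter[] = {
    /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    /*  2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /*  3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_read, 7, 0),
    /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_exit, 6, 0),
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_exit_group, 5, 0),
    /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, X86_64_NR_write, 0, 5),
    /* write(fd, ...): both halves of the 64-bit fd must match, otherwise
     * fd = 0x100000001 would slip past a low-word-only comparison. */
    /*  8 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_HI(0)),
    /*  9 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),
    /* 10 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG_LO(0)),
    /* 11 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1),
    /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 13 */ BPF_STMT(BPF_RET | BPF_K, RET_EPERM),
};

/* Interpreter for the opcode subset used above (the kernel accepts more,
 * but this is enough to exercise the program). Returns the seccomp action;
 * a malformed program yields SECCOMP_RET_KILL, which is the closest run-time
 * equivalent of the kernel refusing to load it. */
static uint32_t seccomp_bpf_run(const struct sock_filter *prog, size_t len,
                                const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < len) {
        const struct sock_filter *f = &prog[pc++];

        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            /* seccomp only permits aligned 32-bit loads inside seccomp_data */
            if ((f->k & 3) != 0 || f->k + 4 > sizeof(*sd))
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + f->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == f->k) ? f->jt : f->jf;
            break;
        case BPF_RET | BPF_K:
            return f->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end; the kernel rejects such programs */
}

/* Evaluate the policy for one (arch, syscall number, first argument). */
static uint32_t seccomp_decide(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data sd;

    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    sd.args[0] = arg0;
    return seccomp_bpf_run(example_filter,
                           sizeof(example_filter) / sizeof(example_filter[0]),
                           &sd);
}

/* Install the program for the calling thread, the way the package
 * description puts it: a BPF passed to prctl(). Returns 0 or -errno. */
static int seccomp_install(void)
{
    struct sock_fprog fprog = {
        .len = sizeof(example_filter) / sizeof(example_filter[0]),
        .filter = (struct sock_filter *)example_filter,
    };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* Simulate first, as scmp_bpf_sim would, then install and probe. */
    printf("write(fd=1)      -> %#x\n", seccomp_decide(AUDIT_ARCH_X86_64, X86_64_NR_write, 1));
    printf("write(fd=2)      -> %#x\n", seccomp_decide(AUDIT_ARCH_X86_64, X86_64_NR_write, 2));
    printf("i386 write(fd=1) -> %#x\n", seccomp_decide(AUDIT_ARCH_I386, X86_64_NR_write, 1));

    if (seccomp_install() != 0) {
        perror("seccomp_install");
        return 1;
    }
    if (write(1, "fd 1 ok\n", 8) < 0)
        return 1;
    if (write(2, "fd 2\n", 5) < 0 && errno == EPERM)
        write(1, "fd 2 blocked with EPERM\n", 24);
    return 0;
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` on a glibc/Linux system and run it on x86_64; after `seccomp_install()` the write to fd 2 fails with EPERM while fd 1 keeps working, and the process exits normally because exit_group is allowed. Instruction 1 is the check that bpf-use-state-arch.patch and fix-audit-arch-i386.patch are about: without it, a 32-bit caller's syscall numbers would be matched against the x86_64 table. Instructions 8 to 11 are the two-word compare whose accumulator handling LP: #1653487 fixes; dropping instruction 9 makes `write(0x100000001, ...)` pass the filter even though the low word alone says fd 1.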
debian/docs

README

debian/libseccomp2.install

usr/lib/*/lib*.so.*

debian/rules

#!/usr/bin/make -f
# -*- makefile -*-

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

# Enable verbose build details.
export V=1

%:
	dh $@ --parallel

override_dh_auto_clean:
	$(MAKE) dist-clean
	rm -f regression.out

override_dh_auto_configure:
	./configure --prefix=/usr \
		--libdir=/usr/lib/$(DEB_HOST_MULTIARCH)

override_dh_auto_test:
ifeq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))
	make check 2>&1 | tee regression.out && \
		grep -q "^ tests failed: 0" regression.out || true
endif

debian/patches/fix-segfault-with-unknown.patch

From 2d09a74c7f04d29ae740db1e2187ff1a1886b2c3 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 6 Jan 2014 16:43:51 -0500 Subject: [PATCH] tools: fix a segfault for invalid syscall numbers Signed-off-by: Paul Moore --- tools/scmp_sys_resolver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libseccomp-2.1.1/tools/scmp_sys_resolver.c =================================================================== --- libseccomp-2.1.1.orig/tools/scmp_sys_resolver.c +++ libseccomp-2.1.1/tools/scmp_sys_resolver.c @@ -91,7 +91,7 @@ int main(int argc, char *argv[]) if (isdigit(argv[optind][0]) || argv[optind][0] == '-') { sys_num = atoi(argv[optind]); sys_name = arch_syscall_resolve_num(arch, sys_num); - printf("%s\n", sys_name); + printf("%s\n", (sys_name ? sys_name : "UNKNOWN")); } else { sys_num = arch_syscall_resolve_name(arch, argv[optind]); if (translate != 0)

debian/patches/ensure-simulator-has-valid-arch.patch
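Review bot: in fix-segfault-with-unknown.patch, the NULL guard on `sys_name` stops the crash, but the number parsing in the same hunk is still unchecked: `sys_num = atoi(argv[optind]);` turns an argument such as "-" or "12x" into 0 or a truncated value, and the tool then prints whatever that number resolves to, so a typo looks like a valid answer. Parse with strtol() and an end-pointer check, and treat trailing characters as an error rather than resolving the number.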
From 1c3b1b6c241ed64868f8bb7712b65217f548a38f Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 11 Feb 2014 10:11:13 -0500 Subject: [PATCH] tools: ensure the simulator always has a valid architecture value Without this fix the bpf-sim-fuzz tests might fail as they do not explicitly set the architecture value as part of the test framework. Reported-by: Markos Chandras Signed-off-by: Paul Moore --- tools/scmp_bpf_sim.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c index 3312408..b6caccb 100644 --- a/tools/scmp_bpf_sim.c +++ b/tools/scmp_bpf_sim.c @@ -38,6 +38,20 @@ #include "bpf.h" +#if __i386__ +#define ARCH_NATIVE AUDIT_ARCH_X86 +#elif __x86_64__ +#ifdef __ILP32__ +#define ARCH_NATIVE AUDIT_ARCH_X86_64 +#else +#define ARCH_NATIVE AUDIT_ARCH_X86_64 +#endif /* __ILP32__ */ +#elif __arm__ +#define ARCH_NATIVE AUDIT_ARCH_ARM +#else +#error the simulator code needs to know about your machine type +#endif /* machine type guess */ + #define BPF_PRG_MAX_LEN 4096 /** @@ -287,8 +301,9 @@ int main(int argc, char *argv[]) struct seccomp_data sys_data; struct bpf_program bpf_prg; - /* clear the syscall record */ + /* initialize the syscall record */ memset(&sys_data, 0, sizeof(sys_data)); + sys_data.arch = ARCH_NATIVE; /* parse the command line */ while ((opt = getopt(argc, argv, "a:f:h:s:v0:1:2:3:4:5:")) > 0) { debian/patches/pkgconfig-macro.patch0000664000000000000000000000206112202355041014677 0ustar Description: this bash trick doesn't work for some reason, so just replace with the needed literal "libseccomp.pc" instead. Author: Kees Cook Index: libseccomp-2.1.0/macros.mk =================================================================== --- libseccomp-2.1.0.orig/macros.mk 2013-08-13 00:02:48.756235141 -0700 +++ libseccomp-2.1.0/macros.mk 2013-08-13 00:02:48.752235086 -0700 
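Review bot: in the first hunk of ensure-simulator-has-valid-arch.patch, both arms of `#ifdef __ILP32__` define ARCH_NATIVE as AUDIT_ARCH_X86_64, so the conditional does nothing. If the intent is that an x32 host still reports AUDIT_ARCH_X86_64 in the arch field (with the x32 ABI told apart by the syscall number rather than by arch), say so in a comment and drop the duplicate arm; otherwise a reader will assume the x32 value was forgotten. The `#error` fallback also means the simulator stops building on anything outside i386, x86_64 and arm, which the commit message should mention since the syscall tables in this series are being extended for other targets.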
@@ -185,15 +185,13 @@ ifeq ($(V),0) INSTALL_PC_MACRO = \ - @echo " INSTALL $$(cat /proc/$$$$/cmdline | awk '{print $$(NF)}')" \ - " ($(INSTALL_LIB_DIR)/pkgconfig)"; + @echo " INSTALL libseccomp.pc ($(INSTALL_LIB_DIR)/pkgconfig)"; endif INSTALL_PC_MACRO += \ $(INSTALL) -o $(INSTALL_OWNER) -g $(INSTALL_GROUP) \ -d "$(INSTALL_LIB_DIR)/pkgconfig"; \ $(INSTALL) -o $(INSTALL_OWNER) -g $(INSTALL_GROUP) -m 0644 \ - "$$(cat /proc/$$$$/cmdline | awk '{print $$(NF)}')" \ - "$(INSTALL_LIB_DIR)/pkgconfig"; \# + "libseccomp.pc" "$(INSTALL_LIB_DIR)/pkgconfig"; \# ifeq ($(V),0) INSTALL_INC_MACRO = @echo " INSTALL $^ ($(INSTALL_INC_DIR))"; debian/patches/sync-syscall-table-entries-3.17.patch0000664000000000000000000002263312520513763017420 0ustar From 6354f8cab5ac82a8d567005e58a9e7ff9dd843a9 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 19 Aug 2014 22:19:51 -0400 Subject: [PATCH] arch: update the syscall tables to 3.17-rc1+ Signed-off-by: Paul Moore --- include/seccomp.h.in | 15 +++++++++++++++ src/arch-arm-syscalls.c | 6 +++++- src/arch-mips-syscalls.c | 6 +++++- src/arch-mips64-syscalls.c | 8 ++++++-- src/arch-mips64n32-syscalls.c | 6 +++++- src/arch-x32-syscalls.c | 12 ++++++++---- src/arch-x86-syscalls.c | 8 ++++++-- src/arch-x86_64-syscalls.c | 8 ++++++-- 8 files changed, 56 insertions(+), 13 deletions(-) Index: libseccomp-2.1.1/include/seccomp.h.in =================================================================== --- libseccomp-2.1.1.orig/include/seccomp.h.in +++ libseccomp-2.1.1/include/seccomp.h.in 
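Review bot: in pkgconfig-macro.patch, replacing `$$(cat /proc/$$$$/cmdline | awk '{print $$(NF)}')` with the literal "libseccomp.pc" is the right call (the trick only works on Linux and depends on the make process's own argv), but it ties INSTALL_PC_MACRO to one filename. The INSTALL_INC_MACRO two lines further down already uses `$^` for the same job; if the rule's prerequisite is the .pc file, the automatic variable would keep this macro generic without bringing back the /proc dependency.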
@@ -1182,6 +1182,21 @@ int seccomp_export_bpf(const scmp_filter #define __NR_timerfd __PNR_timerfd #endif /* __NR_timerfd */ +#define __PNR_getrandom -10109 +#ifndef __NR_getrandom +#define __NR_getrandom __PNR_getrandom +#endif /* __NR_time */ + +#define __PNR_memfd_create -10110 +#ifndef __NR_memfd_create +#define __NR_memfd_create __PNR_memfd_create +#endif /* __NR_memfd_create */ + +#define __PNR_kexec_file_load -10111 +#ifndef __NR_kexec_file_load +#define __NR_kexec_file_load __PNR_kexec_file_load +#endif /* __NR_kexec_file_load */ + #ifdef __cplusplus } #endif Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c @@ -36,7 +36,7 @@ #define __NR_SYSCALL_BASE __NR_OABI_SYSCALL_BASE #endif -/* NOTE: based on Linux 3.16-rc1 */ +/* NOTE: based on Linux 3.17-rc1+ */ const struct arch_syscall_def arm_syscall_table[] = { \ /* NOTE: arm_sync_file_range() and sync_file_range2() share values */ { "_llseek", (__NR_SYSCALL_BASE + 140) }, @@ -149,6 +149,7 @@ const struct arch_syscall_def arm_syscal { "getpmsg", __PNR_getpmsg }, { "getppid", (__NR_SYSCALL_BASE + 64) }, { "getpriority", (__NR_SYSCALL_BASE + 96) }, + { "getrandom", (__NR_SYSCALL_BASE + 384) }, { "getresgid", (__NR_SYSCALL_BASE + 171) }, { "getresgid32", (__NR_SYSCALL_BASE + 211) }, { "getresuid", (__NR_SYSCALL_BASE + 165) }, @@ -182,6 +183,7 @@ const struct arch_syscall_def arm_syscal { "ioprio_set", (__NR_SYSCALL_BASE + 314) }, { "ipc", (__NR_SYSCALL_BASE + 117) }, { "kcmp", (__NR_SYSCALL_BASE + 378) }, + { "kexec_file_load", __PNR_kexec_file_load }, { "kexec_load", (__NR_SYSCALL_BASE + 347) }, { "keyctl", (__NR_SYSCALL_BASE + 311) }, { "kill", (__NR_SYSCALL_BASE + 37) }, 
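Review bot: in the include/seccomp.h.in hunk of sync-syscall-table-entries-3.17.patch, the closing comment of the getrandom block reads `#endif /* __NR_time */`; it should be `/* __NR_getrandom */` to match the `#ifndef __NR_getrandom` it closes, as the memfd_create and kexec_file_load blocks below it do. Harmless to the preprocessor, but this is the copy-paste residue that makes the next table sync harder to audit.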
@@ -202,6 +204,7 @@ const struct arch_syscall_def arm_syscal { "lstat64", (__NR_SYSCALL_BASE + 196) }, { "madvise", (__NR_SYSCALL_BASE + 220) }, { "mbind", (__NR_SYSCALL_BASE + 319) }, + { "memfd_create", (__NR_SYSCALL_BASE + 385) }, { "migrate_pages", __PNR_migrate_pages }, { "mincore", (__NR_SYSCALL_BASE + 219) }, { "mkdir", (__NR_SYSCALL_BASE + 39) }, @@ -310,6 +313,7 @@ const struct arch_syscall_def arm_syscal { "sched_setparam", (__NR_SYSCALL_BASE + 154) }, { "sched_setscheduler", (__NR_SYSCALL_BASE + 156) }, { "sched_yield", (__NR_SYSCALL_BASE + 158) }, + { "seccomp", (__NR_SYSCALL_BASE + 383) }, { "security", __PNR_security }, { "select", (__NR_SYSCALL_BASE + 82) }, { "semctl", (__NR_SYSCALL_BASE + 300) }, Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x32.h" -/* NOTE: based on Linux 3.16-rc1 */ +/* NOTE: based on Linux 3.17-rc1+ */ const struct arch_syscall_def x32_syscall_table[] = { \ { "_sysctl", __PNR__sysctl }, { "accept", (X32_SYSCALL_BIT + 43) }, @@ -136,6 +136,7 @@ const struct arch_syscall_def x32_syscal { "getpmsg", (X32_SYSCALL_BIT + 181) }, { "getppid", (X32_SYSCALL_BIT + 110) }, { "getpriority", (X32_SYSCALL_BIT + 140) }, + { "getrandom", (X32_SYSCALL_BIT + 318) }, { "getresgid", (X32_SYSCALL_BIT + 120) }, { "getresgid32", __PNR_getresgid32 }, { "getresuid", (X32_SYSCALL_BIT + 118) }, 
@@ -160,8 +161,8 @@ const struct arch_syscall_def x32_syscal { "io_cancel", (X32_SYSCALL_BIT + 210) }, { "io_destroy", (X32_SYSCALL_BIT + 207) }, { "io_getevents", (X32_SYSCALL_BIT + 208) }, - { "io_setup", (X32_SYSCALL_BIT + 206) }, - { "io_submit", (X32_SYSCALL_BIT + 209) }, + { "io_setup", (X32_SYSCALL_BIT + 543) }, + { "io_submit", (X32_SYSCALL_BIT + 544) }, { "ioctl", (X32_SYSCALL_BIT + 514) }, { "ioperm", (X32_SYSCALL_BIT + 173) }, { "iopl", (X32_SYSCALL_BIT + 172) }, @@ -169,6 +170,7 @@ const struct arch_syscall_def x32_syscal { "ioprio_set", (X32_SYSCALL_BIT + 251) }, { "ipc", __PNR_ipc }, { "kcmp", (X32_SYSCALL_BIT + 312) }, + { "kexec_file_load", (X32_SYSCALL_BIT + 320) }, { "kexec_load", (X32_SYSCALL_BIT + 528) }, { "keyctl", (X32_SYSCALL_BIT + 250) }, { "kill", (X32_SYSCALL_BIT + 62) }, @@ -189,6 +191,7 @@ const struct arch_syscall_def x32_syscal { "lstat64", __PNR_lstat64 }, { "madvise", (X32_SYSCALL_BIT + 28) }, { "mbind", (X32_SYSCALL_BIT + 237) }, + { "memfd_create", (X32_SYSCALL_BIT + 319) }, { "migrate_pages", (X32_SYSCALL_BIT + 256) }, { "mincore", (X32_SYSCALL_BIT + 27) }, { "mkdir", (X32_SYSCALL_BIT + 83) }, @@ -273,7 +276,7 @@ const struct arch_syscall_def x32_syscal { "removexattr", (X32_SYSCALL_BIT + 197) }, { "rename", (X32_SYSCALL_BIT + 82) }, { "renameat", (X32_SYSCALL_BIT + 264) }, - { "renameat2", __PNR_renameat2 }, + { "renameat2", (X32_SYSCALL_BIT + 316) }, { "request_key", (X32_SYSCALL_BIT + 249) }, { "restart_syscall", (X32_SYSCALL_BIT + 219) }, { "rmdir", (X32_SYSCALL_BIT + 84) }, 
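Review bot: in the arch-x32-syscalls.c hunk at `@@ -160,8 +161,8 @@`, io_setup and io_submit move from X32_SYSCALL_BIT + 206/209 to + 543/544. Unlike the rest of this patch that is a renumbering, not a new entry: a filter that matched io_setup on x32 against the old table is now generated for a different number, and a caller still issuing 206/209 on x32 no longer hits the rule. The commit message ("update the syscall tables to 3.17-rc1+") should call this out explicitly, and a regression test pinning the new x32 numbers belongs alongside it.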
@@ -297,6 +300,7 @@ const struct arch_syscall_def x32_syscal { "sched_setparam", (X32_SYSCALL_BIT + 142) }, { "sched_setscheduler", (X32_SYSCALL_BIT + 144) }, { "sched_yield", (X32_SYSCALL_BIT + 24) }, + { "seccomp", (X32_SYSCALL_BIT + 317) }, { "security", (X32_SYSCALL_BIT + 185) }, { "select", (X32_SYSCALL_BIT + 23) }, { "semctl", (X32_SYSCALL_BIT + 66) }, Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x86_64.h" -/* NOTE: based on Linux 3.16-rc1 */ +/* NOTE: based on Linux 3.17-rc1+ */ const struct arch_syscall_def x86_64_syscall_table[] = { \ { "_llseek", __PNR__llseek }, { "_newselect", __PNR__newselect }, @@ -138,6 +138,7 @@ const struct arch_syscall_def x86_64_sys { "getpmsg", 181 }, { "getppid", 110 }, { "getpriority", 140 }, + { "getrandom", 318 }, { "getresgid", 120 }, { "getresgid32", __PNR_getresgid32 }, { "getresuid", 118 }, @@ -171,6 +172,7 @@ const struct arch_syscall_def x86_64_sys { "ioprio_set", 251 }, { "ipc", __PNR_ipc }, { "kcmp", 312 }, + { "kexec_file_load", 320 }, { "kexec_load", 246 }, { "keyctl", 250 }, { "kill", 62 }, @@ -191,6 +193,7 @@ const struct arch_syscall_def x86_64_sys { "lstat64", __PNR_lstat64 }, { "madvise", 28 }, { "mbind", 237 }, + { "memfd_create", 319 }, { "migrate_pages", 256 }, { "mincore", 27 }, { "mkdir", 83 }, @@ -275,7 +278,7 @@ const struct arch_syscall_def x86_64_sys { "removexattr", 197 }, { "rename", 82 }, { "renameat", 264 }, - { "renameat2", __PNR_renameat2 }, + { "renameat2", 316 }, { "request_key", 249 }, { "restart_syscall", 219 }, { "rmdir", 84 }, 
@@ -299,6 +302,7 @@ const struct arch_syscall_def x86_64_sys { "sched_setparam", 142 }, { "sched_setscheduler", 144 }, { "sched_yield", 24 }, + { "seccomp", 317 }, { "security", 185 }, { "select", 23 }, { "semctl", 66 }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x86.h" -/* NOTE: based on Linux 3.16-rc1 */ +/* NOTE: based on Linux 3.17-rc1+ */ static const struct arch_syscall_def x86_syscall_table[] = { \ { "_llseek", 140 }, { "_newselect", 142 }, @@ -138,6 +138,7 @@ static const struct arch_syscall_def x86 { "getpmsg", 188 }, { "getppid", 64 }, { "getpriority", 96 }, + { "getrandom", 355 }, { "getresgid", 171 }, { "getresgid32", 211 }, { "getresuid", 165 }, @@ -171,6 +172,7 @@ static const struct arch_syscall_def x86 { "ioprio_set", 289 }, { "ipc", 117 }, { "kcmp", 349 }, + { "kexec_file_load", __PNR_kexec_file_load }, { "kexec_load", 283 }, { "keyctl", 288 }, { "kill", 37 }, @@ -191,6 +193,7 @@ static const struct arch_syscall_def x86 { "lstat64", 196 }, { "madvise", 219 }, { "mbind", 274 }, + { "memfd_create", 356 }, { "migrate_pages", 294 }, { "mincore", 218 }, { "mkdir", 39 }, @@ -275,7 +278,7 @@ static const struct arch_syscall_def x86 { "removexattr", 235 }, { "rename", 38 }, { "renameat", 302 }, - { "renameat2", __PNR_renameat2 }, + { "renameat2", 353 }, { "request_key", 287 }, { "restart_syscall", 0 }, { "rmdir", 40 }, @@ -299,6 +302,7 @@ static const struct arch_syscall_def x86 { "sched_setparam", 154 }, { "sched_setscheduler", 156 }, { "sched_yield", 158 }, + { "seccomp", 354 }, { "security", __PNR_security }, { "select", 82 }, { "semctl", __PNR_semctl }, debian/patches/update-x86_64-syscall-table.patch0000664000000000000000000000277312520511721016620 0ustar From 3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4 Mon Sep 17 00:00:00 2001 
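Review bot: the diffstat in the header of sync-syscall-table-entries-3.17.patch lists src/arch-mips-syscalls.c, src/arch-mips64-syscalls.c and src/arch-mips64n32-syscalls.c, but the backported diff only carries the arm, x32, x86_64 and x86 hunks (the changelog says MIPS was skipped on purpose). Either trim the stat to the hunks actually shipped or add a line under the upstream message noting the omission, so the patch header does not claim files it never touches.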
From: Paul Moore Date: Wed, 25 Jun 2014 11:35:40 -0400 Subject: [PATCH] arch: update the x86_64 syscall table Signed-off-by: Paul Moore --- src/arch-x86_64-syscalls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -26,8 +26,9 @@ #include "arch.h" #include "arch-x86_64.h" -/* NOTE: based on Linux 3.4.7 */ +/* NOTE: based on Linux 3.16-rc1 */ const struct arch_syscall_def x86_64_syscall_table[] = { \ + { "_sysctl", 156 }, { "accept", 43 }, { "accept4", 288 }, { "access", 21 }, @@ -286,10 +287,12 @@ const struct arch_syscall_def x86_64_sys { "sched_get_priority_max", 146 }, { "sched_get_priority_min", 147 }, { "sched_getaffinity", 204 }, + { "sched_getattr", 315 }, { "sched_getparam", 143 }, { "sched_getscheduler", 145 }, { "sched_rr_get_interval", 148 }, { "sched_setaffinity", 203 }, + { "sched_setattr", 314 }, { "sched_setparam", 142 }, { "sched_setscheduler", 144 }, { "sched_yield", 24 }, @@ -373,7 +376,6 @@ const struct arch_syscall_def x86_64_sys { "sync_file_range2", __PNR_sync_file_range2 }, { "syncfs", 306 }, { "syscall", __PNR_syscall }, - { "_sysctl", 156 }, { "sysfs", 139 }, { "sysinfo", 99 }, { "syslog", 103 }, debian/patches/bpf-use-state-arch.patch0000664000000000000000000000430513033267635015244 0ustar From 9ca83f455562fe8a972823d0e101cc71a8063547 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Sat, 8 Feb 2014 10:24:05 -0500 Subject: [PATCH] bpf: use state->arch instead of db->arch in _gen_bpf_arch() Signed-off-by: Paul Moore Index: libseccomp-2.1.1/src/gen_bpf.c =================================================================== --- libseccomp-2.1.1.orig/src/gen_bpf.c +++ libseccomp-2.1.1/src/gen_bpf.c 
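Review bot: in update-x86_64-syscall-table.patch, besides adding sched_getattr (315) and sched_setattr (314), the `_sysctl` entry is deleted from its place after `syscall` and re-added at the top of the table, and the commit message does not say why. If any lookup in the library assumes the table is sorted (`_` sorts before letters), say so, so the move is recognisable as a correctness fix rather than churn; if nothing depends on the order, keep the reordering out of a patch titled as a table update.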
@@ -1149,8 +1149,8 @@ static struct bpf_blk *_gen_bpf_arch(str } } - if ((db->arch->token == SCMP_ARCH_X86_64 || - db->arch->token == SCMP_ARCH_X32) && (db_secondary == NULL)) + if ((state->arch->token == SCMP_ARCH_X86_64 || + state->arch->token == SCMP_ARCH_X32) && (db_secondary == NULL)) acc_reset = false; else acc_reset = true; @@ -1186,14 +1186,14 @@ static struct bpf_blk *_gen_bpf_arch(str } /* additional ABI filtering */ - if ((db->arch->token == SCMP_ARCH_X86_64 || - db->arch->token == SCMP_ARCH_X32) && (db_secondary == NULL)) { + if ((state->arch->token == SCMP_ARCH_X86_64 || + state->arch->token == SCMP_ARCH_X32) && (db_secondary == NULL)) { _BPF_INSTR(instr, BPF_LD + BPF_ABS, _BPF_JMP_NO, _BPF_JMP_NO, _BPF_SYSCALL); b_new = _blk_append(state, NULL, &instr); if (b_new == NULL) goto arch_failure; - if (db->arch->token == SCMP_ARCH_X86_64) { + if (state->arch->token == SCMP_ARCH_X86_64) { /* filter out x32 */ _BPF_INSTR(instr, BPF_JMP + BPF_JGE, _BPF_JMP_NXT(blk_cnt++), _BPF_JMP_NO, @@ -1202,7 +1202,7 @@ static struct bpf_blk *_gen_bpf_arch(str instr.jf = _BPF_JMP_HSH(b_head->hash); else instr.jf = _BPF_JMP_HSH(state->def_hsh); - } else if (db->arch->token == SCMP_ARCH_X32) { + } else if (state->arch->token == SCMP_ARCH_X32) { /* filter out x86_64 */ _BPF_INSTR(instr, BPF_JMP + BPF_JGE, _BPF_JMP_NO, _BPF_JMP_NXT(blk_cnt++), 
@@ -1229,7 +1229,7 @@ static struct bpf_blk *_gen_bpf_arch(str /* do the ABI/architecture check */ _BPF_INSTR(instr, BPF_JMP + BPF_JEQ, _BPF_JMP_NO, _BPF_JMP_NXT(blk_cnt++), - _BPF_K(db->arch->token_bpf)); + _BPF_K(state->arch->token_bpf)); if (b_head != NULL) instr.jt = _BPF_JMP_HSH(b_head->hash); else debian/patches/add-mlock2.patch0000664000000000000000000000426213024347352013564 0ustar Subject: Add mlock2 syscall Backport only the portion of the upstream libseccomp commit that added the mlock2 syscall. Author: Paul Moore Origin: backport, https://github.com/seccomp/libseccomp/commit/173b96ba8d36a4b1954e99570e82f2f932fe056a Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c @@ -218,6 +218,7 @@ const struct arch_syscall_def arm_syscal { "mknod", (__NR_SYSCALL_BASE + 14) }, { "mknodat", (__NR_SYSCALL_BASE + 324) }, { "mlock", (__NR_SYSCALL_BASE + 150) }, + { "mlock2", (__NR_SYSCALL_BASE + 390) }, { "mlockall", (__NR_SYSCALL_BASE + 152) }, { "mmap", (__NR_SYSCALL_BASE + 90) }, { "mmap2", (__NR_SYSCALL_BASE + 192) }, Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c @@ -202,6 +202,7 @@ const struct arch_syscall_def x32_syscal { "mknod", (X32_SYSCALL_BIT + 133) }, { "mknodat", (X32_SYSCALL_BIT + 259) }, { "mlock", (X32_SYSCALL_BIT + 149) }, + { "mlock2", (X32_SYSCALL_BIT + 325) }, { "mlockall", (X32_SYSCALL_BIT + 151) }, { "mmap", (X32_SYSCALL_BIT + 9) }, { "mmap2", __PNR_mmap2 }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c 
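Review bot: bpf-use-state-arch.patch swaps `db->arch` for `state->arch` everywhere it touches in _gen_bpf_arch() without saying when the two differ. The context shows the function also receives a `db_secondary`, so presumably `db` may be the secondary-ABI filter while `state->arch` is the ABI the BPF is being generated for; one sentence to that effect in the commit message would let a reviewer confirm that no `db->arch` use was missed in the parts of the function this patch does not show.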
@@ -204,6 +204,7 @@ static const struct arch_syscall_def x86 { "mknod", 14 }, { "mknodat", 297 }, { "mlock", 150 }, + { "mlock2", 376 }, { "mlockall", 152 }, { "mmap", 90 }, { "mmap2", 192 }, Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -204,6 +204,7 @@ const struct arch_syscall_def x86_64_sys { "mknod", 133 }, { "mknodat", 259 }, { "mlock", 149 }, + { "mlock2", 325 }, { "mlockall", 151 }, { "mmap", 9 }, { "mmap2", __PNR_mmap2 }, debian/patches/resolve-issues-caused-by-be.patch0000664000000000000000000004305013033271234017066 0ustar From 61fee77783fd458739eb6104f13d53bddfa389ac Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Sun, 9 Feb 2014 07:51:04 -0500 Subject: [PATCH] all: resolve issues caused by big endian systems There are two major issues resolved in this patch: proper support for generating BPF on big endian systems, and ensuring we build the BPF correctly when the host system does not share the same endianess as the target platform. Relevant discussion in LKML regarding BPF on big endian systems: https://lkml.org/lkml/2012/4/8/87 Inspired by an earlier patch from Markos Chandras. Signed-off-by: Paul Moore Index: libseccomp-2.1.1/src/arch-arm.h =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm.h +++ libseccomp-2.1.1/src/arch-arm.h @@ -31,6 +31,8 @@ extern const struct arch_def arch_def_arm; +#define arm_arg_offset(x) (offsetof(struct seccomp_data, args[x])) + int arm_syscall_resolve_name(const char *name); const char *arm_syscall_resolve_num(int num); Index: libseccomp-2.1.1/src/arch-x32.h =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32.h +++ libseccomp-2.1.1/src/arch-x32.h 
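Review bot: add-mlock2.patch adds the mlock2 numbers to the four syscall tables but not the `__PNR_mlock2` / `#ifndef __NR_mlock2` fallback that the 3.17 sync adds to include/seccomp.h.in for getrandom, memfd_create and kexec_file_load. On a 14.04 toolchain whose headers predate mlock2, code that refers to the syscall through the `__NR_mlock2` macro will not compile, even though resolving the name at run time through the table works (the changelog already had to skip the getrandom tests for the same reason). Add the header definition with the next free `__PNR_` value, or state in the patch description that only name resolution is supported.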
@@ -33,6 +33,8 @@ extern const struct arch_def arch_def_x32; +#define x32_arg_offset(x) (offsetof(struct seccomp_data, args[x])) + int x32_syscall_resolve_name(const char *name); const char *x32_syscall_resolve_num(int num); Index: libseccomp-2.1.1/src/arch-x86.h =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86.h +++ libseccomp-2.1.1/src/arch-x86.h @@ -32,6 +32,8 @@ extern const struct arch_def arch_def_x86; +#define x86_arg_offset(x) (offsetof(struct seccomp_data, args[x])) + int x86_syscall_resolve_name(const char *name); const char *x86_syscall_resolve_num(int num); Index: libseccomp-2.1.1/src/arch-x86_64.h =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64.h +++ libseccomp-2.1.1/src/arch-x86_64.h @@ -31,8 +31,9 @@ extern const struct arch_def arch_def_x86_64; -#define x86_64_arg_offset_lo(x) (arch_arg_offset(x)) -#define x86_64_arg_offset_hi(x) (arch_arg_offset(x) + 4) +#define x86_64_arg_offset(x) (offsetof(struct seccomp_data, args[x])) +#define x86_64_arg_offset_lo(x) (x86_64_arg_offset(x)) +#define x86_64_arg_offset_hi(x) (x86_64_arg_offset(x) + 4) int x86_64_syscall_resolve_name(const char *name); const char *x86_64_syscall_resolve_num(int num); Index: libseccomp-2.1.1/src/arch.c =================================================================== --- libseccomp-2.1.1.orig/src/arch.c +++ libseccomp-2.1.1/src/arch.c 
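Review bot: in the arch-*.h hunks of resolve-issues-caused-by-be.patch, arm, x32, x86 and x86_64 each gain their own `<arch>_arg_offset(x)` macro with the identical body `offsetof(struct seccomp_data, args[x])`, replacing the single `arch_arg_offset(_arg)` that arch.h used to provide. Four copies are only justified if some architecture will actually differ; meanwhile x86_64's `_lo`/`_hi` split (`+ 4` for the high word) bakes in little-endian layout, which is exactly what a big-endian target has to invert. Put a comment on the x86_64 macros saying the split is per-endianness, so the next big-endian port does not copy it verbatim.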
@@ -158,6 +158,32 @@ int arch_arg_offset_hi(const struct arch } /** + * Determine the argument offset + * @param arch the architecture definition + * @param arg the argument number + * + * Determine the correct offset for the given argument based on the + * architecture definition. Returns the offset on success, negative values on + * failure. + * + */ +int arch_arg_offset(const struct arch_def *arch, unsigned int arg) +{ + switch (arch->token) { + case SCMP_ARCH_X86: + return x86_arg_offset(arg); + case SCMP_ARCH_X86_64: + return x86_64_arg_offset(arg); + case SCMP_ARCH_X32: + return x32_arg_offset(arg); + case SCMP_ARCH_ARM: + return arm_arg_offset(arg); + default: + return -EDOM; + } +} + +/** * Resolve a syscall name to a number * @param arch the architecture definition * @param name the syscall name Index: libseccomp-2.1.1/src/arch.h =================================================================== --- libseccomp-2.1.1.orig/src/arch.h +++ libseccomp-2.1.1/src/arch.h @@ -81,17 +81,9 @@ const struct arch_def *arch_def_lookup(u int arch_arg_count_max(const struct arch_def *arch); -/** - * Determine the argument offset - * @param _arg the argument number - * - * Return the correct offset of the given argument. - * - */ -#define arch_arg_offset(_arg) (offsetof(struct seccomp_data, args[_arg])) - int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg); int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg); +int arch_arg_offset(const struct arch_def *arch, unsigned int arg); int arch_syscall_resolve_name(const struct arch_def *arch, const char *name); const char *arch_syscall_resolve_num(const struct arch_def *arch, int num); Index: libseccomp-2.1.1/src/db.c =================================================================== --- libseccomp-2.1.1.orig/src/db.c +++ libseccomp-2.1.1/src/db.c 
@@ -995,7 +995,7 @@ static struct db_sys_list *_db_rule_gen_ memset(c_iter, 0, sizeof(*c_iter)); c_iter->refcnt = 1; c_iter->arg = chain[iter].arg; - c_iter->arg_offset = arch_arg_offset(c_iter->arg); + c_iter->arg_offset = arch_arg_offset(arch, c_iter->arg); c_iter->op = chain[iter].op; c_iter->mask = chain[iter].mask; c_iter->datum = chain[iter].datum; Index: libseccomp-2.1.1/src/gen_bpf.c =================================================================== --- libseccomp-2.1.1.orig/src/gen_bpf.c +++ libseccomp-2.1.1/src/gen_bpf.c @@ -26,6 +26,11 @@ #include #include +#ifndef _BSD_SOURCE +#define _BSD_SOURCE +#endif +#include + #include #include "arch.h" @@ -65,6 +70,8 @@ struct bpf_jump { } tgt; enum bpf_jump_type type; }; +#define _BPF_OP(a,x) \ + (_htot16(a,x)) #define _BPF_JMP_NO \ ((struct bpf_jump) { .type = TGT_NONE }) #define _BPF_JMP_NXT(x) \ @@ -77,8 +84,8 @@ struct bpf_jump { ((struct bpf_jump) { .type = TGT_PTR_BLK, .tgt = { .blk = (x) } }) #define _BPF_JMP_HSH(x) \ ((struct bpf_jump) { .type = TGT_PTR_HSH, .tgt = { .hash = (x) } }) -#define _BPF_K(x) \ - ((struct bpf_jump) { .type = TGT_K, .tgt = { .imm_k = (x) } }) +#define _BPF_K(a,x) \ + ((struct bpf_jump) { .type = TGT_K, .tgt = { .imm_k = _htot32(a,x) } }) #define _BPF_JMP_MAX 255 #define _BPF_JMP_MAX_RET 255 @@ -89,7 +96,7 @@ struct bpf_instr { struct bpf_jump k; }; #define _BPF_OFFSET_SYSCALL (offsetof(struct seccomp_data, nr)) -#define _BPF_SYSCALL _BPF_K(_BPF_OFFSET_SYSCALL) +#define _BPF_SYSCALL(a) _BPF_K(a,_BPF_OFFSET_SYSCALL) struct bpf_blk { struct bpf_instr *blks; 
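Review bot: the src/db.c hunk stores the result of arch_arg_offset(arch, c_iter->arg) without checking it, and the new arch_arg_offset() in the arch.c hunk above returns -EDOM for an unknown architecture token. A negative errno would land in c_iter->arg_offset and later be emitted as a BPF load offset; test for a negative return here and fail the rule generation instead of carrying the value forward.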
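Review bot: in the src/gen_bpf.c include hunk, _BSD_SOURCE is defined after two headers have already been included; glibc feature-test macros only take effect when they are defined before the first system header, so whether htole32()/htobe32() are visible from the new endian include depends on what those earlier headers pulled in. Move the define to the top of the file (or pass it in CPPFLAGS), and note that glibc 2.20 and later deprecate _BSD_SOURCE in favour of _DEFAULT_SOURCE, so newer toolchains will warn. The tools/scmp_bpf_sim.c include hunk later in this patch has the same ordering.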
@@ -172,6 +179,38 @@ static struct bpf_blk *_hsh_remove(struc static struct bpf_blk *_hsh_find(const struct bpf_state *state, uint64_t h_val); /** + * Convert a 16-bit host integer into the target's endianess + * @param arch the architecture definition + * @param val the 16-bit integer + * + * Convert the endianess of the supplied value and return it to the caller. + * + */ +uint16_t _htot16(const struct arch_def *arch, uint16_t val) +{ + if (arch->endian == ARCH_ENDIAN_LITTLE) + return htole16(val); + else + return htobe16(val); +} + +/** + * Convert a 32-bit host integer into the target's endianess + * @param arch the architecture definition + * @param val the 32-bit integer + * + * Convert the endianess of the supplied value and return it to the caller. + * + */ +uint32_t _htot32(const struct arch_def *arch, uint32_t val) +{ + if (arch->endian == ARCH_ENDIAN_LITTLE) + return htole32(val); + else + return htobe32(val); +} + +/** * Free the BPF instruction block * @param state the BPF state * @param blk the BPF instruction block @@ -627,7 +666,8 @@ static struct bpf_blk *_gen_bpf_action(s { struct bpf_instr instr; - _BPF_INSTR(instr, BPF_RET, _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(action)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_RET), + _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(state->arch, action)); return _blk_append(state, blk, &instr); } @@ -701,8 +741,9 @@ static struct bpf_blk *_gen_bpf_node(str /* reload the accumulator */ a_state->offset = acc_offset; a_state->mask = ARG_MASK_MAX; - _BPF_INSTR(instr, BPF_LD + BPF_ABS, - _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(acc_offset)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, acc_offset)); blk = _blk_append(state, blk, &instr); if (blk == NULL) goto node_failure; 
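Review bot: _htot16() and _htot32() in the gen_bpf.c hunk are defined without static, unlike the neighbouring _hsh_find() and the other internal helpers, so they become exported symbols of the shared library and will have to be accounted for in the symbols file. tools/scmp_bpf_sim.c in the same patch defines its own _htot32() with a different signature (a uint32_t arch token instead of a struct arch_def pointer), which is a latent duplicate-symbol problem for tools linked against libseccomp.a. Make both sets static inline.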
@@ -710,8 +751,9 @@ static struct bpf_blk *_gen_bpf_node(str if (acc_mask != a_state->mask) { /* apply the bitmask */ a_state->mask = acc_mask; - _BPF_INSTR(instr, BPF_ALU + BPF_AND, - _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(acc_mask)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_ALU + BPF_AND), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, acc_mask)); blk = _blk_append(state, blk, &instr); if (blk == NULL) goto node_failure; @@ -721,16 +763,19 @@ static struct bpf_blk *_gen_bpf_node(str switch (node->op) { case SCMP_CMP_MASKED_EQ: case SCMP_CMP_EQ: - _BPF_INSTR(instr, BPF_JMP + BPF_JEQ, - _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(node->datum)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JEQ), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, node->datum)); break; case SCMP_CMP_GT: - _BPF_INSTR(instr, BPF_JMP + BPF_JGT, - _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(node->datum)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JGT), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, node->datum)); break; case SCMP_CMP_GE: - _BPF_INSTR(instr, BPF_JMP + BPF_JGE, - _BPF_JMP_NO, _BPF_JMP_NO, _BPF_K(node->datum)); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JGE), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, node->datum)); break; case SCMP_CMP_NE: case SCMP_CMP_LT: @@ -1021,8 +1066,9 @@ static struct bpf_blk *_gen_bpf_syscall( /* setup the accumulator state */ if (acc_reset) { - _BPF_INSTR(instr, BPF_LD + BPF_ABS, _BPF_JMP_NO, _BPF_JMP_NO, - _BPF_SYSCALL); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_SYSCALL(state->arch)); blk_s = _blk_append(state, NULL, &instr); if (blk_s == NULL) return NULL; 
@@ -1040,9 +1086,9 @@ static struct bpf_blk *_gen_bpf_syscall( return NULL; /* syscall check */ - _BPF_INSTR(instr, BPF_JMP + BPF_JEQ, + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JEQ), _BPF_JMP_HSH(blk_c->hash), _BPF_JMP_HSH(nxt_hash), - _BPF_K(sys->num)); + _BPF_K(state->arch, sys->num)); blk_s = _blk_append(state, blk_s, &instr); if (blk_s == NULL) return NULL; @@ -1188,25 +1234,27 @@ static struct bpf_blk *_gen_bpf_arch(str /* additional ABI filtering */ if ((state->arch->token == SCMP_ARCH_X86_64 || state->arch->token == SCMP_ARCH_X32) && (db_secondary == NULL)) { - _BPF_INSTR(instr, BPF_LD + BPF_ABS, _BPF_JMP_NO, _BPF_JMP_NO, - _BPF_SYSCALL); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), + _BPF_JMP_NO, _BPF_JMP_NO, _BPF_SYSCALL(state->arch)); b_new = _blk_append(state, NULL, &instr); if (b_new == NULL) goto arch_failure; if (state->arch->token == SCMP_ARCH_X86_64) { /* filter out x32 */ - _BPF_INSTR(instr, BPF_JMP + BPF_JGE, + _BPF_INSTR(instr, + _BPF_OP(state->arch, BPF_JMP + BPF_JGE), _BPF_JMP_NXT(blk_cnt++), _BPF_JMP_NO, - _BPF_K(X32_SYSCALL_BIT)); + _BPF_K(state->arch, X32_SYSCALL_BIT)); if (b_head != NULL) instr.jf = _BPF_JMP_HSH(b_head->hash); else instr.jf = _BPF_JMP_HSH(state->def_hsh); } else if (state->arch->token == SCMP_ARCH_X32) { /* filter out x86_64 */ - _BPF_INSTR(instr, BPF_JMP + BPF_JGE, + _BPF_INSTR(instr, + _BPF_OP(state->arch, BPF_JMP + BPF_JGE), _BPF_JMP_NO, _BPF_JMP_NXT(blk_cnt++), - _BPF_K(X32_SYSCALL_BIT)); + _BPF_K(state->arch, X32_SYSCALL_BIT)); if (b_head != NULL) instr.jt = _BPF_JMP_HSH(b_head->hash); else @@ -1227,9 +1275,9 @@ static struct bpf_blk *_gen_bpf_arch(str } /* do the ABI/architecture check */ - _BPF_INSTR(instr, BPF_JMP + BPF_JEQ, + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JEQ), _BPF_JMP_NO, _BPF_JMP_NXT(blk_cnt++), - _BPF_K(state->arch->token_bpf)); + _BPF_K(state->arch, state->arch->token_bpf)); if (b_head != NULL) instr.jt = _BPF_JMP_HSH(b_head->hash); else 
@@ -1382,7 +1430,8 @@ static int _gen_bpf_build_jmp(struct bpf if (b_tgt == blk) return -EFAULT; - if (b_tgt->blk_cnt == 1 && b_tgt->blks[0].op == BPF_RET) { + if (b_tgt->blk_cnt == 1 && + b_tgt->blks[0].op == _BPF_OP(state->arch, BPF_RET)) { rc = _gen_bpf_build_jmp_ret(state, blk, offset, b_tgt); if (rc == 1) return 1; @@ -1416,7 +1465,7 @@ static int _gen_bpf_build_jmp(struct bpf return -EFAULT; /* we need to insert a long jump - create one */ - _BPF_INSTR(instr, BPF_JMP + BPF_JA, + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_JMP + BPF_JA), _BPF_JMP_NO, _BPF_JMP_NO, _BPF_JMP_HSH(tgt_hash)); b_new = _blk_append(state, NULL, &instr); if (b_new == NULL) @@ -1461,10 +1510,16 @@ static int _gen_bpf_build_bpf(struct bpf struct bpf_blk *b_badarch, *b_default; struct bpf_blk *b_head = NULL, *b_tail = NULL, *b_iter, *b_new, *b_jmp; struct db_filter *db_secondary = NULL; + struct arch_def pseudo_arch; if (col->filter_cnt == 0) return -EINVAL; + /* create a fake architecture definition for use in the early stages */ + memset(&pseudo_arch, 0, sizeof(pseudo_arch)); + pseudo_arch.endian = col->endian; + state->arch = &pseudo_arch; + /* generate the badarch action */ b_badarch = _gen_bpf_action(state, NULL, state->attr->act_badarch); if (b_badarch == NULL) @@ -1483,8 +1538,9 @@ static int _gen_bpf_build_bpf(struct bpf state->def_hsh = b_default->hash; /* load the architecture token/number */ - _BPF_INSTR(instr, BPF_LD + BPF_ABS, _BPF_JMP_NO, _BPF_JMP_NO, - _BPF_K(offsetof(struct seccomp_data, arch))); + _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, offsetof(struct seccomp_data, arch))); b_head = _blk_append(state, NULL, &instr); if (b_head == NULL) return -ENOMEM; 
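Review bot: the _gen_bpf_build_bpf() hunk reads col->endian, a field this patch does not introduce (it is added by the db-require-filters-to-share-endianess patch further down), so the series only builds if that patch is applied first; worth stating in the patch header. pseudo_arch is also zero-filled apart from endian, so its token is 0: that is fine for _gen_bpf_action(), which only needs the endianness for _BPF_OP()/_BPF_K(), but nothing may consult state->arch->token before a real architecture is installed, and the later "reset the state to the pseudo_arch" hunk deliberately leaves the same token-less definition in place for the jump resolution; a comment saying that only endian is valid in pseudo_arch would prevent later misuse.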
@@ -1532,6 +1588,9 @@ static int _gen_bpf_build_bpf(struct bpf b_tail->next = b_badarch; b_tail = b_badarch; + /* reset the state to the pseudo_arch for the final resolution */ + state->arch = &pseudo_arch; + /* resolve any TGT_NXT jumps at the top level */ b_iter = b_head; do { @@ -1684,7 +1743,7 @@ static int _gen_bpf_build_bpf(struct bpf } if (b_jmp == NULL) goto build_bpf_free_blks; - i_iter->k = _BPF_K(jmp_len); + i_iter->k = _BPF_K(state->arch, jmp_len); } } Index: libseccomp-2.1.1/tools/scmp_bpf_sim.c =================================================================== --- libseccomp-2.1.1.orig/tools/scmp_bpf_sim.c +++ libseccomp-2.1.1/tools/scmp_bpf_sim.c @@ -31,6 +31,11 @@ #include #include +#ifndef _BSD_SOURCE +#define _BSD_SOURCE +#endif +#include + #include "bpf.h" #define BPF_PRG_MAX_LEN 4096 
@@ -51,6 +56,54 @@ struct bpf_program { static unsigned int opt_verbose = 0; /** + * Convert a 16-bit target integer into the host's endianess + * @param arch the architecture token + * @param val the 16-bit integer + * + * Convert the endianess of the supplied value and return it to the caller. + * + */ +uint16_t _ttoh16(uint32_t arch, uint16_t val) +{ + if (arch & __AUDIT_ARCH_LE) + return le16toh(val); + else + return be16toh(val); +} + +/** + * Convert a 32-bit target integer into the host's endianess + * @param arch the architecture token + * @param val the 32-bit integer + * + * Convert the endianess of the supplied value and return it to the caller. + * + */ +uint32_t _ttoh32(uint32_t arch, uint32_t val) +{ + if (arch & __AUDIT_ARCH_LE) + return le32toh(val); + else + return be32toh(val); +} + +/** + * Convert a 32-bit host integer into the target's endianess + * @param arch the architecture token + * @param val the 32-bit integer + * + * Convert the endianess of the supplied value and return it to the caller. + * + */ +uint32_t _htot32(uint32_t arch, uint32_t val) +{ + if (arch & __AUDIT_ARCH_LE) + return htole32(val); + else + return htobe32(val); +} + +/** * Print the usage information to stderr and exit * @param program the name of the current program being invoked * @@ -152,6 +205,10 @@ static void bpf_execute(const struct bpf struct sim_state state; bpf_instr_raw *bpf; unsigned char *sys_data_b = (unsigned char *)sys_data; + uint16_t code; + uint8_t jt; + uint8_t jf; + uint32_t k; /* initialize the machine state */ ip_c = 0; 
@@ -163,42 +220,48 @@ static void bpf_execute(const struct bpf ip_c = ip; bpf = &prg->i[ip++]; - switch (bpf->code) { + code = _ttoh16(sys_data->arch, bpf->code); + jt = bpf->jt; + jf = bpf->jf; + k = _ttoh32(sys_data->arch, bpf->k); + + switch (code) { case BPF_LD+BPF_W+BPF_ABS: - if (bpf->k < BPF_SYSCALL_MAX) - state.acc = *((uint32_t *)&sys_data_b[bpf->k]); - else + if (bpf->k < BPF_SYSCALL_MAX) { + uint32_t val = *((uint32_t *)&sys_data_b[k]); + state.acc = _htot32(sys_data->arch, val); + } else exit_error(ERANGE, ip_c); break; case BPF_ALU+BPF_OR+BPF_K: - state.acc |= bpf->k; + state.acc |= k; break; case BPF_ALU+BPF_AND+BPF_K: - state.acc &= bpf->k; + state.acc &= k; break; case BPF_JMP+BPF_JA: - ip += bpf->k; + ip += k; break; case BPF_JMP+BPF_JEQ+BPF_K: - if (state.acc == bpf->k) - ip += bpf->jt; + if (state.acc == k) + ip += jt; else - ip += bpf->jf; + ip += jf; break; case BPF_JMP+BPF_JGT+BPF_K: - if (state.acc > bpf->k) - ip += bpf->jt; + if (state.acc > k) + ip += jt; else - ip += bpf->jf; + ip += jf; break; case BPF_JMP+BPF_JGE+BPF_K: - if (state.acc >= bpf->k) - ip += bpf->jt; + if (state.acc >= k) + ip += jt; else - ip += bpf->jf; + ip += jf; break; case BPF_RET+BPF_K: - end_action(bpf->k, ip_c); + end_action(k, ip_c); break; default: /* since we don't support the full bpf language just debian/patches/db-require-filters-to-share-endianess.patch0000664000000000000000000000420213033271153021030 0ustar From 206da04b8b2366d9efb963569bb89fe82ed2d1ba Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Sun, 9 Feb 2014 07:29:26 -0500 Subject: [PATCH] db: require all filters in a collection to share the same endianess There is almost no good reason why you would need to create a single filter which included architectures/ABIs that did not share the same endianess so explicitly disallow it. Signed-off-by: Paul Moore --- src/db.c | 12 ++++++++++++ src/db.h | 1 + 2 files changed, 13 insertions(+) diff --git a/src/db.c b/src/db.c index 345a654..e59e0c5 100644 
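Review bot: in the BPF_LD+BPF_W+BPF_ABS case of the bpf_execute() hunk the bounds check still tests the raw bpf->k while the load indexes with the converted k; when the program's byte order differs from the host the check is made against a byte-swapped value, so an offset outside seccomp_data can pass and read past sys_data_b (or a valid offset be rejected with ERANGE). Test k instead, and since four bytes are read the check should cover k plus sizeof(uint32_t) rather than only the start offset. Also, k is converted target-to-host but state.acc is converted host-to-target before the state.acc == k comparisons; that is only consistent if sys_data has already been byte-swapped into the target order before bpf_execute() is called, which this hunk does not show and which deserves a comment at the call site.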
--- a/src/db.c +++ b/src/db.c @@ -392,6 +392,9 @@ void db_col_reset(struct db_filter_col *col, uint32_t def_action) free(col->filters); col->filters = NULL; + /* set the endianess to undefined */ + col->endian = 0; + /* set the default attribute values */ col->attr.act_default = def_action; col->attr.act_badarch = SCMP_ACT_KILL; @@ -477,6 +480,10 @@ int db_col_merge(struct db_filter_col *col_dst, struct db_filter_col *col_src) unsigned int iter_a, iter_b; struct db_filter **dbs; + /* verify that the endianess is a match */ + if (col_dst->endian != col_src->endian) + return -EEXIST; + /* make sure we don't have any arch/filter collisions */ for (iter_a = 0; iter_a < col_dst->filter_cnt; iter_a++) { for (iter_b = 0; iter_b < col_src->filter_cnt; iter_b++) { @@ -613,6 +620,9 @@ int db_col_db_add(struct db_filter_col *col, struct db_filter *db) { struct db_filter **dbs; + if (col->endian != 0 && col->endian != db->arch->endian) + return -EEXIST; + if (db_col_arch_exist(col, db->arch->token)) return -EEXIST; @@ -623,6 +633,8 @@ int db_col_db_add(struct db_filter_col *col, struct db_filter *db) col->filters = dbs; col->filter_cnt++; col->filters[col->filter_cnt - 1] = db; + if (col->endian == 0) + col->endian = db->arch->endian; return 0; } diff --git a/src/db.h b/src/db.h index c0472a5..29a4f17 100644 --- a/src/db.h +++ b/src/db.h @@ -145,6 +145,7 @@ struct db_filter_col { struct db_filter_attr attr; /* individual filters */ + int endian; struct db_filter **filters; unsigned int filter_cnt; }; debian/patches/sync-syscall-table-entries-fixtypo.patch0000664000000000000000000000137012520512613020516 0ustar From 76739812a3e23182504cde43403ddb9921e0e05a Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 27 Jun 2014 17:50:43 -0400 Subject: [PATCH] api: fix a typo in the header file 
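Review bot: the db_col_merge() hunk rejects the merge whenever col_dst->endian != col_src->endian, which also rejects the legitimate case where one side is still empty (endian is 0 right after db_col_reset() and before the first db_col_db_add()); allow a 0 on either side and copy the non-zero value into col_dst, as db_col_db_add() already does with "if (col->endian == 0) col->endian = db->arch->endian;". Both new checks also reuse -EEXIST, the errno the following arch-collision check returns, so callers cannot tell an endianness mismatch from a duplicate architecture; -EDOM (what arch_arg_offset() returns for an unknown arch) or -EINVAL would be clearer. The new "int endian;" member in db.h should carry a comment stating that it holds an ARCH_ENDIAN_* value with 0 meaning unset, since the neighbouring members are documented.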
Signed-off-by: Paul Moore --- include/seccomp.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libseccomp-2.1.1/include/seccomp.h.in =================================================================== --- libseccomp-2.1.1.orig/include/seccomp.h.in +++ libseccomp-2.1.1/include/seccomp.h.in @@ -1180,7 +1180,7 @@ int seccomp_export_bpf(const scmp_filter #define __PNR_timerfd -10107 #ifndef __NR_timerfd #define __NR_timerfd __PNR_timerfd -#endif /* __NR_sysmips */ +#endif /* __NR_timerfd */ #ifdef __cplusplus } debian/patches/add-finit-module.patch0000664000000000000000000000261312520517463014771 0ustar From 64152018ffdf971efefd84466db4a92002bb8b15 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Mon, 23 Jun 2014 16:19:49 -0500 Subject: [PATCH] add finit_module syscalls to x86 and x86-64 syscall tables Signed-off-by: Serge Hallyn Signed-off-by: Paul Moore --- src/arch-x86-syscalls.c | 2 +- src/arch-x86_64-syscalls.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -92,7 +92,7 @@ const struct arch_syscall_def x86_64_sys { "fcntl64", __PNR_fcntl64 }, { "fdatasync", 75 }, { "fgetxattr", 193 }, - { "finit_module", __PNR_finit_module }, + { "finit_module", 313 }, { "flistxattr", 196 }, { "flock", 73 }, { "fork", 57 }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c 
@@ -92,7 +92,7 @@ static const struct arch_syscall_def x86 { "fcntl64", 221 }, { "fdatasync", 148 }, { "fgetxattr", 231 }, - { "finit_module", __PNR_finit_module }, + { "finit_module", 350 }, { "flistxattr", 234 }, { "flock", 143 }, { "fork", 2 }, debian/patches/update-x86-syscall-table.patch0000664000000000000000000000402712520514236016305 0ustar From 9186136be7696ed63a8ddc06c9b397057abc5c75 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 25 Jun 2014 11:30:51 -0400 Subject: [PATCH] arch: update the x86 syscall table Signed-off-by: Paul Moore --- src/arch-x86-syscalls.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c @@ -26,8 +26,11 @@ #include "arch.h" #include "arch-x86.h" -/* NOTE: based on Linux 3.4.7 */ +/* NOTE: based on Linux 3.16-rc1 */ static const struct arch_syscall_def x86_syscall_table[] = { \ + { "_llseek", 140 }, + { "_newselect", 142 }, + { "_sysctl", 149 }, { "accept", __PNR_accept }, { "accept4", __PNR_accept4 }, { "access", 33 }, @@ -177,7 +180,6 @@ static const struct arch_syscall_def x86 { "listen", __PNR_listen }, { "listxattr", 232 }, { "llistxattr", 233 }, - { "_llseek", 140 }, { "lock", 53 }, { "lookup_dcookie", 253 }, { "lremovexattr", 236 }, @@ -219,7 +221,6 @@ static const struct arch_syscall_def x86 { "munmap", 91 }, { "name_to_handle_at", 341 }, { "nanosleep", 162 }, - { "_newselect", 142 }, { "newfstatat", __PNR_newfstatat }, { "nfsservctl", 169 }, { "nice", 34 }, 
@@ -286,10 +287,12 @@ static const struct arch_syscall_def x86 { "sched_get_priority_max", 159 }, { "sched_get_priority_min", 160 }, { "sched_getaffinity", 242 }, + { "sched_getattr", 352 }, { "sched_getparam", 155 }, { "sched_getscheduler", 157 }, { "sched_rr_get_interval", 161 }, { "sched_setaffinity", 241 }, + { "sched_setattr", 351 }, { "sched_setparam", 154 }, { "sched_setscheduler", 156 }, { "sched_yield", 158 }, @@ -373,7 +376,6 @@ static const struct arch_syscall_def x86 { "sync_file_range2", __PNR_sync_file_range2 }, { "syncfs", 344 }, { "syscall", __PNR_syscall }, - { "_sysctl", 149 }, { "sysfs", 135 }, { "sysinfo", 116 }, { "syslog", 103 }, debian/patches/bpf-track-accumulator-state.patch0000664000000000000000000002756113033267602017161 0ustar From eece06525d58d08fe6bb20e5f635eb02fd8d6eee Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 6 May 2015 15:36:24 -0400 Subject: [PATCH] bpf: track accumulator state and reload it when necessary It turns out there are a few corner cases where we incorrectly generate seccomp BPF due to poor accumulator state tracking for each BPF instruction block. This patch adds accumulator state tracking such that we know what any given instruction block expects from the accumulator and what value it leaves in the accumulator when it is finished. This allows us to veryify the accumulator state when assembling the instruction blocks into the final BPF program and if necessary we can insert accumulator load/mask instructions to maintain the proper accumulator state. Reported-by: Matthew Heon Signed-off-by: Paul Moore (imported from commit b43a7dde03f96ce6a291eb58f620c5d2b7700b51) Index: libseccomp-2.1.1/src/gen_bpf.c =================================================================== --- libseccomp-2.1.1.orig/src/gen_bpf.c +++ libseccomp-2.1.1/src/gen_bpf.c 
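Review bot: the header comment in the arch-x86-syscalls.c hunk now claims the table is based on Linux 3.16-rc1, but the visible hunks only add sched_setattr (351) and sched_getattr (352) and move the underscore-prefixed entries to the head of the table; renameat2, which i386 assigned number 353 in Linux 3.15, is not added, so the comment overstates what the table contains. Either add it in this update or keep the old baseline comment until the table really matches the stated kernel.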
@@ -48,6 +48,14 @@ struct acc_state { int32_t offset; uint32_t mask; }; +#define _ACC_STATE(x,y) \ + (struct acc_state){ .offset = (x), .mask = (y) } +#define _ACC_STATE_OFFSET(x) \ + _ACC_STATE(x,ARG_MASK_MAX) +#define _ACC_STATE_UNDEF \ + _ACC_STATE_OFFSET(-1) +#define _ACC_CMP_EQ(x,y) \ + ((x).offset == (y).offset && (x).mask == (y).mask) enum bpf_jump_type { TGT_NONE = 0, @@ -97,12 +105,19 @@ struct bpf_instr { }; #define _BPF_OFFSET_SYSCALL (offsetof(struct seccomp_data, nr)) #define _BPF_SYSCALL(a) _BPF_K(a,_BPF_OFFSET_SYSCALL) +#define _BPF_OFFSET_ARCH (offsetof(struct seccomp_data, arch)) +#define _BPF_ARCH(a) _BPF_K(a,_BPF_OFFSET_ARCH) struct bpf_blk { + /* bpf instructions */ struct bpf_instr *blks; unsigned int blk_cnt; unsigned int blk_alloc; + /* accumulator state */ + struct acc_state acc_start; + struct acc_state acc_end; + /* priority - higher is better */ unsigned int priority; @@ -119,7 +134,6 @@ struct bpf_blk { struct bpf_blk *hash_nxt; struct bpf_blk *prev, *next; struct bpf_blk *lvl_prv, *lvl_nxt; - struct acc_state acc_state; }; #define _BLK_MSZE(x) \ ((x)->blk_cnt * sizeof(*((x)->blks))) 
@@ -288,12 +302,70 @@ static void _blk_free(struct bpf_state * } /** + * Allocate and initialize a new instruction block + * + * Allocate a new BPF instruction block and perform some very basic + * initialization. Returns a pointer to the block on success, NULL on failure. + * + */ +static struct bpf_blk *_blk_alloc(void) +{ + struct bpf_blk *blk; + + blk = malloc(sizeof(*blk)); + if (blk == NULL) + return NULL; + + memset(blk, 0, sizeof(*blk)); + blk->flag_unique = true; + blk->acc_start = _ACC_STATE_UNDEF; + blk->acc_end = _ACC_STATE_UNDEF; + + return blk; +} + +/** + * Resize an instruction block + * @param state the BPF state + * @param blk the existing instruction block, or NULL + * @param size_add the minimum amount of instructions to add + * + * Resize the given instruction block such that it is at least as large as the + * current size plus @size_add. Returns a pointer to the block on success, + * NULL on failure. + * + */ +static struct bpf_blk *_blk_resize(struct bpf_state *state, + struct bpf_blk *blk, + unsigned int size_add) +{ + unsigned int size_adj = (AINC_BLK > size_add ? AINC_BLK : size_add); + struct bpf_instr *new; + + if (blk == NULL) + return NULL; + + if ((blk->blk_cnt + size_adj) <= blk->blk_alloc) + return blk; + + blk->blk_alloc += size_adj; + new = realloc(blk->blks, blk->blk_alloc * sizeof(*(blk->blks))); + if (new == NULL) { + _blk_free(state, blk); + return NULL; + } + blk->blks = new; + + return blk; +} + +/** * Append a new BPF instruction to an instruction block * @param state the BPF state * @param blk the existing instruction block, or NULL * @param instr the new instruction * - * Add the new BPF instruction to the end of the give instruction block. If + * Add the new BPF instruction to the end of the given instruction block. If * the given instruction block is NULL, a new block will be allocated. Returns * a pointer to the block on success, NULL on failure, and in the case of * failure the instruction block is free'd. 
@@ -303,30 +375,48 @@ static struct bpf_blk *_blk_append(struc struct bpf_blk *blk, const struct bpf_instr *instr) { - struct bpf_instr *new; - if (blk == NULL) { - blk = malloc(sizeof(*blk)); + blk = _blk_alloc(); if (blk == NULL) return NULL; - memset(blk, 0, sizeof(*blk)); - blk->flag_unique = true; - } - if ((blk->blk_cnt + 1) > blk->blk_alloc) { - blk->blk_alloc += AINC_BLK; - new = realloc(blk->blks, blk->blk_alloc * sizeof(*(blk->blks))); - if (new == NULL) { - _blk_free(state, blk); - return NULL; - } - blk->blks = new; } + + if (_blk_resize(state, blk, 1) == NULL) + return NULL; memcpy(&blk->blks[blk->blk_cnt++], instr, sizeof(*instr)); return blk; } /** + * Prepend a new BPF instruction to an instruction block + * @param state the BPF state + * @param blk the existing instruction block, or NULL + * @param instr the new instruction + * + * Add the new BPF instruction to the start of the given instruction block. + * If the given instruction block is NULL, a new block will be allocated. + * Returns a pointer to the block on success, NULL on failure, and in the case + * of failure the instruction block is free'd. + * + */ +static struct bpf_blk *_blk_prepend(struct bpf_state *state, + struct bpf_blk *blk, + const struct bpf_instr *instr) +{ + /* empty - we can treat this like a normal append operation */ + if (blk == NULL || blk->blk_cnt == 0) + return _blk_append(state, blk, instr); + + if (_blk_resize(state, blk, 1) == NULL) + return NULL; + memmove(&blk->blks[1], &blk->blks[0], blk->blk_cnt++ * sizeof(*instr)); + memcpy(&blk->blks[0], instr, sizeof(*instr)); + + return blk; +} + +/** * Append a block of BPF instructions to the final BPF program * @param prg the BPF program * @param blk the BPF instruction block 
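Review bot: in _blk_prepend() the blk->blk_cnt++ inside the memmove() size argument hides the count update in an expression; do the increment on its own line after the memmove()/memcpy() so that the pre-increment value being the number of instructions moved is obvious. The documentation block should also say that, as with _blk_append(), the block is freed on failure because _blk_resize() frees it, so callers must not reuse the pointer after a NULL return.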
@@ -713,9 +803,13 @@ static struct bpf_blk *_gen_bpf_node(str int32_t acc_offset; uint32_t acc_mask; uint64_t act_t_hash = 0, act_f_hash = 0; - struct bpf_blk *blk = NULL, *b_act; + struct bpf_blk *blk, *b_act; struct bpf_instr instr; - struct acc_state a_state_orig = *a_state; + + blk = _blk_alloc(); + if (blk == NULL) + return NULL; + blk->acc_start = *a_state; /* generate the action blocks */ if (node->act_t_flg) { @@ -747,6 +841,8 @@ static struct bpf_blk *_gen_bpf_node(str blk = _blk_append(state, blk, &instr); if (blk == NULL) goto node_failure; + /* we're not dependent on the accumulator anymore */ + blk->acc_start = _ACC_STATE_UNDEF; } if (acc_mask != a_state->mask) { /* apply the bitmask */ @@ -804,7 +900,7 @@ static struct bpf_blk *_gen_bpf_node(str goto node_failure; blk->node = node; - blk->acc_state = a_state_orig; + blk->acc_end = *a_state; return blk; node_failure: @@ -859,7 +955,7 @@ static struct bpf_blk *_gen_bpf_chain_lv case TGT_PTR_DB: node = (struct db_arg_chain_tree *)i_iter->jt.tgt.db; b_new = _gen_bpf_chain(state, sys, node, - nxt_jump, &blk->acc_state); + nxt_jump, &blk->acc_start); if (b_new == NULL) return NULL; i_iter->jt = _BPF_JMP_HSH(b_new->hash); @@ -885,7 +981,7 @@ static struct bpf_blk *_gen_bpf_chain_lv case TGT_PTR_DB: node = (struct db_arg_chain_tree *)i_iter->jf.tgt.db; b_new = _gen_bpf_chain(state, sys, node, - nxt_jump, &blk->acc_state); + nxt_jump, &blk->acc_start); if (b_new == NULL) return NULL; i_iter->jf = _BPF_JMP_HSH(b_new->hash); @@ -938,6 +1034,7 @@ static struct bpf_blk *_gen_bpf_chain(st const struct db_arg_chain_tree *c_iter; unsigned int iter; struct bpf_jump nxt_jump_tmp; + struct acc_state acc = *a_state; if (chain == NULL) { b_head = _gen_bpf_action(state, NULL, sys->action); 
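Review bot: _gen_bpf_node() now allocates blk with _blk_alloc() before the action blocks are generated, whereas it used to start as NULL; every later "goto node_failure" therefore reaches the cleanup with a live block, so the node_failure path (not in this hunk) must free blk in the allocated-but-empty case as well, otherwise the early failures leak it. A comment at the allocation site saying that node_failure owns the block from this point on would make that contract explicit.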
@@ -952,7 +1049,7 @@ static struct bpf_blk *_gen_bpf_chain(st /* build all of the blocks for this level */ do { - b_iter = _gen_bpf_node(state, c_iter, a_state); + b_iter = _gen_bpf_node(state, c_iter, &acc); if (b_iter == NULL) goto chain_failure; if (b_head != NULL) { @@ -1056,7 +1153,7 @@ static struct bpf_blk *_gen_bpf_syscall( { int rc; struct bpf_instr instr; - struct bpf_blk *blk_c, *blk_s = NULL; + struct bpf_blk *blk_c, *blk_s; struct bpf_jump def_jump; struct acc_state a_state; @@ -1064,20 +1161,27 @@ static struct bpf_blk *_gen_bpf_syscall( memset(&def_jump, 0, sizeof(def_jump)); def_jump = _BPF_JMP_HSH(state->def_hsh); + blk_s = _blk_alloc(); + if (blk_s == NULL) + return NULL; + /* setup the accumulator state */ if (acc_reset) { _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), _BPF_JMP_NO, _BPF_JMP_NO, _BPF_SYSCALL(state->arch)); - blk_s = _blk_append(state, NULL, &instr); + blk_s = _blk_append(state, blk_s, &instr); if (blk_s == NULL) return NULL; - a_state.offset = _BPF_OFFSET_SYSCALL; - a_state.mask = ARG_MASK_MAX; + /* we've loaded the syscall ourselves */ + a_state = _ACC_STATE_OFFSET(_BPF_OFFSET_SYSCALL); + blk_s->acc_start = _ACC_STATE_UNDEF; + blk_s->acc_end = _ACC_STATE_OFFSET(_BPF_OFFSET_SYSCALL); } else { - /* set the accumulator state to an unknown value */ - a_state.offset = -1; - a_state.mask = ARG_MASK_MAX; + /* we rely on someone else to load the syscall */ + a_state = _ACC_STATE_UNDEF; + blk_s->acc_start = _ACC_STATE_OFFSET(_BPF_OFFSET_SYSCALL); + blk_s->acc_end = _ACC_STATE_OFFSET(_BPF_OFFSET_SYSCALL); } /* generate the argument chains */ @@ -1239,6 +1343,7 @@ static struct bpf_blk *_gen_bpf_arch(str b_new = _blk_append(state, NULL, &instr); if (b_new == NULL) goto arch_failure; + b_new->acc_end = _ACC_STATE_OFFSET(_BPF_OFFSET_SYSCALL); if (state->arch->token == SCMP_ARCH_X86_64) { /* filter out x32 */ _BPF_INSTR(instr, 
@@ -1539,11 +1644,11 @@ static int _gen_bpf_build_bpf(struct bpf /* load the architecture token/number */ _BPF_INSTR(instr, _BPF_OP(state->arch, BPF_LD + BPF_ABS), - _BPF_JMP_NO, _BPF_JMP_NO, - _BPF_K(state->arch, offsetof(struct seccomp_data, arch))); + _BPF_JMP_NO, _BPF_JMP_NO, _BPF_ARCH(state->arch)); b_head = _blk_append(state, NULL, &instr); if (b_head == NULL) return -ENOMEM; + b_head->acc_end = _ACC_STATE_OFFSET(_BPF_OFFSET_ARCH); rc = _hsh_add(state, &b_head, 1); if (rc < 0) return rc; @@ -1634,6 +1739,37 @@ static int _gen_bpf_build_bpf(struct bpf b_jmp = _hsh_find_once(state, i_iter->k.tgt.hash); if (b_jmp != NULL) { + /* do we need to reload the accumulator? */ + if ((b_jmp->acc_start.offset != -1) && + !_ACC_CMP_EQ(b_iter->acc_end, + b_jmp->acc_start)) { + if (b_jmp->acc_start.mask != ARG_MASK_MAX) { + _BPF_INSTR(instr, + _BPF_OP(state->arch, + BPF_ALU + BPF_AND), + _BPF_JMP_NO, + _BPF_JMP_NO, + _BPF_K(state->arch, + b_jmp->acc_start.mask)); + b_jmp = _blk_prepend(state, + b_jmp, + &instr); + if (b_jmp == NULL) + return -EFAULT; + } + _BPF_INSTR(instr, + _BPF_OP(state->arch, + BPF_LD + BPF_ABS), + _BPF_JMP_NO, _BPF_JMP_NO, + _BPF_K(state->arch, + b_jmp->acc_start.offset)); + b_jmp = _blk_prepend(state, + b_jmp, &instr); + if (b_jmp == NULL) + return -EFAULT; + /* not reliant on the accumulator */ + b_jmp->acc_start = _ACC_STATE_UNDEF; + } /* insert the new block after this block */ b_jmp->prev = b_iter; b_jmp->next = b_iter->next; 
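Review bot: the accumulator reload hunk in _gen_bpf_build_bpf() returns -EFAULT when _blk_prepend() fails, but the only failure there is the realloc() inside _blk_resize(), and the same function returns -ENOMEM for the equivalent _blk_append() failure when loading the architecture token; use -ENOMEM so callers see the real cause. Also, b_jmp is prepended to after it was looked up with _hsh_find_once(), so its hash was computed over the original instructions; the prepended load and mask are harmless for any other path that still resolves that hash (they only reload the expected state), but the block identity changes, so a comment stating that a block found "once" is no longer reachable through the hash table would help readers.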
@@ -1650,6 +1786,7 @@ static int _gen_bpf_build_bpf(struct bpf b_iter = b_iter->prev; } while (b_iter != NULL); + /* NOTE - from here to the end of the function we need to fail via the * the build_bpf_free_blks label, not just return an error; see * the _gen_bpf_build_jmp() function for details */ debian/patches/build-ldflags.patch0000664000000000000000000000267612202363662014366 0ustar Description: LIBFLAGS are for libraries, LDFLAGS are for linker arguments. Author: Kees Cook Index: libseccomp-2.1.0/macros.mk =================================================================== --- libseccomp-2.1.0.orig/macros.mk 2013-08-13 00:55:29.615739819 -0700 +++ libseccomp-2.1.0/macros.mk 2013-08-13 01:00:12.123634186 -0700 @@ -136,7 +136,7 @@ ifeq ($(V),0) COMPILE_EXEC = @echo " CC $@"; endif -COMPILE_EXEC += $(GCC) $(CFLAGS) $(CPPFLAGS) -o $@ $< $(LDFLAGS); +COMPILE_EXEC += $(GCC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBFLAGS); ifeq ($(V),0) ARCHIVE = @echo " AR $@"; Index: libseccomp-2.1.0/tools/Makefile =================================================================== --- libseccomp-2.1.0.orig/tools/Makefile 2013-05-29 11:46:02.000000000 -0700 +++ libseccomp-2.1.0/tools/Makefile 2013-08-13 00:58:11.025965101 -0700 @@ -32,7 +32,7 @@ include $(TOPDIR)/configure.mk include $(TOPDIR)/install.mk -LDFLAGS := ../src/libseccomp.a +LIBFLAGS := ../src/libseccomp.a TOOLS = scmp_bpf_disasm \ scmp_bpf_sim \ Index: libseccomp-2.1.0/tests/Makefile =================================================================== --- libseccomp-2.1.0.orig/tests/Makefile 2013-05-23 13:53:11.000000000 -0700 +++ libseccomp-2.1.0/tests/Makefile 2013-08-13 00:59:44.707256337 -0700 
@@ -34,7 +34,7 @@ OBJS = util.o -LDFLAGS := ../src/libseccomp.a $(OBJS) +LIBFLAGS := ../src/libseccomp.a $(OBJS) TEST_PRIVATE = 00-test debian/patches/fix-audit-arch-i386.patch0000664000000000000000000000104613033472027015136 0ustar Origin: backport, 6e8f16e0a95a38d5988b68950e996c20eb84865c Description: fix arch token for 32-bit x86 not being defined correctly for the tools Index: libseccomp-2.1.1/tools/scmp_bpf_sim.c =================================================================== --- libseccomp-2.1.1.orig/tools/scmp_bpf_sim.c +++ libseccomp-2.1.1/tools/scmp_bpf_sim.c @@ -39,7 +39,7 @@ #include "bpf.h" #if __i386__ -#define ARCH_NATIVE AUDIT_ARCH_X86 +#define ARCH_NATIVE AUDIT_ARCH_I386 #elif __x86_64__ #ifdef __ILP32__ #define ARCH_NATIVE AUDIT_ARCH_X86_64 debian/patches/sync-syscall-table-entries.patch0000664000000000000000000001672012520512451017023 0ustar From c6205d9600983aa3fa68ca952b7624f2fec86718 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 25 Jun 2014 12:28:57 -0400 Subject: [PATCH] arch: sync the syscall table entries Signed-off-by: Paul Moore --- include/seccomp.h.in | 25 +++++++++++++++++++++++++ src/arch-arm-syscalls.c | 4 ++++ src/arch-x32-syscalls.c | 5 +++++ src/arch-x86-syscalls.c | 5 +++++ src/arch-x86_64-syscalls.c | 9 +++++++-- 5 files changed, 46 insertions(+), 2 deletions(-) Index: libseccomp-2.1.1/include/seccomp.h.in =================================================================== --- libseccomp-2.1.1.orig/include/seccomp.h.in +++ libseccomp-2.1.1/include/seccomp.h.in 
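Review bot: AUDIT_ARCH_X86 is not a token defined by linux/audit.h (the kernel's name for 32-bit x86 is AUDIT_ARCH_I386), so the old line could only have compiled where something else defined it, and the simulator's ARCH_NATIVE was wrong or undefined on 32-bit builds; the backport note should say so. If the "#if __i386__ / #elif __x86_64__" chain has no #else, adding "#else #error" would make an unsupported host fail at compile time instead of leaving ARCH_NATIVE undefined.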
@@ -1157,6 +1157,31 @@ int seccomp_export_bpf(const scmp_filter #define __NR_sync_file_range __PNR_sync_file_range #endif /* __NR_sync_file_range */ +#define __PNR_cachectl -10103 +#ifndef __NR_cachectl +#define __NR_cachectl __PNR_cachectl +#endif /* __NR_cachectl */ + +#define __PNR_cacheflush -10104 +#ifndef __NR_cacheflush +#define __NR_cacheflush __PNR_cacheflush +#endif /* __NR_cacheflush */ + +#define __PNR_renameat2 -10105 +#ifndef __NR_renameat2 +#define __NR_renameat2 __PNR_renameat2 +#endif /* __NR_renameat2 */ + +#define __PNR_sysmips -10106 +#ifndef __NR_sysmips +#define __NR_sysmips __PNR_sysmips +#endif /* __NR_sysmips */ + +#define __PNR_timerfd -10107 +#ifndef __NR_timerfd +#define __NR_timerfd __PNR_timerfd +#endif /* __NR_sysmips */ + #ifdef __cplusplus } #endif Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c @@ -57,6 +57,8 @@ const struct arch_syscall_def arm_syscal { "bind", (__NR_SYSCALL_BASE + 282) }, { "break", __PNR_break }, { "brk", (__NR_SYSCALL_BASE + 45) }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, { "capget", (__NR_SYSCALL_BASE + 184) }, { "capset", (__NR_SYSCALL_BASE + 185) }, { "chdir", (__NR_SYSCALL_BASE + 12) }, @@ -391,6 +393,7 @@ const struct arch_syscall_def arm_syscal { "sysfs", (__NR_SYSCALL_BASE + 135) }, { "sysinfo", (__NR_SYSCALL_BASE + 116) }, { "syslog", (__NR_SYSCALL_BASE + 103) }, + { "sysmips", __PNR_sysmips }, { "tee", (__NR_SYSCALL_BASE + 342) }, { "tgkill", (__NR_SYSCALL_BASE + 268) }, { "time", (__NR_SYSCALL_BASE + 13) }, 
@@ -399,6 +402,7 @@ const struct arch_syscall_def arm_syscal { "timer_getoverrun", (__NR_SYSCALL_BASE + 260) }, { "timer_gettime", (__NR_SYSCALL_BASE + 259) }, { "timer_settime", (__NR_SYSCALL_BASE + 258) }, + { "timerfd", __PNR_timerfd }, { "timerfd_create", (__NR_SYSCALL_BASE + 350) }, { "timerfd_gettime", (__NR_SYSCALL_BASE + 354) }, { "timerfd_settime", (__NR_SYSCALL_BASE + 353) }, Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c @@ -44,6 +44,8 @@ const struct arch_syscall_def x32_syscal { "bind", (X32_SYSCALL_BIT + 49) }, { "break", __PNR_break }, { "brk", (X32_SYSCALL_BIT + 12) }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, { "capget", (X32_SYSCALL_BIT + 125) }, { "capset", (X32_SYSCALL_BIT + 126) }, { "chdir", (X32_SYSCALL_BIT + 80) }, @@ -271,6 +273,7 @@ const struct arch_syscall_def x32_syscal { "removexattr", (X32_SYSCALL_BIT + 197) }, { "rename", (X32_SYSCALL_BIT + 82) }, { "renameat", (X32_SYSCALL_BIT + 264) }, + { "renameat2", __PNR_renameat2 }, { "request_key", (X32_SYSCALL_BIT + 249) }, { "restart_syscall", (X32_SYSCALL_BIT + 219) }, { "rmdir", (X32_SYSCALL_BIT + 84) }, @@ -377,6 +380,7 @@ const struct arch_syscall_def x32_syscal { "sysfs", (X32_SYSCALL_BIT + 139) }, { "sysinfo", (X32_SYSCALL_BIT + 99) }, { "syslog", (X32_SYSCALL_BIT + 103) }, + { "sysmips", __PNR_sysmips }, { "tee", (X32_SYSCALL_BIT + 276) }, { "tgkill", (X32_SYSCALL_BIT + 234) }, { "time", (X32_SYSCALL_BIT + 201) }, 
@@ -385,6 +389,7 @@ const struct arch_syscall_def x32_syscal { "timer_getoverrun", (X32_SYSCALL_BIT + 225) }, { "timer_gettime", (X32_SYSCALL_BIT + 224) }, { "timer_settime", (X32_SYSCALL_BIT + 223) }, + { "timerfd", __PNR_timerfd }, { "timerfd_create", (X32_SYSCALL_BIT + 283) }, { "timerfd_gettime", (X32_SYSCALL_BIT + 287) }, { "timerfd_settime", (X32_SYSCALL_BIT + 286) }, Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -28,6 +28,8 @@ /* NOTE: based on Linux 3.16-rc1 */ const struct arch_syscall_def x86_64_syscall_table[] = { \ + { "_llseek", __PNR__llseek }, + { "_newselect", __PNR__newselect }, { "_sysctl", 156 }, { "accept", 43 }, { "accept4", 288 }, @@ -44,6 +46,8 @@ const struct arch_syscall_def x86_64_sys { "bind", 49 }, { "break", __PNR_break }, { "brk", 12 }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, { "capget", 125 }, { "capset", 126 }, { "chdir", 80 }, @@ -178,7 +182,6 @@ const struct arch_syscall_def x86_64_sys { "listen", 50 }, { "listxattr", 194 }, { "llistxattr", 195 }, - { "_llseek", __PNR__llseek }, { "lock", __PNR_lock }, { "lookup_dcookie", 212 }, { "lremovexattr", 198 }, @@ -220,7 +223,6 @@ const struct arch_syscall_def x86_64_sys { "munmap", 11 }, { "name_to_handle_at", 303 }, { "nanosleep", 35 }, - { "_newselect", __PNR__newselect }, { "newfstatat", 262 }, { "nfsservctl", 180 }, { "nice", __PNR_nice }, @@ -273,6 +275,7 @@ const struct arch_syscall_def x86_64_sys { "removexattr", 197 }, { "rename", 82 }, { "renameat", 264 }, + { "renameat2", __PNR_renameat2 }, { "request_key", 249 }, { "restart_syscall", 219 }, { "rmdir", 84 }, @@ -379,6 +382,7 @@ const struct arch_syscall_def x86_64_sys { "sysfs", 139 }, { "sysinfo", 99 }, { "syslog", 103 }, + { "sysmips", __PNR_sysmips }, { "tee", 276 }, { "tgkill", 234 }, { "time", 201 }, 
@@ -387,6 +391,7 @@ const struct arch_syscall_def x86_64_sys { "timer_getoverrun", 225 }, { "timer_gettime", 224 }, { "timer_settime", 223 }, + { "timerfd", __PNR_timerfd }, { "timerfd_create", 283 }, { "timerfd_gettime", 287 }, { "timerfd_settime", 286 }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c @@ -46,6 +46,8 @@ static const struct arch_syscall_def x86 { "bind", __PNR_bind }, { "break", 17 }, { "brk", 45 }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, { "capget", 184 }, { "capset", 185 }, { "chdir", 12 }, @@ -273,6 +275,7 @@ static const struct arch_syscall_def x86 { "removexattr", 235 }, { "rename", 38 }, { "renameat", 302 }, + { "renameat2", __PNR_renameat2 }, { "request_key", 287 }, { "restart_syscall", 0 }, { "rmdir", 40 }, @@ -379,6 +382,7 @@ static const struct arch_syscall_def x86 { "sysfs", 135 }, { "sysinfo", 116 }, { "syslog", 103 }, + { "sysmips", __PNR_sysmips }, { "tee", 315 }, { "tgkill", 270 }, { "time", 13 }, 
@@ -387,6 +391,7 @@ static const struct arch_syscall_def x86 { "timer_getoverrun", 262 }, { "timer_gettime", 261 }, { "timer_settime", 260 }, + { "timerfd", __PNR_timerfd }, { "timerfd_create", 322 }, { "timerfd_gettime", 326 }, { "timerfd_settime", 325 }, debian/patches/series0000664000000000000000000000140613131123332012025 0ustar pkgconfig-macro.patch manpage-typo.patch build-ldflags.patch add-finit-module.patch update-x86-syscall-table.patch update-x86_64-syscall-table.patch update-arm-syscall-table.patch update-x32-syscall-table.patch sync-syscall-table-entries.patch sync-syscall-table-entries-fixtypo.patch sync-syscall-table-entries-3.17.patch sync-syscall-table-entries-3.19.patch fix-segfault-with-unknown.patch add-missing-arm-private-syscalls.patch add-membarrier-and-userfaultfd.patch add-mlock2.patch bpf-use-state-arch.patch db-require-filters-to-share-endianess.patch resolve-issues-caused-by-be.patch bpf-accumulator-check.patch bpf-track-accumulator-state.patch ensure-simulator-has-valid-arch.patch bpf-accumulator-check-indep.patch fix-audit-arch-i386.patch install-static-lib.patch debian/patches/sync-syscall-table-entries-3.19.patch0000664000000000000000000001271212520513561017413 0ustar From 7b80fb2fb683cafaf5dc9ff7692437ba86e598a3 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 9 Feb 2015 12:25:23 -0500 Subject: [PATCH] all: update syscall tables for Linux v3.19 
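Review bot: in the include/seccomp.h.in hunk of sync-syscall-table-entries.patch, the closing comment of the `__NR_timerfd` block is `#endif /* __NR_sysmips */`; it should read `#endif /* __NR_timerfd */`. The series file lists sync-syscall-table-entries-fixtypo.patch immediately after this patch; if that is the correction, fine, otherwise fix it here. The x86_64 hunks also move `_llseek` and `_newselect` from their old positions to the top of the table; that is a pure reorder to match the arm, x32 and x86 tables and should be called out in the commit message so it is not read as adding or removing entries.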
Signed-off-by: Paul Moore --- include/seccomp.h.in | 4 ++-- src/arch-aarch64-syscalls.c | 6 ++++-- src/arch-arm-syscalls.c | 4 +++- src/arch-mips-syscalls.c | 8 +++++--- src/arch-mips64-syscalls.c | 8 +++++--- src/arch-mips64n32-syscalls.c | 8 +++++--- src/arch-x32-syscalls.c | 4 +++- src/arch-x86-syscalls.c | 4 +++- src/arch-x86_64-syscalls.c | 4 +++- 9 files changed, 33 insertions(+), 17 deletions(-) Index: libseccomp-2.1.1/include/seccomp.h.in =================================================================== --- libseccomp-2.1.1.orig/include/seccomp.h.in +++ libseccomp-2.1.1/include/seccomp.h.in @@ -1185,12 +1185,12 @@ int seccomp_export_bpf(const scmp_filter #define __PNR_getrandom -10109 #ifndef __NR_getrandom #define __NR_getrandom __PNR_getrandom -#endif /* __NR_time */ +#endif /* __NR_getrandom - NO LONGER NEEDED */ #define __PNR_memfd_create -10110 #ifndef __NR_memfd_create #define __NR_memfd_create __PNR_memfd_create -#endif /* __NR_memfd_create */ +#endif /* __NR_memfd_create - NO LONGER NEEDED */ #define __PNR_kexec_file_load -10111 #ifndef __NR_kexec_file_load Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c @@ -36,7 +36,7 @@ #define __NR_SYSCALL_BASE __NR_OABI_SYSCALL_BASE #endif -/* NOTE: based on Linux 3.17-rc1+ */ +/* NOTE: based on Linux 3.19 */ const struct arch_syscall_def arm_syscall_table[] = { \ /* NOTE: arm_sync_file_range() and sync_file_range2() share values */ { "_llseek", (__NR_SYSCALL_BASE + 140) }, @@ -55,6 +55,7 @@ const struct arch_syscall_def arm_syscal { "arch_prctl", __PNR_arch_prctl }, { "bdflush", (__NR_SYSCALL_BASE + 134) }, { "bind", (__NR_SYSCALL_BASE + 282) }, + { "bpf", (__NR_SYSCALL_BASE + 386) }, { "break", __PNR_break }, { "brk", (__NR_SYSCALL_BASE + 45) }, { "cachectl", __PNR_cachectl }, 
@@ -90,6 +91,7 @@ const struct arch_syscall_def arm_syscal { "eventfd", (__NR_SYSCALL_BASE + 351) }, { "eventfd2", (__NR_SYSCALL_BASE + 356) }, { "execve", (__NR_SYSCALL_BASE + 11) }, + { "execveat", (__NR_SYSCALL_BASE + 387) }, { "exit", (__NR_SYSCALL_BASE + 1) }, { "exit_group", (__NR_SYSCALL_BASE + 248) }, { "faccessat", (__NR_SYSCALL_BASE + 334) }, Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x32.h" -/* NOTE: based on Linux 3.17-rc1+ */ +/* NOTE: based on Linux 3.19 */ const struct arch_syscall_def x32_syscall_table[] = { \ { "_sysctl", __PNR__sysctl }, { "accept", (X32_SYSCALL_BIT + 43) }, @@ -42,6 +42,7 @@ const struct arch_syscall_def x32_syscal { "arch_prctl", (X32_SYSCALL_BIT + 158) }, { "bdflush", __PNR_bdflush }, { "bind", (X32_SYSCALL_BIT + 49) }, + { "bpf", (X32_SYSCALL_BIT + 321) }, { "break", __PNR_break }, { "brk", (X32_SYSCALL_BIT + 12) }, { "cachectl", __PNR_cachectl }, @@ -77,6 +78,7 @@ const struct arch_syscall_def x32_syscal { "eventfd", (X32_SYSCALL_BIT + 284) }, { "eventfd2", (X32_SYSCALL_BIT + 290) }, { "execve", (X32_SYSCALL_BIT + 520) }, + { "execveat", (X32_SYSCALL_BIT + 545) }, { "exit", (X32_SYSCALL_BIT + 60) }, { "exit_group", (X32_SYSCALL_BIT + 231) }, { "faccessat", (X32_SYSCALL_BIT + 269) }, Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x86_64.h" -/* NOTE: based on Linux 3.17-rc1+ */ +/* NOTE: based on Linux 3.19 */ const struct arch_syscall_def x86_64_syscall_table[] = { \ { "_llseek", __PNR__llseek }, { "_newselect", __PNR__newselect }, 
@@ -44,6 +44,7 @@ const struct arch_syscall_def x86_64_sys { "arch_prctl", 158 }, { "bdflush", __PNR_bdflush }, { "bind", 49 }, + { "bpf", 321 }, { "break", __PNR_break }, { "brk", 12 }, { "cachectl", __PNR_cachectl }, @@ -79,6 +80,7 @@ const struct arch_syscall_def x86_64_sys { "eventfd", 284 }, { "eventfd2", 290 }, { "execve", 59 }, + { "execveat", 322 }, { "exit", 60 }, { "exit_group", 231 }, { "faccessat", 269 }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c @@ -26,7 +26,7 @@ #include "arch.h" #include "arch-x86.h" -/* NOTE: based on Linux 3.17-rc1+ */ +/* NOTE: based on Linux 3.19 */ static const struct arch_syscall_def x86_syscall_table[] = { \ { "_llseek", 140 }, { "_newselect", 142 }, @@ -44,6 +44,7 @@ static const struct arch_syscall_def x86 { "arch_prctl", __PNR_arch_prctl }, { "bdflush", 134 }, { "bind", __PNR_bind }, + { "bpf", 357 }, { "break", 17 }, { "brk", 45 }, { "cachectl", __PNR_cachectl }, @@ -79,6 +80,7 @@ static const struct arch_syscall_def x86 { "eventfd", 323 }, { "eventfd2", 328 }, { "execve", 11 }, + { "execveat", 358 }, { "exit", 1 }, { "exit_group", 252 }, { "faccessat", 307 }, debian/patches/install-static-lib.patch0000664000000000000000000000111613131123332015326 0ustar Index: libseccomp-2.1.1/src/Makefile =================================================================== --- libseccomp-2.1.1.orig/src/Makefile +++ libseccomp-2.1.1/src/Makefile 
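Review bot: the diffstat of sync-syscall-table-entries-3.19.patch lists nine files, including src/arch-aarch64-syscalls.c and the three MIPS tables, but the body only carries hunks for include/seccomp.h.in, arm, x32, x86_64 and x86; trim the diffstat to the hunks actually present, or state in the header that the backport drops the aarch64 and MIPS hunks because this version has no tables for those architectures. In the seccomp.h.in hunk the `#endif` comments are changed to "NO LONGER NEEDED" while the `#ifndef __NR_getrandom` / `#define __NR_getrandom __PNR_getrandom` fallbacks (and the memfd_create ones) stay in place; either remove the blocks or reword the comment to say what it means, for instance that the fallback now only applies when building against headers older than the syscall.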
@@ -83,6 +83,11 @@ install: $(LIB_SHARED) $(ECHO) ">> INFO: installing from $$dir/"; \ $(MAKE) -C $$dir install; \ done + # install static lib as well + $(INSTALL) -o $(INSTALL_OWNER) -g $(INSTALL_GROUP) \ + -d "$(INSTALL_LIB_DIR)"; \ + $(INSTALL) -o $(INSTALL_OWNER) -g $(INSTALL_GROUP) -m 0755 \ + $(LIB_STATIC) "$(INSTALL_LIB_DIR)"; \ clean: $(RM) $(DEPS) $(OBJS) $(LIB_STATIC) libseccomp.so.* debian/patches/add-membarrier-and-userfaultfd.patch0000664000000000000000000001006613024360164017577 0ustar Subject: Add membarrier and userfaultfd syscalls Backport only the portion of the upstream libseccomp commit that added the membarrier and userfaultfd syscalls. Origin: backport, https://github.com/seccomp/libseccomp/commit/d2ca11b7cdddbba3782b1e306ceacf19e898faee Author: Heiko Carstens Index: libseccomp-2.1.1/include/seccomp.h.in =================================================================== --- libseccomp-2.1.1.orig/include/seccomp.h.in +++ libseccomp-2.1.1/include/seccomp.h.in @@ -1197,6 +1197,16 @@ int seccomp_export_bpf(const scmp_filter #define __NR_kexec_file_load __PNR_kexec_file_load #endif /* __NR_kexec_file_load */ +#define __PNR_membarrier -10199 +#ifndef __NR_membarrier +#define __NR_membarrier __PNR_membarrier +#endif /* __NR_membarrier */ + +#define __PNR_userfaultfd -10200 +#ifndef __NR_userfaultfd +#define __NR_userfaultfd __PNR_userfaultfd +#endif /* __NR_userfaultfd */ + #ifdef __cplusplus } #endif Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c 
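Review bot: in the install hunk of install-static-lib.patch, the static archive is installed with `-m 0755`; an archive is never executed, so `-m 0644` is the conventional mode (the executable bit belongs to the shared object, not to libseccomp.a). The last added line also ends in `; \`, which continues the shell command into the blank line before `clean:`; drop the trailing `; \` there. The patch is also the only one in the series without a Description or Origin header; add one so the reason for installing the static library is recorded with the change.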
@@ -209,6 +209,7 @@ const struct arch_syscall_def arm_syscal { "lstat64", (__NR_SYSCALL_BASE + 196) }, { "madvise", (__NR_SYSCALL_BASE + 220) }, { "mbind", (__NR_SYSCALL_BASE + 319) }, + { "membarrier", (__NR_SYSCALL_BASE + 389) }, { "memfd_create", (__NR_SYSCALL_BASE + 385) }, { "migrate_pages", __PNR_migrate_pages }, { "mincore", (__NR_SYSCALL_BASE + 219) }, @@ -433,6 +434,7 @@ const struct arch_syscall_def arm_syscal { "uselib", (__NR_SYSCALL_BASE + 86) }, { "usr26", (__ARM_NR_BASE + 3) }, { "usr32", (__ARM_NR_BASE + 4) }, + { "userfaultfd", (__NR_SYSCALL_BASE + 388) }, { "ustat", (__NR_SYSCALL_BASE + 62) }, { "utime", (__NR_SYSCALL_BASE + 30) }, { "utimensat", (__NR_SYSCALL_BASE + 348) }, Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c @@ -193,6 +193,7 @@ const struct arch_syscall_def x32_syscal { "lstat64", __PNR_lstat64 }, { "madvise", (X32_SYSCALL_BIT + 28) }, { "mbind", (X32_SYSCALL_BIT + 237) }, + { "membarrier", (X32_SYSCALL_BIT + 324) }, { "memfd_create", (X32_SYSCALL_BIT + 319) }, { "migrate_pages", (X32_SYSCALL_BIT + 256) }, { "mincore", (X32_SYSCALL_BIT + 27) }, @@ -414,6 +415,7 @@ const struct arch_syscall_def x32_syscal { "unlinkat", (X32_SYSCALL_BIT + 263) }, { "unshare", (X32_SYSCALL_BIT + 272) }, { "uselib", __PNR_uselib }, + { "userfaultfd", (X32_SYSCALL_BIT + 323) }, { "ustat", (X32_SYSCALL_BIT + 136) }, { "utime", (X32_SYSCALL_BIT + 132) }, { "utimensat", (X32_SYSCALL_BIT + 280) }, Index: libseccomp-2.1.1/src/arch-x86-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86-syscalls.c +++ libseccomp-2.1.1/src/arch-x86-syscalls.c 
@@ -195,6 +195,7 @@ static const struct arch_syscall_def x86 { "lstat64", 196 }, { "madvise", 219 }, { "mbind", 274 }, + { "membarrier", 375 }, { "memfd_create", 356 }, { "migrate_pages", 294 }, { "mincore", 218 }, @@ -416,6 +417,7 @@ static const struct arch_syscall_def x86 { "unlinkat", 301 }, { "unshare", 310 }, { "uselib", 86 }, + { "userfaultfd", 374 }, { "ustat", 62 }, { "utime", 30 }, { "utimensat", 320 }, Index: libseccomp-2.1.1/src/arch-x86_64-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x86_64-syscalls.c +++ libseccomp-2.1.1/src/arch-x86_64-syscalls.c @@ -195,6 +195,7 @@ const struct arch_syscall_def x86_64_sys { "lstat64", __PNR_lstat64 }, { "madvise", 28 }, { "mbind", 237 }, + { "membarrier", 324 }, { "memfd_create", 319 }, { "migrate_pages", 256 }, { "mincore", 27 }, @@ -416,6 +417,7 @@ const struct arch_syscall_def x86_64_sys { "unlinkat", 263 }, { "unshare", 272 }, { "uselib", 134 }, + { "userfaultfd", 323 }, { "ustat", 136 }, { "utime", 132 }, { "utimensat", 280 }, debian/patches/add-missing-arm-private-syscalls.patch0000664000000000000000000000357712520516376020142 0ustar Author: Jamie Strandboge Description: add missing private ARM calls from usr/include/arm-linux-gnueabihf/asm/unistd.h Forwarded: no Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c @@ -36,6 +36,8 @@ #define __NR_SYSCALL_BASE __NR_OABI_SYSCALL_BASE #endif +#define __ARM_NR_BASE (__NR_SYSCALL_BASE+0x0f0000) + /* NOTE: based on Linux 3.19 */ const struct arch_syscall_def arm_syscall_table[] = { \ /* NOTE: arm_sync_file_range() and sync_file_range2() share values */ 
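Review bot: in the arm hunk of add-membarrier-and-userfaultfd.patch, `userfaultfd` is inserted after `usr32`, whereas the x32, x86 and x86_64 hunks insert it after `uselib`, which is where it belongs alphabetically (uselib < userfaultfd < usr26); move it for consistency with the other tables. In the seccomp.h.in hunk the pseudo numbers jump from -10111 (`__PNR_kexec_file_load`) to -10199 and -10200; since these values are exported in a public header, say in the patch header that they are taken from the upstream commit so the values agree with upstream, otherwise a later backport that continues from -10112 risks colliding with them.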
@@ -57,9 +59,10 @@ const struct arch_syscall_def arm_syscal { "bind", (__NR_SYSCALL_BASE + 282) }, { "bpf", (__NR_SYSCALL_BASE + 386) }, { "break", __PNR_break }, + { "breakpoint", (__ARM_NR_BASE + 1) }, { "brk", (__NR_SYSCALL_BASE + 45) }, { "cachectl", __PNR_cachectl }, - { "cacheflush", __PNR_cacheflush }, + { "cacheflush", (__ARM_NR_BASE + 2) }, { "capget", (__NR_SYSCALL_BASE + 184) }, { "capset", (__NR_SYSCALL_BASE + 185) }, { "chdir", (__NR_SYSCALL_BASE + 12) }, @@ -358,6 +361,7 @@ const struct arch_syscall_def arm_syscal { "setsid", (__NR_SYSCALL_BASE + 66) }, { "setsockopt", (__NR_SYSCALL_BASE + 294) }, { "settimeofday", (__NR_SYSCALL_BASE + 79) }, + { "set_tls", (__ARM_NR_BASE + 5) }, { "setuid", (__NR_SYSCALL_BASE + 23) }, { "setuid32", (__NR_SYSCALL_BASE + 213) }, { "setxattr", (__NR_SYSCALL_BASE + 226) }, @@ -427,6 +431,8 @@ const struct arch_syscall_def arm_syscal { "unlinkat", (__NR_SYSCALL_BASE + 328) }, { "unshare", (__NR_SYSCALL_BASE + 337) }, { "uselib", (__NR_SYSCALL_BASE + 86) }, + { "usr26", (__ARM_NR_BASE + 3) }, + { "usr32", (__ARM_NR_BASE + 4) }, { "ustat", (__NR_SYSCALL_BASE + 62) }, { "utime", (__NR_SYSCALL_BASE + 30) }, { "utimensat", (__NR_SYSCALL_BASE + 348) }, debian/patches/update-x32-syscall-table.patch0000664000000000000000000004405712520512317016301 0ustar Origin: backport, ac6802b300922ef2ad3e95e2c80f89b575073aeb Description: last hunk missing from upstream because it was added to support testsuite features not found in this version of seccomp From ac6802b300922ef2ad3e95e2c80f89b575073aeb Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 25 Jun 2014 11:57:33 -0400 Subject: [PATCH] arch: update the x32 syscall table It turns out there are enough differences between x86_64 and x32 that unique syscall tables are warranted. 
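Review bot: in the arm hunks of add-missing-arm-private-syscalls.patch, `set_tls` is placed between `settimeofday` and `setuid`, but the tables keep the `set_*` entries (set_mempolicy, set_robust_list, set_thread_area, set_tid_address) ahead of `setdomainname`; move `set_tls` next to them. The new `#define __ARM_NR_BASE (__NR_SYSCALL_BASE+0x0f0000)` has no comment; add one saying it mirrors the ARM private-syscall base from the asm/unistd.h named in the Description, so a reader knows where the 0x0f0000 offset comes from. "Forwarded: no" is worth reconsidering, since breakpoint, cacheflush, usr26, usr32 and set_tls are kernel ABI rather than anything distribution-specific.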
Signed-off-by: Paul Moore --- src/arch-x32-syscalls.c | 424 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 413 insertions(+), 11 deletions(-) Index: libseccomp-2.1.1/src/arch-x32-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-x32-syscalls.c +++ libseccomp-2.1.1/src/arch-x32-syscalls.c 
@@ -24,9 +24,403 @@ #include #include "arch.h" -#include "arch-x86_64.h" #include "arch-x32.h" +/* NOTE: based on Linux 3.16-rc1 */ +const struct arch_syscall_def x32_syscall_table[] = { \ + { "_sysctl", __PNR__sysctl }, + { "accept", (X32_SYSCALL_BIT + 43) }, + { "accept4", (X32_SYSCALL_BIT + 288) }, + { "access", (X32_SYSCALL_BIT + 21) }, + { "acct", (X32_SYSCALL_BIT + 163) }, + { "add_key", (X32_SYSCALL_BIT + 248) }, + { "adjtimex", (X32_SYSCALL_BIT + 159) }, + { "afs_syscall", (X32_SYSCALL_BIT + 183) }, + { "alarm", (X32_SYSCALL_BIT + 37) }, + { "arm_fadvise64_64", __PNR_arm_fadvise64_64 }, + { "arm_sync_file_range", __PNR_arm_sync_file_range }, + { "arch_prctl", (X32_SYSCALL_BIT + 158) }, + { "bdflush", __PNR_bdflush }, + { "bind", (X32_SYSCALL_BIT + 49) }, + { "break", __PNR_break }, + { "brk", (X32_SYSCALL_BIT + 12) }, + { "capget", (X32_SYSCALL_BIT + 125) }, + { "capset", (X32_SYSCALL_BIT + 126) }, + { "chdir", (X32_SYSCALL_BIT + 80) }, + { "chmod", (X32_SYSCALL_BIT + 90) }, + { "chown", (X32_SYSCALL_BIT + 92) }, + { "chown32", __PNR_chown32 }, + { "chroot", (X32_SYSCALL_BIT + 161) }, + { "clock_adjtime", (X32_SYSCALL_BIT + 305) }, + { "clock_getres", (X32_SYSCALL_BIT + 229) }, + { "clock_gettime", (X32_SYSCALL_BIT + 228) }, + { "clock_nanosleep", (X32_SYSCALL_BIT + 230) }, + { "clock_settime", (X32_SYSCALL_BIT + 227) }, + { "clone", (X32_SYSCALL_BIT + 56) }, + { "close", (X32_SYSCALL_BIT + 3) }, + { "connect", (X32_SYSCALL_BIT + 42) }, + { "creat", (X32_SYSCALL_BIT + 85) }, + { "create_module", __PNR_create_module }, + { "delete_module", (X32_SYSCALL_BIT + 176) }, + { "dup", (X32_SYSCALL_BIT + 32) }, + { "dup2", (X32_SYSCALL_BIT + 33) }, + { "dup3", (X32_SYSCALL_BIT + 292) }, + { "epoll_create", (X32_SYSCALL_BIT + 213) }, + { "epoll_create1", (X32_SYSCALL_BIT + 291) }, + { "epoll_ctl", (X32_SYSCALL_BIT + 233) }, + { "epoll_ctl_old", __PNR_epoll_ctl_old }, + { "epoll_pwait", (X32_SYSCALL_BIT + 281) }, + { "epoll_wait", (X32_SYSCALL_BIT + 232) }, + { 
"epoll_wait_old", __PNR_epoll_wait_old }, + { "eventfd", (X32_SYSCALL_BIT + 284) }, + { "eventfd2", (X32_SYSCALL_BIT + 290) }, + { "execve", (X32_SYSCALL_BIT + 520) }, + { "exit", (X32_SYSCALL_BIT + 60) }, + { "exit_group", (X32_SYSCALL_BIT + 231) }, + { "faccessat", (X32_SYSCALL_BIT + 269) }, + { "fadvise64", (X32_SYSCALL_BIT + 221) }, + { "fadvise64_64", __PNR_fadvise64_64 }, + { "fallocate", (X32_SYSCALL_BIT + 285) }, + { "fanotify_init", (X32_SYSCALL_BIT + 300) }, + { "fanotify_mark", (X32_SYSCALL_BIT + 301) }, + { "fchdir", (X32_SYSCALL_BIT + 81) }, + { "fchmod", (X32_SYSCALL_BIT + 91) }, + { "fchmodat", (X32_SYSCALL_BIT + 268) }, + { "fchown", (X32_SYSCALL_BIT + 93) }, + { "fchown32", __PNR_fchown32 }, + { "fchownat", (X32_SYSCALL_BIT + 260) }, + { "fcntl", (X32_SYSCALL_BIT + 72) }, + { "fcntl64", __PNR_fcntl64 }, + { "fdatasync", (X32_SYSCALL_BIT + 75) }, + { "fgetxattr", (X32_SYSCALL_BIT + 193) }, + { "finit_module", (X32_SYSCALL_BIT + 313) }, + { "flistxattr", (X32_SYSCALL_BIT + 196) }, + { "flock", (X32_SYSCALL_BIT + 73) }, + { "fork", (X32_SYSCALL_BIT + 57) }, + { "fremovexattr", (X32_SYSCALL_BIT + 199) }, + { "fsetxattr", (X32_SYSCALL_BIT + 190) }, + { "fstat", (X32_SYSCALL_BIT + 5) }, + { "fstat64", __PNR_fstat64 }, + { "fstatat64", __PNR_fstatat64 }, + { "fstatfs", (X32_SYSCALL_BIT + 138) }, + { "fstatfs64", __PNR_fstatfs64 }, + { "fsync", (X32_SYSCALL_BIT + 74) }, + { "ftime", __PNR_ftime }, + { "ftruncate", (X32_SYSCALL_BIT + 77) }, + { "ftruncate64", __PNR_ftruncate64 }, + { "futex", (X32_SYSCALL_BIT + 202) }, + { "futimesat", (X32_SYSCALL_BIT + 261) }, + { "get_kernel_syms", __PNR_get_kernel_syms }, + { "get_mempolicy", (X32_SYSCALL_BIT + 239) }, + { "get_robust_list", (X32_SYSCALL_BIT + 531) }, + { "get_thread_area", __PNR_get_thread_area }, + { "getcpu", (X32_SYSCALL_BIT + 309) }, + { "getcwd", (X32_SYSCALL_BIT + 79) }, + { "getdents", (X32_SYSCALL_BIT + 78) }, + { "getdents64", (X32_SYSCALL_BIT + 217) }, + { "getegid", (X32_SYSCALL_BIT + 108) 
}, + { "getegid32", __PNR_getegid32 }, + { "geteuid", (X32_SYSCALL_BIT + 107) }, + { "geteuid32", __PNR_geteuid32 }, + { "getgid", (X32_SYSCALL_BIT + 104) }, + { "getgid32", __PNR_getgid32 }, + { "getgroups", (X32_SYSCALL_BIT + 115) }, + { "getgroups32", __PNR_getgroups32 }, + { "getitimer", (X32_SYSCALL_BIT + 36) }, + { "getpeername", (X32_SYSCALL_BIT + 52) }, + { "getpgid", (X32_SYSCALL_BIT + 121) }, + { "getpgrp", (X32_SYSCALL_BIT + 111) }, + { "getpid", (X32_SYSCALL_BIT + 39) }, + { "getpmsg", (X32_SYSCALL_BIT + 181) }, + { "getppid", (X32_SYSCALL_BIT + 110) }, + { "getpriority", (X32_SYSCALL_BIT + 140) }, + { "getresgid", (X32_SYSCALL_BIT + 120) }, + { "getresgid32", __PNR_getresgid32 }, + { "getresuid", (X32_SYSCALL_BIT + 118) }, + { "getresuid32", __PNR_getresuid32 }, + { "getrlimit", (X32_SYSCALL_BIT + 97) }, + { "getrusage", (X32_SYSCALL_BIT + 98) }, + { "getsid", (X32_SYSCALL_BIT + 124) }, + { "getsockname", (X32_SYSCALL_BIT + 51) }, + { "getsockopt", (X32_SYSCALL_BIT + 542) }, + { "gettid", (X32_SYSCALL_BIT + 186) }, + { "gettimeofday", (X32_SYSCALL_BIT + 96) }, + { "getuid", (X32_SYSCALL_BIT + 102) }, + { "getuid32", __PNR_getuid32 }, + { "getxattr", (X32_SYSCALL_BIT + 191) }, + { "gtty", __PNR_gtty }, + { "idle", __PNR_idle }, + { "init_module", (X32_SYSCALL_BIT + 175) }, + { "inotify_add_watch", (X32_SYSCALL_BIT + 254) }, + { "inotify_init", (X32_SYSCALL_BIT + 253) }, + { "inotify_init1", (X32_SYSCALL_BIT + 294) }, + { "inotify_rm_watch", (X32_SYSCALL_BIT + 255) }, + { "io_cancel", (X32_SYSCALL_BIT + 210) }, + { "io_destroy", (X32_SYSCALL_BIT + 207) }, + { "io_getevents", (X32_SYSCALL_BIT + 208) }, + { "io_setup", (X32_SYSCALL_BIT + 206) }, + { "io_submit", (X32_SYSCALL_BIT + 209) }, + { "ioctl", (X32_SYSCALL_BIT + 514) }, + { "ioperm", (X32_SYSCALL_BIT + 173) }, + { "iopl", (X32_SYSCALL_BIT + 172) }, + { "ioprio_get", (X32_SYSCALL_BIT + 252) }, + { "ioprio_set", (X32_SYSCALL_BIT + 251) }, + { "ipc", __PNR_ipc }, + { "kcmp", (X32_SYSCALL_BIT + 312) }, 
+ { "kexec_load", (X32_SYSCALL_BIT + 528) }, + { "keyctl", (X32_SYSCALL_BIT + 250) }, + { "kill", (X32_SYSCALL_BIT + 62) }, + { "lchown", (X32_SYSCALL_BIT + 94) }, + { "lchown32", __PNR_lchown32 }, + { "lgetxattr", (X32_SYSCALL_BIT + 192) }, + { "link", (X32_SYSCALL_BIT + 86) }, + { "linkat", (X32_SYSCALL_BIT + 265) }, + { "listen", (X32_SYSCALL_BIT + 50) }, + { "listxattr", (X32_SYSCALL_BIT + 194) }, + { "llistxattr", (X32_SYSCALL_BIT + 195) }, + { "lock", __PNR_lock }, + { "lookup_dcookie", (X32_SYSCALL_BIT + 212) }, + { "lremovexattr", (X32_SYSCALL_BIT + 198) }, + { "lseek", (X32_SYSCALL_BIT + 8) }, + { "lsetxattr", (X32_SYSCALL_BIT + 189) }, + { "lstat", (X32_SYSCALL_BIT + 6) }, + { "lstat64", __PNR_lstat64 }, + { "madvise", (X32_SYSCALL_BIT + 28) }, + { "mbind", (X32_SYSCALL_BIT + 237) }, + { "migrate_pages", (X32_SYSCALL_BIT + 256) }, + { "mincore", (X32_SYSCALL_BIT + 27) }, + { "mkdir", (X32_SYSCALL_BIT + 83) }, + { "mkdirat", (X32_SYSCALL_BIT + 258) }, + { "mknod", (X32_SYSCALL_BIT + 133) }, + { "mknodat", (X32_SYSCALL_BIT + 259) }, + { "mlock", (X32_SYSCALL_BIT + 149) }, + { "mlockall", (X32_SYSCALL_BIT + 151) }, + { "mmap", (X32_SYSCALL_BIT + 9) }, + { "mmap2", __PNR_mmap2 }, + { "modify_ldt", (X32_SYSCALL_BIT + 154) }, + { "mount", (X32_SYSCALL_BIT + 165) }, + { "move_pages", (X32_SYSCALL_BIT + 533) }, + { "mprotect", (X32_SYSCALL_BIT + 10) }, + { "mpx", __PNR_mpx }, + { "mq_getsetattr", (X32_SYSCALL_BIT + 245) }, + { "mq_notify", (X32_SYSCALL_BIT + 527) }, + { "mq_open", (X32_SYSCALL_BIT + 240) }, + { "mq_timedreceive", (X32_SYSCALL_BIT + 243) }, + { "mq_timedsend", (X32_SYSCALL_BIT + 242) }, + { "mq_unlink", (X32_SYSCALL_BIT + 241) }, + { "mremap", (X32_SYSCALL_BIT + 25) }, + { "msgctl", (X32_SYSCALL_BIT + 71) }, + { "msgget", (X32_SYSCALL_BIT + 68) }, + { "msgrcv", (X32_SYSCALL_BIT + 70) }, + { "msgsnd", (X32_SYSCALL_BIT + 69) }, + { "msync", (X32_SYSCALL_BIT + 26) }, + { "munlock", (X32_SYSCALL_BIT + 150) }, + { "munlockall", (X32_SYSCALL_BIT + 152) 
}, + { "munmap", (X32_SYSCALL_BIT + 11) }, + { "name_to_handle_at", (X32_SYSCALL_BIT + 303) }, + { "nanosleep", (X32_SYSCALL_BIT + 35) }, + { "newfstatat", (X32_SYSCALL_BIT + 262) }, + { "nfsservctl", __PNR_nfsservctl }, + { "nice", __PNR_nice }, + { "oldfstat", __PNR_oldfstat }, + { "oldlstat", __PNR_oldlstat }, + { "oldolduname", __PNR_oldolduname }, + { "oldstat", __PNR_oldstat }, + { "olduname", __PNR_olduname }, + { "open", (X32_SYSCALL_BIT + 2) }, + { "open_by_handle_at", (X32_SYSCALL_BIT + 304) }, + { "openat", (X32_SYSCALL_BIT + 257) }, + { "pause", (X32_SYSCALL_BIT + 34) }, + { "pciconfig_iobase", __PNR_pciconfig_iobase }, + { "pciconfig_read", __PNR_pciconfig_read }, + { "pciconfig_write", __PNR_pciconfig_write }, + { "perf_event_open", (X32_SYSCALL_BIT + 298) }, + { "personality", (X32_SYSCALL_BIT + 135) }, + { "pipe", (X32_SYSCALL_BIT + 22) }, + { "pipe2", (X32_SYSCALL_BIT + 293) }, + { "pivot_root", (X32_SYSCALL_BIT + 155) }, + { "poll", (X32_SYSCALL_BIT + 7) }, + { "ppoll", (X32_SYSCALL_BIT + 271) }, + { "prctl", (X32_SYSCALL_BIT + 157) }, + { "pread64", (X32_SYSCALL_BIT + 17) }, + { "preadv", (X32_SYSCALL_BIT + 534) }, + { "prlimit64", (X32_SYSCALL_BIT + 302) }, + { "process_vm_readv", (X32_SYSCALL_BIT + 539) }, + { "process_vm_writev", (X32_SYSCALL_BIT + 540) }, + { "prof", __PNR_prof }, + { "profil", __PNR_profil }, + { "pselect6", (X32_SYSCALL_BIT + 270) }, + { "ptrace", (X32_SYSCALL_BIT + 521) }, + { "putpmsg", (X32_SYSCALL_BIT + 182) }, + { "pwrite64", (X32_SYSCALL_BIT + 18) }, + { "pwritev", (X32_SYSCALL_BIT + 535) }, + { "query_module", __PNR_query_module }, + { "quotactl", (X32_SYSCALL_BIT + 179) }, + { "read", (X32_SYSCALL_BIT + 0) }, + { "readahead", (X32_SYSCALL_BIT + 187) }, + { "readdir", __PNR_readdir }, + { "readlink", (X32_SYSCALL_BIT + 89) }, + { "readlinkat", (X32_SYSCALL_BIT + 267) }, + { "readv", (X32_SYSCALL_BIT + 515) }, + { "reboot", (X32_SYSCALL_BIT + 169) }, + { "recv", __PNR_recv }, + { "recvfrom", (X32_SYSCALL_BIT + 517) }, 
+ { "recvmmsg", (X32_SYSCALL_BIT + 537) }, + { "recvmsg", (X32_SYSCALL_BIT + 519) }, + { "remap_file_pages", (X32_SYSCALL_BIT + 216) }, + { "removexattr", (X32_SYSCALL_BIT + 197) }, + { "rename", (X32_SYSCALL_BIT + 82) }, + { "renameat", (X32_SYSCALL_BIT + 264) }, + { "request_key", (X32_SYSCALL_BIT + 249) }, + { "restart_syscall", (X32_SYSCALL_BIT + 219) }, + { "rmdir", (X32_SYSCALL_BIT + 84) }, + { "rt_sigaction", (X32_SYSCALL_BIT + 512) }, + { "rt_sigpending", (X32_SYSCALL_BIT + 522) }, + { "rt_sigprocmask", (X32_SYSCALL_BIT + 14) }, + { "rt_sigqueueinfo", (X32_SYSCALL_BIT + 524) }, + { "rt_sigreturn", (X32_SYSCALL_BIT + 513) }, + { "rt_sigsuspend", (X32_SYSCALL_BIT + 130) }, + { "rt_sigtimedwait", (X32_SYSCALL_BIT + 523) }, + { "rt_tgsigqueueinfo", (X32_SYSCALL_BIT + 536) }, + { "sched_get_priority_max", (X32_SYSCALL_BIT + 146) }, + { "sched_get_priority_min", (X32_SYSCALL_BIT + 147) }, + { "sched_getaffinity", (X32_SYSCALL_BIT + 204) }, + { "sched_getattr", (X32_SYSCALL_BIT + 315) }, + { "sched_getparam", (X32_SYSCALL_BIT + 143) }, + { "sched_getscheduler", (X32_SYSCALL_BIT + 145) }, + { "sched_rr_get_interval", (X32_SYSCALL_BIT + 148) }, + { "sched_setaffinity", (X32_SYSCALL_BIT + 203) }, + { "sched_setattr", (X32_SYSCALL_BIT + 314) }, + { "sched_setparam", (X32_SYSCALL_BIT + 142) }, + { "sched_setscheduler", (X32_SYSCALL_BIT + 144) }, + { "sched_yield", (X32_SYSCALL_BIT + 24) }, + { "security", (X32_SYSCALL_BIT + 185) }, + { "select", (X32_SYSCALL_BIT + 23) }, + { "semctl", (X32_SYSCALL_BIT + 66) }, + { "semget", (X32_SYSCALL_BIT + 64) }, + { "semop", (X32_SYSCALL_BIT + 65) }, + { "semtimedop", (X32_SYSCALL_BIT + 220) }, + { "send", __PNR_send }, + { "sendfile", (X32_SYSCALL_BIT + 40) }, + { "sendfile64", __PNR_sendfile64 }, + { "sendmmsg", (X32_SYSCALL_BIT + 538) }, + { "sendmsg", (X32_SYSCALL_BIT + 518) }, + { "sendto", (X32_SYSCALL_BIT + 44) }, + { "set_mempolicy", (X32_SYSCALL_BIT + 238) }, + { "set_robust_list", (X32_SYSCALL_BIT + 530) }, + { 
"set_thread_area", __PNR_set_thread_area }, + { "set_tid_address", (X32_SYSCALL_BIT + 218) }, + { "setdomainname", (X32_SYSCALL_BIT + 171) }, + { "setfsgid", (X32_SYSCALL_BIT + 123) }, + { "setfsgid32", __PNR_setfsgid32 }, + { "setfsuid", (X32_SYSCALL_BIT + 122) }, + { "setfsuid32", __PNR_setfsuid32 }, + { "setgid", (X32_SYSCALL_BIT + 106) }, + { "setgid32", __PNR_setgid32 }, + { "setgroups", (X32_SYSCALL_BIT + 116) }, + { "setgroups32", __PNR_setgroups32 }, + { "sethostname", (X32_SYSCALL_BIT + 170) }, + { "setitimer", (X32_SYSCALL_BIT + 38) }, + { "setns", (X32_SYSCALL_BIT + 308) }, + { "setpgid", (X32_SYSCALL_BIT + 109) }, + { "setpriority", (X32_SYSCALL_BIT + 141) }, + { "setregid", (X32_SYSCALL_BIT + 114) }, + { "setregid32", __PNR_setregid32 }, + { "setresgid", (X32_SYSCALL_BIT + 119) }, + { "setresgid32", __PNR_setresgid32 }, + { "setresuid", (X32_SYSCALL_BIT + 117) }, + { "setresuid32", __PNR_setresuid32 }, + { "setreuid", (X32_SYSCALL_BIT + 113) }, + { "setreuid32", __PNR_setreuid32 }, + { "setrlimit", (X32_SYSCALL_BIT + 160) }, + { "setsid", (X32_SYSCALL_BIT + 112) }, + { "setsockopt", (X32_SYSCALL_BIT + 541) }, + { "settimeofday", (X32_SYSCALL_BIT + 164) }, + { "setuid", (X32_SYSCALL_BIT + 105) }, + { "setuid32", __PNR_setuid32 }, + { "setxattr", (X32_SYSCALL_BIT + 188) }, + { "sgetmask", __PNR_sgetmask }, + { "shmat", (X32_SYSCALL_BIT + 30) }, + { "shmctl", (X32_SYSCALL_BIT + 31) }, + { "shmdt", (X32_SYSCALL_BIT + 67) }, + { "shmget", (X32_SYSCALL_BIT + 29) }, + { "shutdown", (X32_SYSCALL_BIT + 48) }, + { "sigaction", __PNR_sigaction }, + { "sigaltstack", (X32_SYSCALL_BIT + 525) }, + { "signal", __PNR_signal }, + { "signalfd", (X32_SYSCALL_BIT + 282) }, + { "signalfd4", (X32_SYSCALL_BIT + 289) }, + { "sigpending", __PNR_sigpending }, + { "sigprocmask", __PNR_sigprocmask }, + { "sigreturn", __PNR_sigreturn }, + { "sigsuspend", __PNR_sigsuspend }, + { "socket", (X32_SYSCALL_BIT + 41) }, + { "socketcall", __PNR_socketcall }, + { "socketpair", 
(X32_SYSCALL_BIT + 53) }, + { "splice", (X32_SYSCALL_BIT + 275) }, + { "ssetmask", __PNR_ssetmask }, + { "stat", (X32_SYSCALL_BIT + 4) }, + { "stat64", __PNR_stat64 }, + { "statfs", (X32_SYSCALL_BIT + 137) }, + { "statfs64", __PNR_statfs64 }, + { "stime", __PNR_stime }, + { "stty", __PNR_stty }, + { "swapoff", (X32_SYSCALL_BIT + 168) }, + { "swapon", (X32_SYSCALL_BIT + 167) }, + { "symlink", (X32_SYSCALL_BIT + 88) }, + { "symlinkat", (X32_SYSCALL_BIT + 266) }, + { "sync", (X32_SYSCALL_BIT + 162) }, + { "sync_file_range", (X32_SYSCALL_BIT + 277) }, + { "sync_file_range2", __PNR_sync_file_range2 }, + { "syncfs", (X32_SYSCALL_BIT + 306) }, + { "syscall", __PNR_syscall }, + { "sysfs", (X32_SYSCALL_BIT + 139) }, + { "sysinfo", (X32_SYSCALL_BIT + 99) }, + { "syslog", (X32_SYSCALL_BIT + 103) }, + { "tee", (X32_SYSCALL_BIT + 276) }, + { "tgkill", (X32_SYSCALL_BIT + 234) }, + { "time", (X32_SYSCALL_BIT + 201) }, + { "timer_create", (X32_SYSCALL_BIT + 526) }, + { "timer_delete", (X32_SYSCALL_BIT + 226) }, + { "timer_getoverrun", (X32_SYSCALL_BIT + 225) }, + { "timer_gettime", (X32_SYSCALL_BIT + 224) }, + { "timer_settime", (X32_SYSCALL_BIT + 223) }, + { "timerfd_create", (X32_SYSCALL_BIT + 283) }, + { "timerfd_gettime", (X32_SYSCALL_BIT + 287) }, + { "timerfd_settime", (X32_SYSCALL_BIT + 286) }, + { "times", (X32_SYSCALL_BIT + 100) }, + { "tkill", (X32_SYSCALL_BIT + 200) }, + { "truncate", (X32_SYSCALL_BIT + 76) }, + { "truncate64", __PNR_truncate64 }, + { "tuxcall", (X32_SYSCALL_BIT + 184) }, + { "ugetrlimit", __PNR_ugetrlimit }, + { "ulimit", __PNR_ulimit }, + { "umask", (X32_SYSCALL_BIT + 95) }, + { "umount", __PNR_umount }, + { "umount2", (X32_SYSCALL_BIT + 166) }, + { "uname", (X32_SYSCALL_BIT + 63) }, + { "unlink", (X32_SYSCALL_BIT + 87) }, + { "unlinkat", (X32_SYSCALL_BIT + 263) }, + { "unshare", (X32_SYSCALL_BIT + 272) }, + { "uselib", __PNR_uselib }, + { "ustat", (X32_SYSCALL_BIT + 136) }, + { "utime", (X32_SYSCALL_BIT + 132) }, + { "utimensat", (X32_SYSCALL_BIT + 
280) }, + { "utimes", (X32_SYSCALL_BIT + 235) }, + { "vfork", (X32_SYSCALL_BIT + 58) }, + { "vhangup", (X32_SYSCALL_BIT + 153) }, + { "vm86", __PNR_vm86 }, + { "vm86old", __PNR_vm86old }, + { "vmsplice", (X32_SYSCALL_BIT + 532) }, + { "vserver", __PNR_vserver }, + { "wait4", (X32_SYSCALL_BIT + 61) }, + { "waitid", (X32_SYSCALL_BIT + 529) }, + { "waitpid", __PNR_waitpid }, + { "write", (X32_SYSCALL_BIT + 1) }, + { "writev", (X32_SYSCALL_BIT + 516) }, + { NULL, __NR_SCMP_ERROR}, +}; + /** * Resolve a syscall name to a number * @param name the syscall name @@ -38,13 +432,16 @@ */ int x32_syscall_resolve_name(const char *name) { - int syscall; + unsigned int iter; + const struct arch_syscall_def *table = x32_syscall_table; - syscall = x86_64_syscall_resolve_name(name); - if (syscall >= 0) - syscall |= X32_SYSCALL_BIT; + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].name != NULL; iter++) { + if (strcmp(name, table[iter].name) == 0) + return table[iter].num; + } - return syscall; + return __NR_SCMP_ERROR; } /** 
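Review bot: the new lookup in x32_syscall_resolve_name() is a linear strcmp() scan over the whole table on every call, which the `/* XXX - plenty of room for future improvement here */` comment concedes; since the entries are already kept in strcmp() order (see the `rt_sig*`, `sched_*` and `set_*` runs above), a bsearch() over `x32_syscall_table` with a comparator on `.name` would make the lookup O(log n) with identical results, and the same applies to the matching loop in x32_syscall_resolve_num(). One behaviour worth a line in the function comment: `__NR_SCMP_ERROR` is returned only for names absent from the table, while a name that is present but not implemented on x32 (e.g. `"nice"`, `"sigaction"`, `"socketcall"`) returns its `__PNR_*` pseudo-number, so callers cannot use a `>= 0` test to mean "available on this arch".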
@@ -58,10 +455,14 @@ int x32_syscall_resolve_name(const char */ const char *x32_syscall_resolve_num(int num) { - int syscall = num; + unsigned int iter; + const struct arch_syscall_def *table = x32_syscall_table; - if (syscall >= 0) - syscall &= (~X32_SYSCALL_BIT); + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { + if (num == table[iter].num) + return table[iter].name; + } - return x86_64_syscall_resolve_num(syscall); + return NULL; } debian/patches/manpage-typo.patch0000664000000000000000000000132012202360673014236 0ustar Description: fix typo in manpage, noticed by lintian. Author: Kees Cook Index: libseccomp-2.1.0/doc/man/man1/scmp_sys_resolver.1 =================================================================== --- libseccomp-2.1.0.orig/doc/man/man1/scmp_sys_resolver.1 2013-05-29 11:46:16.000000000 -0700 +++ libseccomp-2.1.0/doc/man/man1/scmp_sys_resolver.1 2013-08-13 00:34:46.002565608 -0700 @@ -37,7 +37,7 @@ values are "x86", "x86_64", "x32", and "arm". .TP .B \-t -If neccessary, translate the system call name to the proper system call number, +If necessary, translate the system call name to the proper system call number, even if the system call name is different, e.g. socket(2) on x86. .TP .B \-h debian/patches/update-arm-syscall-table.patch0000664000000000000000000000716212520512046016437 0ustar From 689f19e7488535c775c1db415b8d9895905ef8dd Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 25 Jun 2014 11:39:38 -0400 Subject: [PATCH] arch: update the arm syscall table Signed-off-by: Paul Moore --- src/arch-arm-syscalls.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) Index: libseccomp-2.1.1/src/arch-arm-syscalls.c =================================================================== --- libseccomp-2.1.1.orig/src/arch-arm-syscalls.c +++ libseccomp-2.1.1/src/arch-arm-syscalls.c 
@@ -36,9 +36,12 @@ #define __NR_SYSCALL_BASE __NR_OABI_SYSCALL_BASE #endif -/* NOTE: based on Linux 3.8.0-rc5 */ +/* NOTE: based on Linux 3.16-rc1 */ const struct arch_syscall_def arm_syscall_table[] = { \ /* NOTE: arm_sync_file_range() and sync_file_range2() share values */ + { "_llseek", (__NR_SYSCALL_BASE + 140) }, + { "_newselect", (__NR_SYSCALL_BASE + 142) }, + { "_sysctl", (__NR_SYSCALL_BASE + 149) }, { "accept", (__NR_SYSCALL_BASE + 285) }, { "accept4", (__NR_SYSCALL_BASE + 366) }, { "access", (__NR_SYSCALL_BASE + 33) }, @@ -176,7 +179,7 @@ const struct arch_syscall_def arm_syscal { "ioprio_get", (__NR_SYSCALL_BASE + 315) }, { "ioprio_set", (__NR_SYSCALL_BASE + 314) }, { "ipc", (__NR_SYSCALL_BASE + 117) }, - { "kcmp", __PNR_kcmp }, + { "kcmp", (__NR_SYSCALL_BASE + 378) }, { "kexec_load", (__NR_SYSCALL_BASE + 347) }, { "keyctl", (__NR_SYSCALL_BASE + 311) }, { "kill", (__NR_SYSCALL_BASE + 37) }, @@ -188,7 +191,6 @@ const struct arch_syscall_def arm_syscal { "listen", (__NR_SYSCALL_BASE + 284) }, { "listxattr", (__NR_SYSCALL_BASE + 232) }, { "llistxattr", (__NR_SYSCALL_BASE + 233) }, - { "_llseek", (__NR_SYSCALL_BASE + 140) }, { "lock", __PNR_lock }, { "lookup_dcookie", (__NR_SYSCALL_BASE + 249) }, { "lremovexattr", (__NR_SYSCALL_BASE + 236) }, @@ -230,7 +232,6 @@ const struct arch_syscall_def arm_syscal { "munmap", (__NR_SYSCALL_BASE + 91) }, { "name_to_handle_at", (__NR_SYSCALL_BASE + 370) }, { "nanosleep", (__NR_SYSCALL_BASE + 162) }, - { "_newselect", (__NR_SYSCALL_BASE + 142) }, { "newfstatat", __PNR_newfstatat }, { "nfsservctl", (__NR_SYSCALL_BASE + 169) }, { "nice", (__NR_SYSCALL_BASE + 34) }, 
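Review bot: the `_newselect` removal in this hunk, together with the `_llseek` removal in the hunk above and the three additions at the head of the table in the first hunk, is a relocation of `_llseek`, `_newselect` and `_sysctl` to the front of `arm_syscall_table` with their numbers unchanged (140, 142, 149), yet the commit message only says "update the arm syscall table". Please state in the message that the move restores strict strcmp() ordering (a leading `_` sorts before letters), otherwise a reader diffing the table for number changes has to work out why six lines moved; the actual number change in this region is `kcmp` going from `__PNR_kcmp` to `__NR_SYSCALL_BASE + 378` against the 3.16-rc1 base now named in the header comment.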
@@ -283,6 +284,7 @@ const struct arch_syscall_def arm_syscal { "removexattr", (__NR_SYSCALL_BASE + 235) }, { "rename", (__NR_SYSCALL_BASE + 38) }, { "renameat", (__NR_SYSCALL_BASE + 329) }, + { "renameat2", (__NR_SYSCALL_BASE + 382) }, { "request_key", (__NR_SYSCALL_BASE + 310) }, { "restart_syscall", (__NR_SYSCALL_BASE + 0) }, { "rmdir", (__NR_SYSCALL_BASE + 40) }, @@ -297,10 +299,12 @@ const struct arch_syscall_def arm_syscal { "sched_get_priority_max", (__NR_SYSCALL_BASE + 159) }, { "sched_get_priority_min", (__NR_SYSCALL_BASE + 160) }, { "sched_getaffinity", (__NR_SYSCALL_BASE + 242) }, + { "sched_getattr", (__NR_SYSCALL_BASE + 381) }, { "sched_getparam", (__NR_SYSCALL_BASE + 155) }, { "sched_getscheduler", (__NR_SYSCALL_BASE + 157) }, { "sched_rr_get_interval", (__NR_SYSCALL_BASE + 161) }, { "sched_setaffinity", (__NR_SYSCALL_BASE + 241) }, + { "sched_setattr", (__NR_SYSCALL_BASE + 380) }, { "sched_setparam", (__NR_SYSCALL_BASE + 154) }, { "sched_setscheduler", (__NR_SYSCALL_BASE + 156) }, { "sched_yield", (__NR_SYSCALL_BASE + 158) }, @@ -384,7 +388,6 @@ const struct arch_syscall_def arm_syscal { "sync_file_range2", (__NR_SYSCALL_BASE + 341) }, { "syncfs", (__NR_SYSCALL_BASE + 373) }, { "syscall", (__NR_SYSCALL_BASE + 113) }, - { "_sysctl", (__NR_SYSCALL_BASE + 149) }, { "sysfs", (__NR_SYSCALL_BASE + 135) }, { "sysinfo", (__NR_SYSCALL_BASE + 116) }, { "syslog", (__NR_SYSCALL_BASE + 103) }, debian/patches/bpf-accumulator-check-indep.patch0000664000000000000000000001355413033276057017112 0ustar From 77b18477a4a26ae82fed15c0a1f6150709770b40 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 1 Jul 2015 13:50:34 -0400 Subject: [PATCH] tests: make 27-sim-bpf_blk_state architecture independent Using any of the socket related syscalls is always problematic, use a generic syscall number for this test since it isn't syscall specific. Reported-by: Jan Willeke 
Signed-off-by: Paul Moore (imported from commit 37a609498a218c370e86d34470a21d0d98db3b4f) --- tests/27-sim-bpf_blk_state.c | 26 +++++++++++++------------- tests/27-sim-bpf_blk_state.py | 26 +++++++++++++------------- tests/27-sim-bpf_blk_state.tests | 8 ++++---- 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/tests/27-sim-bpf_blk_state.c b/tests/27-sim-bpf_blk_state.c index 39c53dd..fd69044 100644 --- a/tests/27-sim-bpf_blk_state.c +++ b/tests/27-sim-bpf_blk_state.c 
@@ -40,55 +40,55 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 3)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 4)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 5)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 6)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 7)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 8)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 9)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 11)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 12)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 13)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 
1000, 1, SCMP_A0(SCMP_CMP_EQ, 14)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_EQ, 15)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, SCMP_A0(SCMP_CMP_GE, 16)); if (rc != 0) goto out; diff --git a/tests/27-sim-bpf_blk_state.py b/tests/27-sim-bpf_blk_state.py index 647c549..ff53ac9 100755 --- a/tests/27-sim-bpf_blk_state.py +++ b/tests/27-sim-bpf_blk_state.py @@ -30,19 +30,19 @@ def test(args): f = SyscallFilter(ALLOW) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 3)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 4)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 5)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 6)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 7)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 8)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 9)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 11)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 12)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 13)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 14)) - f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 15)) - f.add_rule_exactly(KILL, "socket", Arg(0, GE, 16)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 3)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 4)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 5)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 6)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 7)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 8)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 9)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 11)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 12)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 13)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 14)) + f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 15)) + f.add_rule_exactly(KILL, 1000, Arg(0, GE, 16)) return f args = util.get_opt() 
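Review bot: the bare literal 1000 now appears thirteen times in this hunk (and thirteen more in the .c counterpart above) with nothing in the file saying what it is; the commit message explains it is a generic syscall number chosen because the test exercises argument comparison and accumulator state rather than socket() itself, but the next reader of the test file will not have the commit message in front of them. A single named value with a comment, e.g. `SYSCALL_NR = 1000  # arbitrary syscall number; the test is about arg matching, not socket()` used in each `f.add_rule_exactly(KILL, SYSCALL_NR, Arg(0, ...))`, would carry that reasoning into the source, with the same one-line constant in the C file.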
diff --git a/tests/27-sim-bpf_blk_state.tests b/tests/27-sim-bpf_blk_state.tests index dd72b05..a4a8ae1 100644 --- a/tests/27-sim-bpf_blk_state.tests +++ b/tests/27-sim-bpf_blk_state.tests @@ -8,10 +8,10 @@ test type: bpf-sim # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -27-sim-bpf_blk_state +x86_64 socket 0-2 N N N N N ALLOW -27-sim-bpf_blk_state +x86_64 socket 3-9 N N N N N KILL -27-sim-bpf_blk_state +x86_64 socket 10 N N N N N ALLOW -27-sim-bpf_blk_state +x86_64 socket 11-32 N N N N N KILL +27-sim-bpf_blk_state all 1000 0-2 N N N N N ALLOW +27-sim-bpf_blk_state all 1000 3-9 N N N N N KILL +27-sim-bpf_blk_state all 1000 10 N N N N N ALLOW +27-sim-bpf_blk_state all 1000 11-32 N N N N N KILL test type: bpf-sim-fuzz debian/patches/bpf-accumulator-check.patch0000664000000000000000000001572513033267432016014 0ustar From 19e6c4aeca9818c4b288b09911dfa4be9a831236 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 6 May 2015 15:36:04 -0400 Subject: [PATCH] tests: test the bpf accumulator checking logic When building the BPF filter code we need to ensure that we take the state of the BPF state machine accumulator into account. This test creates a situation where the BPF filter code generator needs to perform some extra work to ensure the accumulator state is correct. This test is based on a bug reproducer by Matthew Heon. Signed-off-by: Paul Moore (imported from commit 4992bc217387c44dfbd9a4d290cdc42ba098b124) Index: libseccomp-2.1.1/tests/27-sim-bpf_blk_state.c =================================================================== --- /dev/null +++ libseccomp-2.1.1/tests/27-sim-bpf_blk_state.c 
@@ -0,0 +1,103 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2015 Red Hat + * Author: Paul Moore + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see . + */ + +#include +#include + +#include + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 3)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 4)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 5)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 6)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 7)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 8)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 9)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 
11)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 12)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 13)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 14)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 15)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_GE, 16)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} Index: libseccomp-2.1.1/tests/27-sim-bpf_blk_state.py =================================================================== --- /dev/null +++ libseccomp-2.1.1/tests/27-sim-bpf_blk_state.py 
@@ -0,0 +1,53 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2015 Red Hat +# Author: Paul Moore +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see . +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(ALLOW) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 3)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 4)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 5)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 6)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 7)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 8)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 9)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 11)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 12)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 13)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 14)) + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 15)) + f.add_rule_exactly(KILL, "socket", Arg(0, GE, 16)) + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; Index: libseccomp-2.1.1/tests/27-sim-bpf_blk_state.tests =================================================================== --- /dev/null +++ libseccomp-2.1.1/tests/27-sim-bpf_blk_state.tests 
@@ -0,0 +1,24 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2015 Red Hat +# Author: Paul Moore

    >&2
    exit 1
fi
if [ ! -d "$ADTTMP" ]; then
    echo "Could not find ADTTMP ($ADTTMP)" >&2
    exit 1
fi

exe="$ADTTMP/exe"

run_filter() {
    # build the loader once; it applies the filter file, then execs the target
    if [ ! -x "$exe" ]; then
        gcc -o "$exe" ./debian/tests/src/test-seccomp.c -lseccomp
    fi
    filter="$1"
    exe2="$ADTTMP/getrandom"
    if [ "`basename $filter`" = "getrandom.fail_filter" ]; then
        # skipped on 14.04: 'return', not 'exit', so the remaining filters
        # still run and the PASS/FAIL summary below is still reached
        echo "SKIPPED $filter: SYS_getrandom is not defined in 14.04 environments"
        return 1
        if [ ! -x "$exe2" ]; then
            gcc -o "$exe2" ./debian/tests/src/getrandom.c
        fi
        "$exe" "$filter" "$exe2"
    elif [ "`basename $filter`" = "getrandom.filter" ]; then
        echo "SKIPPED $filter: SYS_getrandom is not defined in 14.04 environments"
        return 0
        if [ ! -x "$exe2" ]; then
            gcc -o "$exe2" ./debian/tests/src/getrandom.c
        fi
        "$exe" "$filter" "$exe2"
    else
        "$exe" "$filter" /bin/date
    fi
}

failed=

# expected pass
for i in ./debian/tests/data/*.filter ; do
    echo "= $i ="
    run_filter $i || {
        echo "FAIL: expected to pass"
        failed="yes"
    }
done

# expected fail
for i in ./debian/tests/data/*.fail_filter ; do
    echo "= $i ="
    run_filter $i 2>&1 && {
        echo "FAIL: expected to error"
        failed="yes"
    }
done

echo ""
if [ "$failed" = "yes" ]; then
    echo FAIL
    exit 1
fi
echo PASS

debian/tests/control
Tests: test-filter test-scmp_sys_resolver
Restrictions: allow-stderr
Depends: @, build-essential, linux-libc-dev

debian/tests/src/
debian/tests/src/test-seccomp.c
/*
 * Copyright (C) 2015 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see .
 *
 * Based on ubuntu-core-launcher from: lp:ubuntu-core-launcher
 *
 * gcc -o test-seccomp test-seccomp.c -lseccomp
 */

#include <ctype.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <seccomp.h>

void die(const char *msg, ...)
{
    va_list va;
    va_start(va, msg);
    vfprintf(stderr, msg, va);
    va_end(va);
    fprintf(stderr, "\n");
    exit(1);
}

void debug(const char *msg, ...)
{
    va_list va;
    va_start(va, msg);
    fprintf(stderr, "DEBUG: ");
    vfprintf(stderr, msg, va);
    fprintf(stderr, "\n");
    va_end(va);
}

// strip whitespace from the end of the given string (inplace)
size_t trim_right(char *s, size_t slen)
{
    while (slen > 0 && isspace((unsigned char)s[slen - 1])) {
        s[--slen] = 0;
    }
    return slen;
}

// Read a whitelist of syscall names (one per line, '#' comments allowed) and
// load a filter that allows exactly those syscalls and kills on anything else.
int seccomp_load_filters(const char *profile_path)
{
    debug("seccomp_load_filters %s", profile_path);
    int rc = 0;
    int syscall_nr = -1;
    scmp_filter_ctx ctx = NULL;
    FILE *f = NULL;
    size_t lineno = 0;

    ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL)
        return ENOMEM;

    f = fopen(profile_path, "r");
    if (f == NULL) {
        fprintf(stderr, "Can not open %s (%s)\n", profile_path, strerror(errno));
        rc = -1;
        goto out;   // release ctx rather than leak it
    }
    // 80 characters + '\n' + '\0'
    char buf[82];
    while (fgets(buf, sizeof(buf), f) != NULL) {
        size_t len;
        lineno++;

        // comment, ignore
        if (buf[0] == '#')
            continue;

        // ensure the entire line was read
        len = strlen(buf);
        if (len == 0)
            continue;
        else if (buf[len - 1] != '\n' && len > (sizeof(buf) - 2)) {
            fprintf(stderr, "seccomp filter line %zu was too long (%zu characters max)\n",
                    lineno, sizeof(buf) - 2);
            rc = -1;
            goto out;
        }

        // kill final newline
        len = trim_right(buf, len);
        if (len == 0)
            continue;

        // check for special "@unrestricted" command: no filter is loaded
        if (strncmp(buf, "@unrestricted", sizeof(buf)) == 0)
            goto out;

        // syscall not available on this arch/kernel
        // as this is a syscall whitelist its ok and the error can be ignored
        syscall_nr = seccomp_syscall_resolve_name(buf);
        if (syscall_nr == __NR_SCMP_ERROR)
            continue;

        // a normal line with a syscall; try the exact rule first and fall
        // back to the plain add, which lets libseccomp adapt the rule per arch
        rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
        if (rc != 0) {
            rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
            if (rc != 0) {
                fprintf(stderr, "seccomp_rule_add failed with %i for '%s'\n", rc, buf);
                goto out;
            }
        }
    }

    // load it into the kernel
    rc = seccomp_load(ctx);
    if (rc != 0) {
        fprintf(stderr, "seccomp_load failed with %i\n", rc);
        goto out;
    }

out:
    if (f != NULL) {
        fclose(f);
    }
    seccomp_release(ctx);
    return rc;
}

int main(int argc, char **argv)
{
    int rc;
    const int NR_ARGS = 1;
    // both the filter path and the binary to exec are required
    if (argc < NR_ARGS + 2)
        die("Usage: %s <filter> <binary>", argv[0]);

    const char *filter = argv[1];
    const char *binary = argv[2];

    // set seccomp
    rc = seccomp_load_filters(filter);
    if (rc != 0)
        die("seccomp_load_filters failed with %i\n", rc);

    // and exec the new binary; argv[2] is the binary itself, so it becomes
    // the target's argv[0] and anything after it is passed through
    execv(binary, (char *const *)&argv[NR_ARGS + 1]);
    perror("execv failed");
    return 1;
}

debian/tests/src/getrandom.c
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
    int ret;
    int buflen = 256;
    char buf[buflen];
    buf[0] = '\0';

    // raw syscall: SYS_getrandom is only defined with 3.17+ kernel headers
    ret = syscall(SYS_getrandom, buf, buflen, 0);
    if (ret < 0) {
        printf("FAIL (error)\n");
        return ret;
    }
    if (ret == buflen) {
        printf("PASS\n");
        return 0;
    }
    printf("FAIL (short read: %i)\n", ret);
    return 1;
}

debian/tests/data/
debian/tests/data/safe.filter
accept accept4 access alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bind breakpoint brk cacheflush capget chdir chmod clock_getres clock_gettime clock_nanosleep clone close connect creat dup dup2 dup3 epoll_create epoll_create1
epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit _exit exit_group faccessat fadvise64 fadvise64_64 fallocate fchdir fchmod fchmodat fcntl fcntl64 fdatasync fgetxattr flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fstatvfs fsync ftime ftruncate ftruncate64 futex futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_mempolicy getpeername getpgid getpgrp getpid getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioprio_get io_setup io_submit ipc kill lgetxattr link linkat listen listxattr llistxattr llseek _llseek lremovexattr lseek lsetxattr lstat lstat64 madvise mbind mincore mkdir mkdirat mlock mlockall mmap mmap2 mprotect mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap nanosleep newfstatat _newselect oldfstat oldlstat oldolduname oldstat olduname oldwait4 open openat pause pipe pipe2 poll ppoll prctl pread pread64 preadv prlimit64 pselect pselect6 pwrite pwrite64 pwritev read readahead readdir readlink readlinkat readv recv recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_setscheduler sched_yield select semctl semget semop semtimedop send sendfile sendfile64 sendmmsg sendmsg sendto setitimer set_mempolicy setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address set_tls setxattr shmat shmctl shmdt shmget 
shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend sigtimedwait sigwaitinfo socket socketpair splice stat stat64 statfs statfs64 statvfs symlink symlinkat sync sync_file_range sync_file_range2 syncfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_settime timer_getoverrun timer_gettime timer_settime times tkill truncate truncate64 ugetrlimit umask uname unlink unlinkat usr26 usr32 ustat utime utimensat utimes vfork vmsplice wait4 waitid waitpid write writev debian/tests/data/all-except-s390-4.4.filter0000664000000000000000000001037313024610502015504 0ustar # all syscalls from 4.4 except for s390_runtime_instr, s390_pci_mmio_read, and # s390_pci_mmio_write. libseccomp 2.1.1 only supports arm, x32, x86_64, and x86 # architectures so the s390 related syscalls are not needed. accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range BASE bdflush bind bpf break breakpoint brk cacheflush capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname 
getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm iopl ioprio_get ioprio_set io_setup io_submit ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr _llseek lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync multiplexer munlock munlockall munmap name_to_handle_at nanosleep newfstatat _newselect nfsservctl nice OABI_SYSCALL_BASE oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pipe pipe2 pivot_root poll ppoll prctl pread64 preadv prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rtas rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo #s390_pci_mmio_read #s390_pci_mmio_write #s390_runtime_instr sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority 
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
settimeofday
set_tls
setuid
setuid32
setxattr
sgetmask
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
socket
socketcall
socketpair
splice
spu_create
spu_run
ssetmask
stat
stat64
statfs
statfs64
stime
stty
subpage_prot
swapcontext
swapoff
swapon
switch_endian
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
syscall
SYSCALL_BASE
_sysctl
sys_debug_setcontext
sysfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
tuxcall
ugetrlimit
ulimit
umask
umount
umount2
uname
unlink
unlinkat
unshare
uselib
userfaultfd
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vhangup
vm86
vm86old
vmsplice
vserver
wait4
waitid
waitpid
write
writev

==> debian/tests/data/all-3.19.filter <==

# all syscalls from 3.19 syscalls:
accept
accept4
access
acct
add_key
adjtimex
afs_syscall
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bdflush
bind
bpf
break
breakpoint
brk
cacheflush
capget
capset
chdir
chmod
chown
chown32
chroot
clock_adjtime
clock_getres
clock_gettime
clock_nanosleep
clock_settime
clone
close
connect
creat
create_module
delete_module
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fanotify_init
fanotify_mark
fchdir
fchmod
fchmodat
fchown
fchown32
fchownat
fcntl
fcntl64
fdatasync
fgetxattr
finit_module
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
get_kernel_syms
get_mempolicy
getpeername
getpgid
getpgrp
getpid
getpmsg
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
get_robust_list
getrusage
getsid
getsockname
getsockopt
get_thread_area
gettid
gettimeofday
getuid
getuid32
getxattr
gtty
idle
init_module
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
ioctl
io_destroy
io_getevents
ioperm
iopl
ioprio_get
ioprio_set
io_setup
io_submit
ipc
kcmp
kexec_file_load
kexec_load
keyctl
kill
lchown
lchown32
lgetxattr
link
linkat
listen
listxattr
llistxattr
_llseek
lock
lookup_dcookie
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
memfd_create
migrate_pages
mincore
mkdir
mkdirat
mknod
mknodat
mlock
mlockall
mmap
mmap2
modify_ldt
mount
move_pages
mprotect
mpx
mq_getsetattr
mq_notify
mq_open
mq_timedreceive
mq_timedsend
mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
multiplexer
munlock
munlockall
munmap
name_to_handle_at
nanosleep
newfstatat
_newselect
nfsservctl
nice
oldfstat
oldlstat
oldolduname
oldstat
olduname
open
openat
open_by_handle_at
pause
pciconfig_iobase
pciconfig_read
pciconfig_write
perf_event_open
personality
pipe
pipe2
pivot_root
poll
ppoll
prctl
pread64
preadv
prlimit64
process_vm_readv
process_vm_writev
prof
profil
pselect6
ptrace
putpmsg
pwrite64
pwritev
query_module
quotactl
read
readahead
readdir
readlink
readlinkat
readv
reboot
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
request_key
restart_syscall
rmdir
rtas
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
sched_yield
seccomp
security
select
semctl
semget
semop
semtimedop
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
setdomainname
setfsgid
setfsgid32
setfsuid
setfsuid32
setgid
setgid32
setgroups
setgroups32
sethostname
setitimer
set_mempolicy
setns
setpgid
setpriority
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
settimeofday
set_tls
setuid
setuid32
setxattr
sgetmask
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
socket
socketcall
socketpair
splice
spu_create
spu_run
ssetmask
stat
stat64
statfs
statfs64
stime
stty
subpage_prot
swapcontext
swapoff
swapon
switch_endian
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
syscall
_sysctl
sys_debug_setcontext
sysfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
tuxcall
ugetrlimit
ulimit
umask
umount
umount2
uname
unlink
unlinkat
unshare
uselib
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vhangup
vm86
vm86old
vmsplice
vserver
wait4
waitid
waitpid
write
writev

==> debian/tests/data/getrandom.fail_filter <==

# 'safe' syscalls as allowed by snappy, but missing 'open'
accept
accept4
access
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bind
breakpoint
brk
cacheflush
capget
chdir
chmod
clock_getres
clock_gettime
clock_nanosleep
clone
close
connect
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fchdir
fchmod
fchmodat
fcntl
fcntl64
fdatasync
fgetxattr
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fstatvfs
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
get_mempolicy
getpeername
getpgid
getpgrp
getpid
getppid
getpriority
# omit this to cause failures
# getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
get_robust_list
getrusage
getsid
getsockname
getsockopt
get_thread_area
gettid
gettimeofday
getuid
getuid32
getxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
ioctl
io_destroy
io_getevents
ioprio_get
io_setup
io_submit
ipc
kill
lgetxattr
link
linkat
listen
listxattr
llistxattr
llseek
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
mincore
mkdir
mkdirat
mlock
mlockall
mmap
mmap2
mprotect
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
newfstatat
oldfstat
oldlstat
oldolduname
oldstat
olduname
oldwait4
open
openat
pause
pipe
pipe2
poll
ppoll
prctl
pread
pread64
preadv
prlimit64
pselect
pselect6
pwrite
pwrite64
pwritev
read
readahead
readdir
readlink
readlinkat
readv
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_setscheduler
sched_yield
select
semctl
semget
semop
semtimedop
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
setitimer
set_mempolicy
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
set_tls
setxattr
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
socket
socketpair
splice
stat
stat64
statfs
statfs64
statvfs
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
ugetrlimit
umask
uname
unlink
unlinkat
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vmsplice
wait4
waitid
waitpid
write
writev

==> debian/tests/data/open.fail_filter <==

# 'safe' syscalls as allowed by snappy, but missing 'open'
accept
accept4
access
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bind
breakpoint
brk
cacheflush
capget
chdir
chmod
clock_getres
clock_gettime
clock_nanosleep
clone
close
connect
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fchdir
fchmod
fchmodat
fcntl
fcntl64
fdatasync
fgetxattr
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fstatvfs
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
get_mempolicy
getpeername
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
get_robust_list
getrusage
getsid
getsockname
getsockopt
get_thread_area
gettid
gettimeofday
getuid
getuid32
getxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
ioctl
io_destroy
io_getevents
ioprio_get
io_setup
io_submit
ipc
kill
lgetxattr
link
linkat
listen
listxattr
llistxattr
llseek
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
mincore
mkdir
mkdirat
mlock
mlockall
mmap
mmap2
mprotect
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
newfstatat
oldfstat
oldlstat
oldolduname
oldstat
olduname
oldwait4
# omit this for causing failures
# open
openat
pause
pipe
pipe2
poll
ppoll
prctl
pread
pread64
preadv
prlimit64
pselect
pselect6
pwrite
pwrite64
pwritev
read
readahead
readdir
readlink
readlinkat
readv
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_setscheduler
sched_yield
select
semctl
semget
semop
semtimedop
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
setitimer
set_mempolicy
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
set_tls
setxattr
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
socket
socketpair
splice
stat
stat64
statfs
statfs64
statvfs
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
ugetrlimit
umask
uname
unlink
unlinkat
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vmsplice
wait4
waitid
waitpid
write
writev

==> debian/tests/data/unrestricted.filter <==

@unrestricted

==> debian/tests/data/getrandom.filter <==

accept
accept4
access
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bind
breakpoint
brk
cacheflush
capget
chdir
chmod
clock_getres
clock_gettime
clock_nanosleep
clone
close
connect
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
_exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fchdir
fchmod
fchmodat
fcntl
fcntl64
fdatasync
fgetxattr
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fstatvfs
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
get_mempolicy
getpeername
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
get_robust_list
getrusage
getsid
getsockname
getsockopt
get_thread_area
gettid
gettimeofday
getuid
getuid32
getxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
ioctl
io_destroy
io_getevents
ioprio_get
io_setup
io_submit
ipc
kill
lgetxattr
link
linkat
listen
listxattr
llistxattr
llseek
_llseek
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
mincore
mkdir
mkdirat
mlock
mlockall
mmap
mmap2
mprotect
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
newfstatat
_newselect
oldfstat
oldlstat
oldolduname
oldstat
olduname
oldwait4
open
openat
pause
pipe
pipe2
poll
ppoll
prctl
pread
pread64
preadv
prlimit64
pselect
pselect6
pwrite
pwrite64
pwritev
read
readahead
readdir
readlink
readlinkat
readv
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_setscheduler
sched_yield
select
semctl
semget
semop
semtimedop
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
setitimer
set_mempolicy
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
set_tls
setxattr
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
socket
socketpair
splice
stat
stat64
statfs
statfs64
statvfs
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
ugetrlimit
umask
uname
unlink
unlinkat
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vmsplice
wait4
waitid
waitpid
write
writev

==> debian/tests/test-scmp_sys_resolver <==

#!/bin/sh
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

set -e

failed=

# Round-trip every syscall number in [low, high] through scmp_sys_resolver:
# number -> name, then name -> number, and require the two numbers to match.
# Numbers that resolve to UNKNOWN have no syscall defined and are skipped.
# A resolver failure is recorded and the number is skipped so that the
# second lookup is not attempted with an empty name.
test_range() {
    low=$1
    high=$2
    echo "Testing syscalls $low-$high"
    for i in $(seq "$low" "$high") ; do
        res=$(scmp_sys_resolver "$i") || {
            echo "'$i' failed"
            failed="yes"
            continue
        }
        if [ "$res" = "UNKNOWN" ]; then
            continue
        fi
        res2=$(scmp_sys_resolver "$res") || {
            echo "'$res' failed"
            failed="yes"
            continue
        }
        if [ "$res2" != "$i" ]; then
            echo "FAIL: $i ($res) != $res ($res2)"
            failed="yes"
        else
            echo "pass: $i ($res) == $res ($res2)"
        fi
    done
}

echo "= normal range ="
test_range 0 1024
echo ""

echo "= arm private ="
test_range 983000 984024
echo ""

echo ""
if [ "$failed" = "yes" ]; then
    echo FAIL
    exit 1
fi
echo PASS

==> debian/seccomp.manpages <==

debian/tmp/usr/share/man/man1/*

==> debian/watch <==

# See uscan(1) for format
version=3
opts=dversionmangle=s/\+dfsg// \
http://sf.net/libseccomp/libseccomp-(.*)\.tar\.gz \
debian uupdate

==> debian/source/format <==

3.0 (quilt)

==> debian/copyright <==

Format: http://dep.debian.net/deps/dep5
Upstream-Name: libseccomp
Source: https://sourceforge.net/projects/libseccomp/

Files: *
Copyright: 2012 Paul Moore
           2012 Ashley Lai
           2012 Corey Bryant
           2012 Eduardo Otubo
           2012 Eric Paris
License: LGPL-2.0+

Files: tests/22-sim-basic_chains_array.tests
Copyright: 2013 Vitaly Shukela
License: LGPL-2.0+

Files: src/hash.*
Copyright: 2006 Bob Jenkins
License: LGPL-2.0+

Files: debian/*
Copyright: 2012 Kees Cook
License: LGPL-2.0+

License: LGPL-2.0+
 This package is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
 version 2 of the License, or (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 Lesser General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 .
 On Debian systems, the complete text of the GNU Lesser General
 Public License can be found in "/usr/share/common-licenses/LGPL-2".

==> debian/libseccomp-dev.manpages <==

debian/tmp/usr/share/man/man3/*

==> debian/seccomp.install <==

usr/bin/*