libseccomp-0.3.0/.cargo_vcs_info.json0000644000000001500000000000100131500ustar { "git": { "sha1": "e4bcb2a844385382d00dbe963e67e52566780079" }, "path_in_vcs": "libseccomp" }libseccomp-0.3.0/Cargo.toml0000644000000023550000000000100111570ustar # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies. # # If you are reading this file be aware that the original Cargo.toml # will likely look very different (and much more reasonable). # See Cargo.toml.orig for the original contents. [package] edition = "2018" name = "libseccomp" version = "0.3.0" authors = ["Manabu Sugimoto "] description = "Rust Language Bindings for the libseccomp Library" readme = "README.md" keywords = [ "bindings", "seccomp", "linux", "containers", "security", ] categories = [ "os", "api-bindings", ] license = "MIT OR Apache-2.0" repository = "https://github.com/libseccomp-rs/libseccomp-rs" [package.metadata.docs.rs] rustc-args = [ "--cfg", "docsrs", ] [dependencies.bitflags] version = "1.3.2" [dependencies.cfg-if] version = "1.0.0" optional = true [dependencies.libc] version = "0.2.108" [dependencies.libseccomp-sys] version = "0.2.1" [build-dependencies.pkg-config] version = "0.3.19" [features] const-syscall = ["cfg-if"] libseccomp-0.3.0/Cargo.toml.orig000064400000000000000000000013210072674642500146600ustar 00000000000000[package] name = "libseccomp" version = "0.3.0" authors = ["Manabu Sugimoto "] license = "MIT OR Apache-2.0" description = "Rust Language Bindings for the libseccomp Library" repository = "https://github.com/libseccomp-rs/libseccomp-rs" keywords = ["bindings", "seccomp", "linux", "containers", "security"] categories = ["os", "api-bindings"] edition = "2018" readme = "../README.md" [dependencies] bitflags = "1.3.2" cfg-if = { version = "1.0.0", optional = true } libc = "0.2.108" libseccomp-sys = { version = "0.2.1", path = "../libseccomp-sys" } [build-dependencies] pkg-config = "0.3.19" [package.metadata.docs.rs] rustc-args = ["--cfg", "docsrs"] [features] const-syscall = ["cfg-if"] libseccomp-0.3.0/LICENSE000064400000000000000000000002370072674642500130030ustar 00000000000000This crate is licensed under either of - "Apache License, Version 2.0, (See LICENSE-APACHE file); or - "MIT license" (See LICENSE-MIT file), at your option. libseccomp-0.3.0/LICENSE-APACHE000064400000000000000000000264440072674642500137320ustar 00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.libseccomp-0.3.0/LICENSE-MIT000064400000000000000000000020660072674642500134340ustar 00000000000000MIT License Copyright (c) 2021 Sony Group Corporation Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.libseccomp-0.3.0/README.md000064400000000000000000000113360072674642500132570ustar 00000000000000# libseccomp-rs [![build-test](https://github.com/libseccomp-rs/libseccomp-rs/actions/workflows/build-test.yaml/badge.svg?branch=main)](https://github.com/libseccomp-rs/libseccomp-rs/actions/workflows/build-test.yaml) [![Latest release on crates.io](https://img.shields.io/crates/v/libseccomp.svg)](https://crates.io/crates/libseccomp) [![Documentation on docs.rs](https://docs.rs/libseccomp/badge.svg)](https://docs.rs/libseccomp) [![codecov](https://codecov.io/gh/libseccomp-rs/libseccomp-rs/branch/main/graph/badge.svg)](https://codecov.io/gh/libseccomp-rs/libseccomp-rs) Rust Language Bindings for the libseccomp Library The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers. The libseccomp-rs provides a Rust based interface to the libseccomp library. This repository contains libseccomp and libseccomp-sys crates that enable developers to use the libseccomp API in Rust. * **libseccomp**: High-level safe API * **libseccomp-sys**: Low-level unsafe API [CHANGELOG](https://github.com/libseccomp-rs/libseccomp-rs/blob/main/CHANGELOG.md) ## Example Create and load a single seccomp rule: ```rust use libseccomp::*; fn main() -> Result<(), Box> { // Creates and returns a new filter context. let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?; // Adds an architecture to the filter. filter.add_arch(ScmpArch::X8664)?; // Returns the number of a syscall by name. let syscall = ScmpSyscall::from_name("dup3")?; // Adds a single rule for an unconditional action on the syscall. filter.add_rule(ScmpAction::Errno(10), syscall)?; // Loads the filter context into the kernel. filter.load()?; // The dup3 fails by the seccomp rule. assert_eq!( unsafe { libc::dup3(0, 100, libc::O_CLOEXEC) } as i32, -libc::EPERM ); assert_eq!(std::io::Error::last_os_error().raw_os_error().unwrap(), 10); Ok(()) } ``` ## Requirements Before using the libseccomp crate, you need to install the libseccomp library for your system. The libseccomp library version 2.4 or newer is required. ### Installing the libseccomp library from a package e.g. Debian-based Linux ``` sh $ sudo apt install libseccomp-dev ``` ### Building and installing the libseccomp library from sources If you want to build the libseccomp library from an official release tarball instead of the package, you should follow the quick step. ```sh $ LIBSECCOMP_VERSION=2.5.3 $ wget https://github.com/seccomp/libseccomp/releases/download/v${LIBSECCOMP_VERSION}/libseccomp-${LIBSECCOMP_VERSION}.tar.gz $ tar xvf libseccomp-${LIBSECCOMP_VERSION}.tar.gz $ cd libseccomp-${LIBSECCOMP_VERSION} $ ./configure $ make $ sudo make install ``` For more details, see the [libseccomp library repository](https://github.com/seccomp/libseccomp). ## Setup If you use the libseccomp crate with dynamically linked the libseccomp library, you do not need additional settings. However, if you want to use the libseccomp crate against musl-libc with statically linked the libseccomp library, you have to set the `LIBSECCOMP_LINK_TYPE` and `LIBSECCOMP_LIB_PATH` environment variables as follows. ```sh $ export LIBSECCOMP_LINK_TYPE=static $ export LIBSECCOMP_LIB_PATH="the path of the directory containing libseccomp.a (e.g. /usr/lib)" ``` > **Note**: > To build the libseccomp crate against musl-libc, you need to build the libseccomp library manually for musl-libc > or use a musl-based distribution that provides a package for the statically-linked libseccomp library Now, add the following to your `Cargo.toml` to start building the libseccomp crate. ```toml [dependencies] libseccomp = "0.3.0" ``` ## Testing the crate The libseccomp crate provides a number of unit tests. If you want to run the standard regression tests, you can execute the following command. ``` sh $ make test ``` ## How to contribute Anyone is welcome to join and contribute code, documentation, and use cases. For details on how to contribute to the libseccomp-rs project, please see the [contributing document](https://github.com/libseccomp-rs/libseccomp-rs/blob/main/CONTRIBUTING.md). ## License This crate is licensed under: - MIT License (see LICENSE-MIT); or - Apache 2.0 License (see LICENSE-APACHE), at your option. Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in libseccomp-rs by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions. libseccomp-0.3.0/build.rs000064400000000000000000000015460072674642500134470ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use std::{env, path}; const LIBSECCOMP_LIB_PATH: &str = "LIBSECCOMP_LIB_PATH"; fn main() { println!("cargo:rerun-if-env-changed={}", LIBSECCOMP_LIB_PATH); if let Ok(path) = env::var(LIBSECCOMP_LIB_PATH) { println!("cargo:rustc-link-search=native={}", path); let pkgconfig = path::Path::new(&path).join("pkgconfig"); env::set_var("PKG_CONFIG_PATH", pkgconfig); } let target = env::var("TARGET").unwrap_or_default(); let host = env::var("HOST").unwrap_or_default(); if target != host { env::set_var("PKG_CONFIG_ALLOW_CROSS", "1"); } if pkg_config::Config::new() .atleast_version("2.5.0") .probe("libseccomp") .is_ok() { println!("cargo:rustc-cfg=libseccomp_v2_5"); } } libseccomp-0.3.0/src/action.rs000064400000000000000000000115040072674642500144070ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::ErrorKind::*; use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::convert::TryInto; /// Represents an action to be taken on a filter rule match in the libseccomp. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub enum ScmpAction { /// Kills the process. KillProcess, /// Kills the thread. KillThread, /// Throws a SIGSYS signal. Trap, /// Triggers a userspace notification. /// NOTE: This action is only usable when the libseccomp API level 6 /// or higher is supported. Notify, /// Returns the specified error code. /// NOTE: You can only use integers from 0 to `u16::MAX`. Errno(i32), /// Notifies a tracing process with the specified value. Trace(u16), /// Allows the syscall to be executed after the action has been logged. Log, /// Allows the syscall to be executed. Allow, } impl ScmpAction { pub(crate) fn to_sys(self) -> u32 { match self { Self::KillProcess => SCMP_ACT_KILL_PROCESS, Self::KillThread => SCMP_ACT_KILL_THREAD, Self::Trap => SCMP_ACT_TRAP, Self::Notify => SCMP_ACT_NOTIFY, Self::Errno(x) => SCMP_ACT_ERRNO(x as u16), Self::Trace(x) => SCMP_ACT_TRACE(x), Self::Log => SCMP_ACT_LOG, Self::Allow => SCMP_ACT_ALLOW, } } pub(crate) fn from_sys(val: u32) -> Result { match val & SCMP_ACT_MASK { SCMP_ACT_KILL_PROCESS => Ok(Self::KillProcess), SCMP_ACT_KILL_THREAD => Ok(Self::KillThread), SCMP_ACT_TRAP => Ok(Self::Trap), SCMP_ACT_NOTIFY => Ok(Self::Notify), SCMP_ACT_ERRNO_MASK => Ok(Self::Errno(val as u16 as i32)), SCMP_ACT_TRACE_MASK => Ok(Self::Trace(val as u16)), SCMP_ACT_LOG => Ok(Self::Log), SCMP_ACT_ALLOW => Ok(Self::Allow), _ => Err(SeccompError::new(ParseError)), } } /// Converts string seccomp action to `ScmpAction`. /// /// # Arguments /// /// * `action` - A string action, e.g. `SCMP_ACT_*`. /// /// See the [`seccomp_rule_add(3)`] man page for details on valid action values. /// /// [`seccomp_rule_add(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_rule_add.3.html /// /// # Errors /// /// If an invalid action is specified or a value on `"SCMP_ACT_TRACE"` is not in the /// range from 0 to `u16::MAX`, an error will be returned. pub fn from_str(action: &str, val: Option) -> Result { match action { "SCMP_ACT_KILL_PROCESS" => Ok(Self::KillProcess), "SCMP_ACT_KILL_THREAD" | "SCMP_ACT_KILL" => Ok(Self::KillThread), "SCMP_ACT_TRAP" => Ok(Self::Trap), "SCMP_ACT_NOTIFY" => Ok(Self::Notify), "SCMP_ACT_ERRNO" => match val { Some(v) => Ok(Self::Errno(v)), None => Err(SeccompError::new(ParseError)), }, "SCMP_ACT_TRACE" => match val { Some(v) => Ok(Self::Trace(v.try_into()?)), None => Err(SeccompError::new(ParseError)), }, "SCMP_ACT_LOG" => Ok(Self::Log), "SCMP_ACT_ALLOW" => Ok(Self::Allow), _ => Err(SeccompError::new(ParseError)), } } } #[cfg(test)] mod tests { use super::*; #[test] fn test_parse_action() { let test_data = [ ("SCMP_ACT_KILL_PROCESS", ScmpAction::KillProcess), ("SCMP_ACT_KILL_THREAD", ScmpAction::KillThread), ("SCMP_ACT_KILL", ScmpAction::KillThread), ("SCMP_ACT_TRAP", ScmpAction::Trap), ("SCMP_ACT_NOTIFY", ScmpAction::Notify), ("SCMP_ACT_ERRNO", ScmpAction::Errno(10)), ("SCMP_ACT_TRACE", ScmpAction::Trace(10)), ("SCMP_ACT_LOG", ScmpAction::Log), ("SCMP_ACT_ALLOW", ScmpAction::Allow), ]; for data in test_data { if data.0 == "SCMP_ACT_ERRNO" || data.0 == "SCMP_ACT_TRACE" { assert_eq!( ScmpAction::from_sys(ScmpAction::from_str(data.0, Some(10)).unwrap().to_sys()) .unwrap(), data.1 ); } else { assert_eq!( ScmpAction::from_sys(ScmpAction::from_str(data.0, None).unwrap().to_sys()) .unwrap(), data.1 ); } } assert!(ScmpAction::from_str("SCMP_ACT_ERRNO", None).is_err()); assert!(ScmpAction::from_str("SCMP_ACT_TRACE", None).is_err()); assert!(ScmpAction::from_str("SCMP_INVALID_FLAG", None).is_err()); assert!(ScmpAction::from_sys(0x00010000).is_err()); } } libseccomp-0.3.0/src/api.rs000064400000000000000000000076340072674642500137140ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use super::cvt; use crate::error::{Result, SeccompError}; use crate::version::ensure_supported_version; use crate::{check_version, ScmpVersion}; use libseccomp_sys::*; /// Sets the API level forcibly. /// /// General use of this function is strongly discouraged. /// See the [`seccomp_api_get(3)`] man page for details on available API levels. /// /// [`seccomp_api_get(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_api_get.3.html /// /// This function corresponds to /// [`seccomp_api_set`](https://www.man7.org/linux/man-pages/man3/seccomp_api_set.3.html). /// /// # Arguments /// /// * `level` - The API level /// /// # Errors /// /// If the API level can not be detected due to the library being older than v2.4.0, /// an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// set_api(1)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_api(level: u32) -> Result<()> { cvt(unsafe { seccomp_api_set(level) })?; Ok(()) } /// Gets the API level supported by the system. /// /// See the [`seccomp_api_get(3)`] man page for details on available API levels. /// /// [`seccomp_api_get(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_api_get.3.html /// /// This function corresponds to /// [`seccomp_api_get`](https://www.man7.org/linux/man-pages/man3/seccomp_api_get.3.html). /// /// # Examples /// /// ``` /// # use libseccomp::*; /// set_api(1)?; /// assert_eq!(get_api(), 1); /// # Ok::<(), Box>(()) /// ``` pub fn get_api() -> u32 { unsafe { seccomp_api_get() } } /// Checks that both the libseccomp API level and the libseccomp version being /// used are equal to or greater than the specified API level and version. /// /// This function returns `Ok(true)` if both the libseccomp API level and the /// libseccomp version are equal to or greater than the specified API level and /// version, `Ok(false)` otherwise. /// /// # Arguments /// /// * `min_level` - The libseccomp API level you want to check /// * `expected` - The libseccomp version you want to check /// /// # Errors /// /// If an issue is encountered getting the current API level or version, /// an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// assert!(check_api(3, ScmpVersion::from((2, 4, 0)))?); /// # Ok::<(), Box>(()) /// ``` pub fn check_api(min_level: u32, expected: ScmpVersion) -> Result { let level = get_api(); if level >= min_level && check_version(expected)? { Ok(true) } else { Ok(false) } } /// Ensures that both the libseccomp API level and the libseccomp version are /// equal to or greater than the specified API level and version. /// /// # Arguments /// /// * `msg` - An arbitrary non-empty operation description, used as a part /// of the error message returned. /// * `min_level` - The libseccomp API level you want to check /// * `expected` - The libseccomp version you want to check /// /// # Errors /// /// If the libseccomp API level and the libseccomp version being used are less than /// the specified version, an error will be returned. pub(crate) fn ensure_supported_api(msg: &str, min_level: u32, expected: ScmpVersion) -> Result<()> { let level = get_api(); if level >= min_level { ensure_supported_version(msg, expected) } else { let current = ScmpVersion::current()?; Err(SeccompError::with_msg(format!( "{} requires libseccomp >= {} and API level >= {} (current version: {}, API level: {})", msg, expected, min_level, current, level ))) } } #[cfg(test)] mod tests { use super::*; #[test] fn test_ensure_supported_api() { assert!(ensure_supported_api("test", 3, ScmpVersion::from((2, 4, 0))).is_ok()); assert!(ensure_supported_api("test", 100, ScmpVersion::from((2, 4, 0))).is_err()); } } libseccomp-0.3.0/src/arch.rs000064400000000000000000000161150072674642500140520ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::ErrorKind::*; use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::str::FromStr; /// Represents a CPU architecture. /// Seccomp can restrict syscalls on a per-architecture basis. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub enum ScmpArch { /// The native architecture token Native, /// The x86 (32-bit) architecture token X86, /// The x86-64 (64-bit) architecture token X8664, /// The x32 (32-bit x86_64) architecture token X32, /// The ARM architecture token Arm, /// The AARCH64 architecture token Aarch64, /// The MIPS architecture token Mips, /// The MIPS (64-bit) architecture token Mips64, /// The MIPS64N32 architecture token Mips64N32, /// The MIPSEL architecture token Mipsel, /// The MIPSEL (64-bit) architecture token Mipsel64, /// The MIPSEL64N32 architecture token Mipsel64N32, /// The PowerPC architecture token Ppc, /// The PowerPC (64-bit) architecture token Ppc64, /// The PowerPC64LE architecture token Ppc64Le, /// The S390 architecture token S390, /// The S390X architecture token S390X, /// The PA-RISC hppa architecture token Parisc, /// The PA-RISC (64-bit) hppa architecture token Parisc64, /// The RISC-V architecture token Riscv64, } impl ScmpArch { pub(crate) fn to_sys(self) -> u32 { match self { Self::Native => SCMP_ARCH_NATIVE, Self::X86 => SCMP_ARCH_X86, Self::X8664 => SCMP_ARCH_X86_64, Self::X32 => SCMP_ARCH_X32, Self::Arm => SCMP_ARCH_ARM, Self::Aarch64 => SCMP_ARCH_AARCH64, Self::Mips => SCMP_ARCH_MIPS, Self::Mips64 => SCMP_ARCH_MIPS64, Self::Mips64N32 => SCMP_ARCH_MIPS64N32, Self::Mipsel => SCMP_ARCH_MIPSEL, Self::Mipsel64 => SCMP_ARCH_MIPSEL64, Self::Mipsel64N32 => SCMP_ARCH_MIPSEL64N32, Self::Ppc => SCMP_ARCH_PPC, Self::Ppc64 => SCMP_ARCH_PPC64, Self::Ppc64Le => SCMP_ARCH_PPC64LE, Self::S390 => SCMP_ARCH_S390, Self::S390X => SCMP_ARCH_S390X, Self::Parisc => SCMP_ARCH_PARISC, Self::Parisc64 => SCMP_ARCH_PARISC64, Self::Riscv64 => SCMP_ARCH_RISCV64, } } pub(crate) fn from_sys(arch: u32) -> Result { match arch { SCMP_ARCH_NATIVE => Ok(Self::Native), SCMP_ARCH_X86 => Ok(Self::X86), SCMP_ARCH_X86_64 => Ok(Self::X8664), SCMP_ARCH_X32 => Ok(Self::X32), SCMP_ARCH_ARM => Ok(Self::Arm), SCMP_ARCH_AARCH64 => Ok(Self::Aarch64), SCMP_ARCH_MIPS => Ok(Self::Mips), SCMP_ARCH_MIPS64 => Ok(Self::Mips64), SCMP_ARCH_MIPS64N32 => Ok(Self::Mips64N32), SCMP_ARCH_MIPSEL => Ok(Self::Mipsel), SCMP_ARCH_MIPSEL64 => Ok(Self::Mipsel64), SCMP_ARCH_MIPSEL64N32 => Ok(Self::Mipsel64N32), SCMP_ARCH_PPC => Ok(Self::Ppc), SCMP_ARCH_PPC64 => Ok(Self::Ppc64), SCMP_ARCH_PPC64LE => Ok(Self::Ppc64Le), SCMP_ARCH_S390 => Ok(Self::S390), SCMP_ARCH_S390X => Ok(Self::S390X), SCMP_ARCH_PARISC => Ok(Self::Parisc), SCMP_ARCH_PARISC64 => Ok(Self::Parisc64), SCMP_ARCH_RISCV64 => Ok(Self::Riscv64), _ => Err(SeccompError::new(ParseError)), } } /// Returns the system's native architecture. /// /// This function corresponds to /// [`seccomp_arch_native`](https://man7.org/linux/man-pages/man3/seccomp_arch_native.3.html). /// /// # Panics /// /// This function panics if it can not get the native architecture. pub fn native() -> Self { Self::from_sys(unsafe { seccomp_arch_native() }).expect("Could not get native architecture") } } impl FromStr for ScmpArch { type Err = SeccompError; /// Converts string seccomp architecture to `ScmpArch`. /// /// # Arguments /// /// * `arch` - A string architecture, e.g. `SCMP_ARCH_*`. /// /// See the [`seccomp_arch_add(3)`] man page for details on valid architecture values. /// /// [`seccomp_arch_add(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_arch_add.3.html /// /// # Errors /// /// If an invalid architecture is specified, an error will be returned. fn from_str(arch: &str) -> Result { match arch { "SCMP_ARCH_NATIVE" => Ok(Self::Native), "SCMP_ARCH_X86" => Ok(Self::X86), "SCMP_ARCH_X86_64" => Ok(Self::X8664), "SCMP_ARCH_X32" => Ok(Self::X32), "SCMP_ARCH_ARM" => Ok(Self::Arm), "SCMP_ARCH_AARCH64" => Ok(Self::Aarch64), "SCMP_ARCH_MIPS" => Ok(Self::Mips), "SCMP_ARCH_MIPS64" => Ok(Self::Mips64), "SCMP_ARCH_MIPS64N32" => Ok(Self::Mips64N32), "SCMP_ARCH_MIPSEL" => Ok(Self::Mipsel), "SCMP_ARCH_MIPSEL64" => Ok(Self::Mipsel64), "SCMP_ARCH_MIPSEL64N32" => Ok(Self::Mipsel64N32), "SCMP_ARCH_PPC" => Ok(Self::Ppc), "SCMP_ARCH_PPC64" => Ok(Self::Ppc64), "SCMP_ARCH_PPC64LE" => Ok(Self::Ppc64Le), "SCMP_ARCH_S390" => Ok(Self::S390), "SCMP_ARCH_S390X" => Ok(Self::S390X), "SCMP_ARCH_PARISC" => Ok(Self::Parisc), "SCMP_ARCH_PARISC64" => Ok(Self::Parisc64), "SCMP_ARCH_RISCV64" => Ok(Self::Riscv64), _ => Err(SeccompError::new(ParseError)), } } } #[cfg(test)] mod tests { use super::*; #[test] fn test_parse_arch() { let test_data = [ ("SCMP_ARCH_NATIVE", ScmpArch::Native), ("SCMP_ARCH_X86", ScmpArch::X86), ("SCMP_ARCH_X86_64", ScmpArch::X8664), ("SCMP_ARCH_X32", ScmpArch::X32), ("SCMP_ARCH_ARM", ScmpArch::Arm), ("SCMP_ARCH_AARCH64", ScmpArch::Aarch64), ("SCMP_ARCH_MIPS", ScmpArch::Mips), ("SCMP_ARCH_MIPS64", ScmpArch::Mips64), ("SCMP_ARCH_MIPS64N32", ScmpArch::Mips64N32), ("SCMP_ARCH_MIPSEL", ScmpArch::Mipsel), ("SCMP_ARCH_MIPSEL64", ScmpArch::Mipsel64), ("SCMP_ARCH_MIPSEL64N32", ScmpArch::Mipsel64N32), ("SCMP_ARCH_PPC", ScmpArch::Ppc), ("SCMP_ARCH_PPC64", ScmpArch::Ppc64), ("SCMP_ARCH_PPC64LE", ScmpArch::Ppc64Le), ("SCMP_ARCH_S390", ScmpArch::S390), ("SCMP_ARCH_S390X", ScmpArch::S390X), ("SCMP_ARCH_PARISC", ScmpArch::Parisc), ("SCMP_ARCH_PARISC64", ScmpArch::Parisc64), ("SCMP_ARCH_RISCV64", ScmpArch::Riscv64), ]; for data in test_data { assert_eq!( ScmpArch::from_sys(ScmpArch::from_str(data.0).unwrap().to_sys()).unwrap(), data.1 ); } assert!(ScmpArch::from_str("SCMP_INVALID_FLAG").is_err()); assert!(ScmpArch::from_sys(1).is_err()); } } libseccomp-0.3.0/src/arg_compare.rs000064400000000000000000000131220072674642500154070ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::ScmpCompareOp; use libseccomp_sys::*; /// Represents a rule in a libseccomp filter context. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[repr(transparent)] pub struct ScmpArgCompare(scmp_arg_cmp); impl ScmpArgCompare { /// Creates and returns a new condition to attach to a filter rule. /// /// The rule will match if the comparison of argument `arg` (zero-indexed argument /// of the syscall) with the value provided by `datum` using the compare operator /// provided by `op` is true. /// /// You can use the [`scmp_cmp!`](crate::scmp_cmp) macro instead of this to create /// `ScmpArgCompare` in a more elegant way. /// /// # Arguments /// /// * `arg` - The number of the argument /// * `op` - A comparison operator /// * `datum` - A value to compare to #[must_use] pub const fn new(arg: u32, op: ScmpCompareOp, datum: u64) -> Self { if let ScmpCompareOp::MaskedEqual(mask) = op { Self(scmp_arg_cmp { arg, op: op.to_sys(), datum_a: mask, datum_b: datum, }) } else { Self(scmp_arg_cmp { arg, op: op.to_sys(), datum_a: datum, datum_b: 0, }) } } } impl From for scmp_arg_cmp { fn from(v: ScmpArgCompare) -> scmp_arg_cmp { v.0 } } impl From<&ScmpArgCompare> for scmp_arg_cmp { fn from(v: &ScmpArgCompare) -> scmp_arg_cmp { v.0 } } #[rustfmt::skip] #[doc(hidden)] #[macro_export] macro_rules! __private_scmp_cmp_arg { (arg0) => { 0 }; (arg1) => { 1 }; (arg2) => { 2 }; (arg3) => { 3 }; (arg4) => { 4 }; (arg5) => { 5 }; } /// A macro to create [`ScmpArgCompare`] in a more elegant way. /// /// ``` /// use libseccomp::{ScmpArgCompare, ScmpCompareOp, scmp_cmp}; /// /// assert_eq!( /// scmp_cmp!($arg0 != 123), /// ScmpArgCompare::new(0, ScmpCompareOp::NotEqual, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg1 < 123), /// ScmpArgCompare::new(1, ScmpCompareOp::Less, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg2 <= 123), /// ScmpArgCompare::new(2, ScmpCompareOp::LessOrEqual, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg3 == 123), /// ScmpArgCompare::new(3, ScmpCompareOp::Equal, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg4 >= 123), /// ScmpArgCompare::new(4, ScmpCompareOp::GreaterEqual, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg5 > 123), /// ScmpArgCompare::new(5, ScmpCompareOp::Greater, 123), /// ); /// assert_eq!( /// scmp_cmp!($arg0 & 0x0f0 == 123), /// ScmpArgCompare::new(0, ScmpCompareOp::MaskedEqual(0x0f0), 123), /// ); /// ``` #[macro_export] macro_rules! scmp_cmp { ($_:tt $arg:tt != $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::NotEqual, $datum, ) }; ($_:tt $arg:tt < $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::Less, $datum, ) }; ($_:tt $arg:tt <= $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::LessOrEqual, $datum, ) }; ($_:tt $arg:tt == $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::Equal, $datum, ) }; ($_:tt $arg:tt >= $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::GreaterEqual, $datum, ) }; ($_:tt $arg:tt > $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::Greater, $datum, ) }; ($_:tt $arg:tt & $mask:tt == $datum:expr) => { $crate::ScmpArgCompare::new( $crate::__private_scmp_cmp_arg!($arg), $crate::ScmpCompareOp::MaskedEqual( #[allow(unused_parens)] $mask, ), $datum, ) }; } #[cfg(test)] mod tests { use super::*; #[test] fn test_scmpargcompare() { assert_eq!( ScmpArgCompare::new(0, ScmpCompareOp::NotEqual, 8), ScmpArgCompare(scmp_arg_cmp { arg: 0, op: scmp_compare::SCMP_CMP_NE, datum_a: 8, datum_b: 0, }) ); assert_eq!( ScmpArgCompare::new(0, ScmpCompareOp::MaskedEqual(0b0010), 2), ScmpArgCompare(scmp_arg_cmp { arg: 0, op: scmp_compare::SCMP_CMP_MASKED_EQ, datum_a: 0b0010, datum_b: 2, }) ); assert_eq!( scmp_arg_cmp::from(ScmpArgCompare::new(0, ScmpCompareOp::NotEqual, 8)), scmp_arg_cmp { arg: 0, op: scmp_compare::SCMP_CMP_NE, datum_a: 8, datum_b: 0, } ); assert_eq!( scmp_arg_cmp::from(&ScmpArgCompare::new(0, ScmpCompareOp::NotEqual, 8)), scmp_arg_cmp { arg: 0, op: scmp_compare::SCMP_CMP_NE, datum_a: 8, datum_b: 0, } ); } } libseccomp-0.3.0/src/compare_op.rs000064400000000000000000000063410072674642500152610ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::ErrorKind::*; use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::str::FromStr; /// Represents a comparison operator which can be used in a filter rule. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub enum ScmpCompareOp { /// Not equal NotEqual, /// Less than Less, /// Less than or equal LessOrEqual, /// Equal Equal, /// Greater than or equal GreaterEqual, /// Greater than Greater, /// Masked equality /// /// This works like `Equal` with the exception that the syscall argument is /// masked with `mask` via an bitwise AND (i.e. you can check specific bits in the /// argument). MaskedEqual(#[doc = "mask"] u64), } impl ScmpCompareOp { pub(crate) const fn to_sys(self) -> scmp_compare { match self { Self::NotEqual => scmp_compare::SCMP_CMP_NE, Self::Less => scmp_compare::SCMP_CMP_LT, Self::LessOrEqual => scmp_compare::SCMP_CMP_LE, Self::Equal => scmp_compare::SCMP_CMP_EQ, Self::GreaterEqual => scmp_compare::SCMP_CMP_GE, Self::Greater => scmp_compare::SCMP_CMP_GT, Self::MaskedEqual(_) => scmp_compare::SCMP_CMP_MASKED_EQ, } } } impl FromStr for ScmpCompareOp { type Err = SeccompError; /// Converts string seccomp comparison operator to `ScmpCompareOp`. /// /// # Arguments /// /// * `cmp_op` - A string comparison operator, e.g. `SCMP_CMP_*`. /// /// See the [`seccomp_rule_add(3)`] man page for details on valid comparison operator values. /// /// [`seccomp_rule_add(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_rule_add.3.html /// /// # Errors /// /// If an invalid comparison operator is specified, an error will be returned. fn from_str(cmp_op: &str) -> Result { match cmp_op { "SCMP_CMP_NE" => Ok(Self::NotEqual), "SCMP_CMP_LT" => Ok(Self::Less), "SCMP_CMP_LE" => Ok(Self::LessOrEqual), "SCMP_CMP_EQ" => Ok(Self::Equal), "SCMP_CMP_GE" => Ok(Self::GreaterEqual), "SCMP_CMP_GT" => Ok(Self::Greater), "SCMP_CMP_MASKED_EQ" => Ok(Self::MaskedEqual(u64::default())), _ => Err(SeccompError::new(ParseError)), } } } #[cfg(test)] mod tests { use super::*; #[test] fn test_parse_compare_op() { let test_data = [ ("SCMP_CMP_NE", ScmpCompareOp::NotEqual), ("SCMP_CMP_LT", ScmpCompareOp::Less), ("SCMP_CMP_LE", ScmpCompareOp::LessOrEqual), ("SCMP_CMP_EQ", ScmpCompareOp::Equal), ("SCMP_CMP_GE", ScmpCompareOp::GreaterEqual), ("SCMP_CMP_GT", ScmpCompareOp::Greater), ( "SCMP_CMP_MASKED_EQ", ScmpCompareOp::MaskedEqual(u64::default()), ), ]; for data in test_data { assert_eq!( ScmpCompareOp::from_str(data.0).unwrap().to_sys(), data.1.to_sys() ); } assert!(ScmpCompareOp::from_str("SCMP_INVALID_FLAG").is_err()); } } libseccomp-0.3.0/src/error.rs000064400000000000000000000302010072674642500142560ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use std::borrow::Cow; use std::error::Error; use std::fmt; use std::ops::Deref; pub(crate) type Result = std::result::Result; // ParseError message const PARSE_ERROR: &str = "Parse error by invalid argument"; /// Errnos returned by the libseccomp API. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] // https://github.com/seccomp/libseccomp/blob/3c0dedd45713d7928c459b6523b78f4cfd435269/src/api.c#L60 pub enum SeccompErrno { /// The library doesn't permit the particular operation. EACCES, /// There was a system failure beyond the control of libseccomp. ECANCELED, /// Architecture/ABI specific failure. EDOM, /// Failure regrading the existence of argument. EEXIST, /// Internal libseccomp failure. EFAULT, /// Invalid input to the libseccomp API. EINVAL, /// No matching entry found. ENOENT, /// Unable to allocate enough memory to perform the requested operation. ENOMEM, /// The library doesn't support the particular operation. EOPNOTSUPP, /// Provided buffer is too small. ERANGE, /// Unable to load the filter due to thread issues. ESRCH, } impl SeccompErrno { fn strerror(&self) -> &'static str { use SeccompErrno::*; match self { EACCES => "The library doesn't permit the particular operation", ECANCELED => "There was a system failure beyond the control of libseccomp", EDOM => "Architecture/ABI specific failure", EEXIST => "Failure regrading the existence of argument", EFAULT => "Internal libseccomp failure", EINVAL => "Invalid input to the libseccomp API", ENOENT => "No matching entry found", ENOMEM => "Unable to allocate enough memory to perform the requested operation", EOPNOTSUPP => "The library doesn't support the particular operation", ERANGE => "Provided buffer is too small", ESRCH => "Unable to load the filter due to thread issues", } } } impl fmt::Display for SeccompErrno { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str(self.strerror()) } } /// A list specifying different categories of error. #[derive(Debug, PartialEq, Eq, Hash)] #[non_exhaustive] pub(crate) enum ErrorKind { /// An error that represents error code on failure of the libseccomp API. Errno(SeccompErrno), /// A parse error occurred while trying to convert a value. ParseError, /// A lower-level error that is caused by an error from a lower-level module. Source, /// A custom error that does not fall under any other error kind. Common(Cow<'static, str>), } /// The error type for libseccomp operations. pub struct SeccompError { kind: ErrorKind, source: Option>, } impl SeccompError { pub(crate) fn new(kind: ErrorKind) -> Self { Self { kind, source: None } } pub(crate) fn with_source(kind: ErrorKind, source: E) -> Self where E: Error + Send + Sync + 'static, { Self { kind, source: Some(Box::new(source)), } } pub(crate) fn with_msg(msg: M) -> Self where M: Into>, { Self { kind: ErrorKind::Common(msg.into()), source: None, } } #[allow(dead_code)] pub(crate) fn with_msg_and_source(msg: M, source: E) -> Self where M: Into>, E: Error + Send + Sync + 'static, { Self { kind: ErrorKind::Common(msg.into()), source: Some(Box::new(source)), } } pub(crate) fn from_errno(raw_errno: i32) -> Self { let seccomp_errno = match -raw_errno { libc::EACCES => SeccompErrno::EACCES, libc::ECANCELED => SeccompErrno::ECANCELED, libc::EDOM => SeccompErrno::EDOM, libc::EEXIST => SeccompErrno::EEXIST, libc::EFAULT => SeccompErrno::EFAULT, libc::EINVAL => SeccompErrno::EINVAL, libc::ENOENT => SeccompErrno::ENOENT, libc::ENOMEM => SeccompErrno::ENOMEM, libc::EOPNOTSUPP => SeccompErrno::EOPNOTSUPP, libc::ERANGE => SeccompErrno::ERANGE, libc::ESRCH => SeccompErrno::ESRCH, _ => { return Self::with_msg(format!( "libseccomp-rs error: errno {} not handled.", raw_errno, )) } }; Self::new(ErrorKind::Errno(seccomp_errno)) } /// Query the errno returned by the libseccomp API. pub fn errno(&self) -> Option { if let ErrorKind::Errno(errno) = self.kind { Some(errno) } else { None } } fn msg(&self) -> Cow<'_, str> { match &self.kind { ErrorKind::Errno(e) => e.strerror().into(), ErrorKind::Common(s) => s.deref().into(), ErrorKind::ParseError => PARSE_ERROR.into(), ErrorKind::Source => self.source.as_ref().unwrap().to_string().into(), } } } impl fmt::Display for SeccompError { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { let msg = self.msg(); match &self.source { Some(source) if self.kind != ErrorKind::Source => { write!(f, "{} caused by: {}", msg, source) } Some(_) | None => { write!(f, "{}", msg) } } } } impl fmt::Debug for SeccompError { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.debug_struct("Error") .field("kind", &self.kind) .field("source", &self.source) .field("message", &self.msg()) .finish() } } impl Error for SeccompError { fn source(&self) -> Option<&(dyn Error + 'static)> { match &self.source { Some(error) => Some(error.as_ref()), None => None, } } } /* Does not work without specialization (RFC 1210) or negative trait bounds impl From for SeccompError { fn from(err: T) -> Self { Self::with_source(ErrorKind::Source, err) } } */ macro_rules! impl_seccomperror_from { ($errty:ty) => { impl From<$errty> for SeccompError { fn from(err: $errty) -> Self { Self::with_source(ErrorKind::Source, err) } } }; } impl_seccomperror_from!(std::ffi::NulError); impl_seccomperror_from!(std::num::TryFromIntError); impl_seccomperror_from!(std::str::Utf8Error); #[cfg(test)] mod tests { use super::ErrorKind::*; use super::*; use std::ffi::CString; const TEST_ERR_MSG: &str = "test error"; const TEST_NULL_STR: &str = "f\0oo"; const NULL_ERR_MSG: &str = "nul byte found in provided data at position: 1"; #[test] fn test_msg() { let null_err = CString::new(TEST_NULL_STR).unwrap_err(); // Errno assert_eq!( SeccompError::from_errno(-libc::EACCES).msg(), SeccompErrno::EACCES.strerror() ); assert_eq!( SeccompError::from_errno(-libc::ECANCELED).msg(), SeccompErrno::ECANCELED.strerror() ); assert_eq!( SeccompError::from_errno(-libc::EDOM).msg(), SeccompErrno::EDOM.strerror() ); assert_eq!( SeccompError::from_errno(-libc::EEXIST).msg(), SeccompErrno::EEXIST.strerror() ); assert_eq!( SeccompError::from_errno(-libc::EFAULT).msg(), SeccompErrno::EFAULT.strerror() ); assert_eq!( SeccompError::from_errno(-libc::EINVAL).msg(), SeccompErrno::EINVAL.strerror() ); assert_eq!( SeccompError::from_errno(-libc::ENOENT).msg(), SeccompErrno::ENOENT.strerror() ); assert_eq!( SeccompError::from_errno(-libc::ENOMEM).msg(), SeccompErrno::ENOMEM.strerror() ); assert_eq!( SeccompError::new(Errno(SeccompErrno::EOPNOTSUPP)).msg(), SeccompErrno::EOPNOTSUPP.strerror(), ); assert_eq!( SeccompError::from_errno(-libc::ERANGE).msg(), SeccompErrno::ERANGE.strerror() ); assert_eq!( SeccompError::from_errno(-libc::ESRCH).msg(), SeccompErrno::ESRCH.strerror() ); assert_eq!( SeccompError::from_errno(-libc::EPIPE).msg(), format!("libseccomp-rs error: errno {} not handled.", -libc::EPIPE) ); // Common assert_eq!( SeccompError::new(Common(TEST_ERR_MSG.into())).msg(), TEST_ERR_MSG ); // ParseError assert_eq!(SeccompError::new(ParseError).msg(), PARSE_ERROR); // Source assert_eq!( SeccompError::with_source(Source, null_err).msg(), NULL_ERR_MSG ); } #[test] fn test_source() { let null_err = CString::new(TEST_NULL_STR).unwrap_err(); assert!(SeccompError::new(Errno(SeccompErrno::EACCES)) .source() .is_none()); assert!( SeccompError::with_source(Errno(SeccompErrno::EACCES), null_err) .source() .is_some() ); } #[test] fn test_from() { let null_err = CString::new(TEST_NULL_STR).unwrap_err(); let scmp_err = SeccompError::from(null_err.clone()); assert_eq!(scmp_err.kind, ErrorKind::Source); assert_eq!(scmp_err.source().unwrap().to_string(), null_err.to_string()); } #[test] fn test_display() { let null_err = CString::new(TEST_NULL_STR).unwrap_err(); // Errno without source assert_eq!( format!("{}", SeccompError::new(Errno(SeccompErrno::EACCES))), SeccompErrno::EACCES.strerror() ); // Errno with source assert_eq!( format!( "{}", SeccompError::with_source(Errno(SeccompErrno::EACCES), null_err.clone()) ), format!( "{} caused by: {}", SeccompErrno::EACCES.strerror(), NULL_ERR_MSG ) ); // Common without source assert_eq!( format!("{}", SeccompError::new(Common(TEST_ERR_MSG.into()))), TEST_ERR_MSG ); // Common with source assert_eq!( format!( "{}", SeccompError::with_source(Common(TEST_ERR_MSG.into()), null_err.clone()) ), format!("{} caused by: {}", TEST_ERR_MSG, NULL_ERR_MSG) ); // Parse without source assert_eq!(format!("{}", SeccompError::new(ParseError)), PARSE_ERROR); // Parse with source assert_eq!( format!( "{}", SeccompError::with_source(ParseError, null_err.clone()) ), format!("{} caused by: {}", PARSE_ERROR, NULL_ERR_MSG) ); // Source assert_eq!( format!("{}", SeccompError::with_source(ErrorKind::Source, null_err)), NULL_ERR_MSG ); } #[test] fn test_debug() { let null_err = CString::new(TEST_NULL_STR).unwrap_err(); // Errno without source assert_eq!( format!("{:?}", SeccompError::new(Errno(SeccompErrno::EACCES))), format!( "Error {{ kind: Errno({}), source: {}, message: \"{}\" }}", "EACCES", "None", SeccompErrno::EACCES.strerror() ) ); // Errno with source assert_eq!( format!( "{:?}", SeccompError::with_source(Errno(SeccompErrno::EACCES), null_err), ), format!( "Error {{ kind: Errno({}), source: {}, message: \"{}\" }}", "EACCES", "Some(NulError(1, [102, 0, 111, 111]))", SeccompErrno::EACCES.strerror() ) ); } } libseccomp-0.3.0/src/filter_attr.rs000064400000000000000000000112160072674642500154510ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::ErrorKind::*; use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::str::FromStr; /// Represents filter attributes. /// /// You can set/get the attributes of a filter context with /// [`ScmpFilterContext::set_filter_attr`](crate::ScmpFilterContext::set_filter_attr) /// and [`ScmpFilterContext::get_filter_attr`](crate::ScmpFilterContext::get_filter_attr) /// methods. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub enum ScmpFilterAttr { /// The default filter action as specified in the call to seccomp reset. ActDefault, /// The filter action taken when the loaded filter does not /// match the architecture of the executing application. ActBadArch, /// A flag to specify if the NO_NEW_PRIVS functionality should /// be enabled before loading the seccomp filter into the kernel. CtlNnp, /// A flag to specify if the kernel should attempt to /// synchronize the filters across all threads on seccomp load. CtlTsync, /// A flag to specify if the libseccomp should allow filter rules /// to be created for the -1 syscall. ApiTskip, /// A flag to specify if the kernel should log all filter /// actions taken except for the [`ScmpAction::Allow`](crate::ScmpAction::Allow) action. CtlLog, /// A flag to disable Speculative Store Bypass mitigations for /// this filter. CtlSsb, /// A flag to specify the optimization level of the seccomp /// filter. CtlOptimize, /// A flag to specify if the libseccomp should pass system error /// codes back to the caller instead of the default -ECANCELED. ApiSysRawRc, } impl ScmpFilterAttr { pub(crate) fn to_sys(self) -> scmp_filter_attr { match self { Self::ActDefault => scmp_filter_attr::SCMP_FLTATR_ACT_DEFAULT, Self::ActBadArch => scmp_filter_attr::SCMP_FLTATR_ACT_BADARCH, Self::CtlNnp => scmp_filter_attr::SCMP_FLTATR_CTL_NNP, Self::CtlTsync => scmp_filter_attr::SCMP_FLTATR_CTL_TSYNC, Self::ApiTskip => scmp_filter_attr::SCMP_FLTATR_API_TSKIP, Self::CtlLog => scmp_filter_attr::SCMP_FLTATR_CTL_LOG, Self::CtlSsb => scmp_filter_attr::SCMP_FLTATR_CTL_SSB, Self::CtlOptimize => scmp_filter_attr::SCMP_FLTATR_CTL_OPTIMIZE, Self::ApiSysRawRc => scmp_filter_attr::SCMP_FLTATR_API_SYSRAWRC, } } } impl FromStr for ScmpFilterAttr { type Err = SeccompError; /// Converts string seccomp filter attribute to `ScmpFilterAttr`. /// /// # Arguments /// /// * `attr` - A string filter attribute, e.g. `SCMP_FLTATR_*`. /// /// See the [`seccomp_attr_set(3)`] man page for details on valid filter attribute values. /// /// [`seccomp_attr_set(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_attr_set.3.html /// /// # Errors /// /// If an invalid filter attribute is specified, an error will be returned. fn from_str(attr: &str) -> Result { match attr { "SCMP_FLTATR_ACT_DEFAULT" => Ok(Self::ActDefault), "SCMP_FLTATR_ACT_BADARCH" => Ok(Self::ActBadArch), "SCMP_FLTATR_CTL_NNP" => Ok(Self::CtlNnp), "SCMP_FLTATR_CTL_TSYNC" => Ok(Self::CtlTsync), "SCMP_FLTATR_API_TSKIP" => Ok(Self::ApiTskip), "SCMP_FLTATR_CTL_LOG" => Ok(Self::CtlLog), "SCMP_FLTATR_CTL_SSB" => Ok(Self::CtlSsb), "SCMP_FLTATR_CTL_OPTIMIZE" => Ok(Self::CtlOptimize), "SCMP_FLTATR_API_SYSRAWRC" => Ok(Self::ApiSysRawRc), _ => Err(SeccompError::new(ParseError)), } } } #[cfg(test)] mod tests { use super::*; #[test] fn test_parse_filter_attr() { let test_data = [ ("SCMP_FLTATR_ACT_DEFAULT", ScmpFilterAttr::ActDefault), ("SCMP_FLTATR_ACT_BADARCH", ScmpFilterAttr::ActBadArch), ("SCMP_FLTATR_CTL_NNP", ScmpFilterAttr::CtlNnp), ("SCMP_FLTATR_CTL_TSYNC", ScmpFilterAttr::CtlTsync), ("SCMP_FLTATR_API_TSKIP", ScmpFilterAttr::ApiTskip), ("SCMP_FLTATR_CTL_LOG", ScmpFilterAttr::CtlLog), ("SCMP_FLTATR_CTL_SSB", ScmpFilterAttr::CtlSsb), ("SCMP_FLTATR_CTL_OPTIMIZE", ScmpFilterAttr::CtlOptimize), ("SCMP_FLTATR_API_SYSRAWRC", ScmpFilterAttr::ApiSysRawRc), ]; for data in test_data { assert_eq!( ScmpFilterAttr::from_str(data.0).unwrap().to_sys(), data.1.to_sys() ); } assert!(ScmpFilterAttr::from_str("SCMP_INVALID_FLAG").is_err()); } } libseccomp-0.3.0/src/filter_context.rs000064400000000000000000001213130072674642500161630ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::api::ensure_supported_api; use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::os::unix::io::AsRawFd; use std::ptr::NonNull; use crate::*; const MINUS_EEXIST: i32 = -libc::EEXIST; /// **Represents a filter context in the libseccomp.** #[derive(Debug)] pub struct ScmpFilterContext { ctx: NonNull, } impl ScmpFilterContext { /// Creates and returns a new filter context. /// /// This initializes the internal seccomp filter state and should /// be called before any other functions in this crate to ensure the filter /// state is initialized. /// /// This function returns a valid filter context. /// /// This function corresponds to /// [`seccomp_init`](https://man7.org/linux/man-pages/man3/seccomp_init.3.html). /// /// # Arguments /// /// * `default_action` - A default action to be taken for syscalls which match no rules in the filter /// /// # Errors /// /// If the filter context can not be created, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # Ok::<(), Box>(()) /// ``` pub fn new_filter(default_action: ScmpAction) -> Result { let ctx_ptr = unsafe { seccomp_init(default_action.to_sys()) }; let ctx = NonNull::new(ctx_ptr) .ok_or_else(|| SeccompError::with_msg("Could not create new filter"))?; Ok(Self { ctx }) } /// Merges two filters. /// /// In order to merge two seccomp filters, both filters must have the same /// attribute values and no overlapping architectures. /// If successful, the `src` seccomp filter is released and all internal memory /// associated with the filter is freed. /// /// This function corresponds to /// [`seccomp_merge`](https://man7.org/linux/man-pages/man3/seccomp_merge.3.html). /// /// # Arguments /// /// * `src` - A seccomp filter that will be merged into the filter this is called on. /// /// # Errors /// /// If merging the filters fails, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx1 = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let mut ctx2 = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// if !ctx1.is_arch_present(ScmpArch::X8664)? { /// ctx1.add_arch(ScmpArch::X8664)?; /// ctx1.remove_arch(ScmpArch::Native)?; /// } /// if !ctx2.is_arch_present(ScmpArch::Aarch64)? { /// ctx2.add_arch(ScmpArch::Aarch64)?; /// ctx2.remove_arch(ScmpArch::Native)?; /// } /// ctx1.merge(ctx2)?; /// # Ok::<(), Box>(()) /// ``` pub fn merge(&mut self, src: Self) -> Result<()> { cvt(unsafe { seccomp_merge(self.ctx.as_ptr(), src.ctx.as_ptr()) })?; // The src filter is already released. std::mem::forget(src); Ok(()) } /// Checks if an architecture is present in a filter. /// /// If a filter contains an architecture, it uses its default action for /// syscalls which do not match rules in it, and its rules can match syscalls /// for that ABI. /// If a filter does not contain an architecture, all syscalls made to that /// kernel ABI will fail with the filter's default Bad Architecture Action /// (by default, killing the proc). /// /// This function returns `Ok(true)` if the architecture is present in the filter, /// `Ok(false)` otherwise. /// /// This function corresponds to /// [`seccomp_arch_exist`](https://man7.org/linux/man-pages/man3/seccomp_arch_exist.3.html). /// /// # Arguments /// /// * `arch` - An architecture token /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered calling to the libseccomp API, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.add_arch(ScmpArch::Aarch64)?; /// assert!(ctx.is_arch_present(ScmpArch::Aarch64)?); /// # Ok::<(), Box>(()) /// ``` pub fn is_arch_present(&self, arch: ScmpArch) -> Result { match unsafe { seccomp_arch_exist(self.ctx.as_ptr(), arch.to_sys()) } { 0 => Ok(true), MINUS_EEXIST => Ok(false), errno => Err(SeccompError::from_errno(errno)), } } /// Adds an architecture to the filter. /// /// This function returns `Ok(true)` if the architecture was added to the /// filter and `Ok(false)` if the architecture was already present in the /// filter. /// /// This function corresponds to /// [`seccomp_arch_add`](https://man7.org/linux/man-pages/man3/seccomp_arch_add.3.html). /// /// # Arguments /// /// * `arch` - An architecture token /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered adding the architecture, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.add_arch(ScmpArch::X86)?; /// # Ok::<(), Box>(()) /// ``` pub fn add_arch(&mut self, arch: ScmpArch) -> Result { match unsafe { seccomp_arch_add(self.ctx.as_ptr(), arch.to_sys()) } { 0 => Ok(true), MINUS_EEXIST => Ok(false), errno => Err(SeccompError::from_errno(errno)), } } /// Removes an architecture from the filter. /// /// This function returns `Ok(true)` if the architecture was removed from /// the filter and `Ok(false)` if the architecture wasn't present in the /// filter. /// /// This function corresponds to /// [`seccomp_arch_remove`](https://man7.org/linux/man-pages/man3/seccomp_arch_remove.3.html). /// /// # Arguments /// /// * `arch` - An architecture token /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered removing the architecture, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.add_arch(ScmpArch::X86)?; /// ctx.remove_arch(ScmpArch::X86)?; /// # Ok::<(), Box>(()) /// ``` pub fn remove_arch(&mut self, arch: ScmpArch) -> Result { match unsafe { seccomp_arch_remove(self.ctx.as_ptr(), arch.to_sys()) } { 0 => Ok(true), MINUS_EEXIST => Ok(false), errno => Err(SeccompError::from_errno(errno)), } } /// Adds a single rule for an unconditional action on a syscall. /// /// If the specified rule needs to be rewritten due to architecture specifics, /// it will be rewritten without notification. /// /// This function corresponds to /// [`seccomp_rule_add`](https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html). /// /// # Arguments /// /// * `action` - An action to be taken on the call being made /// * `syscall` - The number of syscall /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered adding the rule, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("ptrace")?; /// ctx.add_rule(ScmpAction::Errno(libc::EPERM), syscall)?; /// # Ok::<(), Box>(()) /// ``` pub fn add_rule>(&mut self, action: ScmpAction, syscall: S) -> Result<()> { self.add_rule_conditional(action, syscall, &[]) } /// Adds a single rule for a conditional action on a syscall. /// /// If the specified rule needs to be rewritten due to architecture specifics, /// it will be rewritten without notification. /// Comparators are AND'd together (i.e. all must match for the rule to match). /// You can only compare each argument once in a single rule. /// /// This function corresponds to /// [`seccomp_rule_add_array`](https://man7.org/linux/man-pages/man3/seccomp_rule_add_array.3.html). /// /// # Arguments /// /// * `action` - An action to be taken on the call being made /// * `syscall` - The number of syscall /// * `comparators` - An array of the rule in a seccomp filter /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered adding the rule, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("open")?; /// ctx.add_rule_conditional( /// ScmpAction::Errno(libc::EPERM), /// syscall, /// &[scmp_cmp!($arg1 & (libc::O_TRUNC as u64) == libc::O_TRUNC as u64)], /// )?; /// # Ok::<(), Box>(()) /// ``` pub fn add_rule_conditional>( &mut self, action: ScmpAction, syscall: S, comparators: &[ScmpArgCompare], ) -> Result<()> { cvt(unsafe { seccomp_rule_add_array( self.ctx.as_ptr(), action.to_sys(), syscall.into().to_sys(), comparators.len() as u32, comparators.as_ptr().cast::(), ) }) } /// Adds a single rule for an unconditional action on a syscall. /// /// The functions will attempt to add the rule exactly as specified so it may /// behave differently on different architectures. /// If the specified rule can not be represented on the architecture, /// the function will fail. /// /// This function corresponds to /// [`seccomp_rule_add_exact`](https://man7.org/linux/man-pages/man3/seccomp_rule_add_exact.3.html). /// /// # Arguments /// /// * `action` - An action to be taken on the call being made /// * `syscall` - The number of syscall /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered adding the rule, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("dup3")?; /// ctx.add_rule_exact(ScmpAction::KillThread, syscall)?; /// # Ok::<(), Box>(()) /// ``` pub fn add_rule_exact>( &mut self, action: ScmpAction, syscall: S, ) -> Result<()> { self.add_rule_conditional_exact(action, syscall, &[]) } /// Adds a single rule for a conditional action on a syscall. /// /// The functions will attempt to add the rule exactly as specified so it may /// behave differently on different architectures. /// If the specified rule can not be represented on the architecture, /// the function will fail. /// /// This function corresponds to /// [`seccomp_rule_add_exact_array`](https://man7.org/linux/man-pages/man3/seccomp_rule_add_exact_array.3.html). /// /// # Arguments /// /// * `action` - An action to be taken on the call being made /// * `syscall` - The number of syscall /// * `comparators` - An array of the rule in a seccomp filter /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered adding the rule, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("socket")?; /// ctx.add_rule_conditional_exact( /// ScmpAction::Errno(libc::EPERM), /// syscall, /// &[scmp_cmp!($arg1 != libc::AF_UNIX as u64)], /// )?; /// # Ok::<(), Box>(()) /// ``` pub fn add_rule_conditional_exact>( &mut self, action: ScmpAction, syscall: S, comparators: &[ScmpArgCompare], ) -> Result<()> { cvt(unsafe { seccomp_rule_add_exact_array( self.ctx.as_ptr(), action.to_sys(), syscall.into().to_sys(), comparators.len() as u32, comparators.as_ptr().cast::(), ) }) } /// Loads a filter context into the kernel. /// /// If the function succeeds, the new filter will be active when the function returns. /// /// This function corresponds to /// [`seccomp_load`](https://man7.org/linux/man-pages/man3/seccomp_load.3.html). /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered loading the rule, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("dup3")?; /// ctx.add_rule(ScmpAction::KillThread, syscall)?; /// ctx.load()?; /// # Ok::<(), Box>(()) /// ``` pub fn load(&self) -> Result<()> { cvt(unsafe { seccomp_load(self.ctx.as_ptr()) }) } /// Sets a syscall's priority. /// /// This provides a priority hint to the seccomp filter generator in the libseccomp /// such that higher priority syscalls are placed earlier in the seccomp filter code /// so that they incur less overhead at the expense of lower priority syscalls. /// /// This function corresponds to /// [`seccomp_syscall_priority`](https://man7.org/linux/man-pages/man3/seccomp_syscall_priority.3.html). /// /// # Arguments /// /// * `syscall` - The number of syscall /// * `priority` - The priority parameter that is an 8-bit value ranging from 0 to 255; /// a higher value represents a higher priority. /// /// # Errors /// /// If this function is called with an invalid filter or the number of syscall /// is invalid, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let syscall = ScmpSyscall::from_name("open")?; /// ctx.set_syscall_priority(syscall, 100)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_syscall_priority>( &mut self, syscall: S, priority: u8, ) -> Result<()> { cvt(unsafe { seccomp_syscall_priority(self.ctx.as_ptr(), syscall.into().to_sys(), priority) }) } /// Gets a raw filter attribute value. /// /// The seccomp filter attributes are tunable values that affect how the library behaves /// when generating and loading the seccomp filter into the kernel. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Arguments /// /// * `attr` - A seccomp filter attribute /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered retrieving the attribute, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// assert_ne!(ctx.get_filter_attr(ScmpFilterAttr::CtlNnp)?, 0); /// # Ok::<(), Box>(()) /// ``` pub fn get_filter_attr(&self, attr: ScmpFilterAttr) -> Result { let mut attribute: u32 = 0; cvt(unsafe { seccomp_attr_get(self.ctx.as_ptr(), attr.to_sys(), &mut attribute) })?; Ok(attribute) } /// Gets the default action as specified in the call to /// [`new_filter()`](ScmpFilterContext::new_filter) or [`reset()`](ScmpFilterContext::reset). /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered getting the action, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let action = ctx.get_act_default()?; /// assert_eq!(action, ScmpAction::Allow); /// # Ok::<(), Box>(()) /// ``` pub fn get_act_default(&self) -> Result { let ret = self.get_filter_attr(ScmpFilterAttr::ActDefault)?; ScmpAction::from_sys(ret) } /// Gets the default action taken when the loaded filter does not match the architecture /// of the executing application. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered getting the action, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// let action = ctx.get_act_badarch()?; /// assert_eq!(action, ScmpAction::KillThread); /// # Ok::<(), Box>(()) /// ``` pub fn get_act_badarch(&self) -> Result { let ret = self.get_filter_attr(ScmpFilterAttr::ActBadArch)?; ScmpAction::from_sys(ret) } /// Gets the current state of the [`ScmpFilterAttr::CtlNnp`] attribute. /// /// This function returns `Ok(true)` if the [`ScmpFilterAttr::CtlNnp`] attribute is set to on the filter being /// loaded, `Ok(false)` otherwise. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered getting the current state, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_nnp(false)?; /// assert!(!ctx.get_ctl_nnp()?); /// # Ok::<(), Box>(()) /// ``` pub fn get_ctl_nnp(&self) -> Result { let ret = self.get_filter_attr(ScmpFilterAttr::CtlNnp)?; Ok(ret != 0) } /// Deprecated alias for [`ScmpFilterContext::get_ctl_nnp()`]. #[deprecated(since = "0.2.3", note = "Use ScmpFilterContext::get_ctl_nnp().")] pub fn get_no_new_privs_bit(&self) -> Result { self.get_ctl_nnp() } /// Gets the current state of the [`ScmpFilterAttr::CtlTsync`] attribute. /// /// This function returns `Ok(true)` if the [`ScmpFilterAttr::CtlTsync`] attribute set to on the filter being /// loaded, `Ok(false)` otherwise. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// getting the current state, or the libseccomp API level is less than 2, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_tsync(true)?; /// assert!(ctx.get_ctl_tsync()?); /// # Ok::<(), Box>(()) /// ``` pub fn get_ctl_tsync(&self) -> Result { ensure_supported_api("get_ctl_tsync", 2, ScmpVersion::from((2, 2, 0)))?; let ret = self.get_filter_attr(ScmpFilterAttr::CtlTsync)?; Ok(ret != 0) } /// Gets the current state of the [`ScmpFilterAttr::CtlLog`] attribute. /// /// This function returns `Ok(true)` if the [`ScmpFilterAttr::CtlLog`] attribute set to on the filter being /// loaded, `Ok(false)` otherwise. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// getting the current state, or the libseccomp API level is less than 3, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_log(true)?; /// assert!(ctx.get_ctl_log()?); /// # Ok::<(), Box>(()) /// ``` pub fn get_ctl_log(&self) -> Result { ensure_supported_api("get_ctl_log", 3, ScmpVersion::from((2, 4, 0)))?; let ret = self.get_filter_attr(ScmpFilterAttr::CtlLog)?; Ok(ret != 0) } /// Gets the current state of the [`ScmpFilterAttr::CtlSsb`] attribute. /// /// This function returns `Ok(true)` if the [`ScmpFilterAttr::CtlSsb`] attribute set to on the filter being /// loaded, `Ok(false)` otherwise. /// The [`ScmpFilterAttr::CtlSsb`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// getting the current state, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0))).unwrap() { /// ctx.set_ctl_ssb(false)?; /// assert!(!ctx.get_ctl_ssb()?); /// # } /// # Ok::<(), Box>(()) /// ``` pub fn get_ctl_ssb(&self) -> Result { ensure_supported_api("get_ctl_ssb", 4, ScmpVersion::from((2, 5, 0)))?; let ret = self.get_filter_attr(ScmpFilterAttr::CtlSsb)?; Ok(ret != 0) } /// Gets the current optimization level of the [`ScmpFilterAttr::CtlOptimize`] attribute. /// /// See [`set_ctl_optimize()`](ScmpFilterContext::set_ctl_optimize) for more details about /// the optimization level. /// The [`ScmpFilterAttr::CtlOptimize`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// getting the current state, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0)))? { /// ctx.set_ctl_optimize(2)?; /// assert_eq!(ctx.get_ctl_optimize()?, 2); /// # } /// # Ok::<(), Box>(()) /// ``` pub fn get_ctl_optimize(&self) -> Result { ensure_supported_api("get_ctl_optimize", 4, ScmpVersion::from((2, 5, 0)))?; let ret = self.get_filter_attr(ScmpFilterAttr::CtlOptimize)?; Ok(ret) } /// Gets the current state of the [`ScmpFilterAttr::ApiSysRawRc`] attribute. /// /// This function returns `Ok(true)` if the [`ScmpFilterAttr::ApiSysRawRc`] attribute set to on the filter /// being loaded, `Ok(false)` otherwise. /// The [`ScmpFilterAttr::ApiSysRawRc`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// This function corresponds to /// [`seccomp_attr_get`](https://man7.org/linux/man-pages/man3/seccomp_attr_get.3.html). /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// getting the current state, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0)))? { /// ctx.set_api_sysrawrc(true)?; /// assert!(ctx.get_api_sysrawrc()?); /// # } /// # Ok::<(), Box>(()) /// ``` pub fn get_api_sysrawrc(&self) -> Result { ensure_supported_api("get_api_sysrawrc", 4, ScmpVersion::from((2, 5, 0)))?; let ret = self.get_filter_attr(ScmpFilterAttr::ApiSysRawRc)?; Ok(ret != 0) } /// Sets a raw filter attribute value. /// /// The seccomp filter attributes are tunable values that affect how the library behaves /// when generating and loading the seccomp filter into the kernel. /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `attr` - A seccomp filter attribute /// * `value` - A value of or the parameter of the attribute /// /// See the [`seccomp_attr_set(3)`] man page for details on available attribute values. /// /// [`seccomp_attr_set(3)`]: https://www.man7.org/linux/man-pages/man3/seccomp_attr_set.3.html /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered setting the attribute, an error will be returned. pub fn set_filter_attr(&mut self, attr: ScmpFilterAttr, value: u32) -> Result<()> { cvt(unsafe { seccomp_attr_set(self.ctx.as_ptr(), attr.to_sys(), value) }) } /// Sets the default action taken when the loaded filter does not match the architecture /// of the executing application. /// /// Defaults to on (`action` == [`ScmpAction::KillThread`]). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `action` - An action to be taken on a syscall for an architecture not in the filter. /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered setting the attribute, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_act_badarch(ScmpAction::KillProcess)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_act_badarch(&mut self, action: ScmpAction) -> Result<()> { self.set_filter_attr(ScmpFilterAttr::ActBadArch, action.to_sys()) } /// Sets the state of the [`ScmpFilterAttr::CtlNnp`] attribute which will be applied /// on filter load. /// /// Settings this to off (`state` == `false`) means that loading the seccomp filter /// into the kernel fill fail if the `CAP_SYS_ADMIN` is missing. /// /// Defaults to on (`state` == `true`). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `state` - A state flag to specify whether the [`ScmpFilterAttr::CtlNnp`] attribute should be enabled /// /// # Errors /// /// If this function is called with an invalid filter or an issue is /// encountered setting the attribute, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_nnp(false)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_ctl_nnp(&mut self, state: bool) -> Result<()> { self.set_filter_attr(ScmpFilterAttr::CtlNnp, state.into()) } /// Deprecated alias for [`ScmpFilterContext::set_ctl_nnp()`]. #[deprecated(since = "0.2.3", note = "Use ScmpFilterContext::set_ctl_nnp().")] pub fn set_no_new_privs_bit(&mut self, state: bool) -> Result<()> { self.set_ctl_nnp(state) } /// Sets the state of the [`ScmpFilterAttr::CtlTsync`] attribute which will be applied /// on filter load. /// /// Settings this to on (`state` == `true`) means that the kernel should attempt to synchronize the filters /// across all threads on [`ScmpFilterContext::load()`]. /// If the kernel is unable to synchronize all of the thread then the load operation will fail. /// The [`ScmpFilterAttr::CtlTsync`] attribute is only usable when the libseccomp API level 2 or higher /// is supported. /// If the libseccomp API level is less than 6, the [`ScmpFilterAttr::CtlTsync`] attribute is unusable /// with the userspace notification API simultaneously. /// /// Defaults to off (`state` == `false`). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `state` - A state flag to specify whether the [`ScmpFilterAttr::CtlTsync`] attribute should be enabled /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// setting the attribute, or the libseccomp API level is less than 2, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_tsync(true)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_ctl_tsync(&mut self, state: bool) -> Result<()> { ensure_supported_api("set_ctl_tsync", 2, ScmpVersion::from((2, 2, 0)))?; self.set_filter_attr(ScmpFilterAttr::CtlTsync, state.into()) } /// Sets the state of the [`ScmpFilterAttr::CtlLog`] attribute which will be applied on filter load. /// /// Settings this to on (`state` == `true`) means that the kernel should log all filter /// actions taken except for the [`ScmpAction::Allow`] action. /// The [`ScmpFilterAttr::CtlLog`] attribute is only usable when the libseccomp API level 3 or higher /// is supported. /// /// Defaults to off (`state` == `false`). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `state` - A state flag to specify whether the [`ScmpFilterAttr::CtlLog`] attribute should /// be enabled /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// setting the attribute, or the libseccomp API level is less than 3, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.set_ctl_log(true)?; /// # Ok::<(), Box>(()) /// ``` pub fn set_ctl_log(&mut self, state: bool) -> Result<()> { ensure_supported_api("set_ctl_log", 3, ScmpVersion::from((2, 4, 0)))?; self.set_filter_attr(ScmpFilterAttr::CtlLog, state.into()) } /// Sets the state of the [`ScmpFilterAttr::CtlSsb`] attribute which will be applied on filter load. /// /// Settings this to on (`state` == `true`) disables Speculative Store Bypass mitigations for the filter. /// The [`ScmpFilterAttr::CtlSsb`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// Defaults to off (`state` == `false`). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `state` - A state flag to specify whether the [`ScmpFilterAttr::CtlSsb`] attribute should /// be enabled /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// setting the attribute, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0))).unwrap() { /// ctx.set_ctl_ssb(false)?; /// # } /// # Ok::<(), Box>(()) /// ``` pub fn set_ctl_ssb(&mut self, state: bool) -> Result<()> { ensure_supported_api("set_ctl_ssb", 4, ScmpVersion::from((2, 5, 0)))?; self.set_filter_attr(ScmpFilterAttr::CtlSsb, state.into()) } /// Sets the [`ScmpFilterAttr::CtlOptimize`] level which will be applied on filter load. /// /// By default the libseccomp generates a set of sequential "if" statements for each rule in the filter. /// [`set_syscall_priority()`](ScmpFilterContext::set_syscall_priority) can be used to prioritize the /// order for the default cause. The binary tree optimization sorts by syscall numbers and generates /// consistent O(log n) filter traversal for every rule in the filter. The binary tree may be advantageous /// for large filters. Note that [`set_syscall_priority()`](ScmpFilterContext::set_syscall_priority) is /// ignored when `level` == `2`. /// The [`ScmpFilterAttr::CtlOptimize`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// The different optimization levels are described below: /// * `0` - Reserved value, not currently used. /// * `1` - Rules sorted by priority and complexity (DEFAULT). /// * `2` - Binary tree sorted by syscall number. /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `level` - The optimization level of the filter /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// setting the attribute, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0)))? { /// ctx.set_ctl_optimize(2)?; /// # } /// # Ok::<(), Box>(()) /// ``` pub fn set_ctl_optimize(&mut self, level: u32) -> Result<()> { ensure_supported_api("set_ctl_optimize", 4, ScmpVersion::from((2, 5, 0)))?; self.set_filter_attr(ScmpFilterAttr::CtlOptimize, level) } /// Sets the state of the [`ScmpFilterAttr::ApiSysRawRc`] attribute which will be applied on filter load. /// /// Settings this to on (`state` == `true`) means that the libseccomp should pass system error codes /// back to the caller instead of the default -ECANCELED. /// The [`ScmpFilterAttr::ApiSysRawRc`] attribute is only usable when the libseccomp API level 4 or higher /// is supported. /// /// Defaults to off (`state` == `false`). /// /// This function corresponds to /// [`seccomp_attr_set`](https://man7.org/linux/man-pages/man3/seccomp_attr_set.3.html). /// /// # Arguments /// /// * `state` - A state flag to specify whether the [`ScmpFilterAttr::ApiSysRawRc`] attribute should /// be enabled /// /// # Errors /// /// If this function is called with an invalid filter, an issue is encountered /// setting the attribute, or the libseccomp API level is less than 4, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// # if check_api(4, ScmpVersion::from((2, 5, 0)))? { /// ctx.set_api_sysrawrc(true)?; /// # } /// # Ok::<(), Box>(()) /// ``` pub fn set_api_sysrawrc(&mut self, state: bool) -> Result<()> { ensure_supported_api("set_api_sysrawrc", 4, ScmpVersion::from((2, 5, 0)))?; self.set_filter_attr(ScmpFilterAttr::ApiSysRawRc, state.into()) } /// Outputs PFC(Pseudo Filter Code)-formatted, human-readable dump of a filter context's rules to a file. /// /// This function corresponds to /// [`seccomp_export_pfc`](https://man7.org/linux/man-pages/man3/seccomp_export_pfc.3.html). /// /// # Arguments /// /// * `fd` - A file descriptor to write to (must be open for writing) /// /// # Errors /// /// If this function is called with an invalid filter or writing to the file fails, /// an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// # use std::io::{stdout}; /// let ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.export_pfc(&mut stdout())?; /// # Ok::<(), Box>(()) /// ``` pub fn export_pfc(&self, fd: &mut T) -> Result<()> { cvt(unsafe { seccomp_export_pfc(self.ctx.as_ptr(), fd.as_raw_fd()) }) } /// Outputs BPF(Berkeley Packet Filter)-formatted, kernel-readable dump of a /// filter context's rules to a file. /// /// This function corresponds to /// [`seccomp_export_bpf`](https://man7.org/linux/man-pages/man3/seccomp_export_bpf.3.html). /// /// # Arguments /// /// * `fd` - A file descriptor to write to (must be open for writing) /// /// # Errors /// /// If this function is called with an invalid filter or writing to the file fails, /// an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// # use std::io::{stdout}; /// let ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.export_bpf(&mut stdout())?; /// # Ok::<(), Box>(()) /// ``` pub fn export_bpf(&self, fd: &mut T) -> Result<()> { cvt(unsafe { seccomp_export_bpf(self.ctx.as_ptr(), fd.as_raw_fd()) }) } /// Resets a filter context, removing all its existing state. /// /// This function corresponds to /// [`seccomp_reset`](https://man7.org/linux/man-pages/man3/seccomp_reset.3.html). /// /// # Arguments /// /// * `action` - A new default action to be taken for syscalls which do not match /// /// # Errors /// /// If this function is called with an invalid filter or an issue is encountered /// resetting the filter, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow)?; /// ctx.reset(ScmpAction::KillThread)?; /// # Ok::<(), Box>(()) /// ``` pub fn reset(&mut self, action: ScmpAction) -> Result<()> { cvt(unsafe { seccomp_reset(self.ctx.as_ptr(), action.to_sys()) }) } /// Gets a raw pointer of a seccomp filter. /// /// This function returns a raw pointer to the [`scmp_filter_ctx`]. /// The caller must ensure that the filter outlives the pointer this function returns, /// or else it will end up pointing to garbage. /// You may only modify the filter referenced by the pointer with functions intended /// for this (the once provided by [`libseccomp_sys`] crate). #[must_use] pub fn as_ptr(&self) -> scmp_filter_ctx { self.ctx.as_ptr() } } impl Drop for ScmpFilterContext { /// Releases a filter context, freeing its memory. /// /// After calling this function, the given filter is no longer valid and cannot be used. /// /// This function corresponds to /// [`seccomp_release`](https://man7.org/linux/man-pages/man3/seccomp_release.3.html). fn drop(&mut self) { unsafe { seccomp_release(self.ctx.as_ptr()) } } } #[cfg(test)] mod tests { use super::*; #[test] fn test_as_ptr() { let ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); assert_eq!(ctx.as_ptr(), ctx.ctx.as_ptr()); } } libseccomp-0.3.0/src/functions.rs000064400000000000000000000054430072674642500151470ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::cvt; use crate::error::Result; use crate::{ScmpArch, ScmpSyscall, ScmpVersion}; use libseccomp_sys::*; /// Resets the libseccomp library's global state. /// /// This function resets the (internal) global state of the libseccomp library, /// this includes any notification file descriptors retrieved by /// [`get_notify_fd`](crate::ScmpFilterContext::get_notify_fd). /// Normally you do not need this but it may be required to continue using /// the libseccomp library after a `fork()`/`clone()` to ensure the API level /// and user notification state is properly reset. /// /// This function corresponds to /// [`seccomp_reset`](https://man7.org/linux/man-pages/man3/seccomp_reset.3.html). /// /// # Errors /// /// If the linked libseccomp library is older than v2.5.1 this function will /// return an error. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// # if check_version(ScmpVersion::from((2, 5, 1)))? { /// reset_global_state()?; /// # } /// # Ok::<(), Box>(()) /// ``` pub fn reset_global_state() -> Result<()> { cvt(unsafe { seccomp_reset(std::ptr::null_mut(), 0) }) } /// Retrieves the name of a syscall from its number for a given architecture. /// /// This function returns a string containing the name of the syscall. /// /// # Arguments /// /// * `arch` - A valid architecture token /// * `syscall` - The number of syscall /// /// # Errors /// /// If the syscall is unrecognized or an issue occurs or an issue is /// encountered getting the name of the syscall, an error will be returned. #[deprecated(since = "0.2.3", note = "Use ScmpSyscall::get_name_by_arch instead.")] pub fn get_syscall_name_from_arch(arch: ScmpArch, syscall: i32) -> Result { ScmpSyscall::from_sys(syscall).get_name_by_arch(arch) } /// Gets the number of a syscall by name for a given architecture's ABI. /// /// This function returns the number of the syscall. /// /// # Arguments /// /// * `name` - The name of a syscall /// * `arch` - An architecture token as `Option` type /// If arch argument is `None`, the functions returns the number of a syscall /// on the kernel's native architecture. /// /// # Errors /// /// If an invalid string for the syscall name is specified or a syscall with that /// name is not found, an error will be returned. #[deprecated(since = "0.2.3", note = "Use ScmpSyscall::from_name* instead.")] pub fn get_syscall_from_name(name: &str, arch: Option) -> Result { Ok(ScmpSyscall::from_name_by_arch(name, arch.unwrap_or(ScmpArch::Native))?.to_sys()) } /// Deprecated alias for [`ScmpVersion::current()`]. #[deprecated(since = "0.2.0", note = "Use ScmpVersion::current().")] pub fn get_library_version() -> Result { ScmpVersion::current() } libseccomp-0.3.0/src/lib.rs000064400000000000000000000053220072674642500137010ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // //! Rust Language Bindings for the libseccomp Library //! //! The libseccomp library provides an easy to use, platform independent, interface to //! the Linux Kernel's syscall filtering mechanism. The libseccomp API is designed to //! abstract away the underlying BPF based syscall filter language and present a more //! conventional function-call based filtering interface that should be familiar to, and //! easily adopted by, application developers. //! //! The libseccomp crate is a high-level safe API for the libseccomp library. //! //! # Examples //! //! ```rust //! use libseccomp::*; //! //! fn main() -> Result<(), Box> { //! let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?; //! let syscall = ScmpSyscall::from_name("getuid")?; //! //! filter.add_arch(ScmpArch::X8664)?; //! filter.add_rule(ScmpAction::Errno(1), syscall)?; //! filter.load()?; //! //! Ok(()) //! } //! ``` //! ```rust //! use libseccomp::*; //! //! fn main() -> Result<(), Box> { //! let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?; //! let syscall = ScmpSyscall::from_name("dup3")?; //! let cmp = ScmpArgCompare::new(0, ScmpCompareOp::Equal, 1); //! //! filter.add_arch(ScmpArch::X8664)?; //! filter.add_rule_conditional(ScmpAction::Errno(libc::EPERM), syscall, &[cmp])?; //! filter.load()?; //! //! Ok(()) //! } //! ``` //! //! # Features //! //! - `const-syscall`: Allow creating of `ScmpSyscall` in a `const`-context. #![warn(rust_2018_idioms)] #![deny(missing_debug_implementations)] #![deny(missing_docs)] #![deny(unsafe_op_in_unsafe_fn)] #![warn(clippy::inefficient_to_string)] #![warn(clippy::string_to_string)] #![warn(clippy::semicolon_if_nothing_returned)] #![warn(clippy::clone_on_ref_ptr)] #![warn(clippy::unwrap_in_result)] #![cfg_attr(docsrs, feature(doc_cfg))] /// Errors pub mod error; mod action; mod api; mod arch; mod arg_compare; mod compare_op; mod filter_attr; mod filter_context; mod functions; #[cfg(any(libseccomp_v2_5, doc))] mod notify; mod syscall; mod version; use error::{Result, SeccompError}; pub use action::ScmpAction; pub use api::{check_api, get_api, set_api}; pub use arch::ScmpArch; pub use arg_compare::ScmpArgCompare; pub use compare_op::ScmpCompareOp; pub use filter_attr::ScmpFilterAttr; pub use filter_context::ScmpFilterContext; pub use functions::*; #[cfg(any(libseccomp_v2_5, doc))] pub use notify::*; pub use syscall::ScmpSyscall; pub use version::{check_version, ScmpVersion}; fn cvt(ret: i32) -> Result<()> { if ret == 0 { Ok(()) } else { Err(SeccompError::from_errno(ret)) } } libseccomp-0.3.0/src/notify.rs000064400000000000000000000313260072674642500144460ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use super::cvt; use crate::api::ensure_supported_api; use crate::error::{Result, SeccompError}; use crate::{ScmpArch, ScmpFilterContext, ScmpSyscall, ScmpVersion}; use bitflags::bitflags; use libseccomp_sys::*; use std::ops::BitOr; use std::os::unix::io::RawFd; fn get_errno() -> i32 { std::io::Error::last_os_error().raw_os_error().unwrap_or(0) } /// Checks the libseccomp API level and the libseccomp version for /// the userspace notification. /// /// This function succeeds if the libseccomp API level and the libseccomp /// version being used are equal to or greater than 6 and 2.5.0. /// /// # Errors /// /// If both the libseccomp API level and the libseccomp version being used are /// less than 6 and 2.5.0, an error will be returned. fn notify_supported() -> Result<()> { ensure_supported_api("seccomp notification", 6, ScmpVersion::from((2, 5, 0)))?; Ok(()) } /// Represents a file descriptor used for the userspace notification. pub type ScmpFd = RawFd; bitflags! { /// Userspace notification response flags pub struct ScmpNotifRespFlags: u32 { /// Tells the kernel to continue executing the system call that triggered the /// notification. Must only be used when the notification response's error and value is 0. const CONTINUE = SECCOMP_USER_NOTIF_FLAG_CONTINUE; } } impl ScmpNotifRespFlags { /// Convert from underlying bit representation, preserving all bits (even those not corresponding to a defined flag). // https://github.com/bitflags/bitflags/issues/263 #[must_use] pub fn from_bits_preserve(bits: u32) -> Self { Self { bits } } } /// Userspace notification response flag /// /// Tells the kernel to continue executing the system call that triggered the /// notification. Must only be used when the notification response's error is 0. #[deprecated( since = "0.3.0", note = "Use ScmpNotifRespFlags::CONTINUE or ScmpNotifRespFlags::CONTINUE.bits" )] pub const NOTIF_FLAG_CONTINUE: u32 = ScmpNotifRespFlags::CONTINUE.bits; impl ScmpFilterContext { /// Gets a file descriptor for the userspace notification associated with the /// given filter context. /// /// Such a file descriptor is only valid after the filter has been loaded /// and only when the filter uses the [`crate::ScmpAction::Notify`] action. /// The file descriptor can be used to retrieve and respond to notifications /// associated with the filter (see [`ScmpNotifReq::receive()`], /// [`ScmpNotifResp::respond()`], and [`notify_id_valid()`]). /// /// **Note**: This file descriptor is shared between all threads. /// /// This function returns a raw file descriptor for the userspace notification. /// /// This function corresponds to /// [`seccomp_notify_fd`](https://man7.org/linux/man-pages/man3/seccomp_notify_fd.3.html). /// /// # Errors /// /// If an issue is encountered getting the file descriptor, /// an error will be returned. pub fn get_notify_fd(&self) -> Result { notify_supported()?; let ret = unsafe { seccomp_notify_fd(self.as_ptr()) }; if ret < 0 { return Err(SeccompError::from_errno(ret)); } Ok(ret) } } /// Describes the system call context that triggered a notification. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub struct ScmpNotifData { /// The syscall number pub syscall: ScmpSyscall, /// The filter architecture pub arch: ScmpArch, /// Address of the instruction that triggered a notification pub instr_pointer: u64, /// Arguments (up to 6) for the syscall pub args: [u64; 6], } impl ScmpNotifData { fn from_sys(data: seccomp_data) -> Result { Ok(Self { syscall: ScmpSyscall::from(data.nr), arch: ScmpArch::from_sys(data.arch)?, instr_pointer: data.instruction_pointer, args: data.args, }) } } /// Represents a userspace notification request. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub struct ScmpNotifReq { /// Notification ID pub id: u64, /// Process that triggered the notification event pub pid: u32, /// Filter flags (see seccomp(2)) pub flags: u32, /// System call context that triggered the notification pub data: ScmpNotifData, } impl ScmpNotifReq { fn from_sys(req: seccomp_notif) -> Result { Ok(Self { id: req.id, pid: req.pid, flags: req.flags, data: ScmpNotifData::from_sys(req.data)?, }) } /// Retrieves a userspace notification from a filter whose /// [`crate::ScmpAction::Notify`] action has triggered. /// /// The caller is expected to process the notification and return a /// response via [`ScmpNotifResp::respond()`]. Each invocation of /// this function returns one notification. /// As multiple notifications may be pending at any time, this function is /// normally called within a polling loop. /// /// This function returns a userspace notification request. /// /// This function corresponds to /// [`seccomp_notify_receive`](https://man7.org/linux/man-pages/man3/seccomp_notify_receive.3.html). /// /// # Arguments /// /// * `fd` - A file descriptor for the userspace notification /// /// # Errors /// /// If an issue is encountered getting a notification request, /// an error will be returned. pub fn receive(fd: ScmpFd) -> Result { notify_supported()?; let mut req_ptr: *mut seccomp_notif = std::ptr::null_mut(); // We only use the request here; the response is unused. cvt(unsafe { seccomp_notify_alloc(&mut req_ptr, std::ptr::null_mut()) })?; loop { let ret = unsafe { seccomp_notify_receive(fd, req_ptr) }; let errno = get_errno(); if ret == 0 { break; } else if errno == libc::EINTR { continue; } else { unsafe { seccomp_notify_free(req_ptr, std::ptr::null_mut()) }; return Err(SeccompError::from_errno(ret)); } } // Copy notify request before freeing the memory. let req = seccomp_notif { id: unsafe { (*req_ptr).id }, pid: unsafe { (*req_ptr).pid }, flags: unsafe { (*req_ptr).flags }, data: unsafe { (*req_ptr).data }, }; unsafe { seccomp_notify_free(req_ptr, std::ptr::null_mut()) }; Self::from_sys(req) } } /// Represents a userspace notification response. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[non_exhaustive] pub struct ScmpNotifResp { /// Notification ID (must match the corresponding `ScmpNotifReq` ID) pub id: u64, /// Return value for the syscall that created the notification. /// Only relevant if the error is 0. pub val: i64, /// An error code. /// Must be 0 if no error occurred, or an error constant from package /// syscall (e.g., `libc::EPERM`, etc). In the latter case, it's used /// as an error return from the syscall that created the notification. pub error: i32, /// Userspace notification response flag pub flags: u32, } impl ScmpNotifResp { unsafe fn to_sys(self, resp: *mut seccomp_notif_resp) { unsafe { (*resp).id = self.id; (*resp).val = self.val; (*resp).error = self.error; (*resp).flags = self.flags; } } /// Creates `ScmpNotifResp` from the specified arguments. /// /// It is recommended to use the convenient functions [`new_val`](ScmpNotifResp::new_val), /// [`new_error`](ScmpNotifResp::new_error) and [`new_continue`](ScmpNotifResp::new_continue) /// rather than this function. /// /// # Arguments /// /// * `id` - Notification ID /// * `val` - Return value for the syscall that created the notification /// * `error` - An error code /// * `flags` - Userspace notification response flag #[must_use] pub fn new(id: u64, val: i64, error: i32, flags: u32) -> Self { Self { id, val, error, flags, } } /// Creates `ScmpNotifResp` for a spoofed success response. /// /// # Arguments /// /// * `id` - Notification ID /// * `val` - Return value for the syscall that created the notification /// * `flags` - Reserved for future use, specify as `ScmpNotifRespFlags::empty()`. /// /// # Examples /// /// ```ignore /// let resp = ScmpNotifResp::new_val(req.id, val, ScmpNotifRespFlags::empty()); /// ``` #[must_use] pub fn new_val(id: u64, val: i64, flags: ScmpNotifRespFlags) -> Self { Self { id, val, error: 0, flags: flags.bits, } } /// Creates `ScmpNotifResp` for a spoofed error response. /// /// # Arguments /// /// * `id` - Notification ID /// * `error` - An *negative* error code /// * `flags` - Reserved for future use, specify as `ScmpNotifRespFlags::empty()`. /// /// # Examples /// /// ```ignore /// let resp = ScmpNotifResp::new_error(req.id, error, ScmpNotifRespFlags::empty()); /// ``` #[must_use] pub fn new_error(id: u64, error: i32, flags: ScmpNotifRespFlags) -> Self { debug_assert!(error.is_negative()); Self { id, val: 0, error, flags: flags.bits, } } /// Creates `ScmpNotifResp` which continues the syscall execution. /// /// # Arguments /// /// * `id` - Notification ID /// * `flags` - Reserved for future use, specify as `ScmpNotifRespFlags::empty()`. /// /// # Examples /// /// ```ignore /// let resp = ScmpNotifResp::new_continue(req.id, ScmpNotifRespFlags::empty()); /// ``` #[must_use] pub fn new_continue(id: u64, flags: ScmpNotifRespFlags) -> Self { Self { id, val: 0, error: 0, flags: ScmpNotifRespFlags::CONTINUE.bitor(flags).bits, } } /// Responds to a userspace notification retrieved via [`ScmpNotifReq::receive()`]. /// /// The response ID must match that of the corresponding notification retrieved /// via [`ScmpNotifReq::receive()`]. /// /// This function corresponds to /// [`seccomp_notify_respond`](https://man7.org/linux/man-pages/man3/seccomp_notify_respond.3.html). /// /// # Arguments /// /// * `fd` - A file descriptor for the userspace notification /// /// # Errors /// /// If an issue is encountered responding a notification, /// an error will be returned. pub fn respond(&self, fd: ScmpFd) -> Result<()> { notify_supported()?; let mut resp_ptr: *mut seccomp_notif_resp = std::ptr::null_mut(); // We only use the response here; the request is unused. cvt(unsafe { seccomp_notify_alloc(std::ptr::null_mut(), &mut resp_ptr) })?; unsafe { self.to_sys(resp_ptr) }; loop { let ret = unsafe { seccomp_notify_respond(fd, resp_ptr) }; let errno = get_errno(); if ret == 0 { break; } else if errno == libc::EINTR { continue; } else { unsafe { seccomp_notify_free(std::ptr::null_mut(), resp_ptr) }; return Err(SeccompError::from_errno(ret)); } } unsafe { seccomp_notify_free(std::ptr::null_mut(), resp_ptr) }; Ok(()) } } /// Checks if a userspace notification is still valid. /// /// A return value of `Ok` means the notification is still valid. /// Otherwise the notification is not valid. This can be used to mitigate /// time-of-check-time-of-use (TOCTOU) attacks as described in [`seccomp_notify_id_valid(2)`]. /// /// [`seccomp_notify_id_valid(2)`]: https://man7.org/linux/man-pages/man3/seccomp_notify_id_valid.3.html /// /// This function corresponds to /// [`seccomp_notify_id_valid`](https://man7.org/linux/man-pages/man3/seccomp_notify_id_valid.3.html). /// /// # Arguments /// /// * `fd` - A file descriptor for the userspace notification /// * `id` - Notification ID /// /// # Errors /// /// If the notification ID is invalid, an error will be returned. pub fn notify_id_valid(fd: ScmpFd, id: u64) -> Result<()> { notify_supported()?; loop { let ret = unsafe { seccomp_notify_id_valid(fd, id) }; let errno = get_errno(); if ret == 0 { break; } else if errno == libc::EINTR { continue; } else { return Err(SeccompError::from_errno(ret)); } } Ok(()) } libseccomp-0.3.0/src/syscall/aarch64.rs000064400000000000000000000276040072674642500160440ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", -10026), ("_newselect", -10032), ("_sysctl", -10080), ("accept", 202), ("accept4", 242), ("access", -10147), ("acct", 89), ("add_key", 217), ("adjtimex", 171), ("afs_syscall", -10091), ("alarm", -10148), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", -10002), ("bind", 200), ("bpf", 280), ("break", -10003), ("breakpoint", -10182), ("brk", 214), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 90), ("capset", 91), ("chdir", 49), ("chmod", -10149), ("chown", -10150), ("chown32", -10004), ("chroot", 51), ("clock_adjtime", 266), ("clock_adjtime64", -10212), ("clock_getres", 114), ("clock_getres_time64", -10213), ("clock_gettime", 113), ("clock_gettime64", -10214), ("clock_nanosleep", 115), ("clock_nanosleep_time64", -10215), ("clock_settime", 112), ("clock_settime64", -10216), ("clone", 220), ("clone3", 435), ("close", 57), ("close_range", 436), ("connect", 203), ("copy_file_range", 285), ("creat", -10151), ("create_module", -10074), ("delete_module", 106), ("dup", 23), ("dup2", -10152), ("dup3", 24), ("epoll_create", -10153), ("epoll_create1", 20), ("epoll_ctl", 21), ("epoll_ctl_old", -10005), ("epoll_pwait", 22), ("epoll_pwait2", 441), ("epoll_wait", -10154), ("epoll_wait_old", -10006), ("eventfd", -10155), ("eventfd2", 19), ("execve", 221), ("execveat", 281), ("exit", 93), ("exit_group", 94), ("faccessat", 48), ("faccessat2", 439), ("fadvise64", 223), ("fadvise64_64", -10007), ("fallocate", 47), ("fanotify_init", 262), ("fanotify_mark", 263), ("fchdir", 50), ("fchmod", 52), ("fchmodat", 53), ("fchown", 55), ("fchown32", -10008), ("fchownat", 54), ("fcntl", 25), ("fcntl64", -10009), ("fdatasync", 83), ("fgetxattr", 10), ("finit_module", 273), ("flistxattr", 13), ("flock", 32), ("fork", -10156), ("fremovexattr", 16), ("fsconfig", 431), ("fsetxattr", 7), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 80), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 44), ("fstatfs64", -10012), ("fsync", 82), ("ftime", -10013), ("ftruncate", 46), ("ftruncate64", -10014), ("futex", 98), ("futex_time64", -10222), ("futimesat", -10157), ("get_kernel_syms", -10075), ("get_mempolicy", 236), ("get_robust_list", 100), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 168), ("getcwd", 17), ("getdents", -10158), ("getdents64", 61), ("getegid", 177), ("getegid32", -10015), ("geteuid", 175), ("geteuid32", -10016), ("getgid", 176), ("getgid32", -10017), ("getgroups", 158), ("getgroups32", -10018), ("getitimer", 102), ("getpeername", 205), ("getpgid", 155), ("getpgrp", -10159), ("getpid", 172), ("getpmsg", -10093), ("getppid", 173), ("getpriority", 141), ("getrandom", 278), ("getresgid", 150), ("getresgid32", -10019), ("getresuid", 148), ("getresuid32", -10020), ("getrlimit", 163), ("getrusage", 165), ("getsid", 156), ("getsockname", 204), ("getsockopt", 209), ("gettid", 178), ("gettimeofday", 169), ("getuid", 174), ("getuid32", -10021), ("getxattr", 8), ("gtty", -10022), ("idle", -10023), ("init_module", 105), ("inotify_add_watch", 27), ("inotify_init", -10160), ("inotify_init1", 26), ("inotify_rm_watch", 28), ("io_cancel", 3), ("io_destroy", 1), ("io_getevents", 4), ("io_pgetevents", 292), ("io_pgetevents_time64", -10223), ("io_setup", 0), ("io_submit", 2), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 29), ("ioperm", -10094), ("iopl", -10095), ("ioprio_get", 31), ("ioprio_set", 30), ("ipc", -10024), ("kcmp", 272), ("kexec_file_load", 294), ("kexec_load", 104), ("keyctl", 219), ("kill", 129), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", -10161), ("lchown32", -10025), ("lgetxattr", 9), ("link", -10162), ("linkat", 37), ("listen", 201), ("listxattr", 11), ("llistxattr", 12), ("lock", -10027), ("lookup_dcookie", 18), ("lremovexattr", 15), ("lseek", 62), ("lsetxattr", 6), ("lstat", -10163), ("lstat64", -10028), ("madvise", 233), ("mbind", 235), ("membarrier", 283), ("memfd_create", 279), ("memfd_secret", 447), ("migrate_pages", 238), ("mincore", 232), ("mkdir", -10164), ("mkdirat", 34), ("mknod", -10165), ("mknodat", 33), ("mlock", 228), ("mlock2", 284), ("mlockall", 230), ("mmap", 222), ("mmap2", -10029), ("modify_ldt", -10098), ("mount", 40), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 239), ("mprotect", 226), ("mpx", -10030), ("mq_getsetattr", 185), ("mq_notify", 184), ("mq_open", 180), ("mq_timedreceive", 183), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 182), ("mq_timedsend_time64", -10226), ("mq_unlink", 181), ("mremap", 216), ("msgctl", 187), ("msgget", 186), ("msgrcv", 188), ("msgsnd", 189), ("msync", 227), ("multiplexer", -10186), ("munlock", 229), ("munlockall", 231), ("munmap", 215), ("name_to_handle_at", 264), ("nanosleep", 101), ("newfstatat", 79), ("nfsservctl", 42), ("nice", -10033), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", -10166), ("open_by_handle_at", 265), ("open_tree", 428), ("openat", 56), ("openat2", 437), ("pause", -10167), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 241), ("personality", 92), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", -10168), ("pipe2", 59), ("pivot_root", 41), ("pkey_alloc", 289), ("pkey_free", 290), ("pkey_mprotect", 288), ("poll", -10169), ("ppoll", 73), ("ppoll_time64", -10230), ("prctl", 167), ("pread64", 67), ("preadv", 69), ("preadv2", 286), ("prlimit64", 261), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 270), ("process_vm_writev", 271), ("prof", -10039), ("profil", -10040), ("pselect6", 72), ("pselect6_time64", -10231), ("ptrace", 117), ("putpmsg", -10099), ("pwrite64", 68), ("pwritev", 70), ("pwritev2", 287), ("query_module", -10078), ("quotactl", 60), ("quotactl_fd", 443), ("read", 63), ("readahead", 213), ("readdir", -10041), ("readlink", -10170), ("readlinkat", 78), ("readv", 65), ("reboot", 142), ("recv", -110), ("recvfrom", 207), ("recvmmsg", 243), ("recvmmsg_time64", -10232), ("recvmsg", 212), ("remap_file_pages", 234), ("removexattr", 14), ("rename", -10171), ("renameat", 38), ("renameat2", 276), ("request_key", 218), ("restart_syscall", 128), ("riscv_flush_icache", -10243), ("rmdir", -10172), ("rseq", 293), ("rt_sigaction", 134), ("rt_sigpending", 136), ("rt_sigprocmask", 135), ("rt_sigqueueinfo", 138), ("rt_sigreturn", 139), ("rt_sigsuspend", 133), ("rt_sigtimedwait", 137), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 240), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 125), ("sched_get_priority_min", 126), ("sched_getaffinity", 123), ("sched_getattr", 275), ("sched_getparam", 121), ("sched_getscheduler", 120), ("sched_rr_get_interval", 127), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 122), ("sched_setattr", 274), ("sched_setparam", 118), ("sched_setscheduler", 119), ("sched_yield", 124), ("seccomp", 277), ("security", -10042), ("select", -10101), ("semctl", 191), ("semget", 190), ("semop", 193), ("semtimedop", 192), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 71), ("sendfile64", -10043), ("sendmmsg", 269), ("sendmsg", 211), ("sendto", 206), ("set_mempolicy", 237), ("set_robust_list", 99), ("set_thread_area", -10079), ("set_tid_address", 96), ("set_tls", -10183), ("setdomainname", 162), ("setfsgid", 152), ("setfsgid32", -10044), ("setfsuid", 151), ("setfsuid32", -10045), ("setgid", 144), ("setgid32", -10046), ("setgroups", 159), ("setgroups32", -10047), ("sethostname", 161), ("setitimer", 103), ("setns", 268), ("setpgid", 154), ("setpriority", 140), ("setregid", 143), ("setregid32", -10048), ("setresgid", 149), ("setresgid32", -10049), ("setresuid", 147), ("setresuid32", -10050), ("setreuid", 145), ("setreuid32", -10051), ("setrlimit", 164), ("setsid", 157), ("setsockopt", 208), ("settimeofday", 170), ("setuid", 146), ("setuid32", -10052), ("setxattr", 5), ("sgetmask", -10053), ("shmat", 196), ("shmctl", 195), ("shmdt", 197), ("shmget", 194), ("shutdown", 210), ("sigaction", -10054), ("sigaltstack", 132), ("signal", -10055), ("signalfd", -10173), ("signalfd4", 74), ("sigpending", -10056), ("sigprocmask", -10057), ("sigreturn", -10058), ("sigsuspend", -10059), ("socket", 198), ("socketcall", -10060), ("socketpair", 199), ("splice", 76), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", -10174), ("stat64", -10062), ("statfs", 43), ("statfs64", -10063), ("statx", 291), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 225), ("swapon", 224), ("switch_endian", -10191), ("symlink", -10175), ("symlinkat", 36), ("sync", 81), ("sync_file_range", 84), ("sync_file_range2", -10089), ("syncfs", 267), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", -10145), ("sysinfo", 179), ("syslog", 116), ("sysmips", -10106), ("tee", 77), ("tgkill", 131), ("time", -10108), ("timer_create", 107), ("timer_delete", 111), ("timer_getoverrun", 109), ("timer_gettime", 108), ("timer_gettime64", -10236), ("timer_settime", 110), ("timer_settime64", -10237), ("timerfd", -10107), ("timerfd_create", 85), ("timerfd_gettime", 87), ("timerfd_gettime64", -10238), ("timerfd_settime", 86), ("timerfd_settime64", -10239), ("times", 153), ("tkill", 130), ("truncate", 45), ("truncate64", -10066), ("tuxcall", -10067), ("ugetrlimit", -10068), ("ulimit", -10069), ("umask", 166), ("umount", -10070), ("umount2", 39), ("uname", 160), ("unlink", -10176), ("unlinkat", 35), ("unshare", 97), ("uselib", -10081), ("userfaultfd", 282), ("usr26", -10184), ("usr32", -10185), ("ustat", -10177), ("utime", -10178), ("utimensat", 88), ("utimensat_time64", -10240), ("utimes", -10179), ("vfork", -10102), ("vhangup", 58), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 75), ("vserver", -10082), ("wait4", 260), ("waitid", 95), ("waitpid", -10073), ("write", 64), ("writev", 66), ]; libseccomp-0.3.0/src/syscall/arm.rs000064400000000000000000000272000072674642500153630ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", 140), ("_newselect", 142), ("_sysctl", 149), ("accept", 285), ("accept4", 366), ("access", 33), ("acct", 51), ("add_key", 309), ("adjtimex", 124), ("afs_syscall", -10091), ("alarm", -10148), ("arch_prctl", -10001), ("arm_fadvise64_64", 270), ("arm_sync_file_range", 341), ("bdflush", 134), ("bind", 282), ("bpf", 386), ("break", -10003), ("breakpoint", 983041), ("brk", 45), ("cachectl", -10103), ("cacheflush", 983042), ("capget", 184), ("capset", 185), ("chdir", 12), ("chmod", 15), ("chown", 182), ("chown32", 212), ("chroot", 61), ("clock_adjtime", 372), ("clock_adjtime64", 405), ("clock_getres", 264), ("clock_getres_time64", 406), ("clock_gettime", 263), ("clock_gettime64", 403), ("clock_nanosleep", 265), ("clock_nanosleep_time64", 407), ("clock_settime", 262), ("clock_settime64", 404), ("clone", 120), ("clone3", 435), ("close", 6), ("close_range", 436), ("connect", 283), ("copy_file_range", 391), ("creat", 8), ("create_module", -10074), ("delete_module", 129), ("dup", 41), ("dup2", 63), ("dup3", 358), ("epoll_create", 250), ("epoll_create1", 357), ("epoll_ctl", 251), ("epoll_ctl_old", -10005), ("epoll_pwait", 346), ("epoll_pwait2", 441), ("epoll_wait", 252), ("epoll_wait_old", -10006), ("eventfd", 351), ("eventfd2", 356), ("execve", 11), ("execveat", 387), ("exit", 1), ("exit_group", 248), ("faccessat", 334), ("faccessat2", 439), ("fadvise64", -10092), ("fadvise64_64", -10007), ("fallocate", 352), ("fanotify_init", 367), ("fanotify_mark", 368), ("fchdir", 133), ("fchmod", 94), ("fchmodat", 333), ("fchown", 95), ("fchown32", 207), ("fchownat", 325), ("fcntl", 55), ("fcntl64", 221), ("fdatasync", 148), ("fgetxattr", 231), ("finit_module", 379), ("flistxattr", 234), ("flock", 143), ("fork", 2), ("fremovexattr", 237), ("fsconfig", 431), ("fsetxattr", 228), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 108), ("fstat64", 197), ("fstatat64", 327), ("fstatfs", 100), ("fstatfs64", 267), ("fsync", 118), ("ftime", -10013), ("ftruncate", 93), ("ftruncate64", 194), ("futex", 240), ("futex_time64", 422), ("futimesat", 326), ("get_kernel_syms", -10075), ("get_mempolicy", 320), ("get_robust_list", 339), ("get_thread_area", -10076), ("get_tls", 983046), ("getcpu", 345), ("getcwd", 183), ("getdents", 141), ("getdents64", 217), ("getegid", 50), ("getegid32", 202), ("geteuid", 49), ("geteuid32", 201), ("getgid", 47), ("getgid32", 200), ("getgroups", 80), ("getgroups32", 205), ("getitimer", 105), ("getpeername", 287), ("getpgid", 132), ("getpgrp", 65), ("getpid", 20), ("getpmsg", -10093), ("getppid", 64), ("getpriority", 96), ("getrandom", 384), ("getresgid", 171), ("getresgid32", 211), ("getresuid", 165), ("getresuid32", 209), ("getrlimit", -10180), ("getrusage", 77), ("getsid", 147), ("getsockname", 286), ("getsockopt", 295), ("gettid", 224), ("gettimeofday", 78), ("getuid", 24), ("getuid32", 199), ("getxattr", 229), ("gtty", -10022), ("idle", -10023), ("init_module", 128), ("inotify_add_watch", 317), ("inotify_init", 316), ("inotify_init1", 360), ("inotify_rm_watch", 318), ("io_cancel", 247), ("io_destroy", 244), ("io_getevents", 245), ("io_pgetevents", 399), ("io_pgetevents_time64", 416), ("io_setup", 243), ("io_submit", 246), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 54), ("ioperm", -10094), ("iopl", -10095), ("ioprio_get", 315), ("ioprio_set", 314), ("ipc", -10024), ("kcmp", 378), ("kexec_file_load", 401), ("kexec_load", 347), ("keyctl", 311), ("kill", 37), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 16), ("lchown32", 198), ("lgetxattr", 230), ("link", 9), ("linkat", 330), ("listen", 284), ("listxattr", 232), ("llistxattr", 233), ("lock", -10027), ("lookup_dcookie", 249), ("lremovexattr", 236), ("lseek", 19), ("lsetxattr", 227), ("lstat", 107), ("lstat64", 196), ("madvise", 220), ("mbind", 319), ("membarrier", 389), ("memfd_create", 385), ("memfd_secret", -10244), ("migrate_pages", 400), ("mincore", 219), ("mkdir", 39), ("mkdirat", 323), ("mknod", 14), ("mknodat", 324), ("mlock", 150), ("mlock2", 390), ("mlockall", 152), ("mmap", -10181), ("mmap2", 192), ("modify_ldt", -10098), ("mount", 21), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 344), ("mprotect", 125), ("mpx", -10030), ("mq_getsetattr", 279), ("mq_notify", 278), ("mq_open", 274), ("mq_timedreceive", 277), ("mq_timedreceive_time64", 419), ("mq_timedsend", 276), ("mq_timedsend_time64", 418), ("mq_unlink", 275), ("mremap", 163), ("msgctl", 304), ("msgget", 303), ("msgrcv", 302), ("msgsnd", 301), ("msync", 144), ("multiplexer", -10186), ("munlock", 151), ("munlockall", 153), ("munmap", 91), ("name_to_handle_at", 370), ("nanosleep", 162), ("newfstatat", -10031), ("nfsservctl", 169), ("nice", 34), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", 5), ("open_by_handle_at", 371), ("open_tree", 428), ("openat", 322), ("openat2", 437), ("pause", 29), ("pciconfig_iobase", 271), ("pciconfig_read", 272), ("pciconfig_write", 273), ("perf_event_open", 364), ("personality", 136), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 42), ("pipe2", 359), ("pivot_root", 218), ("pkey_alloc", 395), ("pkey_free", 396), ("pkey_mprotect", 394), ("poll", 168), ("ppoll", 336), ("ppoll_time64", 414), ("prctl", 172), ("pread64", 180), ("preadv", 361), ("preadv2", 392), ("prlimit64", 369), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 376), ("process_vm_writev", 377), ("prof", -10039), ("profil", -10040), ("pselect6", 335), ("pselect6_time64", 413), ("ptrace", 26), ("putpmsg", -10099), ("pwrite64", 181), ("pwritev", 362), ("pwritev2", 393), ("query_module", -10078), ("quotactl", 131), ("quotactl_fd", 443), ("read", 3), ("readahead", 225), ("readdir", -10041), ("readlink", 85), ("readlinkat", 332), ("readv", 145), ("reboot", 88), ("recv", 291), ("recvfrom", 292), ("recvmmsg", 365), ("recvmmsg_time64", 417), ("recvmsg", 297), ("remap_file_pages", 253), ("removexattr", 235), ("rename", 38), ("renameat", 329), ("renameat2", 382), ("request_key", 310), ("restart_syscall", 0), ("riscv_flush_icache", -10243), ("rmdir", 40), ("rseq", 398), ("rt_sigaction", 174), ("rt_sigpending", 176), ("rt_sigprocmask", 175), ("rt_sigqueueinfo", 178), ("rt_sigreturn", 173), ("rt_sigsuspend", 179), ("rt_sigtimedwait", 177), ("rt_sigtimedwait_time64", 421), ("rt_tgsigqueueinfo", 363), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 159), ("sched_get_priority_min", 160), ("sched_getaffinity", 242), ("sched_getattr", 381), ("sched_getparam", 155), ("sched_getscheduler", 157), ("sched_rr_get_interval", 161), ("sched_rr_get_interval_time64", 423), ("sched_setaffinity", 241), ("sched_setattr", 380), ("sched_setparam", 154), ("sched_setscheduler", 156), ("sched_yield", 158), ("seccomp", 383), ("security", -10042), ("select", -10101), ("semctl", 300), ("semget", 299), ("semop", 298), ("semtimedop", 312), ("semtimedop_time64", 420), ("send", 289), ("sendfile", 187), ("sendfile64", 239), ("sendmmsg", 374), ("sendmsg", 296), ("sendto", 290), ("set_mempolicy", 321), ("set_robust_list", 338), ("set_thread_area", -10079), ("set_tid_address", 256), ("set_tls", 983045), ("setdomainname", 121), ("setfsgid", 139), ("setfsgid32", 216), ("setfsuid", 138), ("setfsuid32", 215), ("setgid", 46), ("setgid32", 214), ("setgroups", 81), ("setgroups32", 206), ("sethostname", 74), ("setitimer", 104), ("setns", 375), ("setpgid", 57), ("setpriority", 97), ("setregid", 71), ("setregid32", 204), ("setresgid", 170), ("setresgid32", 210), ("setresuid", 164), ("setresuid32", 208), ("setreuid", 70), ("setreuid32", 203), ("setrlimit", 75), ("setsid", 66), ("setsockopt", 294), ("settimeofday", 79), ("setuid", 23), ("setuid32", 213), ("setxattr", 226), ("sgetmask", -10053), ("shmat", 305), ("shmctl", 308), ("shmdt", 306), ("shmget", 307), ("shutdown", 293), ("sigaction", 67), ("sigaltstack", 186), ("signal", -10055), ("signalfd", 349), ("signalfd4", 355), ("sigpending", 73), ("sigprocmask", 126), ("sigreturn", 119), ("sigsuspend", 72), ("socket", 281), ("socketcall", -10060), ("socketpair", 288), ("splice", 340), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", 106), ("stat64", 195), ("statfs", 99), ("statfs64", 266), ("statx", 397), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 115), ("swapon", 87), ("switch_endian", -10191), ("symlink", 83), ("symlinkat", 331), ("sync", 36), ("sync_file_range", -10100), ("sync_file_range2", -10089), ("syncfs", 373), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", 135), ("sysinfo", 116), ("syslog", 103), ("sysmips", -10106), ("tee", 342), ("tgkill", 268), ("time", -10108), ("timer_create", 257), ("timer_delete", 261), ("timer_getoverrun", 260), ("timer_gettime", 259), ("timer_gettime64", 408), ("timer_settime", 258), ("timer_settime64", 409), ("timerfd", -10107), ("timerfd_create", 350), ("timerfd_gettime", 354), ("timerfd_gettime64", 410), ("timerfd_settime", 353), ("timerfd_settime64", 411), ("times", 43), ("tkill", 238), ("truncate", 92), ("truncate64", 193), ("tuxcall", -10067), ("ugetrlimit", 191), ("ulimit", -10069), ("umask", 60), ("umount", -10070), ("umount2", 52), ("uname", 122), ("unlink", 10), ("unlinkat", 328), ("unshare", 337), ("uselib", 86), ("userfaultfd", 388), ("usr26", 983043), ("usr32", 983044), ("ustat", 62), ("utime", -10178), ("utimensat", 348), ("utimensat_time64", 412), ("utimes", 269), ("vfork", 190), ("vhangup", 111), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 343), ("vserver", 313), ("wait4", 114), ("waitid", 280), ("waitpid", -10073), ("write", 4), ("writev", 146), ]; libseccomp-0.3.0/src/syscall/mips.rs000064400000000000000000000301060072674642500155530ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", 4140), ("_newselect", 4142), ("_sysctl", 4153), ("accept", -105), ("accept4", -118), ("access", 4033), ("acct", 4051), ("add_key", 4280), ("adjtimex", 4124), ("afs_syscall", 4137), ("alarm", 4027), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", 4134), ("bind", -102), ("bpf", 4355), ("break", 4017), ("breakpoint", -10182), ("brk", 4045), ("cachectl", 4148), ("cacheflush", 4147), ("capget", 4204), ("capset", 4205), ("chdir", 4012), ("chmod", 4015), ("chown", 4202), ("chown32", -10004), ("chroot", 4061), ("clock_adjtime", 4341), ("clock_adjtime64", 4405), ("clock_getres", 4264), ("clock_getres_time64", 4406), ("clock_gettime", 4263), ("clock_gettime64", 4403), ("clock_nanosleep", 4265), ("clock_nanosleep_time64", 4407), ("clock_settime", 4262), ("clock_settime64", 4404), ("clone", 4120), ("clone3", 4435), ("close", 4006), ("close_range", 4436), ("connect", -103), ("copy_file_range", 4360), ("creat", 4008), ("create_module", 4127), ("delete_module", 4129), ("dup", 4041), ("dup2", 4063), ("dup3", 4327), ("epoll_create", 4248), ("epoll_create1", 4326), ("epoll_ctl", 4249), ("epoll_ctl_old", -10005), ("epoll_pwait", 4313), ("epoll_pwait2", 4441), ("epoll_wait", 4250), ("epoll_wait_old", -10006), ("eventfd", 4319), ("eventfd2", 4325), ("execve", 4011), ("execveat", 4356), ("exit", 4001), ("exit_group", 4246), ("faccessat", 4300), ("faccessat2", 4439), ("fadvise64", 4254), ("fadvise64_64", -10007), ("fallocate", 4320), ("fanotify_init", 4336), ("fanotify_mark", 4337), ("fchdir", 4133), ("fchmod", 4094), ("fchmodat", 4299), ("fchown", 4095), ("fchown32", -10008), ("fchownat", 4291), ("fcntl", 4055), ("fcntl64", 4220), ("fdatasync", 4152), ("fgetxattr", 4229), ("finit_module", 4348), ("flistxattr", 4232), ("flock", 4143), ("fork", 4002), ("fremovexattr", 4235), ("fsconfig", 4431), ("fsetxattr", 4226), ("fsmount", 4432), ("fsopen", 4430), ("fspick", 4433), ("fstat", 4108), ("fstat64", 4215), ("fstatat64", 4293), ("fstatfs", 4100), ("fstatfs64", 4256), ("fsync", 4118), ("ftime", 4035), ("ftruncate", 4093), ("ftruncate64", 4212), ("futex", 4238), ("futex_time64", 4422), ("futimesat", 4292), ("get_kernel_syms", 4130), ("get_mempolicy", 4269), ("get_robust_list", 4310), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 4312), ("getcwd", 4203), ("getdents", 4141), ("getdents64", 4219), ("getegid", 4050), ("getegid32", -10015), ("geteuid", 4049), ("geteuid32", -10016), ("getgid", 4047), ("getgid32", -10017), ("getgroups", 4080), ("getgroups32", -10018), ("getitimer", 4105), ("getpeername", -107), ("getpgid", 4132), ("getpgrp", 4065), ("getpid", 4020), ("getpmsg", 4208), ("getppid", 4064), ("getpriority", 4096), ("getrandom", 4353), ("getresgid", 4191), ("getresgid32", -10019), ("getresuid", 4186), ("getresuid32", -10020), ("getrlimit", 4076), ("getrusage", 4077), ("getsid", 4151), ("getsockname", -106), ("getsockopt", -115), ("gettid", 4222), ("gettimeofday", 4078), ("getuid", 4024), ("getuid32", -10021), ("getxattr", 4227), ("gtty", 4032), ("idle", 4112), ("init_module", 4128), ("inotify_add_watch", 4285), ("inotify_init", 4284), ("inotify_init1", 4329), ("inotify_rm_watch", 4286), ("io_cancel", 4245), ("io_destroy", 4242), ("io_getevents", 4243), ("io_pgetevents", 4368), ("io_pgetevents_time64", 4416), ("io_setup", 4241), ("io_submit", 4244), ("io_uring_enter", 4426), ("io_uring_register", 4427), ("io_uring_setup", 4425), ("ioctl", 4054), ("ioperm", 4101), ("iopl", 4110), ("ioprio_get", 4315), ("ioprio_set", 4314), ("ipc", 4117), ("kcmp", 4347), ("kexec_file_load", -10111), ("kexec_load", 4311), ("keyctl", 4282), ("kill", 4037), ("landlock_add_rule", 4445), ("landlock_create_ruleset", 4444), ("landlock_restrict_self", 4446), ("lchown", 4016), ("lchown32", -10025), ("lgetxattr", 4228), ("link", 4009), ("linkat", 4296), ("listen", -104), ("listxattr", 4230), ("llistxattr", 4231), ("lock", 4053), ("lookup_dcookie", 4247), ("lremovexattr", 4234), ("lseek", 4019), ("lsetxattr", 4225), ("lstat", 4107), ("lstat64", 4214), ("madvise", 4218), ("mbind", 4268), ("membarrier", 4358), ("memfd_create", 4354), ("memfd_secret", -10244), ("migrate_pages", 4287), ("mincore", 4217), ("mkdir", 4039), ("mkdirat", 4289), ("mknod", 4014), ("mknodat", 4290), ("mlock", 4154), ("mlock2", 4359), ("mlockall", 4156), ("mmap", 4090), ("mmap2", 4210), ("modify_ldt", 4123), ("mount", 4021), ("mount_setattr", 4442), ("move_mount", 4429), ("move_pages", 4308), ("mprotect", 4125), ("mpx", 4056), ("mq_getsetattr", 4276), ("mq_notify", 4275), ("mq_open", 4271), ("mq_timedreceive", 4274), ("mq_timedreceive_time64", 4419), ("mq_timedsend", 4273), ("mq_timedsend_time64", 4418), ("mq_unlink", 4272), ("mremap", 4167), ("msgctl", -214), ("msgget", -213), ("msgrcv", -212), ("msgsnd", -211), ("msync", 4144), ("multiplexer", -10186), ("munlock", 4155), ("munlockall", 4157), ("munmap", 4091), ("name_to_handle_at", 4339), ("nanosleep", 4166), ("newfstatat", -10031), ("nfsservctl", 4189), ("nice", 4034), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", 4005), ("open_by_handle_at", 4340), ("open_tree", 4428), ("openat", 4288), ("openat2", 4437), ("pause", 4029), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 4333), ("personality", 4136), ("pidfd_getfd", 4438), ("pidfd_open", 4434), ("pidfd_send_signal", 4424), ("pipe", 4042), ("pipe2", 4328), ("pivot_root", 4216), ("pkey_alloc", 4364), ("pkey_free", 4365), ("pkey_mprotect", 4363), ("poll", 4188), ("ppoll", 4302), ("ppoll_time64", 4414), ("prctl", 4192), ("pread64", 4200), ("preadv", 4330), ("preadv2", 4361), ("prlimit64", 4338), ("process_madvise", 4440), ("process_mrelease", 4448), ("process_vm_readv", 4345), ("process_vm_writev", 4346), ("prof", 4044), ("profil", 4098), ("pselect6", 4301), ("pselect6_time64", 4413), ("ptrace", 4026), ("putpmsg", 4209), ("pwrite64", 4201), ("pwritev", 4331), ("pwritev2", 4362), ("query_module", 4187), ("quotactl", 4131), ("quotactl_fd", 4443), ("read", 4003), ("readahead", 4223), ("readdir", 4089), ("readlink", 4085), ("readlinkat", 4298), ("readv", 4145), ("reboot", 4088), ("recv", -110), ("recvfrom", -112), ("recvmmsg", -119), ("recvmmsg_time64", 4417), ("recvmsg", -117), ("remap_file_pages", 4251), ("removexattr", 4233), ("rename", 4038), ("renameat", 4295), ("renameat2", 4351), ("request_key", 4281), ("restart_syscall", 4253), ("riscv_flush_icache", -10243), ("rmdir", 4040), ("rseq", 4367), ("rt_sigaction", 4194), ("rt_sigpending", 4196), ("rt_sigprocmask", 4195), ("rt_sigqueueinfo", 4198), ("rt_sigreturn", 4193), ("rt_sigsuspend", 4199), ("rt_sigtimedwait", 4197), ("rt_sigtimedwait_time64", 4421), ("rt_tgsigqueueinfo", 4332), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 4163), ("sched_get_priority_min", 4164), ("sched_getaffinity", 4240), ("sched_getattr", 4350), ("sched_getparam", 4159), ("sched_getscheduler", 4161), ("sched_rr_get_interval", 4165), ("sched_rr_get_interval_time64", 4423), ("sched_setaffinity", 4239), ("sched_setattr", 4349), ("sched_setparam", 4158), ("sched_setscheduler", 4160), ("sched_yield", 4162), ("seccomp", 4352), ("security", -10042), ("select", -10101), ("semctl", -203), ("semget", -202), ("semop", -201), ("semtimedop", -204), ("semtimedop_time64", 4420), ("send", -109), ("sendfile", 4207), ("sendfile64", 4237), ("sendmmsg", -120), ("sendmsg", -116), ("sendto", -111), ("set_mempolicy", 4270), ("set_robust_list", 4309), ("set_thread_area", 4283), ("set_tid_address", 4252), ("set_tls", -10183), ("setdomainname", 4121), ("setfsgid", 4139), ("setfsgid32", -10044), ("setfsuid", 4138), ("setfsuid32", -10045), ("setgid", 4046), ("setgid32", -10046), ("setgroups", 4081), ("setgroups32", -10047), ("sethostname", 4074), ("setitimer", 4104), ("setns", 4344), ("setpgid", 4057), ("setpriority", 4097), ("setregid", 4071), ("setregid32", -10048), ("setresgid", 4190), ("setresgid32", -10049), ("setresuid", 4185), ("setresuid32", -10050), ("setreuid", 4070), ("setreuid32", -10051), ("setrlimit", 4075), ("setsid", 4066), ("setsockopt", -114), ("settimeofday", 4079), ("setuid", 4023), ("setuid32", -10052), ("setxattr", 4224), ("sgetmask", 4068), ("shmat", -221), ("shmctl", -224), ("shmdt", -222), ("shmget", -223), ("shutdown", -113), ("sigaction", 4067), ("sigaltstack", 4206), ("signal", 4048), ("signalfd", 4317), ("signalfd4", 4324), ("sigpending", 4073), ("sigprocmask", 4126), ("sigreturn", 4119), ("sigsuspend", 4072), ("socket", -101), ("socketcall", 4102), ("socketpair", -108), ("splice", 4304), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", 4069), ("stat", 4106), ("stat64", 4213), ("statfs", 4099), ("statfs64", 4255), ("statx", 4366), ("stime", 4025), ("stty", 4031), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 4115), ("swapon", 4087), ("switch_endian", -10191), ("symlink", 4083), ("symlinkat", 4297), ("sync", 4036), ("sync_file_range", 4305), ("sync_file_range2", -10089), ("syncfs", 4342), ("sys_debug_setcontext", -10191), ("syscall", 4000), ("sysfs", 4135), ("sysinfo", 4116), ("syslog", 4103), ("sysmips", 4149), ("tee", 4306), ("tgkill", 4266), ("time", 4013), ("timer_create", 4257), ("timer_delete", 4261), ("timer_getoverrun", 4260), ("timer_gettime", 4259), ("timer_gettime64", 4408), ("timer_settime", 4258), ("timer_settime64", 4409), ("timerfd", 4318), ("timerfd_create", 4321), ("timerfd_gettime", 4322), ("timerfd_gettime64", 4410), ("timerfd_settime", 4323), ("timerfd_settime64", 4411), ("times", 4043), ("tkill", 4236), ("truncate", 4092), ("truncate64", 4211), ("tuxcall", -10067), ("ugetrlimit", -10068), ("ulimit", 4058), ("umask", 4060), ("umount", 4022), ("umount2", 4052), ("uname", 4122), ("unlink", 4010), ("unlinkat", 4294), ("unshare", 4303), ("uselib", 4086), ("userfaultfd", 4357), ("usr26", -10184), ("usr32", -10185), ("ustat", 4062), ("utime", 4030), ("utimensat", 4316), ("utimensat_time64", 4412), ("utimes", 4267), ("vfork", -10102), ("vhangup", 4111), ("vm86", 4113), ("vm86old", -10072), ("vmsplice", 4307), ("vserver", 4277), ("wait4", 4114), ("waitid", 4278), ("waitpid", 4007), ("write", 4004), ("writev", 4146), ]; libseccomp-0.3.0/src/syscall/mips64.rs000064400000000000000000000303060072674642500157270ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", -10026), ("_newselect", 5022), ("_sysctl", 5152), ("accept", 5042), ("accept4", 5293), ("access", 5020), ("acct", 5158), ("add_key", 5239), ("adjtimex", 5154), ("afs_syscall", 5176), ("alarm", 5037), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", -10002), ("bind", 5048), ("bpf", 5315), ("break", -10003), ("breakpoint", -10182), ("brk", 5012), ("cachectl", 5198), ("cacheflush", 5197), ("capget", 5123), ("capset", 5124), ("chdir", 5078), ("chmod", 5088), ("chown", 5090), ("chown32", -10004), ("chroot", 5156), ("clock_adjtime", 5300), ("clock_adjtime64", -10212), ("clock_getres", 5223), ("clock_getres_time64", -10213), ("clock_gettime", 5222), ("clock_gettime64", -10214), ("clock_nanosleep", 5224), ("clock_nanosleep_time64", -10215), ("clock_settime", 5221), ("clock_settime64", -10216), ("clone", 5055), ("clone3", 5435), ("close", 5003), ("close_range", 5436), ("connect", 5041), ("copy_file_range", 5320), ("creat", 5083), ("create_module", 5167), ("delete_module", 5169), ("dup", 5031), ("dup2", 5032), ("dup3", 5286), ("epoll_create", 5207), ("epoll_create1", 5285), ("epoll_ctl", 5208), ("epoll_ctl_old", -10005), ("epoll_pwait", 5272), ("epoll_pwait2", 5441), ("epoll_wait", 5209), ("epoll_wait_old", -10006), ("eventfd", 5278), ("eventfd2", 5284), ("execve", 5057), ("execveat", 5316), ("exit", 5058), ("exit_group", 5205), ("faccessat", 5259), ("faccessat2", 5439), ("fadvise64", 5215), ("fadvise64_64", -10007), ("fallocate", 5279), ("fanotify_init", 5295), ("fanotify_mark", 5296), ("fchdir", 5079), ("fchmod", 5089), ("fchmodat", 5258), ("fchown", 5091), ("fchown32", -10008), ("fchownat", 5250), ("fcntl", 5070), ("fcntl64", -10009), ("fdatasync", 5073), ("fgetxattr", 5185), ("finit_module", 5307), ("flistxattr", 5188), ("flock", 5071), ("fork", 5056), ("fremovexattr", 5191), ("fsconfig", 5431), ("fsetxattr", 5182), ("fsmount", 5432), ("fsopen", 5430), ("fspick", 5433), ("fstat", 5005), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 5135), ("fstatfs64", -10012), ("fsync", 5072), ("ftime", -10013), ("ftruncate", 5075), ("ftruncate64", -10014), ("futex", 5194), ("futex_time64", -10222), ("futimesat", 5251), ("get_kernel_syms", 5170), ("get_mempolicy", 5228), ("get_robust_list", 5269), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 5271), ("getcwd", 5077), ("getdents", 5076), ("getdents64", 5308), ("getegid", 5106), ("getegid32", -10015), ("geteuid", 5105), ("geteuid32", -10016), ("getgid", 5102), ("getgid32", -10017), ("getgroups", 5113), ("getgroups32", -10018), ("getitimer", 5035), ("getpeername", 5051), ("getpgid", 5119), ("getpgrp", 5109), ("getpid", 5038), ("getpmsg", 5174), ("getppid", 5108), ("getpriority", 5137), ("getrandom", 5313), ("getresgid", 5118), ("getresgid32", -10019), ("getresuid", 5116), ("getresuid32", -10020), ("getrlimit", 5095), ("getrusage", 5096), ("getsid", 5122), ("getsockname", 5050), ("getsockopt", 5054), ("gettid", 5178), ("gettimeofday", 5094), ("getuid", 5100), ("getuid32", -10021), ("getxattr", 5183), ("gtty", -10022), ("idle", -10023), ("init_module", 5168), ("inotify_add_watch", 5244), ("inotify_init", 5243), ("inotify_init1", 5288), ("inotify_rm_watch", 5245), ("io_cancel", 5204), ("io_destroy", 5201), ("io_getevents", 5202), ("io_pgetevents", 5328), ("io_pgetevents_time64", -10223), ("io_setup", 5200), ("io_submit", 5203), ("io_uring_enter", 5426), ("io_uring_register", 5427), ("io_uring_setup", 5425), ("ioctl", 5015), ("ioperm", -10094), ("iopl", -10095), ("ioprio_get", 5274), ("ioprio_set", 5273), ("ipc", -10024), ("kcmp", 5306), ("kexec_file_load", -10111), ("kexec_load", 5270), ("keyctl", 5241), ("kill", 5060), ("landlock_add_rule", 5445), ("landlock_create_ruleset", 5444), ("landlock_restrict_self", 5446), ("lchown", 5092), ("lchown32", -10025), ("lgetxattr", 5184), ("link", 5084), ("linkat", 5255), ("listen", 5049), ("listxattr", 5186), ("llistxattr", 5187), ("lock", -10027), ("lookup_dcookie", 5206), ("lremovexattr", 5190), ("lseek", 5008), ("lsetxattr", 5181), ("lstat", 5006), ("lstat64", -10028), ("madvise", 5027), ("mbind", 5227), ("membarrier", 5318), ("memfd_create", 5314), ("memfd_secret", -10244), ("migrate_pages", 5246), ("mincore", 5026), ("mkdir", 5081), ("mkdirat", 5248), ("mknod", 5131), ("mknodat", 5249), ("mlock", 5146), ("mlock2", 5319), ("mlockall", 5148), ("mmap", 5009), ("mmap2", -10029), ("modify_ldt", -10098), ("mount", 5160), ("mount_setattr", 5442), ("move_mount", 5429), ("move_pages", 5267), ("mprotect", 5010), ("mpx", -10030), ("mq_getsetattr", 5235), ("mq_notify", 5234), ("mq_open", 5230), ("mq_timedreceive", 5233), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 5232), ("mq_timedsend_time64", -10226), ("mq_unlink", 5231), ("mremap", 5024), ("msgctl", 5069), ("msgget", 5066), ("msgrcv", 5068), ("msgsnd", 5067), ("msync", 5025), ("multiplexer", -10186), ("munlock", 5147), ("munlockall", 5149), ("munmap", 5011), ("name_to_handle_at", 5298), ("nanosleep", 5034), ("newfstatat", 5252), ("nfsservctl", 5173), ("nice", -10033), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", 5002), ("open_by_handle_at", 5299), ("open_tree", 5428), ("openat", 5247), ("openat2", 5437), ("pause", 5033), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 5292), ("personality", 5132), ("pidfd_getfd", 5438), ("pidfd_open", 5434), ("pidfd_send_signal", 5424), ("pipe", 5021), ("pipe2", 5287), ("pivot_root", 5151), ("pkey_alloc", 5324), ("pkey_free", 5325), ("pkey_mprotect", 5323), ("poll", 5007), ("ppoll", 5261), ("ppoll_time64", -10230), ("prctl", 5153), ("pread64", 5016), ("preadv", 5289), ("preadv2", 5321), ("prlimit64", 5297), ("process_madvise", 5440), ("process_mrelease", 5448), ("process_vm_readv", 5304), ("process_vm_writev", 5305), ("prof", -10039), ("profil", -10040), ("pselect6", 5260), ("pselect6_time64", -10231), ("ptrace", 5099), ("putpmsg", 5175), ("pwrite64", 5017), ("pwritev", 5290), ("pwritev2", 5322), ("query_module", 5171), ("quotactl", 5172), ("quotactl_fd", 5443), ("read", 5000), ("readahead", 5179), ("readdir", -10041), ("readlink", 5087), ("readlinkat", 5257), ("readv", 5018), ("reboot", 5164), ("recv", -110), ("recvfrom", 5044), ("recvmmsg", 5294), ("recvmmsg_time64", -10232), ("recvmsg", 5046), ("remap_file_pages", 5210), ("removexattr", 5189), ("rename", 5080), ("renameat", 5254), ("renameat2", 5311), ("request_key", 5240), ("restart_syscall", 5213), ("riscv_flush_icache", -10243), ("rmdir", 5082), ("rseq", 5327), ("rt_sigaction", 5013), ("rt_sigpending", 5125), ("rt_sigprocmask", 5014), ("rt_sigqueueinfo", 5127), ("rt_sigreturn", 5211), ("rt_sigsuspend", 5128), ("rt_sigtimedwait", 5126), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 5291), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 5143), ("sched_get_priority_min", 5144), ("sched_getaffinity", 5196), ("sched_getattr", 5310), ("sched_getparam", 5140), ("sched_getscheduler", 5142), ("sched_rr_get_interval", 5145), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 5195), ("sched_setattr", 5309), ("sched_setparam", 5139), ("sched_setscheduler", 5141), ("sched_yield", 5023), ("seccomp", 5312), ("security", -10042), ("select", -10101), ("semctl", 5064), ("semget", 5062), ("semop", 5063), ("semtimedop", 5214), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 5039), ("sendfile64", -10043), ("sendmmsg", 5302), ("sendmsg", 5045), ("sendto", 5043), ("set_mempolicy", 5229), ("set_robust_list", 5268), ("set_thread_area", 5242), ("set_tid_address", 5212), ("set_tls", -10183), ("setdomainname", 5166), ("setfsgid", 5121), ("setfsgid32", -10044), ("setfsuid", 5120), ("setfsuid32", -10045), ("setgid", 5104), ("setgid32", -10046), ("setgroups", 5114), ("setgroups32", -10047), ("sethostname", 5165), ("setitimer", 5036), ("setns", 5303), ("setpgid", 5107), ("setpriority", 5138), ("setregid", 5112), ("setregid32", -10048), ("setresgid", 5117), ("setresgid32", -10049), ("setresuid", 5115), ("setresuid32", -10050), ("setreuid", 5111), ("setreuid32", -10051), ("setrlimit", 5155), ("setsid", 5110), ("setsockopt", 5053), ("settimeofday", 5159), ("setuid", 5103), ("setuid32", -10052), ("setxattr", 5180), ("sgetmask", -10053), ("shmat", 5029), ("shmctl", 5030), ("shmdt", 5065), ("shmget", 5028), ("shutdown", 5047), ("sigaction", -10054), ("sigaltstack", 5129), ("signal", -10055), ("signalfd", 5276), ("signalfd4", 5283), ("sigpending", -10056), ("sigprocmask", -10057), ("sigreturn", -10058), ("sigsuspend", -10059), ("socket", 5040), ("socketcall", -10060), ("socketpair", 5052), ("splice", 5263), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", 5004), ("stat64", -10062), ("statfs", 5134), ("statfs64", -10063), ("statx", 5326), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 5163), ("swapon", 5162), ("switch_endian", -10191), ("symlink", 5086), ("symlinkat", 5256), ("sync", 5157), ("sync_file_range", 5264), ("sync_file_range2", -10089), ("syncfs", 5301), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", 5136), ("sysinfo", 5097), ("syslog", 5101), ("sysmips", 5199), ("tee", 5265), ("tgkill", 5225), ("time", -10108), ("timer_create", 5216), ("timer_delete", 5220), ("timer_getoverrun", 5219), ("timer_gettime", 5218), ("timer_gettime64", -10236), ("timer_settime", 5217), ("timer_settime64", -10237), ("timerfd", 5277), ("timerfd_create", 5280), ("timerfd_gettime", 5281), ("timerfd_gettime64", -10238), ("timerfd_settime", 5282), ("timerfd_settime64", -10239), ("times", 5098), ("tkill", 5192), ("truncate", 5074), ("truncate64", -10066), ("tuxcall", -10067), ("ugetrlimit", -10068), ("ulimit", -10069), ("umask", 5093), ("umount", -10070), ("umount2", 5161), ("uname", 5061), ("unlink", 5085), ("unlinkat", 5253), ("unshare", 5262), ("uselib", -10081), ("userfaultfd", 5317), ("usr26", -10184), ("usr32", -10185), ("ustat", 5133), ("utime", 5130), ("utimensat", 5275), ("utimensat_time64", -10240), ("utimes", 5226), ("vfork", -10102), ("vhangup", 5150), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 5266), ("vserver", 5236), ("wait4", 5059), ("waitid", 5237), ("waitpid", -10073), ("write", 5001), ("writev", 5019), ]; libseccomp-0.3.0/src/syscall/powerpc.rs000064400000000000000000000270530072674642500162710ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", 140), ("_newselect", 142), ("_sysctl", 149), ("accept", -105), ("accept4", -118), ("access", 33), ("acct", 51), ("add_key", 269), ("adjtimex", 124), ("afs_syscall", 137), ("alarm", 27), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", 134), ("bind", -102), ("bpf", 361), ("break", 17), ("breakpoint", -10182), ("brk", 45), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 183), ("capset", 184), ("chdir", 12), ("chmod", 15), ("chown", 181), ("chown32", -10004), ("chroot", 61), ("clock_adjtime", 347), ("clock_adjtime64", 405), ("clock_getres", 247), ("clock_getres_time64", 406), ("clock_gettime", 246), ("clock_gettime64", 403), ("clock_nanosleep", 248), ("clock_nanosleep_time64", 407), ("clock_settime", 245), ("clock_settime64", 404), ("clone", 120), ("clone3", 435), ("close", 6), ("close_range", 436), ("connect", -103), ("copy_file_range", 379), ("creat", 8), ("create_module", 127), ("delete_module", 129), ("dup", 41), ("dup2", 63), ("dup3", 316), ("epoll_create", 236), ("epoll_create1", 315), ("epoll_ctl", 237), ("epoll_ctl_old", -10005), ("epoll_pwait", 303), ("epoll_pwait2", 441), ("epoll_wait", 238), ("epoll_wait_old", -10006), ("eventfd", 307), ("eventfd2", 314), ("execve", 11), ("execveat", 362), ("exit", 1), ("exit_group", 234), ("faccessat", 298), ("faccessat2", 439), ("fadvise64", 233), ("fadvise64_64", 254), ("fallocate", 309), ("fanotify_init", 323), ("fanotify_mark", 324), ("fchdir", 133), ("fchmod", 94), ("fchmodat", 297), ("fchown", 95), ("fchown32", -10008), ("fchownat", 289), ("fcntl", 55), ("fcntl64", 204), ("fdatasync", 148), ("fgetxattr", 214), ("finit_module", 353), ("flistxattr", 217), ("flock", 143), ("fork", 2), ("fremovexattr", 220), ("fsconfig", 431), ("fsetxattr", 211), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 108), ("fstat64", 197), ("fstatat64", 291), ("fstatfs", 100), ("fstatfs64", 253), ("fsync", 118), ("ftime", 35), ("ftruncate", 93), ("ftruncate64", 194), ("futex", 221), ("futex_time64", 422), ("futimesat", 290), ("get_kernel_syms", 130), ("get_mempolicy", 260), ("get_robust_list", 299), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 302), ("getcwd", 182), ("getdents", 141), ("getdents64", 202), ("getegid", 50), ("getegid32", -10015), ("geteuid", 49), ("geteuid32", -10016), ("getgid", 47), ("getgid32", -10017), ("getgroups", 80), ("getgroups32", -10018), ("getitimer", 105), ("getpeername", -107), ("getpgid", 132), ("getpgrp", 65), ("getpid", 20), ("getpmsg", 187), ("getppid", 64), ("getpriority", 96), ("getrandom", 359), ("getresgid", 170), ("getresgid32", -10019), ("getresuid", 165), ("getresuid32", -10020), ("getrlimit", 76), ("getrusage", 77), ("getsid", 147), ("getsockname", -106), ("getsockopt", -115), ("gettid", 207), ("gettimeofday", 78), ("getuid", 24), ("getuid32", -10021), ("getxattr", 212), ("gtty", 32), ("idle", 112), ("init_module", 128), ("inotify_add_watch", 276), ("inotify_init", 275), ("inotify_init1", 318), ("inotify_rm_watch", 277), ("io_cancel", 231), ("io_destroy", 228), ("io_getevents", 229), ("io_pgetevents", 388), ("io_pgetevents_time64", 416), ("io_setup", 227), ("io_submit", 230), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 54), ("ioperm", 101), ("iopl", 110), ("ioprio_get", 274), ("ioprio_set", 273), ("ipc", 117), ("kcmp", 354), ("kexec_file_load", 382), ("kexec_load", 268), ("keyctl", 271), ("kill", 37), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 16), ("lchown32", -10025), ("lgetxattr", 213), ("link", 9), ("linkat", 294), ("listen", -104), ("listxattr", 215), ("llistxattr", 216), ("lock", 53), ("lookup_dcookie", 235), ("lremovexattr", 219), ("lseek", 19), ("lsetxattr", 210), ("lstat", 107), ("lstat64", 196), ("madvise", 205), ("mbind", 259), ("membarrier", 365), ("memfd_create", 360), ("memfd_secret", -10244), ("migrate_pages", 258), ("mincore", 206), ("mkdir", 39), ("mkdirat", 287), ("mknod", 14), ("mknodat", 288), ("mlock", 150), ("mlock2", 378), ("mlockall", 152), ("mmap", 90), ("mmap2", 192), ("modify_ldt", 123), ("mount", 21), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 301), ("mprotect", 125), ("mpx", 56), ("mq_getsetattr", 267), ("mq_notify", 266), ("mq_open", 262), ("mq_timedreceive", 265), ("mq_timedreceive_time64", 419), ("mq_timedsend", 264), ("mq_timedsend_time64", 418), ("mq_unlink", 263), ("mremap", 163), ("msgctl", -214), ("msgget", -213), ("msgrcv", -212), ("msgsnd", -211), ("msync", 144), ("multiplexer", 201), ("munlock", 151), ("munlockall", 153), ("munmap", 91), ("name_to_handle_at", 345), ("nanosleep", 162), ("newfstatat", -10031), ("nfsservctl", 168), ("nice", 34), ("oldfstat", 28), ("oldlstat", 84), ("oldolduname", 59), ("oldstat", 18), ("olduname", 109), ("open", 5), ("open_by_handle_at", 346), ("open_tree", 428), ("openat", 286), ("openat2", 437), ("pause", 29), ("pciconfig_iobase", 200), ("pciconfig_read", 198), ("pciconfig_write", 199), ("perf_event_open", 319), ("personality", 136), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 42), ("pipe2", 317), ("pivot_root", 203), ("pkey_alloc", 384), ("pkey_free", 385), ("pkey_mprotect", 386), ("poll", 167), ("ppoll", 281), ("ppoll_time64", 414), ("prctl", 171), ("pread64", 179), ("preadv", 320), ("preadv2", 380), ("prlimit64", 325), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 351), ("process_vm_writev", 352), ("prof", 44), ("profil", 98), ("pselect6", 280), ("pselect6_time64", 413), ("ptrace", 26), ("putpmsg", 188), ("pwrite64", 180), ("pwritev", 321), ("pwritev2", 381), ("query_module", 166), ("quotactl", 131), ("quotactl_fd", 443), ("read", 3), ("readahead", 191), ("readdir", 89), ("readlink", 85), ("readlinkat", 296), ("readv", 145), ("reboot", 88), ("recv", -110), ("recvfrom", -112), ("recvmmsg", -119), ("recvmmsg_time64", 417), ("recvmsg", -117), ("remap_file_pages", 239), ("removexattr", 218), ("rename", 38), ("renameat", 293), ("renameat2", 357), ("request_key", 270), ("restart_syscall", 0), ("riscv_flush_icache", -10243), ("rmdir", 40), ("rseq", 387), ("rt_sigaction", 173), ("rt_sigpending", 175), ("rt_sigprocmask", 174), ("rt_sigqueueinfo", 177), ("rt_sigreturn", 172), ("rt_sigsuspend", 178), ("rt_sigtimedwait", 176), ("rt_sigtimedwait_time64", 421), ("rt_tgsigqueueinfo", 322), ("rtas", 255), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 159), ("sched_get_priority_min", 160), ("sched_getaffinity", 223), ("sched_getattr", 356), ("sched_getparam", 155), ("sched_getscheduler", 157), ("sched_rr_get_interval", 161), ("sched_rr_get_interval_time64", 423), ("sched_setaffinity", 222), ("sched_setattr", 355), ("sched_setparam", 154), ("sched_setscheduler", 156), ("sched_yield", 158), ("seccomp", 358), ("security", -10042), ("select", 82), ("semctl", -203), ("semget", -202), ("semop", -201), ("semtimedop", -204), ("semtimedop_time64", 420), ("send", -109), ("sendfile", 186), ("sendfile64", 226), ("sendmmsg", -120), ("sendmsg", -116), ("sendto", -111), ("set_mempolicy", 261), ("set_robust_list", 300), ("set_thread_area", -10079), ("set_tid_address", 232), ("set_tls", -10183), ("setdomainname", 121), ("setfsgid", 139), ("setfsgid32", -10044), ("setfsuid", 138), ("setfsuid32", -10045), ("setgid", 46), ("setgid32", -10046), ("setgroups", 81), ("setgroups32", -10047), ("sethostname", 74), ("setitimer", 104), ("setns", 350), ("setpgid", 57), ("setpriority", 97), ("setregid", 71), ("setregid32", -10048), ("setresgid", 169), ("setresgid32", -10049), ("setresuid", 164), ("setresuid32", -10050), ("setreuid", 70), ("setreuid32", -10051), ("setrlimit", 75), ("setsid", 66), ("setsockopt", -114), ("settimeofday", 79), ("setuid", 23), ("setuid32", -10052), ("setxattr", 209), ("sgetmask", 68), ("shmat", -221), ("shmctl", -224), ("shmdt", -222), ("shmget", -223), ("shutdown", -113), ("sigaction", 67), ("sigaltstack", 185), ("signal", 48), ("signalfd", 305), ("signalfd4", 313), ("sigpending", 73), ("sigprocmask", 126), ("sigreturn", 119), ("sigsuspend", 72), ("socket", -101), ("socketcall", 102), ("socketpair", -108), ("splice", 283), ("spu_create", 279), ("spu_run", 278), ("ssetmask", 69), ("stat", 106), ("stat64", 195), ("statfs", 99), ("statfs64", 252), ("statx", 383), ("stime", 25), ("stty", 31), ("subpage_prot", 310), ("swapcontext", 249), ("swapoff", 115), ("swapon", 87), ("switch_endian", 363), ("symlink", 83), ("symlinkat", 295), ("sync", 36), ("sync_file_range", -10100), ("sync_file_range2", 308), ("syncfs", 348), ("sys_debug_setcontext", 256), ("syscall", -10090), ("sysfs", 135), ("sysinfo", 116), ("syslog", 103), ("sysmips", -10106), ("tee", 284), ("tgkill", 250), ("time", 13), ("timer_create", 240), ("timer_delete", 244), ("timer_getoverrun", 243), ("timer_gettime", 242), ("timer_gettime64", 408), ("timer_settime", 241), ("timer_settime64", 409), ("timerfd", -10107), ("timerfd_create", 306), ("timerfd_gettime", 312), ("timerfd_gettime64", 410), ("timerfd_settime", 311), ("timerfd_settime64", 411), ("times", 43), ("tkill", 208), ("truncate", 92), ("truncate64", 193), ("tuxcall", 225), ("ugetrlimit", 190), ("ulimit", 58), ("umask", 60), ("umount", 22), ("umount2", 52), ("uname", 122), ("unlink", 10), ("unlinkat", 292), ("unshare", 282), ("uselib", 86), ("userfaultfd", 364), ("usr26", -10184), ("usr32", -10185), ("ustat", 62), ("utime", 30), ("utimensat", 304), ("utimensat_time64", 412), ("utimes", 251), ("vfork", 189), ("vhangup", 111), ("vm86", 113), ("vm86old", -10072), ("vmsplice", 285), ("vserver", -10082), ("wait4", 114), ("waitid", 272), ("waitpid", 7), ("write", 4), ("writev", 146), ]; libseccomp-0.3.0/src/syscall/powerpc64.rs000064400000000000000000000272020072674642500164370ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", 140), ("_newselect", 142), ("_sysctl", 149), ("accept", -105), ("accept4", -118), ("access", 33), ("acct", 51), ("add_key", 269), ("adjtimex", 124), ("afs_syscall", 137), ("alarm", 27), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", 134), ("bind", -102), ("bpf", 361), ("break", 17), ("breakpoint", -10182), ("brk", 45), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 183), ("capset", 184), ("chdir", 12), ("chmod", 15), ("chown", 181), ("chown32", -10004), ("chroot", 61), ("clock_adjtime", 347), ("clock_adjtime64", -10212), ("clock_getres", 247), ("clock_getres_time64", -10213), ("clock_gettime", 246), ("clock_gettime64", -10214), ("clock_nanosleep", 248), ("clock_nanosleep_time64", -10215), ("clock_settime", 245), ("clock_settime64", -10216), ("clone", 120), ("clone3", 435), ("close", 6), ("close_range", 436), ("connect", -103), ("copy_file_range", 379), ("creat", 8), ("create_module", 127), ("delete_module", 129), ("dup", 41), ("dup2", 63), ("dup3", 316), ("epoll_create", 236), ("epoll_create1", 315), ("epoll_ctl", 237), ("epoll_ctl_old", -10005), ("epoll_pwait", 303), ("epoll_pwait2", 441), ("epoll_wait", 238), ("epoll_wait_old", -10006), ("eventfd", 307), ("eventfd2", 314), ("execve", 11), ("execveat", 362), ("exit", 1), ("exit_group", 234), ("faccessat", 298), ("faccessat2", 439), ("fadvise64", 233), ("fadvise64_64", -10007), ("fallocate", 309), ("fanotify_init", 323), ("fanotify_mark", 324), ("fchdir", 133), ("fchmod", 94), ("fchmodat", 297), ("fchown", 95), ("fchown32", -10008), ("fchownat", 289), ("fcntl", 55), ("fcntl64", -10009), ("fdatasync", 148), ("fgetxattr", 214), ("finit_module", 353), ("flistxattr", 217), ("flock", 143), ("fork", 2), ("fremovexattr", 220), ("fsconfig", 431), ("fsetxattr", 211), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 108), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 100), ("fstatfs64", 253), ("fsync", 118), ("ftime", 35), ("ftruncate", 93), ("ftruncate64", -10014), ("futex", 221), ("futex_time64", -10222), ("futimesat", 290), ("get_kernel_syms", 130), ("get_mempolicy", 260), ("get_robust_list", 299), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 302), ("getcwd", 182), ("getdents", 141), ("getdents64", 202), ("getegid", 50), ("getegid32", -10015), ("geteuid", 49), ("geteuid32", -10016), ("getgid", 47), ("getgid32", -10017), ("getgroups", 80), ("getgroups32", -10018), ("getitimer", 105), ("getpeername", -107), ("getpgid", 132), ("getpgrp", 65), ("getpid", 20), ("getpmsg", 187), ("getppid", 64), ("getpriority", 96), ("getrandom", 359), ("getresgid", 170), ("getresgid32", -10019), ("getresuid", 165), ("getresuid32", -10020), ("getrlimit", 76), ("getrusage", 77), ("getsid", 147), ("getsockname", -106), ("getsockopt", -115), ("gettid", 207), ("gettimeofday", 78), ("getuid", 24), ("getuid32", -10021), ("getxattr", 212), ("gtty", 32), ("idle", 112), ("init_module", 128), ("inotify_add_watch", 276), ("inotify_init", 275), ("inotify_init1", 318), ("inotify_rm_watch", 277), ("io_cancel", 231), ("io_destroy", 228), ("io_getevents", 229), ("io_pgetevents", 388), ("io_pgetevents_time64", -10223), ("io_setup", 227), ("io_submit", 230), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 54), ("ioperm", 101), ("iopl", 110), ("ioprio_get", 274), ("ioprio_set", 273), ("ipc", 117), ("kcmp", 354), ("kexec_file_load", 382), ("kexec_load", 268), ("keyctl", 271), ("kill", 37), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 16), ("lchown32", -10025), ("lgetxattr", 213), ("link", 9), ("linkat", 294), ("listen", -104), ("listxattr", 215), ("llistxattr", 216), ("lock", 53), ("lookup_dcookie", 235), ("lremovexattr", 219), ("lseek", 19), ("lsetxattr", 210), ("lstat", 107), ("lstat64", -10028), ("madvise", 205), ("mbind", 259), ("membarrier", 365), ("memfd_create", 360), ("memfd_secret", -10244), ("migrate_pages", 258), ("mincore", 206), ("mkdir", 39), ("mkdirat", 287), ("mknod", 14), ("mknodat", 288), ("mlock", 150), ("mlock2", 378), ("mlockall", 152), ("mmap", 90), ("mmap2", -10029), ("modify_ldt", 123), ("mount", 21), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 301), ("mprotect", 125), ("mpx", 56), ("mq_getsetattr", 267), ("mq_notify", 266), ("mq_open", 262), ("mq_timedreceive", 265), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 264), ("mq_timedsend_time64", -10226), ("mq_unlink", 263), ("mremap", 163), ("msgctl", -214), ("msgget", -213), ("msgrcv", -212), ("msgsnd", -211), ("msync", 144), ("multiplexer", 201), ("munlock", 151), ("munlockall", 153), ("munmap", 91), ("name_to_handle_at", 345), ("nanosleep", 162), ("newfstatat", 291), ("nfsservctl", 168), ("nice", 34), ("oldfstat", 28), ("oldlstat", 84), ("oldolduname", 59), ("oldstat", 18), ("olduname", 109), ("open", 5), ("open_by_handle_at", 346), ("open_tree", 428), ("openat", 286), ("openat2", 437), ("pause", 29), ("pciconfig_iobase", 200), ("pciconfig_read", 198), ("pciconfig_write", 199), ("perf_event_open", 319), ("personality", 136), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 42), ("pipe2", 317), ("pivot_root", 203), ("pkey_alloc", 384), ("pkey_free", 385), ("pkey_mprotect", 386), ("poll", 167), ("ppoll", 281), ("ppoll_time64", -10230), ("prctl", 171), ("pread64", 179), ("preadv", 320), ("preadv2", 380), ("prlimit64", 325), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 351), ("process_vm_writev", 352), ("prof", 44), ("profil", 98), ("pselect6", 280), ("pselect6_time64", -10231), ("ptrace", 26), ("putpmsg", 188), ("pwrite64", 180), ("pwritev", 321), ("pwritev2", 381), ("query_module", 166), ("quotactl", 131), ("quotactl_fd", 443), ("read", 3), ("readahead", 191), ("readdir", 89), ("readlink", 85), ("readlinkat", 296), ("readv", 145), ("reboot", 88), ("recv", -110), ("recvfrom", -112), ("recvmmsg", -119), ("recvmmsg_time64", -10232), ("recvmsg", -117), ("remap_file_pages", 239), ("removexattr", 218), ("rename", 38), ("renameat", 293), ("renameat2", 357), ("request_key", 270), ("restart_syscall", 0), ("riscv_flush_icache", -10243), ("rmdir", 40), ("rseq", 387), ("rt_sigaction", 173), ("rt_sigpending", 175), ("rt_sigprocmask", 174), ("rt_sigqueueinfo", 177), ("rt_sigreturn", 172), ("rt_sigsuspend", 178), ("rt_sigtimedwait", 176), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 322), ("rtas", 255), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 159), ("sched_get_priority_min", 160), ("sched_getaffinity", 223), ("sched_getattr", 356), ("sched_getparam", 155), ("sched_getscheduler", 157), ("sched_rr_get_interval", 161), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 222), ("sched_setattr", 355), ("sched_setparam", 154), ("sched_setscheduler", 156), ("sched_yield", 158), ("seccomp", 358), ("security", -10042), ("select", 82), ("semctl", -203), ("semget", -202), ("semop", -201), ("semtimedop", -204), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 186), ("sendfile64", -10043), ("sendmmsg", -120), ("sendmsg", -116), ("sendto", -111), ("set_mempolicy", 261), ("set_robust_list", 300), ("set_thread_area", -10079), ("set_tid_address", 232), ("set_tls", -10183), ("setdomainname", 121), ("setfsgid", 139), ("setfsgid32", -10044), ("setfsuid", 138), ("setfsuid32", -10045), ("setgid", 46), ("setgid32", -10046), ("setgroups", 81), ("setgroups32", -10047), ("sethostname", 74), ("setitimer", 104), ("setns", 350), ("setpgid", 57), ("setpriority", 97), ("setregid", 71), ("setregid32", -10048), ("setresgid", 169), ("setresgid32", -10049), ("setresuid", 164), ("setresuid32", -10050), ("setreuid", 70), ("setreuid32", -10051), ("setrlimit", 75), ("setsid", 66), ("setsockopt", -114), ("settimeofday", 79), ("setuid", 23), ("setuid32", -10052), ("setxattr", 209), ("sgetmask", 68), ("shmat", -221), ("shmctl", -224), ("shmdt", -222), ("shmget", -223), ("shutdown", -113), ("sigaction", 67), ("sigaltstack", 185), ("signal", 48), ("signalfd", 305), ("signalfd4", 313), ("sigpending", 73), ("sigprocmask", 126), ("sigreturn", 119), ("sigsuspend", 72), ("socket", -101), ("socketcall", 102), ("socketpair", -108), ("splice", 283), ("spu_create", 279), ("spu_run", 278), ("ssetmask", 69), ("stat", 106), ("stat64", -10062), ("statfs", 99), ("statfs64", 252), ("statx", 383), ("stime", 25), ("stty", 31), ("subpage_prot", 310), ("swapcontext", 249), ("swapoff", 115), ("swapon", 87), ("switch_endian", 363), ("symlink", 83), ("symlinkat", 295), ("sync", 36), ("sync_file_range", -10100), ("sync_file_range2", 308), ("syncfs", 348), ("sys_debug_setcontext", 256), ("syscall", -10090), ("sysfs", 135), ("sysinfo", 116), ("syslog", 103), ("sysmips", -10106), ("tee", 284), ("tgkill", 250), ("time", 13), ("timer_create", 240), ("timer_delete", 244), ("timer_getoverrun", 243), ("timer_gettime", 242), ("timer_gettime64", -10236), ("timer_settime", 241), ("timer_settime64", -10237), ("timerfd", -10107), ("timerfd_create", 306), ("timerfd_gettime", 312), ("timerfd_gettime64", -10238), ("timerfd_settime", 311), ("timerfd_settime64", -10239), ("times", 43), ("tkill", 208), ("truncate", 92), ("truncate64", -10066), ("tuxcall", 225), ("ugetrlimit", 190), ("ulimit", 58), ("umask", 60), ("umount", 22), ("umount2", 52), ("uname", 122), ("unlink", 10), ("unlinkat", 292), ("unshare", 282), ("uselib", 86), ("userfaultfd", 364), ("usr26", -10184), ("usr32", -10185), ("ustat", 62), ("utime", 30), ("utimensat", 304), ("utimensat_time64", -10240), ("utimes", 251), ("vfork", 189), ("vhangup", 111), ("vm86", 113), ("vm86old", -10072), ("vmsplice", 285), ("vserver", -10082), ("wait4", 114), ("waitid", 272), ("waitpid", 7), ("write", 4), ("writev", 146), ]; libseccomp-0.3.0/src/syscall/riscv64.rs000064400000000000000000000276100072674642500161110ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", -10026), ("_newselect", -10032), ("_sysctl", -10080), ("accept", 202), ("accept4", 242), ("access", -10147), ("acct", 89), ("add_key", 217), ("adjtimex", 171), ("afs_syscall", -10091), ("alarm", -10148), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", -10002), ("bind", 200), ("bpf", 280), ("break", -10003), ("breakpoint", -10182), ("brk", 214), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 90), ("capset", 91), ("chdir", 49), ("chmod", -10149), ("chown", -10150), ("chown32", -10004), ("chroot", 51), ("clock_adjtime", 266), ("clock_adjtime64", -10212), ("clock_getres", 114), ("clock_getres_time64", -10213), ("clock_gettime", 113), ("clock_gettime64", -10214), ("clock_nanosleep", 115), ("clock_nanosleep_time64", -10215), ("clock_settime", 112), ("clock_settime64", -10216), ("clone", 220), ("clone3", 435), ("close", 57), ("close_range", 436), ("connect", 203), ("copy_file_range", 285), ("creat", -10151), ("create_module", -10074), ("delete_module", 106), ("dup", 23), ("dup2", -10152), ("dup3", 24), ("epoll_create", -10153), ("epoll_create1", 20), ("epoll_ctl", 21), ("epoll_ctl_old", -10005), ("epoll_pwait", 22), ("epoll_pwait2", 441), ("epoll_wait", -10154), ("epoll_wait_old", -10006), ("eventfd", -10155), ("eventfd2", 19), ("execve", 221), ("execveat", 281), ("exit", 93), ("exit_group", 94), ("faccessat", 48), ("faccessat2", 439), ("fadvise64", 223), ("fadvise64_64", -10007), ("fallocate", 47), ("fanotify_init", 262), ("fanotify_mark", 263), ("fchdir", 50), ("fchmod", 52), ("fchmodat", 53), ("fchown", 55), ("fchown32", -10008), ("fchownat", 54), ("fcntl", 25), ("fcntl64", -10009), ("fdatasync", 83), ("fgetxattr", 10), ("finit_module", 273), ("flistxattr", 13), ("flock", 32), ("fork", -10156), ("fremovexattr", 16), ("fsconfig", 431), ("fsetxattr", 7), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 80), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 44), ("fstatfs64", -10012), ("fsync", 82), ("ftime", -10013), ("ftruncate", 46), ("ftruncate64", -10014), ("futex", 98), ("futex_time64", -10222), ("futimesat", -10157), ("get_kernel_syms", -10075), ("get_mempolicy", 236), ("get_robust_list", 100), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 168), ("getcwd", 17), ("getdents", -10158), ("getdents64", 61), ("getegid", 177), ("getegid32", -10015), ("geteuid", 175), ("geteuid32", -10016), ("getgid", 176), ("getgid32", -10017), ("getgroups", 158), ("getgroups32", -10018), ("getitimer", 102), ("getpeername", 205), ("getpgid", 155), ("getpgrp", -10159), ("getpid", 172), ("getpmsg", -10093), ("getppid", 173), ("getpriority", 141), ("getrandom", 278), ("getresgid", 150), ("getresgid32", -10019), ("getresuid", 148), ("getresuid32", -10020), ("getrlimit", 163), ("getrusage", 165), ("getsid", 156), ("getsockname", 204), ("getsockopt", 209), ("gettid", 178), ("gettimeofday", 169), ("getuid", 174), ("getuid32", -10021), ("getxattr", 8), ("gtty", -10022), ("idle", -10023), ("init_module", 105), ("inotify_add_watch", 27), ("inotify_init", -10160), ("inotify_init1", 26), ("inotify_rm_watch", 28), ("io_cancel", 3), ("io_destroy", 1), ("io_getevents", 4), ("io_pgetevents", 292), ("io_pgetevents_time64", -10223), ("io_setup", 0), ("io_submit", 2), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 29), ("ioperm", -10094), ("iopl", -10095), ("ioprio_get", 31), ("ioprio_set", 30), ("ipc", -10024), ("kcmp", 272), ("kexec_file_load", 294), ("kexec_load", 104), ("keyctl", 219), ("kill", 129), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", -10161), ("lchown32", -10025), ("lgetxattr", 9), ("link", -10162), ("linkat", 37), ("listen", 201), ("listxattr", 11), ("llistxattr", 12), ("lock", -10027), ("lookup_dcookie", 18), ("lremovexattr", 15), ("lseek", 62), ("lsetxattr", 6), ("lstat", -10163), ("lstat64", -10028), ("madvise", 233), ("mbind", 235), ("membarrier", 283), ("memfd_create", 279), ("memfd_secret", -10244), ("migrate_pages", 238), ("mincore", 232), ("mkdir", -10164), ("mkdirat", 34), ("mknod", -10165), ("mknodat", 33), ("mlock", 228), ("mlock2", 284), ("mlockall", 230), ("mmap", 222), ("mmap2", -10029), ("modify_ldt", -10098), ("mount", 40), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 239), ("mprotect", 226), ("mpx", -10030), ("mq_getsetattr", 185), ("mq_notify", 184), ("mq_open", 180), ("mq_timedreceive", 183), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 182), ("mq_timedsend_time64", -10226), ("mq_unlink", 181), ("mremap", 216), ("msgctl", 187), ("msgget", 186), ("msgrcv", 188), ("msgsnd", 189), ("msync", 227), ("multiplexer", -10186), ("munlock", 229), ("munlockall", 231), ("munmap", 215), ("name_to_handle_at", 264), ("nanosleep", 101), ("newfstatat", 79), ("nfsservctl", 42), ("nice", -10033), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", -10166), ("open_by_handle_at", 265), ("open_tree", 428), ("openat", 56), ("openat2", 437), ("pause", -10167), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 241), ("personality", 92), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", -10168), ("pipe2", 59), ("pivot_root", 41), ("pkey_alloc", 289), ("pkey_free", 290), ("pkey_mprotect", 288), ("poll", -10169), ("ppoll", 73), ("ppoll_time64", -10230), ("prctl", 167), ("pread64", 67), ("preadv", 69), ("preadv2", 286), ("prlimit64", 261), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 270), ("process_vm_writev", 271), ("prof", -10039), ("profil", -10040), ("pselect6", 72), ("pselect6_time64", -10231), ("ptrace", 117), ("putpmsg", -10099), ("pwrite64", 68), ("pwritev", 70), ("pwritev2", 287), ("query_module", -10078), ("quotactl", 60), ("quotactl_fd", 443), ("read", 63), ("readahead", 213), ("readdir", -10041), ("readlink", -10170), ("readlinkat", 78), ("readv", 65), ("reboot", 142), ("recv", -110), ("recvfrom", 207), ("recvmmsg", 243), ("recvmmsg_time64", -10232), ("recvmsg", 212), ("remap_file_pages", 234), ("removexattr", 14), ("rename", -10171), ("renameat", -10242), ("renameat2", 276), ("request_key", 218), ("restart_syscall", 128), ("riscv_flush_icache", 259), ("rmdir", -10172), ("rseq", 293), ("rt_sigaction", 134), ("rt_sigpending", 136), ("rt_sigprocmask", 135), ("rt_sigqueueinfo", 138), ("rt_sigreturn", 139), ("rt_sigsuspend", 133), ("rt_sigtimedwait", 137), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 240), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 125), ("sched_get_priority_min", 126), ("sched_getaffinity", 123), ("sched_getattr", 275), ("sched_getparam", 121), ("sched_getscheduler", 120), ("sched_rr_get_interval", 127), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 122), ("sched_setattr", 274), ("sched_setparam", 118), ("sched_setscheduler", 119), ("sched_yield", 124), ("seccomp", 277), ("security", -10042), ("select", -10101), ("semctl", 191), ("semget", 190), ("semop", 193), ("semtimedop", 192), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 71), ("sendfile64", -10043), ("sendmmsg", 269), ("sendmsg", 211), ("sendto", 206), ("set_mempolicy", 237), ("set_robust_list", 99), ("set_thread_area", -10079), ("set_tid_address", 96), ("set_tls", -10183), ("setdomainname", 162), ("setfsgid", 152), ("setfsgid32", -10044), ("setfsuid", 151), ("setfsuid32", -10045), ("setgid", 144), ("setgid32", -10046), ("setgroups", 159), ("setgroups32", -10047), ("sethostname", 161), ("setitimer", 103), ("setns", 268), ("setpgid", 154), ("setpriority", 140), ("setregid", 143), ("setregid32", -10048), ("setresgid", 149), ("setresgid32", -10049), ("setresuid", 147), ("setresuid32", -10050), ("setreuid", 145), ("setreuid32", -10051), ("setrlimit", 164), ("setsid", 157), ("setsockopt", 208), ("settimeofday", 170), ("setuid", 146), ("setuid32", -10052), ("setxattr", 5), ("sgetmask", -10053), ("shmat", 196), ("shmctl", 195), ("shmdt", 197), ("shmget", 194), ("shutdown", 210), ("sigaction", -10054), ("sigaltstack", 132), ("signal", -10055), ("signalfd", -10173), ("signalfd4", 74), ("sigpending", -10056), ("sigprocmask", -10057), ("sigreturn", -10058), ("sigsuspend", -10059), ("socket", 198), ("socketcall", -10060), ("socketpair", 199), ("splice", 76), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", -10174), ("stat64", -10062), ("statfs", 43), ("statfs64", -10063), ("statx", 291), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 225), ("swapon", 224), ("switch_endian", -10191), ("symlink", -10175), ("symlinkat", 36), ("sync", 81), ("sync_file_range", 84), ("sync_file_range2", -10089), ("syncfs", 267), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", -10145), ("sysinfo", 179), ("syslog", 116), ("sysmips", -10106), ("tee", 77), ("tgkill", 131), ("time", -10108), ("timer_create", 107), ("timer_delete", 111), ("timer_getoverrun", 109), ("timer_gettime", 108), ("timer_gettime64", -10236), ("timer_settime", 110), ("timer_settime64", -10237), ("timerfd", -10107), ("timerfd_create", 85), ("timerfd_gettime", 87), ("timerfd_gettime64", -10238), ("timerfd_settime", 86), ("timerfd_settime64", -10239), ("times", 153), ("tkill", 130), ("truncate", 45), ("truncate64", -10066), ("tuxcall", -10067), ("ugetrlimit", -10068), ("ulimit", -10069), ("umask", 166), ("umount", -10070), ("umount2", 39), ("uname", 160), ("unlink", -10176), ("unlinkat", 35), ("unshare", 97), ("uselib", -10081), ("userfaultfd", 282), ("usr26", -10184), ("usr32", -10185), ("ustat", -10177), ("utime", -10178), ("utimensat", 88), ("utimensat_time64", -10240), ("utimes", -10179), ("vfork", -10102), ("vhangup", 58), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 75), ("vserver", -10082), ("wait4", 260), ("waitid", 95), ("waitpid", -10073), ("write", 64), ("writev", 66), ]; libseccomp-0.3.0/src/syscall/s390x.rs000064400000000000000000000274030072674642500154770ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", -10026), ("_newselect", -10032), ("_sysctl", 149), ("accept", -105), ("accept4", -118), ("access", 33), ("acct", 51), ("add_key", 278), ("adjtimex", 124), ("afs_syscall", 137), ("alarm", 27), ("arch_prctl", -10001), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", 134), ("bind", -102), ("bpf", 351), ("break", -10003), ("breakpoint", -10182), ("brk", 45), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 184), ("capset", 185), ("chdir", 12), ("chmod", 15), ("chown", 212), ("chown32", -10004), ("chroot", 61), ("clock_adjtime", 337), ("clock_adjtime64", -10212), ("clock_getres", 261), ("clock_getres_time64", -10213), ("clock_gettime", 260), ("clock_gettime64", -10214), ("clock_nanosleep", 262), ("clock_nanosleep_time64", -10215), ("clock_settime", 259), ("clock_settime64", -10216), ("clone", 120), ("clone3", 435), ("close", 6), ("close_range", 436), ("connect", -103), ("copy_file_range", 375), ("creat", 8), ("create_module", 127), ("delete_module", 129), ("dup", 41), ("dup2", 63), ("dup3", 326), ("epoll_create", 249), ("epoll_create1", 327), ("epoll_ctl", 250), ("epoll_ctl_old", -10005), ("epoll_pwait", 312), ("epoll_pwait2", 441), ("epoll_wait", 251), ("epoll_wait_old", -10006), ("eventfd", 318), ("eventfd2", 323), ("execve", 11), ("execveat", 354), ("exit", 1), ("exit_group", 248), ("faccessat", 300), ("faccessat2", 439), ("fadvise64", 253), ("fadvise64_64", -10007), ("fallocate", 314), ("fanotify_init", 332), ("fanotify_mark", 333), ("fchdir", 133), ("fchmod", 94), ("fchmodat", 299), ("fchown", 207), ("fchown32", -10008), ("fchownat", 291), ("fcntl", 55), ("fcntl64", -10009), ("fdatasync", 148), ("fgetxattr", 229), ("finit_module", 344), ("flistxattr", 232), ("flock", 143), ("fork", 2), ("fremovexattr", 235), ("fsconfig", 431), ("fsetxattr", 226), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 108), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 100), ("fstatfs64", 266), ("fsync", 118), ("ftime", -10013), ("ftruncate", 93), ("ftruncate64", -10014), ("futex", 238), ("futex_time64", -10222), ("futimesat", 292), ("get_kernel_syms", 130), ("get_mempolicy", 269), ("get_robust_list", 305), ("get_thread_area", -10076), ("get_tls", -10204), ("getcpu", 311), ("getcwd", 183), ("getdents", 141), ("getdents64", 220), ("getegid", 202), ("getegid32", -10015), ("geteuid", 201), ("geteuid32", -10016), ("getgid", 200), ("getgid32", -10017), ("getgroups", 205), ("getgroups32", -10018), ("getitimer", 105), ("getpeername", -107), ("getpgid", 132), ("getpgrp", 65), ("getpid", 20), ("getpmsg", 188), ("getppid", 64), ("getpriority", 96), ("getrandom", 349), ("getresgid", 211), ("getresgid32", -10019), ("getresuid", 209), ("getresuid32", -10020), ("getrlimit", 191), ("getrusage", 77), ("getsid", 147), ("getsockname", -106), ("getsockopt", -115), ("gettid", 236), ("gettimeofday", 78), ("getuid", 199), ("getuid32", -10021), ("getxattr", 227), ("gtty", -10022), ("idle", 112), ("init_module", 128), ("inotify_add_watch", 285), ("inotify_init", 284), ("inotify_init1", 324), ("inotify_rm_watch", 286), ("io_cancel", 247), ("io_destroy", 244), ("io_getevents", 245), ("io_pgetevents", 382), ("io_pgetevents_time64", -10223), ("io_setup", 243), ("io_submit", 246), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 54), ("ioperm", -10094), ("iopl", -10095), ("ioprio_get", 283), ("ioprio_set", 282), ("ipc", 117), ("kcmp", 343), ("kexec_file_load", 381), ("kexec_load", 277), ("keyctl", 280), ("kill", 37), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 198), ("lchown32", -10025), ("lgetxattr", 228), ("link", 9), ("linkat", 296), ("listen", -104), ("listxattr", 230), ("llistxattr", 231), ("lock", -10027), ("lookup_dcookie", 110), ("lremovexattr", 234), ("lseek", 19), ("lsetxattr", 225), ("lstat", 107), ("lstat64", -10028), ("madvise", 219), ("mbind", 268), ("membarrier", 356), ("memfd_create", 350), ("memfd_secret", -10244), ("migrate_pages", 287), ("mincore", 218), ("mkdir", 39), ("mkdirat", 289), ("mknod", 14), ("mknodat", 290), ("mlock", 150), ("mlock2", 374), ("mlockall", 152), ("mmap", 90), ("mmap2", -10029), ("modify_ldt", -10098), ("mount", 21), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 310), ("mprotect", 125), ("mpx", -10030), ("mq_getsetattr", 276), ("mq_notify", 275), ("mq_open", 271), ("mq_timedreceive", 274), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 273), ("mq_timedsend_time64", -10226), ("mq_unlink", 272), ("mremap", 163), ("msgctl", -214), ("msgget", -213), ("msgrcv", -212), ("msgsnd", -211), ("msync", 144), ("multiplexer", -10186), ("munlock", 151), ("munlockall", 153), ("munmap", 91), ("name_to_handle_at", 335), ("nanosleep", 162), ("newfstatat", 293), ("nfsservctl", 169), ("nice", 34), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", 5), ("open_by_handle_at", 336), ("open_tree", 428), ("openat", 288), ("openat2", 437), ("pause", 29), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 331), ("personality", 136), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 42), ("pipe2", 325), ("pivot_root", 217), ("pkey_alloc", 385), ("pkey_free", 386), ("pkey_mprotect", 384), ("poll", 168), ("ppoll", 302), ("ppoll_time64", -10230), ("prctl", 172), ("pread64", 180), ("preadv", 328), ("preadv2", 376), ("prlimit64", 334), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 340), ("process_vm_writev", 341), ("prof", -10039), ("profil", -10040), ("pselect6", 301), ("pselect6_time64", -10231), ("ptrace", 26), ("putpmsg", 189), ("pwrite64", 181), ("pwritev", 329), ("pwritev2", 377), ("query_module", 167), ("quotactl", 131), ("quotactl_fd", 443), ("read", 3), ("readahead", 222), ("readdir", 89), ("readlink", 85), ("readlinkat", 298), ("readv", 145), ("reboot", 88), ("recv", -110), ("recvfrom", -112), ("recvmmsg", -119), ("recvmmsg_time64", -10232), ("recvmsg", -117), ("remap_file_pages", 267), ("removexattr", 233), ("rename", 38), ("renameat", 295), ("renameat2", 347), ("request_key", 279), ("restart_syscall", 7), ("riscv_flush_icache", -10243), ("rmdir", 40), ("rseq", 383), ("rt_sigaction", 174), ("rt_sigpending", 176), ("rt_sigprocmask", 175), ("rt_sigqueueinfo", 178), ("rt_sigreturn", 173), ("rt_sigsuspend", 179), ("rt_sigtimedwait", 177), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 330), ("rtas", -10187), ("s390_guarded_storage", 378), ("s390_pci_mmio_read", 353), ("s390_pci_mmio_write", 352), ("s390_runtime_instr", 342), ("s390_sthyi", 380), ("sched_get_priority_max", 159), ("sched_get_priority_min", 160), ("sched_getaffinity", 240), ("sched_getattr", 346), ("sched_getparam", 155), ("sched_getscheduler", 157), ("sched_rr_get_interval", 161), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 239), ("sched_setattr", 345), ("sched_setparam", 154), ("sched_setscheduler", 156), ("sched_yield", 158), ("seccomp", 348), ("security", -10042), ("select", 142), ("semctl", -203), ("semget", -202), ("semop", -201), ("semtimedop", -204), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 187), ("sendfile64", -10043), ("sendmmsg", -120), ("sendmsg", -116), ("sendto", -111), ("set_mempolicy", 270), ("set_robust_list", 304), ("set_thread_area", -10079), ("set_tid_address", 252), ("set_tls", -10183), ("setdomainname", 121), ("setfsgid", 216), ("setfsgid32", -10044), ("setfsuid", 215), ("setfsuid32", -10045), ("setgid", 214), ("setgid32", -10046), ("setgroups", 206), ("setgroups32", -10047), ("sethostname", 74), ("setitimer", 104), ("setns", 339), ("setpgid", 57), ("setpriority", 97), ("setregid", 204), ("setregid32", -10048), ("setresgid", 210), ("setresgid32", -10049), ("setresuid", 208), ("setresuid32", -10050), ("setreuid", 203), ("setreuid32", -10051), ("setrlimit", 75), ("setsid", 66), ("setsockopt", -114), ("settimeofday", 79), ("setuid", 213), ("setuid32", -10052), ("setxattr", 224), ("sgetmask", -10053), ("shmat", -221), ("shmctl", -224), ("shmdt", -222), ("shmget", -223), ("shutdown", -113), ("sigaction", 67), ("sigaltstack", 186), ("signal", 48), ("signalfd", 316), ("signalfd4", 322), ("sigpending", 73), ("sigprocmask", 126), ("sigreturn", 119), ("sigsuspend", 72), ("socket", -101), ("socketcall", 102), ("socketpair", -108), ("splice", 306), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", 106), ("stat64", -10062), ("statfs", 99), ("statfs64", 265), ("statx", 379), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 115), ("swapon", 87), ("switch_endian", -10191), ("symlink", 83), ("symlinkat", 297), ("sync", 36), ("sync_file_range", 307), ("sync_file_range2", -10089), ("syncfs", 338), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", 135), ("sysinfo", 116), ("syslog", 103), ("sysmips", -10106), ("tee", 308), ("tgkill", 241), ("time", -10108), ("timer_create", 254), ("timer_delete", 258), ("timer_getoverrun", 257), ("timer_gettime", 256), ("timer_gettime64", -10236), ("timer_settime", 255), ("timer_settime64", -10237), ("timerfd", 317), ("timerfd_create", 319), ("timerfd_gettime", 321), ("timerfd_gettime64", -10238), ("timerfd_settime", 320), ("timerfd_settime64", -10239), ("times", 43), ("tkill", 237), ("truncate", 92), ("truncate64", -10066), ("tuxcall", -10067), ("ugetrlimit", -10068), ("ulimit", -10069), ("umask", 60), ("umount", 22), ("umount2", 52), ("uname", 122), ("unlink", 10), ("unlinkat", 294), ("unshare", 303), ("uselib", 86), ("userfaultfd", 355), ("usr26", -10184), ("usr32", -10185), ("ustat", 62), ("utime", 30), ("utimensat", 315), ("utimensat_time64", -10240), ("utimes", 313), ("vfork", 190), ("vhangup", 111), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 309), ("vserver", -10082), ("wait4", 114), ("waitid", 281), ("waitpid", -10073), ("write", 4), ("writev", 146), ]; libseccomp-0.3.0/src/syscall/x86.rs000064400000000000000000000270070072674642500152360ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", 140), ("_newselect", 142), ("_sysctl", 149), ("accept", -105), ("accept4", -118), ("access", 33), ("acct", 51), ("add_key", 286), ("adjtimex", 124), ("afs_syscall", 137), ("alarm", 27), ("arch_prctl", 384), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", 134), ("bind", -102), ("bpf", 357), ("break", 17), ("breakpoint", -10182), ("brk", 45), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 184), ("capset", 185), ("chdir", 12), ("chmod", 15), ("chown", 182), ("chown32", 212), ("chroot", 61), ("clock_adjtime", 343), ("clock_adjtime64", 405), ("clock_getres", 266), ("clock_getres_time64", 406), ("clock_gettime", 265), ("clock_gettime64", 403), ("clock_nanosleep", 267), ("clock_nanosleep_time64", 407), ("clock_settime", 264), ("clock_settime64", 404), ("clone", 120), ("clone3", 435), ("close", 6), ("close_range", 436), ("connect", -103), ("copy_file_range", 377), ("creat", 8), ("create_module", 127), ("delete_module", 129), ("dup", 41), ("dup2", 63), ("dup3", 330), ("epoll_create", 254), ("epoll_create1", 329), ("epoll_ctl", 255), ("epoll_ctl_old", -10005), ("epoll_pwait", 319), ("epoll_pwait2", 441), ("epoll_wait", 256), ("epoll_wait_old", -10006), ("eventfd", 323), ("eventfd2", 328), ("execve", 11), ("execveat", 358), ("exit", 1), ("exit_group", 252), ("faccessat", 307), ("faccessat2", 439), ("fadvise64", 250), ("fadvise64_64", 272), ("fallocate", 324), ("fanotify_init", 338), ("fanotify_mark", 339), ("fchdir", 133), ("fchmod", 94), ("fchmodat", 306), ("fchown", 95), ("fchown32", 207), ("fchownat", 298), ("fcntl", 55), ("fcntl64", 221), ("fdatasync", 148), ("fgetxattr", 231), ("finit_module", 350), ("flistxattr", 234), ("flock", 143), ("fork", 2), ("fremovexattr", 237), ("fsconfig", 431), ("fsetxattr", 228), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 108), ("fstat64", 197), ("fstatat64", 300), ("fstatfs", 100), ("fstatfs64", 269), ("fsync", 118), ("ftime", 35), ("ftruncate", 93), ("ftruncate64", 194), ("futex", 240), ("futex_time64", 422), ("futimesat", 299), ("get_kernel_syms", 130), ("get_mempolicy", 275), ("get_robust_list", 312), ("get_thread_area", 244), ("get_tls", -10204), ("getcpu", 318), ("getcwd", 183), ("getdents", 141), ("getdents64", 220), ("getegid", 50), ("getegid32", 202), ("geteuid", 49), ("geteuid32", 201), ("getgid", 47), ("getgid32", 200), ("getgroups", 80), ("getgroups32", 205), ("getitimer", 105), ("getpeername", -107), ("getpgid", 132), ("getpgrp", 65), ("getpid", 20), ("getpmsg", 188), ("getppid", 64), ("getpriority", 96), ("getrandom", 355), ("getresgid", 171), ("getresgid32", 211), ("getresuid", 165), ("getresuid32", 209), ("getrlimit", 76), ("getrusage", 77), ("getsid", 147), ("getsockname", -106), ("getsockopt", -115), ("gettid", 224), ("gettimeofday", 78), ("getuid", 24), ("getuid32", 199), ("getxattr", 229), ("gtty", 32), ("idle", 112), ("init_module", 128), ("inotify_add_watch", 292), ("inotify_init", 291), ("inotify_init1", 332), ("inotify_rm_watch", 293), ("io_cancel", 249), ("io_destroy", 246), ("io_getevents", 247), ("io_pgetevents", 385), ("io_pgetevents_time64", 416), ("io_setup", 245), ("io_submit", 248), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 54), ("ioperm", 101), ("iopl", 110), ("ioprio_get", 290), ("ioprio_set", 289), ("ipc", 117), ("kcmp", 349), ("kexec_file_load", -10111), ("kexec_load", 283), ("keyctl", 288), ("kill", 37), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 16), ("lchown32", 198), ("lgetxattr", 230), ("link", 9), ("linkat", 303), ("listen", -104), ("listxattr", 232), ("llistxattr", 233), ("lock", 53), ("lookup_dcookie", 253), ("lremovexattr", 236), ("lseek", 19), ("lsetxattr", 227), ("lstat", 107), ("lstat64", 196), ("madvise", 219), ("mbind", 274), ("membarrier", 375), ("memfd_create", 356), ("memfd_secret", 447), ("migrate_pages", 294), ("mincore", 218), ("mkdir", 39), ("mkdirat", 296), ("mknod", 14), ("mknodat", 297), ("mlock", 150), ("mlock2", 376), ("mlockall", 152), ("mmap", 90), ("mmap2", 192), ("modify_ldt", 123), ("mount", 21), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 317), ("mprotect", 125), ("mpx", 56), ("mq_getsetattr", 282), ("mq_notify", 281), ("mq_open", 277), ("mq_timedreceive", 280), ("mq_timedreceive_time64", 419), ("mq_timedsend", 279), ("mq_timedsend_time64", 418), ("mq_unlink", 278), ("mremap", 163), ("msgctl", -214), ("msgget", -213), ("msgrcv", -212), ("msgsnd", -211), ("msync", 144), ("multiplexer", -10186), ("munlock", 151), ("munlockall", 153), ("munmap", 91), ("name_to_handle_at", 341), ("nanosleep", 162), ("newfstatat", -10031), ("nfsservctl", 169), ("nice", 34), ("oldfstat", 28), ("oldlstat", 84), ("oldolduname", 59), ("oldstat", 18), ("olduname", 109), ("open", 5), ("open_by_handle_at", 342), ("open_tree", 428), ("openat", 295), ("openat2", 437), ("pause", 29), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 336), ("personality", 136), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 42), ("pipe2", 331), ("pivot_root", 217), ("pkey_alloc", 381), ("pkey_free", 382), ("pkey_mprotect", 380), ("poll", 168), ("ppoll", 309), ("ppoll_time64", 414), ("prctl", 172), ("pread64", 180), ("preadv", 333), ("preadv2", 378), ("prlimit64", 340), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 347), ("process_vm_writev", 348), ("prof", 44), ("profil", 98), ("pselect6", 308), ("pselect6_time64", 413), ("ptrace", 26), ("putpmsg", 189), ("pwrite64", 181), ("pwritev", 334), ("pwritev2", 379), ("query_module", 167), ("quotactl", 131), ("quotactl_fd", 443), ("read", 3), ("readahead", 225), ("readdir", 89), ("readlink", 85), ("readlinkat", 305), ("readv", 145), ("reboot", 88), ("recv", -110), ("recvfrom", -112), ("recvmmsg", -119), ("recvmmsg_time64", 417), ("recvmsg", -117), ("remap_file_pages", 257), ("removexattr", 235), ("rename", 38), ("renameat", 302), ("renameat2", 353), ("request_key", 287), ("restart_syscall", 0), ("riscv_flush_icache", -10243), ("rmdir", 40), ("rseq", 386), ("rt_sigaction", 174), ("rt_sigpending", 176), ("rt_sigprocmask", 175), ("rt_sigqueueinfo", 178), ("rt_sigreturn", 173), ("rt_sigsuspend", 179), ("rt_sigtimedwait", 177), ("rt_sigtimedwait_time64", 421), ("rt_tgsigqueueinfo", 335), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 159), ("sched_get_priority_min", 160), ("sched_getaffinity", 242), ("sched_getattr", 352), ("sched_getparam", 155), ("sched_getscheduler", 157), ("sched_rr_get_interval", 161), ("sched_rr_get_interval_time64", 423), ("sched_setaffinity", 241), ("sched_setattr", 351), ("sched_setparam", 154), ("sched_setscheduler", 156), ("sched_yield", 158), ("seccomp", 354), ("security", -10042), ("select", 82), ("semctl", -203), ("semget", -202), ("semop", -201), ("semtimedop", -204), ("semtimedop_time64", 420), ("send", -109), ("sendfile", 187), ("sendfile64", 239), ("sendmmsg", -120), ("sendmsg", -116), ("sendto", -111), ("set_mempolicy", 276), ("set_robust_list", 311), ("set_thread_area", 243), ("set_tid_address", 258), ("set_tls", -10183), ("setdomainname", 121), ("setfsgid", 139), ("setfsgid32", 216), ("setfsuid", 138), ("setfsuid32", 215), ("setgid", 46), ("setgid32", 214), ("setgroups", 81), ("setgroups32", 206), ("sethostname", 74), ("setitimer", 104), ("setns", 346), ("setpgid", 57), ("setpriority", 97), ("setregid", 71), ("setregid32", 204), ("setresgid", 170), ("setresgid32", 210), ("setresuid", 164), ("setresuid32", 208), ("setreuid", 70), ("setreuid32", 203), ("setrlimit", 75), ("setsid", 66), ("setsockopt", -114), ("settimeofday", 79), ("setuid", 23), ("setuid32", 213), ("setxattr", 226), ("sgetmask", 68), ("shmat", -221), ("shmctl", -224), ("shmdt", -222), ("shmget", -223), ("shutdown", -113), ("sigaction", 67), ("sigaltstack", 186), ("signal", 48), ("signalfd", 321), ("signalfd4", 327), ("sigpending", 73), ("sigprocmask", 126), ("sigreturn", 119), ("sigsuspend", 72), ("socket", -101), ("socketcall", 102), ("socketpair", -108), ("splice", 313), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", 69), ("stat", 106), ("stat64", 195), ("statfs", 99), ("statfs64", 268), ("statx", 383), ("stime", 25), ("stty", 31), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 115), ("swapon", 87), ("switch_endian", -10191), ("symlink", 83), ("symlinkat", 304), ("sync", 36), ("sync_file_range", 314), ("sync_file_range2", -10089), ("syncfs", 344), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", 135), ("sysinfo", 116), ("syslog", 103), ("sysmips", -10106), ("tee", 315), ("tgkill", 270), ("time", 13), ("timer_create", 259), ("timer_delete", 263), ("timer_getoverrun", 262), ("timer_gettime", 261), ("timer_gettime64", 408), ("timer_settime", 260), ("timer_settime64", 409), ("timerfd", -10107), ("timerfd_create", 322), ("timerfd_gettime", 326), ("timerfd_gettime64", 410), ("timerfd_settime", 325), ("timerfd_settime64", 411), ("times", 43), ("tkill", 238), ("truncate", 92), ("truncate64", 193), ("tuxcall", -10067), ("ugetrlimit", 191), ("ulimit", 58), ("umask", 60), ("umount", 22), ("umount2", 52), ("uname", 122), ("unlink", 10), ("unlinkat", 301), ("unshare", 310), ("uselib", 86), ("userfaultfd", 374), ("usr26", -10184), ("usr32", -10185), ("ustat", 62), ("utime", 30), ("utimensat", 320), ("utimensat_time64", 412), ("utimes", 271), ("vfork", 190), ("vhangup", 111), ("vm86", 166), ("vm86old", 113), ("vmsplice", 316), ("vserver", 273), ("wait4", 114), ("waitid", 284), ("waitpid", 7), ("write", 4), ("writev", 146), ]; libseccomp-0.3.0/src/syscall/x86_64.rs000064400000000000000000000273340072674642500155520ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // pub const SYSCALLS: &[(&str, i32)] = &[ ("_llseek", -10026), ("_newselect", -10032), ("_sysctl", 156), ("accept", 43), ("accept4", 288), ("access", 21), ("acct", 163), ("add_key", 248), ("adjtimex", 159), ("afs_syscall", 183), ("alarm", 37), ("arch_prctl", 158), ("arm_fadvise64_64", -10083), ("arm_sync_file_range", -10084), ("bdflush", -10002), ("bind", 49), ("bpf", 321), ("break", -10003), ("breakpoint", -10182), ("brk", 12), ("cachectl", -10103), ("cacheflush", -10104), ("capget", 125), ("capset", 126), ("chdir", 80), ("chmod", 90), ("chown", 92), ("chown32", -10004), ("chroot", 161), ("clock_adjtime", 305), ("clock_adjtime64", -10212), ("clock_getres", 229), ("clock_getres_time64", -10213), ("clock_gettime", 228), ("clock_gettime64", -10214), ("clock_nanosleep", 230), ("clock_nanosleep_time64", -10215), ("clock_settime", 227), ("clock_settime64", -10216), ("clone", 56), ("clone3", 435), ("close", 3), ("close_range", 436), ("connect", 42), ("copy_file_range", 326), ("creat", 85), ("create_module", 174), ("delete_module", 176), ("dup", 32), ("dup2", 33), ("dup3", 292), ("epoll_create", 213), ("epoll_create1", 291), ("epoll_ctl", 233), ("epoll_ctl_old", 214), ("epoll_pwait", 281), ("epoll_pwait2", 441), ("epoll_wait", 232), ("epoll_wait_old", 215), ("eventfd", 284), ("eventfd2", 290), ("execve", 59), ("execveat", 322), ("exit", 60), ("exit_group", 231), ("faccessat", 269), ("faccessat2", 439), ("fadvise64", 221), ("fadvise64_64", -10007), ("fallocate", 285), ("fanotify_init", 300), ("fanotify_mark", 301), ("fchdir", 81), ("fchmod", 91), ("fchmodat", 268), ("fchown", 93), ("fchown32", -10008), ("fchownat", 260), ("fcntl", 72), ("fcntl64", -10009), ("fdatasync", 75), ("fgetxattr", 193), ("finit_module", 313), ("flistxattr", 196), ("flock", 73), ("fork", 57), ("fremovexattr", 199), ("fsconfig", 431), ("fsetxattr", 190), ("fsmount", 432), ("fsopen", 430), ("fspick", 433), ("fstat", 5), ("fstat64", -10010), ("fstatat64", -10011), ("fstatfs", 138), ("fstatfs64", -10012), ("fsync", 74), ("ftime", -10013), ("ftruncate", 77), ("ftruncate64", -10014), ("futex", 202), ("futex_time64", -10222), ("futimesat", 261), ("get_kernel_syms", 177), ("get_mempolicy", 239), ("get_robust_list", 274), ("get_thread_area", 211), ("get_tls", -10204), ("getcpu", 309), ("getcwd", 79), ("getdents", 78), ("getdents64", 217), ("getegid", 108), ("getegid32", -10015), ("geteuid", 107), ("geteuid32", -10016), ("getgid", 104), ("getgid32", -10017), ("getgroups", 115), ("getgroups32", -10018), ("getitimer", 36), ("getpeername", 52), ("getpgid", 121), ("getpgrp", 111), ("getpid", 39), ("getpmsg", 181), ("getppid", 110), ("getpriority", 140), ("getrandom", 318), ("getresgid", 120), ("getresgid32", -10019), ("getresuid", 118), ("getresuid32", -10020), ("getrlimit", 97), ("getrusage", 98), ("getsid", 124), ("getsockname", 51), ("getsockopt", 55), ("gettid", 186), ("gettimeofday", 96), ("getuid", 102), ("getuid32", -10021), ("getxattr", 191), ("gtty", -10022), ("idle", -10023), ("init_module", 175), ("inotify_add_watch", 254), ("inotify_init", 253), ("inotify_init1", 294), ("inotify_rm_watch", 255), ("io_cancel", 210), ("io_destroy", 207), ("io_getevents", 208), ("io_pgetevents", 333), ("io_pgetevents_time64", -10223), ("io_setup", 206), ("io_submit", 209), ("io_uring_enter", 426), ("io_uring_register", 427), ("io_uring_setup", 425), ("ioctl", 16), ("ioperm", 173), ("iopl", 172), ("ioprio_get", 252), ("ioprio_set", 251), ("ipc", -10024), ("kcmp", 312), ("kexec_file_load", 320), ("kexec_load", 246), ("keyctl", 250), ("kill", 62), ("landlock_add_rule", 445), ("landlock_create_ruleset", 444), ("landlock_restrict_self", 446), ("lchown", 94), ("lchown32", -10025), ("lgetxattr", 192), ("link", 86), ("linkat", 265), ("listen", 50), ("listxattr", 194), ("llistxattr", 195), ("lock", -10027), ("lookup_dcookie", 212), ("lremovexattr", 198), ("lseek", 8), ("lsetxattr", 189), ("lstat", 6), ("lstat64", -10028), ("madvise", 28), ("mbind", 237), ("membarrier", 324), ("memfd_create", 319), ("memfd_secret", 447), ("migrate_pages", 256), ("mincore", 27), ("mkdir", 83), ("mkdirat", 258), ("mknod", 133), ("mknodat", 259), ("mlock", 149), ("mlock2", 325), ("mlockall", 151), ("mmap", 9), ("mmap2", -10029), ("modify_ldt", 154), ("mount", 165), ("mount_setattr", 442), ("move_mount", 429), ("move_pages", 279), ("mprotect", 10), ("mpx", -10030), ("mq_getsetattr", 245), ("mq_notify", 244), ("mq_open", 240), ("mq_timedreceive", 243), ("mq_timedreceive_time64", -10225), ("mq_timedsend", 242), ("mq_timedsend_time64", -10226), ("mq_unlink", 241), ("mremap", 25), ("msgctl", 71), ("msgget", 68), ("msgrcv", 70), ("msgsnd", 69), ("msync", 26), ("multiplexer", -10186), ("munlock", 150), ("munlockall", 152), ("munmap", 11), ("name_to_handle_at", 303), ("nanosleep", 35), ("newfstatat", 262), ("nfsservctl", 180), ("nice", -10033), ("oldfstat", -10034), ("oldlstat", -10035), ("oldolduname", -10036), ("oldstat", -10037), ("olduname", -10038), ("open", 2), ("open_by_handle_at", 304), ("open_tree", 428), ("openat", 257), ("openat2", 437), ("pause", 34), ("pciconfig_iobase", -10086), ("pciconfig_read", -10087), ("pciconfig_write", -10088), ("perf_event_open", 298), ("personality", 135), ("pidfd_getfd", 438), ("pidfd_open", 434), ("pidfd_send_signal", 424), ("pipe", 22), ("pipe2", 293), ("pivot_root", 155), ("pkey_alloc", 330), ("pkey_free", 331), ("pkey_mprotect", 329), ("poll", 7), ("ppoll", 271), ("ppoll_time64", -10230), ("prctl", 157), ("pread64", 17), ("preadv", 295), ("preadv2", 327), ("prlimit64", 302), ("process_madvise", 440), ("process_mrelease", 448), ("process_vm_readv", 310), ("process_vm_writev", 311), ("prof", -10039), ("profil", -10040), ("pselect6", 270), ("pselect6_time64", -10231), ("ptrace", 101), ("putpmsg", 182), ("pwrite64", 18), ("pwritev", 296), ("pwritev2", 328), ("query_module", 178), ("quotactl", 179), ("quotactl_fd", 443), ("read", 0), ("readahead", 187), ("readdir", -10041), ("readlink", 89), ("readlinkat", 267), ("readv", 19), ("reboot", 169), ("recv", -110), ("recvfrom", 45), ("recvmmsg", 299), ("recvmmsg_time64", -10232), ("recvmsg", 47), ("remap_file_pages", 216), ("removexattr", 197), ("rename", 82), ("renameat", 264), ("renameat2", 316), ("request_key", 249), ("restart_syscall", 219), ("riscv_flush_icache", -10243), ("rmdir", 84), ("rseq", 334), ("rt_sigaction", 13), ("rt_sigpending", 127), ("rt_sigprocmask", 14), ("rt_sigqueueinfo", 129), ("rt_sigreturn", 15), ("rt_sigsuspend", 130), ("rt_sigtimedwait", 128), ("rt_sigtimedwait_time64", -10233), ("rt_tgsigqueueinfo", 297), ("rtas", -10187), ("s390_guarded_storage", -10205), ("s390_pci_mmio_read", -10197), ("s390_pci_mmio_write", -10198), ("s390_runtime_instr", -10196), ("s390_sthyi", -10206), ("sched_get_priority_max", 146), ("sched_get_priority_min", 147), ("sched_getaffinity", 204), ("sched_getattr", 315), ("sched_getparam", 143), ("sched_getscheduler", 145), ("sched_rr_get_interval", 148), ("sched_rr_get_interval_time64", -10234), ("sched_setaffinity", 203), ("sched_setattr", 314), ("sched_setparam", 142), ("sched_setscheduler", 144), ("sched_yield", 24), ("seccomp", 317), ("security", 185), ("select", 23), ("semctl", 66), ("semget", 64), ("semop", 65), ("semtimedop", 220), ("semtimedop_time64", -10235), ("send", -109), ("sendfile", 40), ("sendfile64", -10043), ("sendmmsg", 307), ("sendmsg", 46), ("sendto", 44), ("set_mempolicy", 238), ("set_robust_list", 273), ("set_thread_area", 205), ("set_tid_address", 218), ("set_tls", -10183), ("setdomainname", 171), ("setfsgid", 123), ("setfsgid32", -10044), ("setfsuid", 122), ("setfsuid32", -10045), ("setgid", 106), ("setgid32", -10046), ("setgroups", 116), ("setgroups32", -10047), ("sethostname", 170), ("setitimer", 38), ("setns", 308), ("setpgid", 109), ("setpriority", 141), ("setregid", 114), ("setregid32", -10048), ("setresgid", 119), ("setresgid32", -10049), ("setresuid", 117), ("setresuid32", -10050), ("setreuid", 113), ("setreuid32", -10051), ("setrlimit", 160), ("setsid", 112), ("setsockopt", 54), ("settimeofday", 164), ("setuid", 105), ("setuid32", -10052), ("setxattr", 188), ("sgetmask", -10053), ("shmat", 30), ("shmctl", 31), ("shmdt", 67), ("shmget", 29), ("shutdown", 48), ("sigaction", -10054), ("sigaltstack", 131), ("signal", -10055), ("signalfd", 282), ("signalfd4", 289), ("sigpending", -10056), ("sigprocmask", -10057), ("sigreturn", -10058), ("sigsuspend", -10059), ("socket", 41), ("socketcall", -10060), ("socketpair", 53), ("splice", 275), ("spu_create", -10188), ("spu_run", -10189), ("ssetmask", -10061), ("stat", 4), ("stat64", -10062), ("statfs", 137), ("statfs64", -10063), ("statx", 332), ("stime", -10064), ("stty", -10065), ("subpage_prot", -10207), ("swapcontext", -10190), ("swapoff", 168), ("swapon", 167), ("switch_endian", -10191), ("symlink", 88), ("symlinkat", 266), ("sync", 162), ("sync_file_range", 277), ("sync_file_range2", -10089), ("syncfs", 306), ("sys_debug_setcontext", -10191), ("syscall", -10090), ("sysfs", 139), ("sysinfo", 99), ("syslog", 103), ("sysmips", -10106), ("tee", 276), ("tgkill", 234), ("time", 201), ("timer_create", 222), ("timer_delete", 226), ("timer_getoverrun", 225), ("timer_gettime", 224), ("timer_gettime64", -10236), ("timer_settime", 223), ("timer_settime64", -10237), ("timerfd", -10107), ("timerfd_create", 283), ("timerfd_gettime", 287), ("timerfd_gettime64", -10238), ("timerfd_settime", 286), ("timerfd_settime64", -10239), ("times", 100), ("tkill", 200), ("truncate", 76), ("truncate64", -10066), ("tuxcall", 184), ("ugetrlimit", -10068), ("ulimit", -10069), ("umask", 95), ("umount", -10070), ("umount2", 166), ("uname", 63), ("unlink", 87), ("unlinkat", 263), ("unshare", 272), ("uselib", 134), ("userfaultfd", 323), ("usr26", -10184), ("usr32", -10185), ("ustat", 136), ("utime", 132), ("utimensat", 280), ("utimensat_time64", -10240), ("utimes", 235), ("vfork", 58), ("vhangup", 153), ("vm86", -10071), ("vm86old", -10072), ("vmsplice", 278), ("vserver", 236), ("wait4", 61), ("waitid", 247), ("waitpid", -10073), ("write", 1), ("writev", 20), ]; libseccomp-0.3.0/src/syscall.rs000064400000000000000000000233340072674642500146100ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::{Result, SeccompError}; use crate::ScmpArch; use libseccomp_sys::*; use std::ffi::{CStr, CString}; use std::fmt; #[cfg(feature = "const-syscall")] cfg_if::cfg_if! { if #[cfg(target_arch = "x86_64")] { mod x86_64; use x86_64::SYSCALLS; } else if #[cfg(target_arch = "aarch64")] { mod aarch64; use aarch64::SYSCALLS; } else if #[cfg(target_arch = "arm")] { mod arm; use arm::SYSCALLS; } else if #[cfg(target_arch = "mips")] { mod mips; use mips::SYSCALLS; } else if #[cfg(target_arch = "mips64")] { mod mips64; use mips64::SYSCALLS; } else if #[cfg(target_arch = "powerpc")] { mod powerpc; use powerpc::SYSCALLS; } else if #[cfg(target_arch = "powerpc64")] { mod powerpc64; use powerpc64::SYSCALLS; } else if #[cfg(target_arch = "riscv64")] { mod riscv64; use riscv64::SYSCALLS; } else if #[cfg(target_arch = "s390x")] { mod s390x; use s390x::SYSCALLS; } else if #[cfg(target_arch = "x86")] { mod x86; use x86::SYSCALLS; } else { compile_error!("Looks like your target_arch is not supported by libseccomp."); } } /// Represents a syscall number. #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)] pub struct ScmpSyscall { nr: i32, } impl ScmpSyscall { pub(crate) fn to_sys(self) -> i32 { self.nr } pub(crate) fn from_sys(nr: i32) -> Self { Self { nr } } /// Resolves a syscall name to `ScmpSyscall`. /// /// This function returns a `ScmpSyscall` that can be passed to /// [`add_rule`](crate::ScmpFilterContext::add_rule) like functions. /// Or `ScmpSyscall::from(libseccomp_sys::__NR_SCMP_ERROR)` if name is unknown. /// /// Unlike [`from_name`](Self::from_name) this function does not any FFI call /// and can therefore be `const`. /// /// # Arguments /// /// * `name` - The name of a syscall /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let syscall = ScmpSyscall::new("chroot"); /// ``` #[cfg(feature = "const-syscall")] pub const fn new(name: &str) -> Self { let mut i = 0; let nr = loop { if i >= SYSCALLS.len() { break libseccomp_sys::__NR_SCMP_ERROR; } if strcmp(SYSCALLS[i].0, name) { break SYSCALLS[i].1; } i += 1; }; Self { nr } } /// Resolves a syscall name to `ScmpSyscall`. /// /// This function returns a `ScmpSyscall` that can be passed to /// [`add_rule`](crate::ScmpFilterContext::add_rule) like functions. /// /// This function corresponds to /// [`seccomp_syscall_resolve_name`](https://man7.org/linux/man-pages/man3/seccomp_syscall_resolve_name.3.html). /// /// # Arguments /// /// * `name` - The name of a syscall /// /// # Errors /// /// If an invalid string for the syscall name is specified or a syscall with that /// name is not found, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let syscall = ScmpSyscall::from_name("chroot")?; /// # Ok::<(), Box>(()) /// ``` pub fn from_name(name: &str) -> Result { Self::from_name_by_arch(name, ScmpArch::Native) } /// Resolves a syscall name to `ScmpSyscall`. /// /// NOTE: If you call this function with a foreign architecture token and pass the result /// to [`add_rule*`](crate::ScmpFilterContext::add_rule) functions you get unexpected results. /// /// This function returns a `ScmpSyscall` for the specified architecture. /// /// This function corresponds to /// [`seccomp_syscall_resolve_name_arch`](https://man7.org/linux/man-pages/man3/seccomp_syscall_resolve_name_arch.3.html). /// /// # Arguments /// /// * `name` - The name of a syscall /// * `arch` - An architecture token /// /// # Errors /// /// If an invalid string for the syscall name is specified or a syscall with that /// name is not found, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let syscall = ScmpSyscall::from_name_by_arch("chroot", ScmpArch::Aarch64)?; /// # Ok::<(), Box>(()) /// ``` pub fn from_name_by_arch(name: &str, arch: ScmpArch) -> Result { let name_c = CString::new(name)?; let nr = unsafe { seccomp_syscall_resolve_name_arch(arch.to_sys(), name_c.as_ptr()) }; if nr == __NR_SCMP_ERROR { return Err(SeccompError::with_msg(format!( "Could not resolve syscall name {}", name ))); } Ok(Self { nr }) } /// Resolves a syscall name to `ScmpSyscall`. /// /// This function returns a `ScmpSyscall` for the specified architecture /// rewritten if necessary. /// /// This function corresponds to /// [`seccomp_syscall_resolve_name_rewrite`](https://man7.org/linux/man-pages/man3/seccomp_syscall_resolve_name_rewrite.3.html). /// /// # Arguments /// /// * `name` - The name of a syscall /// * `arch` - An architecture token /// /// # Errors /// /// If an invalid string for the syscall name is specified or a syscall with that /// name is not found, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// let syscall = ScmpSyscall::from_name_by_arch_rewrite("socketcall", ScmpArch::X32)?; /// # Ok::<(), Box>(()) /// ``` pub fn from_name_by_arch_rewrite(name: &str, arch: ScmpArch) -> Result { let name_c = CString::new(name)?; let nr = unsafe { seccomp_syscall_resolve_name_rewrite(arch.to_sys(), name_c.as_ptr()) }; if nr == __NR_SCMP_ERROR { return Err(SeccompError::with_msg(format!( "Could not resolve syscall name {}", name ))); } Ok(Self { nr }) } /// Resolves this `ScmpSyscall` to it's name for the native architecture. /// /// This function returns a string containing the name of the syscall. /// /// This function corresponds to /// [`seccomp_syscall_resolve_num_arch`](https://man7.org/linux/man-pages/man3/seccomp_syscall_resolve_num_arch.3.html). /// /// # Errors /// /// If the syscall is unrecognized or an issue is encountered getting the /// name of the syscall, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// assert_eq!(ScmpSyscall::from_name("mount")?.get_name()?, String::from("mount")); /// # Ok::<(), Box>(()) /// ``` pub fn get_name(self) -> Result { Self::get_name_by_arch(self, ScmpArch::Native) } /// Resolves this `ScmpSyscall` to it's name for a given architecture. /// /// This function returns a string containing the name of the syscall. /// /// This function corresponds to /// [`seccomp_syscall_resolve_num_arch`](https://man7.org/linux/man-pages/man3/seccomp_syscall_resolve_num_arch.3.html). /// /// # Arguments /// /// * `arch` - A valid architecture token /// /// # Errors /// /// If the syscall is unrecognized or an issue is encountered getting the /// name of the syscall, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// assert_eq!( /// ScmpSyscall::from_name_by_arch("mount", ScmpArch::Mips)? /// .get_name_by_arch(ScmpArch::Mips)?, /// String::from("mount"), /// ); /// # Ok::<(), Box>(()) /// ``` pub fn get_name_by_arch(self, arch: ScmpArch) -> Result { let ret = unsafe { seccomp_syscall_resolve_num_arch(arch.to_sys(), self.to_sys()) }; if ret.is_null() { return Err(SeccompError::with_msg(format!( "Could not resolve syscall number {}", self.nr ))); } let name = unsafe { CStr::from_ptr(ret) }.to_str()?.to_string(); unsafe { libc::free(ret as *mut libc::c_void) }; Ok(name) } } impl From for ScmpSyscall { /// Creates a `ScmpSyscall` from the specified syscall number. /// /// # Arguments /// /// * `nr` - The number of syscall fn from(nr: i32) -> Self { Self::from_sys(nr) } } impl From for i32 { /// Gets the syscall number of a syscall. /// /// # Arguments /// /// * `syscall` - The syscall fn from(syscall: ScmpSyscall) -> i32 { syscall.nr } } impl PartialEq for ScmpSyscall { fn eq(&self, other: &i32) -> bool { self.nr == *other } } impl PartialEq for i32 { fn eq(&self, other: &ScmpSyscall) -> bool { *self == other.nr } } impl fmt::Display for ScmpSyscall { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "{}", self.nr) } } /// Compare two strings /// /// This is a helper function because `&str == &str` is not `const` yet. /// /// This function returns the same as `lhs == rhs`. #[cfg(feature = "const-syscall")] const fn strcmp(lhs: &str, rhs: &str) -> bool { if lhs.len() != rhs.len() { return false; } let (lhs, rhs) = (lhs.as_bytes(), rhs.as_bytes()); let mut i = 0; while i < lhs.len() && i < rhs.len() { if lhs[i] != rhs[i] { return false; } i += 1; } true } libseccomp-0.3.0/src/version.rs000064400000000000000000000077450072674642500146330ustar 00000000000000// SPDX-License-Identifier: Apache-2.0 or MIT // // Copyright 2021 Sony Group Corporation // use crate::error::{Result, SeccompError}; use libseccomp_sys::*; use std::fmt; /// Represents the version information of the libseccomp library. #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub struct ScmpVersion { /// The major version pub major: u32, /// The minor version pub minor: u32, /// The micro version pub micro: u32, } impl ScmpVersion { /// Gets the version of the currently loaded libseccomp library. /// /// This function returns `ScmpVersion` that represents the currently /// loaded libseccomp version. /// /// This function corresponds to /// [`seccomp_version`](https://man7.org/linux/man-pages/man3/seccomp_version.3.html). /// /// # Errors /// /// If this function encounters an issue while getting the version, /// an error will be returned. pub fn current() -> Result { if let Some(version) = unsafe { seccomp_version().as_ref() } { Ok(Self { major: version.major, minor: version.minor, micro: version.micro, }) } else { Err(SeccompError::with_msg("Could not get libseccomp version")) } } } impl From<(u32, u32, u32)> for ScmpVersion { /// Creates a `ScmpVersion` from the specified arbitrary version. /// /// # Arguments /// /// * `version` - A tuple that represents the version of the libseccomp library. /// The index 0, 1, and 2 represent `major`, `minor`, and `micro` respectively. fn from(version: (u32, u32, u32)) -> Self { Self { major: version.0, minor: version.1, micro: version.2, } } } impl fmt::Display for ScmpVersion { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "{}.{}.{}", self.major, self.minor, self.micro) } } /// Checks that the libseccomp version being used is equal to or greater than /// the specified version. /// /// This function returns `Ok(true)` if the libseccomp version is equal to /// or greater than the specified version, `Ok(false)` otherwise. /// /// # Arguments /// /// * `expected` - The libseccomp version you want to check /// /// # Errors /// /// If an issue is encountered getting the current version, an error will be returned. /// /// # Examples /// /// ``` /// # use libseccomp::*; /// check_version(ScmpVersion::from((2, 4, 0)))?; /// # Ok::<(), Box>(()) /// ``` pub fn check_version(expected: ScmpVersion) -> Result { let current = ScmpVersion::current()?; if current.major == expected.major && (current.minor > expected.minor || (current.minor == expected.minor && current.micro >= expected.micro)) { Ok(true) } else { Ok(false) } } /// Ensures that the libseccomp version is equal to or greater than the /// specified version. /// /// # Arguments /// /// * `msg` - An arbitrary non-empty operation description, used as a part /// of the error message returned. /// * `expected` - The libseccomp version you want to check /// /// # Errors /// /// If the libseccomp version being used is less than the specified version, /// an error will be returned. // This function will not be used if the libseccomp version is less than 2.5.0. pub(crate) fn ensure_supported_version(msg: &str, expected: ScmpVersion) -> Result<()> { if check_version(expected)? { Ok(()) } else { let current = ScmpVersion::current()?; Err(SeccompError::with_msg(format!( "{} requires libseccomp >= {} (current version: {})", msg, expected, current, ))) } } #[cfg(test)] mod tests { use super::*; #[test] fn test_ensure_supported_version() { assert!(ensure_supported_version("test", ScmpVersion::from((2, 4, 0))).is_ok()); assert!(ensure_supported_version("test", ScmpVersion::from((100, 100, 100))).is_err()); } } libseccomp-0.3.0/tests/global_reset.rs000064400000000000000000000003550072674642500161510ustar 00000000000000use libseccomp::*; #[test] fn test_reset_global_state() { if check_version(ScmpVersion::from((2, 5, 1))).unwrap() { assert!(reset_global_state().is_ok()); } else { assert!(reset_global_state().is_err()); } } libseccomp-0.3.0/tests/known_syscall_names.rs000064400000000000000000000204000072674642500175510ustar 00000000000000pub const KNOWN_SYSCALL_NAMES: &[&str] = &[ "_llseek", "_newselect", "_sysctl", "accept", "accept4", "access", "acct", "add_key", "adjtimex", "afs_syscall", "alarm", "arch_prctl", "arm_fadvise64_64", "arm_sync_file_range", "bdflush", "bind", "bpf", "break", "breakpoint", "brk", "cachectl", "cacheflush", "capget", "capset", "chdir", "chmod", "chown", "chown32", "chroot", "clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64", "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64", "clock_settime", "clock_settime64", "clone", "clone3", "close", "close_range", "connect", "copy_file_range", "creat", "create_module", "delete_module", "dup", "dup2", "dup3", "epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old", "epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old", "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group", "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate", "fanotify_init", "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown", "fchown32", "fchownat", "fcntl", "fcntl64", "fdatasync", "fgetxattr", "finit_module", "flistxattr", "flock", "fork", "fremovexattr", "fsconfig", "fsetxattr", "fsmount", "fsopen", "fspick", "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync", "ftime", "ftruncate", "ftruncate64", "futex", "futex_time64", // libseccomp v2.5.5: "futex_waitv", "futimesat", "get_kernel_syms", "get_mempolicy", "get_robust_list", "get_thread_area", "get_tls", "getcpu", "getcwd", "getdents", "getdents64", "getegid", "getegid32", "geteuid", "geteuid32", "getgid", "getgid32", "getgroups", "getgroups32", "getitimer", "getpeername", "getpgid", "getpgrp", "getpid", "getpmsg", "getppid", "getpriority", "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32", "getrlimit", "getrusage", "getsid", "getsockname", "getsockopt", "gettid", "gettimeofday", "getuid", "getuid32", "getxattr", "gtty", "idle", "init_module", "inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch", "io_cancel", "io_destroy", "io_getevents", "io_pgetevents", "io_pgetevents_time64", "io_setup", "io_submit", "io_uring_enter", "io_uring_register", "io_uring_setup", "ioctl", "ioperm", "iopl", "ioprio_get", "ioprio_set", "ipc", "kcmp", "kexec_file_load", "kexec_load", "keyctl", "kill", "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self", "lchown", "lchown32", "lgetxattr", "link", "linkat", "listen", "listxattr", "llistxattr", "lock", "lookup_dcookie", "lremovexattr", "lseek", "lsetxattr", "lstat", "lstat64", "madvise", "mbind", "membarrier", "memfd_create", "memfd_secret", "migrate_pages", "mincore", "mkdir", "mkdirat", "mknod", "mknodat", "mlock", "mlock2", "mlockall", "mmap", "mmap2", "modify_ldt", "mount", "mount_setattr", "move_mount", "move_pages", "mprotect", "mpx", "mq_getsetattr", "mq_notify", "mq_open", "mq_timedreceive", "mq_timedreceive_time64", "mq_timedsend", "mq_timedsend_time64", "mq_unlink", "mremap", "msgctl", "msgget", "msgrcv", "msgsnd", "msync", "multiplexer", "munlock", "munlockall", "munmap", "name_to_handle_at", "nanosleep", "newfstatat", "nfsservctl", "nice", "oldfstat", "oldlstat", "oldolduname", "oldstat", "olduname", "open", "open_by_handle_at", "open_tree", "openat", "openat2", "pause", "pciconfig_iobase", "pciconfig_read", "pciconfig_write", "perf_event_open", "personality", "pidfd_getfd", "pidfd_open", "pidfd_send_signal", "pipe", "pipe2", "pivot_root", "pkey_alloc", "pkey_free", "pkey_mprotect", "poll", "ppoll", "ppoll_time64", "prctl", "pread64", "preadv", "preadv2", "prlimit64", "process_madvise", "process_mrelease", "process_vm_readv", "process_vm_writev", "prof", "profil", "pselect6", "pselect6_time64", "ptrace", "putpmsg", "pwrite64", "pwritev", "pwritev2", "query_module", "quotactl", "quotactl_fd", "read", "readahead", "readdir", "readlink", "readlinkat", "readv", "reboot", "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg", "remap_file_pages", "removexattr", "rename", "renameat", "renameat2", "request_key", "restart_syscall", "riscv_flush_icache", "rmdir", "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64", "rt_tgsigqueueinfo", "rtas", "s390_guarded_storage", "s390_pci_mmio_read", "s390_pci_mmio_write", "s390_runtime_instr", "s390_sthyi", "sched_get_priority_max", "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_getscheduler", "sched_rr_get_interval", "sched_rr_get_interval_time64", "sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "security", "select", "semctl", "semget", "semop", "semtimedop", "semtimedop_time64", "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto", "set_mempolicy", // libseccomp v2.5.5: "set_mempolicy_home_node", "set_robust_list", "set_thread_area", "set_tid_address", "set_tls", "setdomainname", "setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid", "setgid32", "setgroups", "setgroups32", "sethostname", "setitimer", "setns", "setpgid", "setpriority", "setregid", "setregid32", "setresgid", "setresgid32", "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit", "setsid", "setsockopt", "settimeofday", "setuid", "setuid32", "setxattr", "sgetmask", "shmat", "shmctl", "shmdt", "shmget", "shutdown", "sigaction", "sigaltstack", "signal", "signalfd", "signalfd4", "sigpending", "sigprocmask", "sigreturn", "sigsuspend", "socket", "socketcall", "socketpair", "splice", "spu_create", "spu_run", "ssetmask", "stat", "stat64", "statfs", "statfs64", "statx", "stime", "stty", "subpage_prot", "swapcontext", "swapoff", "swapon", "switch_endian", "symlink", "symlinkat", "sync", "sync_file_range", "sync_file_range2", "syncfs", "sys_debug_setcontext", "syscall", "sysfs", "sysinfo", "syslog", "sysmips", "tee", "tgkill", "time", "timer_create", "timer_delete", "timer_getoverrun", "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64", "timerfd", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", "timerfd_settime", "timerfd_settime64", "times", "tkill", "truncate", "truncate64", "tuxcall", "ugetrlimit", "ulimit", "umask", "umount", "umount2", "uname", "unlink", "unlinkat", "unshare", "uselib", "userfaultfd", "usr26", "usr32", "ustat", "utime", "utimensat", "utimensat_time64", "utimes", "vfork", "vhangup", "vm86", "vm86old", "vmsplice", "vserver", "wait4", "waitid", "waitpid", "write", "writev", ]; libseccomp-0.3.0/tests/notify.rs000064400000000000000000000072460072674642500150250ustar 00000000000000#![cfg(libseccomp_v2_5)] use libc::{dup3, O_CLOEXEC}; use libseccomp::*; use std::thread; macro_rules! skip_if_not_supported { () => { if !check_api(6, ScmpVersion::from((2, 5, 0))).unwrap() { println!("Skip tests for userspace notification"); return; } }; } #[derive(Debug)] struct TestData { syscall: ScmpSyscall, args: Vec, arch: ScmpArch, resp_val: i64, resp_err: i32, resp_flags: u32, expected_val: i64, } #[test] fn test_user_notification() { skip_if_not_supported!(); let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); let syscall = ScmpSyscall::from_name("dup3").unwrap(); let arch = ScmpArch::native(); ctx.add_arch(arch).unwrap(); ctx.add_rule(ScmpAction::Notify, syscall).unwrap(); let tests = &[ TestData { syscall, args: vec![0, 100, O_CLOEXEC as u64], arch, resp_val: 10, resp_err: 0, resp_flags: 0, expected_val: 10, }, TestData { syscall, args: vec![0, 100, O_CLOEXEC as u64], arch, resp_val: 0, resp_err: -1, resp_flags: 0, expected_val: -1, }, TestData { syscall, args: vec![0, 100, O_CLOEXEC as u64], arch, resp_val: 0, resp_err: 0, resp_flags: ScmpNotifRespFlags::CONTINUE.bits(), expected_val: 100, }, ]; ctx.load().unwrap(); let fd = ctx.get_notify_fd().unwrap(); let mut handlers = vec![]; for test in tests.iter() { let args: (i32, i32, i32) = ( test.args[0] as i32, test.args[1] as i32, test.args[2] as i32, ); handlers.push(thread::spawn(move || unsafe { dup3(args.0, args.1, args.2) })); let req = ScmpNotifReq::receive(fd).unwrap(); // Checks architecture assert_eq!(req.data.arch, test.arch); // Checks the number of syscall assert_eq!(req.data.syscall, test.syscall); // Checks syscall arguments for (i, test_val) in test.args.iter().enumerate() { assert_eq!(&req.data.args[i], test_val); } // Checks TOCTOU assert!(notify_id_valid(fd, req.id).is_ok()); let resp = ScmpNotifResp::new(req.id, test.resp_val, test.resp_err, test.resp_flags); resp.respond(fd).unwrap(); } // Checks return value for (i, handler) in handlers.into_iter().enumerate() { let ret_val = handler.join().unwrap(); assert_eq!(tests[i].expected_val as i32, ret_val); } } #[test] fn test_resp_new() { assert_eq!( ScmpNotifResp::new_val(1234, 1, ScmpNotifRespFlags::empty()), ScmpNotifResp::new(1234, 1, 0, 0), ); assert_eq!( ScmpNotifResp::new_error(1234, -2, ScmpNotifRespFlags::empty()), ScmpNotifResp::new(1234, 0, -2, 0), ); assert_eq!( ScmpNotifResp::new_continue(1234, ScmpNotifRespFlags::empty()), ScmpNotifResp::new(1234, 0, 0, ScmpNotifRespFlags::CONTINUE.bits()), ); } #[test] fn test_error() { skip_if_not_supported!(); let ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); let resp = ScmpNotifResp::new(0, 0, 0, 0); assert!(ctx.get_notify_fd().is_err()); assert!(ScmpNotifReq::receive(0).is_err()); assert!(resp.respond(0).is_err()); assert!(notify_id_valid(0, 0).is_err()); } #[test] fn resp_flags_from_bits_preserve() { assert_eq!( ScmpNotifRespFlags::from_bits_preserve(u32::MAX).bits(), u32::MAX ); } libseccomp-0.3.0/tests/tests.rs000064400000000000000000000246640072674642500146620ustar 00000000000000use libseccomp::*; use std::io::{stdout, Error}; #[cfg(feature = "const-syscall")] mod known_syscall_names; macro_rules! syscall_assert { ($e1: expr, $e2: expr) => { let mut errno: i32 = 0; if $e1 < 0 { errno = -Error::last_os_error().raw_os_error().unwrap() } assert_eq!(errno, $e2); }; } #[test] fn test_check_version() { assert!(check_version(ScmpVersion::from((2, 4, 0))).unwrap()); assert!(!check_version(ScmpVersion::from((100, 100, 100))).unwrap()); } #[test] fn test_check_api() { assert!(check_api(3, ScmpVersion::from((2, 4, 0))).unwrap()); assert!(!check_api(100, ScmpVersion::from((2, 4, 0))).unwrap()); } #[test] #[allow(deprecated)] fn test_get_library_version() { let ret = ScmpVersion::current().unwrap(); assert_eq!(ret, get_library_version().unwrap()); println!( "test_get_library_version: {}.{}.{}", ret.major, ret.minor, ret.micro ); } #[test] fn test_scmparch_native() { let ret = ScmpArch::native(); println!("test_get_native_arch: native arch is {:?}", ret); } #[test] fn test_get_api() { let ret = get_api(); println!("test_get_api: Got API level of {}", ret); } #[test] fn test_set_api() { set_api(1).unwrap(); assert_eq!(get_api(), 1); assert!(set_api(1000).is_err()); } #[test] fn test_set_syscall_priority() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::KillThread).unwrap(); let syscall = ScmpSyscall::from_name("open").unwrap(); let priority = 100; assert!(ctx.set_syscall_priority(syscall, priority).is_ok()); assert!(ctx.set_syscall_priority(-1, priority).is_err()); } #[test] #[allow(deprecated)] fn test_filter_attributes() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::KillThread).unwrap(); // Test for CtlNnp ctx.set_ctl_nnp(false).unwrap(); let ret = ctx.get_ctl_nnp().unwrap(); assert!(!ret); ctx.set_no_new_privs_bit(true).unwrap(); assert!(ctx.get_no_new_privs_bit().unwrap()); // Test for ActBadArch let test_actions = [ ScmpAction::Trap, ScmpAction::Errno(libc::EACCES), ScmpAction::Trace(10), ]; for action in test_actions { ctx.set_act_badarch(action).unwrap(); let ret = ctx.get_act_badarch().unwrap(); assert_eq!(ret, action); } // Test for ActDefault let ret = ctx.get_act_default().unwrap(); assert_eq!(ret, ScmpAction::KillThread); // Test for CtlLog if check_api(3, ScmpVersion::from((2, 4, 0))).unwrap() { ctx.set_ctl_log(true).unwrap(); let ret = ctx.get_ctl_log().unwrap(); assert!(ret); } else { assert!(ctx.set_ctl_log(true).is_err()); assert!(ctx.get_ctl_log().is_err()); } // Test for CtlSsb if check_api(4, ScmpVersion::from((2, 5, 0))).unwrap() { ctx.set_ctl_ssb(true).unwrap(); let ret = ctx.get_ctl_ssb().unwrap(); assert!(ret); } else { assert!(ctx.set_ctl_ssb(true).is_err()); assert!(ctx.get_ctl_ssb().is_err()); } // Test for CtlOptimize let opt_level = 2; if check_api(4, ScmpVersion::from((2, 5, 0))).unwrap() { ctx.set_ctl_optimize(opt_level).unwrap(); let ret = ctx.get_ctl_optimize().unwrap(); assert_eq!(ret, opt_level); } else { assert!(ctx.set_ctl_optimize(opt_level).is_err()); assert!(ctx.get_ctl_optimize().is_err()); } // Test for ApiSysRawRc if check_api(4, ScmpVersion::from((2, 5, 0))).unwrap() { ctx.set_api_sysrawrc(true).unwrap(); let ret = ctx.get_api_sysrawrc().unwrap(); assert!(ret); } else { assert!(ctx.set_api_sysrawrc(true).is_err()); assert!(ctx.get_api_sysrawrc().is_err()); } // Test for CtlTsync if check_api(2, ScmpVersion::from((2, 2, 0))).unwrap() { ctx.set_ctl_tsync(true).unwrap(); let ret = ctx.get_ctl_tsync().unwrap(); assert!(ret); } else { assert!(ctx.set_ctl_tsync(true).is_err()); assert!(ctx.get_ctl_tsync().is_err()); } } #[test] fn test_filter_reset() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::KillThread).unwrap(); ctx.reset(ScmpAction::Allow).unwrap(); let action = ctx.get_act_default().unwrap(); let expected_action = ScmpAction::Allow; assert_eq!(expected_action, action); } #[test] fn test_syscall_i32() { assert_eq!(4_i32, i32::from(ScmpSyscall::from(4))); } #[test] fn test_syscall_eq_i32() { assert_eq!(ScmpSyscall::from(4), 4); assert_eq!(4, ScmpSyscall::from(4)); assert_ne!(ScmpSyscall::from(4), 5); assert_ne!(4, ScmpSyscall::from(5)); } #[test] #[allow(deprecated)] fn test_get_syscall_name_from_arch() { assert_eq!( "openat", ScmpSyscall::from(56) .get_name_by_arch(ScmpArch::Aarch64) .unwrap() ); assert!(ScmpSyscall::from(10_000).get_name().is_err()); assert!(ScmpSyscall::from(-1).get_name().is_err()); assert_eq!( get_syscall_name_from_arch(ScmpArch::Native, 5).unwrap(), ScmpSyscall::from(5).get_name().unwrap(), ); assert_eq!( get_syscall_name_from_arch(ScmpArch::Aarch64, 5).unwrap(), ScmpSyscall::from(5) .get_name_by_arch(ScmpArch::Aarch64) .unwrap(), ); } #[test] #[allow(deprecated)] fn test_get_syscall_from_name() { assert_eq!( ScmpSyscall::from_name_by_arch("openat", ScmpArch::Aarch64).unwrap(), 56, ); assert_eq!( ScmpSyscall::from_name_by_arch_rewrite("socket", ScmpArch::X86).unwrap(), 102, ); assert!(ScmpSyscall::from_name("no_syscall").is_err()); assert!(ScmpSyscall::from_name("null\0byte").is_err()); assert!(ScmpSyscall::from_name_by_arch_rewrite("no_syscall", ScmpArch::X32).is_err()); assert!(ScmpSyscall::from_name_by_arch_rewrite("null\0byte", ScmpArch::X32).is_err()); assert_eq!( get_syscall_from_name("openat", None).unwrap(), ScmpSyscall::from_name("openat").unwrap(), ); assert_eq!( get_syscall_from_name("openat", Some(ScmpArch::Aarch64)).unwrap(), ScmpSyscall::from_name_by_arch("openat", ScmpArch::Aarch64).unwrap(), ); } #[test] #[cfg(feature = "const-syscall")] fn test_syscall_new() { for name in known_syscall_names::KNOWN_SYSCALL_NAMES { if let Ok(nr) = ScmpSyscall::from_name(name) { assert_eq!(ScmpSyscall::new(name), nr); } } assert_eq!(ScmpSyscall::new(""), libseccomp_sys::__NR_SCMP_ERROR); assert_eq!( ScmpSyscall::new("unkown_syscall"), libseccomp_sys::__NR_SCMP_ERROR, ); } #[test] fn test_display_syscall() { assert_eq!(format!("{}", ScmpSyscall::from(4)), "4"); } #[test] fn test_arch_functions() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); ctx.add_arch(ScmpArch::X86).unwrap(); let ret = ctx.is_arch_present(ScmpArch::X86).unwrap(); assert!(ret); ctx.remove_arch(ScmpArch::X86).unwrap(); let ret = ctx.is_arch_present(ScmpArch::X86).unwrap(); assert!(!ret); } #[test] fn test_merge_filters() { let mut ctx1 = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); let mut ctx2 = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); let native_arch = ScmpArch::native(); let mut prospective_arch = ScmpArch::Aarch64; if native_arch == ScmpArch::Aarch64 { prospective_arch = ScmpArch::X8664; } ctx2.add_arch(prospective_arch).unwrap(); // In order to merge two filters, both filters must have no // overlapping architectures. // Therefore, need to remove the native arch. ctx2.remove_arch(native_arch).unwrap(); ctx1.merge(ctx2).unwrap(); let ret = ctx1.is_arch_present(prospective_arch).unwrap(); assert!(ret); } #[test] fn test_export_functions() { let ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); assert!(ctx.export_bpf(&mut stdout()).is_ok()); assert!(ctx.export_bpf(&mut -1).is_err()); assert!(ctx.export_pfc(&mut stdout()).is_ok()); assert!(ctx.export_pfc(&mut -1).is_err()); } #[test] fn test_rule_add_load() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); ctx.add_arch(ScmpArch::Native).unwrap(); let syscall = ScmpSyscall::from_name("dup3").unwrap(); ctx.add_rule(ScmpAction::Errno(10), syscall).unwrap(); ctx.load().unwrap(); syscall_assert!(unsafe { libc::dup3(0, 100, libc::O_CLOEXEC) }, -10); } #[test] fn test_rule_add_array_load() { let mut cmps: Vec = Vec::new(); let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); ctx.add_arch(ScmpArch::Native).unwrap(); let syscall = ScmpSyscall::from_name("process_vm_readv").unwrap(); let cmp1 = ScmpArgCompare::new(0, ScmpCompareOp::Equal, 10); let cmp2 = ScmpArgCompare::new(2, ScmpCompareOp::Equal, 20); cmps.push(cmp1); cmps.push(cmp2); ctx.add_rule_conditional(ScmpAction::Errno(111), syscall, &cmps) .unwrap(); ctx.load().unwrap(); syscall_assert!( unsafe { libc::process_vm_readv(10, std::ptr::null(), 0, std::ptr::null(), 0, 0) }, 0 ); syscall_assert!( unsafe { libc::process_vm_readv(10, std::ptr::null(), 20, std::ptr::null(), 0, 0) }, -111 ); } #[test] fn test_rule_add_exact_load() { let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); ctx.add_arch(ScmpArch::Native).unwrap(); let syscall = ScmpSyscall::from_name("dup3").unwrap(); ctx.add_rule_exact(ScmpAction::Errno(10), syscall).unwrap(); ctx.load().unwrap(); syscall_assert!(unsafe { libc::dup3(0, 100, libc::O_CLOEXEC) }, -10); } #[test] fn test_rule_add_exact_array_load() { let mut cmps: Vec = Vec::new(); let mut ctx = ScmpFilterContext::new_filter(ScmpAction::Allow).unwrap(); ctx.add_arch(ScmpArch::Native).unwrap(); let syscall = ScmpSyscall::from_name("process_vm_readv").unwrap(); let cmp1 = ScmpArgCompare::new(0, ScmpCompareOp::Equal, 10); let cmp2 = ScmpArgCompare::new(2, ScmpCompareOp::Equal, 20); cmps.push(cmp1); cmps.push(cmp2); ctx.add_rule_conditional_exact(ScmpAction::Errno(111), syscall, &cmps) .unwrap(); ctx.load().unwrap(); syscall_assert!( unsafe { libc::process_vm_readv(10, std::ptr::null(), 0, std::ptr::null(), 0, 0) }, 0 ); syscall_assert!( unsafe { libc::process_vm_readv(10, std::ptr::null(), 20, std::ptr::null(), 0, 0) }, -111 ); }