From: Felix Geyer
Date: Sun, 3 Oct 2021 21:26:59 +0000 (+0100)
Subject: Import libseccomp_2.5.2-2.debian.tar.xz
X-Git-Tag: archive/raspbian/2.5.2-2+rpi1^2~5^2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5453e06975c0987586a4e73b8f7b44b10cd1fdaa;p=libseccomp.git

Import libseccomp_2.5.2-2.debian.tar.xz

[dgit import tarball libseccomp 2.5.2-2 libseccomp_2.5.2-2.debian.tar.xz]
---
5453e06975c0987586a4e73b8f7b44b10cd1fdaa
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..9b9f834
--- /dev/null
+++ b/changelog
@@ -0,0 +1,335 @@ +libseccomp (2.5.2-2) unstable; urgency=medium + + * Revert mips and powerpc multiplexed syscall handling. + - Fixes test suite failures. (Closes: #994285) + + -- Felix Geyer Sun, 03 Oct 2021 23:26:59 +0200 + +libseccomp (2.5.2-1) unstable; urgency=medium + + * New upstream release. + * Update watch file. + + -- Felix Geyer Tue, 07 Sep 2021 11:14:34 +0200 + +libseccomp (2.5.1-1) unstable; urgency=medium + + * New upstream release. + * Drop all patches as they have been applied upstream. + + -- Felix Geyer Mon, 21 Dec 2020 10:50:30 +0100 + +libseccomp (2.5.0-3) unstable; urgency=medium + + * Cherry-pick patch from the 2.5 branch to fix test error on mips: + - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch + + -- Felix Geyer Sun, 08 Nov 2020 19:59:21 +0100 + +libseccomp (2.5.0-2) unstable; urgency=medium + + * Upload to unstable. + * Cherry-pick patches from the 2.5 branch to fix build and test errors: + - build_undefine_mips_to_prevent_build_problems.patch + - tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch + + -- Felix Geyer Sun, 08 Nov 2020 15:49:41 +0100 + +libseccomp (2.5.0-1) experimental; urgency=medium + + * New upstream release. + - Build-depend on gperf. + - Update symbols file. + * Remove patches that have been applied upstream: + - cython3.patch + - riscv64_support.patch + * Cherry-pick patches from the 2.5 branch: + - all_only_request_the_userspace_notification_fd_once.patch + - system_change_our_notification_fd_handling.patch + + -- Felix Geyer Sat, 24 Oct 2020 13:58:28 +0200 + +libseccomp (2.4.4-1) unstable; urgency=medium + + * Team upload. + + [ Debian Janitor ] + * Set upstream metadata fields: Repository, Repository-Browse. + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository. + + [ Felix Geyer ] + * New upstream release. + * Download and verify orig gpg signature. 
+ + -- Felix Geyer Sun, 20 Sep 2020 19:03:41 +0200 + +libseccomp (2.4.3-1) unstable; urgency=medium + + * New upstream release. + * Drop patches that have been applied upstream: + - tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch + - api_define__SNR_ppoll_again.patch + * Cherry-pick support for the riscv64 architecture. (Closes: #952386) + - Add riscv64_support.patch + + -- Felix Geyer Thu, 12 Mar 2020 23:35:13 +0100 + +libseccomp (2.4.2-2) unstable; urgency=medium + + [ Christian Ehrhardt ] + * d/rules: fix potential FTFBS after full python3 switch + * d/t/control: drop python2 test following the removal of the package + + [ Felix Geyer ] + * Remove build-dependency on valgrind for mips64el as it's broken there. + * Backport patch to define __SNR_ppoll again. + - Add api_define__SNR_ppoll_again.patch + * Replace custom patch for cython3 with the upstream fix. + + -- Felix Geyer Fri, 15 Nov 2019 18:12:53 +0100 + +libseccomp (2.4.2-1) unstable; urgency=medium + + [ Christian Ehrhardt ] + * New upstream release 2.4.2 for compatibility with newer kernels and + fixing FTBFS (LP: #1849785). + - drop d/p/python_install_dir.patch (now upstream) + - d/rules: adapt to python 3.8 lacking the m modifier on includes + see https://wiki.debian.org/Python/Python3.8 + - d/p/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch: fix + build time test on arm64 + + [ Felix Geyer ] + * Drop Python 2 bindings. (Closes: #936917) + - Add cython3.patch to use the Python 3 cython variant. + + -- Felix Geyer Wed, 13 Nov 2019 00:00:49 +0100 + +libseccomp (2.4.1-2) unstable; urgency=medium + + * Remove build-dependency on valgrind for mipsel and x32 as it's broken + on those archs. + * Set Rules-Requires-Root: no. + + -- Felix Geyer Fri, 19 Jul 2019 00:03:34 +0200 + +libseccomp (2.4.1-1) unstable; urgency=medium + + * New upstream release. + - Addresses CVE-2019-9893 (Closes: #924646) + * Drop all patches for parisc arch support, merged upstream. 
+ * Build-depend on valgrind to run more unit tests. + * Run dh_auto_configure for every python 3 version to install the extension + in the correct path. + * Update the symbols file. + * Adapt autopkgtest to new upstream version: + - Build against pthread + - Build scmp_api_level tool + * Upgrade to debhelper compat level 12. + - Add d/not-installed file + * Fix install path of the python module. + - Add python_install_dir.patch + * Add autopkgtest for python packages. + + -- Felix Geyer Wed, 17 Jul 2019 23:23:28 +0200 + +libseccomp (2.3.3-4) unstable; urgency=medium + + [ Ondřej Nový ] + * d/copyright: Change Format URL to correct one + + [ Helmut Grohne ] + * Fix FTCBFS: (Closes: #903556) + + Multiarchify python Build-Depends. + + Annotate cython dependencies with :native for now. + + Drop noop dh_auto_build invocations. + + Pass a suitable PYTHONPATH for python2. + + Pass _PYTHON_SYSCONFIGDATA_NAME for python3. + + -- Felix Geyer Sun, 10 Feb 2019 12:25:44 +0100 + +libseccomp (2.3.3-3) unstable; urgency=medium + + * Fix FTBFS: Adapt to renamed README file. (Closes: #902767) + + -- Felix Geyer Sun, 01 Jul 2018 20:32:03 +0200 + +libseccomp (2.3.3-2) unstable; urgency=medium + + [ Helmut Grohne ] + * Support the nopython build profile. (Closes: #897057) + + [ Felix Geyer ] + * Run upstream "live" tests in an autopkgtest. + + -- Felix Geyer Sun, 13 May 2018 09:53:08 +0200 + +libseccomp (2.3.3-1) unstable; urgency=medium + + * New upstream release. (Closes: #895417) + - Adds pkey_mprotect syscall. (Closes: #893722) + * Refresh parisc patch. + * Move libseccomp2 back to /usr/lib. (Closes: #894988) + * Make test failures cause the build to fail. (Closes: 877901) + * Build python bindings. (Closes: #810712) + * Switch to debhelper compat level 10. + * Move git repo to salsa.debian.org + * Add myself to Uploaders. 
+ + -- Felix Geyer Sun, 22 Apr 2018 23:55:03 +0200 + +libseccomp (2.3.1-2.1) unstable; urgency=medium + + [ Martin Pitt ] + * Non-maintainer upload with Kees' consent. + + [ Laurent Bigonville ] + * Ensure strict enough generated dependencies (Closes: #844496) + + -- Martin Pitt Thu, 17 Nov 2016 10:16:44 +0100 + +libseccomp (2.3.1-2) unstable; urgency=medium + + * Add hppa (parisc) support (Closes: #820501) + + -- Luca Bruno Sat, 28 May 2016 20:05:01 +0200 + +libseccomp (2.3.1-1) unstable; urgency=medium + + * New upstream release + * control: add Vcs-* fields + + -- Luca Bruno Tue, 05 Apr 2016 22:16:55 +0200 + +libseccomp (2.3.0-1) unstable; urgency=medium + + * New upstream release + + drop all patches, applied upstream + * libseccomp2: update symbols file + * control: add myself to uploaders + * control: bump policy version + + -- Luca Bruno Sun, 03 Apr 2016 00:31:09 +0200 + +libseccomp (2.2.3-3) unstable; urgency=medium + + [ Martin Pitt ] + * debian/patches/add-x86-32bit-socket-calls.patch: add the newly + connected direct socket calls. (Closes: #809556) + * debian/add-membarrier.patch: add membarrier syscall. + * Backport patches for ppc/ppc64 and s390x. (Closes: #800818) + + -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 + +libseccomp (2.2.3-2) unstable; urgency=medium + + * debian/control: enable mips64, mips64el, and x32 architectures, + thanks to Helmut Grohne (Closes: 797383). + + -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 + +libseccomp (2.2.3-1) unstable; urgency=medium + + * New upstream release (Closes: 793032). + * debian/control: update Homepage (Closes: 793033). + + -- Kees Cook Mon, 03 Aug 2015 15:06:08 -0700 + +libseccomp (2.2.1-2) unstable; urgency=medium + + * debian/{rules,*.install}: move to /lib, thanks to Michael Biebl + (Closes: 788923). + + -- Kees Cook Tue, 16 Jun 2015 12:45:08 -0700 + +libseccomp (2.2.1-1) unstable; urgency=medium + + * New upstream release (Closes: 785428). + - debian/patches dropped: incorporated upstream. 
+ * debian/libseccomp2.symbols: include only documented symbols. + * debian/libseccomp-dev.install: include static library (Closes: 698508). + * debian/control: + - add newly supported arm64, mips, and mipsel. + - bump standards version, no changes needed. + + -- Kees Cook Sat, 16 May 2015 08:15:26 -0700 + +libseccomp (2.1.1-1) unstable; urgency=low + + * New upstream release (Closes: 733293). + * copyright: add a few missed people. + * rules: adjusted for new test target. + * libseccomp2.symbols: drop accidentally exported functions. + * control: + - bump standards, no changes needed. + - add armel target + + -- Kees Cook Sat, 12 Apr 2014 10:44:22 -0700 + +libseccomp (2.1.0+dfsg-1) unstable; urgency=low + + * Rebuild source package without accidental binaries (Closes: 725617). + - debian/watch: mangle upstream version check. + * debian/rules: make tests non-fatal while upstream fixes them + (Closes: 721292). + + -- Kees Cook Sun, 06 Oct 2013 15:05:51 -0700 + +libseccomp (2.1.0-1) unstable; urgency=low + + * New upstream release (Closes: 718398): + - dropped debian/patches/manpage-dashes.patch: taken upstream. + - dropped debian/patches/include-unistd.patch: not needed. + - debian/patches/testsuite-x86-write.patch: taken upstream. + - ABI bump: moved from libseccomp1 to libseccomp2. + * debian/control: + - added Arch: armhf, now supported upstream. + - added seccomp binary package for helper tools. + * Added debian/patches/manpage-typo.patch: spelling fix. + * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling. + + -- Kees Cook Tue, 13 Aug 2013 00:02:01 -0700 + +libseccomp (1.0.1-2) unstable; urgency=low + + * debian/rules: enable testsuite at build time, thanks to + Stéphane Graber (Closes: 698803). + * Added debian/patches/include-unistd.patch: detect location of + asm/unistd.h correctly. + * Added debian/patches/testsuite-x86-write.patch: skip the "write" + syscall correctly on x86. + * debian/control: bump standards to 3.9.4, no changes needed. 
+ + -- Kees Cook Wed, 23 Jan 2013 13:11:53 -0800 + +libseccomp (1.0.1-1) unstable; urgency=low + + * New upstream release. + * debian/control: only build on amd64 and i386 (Closes: 687368). + + -- Kees Cook Fri, 07 Dec 2012 11:38:03 -0800 + +libseccomp (1.0.0-1) unstable; urgency=low + + * New upstream release. + - bump ABI. + - drop build verbosity patch, use upstream V=1 instead. + * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471). + * debian/patches/pkgconfig-macro.patch: use literals for macro. + + -- Kees Cook Fri, 03 Aug 2012 16:59:41 -0700 + +libseccomp (0.1.0-1) unstable; urgency=low + + * New upstream release. + - drop patches taken upstream: + - libexecdir.patch + - pass-flags.patch + + -- Kees Cook Fri, 08 Jun 2012 12:32:22 -0700 + +libseccomp (0.0.0~20120605-1) unstable; urgency=low + + * Initial release (Closes: #676257). + + -- Kees Cook Tue, 05 Jun 2012 11:28:07 -0700 diff --git a/control b/control new file mode 100644 index 0000000..c445bd0 --- /dev/null +++ b/control 
@@ -0,0 +1,63 @@ +Source: libseccomp +Section: libs +Priority: optional +Maintainer: Kees Cook +Uploaders: Luca Bruno , Felix Geyer +Build-Depends: debhelper-compat (= 12), + linux-libc-dev, + dh-python , + python3-all-dev:any , + libpython3-all-dev , + cython3:native , + valgrind [amd64 arm64 armhf i386 mips mips64 powerpc ppc64 ppc64el s390x] , + gperf +Rules-Requires-Root: no +Standards-Version: 3.9.7 +Homepage: https://github.com/seccomp/libseccomp +Vcs-Git: https://salsa.debian.org/debian/libseccomp.git +Vcs-Browser: https://salsa.debian.org/debian/libseccomp + +Package: libseccomp-dev +Section: libdevel +Architecture: linux-any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends} +Suggests: seccomp +Description: high level interface to Linux seccomp filter (development files) + This library provides a high level interface to constructing, analyzing + and installing seccomp filters via a BPF passed to the Linux Kernel's + prctl() syscall. + . + This package contains the development files. + +Package: libseccomp2 +Architecture: linux-any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: high level interface to Linux seccomp filter + This library provides a high level interface to constructing, analyzing + and installing seccomp filters via a BPF passed to the Linux Kernel's + prctl() syscall. + +Package: seccomp +Section: utils +Architecture: linux-any +Depends: ${shlibs:Depends}, ${misc:Depends} +Suggests: libseccomp-dev +Description: helper tools for high level interface to Linux seccomp filter + Provides helper tools for interacting with libseccomp. Currently, only + a single tool exists, providing a way to easily enumerate syscalls across + the supported architectures. 
+ +Package: python3-seccomp +Build-Profiles: +Architecture: linux-any +Multi-Arch: same +Section: python +Depends: ${shlibs:Depends}, ${misc:Depends}, ${python3:Depends} +Description: high level interface to Linux seccomp filter (Python 3 bindings) + This library provides a high level interface to constructing, analyzing + and installing seccomp filters via a BPF passed to the Linux Kernel's + prctl() syscall. diff --git a/copyright b/copyright new file mode 100644 index 0000000..307817f --- /dev/null +++ b/copyright @@ -0,0 +1,39 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: libseccomp +Source: https://sourceforge.net/projects/libseccomp/ + +Files: * +Copyright: 2012 Paul Moore + 2012 Ashley Lai + 2012 Corey Bryant + 2012 Eduardo Otubo + 2012 Eric Paris +License: LGPL-2.1 + +Files: tests/22-sim-basic_chains_array.tests +Copyright: 2013 Vitaly Shukela +License: LGPL-2.1 + +Files: src/hash.* +Copyright: 2006 Bob Jenkins +License: LGPL-2.1 + +Files: debian/* +Copyright: 2012 Kees Cook +License: LGPL-2.1 + +License: LGPL-2.1 + This library is free software; you can redistribute it and/or modify it + under the terms of version 2.1 of the GNU Lesser General Public License as + published by the Free Software Foundation. + . + This library is distributed in the hope that it will be useful, but WITHOUT + ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + for more details. + . + You should have received a copy of the GNU Lesser General Public License + along with this library; if not, see . + . + On Debian systems, the complete text of the GNU Lesser General + Public License can be found in "/usr/share/common-licenses/LGPL-2.1". diff --git a/docs b/docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/docs @@ -0,0 +1 @@ +README.md diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 0000000..c16083c 
--- /dev/null +++ b/gbp.conf @@ -0,0 +1,9 @@ +[DEFAULT] +upstream-tag = upstream/%(version)s +debian-tag = debian/%(version)s +pristine-tar = True +upstream-branch = upstream +debian-branch = debian/sid + +[buildpackage] +submodules = True diff --git a/libseccomp-dev.install b/libseccomp-dev.install new file mode 100644 index 0000000..b973af4 --- /dev/null +++ b/libseccomp-dev.install @@ -0,0 +1,4 @@ +usr/include/* +usr/lib/*/lib*.so +usr/lib/*/lib*.a +usr/lib/*/pkgconfig/* diff --git a/libseccomp-dev.manpages b/libseccomp-dev.manpages new file mode 100644 index 0000000..7c72677 --- /dev/null +++ b/libseccomp-dev.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man3/* diff --git a/libseccomp2.install b/libseccomp2.install new file mode 100644 index 0000000..3ddde58 --- /dev/null +++ b/libseccomp2.install @@ -0,0 +1 @@ +usr/lib/*/lib*.so.* diff --git a/libseccomp2.symbols b/libseccomp2.symbols new file mode 100644 index 0000000..d1823d0 --- /dev/null +++ b/libseccomp2.symbols 
@@ -0,0 +1,34 @@ +libseccomp.so.2 libseccomp2 #MINVER# +* Build-Depends-Package: libseccomp-dev + seccomp_api_get@Base 2.4.1 + seccomp_api_set@Base 2.4.1 + seccomp_attr_get@Base 0.0.0~20120605 + seccomp_attr_set@Base 0.0.0~20120605 + seccomp_export_bpf@Base 0.0.0~20120605 + seccomp_export_pfc@Base 0.0.0~20120605 + seccomp_init@Base 0.0.0~20120605 + seccomp_load@Base 0.0.0~20120605 + seccomp_release@Base 0.0.0~20120605 + seccomp_reset@Base 0.0.0~20120605 + seccomp_rule_add@Base 0.0.0~20120605 + seccomp_rule_add_exact@Base 0.0.0~20120605 + seccomp_syscall_priority@Base 0.0.0~20120605 + seccomp_syscall_resolve_name@Base 1.0.1 + seccomp_merge@Base 1.0.1 + seccomp_notify_alloc@Base 2.5.0 + seccomp_notify_fd@Base 2.5.0 + seccomp_notify_free@Base 2.5.0 + seccomp_notify_id_valid@Base 2.5.0 + seccomp_notify_receive@Base 2.5.0 + seccomp_notify_respond@Base 2.5.0 + seccomp_arch_add@Base 1.0.1 + seccomp_arch_exist@Base 1.0.1 + seccomp_arch_remove@Base 1.0.1 + seccomp_arch_native@Base 2.1.0 + seccomp_rule_add_array@Base 2.1.0 + seccomp_rule_add_exact_array@Base 2.1.0 + seccomp_syscall_resolve_name_arch@Base 2.1.0 + seccomp_syscall_resolve_num_arch@Base 2.1.0 + seccomp_arch_resolve_name@Base 2.2.1 + seccomp_syscall_resolve_name_rewrite@Base 2.2.1 + seccomp_version@Base 2.3.0 diff --git a/not-installed b/not-installed new file mode 100644 index 0000000..4f60595 --- /dev/null +++ b/not-installed @@ -0,0 +1,3 @@ +usr/lib/python*/*-packages/install_files.txt +usr/lib/python*/*-packages/seccomp-*.egg-info +usr/lib/*/libseccomp.la diff --git a/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch b/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch new file mode 100644 index 0000000..67bdc63 --- /dev/null +++ b/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch 
@@ -0,0 +1,4520 @@ +REVERTS + +From f454456e261930d94b3a1a444b6bac75c11c3cb0 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 4 Aug 2021 11:51:12 -0400 +Subject: [PATCH] arch: consolidate all of the multiplexed syscall handling + +Not only does this reduce the amount of duplicated code +significantly, it removes a lot of the "magic" numbers in the +code, and it happened to catch some bugs too. + +Acked-by: Tom Hromatka +Signed-off-by: Paul Moore + +(imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc) + +diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c +--- a/src/arch-aarch64.c ++++ b/src/arch-aarch64.c +@@ -31,8 +31,8 @@ const struct arch_def arch_def_aarch64 = { + .token_bpf = AUDIT_ARCH_AARCH64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +- .syscall_resolve_name_raw = aarch64_syscall_resolve_name, +- .syscall_resolve_num_raw = aarch64_syscall_resolve_num, ++ .syscall_resolve_name = aarch64_syscall_resolve_name, ++ .syscall_resolve_num = aarch64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-arm.c b/src/arch-arm.c +--- a/src/arch-arm.c ++++ b/src/arch-arm.c +@@ -39,7 +39,6 @@ + + /** + * Resolve a syscall name to a number +- * @param arch the architecture definition + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. +@@ -47,13 +46,12 @@ + * numbers; returns __NR_SCMP_ERROR on failure. 
+ * + */ +-int arm_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name) ++int arm_syscall_resolve_name_munge(const char *name) + { + int sys; + + /* NOTE: we don't want to modify the pseudo-syscall numbers */ +- sys = arch->syscall_resolve_name_raw(name); ++ sys = arm_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR || sys < 0) + return sys; + +@@ -62,7 +60,6 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch, + + /** + * Resolve a syscall number to a name +- * @param arch the architecture definition + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. +@@ -70,12 +67,12 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch, + * syscall names; returns NULL on failure. + * + */ +-const char *arm_syscall_resolve_num_munge(const struct arch_def *arch, int num) ++const char *arm_syscall_resolve_num_munge(int num) + { + /* NOTE: we don't want to modify the pseudo-syscall numbers */ + if (num >= 0) + num &= ~__SCMP_NR_BASE; +- return arch->syscall_resolve_num_raw(num); ++ return arm_syscall_resolve_num(num); + } + + const struct arch_def arch_def_arm = { +@@ -84,9 +81,7 @@ const struct arch_def arch_def_arm = { + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = arm_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = arm_syscall_resolve_name, + .syscall_resolve_num = arm_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = arm_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-mips.c b/src/arch-mips.c +--- a/src/arch-mips.c ++++ b/src/arch-mips.c +@@ -30,23 +30,535 @@ + #include "arch.h" + #include "arch-mips.h" + ++/* O32 ABI */ ++#define __SCMP_NR_BASE 4000 ++ + /* mips syscall numbers */ + #define __mips_NR_socketcall 102 + #define __mips_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++ * ++ * Resolve the given 
syscall name to the syscall number using the syscall table. ++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++int mips_syscall_resolve_name_munge(const char *name) ++{ ++ ++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return __PNR_##NAME; ++ ++ _ABI_SYSCALL_RES_NAME_CHK(socket) ++ _ABI_SYSCALL_RES_NAME_CHK(bind) ++ _ABI_SYSCALL_RES_NAME_CHK(connect) ++ _ABI_SYSCALL_RES_NAME_CHK(listen) ++ _ABI_SYSCALL_RES_NAME_CHK(accept) ++ _ABI_SYSCALL_RES_NAME_CHK(getsockname) ++ _ABI_SYSCALL_RES_NAME_CHK(getpeername) ++ _ABI_SYSCALL_RES_NAME_CHK(socketpair) ++ _ABI_SYSCALL_RES_NAME_CHK(send) ++ _ABI_SYSCALL_RES_NAME_CHK(recv) ++ _ABI_SYSCALL_RES_NAME_CHK(sendto) ++ _ABI_SYSCALL_RES_NAME_CHK(recvfrom) ++ _ABI_SYSCALL_RES_NAME_CHK(shutdown) ++ _ABI_SYSCALL_RES_NAME_CHK(setsockopt) ++ _ABI_SYSCALL_RES_NAME_CHK(getsockopt) ++ _ABI_SYSCALL_RES_NAME_CHK(sendmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(recvmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(accept4) ++ _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(semop) ++ _ABI_SYSCALL_RES_NAME_CHK(semget) ++ _ABI_SYSCALL_RES_NAME_CHK(semctl) ++ _ABI_SYSCALL_RES_NAME_CHK(semtimedop) ++ _ABI_SYSCALL_RES_NAME_CHK(msgsnd) ++ _ABI_SYSCALL_RES_NAME_CHK(msgrcv) ++ _ABI_SYSCALL_RES_NAME_CHK(msgget) ++ _ABI_SYSCALL_RES_NAME_CHK(msgctl) ++ _ABI_SYSCALL_RES_NAME_CHK(shmat) ++ _ABI_SYSCALL_RES_NAME_CHK(shmdt) ++ _ABI_SYSCALL_RES_NAME_CHK(shmget) ++ _ABI_SYSCALL_RES_NAME_CHK(shmctl) ++ ++ return mips_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. 
++ * ++ */ ++const char *mips_syscall_resolve_num_munge(int num) ++{ ++ ++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ ++ if (num == __PNR_##NAME) return #NAME; ++ ++ _ABI_SYSCALL_RES_NUM_CHK(socket) ++ _ABI_SYSCALL_RES_NUM_CHK(bind) ++ _ABI_SYSCALL_RES_NUM_CHK(connect) ++ _ABI_SYSCALL_RES_NUM_CHK(listen) ++ _ABI_SYSCALL_RES_NUM_CHK(accept) ++ _ABI_SYSCALL_RES_NUM_CHK(getsockname) ++ _ABI_SYSCALL_RES_NUM_CHK(getpeername) ++ _ABI_SYSCALL_RES_NUM_CHK(socketpair) ++ _ABI_SYSCALL_RES_NUM_CHK(send) ++ _ABI_SYSCALL_RES_NUM_CHK(recv) ++ _ABI_SYSCALL_RES_NUM_CHK(sendto) ++ _ABI_SYSCALL_RES_NUM_CHK(recvfrom) ++ _ABI_SYSCALL_RES_NUM_CHK(shutdown) ++ _ABI_SYSCALL_RES_NUM_CHK(setsockopt) ++ _ABI_SYSCALL_RES_NUM_CHK(getsockopt) ++ _ABI_SYSCALL_RES_NUM_CHK(sendmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(recvmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(accept4) ++ _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(semop) ++ _ABI_SYSCALL_RES_NUM_CHK(semget) ++ _ABI_SYSCALL_RES_NUM_CHK(semctl) ++ _ABI_SYSCALL_RES_NUM_CHK(semtimedop) ++ _ABI_SYSCALL_RES_NUM_CHK(msgsnd) ++ _ABI_SYSCALL_RES_NUM_CHK(msgrcv) ++ _ABI_SYSCALL_RES_NUM_CHK(msgget) ++ _ABI_SYSCALL_RES_NUM_CHK(msgctl) ++ _ABI_SYSCALL_RES_NUM_CHK(shmat) ++ _ABI_SYSCALL_RES_NUM_CHK(shmdt) ++ _ABI_SYSCALL_RES_NUM_CHK(shmget) ++ _ABI_SYSCALL_RES_NUM_CHK(shmctl) ++ ++ return mips_syscall_resolve_num(num); ++} ++ ++/** ++ * Check if a syscall is a socket syscall ++ * @param sys the syscall number ++ * ++ * Returns true if the syscall is a socket related syscall, false otherwise. 
++ * ++ */ ++static bool _mips_syscall_socket_test(int sys) ++{ ++ const char *name; ++ ++ /* multiplexed pseduo-syscalls */ ++ if (sys <= -100 && sys >= -120) ++ return true; ++ ++ name = mips_syscall_resolve_num(sys); ++ if (!name) ++ return false; ++ ++#define _ABI_SYSCALL_SOCK_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return true; ++ ++ _ABI_SYSCALL_SOCK_CHK(socket) ++ _ABI_SYSCALL_SOCK_CHK(bind) ++ _ABI_SYSCALL_SOCK_CHK(connect) ++ _ABI_SYSCALL_SOCK_CHK(listen) ++ _ABI_SYSCALL_SOCK_CHK(accept) ++ _ABI_SYSCALL_SOCK_CHK(getsockname) ++ _ABI_SYSCALL_SOCK_CHK(getpeername) ++ _ABI_SYSCALL_SOCK_CHK(socketpair) ++ _ABI_SYSCALL_SOCK_CHK(send) ++ _ABI_SYSCALL_SOCK_CHK(recv) ++ _ABI_SYSCALL_SOCK_CHK(sendto) ++ _ABI_SYSCALL_SOCK_CHK(recvfrom) ++ _ABI_SYSCALL_SOCK_CHK(shutdown) ++ _ABI_SYSCALL_SOCK_CHK(setsockopt) ++ _ABI_SYSCALL_SOCK_CHK(getsockopt) ++ _ABI_SYSCALL_SOCK_CHK(sendmsg) ++ _ABI_SYSCALL_SOCK_CHK(recvmsg) ++ _ABI_SYSCALL_SOCK_CHK(accept4) ++ _ABI_SYSCALL_SOCK_CHK(recvmmsg) ++ _ABI_SYSCALL_SOCK_CHK(sendmmsg) ++ ++ return false; ++} ++ ++/** ++ * Check if a syscall is an ipc syscall ++ * @param sys the syscall number ++ * ++ * Returns true if the syscall is an ipc related syscall, false otherwise. 
++ * ++ */ ++static bool _mips_syscall_ipc_test(int sys) ++{ ++ const char *name; ++ ++ /* multiplexed pseduo-syscalls */ ++ if (sys <= -200 && sys >= -224) ++ return true; ++ ++ name = mips_syscall_resolve_num(sys); ++ if (!name) ++ return false; ++ ++#define _ABI_SYSCALL_IPC_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return true; ++ ++ _ABI_SYSCALL_IPC_CHK(semop) ++ _ABI_SYSCALL_IPC_CHK(semget) ++ _ABI_SYSCALL_IPC_CHK(semctl) ++ _ABI_SYSCALL_IPC_CHK(semtimedop) ++ _ABI_SYSCALL_IPC_CHK(msgsnd) ++ _ABI_SYSCALL_IPC_CHK(msgrcv) ++ _ABI_SYSCALL_IPC_CHK(msgget) ++ _ABI_SYSCALL_IPC_CHK(msgctl) ++ _ABI_SYSCALL_IPC_CHK(shmat) ++ _ABI_SYSCALL_IPC_CHK(shmdt) ++ _ABI_SYSCALL_IPC_CHK(shmget) ++ _ABI_SYSCALL_IPC_CHK(shmctl) ++ ++ return false; ++} ++ ++/** ++ * Convert a multiplexed pseudo syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. 
++ * ++ */ ++static int _mips_syscall_demux(int syscall) ++{ ++ int sys = __NR_SCMP_UNDEF; ++ ++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ ++case __PNR_##NAME: \ ++ sys = mips_syscall_resolve_name(#NAME); break; ++ ++ switch (syscall) { ++ _ABI_SYSCALL_DEMUX_CHK(socket) ++ _ABI_SYSCALL_DEMUX_CHK(bind) ++ _ABI_SYSCALL_DEMUX_CHK(connect) ++ _ABI_SYSCALL_DEMUX_CHK(listen) ++ _ABI_SYSCALL_DEMUX_CHK(accept) ++ _ABI_SYSCALL_DEMUX_CHK(getsockname) ++ _ABI_SYSCALL_DEMUX_CHK(getpeername) ++ _ABI_SYSCALL_DEMUX_CHK(socketpair) ++ _ABI_SYSCALL_DEMUX_CHK(send) ++ _ABI_SYSCALL_DEMUX_CHK(recv) ++ _ABI_SYSCALL_DEMUX_CHK(sendto) ++ _ABI_SYSCALL_DEMUX_CHK(recvfrom) ++ _ABI_SYSCALL_DEMUX_CHK(shutdown) ++ _ABI_SYSCALL_DEMUX_CHK(setsockopt) ++ _ABI_SYSCALL_DEMUX_CHK(getsockopt) ++ _ABI_SYSCALL_DEMUX_CHK(sendmsg) ++ _ABI_SYSCALL_DEMUX_CHK(recvmsg) ++ _ABI_SYSCALL_DEMUX_CHK(accept4) ++ _ABI_SYSCALL_DEMUX_CHK(recvmmsg) ++ _ABI_SYSCALL_DEMUX_CHK(sendmmsg) ++ _ABI_SYSCALL_DEMUX_CHK(semop) ++ _ABI_SYSCALL_DEMUX_CHK(semget) ++ _ABI_SYSCALL_DEMUX_CHK(semctl) ++ _ABI_SYSCALL_DEMUX_CHK(semtimedop) ++ _ABI_SYSCALL_DEMUX_CHK(msgsnd) ++ _ABI_SYSCALL_DEMUX_CHK(msgrcv) ++ _ABI_SYSCALL_DEMUX_CHK(msgget) ++ _ABI_SYSCALL_DEMUX_CHK(msgctl) ++ _ABI_SYSCALL_DEMUX_CHK(shmat) ++ _ABI_SYSCALL_DEMUX_CHK(shmdt) ++ _ABI_SYSCALL_DEMUX_CHK(shmget) ++ _ABI_SYSCALL_DEMUX_CHK(shmctl) ++ } ++ ++ /* this looks odd because the arch resolver returns _ERROR if it can't ++ * resolve the syscall, but we want to use _UNDEF for that, so we set ++ * 'sys' to a sentinel value of _UNDEF and if it is error here we know ++ * the resolve failed to find a match */ ++ if (sys == __NR_SCMP_UNDEF) ++ sys = __NR_SCMP_ERROR; ++ else if (sys == __NR_SCMP_ERROR) ++ sys = __NR_SCMP_UNDEF; ++ ++ return sys; ++} ++ ++/** ++ * Convert a direct syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there is no related pseudo 
syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _mips_syscall_mux(int syscall) ++{ ++ const char *sys; ++ ++ sys = mips_syscall_resolve_num(syscall); ++ if (!sys) ++ return __NR_SCMP_ERROR; ++ ++#define _ABI_SYSCALL_MUX_CHK(NAME) \ ++ if (!strcmp(sys, #NAME)) return __PNR_##NAME; ++ ++ _ABI_SYSCALL_MUX_CHK(socket) ++ _ABI_SYSCALL_MUX_CHK(bind) ++ _ABI_SYSCALL_MUX_CHK(connect) ++ _ABI_SYSCALL_MUX_CHK(listen) ++ _ABI_SYSCALL_MUX_CHK(accept) ++ _ABI_SYSCALL_MUX_CHK(getsockname) ++ _ABI_SYSCALL_MUX_CHK(getpeername) ++ _ABI_SYSCALL_MUX_CHK(socketpair) ++ _ABI_SYSCALL_MUX_CHK(send) ++ _ABI_SYSCALL_MUX_CHK(recv) ++ _ABI_SYSCALL_MUX_CHK(sendto) ++ _ABI_SYSCALL_MUX_CHK(recvfrom) ++ _ABI_SYSCALL_MUX_CHK(shutdown) ++ _ABI_SYSCALL_MUX_CHK(setsockopt) ++ _ABI_SYSCALL_MUX_CHK(getsockopt) ++ _ABI_SYSCALL_MUX_CHK(sendmsg) ++ _ABI_SYSCALL_MUX_CHK(recvmsg) ++ _ABI_SYSCALL_MUX_CHK(accept4) ++ _ABI_SYSCALL_MUX_CHK(recvmmsg) ++ _ABI_SYSCALL_MUX_CHK(sendmmsg) ++ _ABI_SYSCALL_MUX_CHK(semop) ++ _ABI_SYSCALL_MUX_CHK(semget) ++ _ABI_SYSCALL_MUX_CHK(semctl) ++ _ABI_SYSCALL_MUX_CHK(semtimedop) ++ _ABI_SYSCALL_MUX_CHK(msgsnd) ++ _ABI_SYSCALL_MUX_CHK(msgrcv) ++ _ABI_SYSCALL_MUX_CHK(msgget) ++ _ABI_SYSCALL_MUX_CHK(msgctl) ++ _ABI_SYSCALL_MUX_CHK(shmat) ++ _ABI_SYSCALL_MUX_CHK(shmdt) ++ _ABI_SYSCALL_MUX_CHK(shmget) ++ _ABI_SYSCALL_MUX_CHK(shmctl) ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. 
++ * ++ */ ++int mips_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __mips_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __mips_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the mips seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the mips ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. ++ * ++ */ ++int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if (_mips_syscall_socket_test(sys)) { ++ /* socket syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _mips_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _mips_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a 
= rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __mips_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (_mips_syscall_ipc_test(sys)) { ++ /* ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _mips_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _mips_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; 
++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __mips_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_mips = { + .token = SCMP_ARCH_MIPS, + .token_bpf = AUDIT_ARCH_MIPS, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +- .sys_socketcall = __mips_NR_socketcall, +- .sys_ipc = __mips_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = mips_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = mips_syscall_resolve_name_munge, ++ .syscall_resolve_num = mips_syscall_resolve_num_munge, ++ .syscall_rewrite = mips_syscall_rewrite, ++ .rule_add = mips_rule_add, + }; + + const struct arch_def arch_def_mipsel = { +@@ -54,12 +566,8 @@ const struct arch_def arch_def_mipsel = { + .token_bpf = AUDIT_ARCH_MIPSEL, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, +- .sys_socketcall = __mips_NR_socketcall, +- .sys_ipc = __mips_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw 
= mips_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = mips_syscall_resolve_name_munge, ++ .syscall_resolve_num = mips_syscall_resolve_num_munge, ++ .syscall_rewrite = mips_syscall_rewrite, ++ .rule_add = mips_rule_add, + }; +diff --git a/src/arch-mips64.c b/src/arch-mips64.c +--- a/src/arch-mips64.c ++++ b/src/arch-mips64.c +@@ -30,7 +30,6 @@ + + /** + * Resolve a syscall name to a number +- * @param arch the architecture definition + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. +@@ -38,13 +37,12 @@ + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +-int mips64_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name) ++int mips64_syscall_resolve_name_munge(const char *name) + { + int sys; + + /* NOTE: we don't want to modify the pseudo-syscall numbers */ +- sys = arch->syscall_resolve_name_raw(name); ++ sys = mips64_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR || sys < 0) + return sys; + +@@ -53,7 +51,6 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch, + + /** + * Resolve a syscall number to a name +- * @param arch the architecture definition + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. +@@ -61,13 +58,12 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch, + * syscall names; returns NULL on failure. 
+ * + */ +-const char *mips64_syscall_resolve_num_munge(const struct arch_def *arch, +- int num) ++const char *mips64_syscall_resolve_num_munge(int num) + { + /* NOTE: we don't want to modify the pseudo-syscall numbers */ + if (num >= __SCMP_NR_BASE) + num -= __SCMP_NR_BASE; +- return arch->syscall_resolve_num_raw(num); ++ return mips64_syscall_resolve_num(num); + } + + const struct arch_def arch_def_mips64 = { +@@ -76,9 +72,7 @@ const struct arch_def arch_def_mips64 = { + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, + .syscall_resolve_name = mips64_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = mips64_syscall_resolve_name, + .syscall_resolve_num = mips64_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +@@ -89,9 +83,7 @@ const struct arch_def arch_def_mipsel64 = { + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = mips64_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = mips64_syscall_resolve_name, + .syscall_resolve_num = mips64_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c +--- a/src/arch-mips64n32.c ++++ b/src/arch-mips64n32.c +@@ -32,7 +32,6 @@ + + /** + * Resolve a syscall name to a number +- * @param arch the architecture definition + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. +@@ -40,8 +39,7 @@ + * numbers; returns __NR_SCMP_ERROR on failure. 
+ * + */ +-int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name) ++int mips64n32_syscall_resolve_name_munge(const char *name) + { + int sys; + +@@ -55,7 +53,6 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, + + /** + * Resolve a syscall number to a name +- * @param arch the architecture definition + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. +@@ -63,8 +60,7 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, + * syscall names; returns NULL on failure. + * + */ +-const char *mips64n32_syscall_resolve_num_munge(const struct arch_def *arch, +- int num) ++const char *mips64n32_syscall_resolve_num_munge(int num) + { + /* NOTE: we don't want to modify the pseudo-syscall numbers */ + if (num >= __SCMP_NR_BASE) +@@ -78,9 +74,7 @@ const struct arch_def arch_def_mips64n32 = { + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, + .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = mips64n32_syscall_resolve_name, + .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips64n32_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +@@ -91,9 +85,7 @@ const struct arch_def arch_def_mipsel64n32 = { + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = mips64n32_syscall_resolve_name, + .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = mips64n32_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-parisc.c b/src/arch-parisc.c +--- a/src/arch-parisc.c ++++ b/src/arch-parisc.c +@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc = { + .token_bpf = AUDIT_ARCH_PARISC, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +- .syscall_resolve_name_raw = 
parisc_syscall_resolve_name, +- .syscall_resolve_num_raw = parisc_syscall_resolve_num, ++ .syscall_resolve_name = parisc_syscall_resolve_name, ++ .syscall_resolve_num = parisc_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-parisc64.c b/src/arch-parisc64.c +--- a/src/arch-parisc64.c ++++ b/src/arch-parisc64.c +@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc64 = { + .token_bpf = AUDIT_ARCH_PARISC64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, +- .syscall_resolve_name_raw = parisc64_syscall_resolve_name, +- .syscall_resolve_num_raw = parisc64_syscall_resolve_num, ++ .syscall_resolve_name = parisc64_syscall_resolve_name, ++ .syscall_resolve_num = parisc64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-ppc.c b/src/arch-ppc.c +--- a/src/arch-ppc.c ++++ b/src/arch-ppc.c +@@ -34,17 +34,526 @@ + #define __ppc_NR_socketcall 102 + #define __ppc_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. 
++ * ++ */ ++int ppc_syscall_resolve_name_munge(const char *name) ++{ ++ ++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return __PNR_##NAME; ++ ++ _ABI_SYSCALL_RES_NAME_CHK(socket) ++ _ABI_SYSCALL_RES_NAME_CHK(bind) ++ _ABI_SYSCALL_RES_NAME_CHK(connect) ++ _ABI_SYSCALL_RES_NAME_CHK(listen) ++ _ABI_SYSCALL_RES_NAME_CHK(accept) ++ _ABI_SYSCALL_RES_NAME_CHK(getsockname) ++ _ABI_SYSCALL_RES_NAME_CHK(getpeername) ++ _ABI_SYSCALL_RES_NAME_CHK(socketpair) ++ _ABI_SYSCALL_RES_NAME_CHK(send) ++ _ABI_SYSCALL_RES_NAME_CHK(recv) ++ _ABI_SYSCALL_RES_NAME_CHK(sendto) ++ _ABI_SYSCALL_RES_NAME_CHK(recvfrom) ++ _ABI_SYSCALL_RES_NAME_CHK(shutdown) ++ _ABI_SYSCALL_RES_NAME_CHK(setsockopt) ++ _ABI_SYSCALL_RES_NAME_CHK(getsockopt) ++ _ABI_SYSCALL_RES_NAME_CHK(sendmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(recvmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(accept4) ++ _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) ++ _ABI_SYSCALL_RES_NAME_CHK(semop) ++ _ABI_SYSCALL_RES_NAME_CHK(semget) ++ _ABI_SYSCALL_RES_NAME_CHK(semctl) ++ _ABI_SYSCALL_RES_NAME_CHK(semtimedop) ++ _ABI_SYSCALL_RES_NAME_CHK(msgsnd) ++ _ABI_SYSCALL_RES_NAME_CHK(msgrcv) ++ _ABI_SYSCALL_RES_NAME_CHK(msgget) ++ _ABI_SYSCALL_RES_NAME_CHK(msgctl) ++ _ABI_SYSCALL_RES_NAME_CHK(shmat) ++ _ABI_SYSCALL_RES_NAME_CHK(shmdt) ++ _ABI_SYSCALL_RES_NAME_CHK(shmget) ++ _ABI_SYSCALL_RES_NAME_CHK(shmctl) ++ ++ return ppc_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. 
++ * ++ */ ++const char *ppc_syscall_resolve_num_munge(int num) ++{ ++ ++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ ++ if (num == __PNR_##NAME) return #NAME; ++ ++ _ABI_SYSCALL_RES_NUM_CHK(socket) ++ _ABI_SYSCALL_RES_NUM_CHK(bind) ++ _ABI_SYSCALL_RES_NUM_CHK(connect) ++ _ABI_SYSCALL_RES_NUM_CHK(listen) ++ _ABI_SYSCALL_RES_NUM_CHK(accept) ++ _ABI_SYSCALL_RES_NUM_CHK(getsockname) ++ _ABI_SYSCALL_RES_NUM_CHK(getpeername) ++ _ABI_SYSCALL_RES_NUM_CHK(socketpair) ++ _ABI_SYSCALL_RES_NUM_CHK(send) ++ _ABI_SYSCALL_RES_NUM_CHK(recv) ++ _ABI_SYSCALL_RES_NUM_CHK(sendto) ++ _ABI_SYSCALL_RES_NUM_CHK(recvfrom) ++ _ABI_SYSCALL_RES_NUM_CHK(shutdown) ++ _ABI_SYSCALL_RES_NUM_CHK(setsockopt) ++ _ABI_SYSCALL_RES_NUM_CHK(getsockopt) ++ _ABI_SYSCALL_RES_NUM_CHK(sendmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(recvmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(accept4) ++ _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) ++ _ABI_SYSCALL_RES_NUM_CHK(semop) ++ _ABI_SYSCALL_RES_NUM_CHK(semget) ++ _ABI_SYSCALL_RES_NUM_CHK(semctl) ++ _ABI_SYSCALL_RES_NUM_CHK(semtimedop) ++ _ABI_SYSCALL_RES_NUM_CHK(msgsnd) ++ _ABI_SYSCALL_RES_NUM_CHK(msgrcv) ++ _ABI_SYSCALL_RES_NUM_CHK(msgget) ++ _ABI_SYSCALL_RES_NUM_CHK(msgctl) ++ _ABI_SYSCALL_RES_NUM_CHK(shmat) ++ _ABI_SYSCALL_RES_NUM_CHK(shmdt) ++ _ABI_SYSCALL_RES_NUM_CHK(shmget) ++ _ABI_SYSCALL_RES_NUM_CHK(shmctl) ++ ++ return ppc_syscall_resolve_num(num); ++} ++ ++/** ++ * Check if a syscall is a socket syscall ++ * @param sys the syscall number ++ * ++ * Returns true if the syscall is a socket related syscall, false otherwise. 
++ * ++ */ ++static bool _ppc_syscall_socket_test(int sys) ++{ ++ const char *name; ++ ++ /* multiplexed pseduo-syscalls */ ++ if (sys <= -100 && sys >= -120) ++ return true; ++ ++ name = ppc_syscall_resolve_num(sys); ++ if (!name) ++ return false; ++ ++#define _ABI_SYSCALL_SOCK_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return true; ++ ++ _ABI_SYSCALL_SOCK_CHK(socket) ++ _ABI_SYSCALL_SOCK_CHK(bind) ++ _ABI_SYSCALL_SOCK_CHK(connect) ++ _ABI_SYSCALL_SOCK_CHK(listen) ++ _ABI_SYSCALL_SOCK_CHK(accept) ++ _ABI_SYSCALL_SOCK_CHK(getsockname) ++ _ABI_SYSCALL_SOCK_CHK(getpeername) ++ _ABI_SYSCALL_SOCK_CHK(socketpair) ++ _ABI_SYSCALL_SOCK_CHK(send) ++ _ABI_SYSCALL_SOCK_CHK(recv) ++ _ABI_SYSCALL_SOCK_CHK(sendto) ++ _ABI_SYSCALL_SOCK_CHK(recvfrom) ++ _ABI_SYSCALL_SOCK_CHK(shutdown) ++ _ABI_SYSCALL_SOCK_CHK(setsockopt) ++ _ABI_SYSCALL_SOCK_CHK(getsockopt) ++ _ABI_SYSCALL_SOCK_CHK(sendmsg) ++ _ABI_SYSCALL_SOCK_CHK(recvmsg) ++ _ABI_SYSCALL_SOCK_CHK(accept4) ++ _ABI_SYSCALL_SOCK_CHK(recvmmsg) ++ _ABI_SYSCALL_SOCK_CHK(sendmmsg) ++ ++ return false; ++} ++ ++/** ++ * Check if a syscall is an ipc syscall ++ * @param sys the syscall number ++ * ++ * Returns true if the syscall is an ipc related syscall, false otherwise. 
++ * ++ */ ++static bool _ppc_syscall_ipc_test(int sys) ++{ ++ const char *name; ++ ++ /* multiplexed pseduo-syscalls */ ++ if (sys <= -200 && sys >= -224) ++ return true; ++ ++ name = ppc_syscall_resolve_num(sys); ++ if (!name) ++ return false; ++ ++#define _ABI_SYSCALL_IPC_CHK(NAME) \ ++ if (!strcmp(name, #NAME)) return true; ++ ++ _ABI_SYSCALL_IPC_CHK(semop) ++ _ABI_SYSCALL_IPC_CHK(semget) ++ _ABI_SYSCALL_IPC_CHK(semctl) ++ _ABI_SYSCALL_IPC_CHK(semtimedop) ++ _ABI_SYSCALL_IPC_CHK(msgsnd) ++ _ABI_SYSCALL_IPC_CHK(msgrcv) ++ _ABI_SYSCALL_IPC_CHK(msgget) ++ _ABI_SYSCALL_IPC_CHK(msgctl) ++ _ABI_SYSCALL_IPC_CHK(shmat) ++ _ABI_SYSCALL_IPC_CHK(shmdt) ++ _ABI_SYSCALL_IPC_CHK(shmget) ++ _ABI_SYSCALL_IPC_CHK(shmctl) ++ ++ return false; ++} ++ ++/** ++ * Convert a multiplexed pseudo syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. 
++ * ++ */ ++static int _ppc_syscall_demux(int syscall) ++{ ++ int sys = __NR_SCMP_UNDEF; ++ ++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ ++case __PNR_##NAME: \ ++ sys = ppc_syscall_resolve_name(#NAME); break; ++ ++ switch (syscall) { ++ _ABI_SYSCALL_DEMUX_CHK(socket) ++ _ABI_SYSCALL_DEMUX_CHK(bind) ++ _ABI_SYSCALL_DEMUX_CHK(connect) ++ _ABI_SYSCALL_DEMUX_CHK(listen) ++ _ABI_SYSCALL_DEMUX_CHK(accept) ++ _ABI_SYSCALL_DEMUX_CHK(getsockname) ++ _ABI_SYSCALL_DEMUX_CHK(getpeername) ++ _ABI_SYSCALL_DEMUX_CHK(socketpair) ++ _ABI_SYSCALL_DEMUX_CHK(send) ++ _ABI_SYSCALL_DEMUX_CHK(recv) ++ _ABI_SYSCALL_DEMUX_CHK(sendto) ++ _ABI_SYSCALL_DEMUX_CHK(recvfrom) ++ _ABI_SYSCALL_DEMUX_CHK(shutdown) ++ _ABI_SYSCALL_DEMUX_CHK(setsockopt) ++ _ABI_SYSCALL_DEMUX_CHK(getsockopt) ++ _ABI_SYSCALL_DEMUX_CHK(sendmsg) ++ _ABI_SYSCALL_DEMUX_CHK(recvmsg) ++ _ABI_SYSCALL_DEMUX_CHK(accept4) ++ _ABI_SYSCALL_DEMUX_CHK(recvmmsg) ++ _ABI_SYSCALL_DEMUX_CHK(sendmmsg) ++ _ABI_SYSCALL_DEMUX_CHK(semop) ++ _ABI_SYSCALL_DEMUX_CHK(semget) ++ _ABI_SYSCALL_DEMUX_CHK(semctl) ++ _ABI_SYSCALL_DEMUX_CHK(semtimedop) ++ _ABI_SYSCALL_DEMUX_CHK(msgsnd) ++ _ABI_SYSCALL_DEMUX_CHK(msgrcv) ++ _ABI_SYSCALL_DEMUX_CHK(msgget) ++ _ABI_SYSCALL_DEMUX_CHK(msgctl) ++ _ABI_SYSCALL_DEMUX_CHK(shmat) ++ _ABI_SYSCALL_DEMUX_CHK(shmdt) ++ _ABI_SYSCALL_DEMUX_CHK(shmget) ++ _ABI_SYSCALL_DEMUX_CHK(shmctl) ++ } ++ ++ /* this looks odd because the arch resolver returns _ERROR if it can't ++ * resolve the syscall, but we want to use _UNDEF for that, so we set ++ * 'sys' to a sentinel value of _UNDEF and if it is error here we know ++ * the resolve failed to find a match */ ++ if (sys == __NR_SCMP_UNDEF) ++ sys = __NR_SCMP_ERROR; ++ else if (sys == __NR_SCMP_ERROR) ++ sys = __NR_SCMP_UNDEF; ++ ++ return sys; ++} ++ ++/** ++ * Convert a direct syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there is no related pseudo syscall, 
or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _ppc_syscall_mux(int syscall) ++{ ++ const char *sys; ++ ++ sys = ppc_syscall_resolve_num(syscall); ++ if (!sys) ++ return __NR_SCMP_ERROR; ++ ++#define _ABI_SYSCALL_MUX_CHK(NAME) \ ++ if (!strcmp(sys, #NAME)) return __PNR_##NAME; ++ ++ _ABI_SYSCALL_MUX_CHK(socket) ++ _ABI_SYSCALL_MUX_CHK(bind) ++ _ABI_SYSCALL_MUX_CHK(connect) ++ _ABI_SYSCALL_MUX_CHK(listen) ++ _ABI_SYSCALL_MUX_CHK(accept) ++ _ABI_SYSCALL_MUX_CHK(getsockname) ++ _ABI_SYSCALL_MUX_CHK(getpeername) ++ _ABI_SYSCALL_MUX_CHK(socketpair) ++ _ABI_SYSCALL_MUX_CHK(send) ++ _ABI_SYSCALL_MUX_CHK(recv) ++ _ABI_SYSCALL_MUX_CHK(sendto) ++ _ABI_SYSCALL_MUX_CHK(recvfrom) ++ _ABI_SYSCALL_MUX_CHK(shutdown) ++ _ABI_SYSCALL_MUX_CHK(setsockopt) ++ _ABI_SYSCALL_MUX_CHK(getsockopt) ++ _ABI_SYSCALL_MUX_CHK(sendmsg) ++ _ABI_SYSCALL_MUX_CHK(recvmsg) ++ _ABI_SYSCALL_MUX_CHK(accept4) ++ _ABI_SYSCALL_MUX_CHK(recvmmsg) ++ _ABI_SYSCALL_MUX_CHK(sendmmsg) ++ _ABI_SYSCALL_MUX_CHK(semop) ++ _ABI_SYSCALL_MUX_CHK(semget) ++ _ABI_SYSCALL_MUX_CHK(semctl) ++ _ABI_SYSCALL_MUX_CHK(semtimedop) ++ _ABI_SYSCALL_MUX_CHK(msgsnd) ++ _ABI_SYSCALL_MUX_CHK(msgrcv) ++ _ABI_SYSCALL_MUX_CHK(msgget) ++ _ABI_SYSCALL_MUX_CHK(msgctl) ++ _ABI_SYSCALL_MUX_CHK(shmat) ++ _ABI_SYSCALL_MUX_CHK(shmdt) ++ _ABI_SYSCALL_MUX_CHK(shmget) ++ _ABI_SYSCALL_MUX_CHK(shmctl) ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. 
++ * ++ */ ++int ppc_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __ppc_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __ppc_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the ppc seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the ppc ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. ++ * ++ */ ++int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if (_ppc_syscall_socket_test(sys)) { ++ /* socket syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _ppc_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _ppc_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; 
++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __ppc_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (_ppc_syscall_ipc_test(sys)) { ++ /* ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _ppc_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _ppc_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ 
/* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __ppc_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_ppc = { + .token = SCMP_ARCH_PPC, + .token_bpf = AUDIT_ARCH_PPC, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +- .sys_socketcall = __ppc_NR_socketcall, +- .sys_ipc = __ppc_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = ppc_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = ppc_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = ppc_syscall_resolve_name_munge, ++ .syscall_resolve_num = ppc_syscall_resolve_num_munge, ++ .syscall_rewrite = ppc_syscall_rewrite, ++ .rule_add = ppc_rule_add, + }; +diff --git a/src/arch-ppc64.c b/src/arch-ppc64.c +--- a/src/arch-ppc64.c ++++ b/src/arch-ppc64.c +@@ -26,7 +26,6 @@ + #include + + #include "db.h" +-#include "syscalls.h" + #include "arch.h" + #include "arch-ppc64.h" + +@@ -34,19 +33,605 @@ + #define __ppc64_NR_socketcall 102 + #define __ppc64_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the 
syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++int ppc64_syscall_resolve_name_munge(const char *name) ++{ ++ if (strcmp(name, "accept") == 0) ++ return __PNR_accept; ++ if (strcmp(name, "accept4") == 0) ++ return __PNR_accept4; ++ else if (strcmp(name, "bind") == 0) ++ return __PNR_bind; ++ else if (strcmp(name, "connect") == 0) ++ return __PNR_connect; ++ else if (strcmp(name, "getpeername") == 0) ++ return __PNR_getpeername; ++ else if (strcmp(name, "getsockname") == 0) ++ return __PNR_getsockname; ++ else if (strcmp(name, "getsockopt") == 0) ++ return __PNR_getsockopt; ++ else if (strcmp(name, "listen") == 0) ++ return __PNR_listen; ++ else if (strcmp(name, "msgctl") == 0) ++ return __PNR_msgctl; ++ else if (strcmp(name, "msgget") == 0) ++ return __PNR_msgget; ++ else if (strcmp(name, "msgrcv") == 0) ++ return __PNR_msgrcv; ++ else if (strcmp(name, "msgsnd") == 0) ++ return __PNR_msgsnd; ++ else if (strcmp(name, "recv") == 0) ++ return __PNR_recv; ++ else if (strcmp(name, "recvfrom") == 0) ++ return __PNR_recvfrom; ++ else if (strcmp(name, "recvmsg") == 0) ++ return __PNR_recvmsg; ++ else if (strcmp(name, "recvmmsg") == 0) ++ return __PNR_recvmmsg; ++ else if (strcmp(name, "semctl") == 0) ++ return __PNR_semctl; ++ else if (strcmp(name, "semget") == 0) ++ return __PNR_semget; ++ else if (strcmp(name, "semtimedop") == 0) ++ return __PNR_semtimedop; ++ else if (strcmp(name, "send") == 0) ++ return __PNR_send; ++ else if (strcmp(name, "sendmsg") == 0) ++ return __PNR_sendmsg; ++ else if (strcmp(name, "sendmmsg") == 0) ++ return __PNR_sendmmsg; ++ else if (strcmp(name, "sendto") == 0) ++ return __PNR_sendto; ++ else if (strcmp(name, "setsockopt") == 0) ++ return __PNR_setsockopt; ++ else if (strcmp(name, "shmat") == 0) ++ return __PNR_shmat; ++ else if (strcmp(name, "shmdt") 
== 0) ++ return __PNR_shmdt; ++ else if (strcmp(name, "shmget") == 0) ++ return __PNR_shmget; ++ else if (strcmp(name, "shmctl") == 0) ++ return __PNR_shmctl; ++ else if (strcmp(name, "shutdown") == 0) ++ return __PNR_shutdown; ++ else if (strcmp(name, "socket") == 0) ++ return __PNR_socket; ++ else if (strcmp(name, "socketpair") == 0) ++ return __PNR_socketpair; ++ ++ return ppc64_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. ++ * ++ */ ++const char *ppc64_syscall_resolve_num_munge(int num) ++{ ++ if (num == __PNR_accept) ++ return "accept"; ++ else if (num == __PNR_accept4) ++ return "accept4"; ++ else if (num == __PNR_bind) ++ return "bind"; ++ else if (num == __PNR_connect) ++ return "connect"; ++ else if (num == __PNR_getpeername) ++ return "getpeername"; ++ else if (num == __PNR_getsockname) ++ return "getsockname"; ++ else if (num == __PNR_getsockopt) ++ return "getsockopt"; ++ else if (num == __PNR_listen) ++ return "listen"; ++ else if (num == __PNR_msgctl) ++ return "msgctl"; ++ else if (num == __PNR_msgget) ++ return "msgget"; ++ else if (num == __PNR_msgrcv) ++ return "msgrcv"; ++ else if (num == __PNR_msgsnd) ++ return "msgsnd"; ++ else if (num == __PNR_recv) ++ return "recv"; ++ else if (num == __PNR_recvfrom) ++ return "recvfrom"; ++ else if (num == __PNR_recvmsg) ++ return "recvmsg"; ++ else if (num == __PNR_recvmmsg) ++ return "recvmmsg"; ++ else if (num == __PNR_semctl) ++ return "semctl"; ++ else if (num == __PNR_semget) ++ return "semget"; ++ else if (num == __PNR_semtimedop) ++ return "semtimedop"; ++ else if (num == __PNR_send) ++ return "send"; ++ else if (num == __PNR_sendmsg) ++ return "sendmsg"; ++ else if (num == __PNR_sendmmsg) ++ return "sendmmsg"; ++ else if 
(num == __PNR_sendto) ++ return "sendto"; ++ else if (num == __PNR_setsockopt) ++ return "setsockopt"; ++ else if (num == __PNR_shmat) ++ return "shmat"; ++ else if (num == __PNR_shmdt) ++ return "shmdt"; ++ else if (num == __PNR_shmget) ++ return "shmget"; ++ else if (num == __PNR_shmctl) ++ return "shmctl"; ++ else if (num == __PNR_shutdown) ++ return "shutdown"; ++ else if (num == __PNR_socket) ++ return "socket"; ++ else if (num == __PNR_socketpair) ++ return "socketpair"; ++ ++ return ppc64_syscall_resolve_num(num); ++} ++ ++/** ++ * Convert a multiplexed pseudo socket syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _ppc64_syscall_demux(int syscall) ++{ ++ switch (syscall) { ++ case -101: ++ /* socket */ ++ return 326; ++ case -102: ++ /* bind */ ++ return 327; ++ case -103: ++ /* connect */ ++ return 328; ++ case -104: ++ /* listen */ ++ return 329; ++ case -105: ++ /* accept */ ++ return 330; ++ case -106: ++ /* getsockname */ ++ return 331; ++ case -107: ++ /* getpeername */ ++ return 332; ++ case -108: ++ /* socketpair */ ++ return 333; ++ case -109: ++ /* send */ ++ return 334; ++ case -110: ++ /* recv */ ++ return 336; ++ case -111: ++ /* sendto */ ++ return 335; ++ case -112: ++ /* recvfrom */ ++ return 337; ++ case -113: ++ /* shutdown */ ++ return 338; ++ case -114: ++ /* setsockopt */ ++ return 339; ++ case -115: ++ /* getsockopt */ ++ return 340; ++ case -116: ++ /* sendmsg */ ++ return 341; ++ case -117: ++ /* recvmsg */ ++ return 342; ++ case -118: ++ /* accept4 */ ++ return 344; ++ case -119: ++ /* recvmmsg */ ++ return 343; ++ case -120: ++ /* sendmmsg */ ++ return 349; ++ case -201: ++ /* semop - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -202: ++ /* semget */ ++ return 393; ++ case -203: ++ /* semctl */ ++ return 394; ++ case -204: ++ /* 
semtimedop */ ++ return 392; ++ case -211: ++ /* msgsnd */ ++ return 400; ++ case -212: ++ /* msgrcv */ ++ return 401; ++ case -213: ++ /* msgget */ ++ return 399; ++ case -214: ++ /* msgctl */ ++ return 402; ++ case -221: ++ /* shmat */ ++ return 397; ++ case -222: ++ /* shmdt */ ++ return 398; ++ case -223: ++ /* shmget */ ++ return 395; ++ case -224: ++ /* shmctl */ ++ return 396; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Convert a direct socket syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _ppc64_syscall_mux(int syscall) ++{ ++ switch (syscall) { ++ case 326: ++ /* socket */ ++ return -101; ++ case 327: ++ /* bind */ ++ return -102; ++ case 328: ++ /* connect */ ++ return -103; ++ case 329: ++ /* listen */ ++ return -104; ++ case 330: ++ /* accept */ ++ return -105; ++ case 331: ++ /* getsockname */ ++ return -106; ++ case 332: ++ /* getpeername */ ++ return -107; ++ case 333: ++ /* socketpair */ ++ return -108; ++ case 334: ++ /* send */ ++ return -109; ++ case 335: ++ /* sendto */ ++ return -111; ++ case 336: ++ /* recv */ ++ return -110; ++ case 337: ++ /* recvfrom */ ++ return -112; ++ case 338: ++ /* shutdown */ ++ return -113; ++ case 339: ++ /* setsockopt */ ++ return -114; ++ case 340: ++ /* getsockopt */ ++ return -115; ++ case 341: ++ /* sendmsg */ ++ return -116; ++ case 342: ++ /* recvmsg */ ++ return -117; ++ case 343: ++ /* recvmmsg */ ++ return -119; ++ case 344: ++ /* accept4 */ ++ return -118; ++ case 349: ++ /* sendmmsg */ ++ return -120; ++ case 392: ++ /* semtimedop */ ++ return -204; ++ case 393: ++ /* semget */ ++ return -202; ++ case 394: ++ /* semctl */ ++ return -203; ++ case 395: ++ /* shmget */ ++ return -223; ++ case 396: ++ /* shmctl */ ++ return -224; ++ case 397: ++ /* shmat */ ++ return -221; ++ case 398: 
++ /* shmdt */ ++ return -222; ++ case 399: ++ /* msgget */ ++ return -213; ++ case 400: ++ /* msgsnd */ ++ return -211; ++ case 401: ++ /* msgrcv */ ++ return -212; ++ case 402: ++ /* msgctl */ ++ return -214; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. ++ * ++ */ ++int ppc64_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __ppc64_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __ppc64_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the ppc64 seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the ppc64 ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. 
++ * ++ */ ++int ppc64_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if ((sys <= -100 && sys >= -120) || (sys >= 326 && sys <= 344) || ++ (sys == 349)) { ++ /* (-100 to -120) : multiplexed socket syscalls ++ (326 to 344) : direct socket syscalls, Linux 4.3+ ++ (349) : sendmmsg */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _ppc64_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _ppc64_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) { ++ rc = -ENOMEM; ++ goto add_return; ++ } ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __ppc64_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be 
protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) { ++ /* (-200 to -224) : multiplexed ipc syscalls ++ (392 to 402) : direct ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _ppc64_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _ppc64_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __ppc64_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, 
rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_ppc64 = { + .token = SCMP_ARCH_PPC64, + .token_bpf = AUDIT_ARCH_PPC64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, +- .sys_socketcall = __ppc64_NR_socketcall, +- .sys_ipc = __ppc64_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = ppc64_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = ppc64_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = ppc64_syscall_resolve_name_munge, ++ .syscall_resolve_num = ppc64_syscall_resolve_num_munge, ++ .syscall_rewrite = ppc64_syscall_rewrite, ++ .rule_add = ppc64_rule_add, + }; + + const struct arch_def arch_def_ppc64le = { +@@ -54,12 +639,8 @@ const struct arch_def arch_def_ppc64le = { + .token_bpf = AUDIT_ARCH_PPC64LE, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +- .sys_socketcall = __ppc64_NR_socketcall, +- .sys_ipc = __ppc64_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = ppc64_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = ppc64_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = ppc64_syscall_resolve_name_munge, ++ .syscall_resolve_num = ppc64_syscall_resolve_num_munge, ++ .syscall_rewrite = ppc64_syscall_rewrite, ++ .rule_add = ppc64_rule_add, + }; +diff --git a/src/arch-riscv64.c b/src/arch-riscv64.c 
+--- a/src/arch-riscv64.c ++++ b/src/arch-riscv64.c +@@ -24,8 +24,8 @@ const struct arch_def arch_def_riscv64 = { + .token_bpf = AUDIT_ARCH_RISCV64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +- .syscall_resolve_name_raw = riscv64_syscall_resolve_name, +- .syscall_resolve_num_raw = riscv64_syscall_resolve_num, ++ .syscall_resolve_name = riscv64_syscall_resolve_name, ++ .syscall_resolve_num = riscv64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-s390.c b/src/arch-s390.c +--- a/src/arch-s390.c ++++ b/src/arch-s390.c +@@ -17,17 +17,593 @@ + #define __s390_NR_socketcall 102 + #define __s390_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++int s390_syscall_resolve_name_munge(const char *name) ++{ ++ if (strcmp(name, "accept") == 0) ++ return __PNR_accept; ++ if (strcmp(name, "accept4") == 0) ++ return __PNR_accept4; ++ else if (strcmp(name, "bind") == 0) ++ return __PNR_bind; ++ else if (strcmp(name, "connect") == 0) ++ return __PNR_connect; ++ else if (strcmp(name, "getpeername") == 0) ++ return __PNR_getpeername; ++ else if (strcmp(name, "getsockname") == 0) ++ return __PNR_getsockname; ++ else if (strcmp(name, "getsockopt") == 0) ++ return __PNR_getsockopt; ++ else if (strcmp(name, "listen") == 0) ++ return __PNR_listen; ++ else if (strcmp(name, "msgctl") == 0) ++ return __PNR_msgctl; ++ else if (strcmp(name, "msgget") == 0) ++ return __PNR_msgget; ++ else if (strcmp(name, "msgrcv") == 0) ++ return __PNR_msgrcv; ++ else if (strcmp(name, "msgsnd") == 0) ++ return __PNR_msgsnd; ++ else if (strcmp(name, "recv") == 0) ++ return __PNR_recv; ++ else if (strcmp(name, "recvfrom") == 0) ++ return __PNR_recvfrom; ++ else if (strcmp(name, 
"recvmsg") == 0) ++ return __PNR_recvmsg; ++ else if (strcmp(name, "semctl") == 0) ++ return __PNR_semctl; ++ else if (strcmp(name, "semget") == 0) ++ return __PNR_semget; ++ else if (strcmp(name, "semtimedop") == 0) ++ return __PNR_semtimedop; ++ else if (strcmp(name, "recvmmsg") == 0) ++ return __PNR_recvmmsg; ++ else if (strcmp(name, "send") == 0) ++ return __PNR_send; ++ else if (strcmp(name, "sendmsg") == 0) ++ return __PNR_sendmsg; ++ else if (strcmp(name, "sendmmsg") == 0) ++ return __PNR_sendmmsg; ++ else if (strcmp(name, "sendto") == 0) ++ return __PNR_sendto; ++ else if (strcmp(name, "setsockopt") == 0) ++ return __PNR_setsockopt; ++ else if (strcmp(name, "shmat") == 0) ++ return __PNR_shmat; ++ else if (strcmp(name, "shmdt") == 0) ++ return __PNR_shmdt; ++ else if (strcmp(name, "shmget") == 0) ++ return __PNR_shmget; ++ else if (strcmp(name, "shmctl") == 0) ++ return __PNR_shmctl; ++ else if (strcmp(name, "shutdown") == 0) ++ return __PNR_shutdown; ++ else if (strcmp(name, "socket") == 0) ++ return __PNR_socket; ++ else if (strcmp(name, "socketpair") == 0) ++ return __PNR_socketpair; ++ ++ return s390_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. 
++ * ++ */ ++const char *s390_syscall_resolve_num_munge(int num) ++{ ++ if (num == __PNR_accept) ++ return "accept"; ++ else if (num == __PNR_accept4) ++ return "accept4"; ++ else if (num == __PNR_bind) ++ return "bind"; ++ else if (num == __PNR_connect) ++ return "connect"; ++ else if (num == __PNR_getpeername) ++ return "getpeername"; ++ else if (num == __PNR_getsockname) ++ return "getsockname"; ++ else if (num == __PNR_getsockopt) ++ return "getsockopt"; ++ else if (num == __PNR_listen) ++ return "listen"; ++ else if (num == __PNR_msgctl) ++ return "msgctl"; ++ else if (num == __PNR_msgget) ++ return "msgget"; ++ else if (num == __PNR_msgrcv) ++ return "msgrcv"; ++ else if (num == __PNR_msgsnd) ++ return "msgsnd"; ++ else if (num == __PNR_recv) ++ return "recv"; ++ else if (num == __PNR_recvfrom) ++ return "recvfrom"; ++ else if (num == __PNR_recvmsg) ++ return "recvmsg"; ++ else if (num == __PNR_recvmmsg) ++ return "recvmmsg"; ++ else if (num == __PNR_semctl) ++ return "semctl"; ++ else if (num == __PNR_semget) ++ return "semget"; ++ else if (num == __PNR_semtimedop) ++ return "semtimedop"; ++ else if (num == __PNR_send) ++ return "send"; ++ else if (num == __PNR_sendmsg) ++ return "sendmsg"; ++ else if (num == __PNR_sendmmsg) ++ return "sendmmsg"; ++ else if (num == __PNR_sendto) ++ return "sendto"; ++ else if (num == __PNR_setsockopt) ++ return "setsockopt"; ++ else if (num == __PNR_shmat) ++ return "shmat"; ++ else if (num == __PNR_shmdt) ++ return "shmdt"; ++ else if (num == __PNR_shmget) ++ return "shmget"; ++ else if (num == __PNR_shmctl) ++ return "shmctl"; ++ else if (num == __PNR_shutdown) ++ return "shutdown"; ++ else if (num == __PNR_socket) ++ return "socket"; ++ else if (num == __PNR_socketpair) ++ return "socketpair"; ++ ++ return s390_syscall_resolve_num(num); ++} ++ ++/** ++ * Convert a multiplexed pseudo syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, 
__NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _s390_syscall_demux(int syscall) ++{ ++ switch (syscall) { ++ case -101: ++ /* socket */ ++ return 359; ++ case -102: ++ /* bind */ ++ return 361; ++ case -103: ++ /* connect */ ++ return 362; ++ case -104: ++ /* listen */ ++ return 363; ++ case -105: ++ /* accept - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -106: ++ /* getsockname */ ++ return 367; ++ case -107: ++ /* getpeername */ ++ return 368; ++ case -108: ++ /* socketpair */ ++ return 360; ++ case -109: ++ /* send - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -110: ++ /* recv - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -111: ++ /* sendto */ ++ return 369; ++ case -112: ++ /* recvfrom */ ++ return 371; ++ case -113: ++ /* shutdown */ ++ return 373; ++ case -114: ++ /* setsockopt */ ++ return 366; ++ case -115: ++ /* getsockopt */ ++ return 365; ++ case -116: ++ /* sendmsg */ ++ return 370; ++ case -117: ++ /* recvmsg */ ++ return 372; ++ case -118: ++ /* accept4 */ ++ return 364; ++ case -119: ++ /* recvmmsg */ ++ return 337; ++ case -120: ++ /* sendmmsg */ ++ return 345; ++ case -201: ++ /* semop - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -202: ++ /* semget */ ++ return 393; ++ case -203: ++ /* semctl */ ++ return 394; ++ case -204: ++ /* semtimedop */ ++ return 392; ++ case -211: ++ /* msgsnd */ ++ return 400; ++ case -212: ++ /* msgrcv */ ++ return 401; ++ case -213: ++ /* msgget */ ++ return 399; ++ case -214: ++ /* msgctl */ ++ return 402; ++ case -221: ++ /* shmat */ ++ return 397; ++ case -222: ++ /* shmdt */ ++ return 398; ++ case -223: ++ /* shmget */ ++ return 395; ++ case -224: ++ /* shmctl */ ++ return 396; ++ ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Convert a direct socket syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there 
is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _s390_syscall_mux(int syscall) ++{ ++ switch (syscall) { ++ case 337: ++ /* recvmmsg */ ++ return -119; ++ case 345: ++ /* sendmmsg */ ++ return -120; ++ case 359: ++ /* socket */ ++ return -101; ++ case 360: ++ /* socketpair */ ++ return -108; ++ case 361: ++ /* bind */ ++ return -102; ++ case 362: ++ /* connect */ ++ return -103; ++ case 363: ++ /* listen */ ++ return -104; ++ case 364: ++ /* accept4 */ ++ return -118; ++ case 365: ++ /* getsockopt */ ++ return -115; ++ case 366: ++ /* setsockopt */ ++ return -114; ++ case 367: ++ /* getsockname */ ++ return -106; ++ case 368: ++ /* getpeername */ ++ return -107; ++ case 369: ++ /* sendto */ ++ return -111; ++ case 370: ++ /* sendmsg */ ++ return -116; ++ case 371: ++ /* recvfrom */ ++ return -112; ++ case 372: ++ /* recvmsg */ ++ return -117; ++ case 373: ++ /* shutdown */ ++ return -113; ++ case 393: ++ /* semget */ ++ return -202; ++ case 394: ++ /* semctl */ ++ return -203; ++ case 400: ++ /* msgsnd */ ++ return -211; ++ case 401: ++ /* msgrcv */ ++ return -212; ++ case 399: ++ /* msgget */ ++ return -213; ++ case 402: ++ /* msgctl */ ++ return -214; ++ case 397: ++ /* shmat */ ++ return -221; ++ case 398: ++ /* shmdt */ ++ return -222; ++ case 395: ++ /* shmget */ ++ return -223; ++ case 396: ++ /* shmctl */ ++ return -224; ++ case 392: ++ /* semtimedop */ ++ return -204; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. 
++ * ++ */ ++int s390_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __s390_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __s390_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the s390 seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the s390 ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. ++ * ++ */ ++int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { ++ /* (-100 to -120) : multiplexed socket syscalls ++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _s390_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _s390_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ 
rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) { ++ rc = -ENOMEM; ++ goto add_return; ++ } ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __s390_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) { ++ /* (-200 to -224) : multiplexed ipc syscalls ++ (393 to 402) : direct ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _s390_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _s390_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two 
rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __s390_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_s390 = { + .token = SCMP_ARCH_S390, + .token_bpf = AUDIT_ARCH_S390, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +- .sys_socketcall = __s390_NR_socketcall, +- .sys_ipc = __s390_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = s390_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = s390_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = s390_syscall_resolve_name_munge, ++ .syscall_resolve_num = s390_syscall_resolve_num_munge, ++ .syscall_rewrite = s390_syscall_rewrite, ++ .rule_add = s390_rule_add, + }; +diff --git a/src/arch-s390x.c b/src/arch-s390x.c +--- a/src/arch-s390x.c ++++ b/src/arch-s390x.c +@@ -17,17 +17,592 @@ + 
#define __s390x_NR_socketcall 102 + #define __s390x_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++int s390x_syscall_resolve_name_munge(const char *name) ++{ ++ if (strcmp(name, "accept") == 0) ++ return __PNR_accept; ++ if (strcmp(name, "accept4") == 0) ++ return __PNR_accept4; ++ else if (strcmp(name, "bind") == 0) ++ return __PNR_bind; ++ else if (strcmp(name, "connect") == 0) ++ return __PNR_connect; ++ else if (strcmp(name, "getpeername") == 0) ++ return __PNR_getpeername; ++ else if (strcmp(name, "getsockname") == 0) ++ return __PNR_getsockname; ++ else if (strcmp(name, "getsockopt") == 0) ++ return __PNR_getsockopt; ++ else if (strcmp(name, "listen") == 0) ++ return __PNR_listen; ++ else if (strcmp(name, "msgctl") == 0) ++ return __PNR_msgctl; ++ else if (strcmp(name, "msgget") == 0) ++ return __PNR_msgget; ++ else if (strcmp(name, "msgrcv") == 0) ++ return __PNR_msgrcv; ++ else if (strcmp(name, "msgsnd") == 0) ++ return __PNR_msgsnd; ++ else if (strcmp(name, "recv") == 0) ++ return __PNR_recv; ++ else if (strcmp(name, "recvfrom") == 0) ++ return __PNR_recvfrom; ++ else if (strcmp(name, "recvmsg") == 0) ++ return __PNR_recvmsg; ++ else if (strcmp(name, "recvmmsg") == 0) ++ return __PNR_recvmmsg; ++ else if (strcmp(name, "semctl") == 0) ++ return __PNR_semctl; ++ else if (strcmp(name, "semget") == 0) ++ return __PNR_semget; ++ else if (strcmp(name, "semtimedop") == 0) ++ return __PNR_semtimedop; ++ else if (strcmp(name, "send") == 0) ++ return __PNR_send; ++ else if (strcmp(name, "sendmsg") == 0) ++ return __PNR_sendmsg; ++ else if (strcmp(name, "sendmmsg") == 0) ++ return __PNR_sendmmsg; ++ else if (strcmp(name, "sendto") == 0) ++ return __PNR_sendto; ++ else if (strcmp(name, 
"setsockopt") == 0) ++ return __PNR_setsockopt; ++ else if (strcmp(name, "shmat") == 0) ++ return __PNR_shmat; ++ else if (strcmp(name, "shmdt") == 0) ++ return __PNR_shmdt; ++ else if (strcmp(name, "shmget") == 0) ++ return __PNR_shmget; ++ else if (strcmp(name, "shmctl") == 0) ++ return __PNR_shmctl; ++ else if (strcmp(name, "shutdown") == 0) ++ return __PNR_shutdown; ++ else if (strcmp(name, "socket") == 0) ++ return __PNR_socket; ++ else if (strcmp(name, "socketpair") == 0) ++ return __PNR_socketpair; ++ ++ return s390x_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. ++ * ++ */ ++const char *s390x_syscall_resolve_num_munge(int num) ++{ ++ if (num == __PNR_accept) ++ return "accept"; ++ else if (num == __PNR_accept4) ++ return "accept4"; ++ else if (num == __PNR_bind) ++ return "bind"; ++ else if (num == __PNR_connect) ++ return "connect"; ++ else if (num == __PNR_getpeername) ++ return "getpeername"; ++ else if (num == __PNR_getsockname) ++ return "getsockname"; ++ else if (num == __PNR_getsockopt) ++ return "getsockopt"; ++ else if (num == __PNR_listen) ++ return "listen"; ++ else if (num == __PNR_msgctl) ++ return "msgctl"; ++ else if (num == __PNR_msgget) ++ return "msgget"; ++ else if (num == __PNR_msgrcv) ++ return "msgrcv"; ++ else if (num == __PNR_msgsnd) ++ return "msgsnd"; ++ else if (num == __PNR_recv) ++ return "recv"; ++ else if (num == __PNR_recvfrom) ++ return "recvfrom"; ++ else if (num == __PNR_recvmsg) ++ return "recvmsg"; ++ else if (num == __PNR_recvmmsg) ++ return "recvmmsg"; ++ else if (num == __PNR_semctl) ++ return "semctl"; ++ else if (num == __PNR_semget) ++ return "semget"; ++ else if (num == __PNR_semtimedop) ++ return "semtimedop"; ++ else if (num == 
__PNR_send) ++ return "send"; ++ else if (num == __PNR_sendmsg) ++ return "sendmsg"; ++ else if (num == __PNR_sendmmsg) ++ return "sendmmsg"; ++ else if (num == __PNR_sendto) ++ return "sendto"; ++ else if (num == __PNR_setsockopt) ++ return "setsockopt"; ++ else if (num == __PNR_shmat) ++ return "shmat"; ++ else if (num == __PNR_shmdt) ++ return "shmdt"; ++ else if (num == __PNR_shmget) ++ return "shmget"; ++ else if (num == __PNR_shmctl) ++ return "shmctl"; ++ else if (num == __PNR_shutdown) ++ return "shutdown"; ++ else if (num == __PNR_socket) ++ return "socket"; ++ else if (num == __PNR_socketpair) ++ return "socketpair"; ++ ++ return s390x_syscall_resolve_num(num); ++} ++ ++/** ++ * Convert a multiplexed pseudo socket syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _s390x_syscall_demux(int syscall) ++{ ++ switch (syscall) { ++ case -101: ++ /* socket */ ++ return 359; ++ case -102: ++ /* bind */ ++ return 361; ++ case -103: ++ /* connect */ ++ return 362; ++ case -104: ++ /* listen */ ++ return 363; ++ case -105: ++ /* accept - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -106: ++ /* getsockname */ ++ return 367; ++ case -107: ++ /* getpeername */ ++ return 368; ++ case -108: ++ /* socketpair */ ++ return 360; ++ case -109: ++ /* send - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -110: ++ /* recv - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -111: ++ /* sendto */ ++ return 369; ++ case -112: ++ /* recvfrom */ ++ return 371; ++ case -113: ++ /* shutdown */ ++ return 373; ++ case -114: ++ /* setsockopt */ ++ return 366; ++ case -115: ++ /* getsockopt */ ++ return 365; ++ case -116: ++ /* sendmsg */ ++ return 370; ++ case -117: ++ /* recvmsg */ ++ return 372; ++ case -118: ++ /* accept4 */ ++ return 364; ++ case -119: ++ /* recvmmsg */ ++ return 337; 
++ case -120: ++ /* sendmmsg */ ++ return 345; ++ case -201: ++ /* semop - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -202: ++ /* semget */ ++ return 393; ++ case -203: ++ /* semctl */ ++ return 394; ++ case -204: ++ /* semtimedop */ ++ return 392; ++ case -211: ++ /* msgsnd */ ++ return 400; ++ case -212: ++ /* msgrcv */ ++ return 401; ++ case -213: ++ /* msgget */ ++ return 399; ++ case -214: ++ /* msgctl */ ++ return 402; ++ case -221: ++ /* shmat */ ++ return 397; ++ case -222: ++ /* shmdt */ ++ return 398; ++ case -223: ++ /* shmget */ ++ return 395; ++ case -224: ++ /* shmctl */ ++ return 396; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Convert a direct socket syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _s390x_syscall_mux(int syscall) ++{ ++ switch (syscall) { ++ case 337: ++ /* recvmmsg */ ++ return -119; ++ case 345: ++ /* sendmmsg */ ++ return -120; ++ case 359: ++ /* socket */ ++ return -101; ++ case 360: ++ /* socketpair */ ++ return -108; ++ case 361: ++ /* bind */ ++ return -102; ++ case 362: ++ /* connect */ ++ return -103; ++ case 363: ++ /* listen */ ++ return -104; ++ case 364: ++ /* accept4 */ ++ return -118; ++ case 365: ++ /* getsockopt */ ++ return -115; ++ case 366: ++ /* setsockopt */ ++ return -114; ++ case 367: ++ /* getsockname */ ++ return -106; ++ case 368: ++ /* getpeername */ ++ return -107; ++ case 369: ++ /* sendto */ ++ return -111; ++ case 370: ++ /* sendmsg */ ++ return -116; ++ case 371: ++ /* recvfrom */ ++ return -112; ++ case 372: ++ /* recvmsg */ ++ return -117; ++ case 373: ++ /* shutdown */ ++ return -113; ++ case 392: ++ /* semtimedop */ ++ return -204; ++ case 393: ++ /* semget */ ++ return -202; ++ case 394: ++ /* semctl */ ++ return -203; ++ case 400: ++ /* msgsnd */ ++ return -211; ++ 
case 401: ++ /* msgrcv */ ++ return -212; ++ case 399: ++ /* msgget */ ++ return -213; ++ case 402: ++ /* msgctl */ ++ return -214; ++ case 397: ++ /* shmat */ ++ return -221; ++ case 398: ++ /* shmdt */ ++ return -222; ++ case 395: ++ /* shmget */ ++ return -223; ++ case 396: ++ /* shmctl */ ++ return -224; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. ++ * ++ */ ++int s390x_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __s390x_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __s390x_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the s390x seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the s390x ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. 
++ * ++ */ ++int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { ++ /* (-100 to -120) : multiplexed socket syscalls ++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _s390x_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _s390x_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) { ++ rc = -ENOMEM; ++ goto add_return; ++ } ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __s390x_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ 
if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) { ++ /* (-200 to -224) : multiplexed ipc syscalls ++ (392 to 402) : direct ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _s390x_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _s390x_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __s390x_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; 
++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_s390x = { + .token = SCMP_ARCH_S390X, + .token_bpf = AUDIT_ARCH_S390X, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_BIG, +- .sys_socketcall = __s390x_NR_socketcall, +- .sys_ipc = __s390x_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = s390x_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = s390x_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = s390x_syscall_resolve_name_munge, ++ .syscall_resolve_num = s390x_syscall_resolve_num_munge, ++ .syscall_rewrite = s390x_syscall_rewrite, ++ .rule_add = s390x_rule_add, + }; +diff --git a/src/arch-x32.c b/src/arch-x32.c +--- a/src/arch-x32.c ++++ b/src/arch-x32.c +@@ -28,7 +28,6 @@ + + /** + * Resolve a syscall name to a number +- * @param arch the architecture definition + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. +@@ -36,13 +35,12 @@ + * numbers; returns __NR_SCMP_ERROR on failure. 
+ * + */ +-int x32_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name) ++int x32_syscall_resolve_name_munge(const char *name) + { + int sys; + + /* NOTE: we don't want to modify the pseudo-syscall numbers */ +- sys = arch->syscall_resolve_name_raw(name); ++ sys = x32_syscall_resolve_name(name); + if (sys == __NR_SCMP_ERROR || sys < 0) + return sys; + +@@ -51,7 +49,6 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch, + + /** + * Resolve a syscall number to a name +- * @param arch the architecture definition + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. +@@ -59,13 +56,12 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch, + * syscall names; returns NULL on failure. + * + */ +-const char *x32_syscall_resolve_num_munge(const struct arch_def *arch, +- int num) ++const char *x32_syscall_resolve_num_munge(int num) + { + /* NOTE: we don't want to modify the pseudo-syscall numbers */ + if (num >= 0) + num &= ~X32_SYSCALL_BIT; +- return arch->syscall_resolve_num_raw(num); ++ return x32_syscall_resolve_num(num); + } + + const struct arch_def arch_def_x32 = { +@@ -75,9 +71,7 @@ const struct arch_def arch_def_x32 = { + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = x32_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = x32_syscall_resolve_name, + .syscall_resolve_num = x32_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = x32_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch-x86.c b/src/arch-x86.c +--- a/src/arch-x86.c ++++ b/src/arch-x86.c +@@ -33,17 +33,593 @@ + #define __x86_NR_socketcall 102 + #define __x86_NR_ipc 117 + ++/** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. 
++ * Returns the syscall number on success, including negative pseudo syscall ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++int x86_syscall_resolve_name_munge(const char *name) ++{ ++ if (strcmp(name, "accept") == 0) ++ return __PNR_accept; ++ else if (strcmp(name, "accept4") == 0) ++ return __PNR_accept4; ++ else if (strcmp(name, "bind") == 0) ++ return __PNR_bind; ++ else if (strcmp(name, "connect") == 0) ++ return __PNR_connect; ++ else if (strcmp(name, "getpeername") == 0) ++ return __PNR_getpeername; ++ else if (strcmp(name, "getsockname") == 0) ++ return __PNR_getsockname; ++ else if (strcmp(name, "getsockopt") == 0) ++ return __PNR_getsockopt; ++ else if (strcmp(name, "listen") == 0) ++ return __PNR_listen; ++ else if (strcmp(name, "recv") == 0) ++ return __PNR_recv; ++ else if (strcmp(name, "recvfrom") == 0) ++ return __PNR_recvfrom; ++ else if (strcmp(name, "recvmsg") == 0) ++ return __PNR_recvmsg; ++ else if (strcmp(name, "recvmmsg") == 0) ++ return __PNR_recvmmsg; ++ else if (strcmp(name, "send") == 0) ++ return __PNR_send; ++ else if (strcmp(name, "sendmsg") == 0) ++ return __PNR_sendmsg; ++ else if (strcmp(name, "sendmmsg") == 0) ++ return __PNR_sendmmsg; ++ else if (strcmp(name, "sendto") == 0) ++ return __PNR_sendto; ++ else if (strcmp(name, "setsockopt") == 0) ++ return __PNR_setsockopt; ++ else if (strcmp(name, "shutdown") == 0) ++ return __PNR_shutdown; ++ else if (strcmp(name, "socket") == 0) ++ return __PNR_socket; ++ else if (strcmp(name, "socketpair") == 0) ++ return __PNR_socketpair; ++ ++ if (strcmp(name, "semop") == 0) ++ return __PNR_semop; ++ else if (strcmp(name, "semget") == 0) ++ return __PNR_semget; ++ else if (strcmp(name, "semctl") == 0) ++ return __PNR_semctl; ++ else if (strcmp(name, "semtimedop") == 0) ++ return __PNR_semtimedop; ++ else if (strcmp(name, "msgsnd") == 0) ++ return __PNR_msgsnd; ++ else if (strcmp(name, "msgrcv") == 0) ++ return __PNR_msgrcv; ++ else if (strcmp(name, "msgget") == 0) ++ return 
__PNR_msgget; ++ else if (strcmp(name, "msgctl") == 0) ++ return __PNR_msgctl; ++ else if (strcmp(name, "shmat") == 0) ++ return __PNR_shmat; ++ else if (strcmp(name, "shmdt") == 0) ++ return __PNR_shmdt; ++ else if (strcmp(name, "shmget") == 0) ++ return __PNR_shmget; ++ else if (strcmp(name, "shmctl") == 0) ++ return __PNR_shmctl; ++ ++ return x86_syscall_resolve_name(name); ++} ++ ++/** ++ * Resolve a syscall number to a name ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++ * Returns a pointer to the syscall name string on success, including pseudo ++ * syscall names; returns NULL on failure. ++ * ++ */ ++const char *x86_syscall_resolve_num_munge(int num) ++{ ++ if (num == __PNR_accept) ++ return "accept"; ++ else if (num == __PNR_accept4) ++ return "accept4"; ++ else if (num == __PNR_bind) ++ return "bind"; ++ else if (num == __PNR_connect) ++ return "connect"; ++ else if (num == __PNR_getpeername) ++ return "getpeername"; ++ else if (num == __PNR_getsockname) ++ return "getsockname"; ++ else if (num == __PNR_getsockopt) ++ return "getsockopt"; ++ else if (num == __PNR_listen) ++ return "listen"; ++ else if (num == __PNR_recv) ++ return "recv"; ++ else if (num == __PNR_recvfrom) ++ return "recvfrom"; ++ else if (num == __PNR_recvmsg) ++ return "recvmsg"; ++ else if (num == __PNR_recvmmsg) ++ return "recvmmsg"; ++ else if (num == __PNR_send) ++ return "send"; ++ else if (num == __PNR_sendmsg) ++ return "sendmsg"; ++ else if (num == __PNR_sendmmsg) ++ return "sendmmsg"; ++ else if (num == __PNR_sendto) ++ return "sendto"; ++ else if (num == __PNR_setsockopt) ++ return "setsockopt"; ++ else if (num == __PNR_shutdown) ++ return "shutdown"; ++ else if (num == __PNR_socket) ++ return "socket"; ++ else if (num == __PNR_socketpair) ++ return "socketpair"; ++ ++ if (num == __PNR_semop) ++ return "semop"; ++ else if (num == __PNR_semget) ++ return "semget"; ++ else if (num == __PNR_semctl) ++ 
return "semctl"; ++ else if (num == __PNR_semtimedop) ++ return "semtimedop"; ++ else if (num == __PNR_msgsnd) ++ return "msgsnd"; ++ else if (num == __PNR_msgrcv) ++ return "msgrcv"; ++ else if (num == __PNR_msgget) ++ return "msgget"; ++ else if (num == __PNR_msgctl) ++ return "msgctl"; ++ else if (num == __PNR_shmat) ++ return "shmat"; ++ else if (num == __PNR_shmdt) ++ return "shmdt"; ++ else if (num == __PNR_shmget) ++ return "shmget"; ++ else if (num == __PNR_shmctl) ++ return "shmctl"; ++ ++ return x86_syscall_resolve_num(num); ++} ++ ++/** ++ * Convert a multiplexed pseudo syscall into a direct syscall ++ * @param syscall the multiplexed pseudo syscall number ++ * ++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++ * no related syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _x86_syscall_demux(int syscall) ++{ ++ switch (syscall) { ++ case -101: ++ /* socket */ ++ return 359; ++ case -102: ++ /* bind */ ++ return 361; ++ case -103: ++ /* connect */ ++ return 362; ++ case -104: ++ /* listen */ ++ return 363; ++ case -105: ++ /* accept - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -106: ++ /* getsockname */ ++ return 367; ++ case -107: ++ /* getpeername */ ++ return 368; ++ case -108: ++ /* socketpair */ ++ return 360; ++ case -109: ++ /* send - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -110: ++ /* recv - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -111: ++ /* sendto */ ++ return 369; ++ case -112: ++ /* recvfrom */ ++ return 371; ++ case -113: ++ /* shutdown */ ++ return 373; ++ case -114: ++ /* setsockopt */ ++ return 366; ++ case -115: ++ /* getsockopt */ ++ return 365; ++ case -116: ++ /* sendmsg */ ++ return 370; ++ case -117: ++ /* recvmsg */ ++ return 372; ++ case -118: ++ /* accept4 */ ++ return 364; ++ case -119: ++ /* recvmmsg */ ++ return 337; ++ case -120: ++ /* sendmmsg */ ++ return 345; ++ case -201: ++ /* semop - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -202: ++ /* semget */ 
++ return 393; ++ case -203: ++ /* semctl */ ++ return 394; ++ case -204: ++ /* semtimedop - not defined */ ++ return __NR_SCMP_UNDEF; ++ case -211: ++ /* msgsnd */ ++ return 400; ++ case -212: ++ /* msgrcv */ ++ return 401; ++ case -213: ++ /* msgget */ ++ return 399; ++ case -214: ++ /* msgctl */ ++ return 402; ++ case -221: ++ /* shmat */ ++ return 397; ++ case -222: ++ /* shmdt */ ++ return 398; ++ case -223: ++ /* shmget */ ++ return 395; ++ case -224: ++ /* shmctl */ ++ return 396; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Convert a direct syscall into multiplexed pseudo socket syscall ++ * @param syscall the direct syscall ++ * ++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++ * ++ */ ++static int _x86_syscall_mux(int syscall) ++{ ++ switch (syscall) { ++ case 337: ++ /* recvmmsg */ ++ return -119; ++ case 345: ++ /* sendmmsg */ ++ return -120; ++ case 359: ++ /* socket */ ++ return -101; ++ case 360: ++ /* socketpair */ ++ return -108; ++ case 361: ++ /* bind */ ++ return -102; ++ case 362: ++ /* connect */ ++ return -103; ++ case 363: ++ /* listen */ ++ return -104; ++ case 364: ++ /* accept4 */ ++ return -118; ++ case 365: ++ /* getsockopt */ ++ return -115; ++ case 366: ++ /* setsockopt */ ++ return -114; ++ case 367: ++ /* getsockname */ ++ return -106; ++ case 368: ++ /* getpeername */ ++ return -107; ++ case 369: ++ /* sendto */ ++ return -111; ++ case 370: ++ /* sendmsg */ ++ return -116; ++ case 371: ++ /* recvfrom */ ++ return -112; ++ case 372: ++ /* recvmsg */ ++ return -117; ++ case 373: ++ /* shutdown */ ++ return -113; ++ case 393: ++ /* semget */ ++ return -202; ++ case 394: ++ /* semctl */ ++ return -203; ++ case 400: ++ /* msgsnd */ ++ return -211; ++ case 401: ++ /* msgrcv */ ++ return -212; ++ case 399: ++ /* msgget */ ++ return -213; ++ case 402: ++ /* msgctl */ ++ return -214; ++ case 397: ++ /* shmat */ ++ return -221; ++ 
case 398: ++ /* shmdt */ ++ return -222; ++ case 395: ++ /* shmget */ ++ return -223; ++ case 396: ++ /* shmctl */ ++ return -224; ++ } ++ ++ return __NR_SCMP_ERROR; ++} ++ ++/** ++ * Rewrite a syscall value to match the architecture ++ * @param syscall the syscall number ++ * ++ * Syscalls can vary across different architectures so this function rewrites ++ * the syscall into the correct value for the specified architecture. Returns ++ * zero on success, negative values on failure. ++ * ++ */ ++int x86_syscall_rewrite(int *syscall) ++{ ++ int sys = *syscall; ++ ++ if (sys <= -100 && sys >= -120) ++ *syscall = __x86_NR_socketcall; ++ else if (sys <= -200 && sys >= -224) ++ *syscall = __x86_NR_ipc; ++ else if (sys < 0) ++ return -EDOM; ++ ++ return 0; ++} ++ ++/** ++ * add a new rule to the x86 seccomp filter ++ * @param db the seccomp filter db ++ * @param rule the filter rule ++ * ++ * This function adds a new syscall filter to the seccomp filter db, making any ++ * necessary adjustments for the x86 ABI. Returns zero on success, negative ++ * values on failure. ++ * ++ * It is important to note that in the case of failure the db may be corrupted, ++ * the caller must use the transaction mechanism if the db integrity is ++ * important. 
++ * ++ */ ++int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++{ ++ int rc = 0; ++ unsigned int iter; ++ int sys = rule->syscall; ++ int sys_a, sys_b; ++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++ ++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { ++ /* (-100 to -120) : multiplexed socket syscalls ++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _x86_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _x86_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __x86_NR_socketcall; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 100; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = 
db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc = db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) { ++ /* (-200 to -224) : multiplexed ipc syscalls ++ (393 to 402) : direct ipc syscalls */ ++ ++ /* strict check for the multiplexed socket syscalls */ ++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++ if ((rule->args[iter].valid != 0) && (rule->strict)) { ++ rc = -EINVAL; ++ goto add_return; ++ } ++ } ++ ++ /* determine both the muxed and direct syscall numbers */ ++ if (sys > 0) { ++ sys_a = _x86_syscall_mux(sys); ++ if (sys_a == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ sys_b = sys; ++ } else { ++ sys_a = sys; ++ sys_b = _x86_syscall_demux(sys); ++ if (sys_b == __NR_SCMP_ERROR) { ++ rc = __NR_SCMP_ERROR; ++ goto add_return; ++ } ++ } ++ ++ /* use rule_a for the multiplexed syscall and use rule_b for ++ * the direct wired syscall */ ++ ++ if (sys_a == __NR_SCMP_UNDEF) { ++ rule_a = NULL; ++ rule_b = rule; ++ } else if (sys_b == __NR_SCMP_UNDEF) { ++ rule_a = rule; ++ rule_b = NULL; ++ } else { ++ /* need two rules, dup the first and link together */ ++ rule_a = rule; ++ rule_dup = db_rule_dup(rule_a); ++ rule_b = rule_dup; ++ if (rule_b == NULL) ++ goto add_return; ++ rule_b->prev = rule_a; ++ rule_b->next = NULL; ++ rule_a->next = rule_b; ++ } ++ ++ /* multiplexed socket syscalls */ ++ if (rule_a != NULL) { ++ rule_a->syscall = __x86_NR_ipc; ++ rule_a->args[0].arg = 0; ++ rule_a->args[0].op = SCMP_CMP_EQ; ++ rule_a->args[0].mask = DATUM_MAX; ++ rule_a->args[0].datum = (-sys_a) % 200; ++ rule_a->args[0].valid = 1; ++ } ++ ++ /* direct wired socket syscalls */ ++ if (rule_b != NULL) ++ rule_b->syscall = sys_b; ++ ++ /* we should be protected by a transaction checkpoint */ ++ if (rule_a != NULL) { ++ rc = db_rule_add(db, rule_a); ++ if (rc < 0) ++ goto add_return; ++ } ++ if (rule_b != NULL) { ++ rc 
= db_rule_add(db, rule_b); ++ if (rc < 0) ++ goto add_return; ++ } ++ } else if (sys >= 0) { ++ /* normal syscall processing */ ++ rc = db_rule_add(db, rule); ++ if (rc < 0) ++ goto add_return; ++ } else if (rule->strict) { ++ rc = -EDOM; ++ goto add_return; ++ } ++ ++add_return: ++ if (rule_dup != NULL) ++ free(rule_dup); ++ return rc; ++} ++ + const struct arch_def arch_def_x86 = { + .token = SCMP_ARCH_X86, + .token_bpf = AUDIT_ARCH_I386, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_LITTLE, +- .sys_socketcall = __x86_NR_socketcall, +- .sys_ipc = __x86_NR_ipc, +- .syscall_resolve_name = abi_syscall_resolve_name_munge, +- .syscall_resolve_name_raw = x86_syscall_resolve_name, +- .syscall_resolve_num = abi_syscall_resolve_num_munge, +- .syscall_resolve_num_raw = x86_syscall_resolve_num, +- .syscall_rewrite = abi_syscall_rewrite, +- .rule_add = abi_rule_add, ++ .syscall_resolve_name = x86_syscall_resolve_name_munge, ++ .syscall_resolve_num = x86_syscall_resolve_num_munge, ++ .syscall_rewrite = x86_syscall_rewrite, ++ .rule_add = x86_rule_add, + }; +diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c +--- a/src/arch-x86_64.c ++++ b/src/arch-x86_64.c +@@ -31,8 +31,8 @@ const struct arch_def arch_def_x86_64 = { + .token_bpf = AUDIT_ARCH_X86_64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +- .syscall_resolve_name_raw = x86_64_syscall_resolve_name, +- .syscall_resolve_num_raw = x86_64_syscall_resolve_num, ++ .syscall_resolve_name = x86_64_syscall_resolve_name, ++ .syscall_resolve_num = x86_64_syscall_resolve_num, + .syscall_rewrite = NULL, + .rule_add = NULL, + }; +diff --git a/src/arch.c b/src/arch.c +--- a/src/arch.c ++++ b/src/arch.c +@@ -300,9 +300,7 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg) + int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) + { + if (arch->syscall_resolve_name) +- return (*arch->syscall_resolve_name)(arch, name); +- if (arch->syscall_resolve_name_raw) +- return 
(*arch->syscall_resolve_name_raw)(name); ++ return (*arch->syscall_resolve_name)(name); + + return __NR_SCMP_ERROR; + } +@@ -320,9 +318,7 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) + const char *arch_syscall_resolve_num(const struct arch_def *arch, int num) + { + if (arch->syscall_resolve_num) +- return (*arch->syscall_resolve_num)(arch, num); +- if (arch->syscall_resolve_num_raw) +- return (*arch->syscall_resolve_num_raw)(num); ++ return (*arch->syscall_resolve_num)(num); + + return NULL; + } +@@ -385,7 +381,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, int *syscall) + } else if (sys > -10000) { + /* rewritable syscalls */ + if (arch->syscall_rewrite) +- (*arch->syscall_rewrite)(arch, syscall); ++ (*arch->syscall_rewrite)(syscall); + } + + /* syscalls not defined on this architecture */ +diff --git a/src/arch.h b/src/arch.h +--- a/src/arch.h ++++ b/src/arch.h +@@ -49,18 +49,10 @@ struct arch_def { + ARCH_ENDIAN_BIG, + } endian; + +- /* arch specific constants */ +- int sys_socketcall; +- int sys_ipc; +- + /* arch specific functions */ +- int (*syscall_resolve_name)(const struct arch_def *arch, +- const char *name); +- int (*syscall_resolve_name_raw)(const char *name); +- const char *(*syscall_resolve_num)(const struct arch_def *arch, +- int num); +- const char *(*syscall_resolve_num_raw)(int num); +- int (*syscall_rewrite)(const struct arch_def *arch, int *syscall); ++ int (*syscall_resolve_name)(const char *name); ++ const char *(*syscall_resolve_num)(int num); ++ int (*syscall_rewrite)(int *syscall); + int (*rule_add)(struct db_filter *db, struct db_api_rule_list *rule); + }; + +diff --git a/src/syscalls.c b/src/syscalls.c +--- a/src/syscalls.c ++++ b/src/syscalls.c +@@ -1,5 +1,5 @@ + /** +- * Enhanced Seccomp Syscall Table Functions ++ * Enhanced Seccomp x86_64 Syscall Table + * + * Copyright (c) 2012, 2020 Red Hat + * Author: Paul Moore +@@ -19,13 +19,9 @@ + * You should have received a copy of the GNU Lesser 
General Public License + * along with this library; if not, see . + */ +- +-#include +-#include +-#include + #include ++#include + +-#include "db.h" + #include "arch.h" + #include "syscalls.h" + +@@ -58,524 +54,3 @@ ARCH_DEF(s390x) + ARCH_DEF(x32) + ARCH_DEF(x86) + ARCH_DEF(riscv64) +- +-/** +- * Resolve a syscall name to a number +- * @param arch the arch definition +- * @param name the syscall name +- * +- * Resolve the given syscall name to the syscall number using the syscall table. +- * Returns the syscall number on success, including negative pseudo syscall +- * numbers; returns __NR_SCMP_ERROR on failure. +- * +- */ +-int abi_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name) +-{ +- +-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return __PNR_##NAME; +- +- _ABI_SYSCALL_RES_NAME_CHK(socket) +- _ABI_SYSCALL_RES_NAME_CHK(bind) +- _ABI_SYSCALL_RES_NAME_CHK(connect) +- _ABI_SYSCALL_RES_NAME_CHK(listen) +- _ABI_SYSCALL_RES_NAME_CHK(accept) +- _ABI_SYSCALL_RES_NAME_CHK(getsockname) +- _ABI_SYSCALL_RES_NAME_CHK(getpeername) +- _ABI_SYSCALL_RES_NAME_CHK(socketpair) +- _ABI_SYSCALL_RES_NAME_CHK(send) +- _ABI_SYSCALL_RES_NAME_CHK(recv) +- _ABI_SYSCALL_RES_NAME_CHK(sendto) +- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) +- _ABI_SYSCALL_RES_NAME_CHK(shutdown) +- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) +- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) +- _ABI_SYSCALL_RES_NAME_CHK(accept4) +- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(semop) +- _ABI_SYSCALL_RES_NAME_CHK(semget) +- _ABI_SYSCALL_RES_NAME_CHK(semctl) +- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) +- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) +- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) +- _ABI_SYSCALL_RES_NAME_CHK(msgget) +- _ABI_SYSCALL_RES_NAME_CHK(msgctl) +- _ABI_SYSCALL_RES_NAME_CHK(shmat) +- _ABI_SYSCALL_RES_NAME_CHK(shmdt) +- _ABI_SYSCALL_RES_NAME_CHK(shmget) 
+- _ABI_SYSCALL_RES_NAME_CHK(shmctl) +- +- return arch->syscall_resolve_name_raw(name); +-} +- +-/** +- * Resolve a syscall number to a name +- * @param arch the arch definition +- * @param num the syscall number +- * +- * Resolve the given syscall number to the syscall name using the syscall table. +- * Returns a pointer to the syscall name string on success, including pseudo +- * syscall names; returns NULL on failure. +- * +- */ +-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num) +-{ +- +-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ +- if (num == __PNR_##NAME) return #NAME; +- +- _ABI_SYSCALL_RES_NUM_CHK(socket) +- _ABI_SYSCALL_RES_NUM_CHK(bind) +- _ABI_SYSCALL_RES_NUM_CHK(connect) +- _ABI_SYSCALL_RES_NUM_CHK(listen) +- _ABI_SYSCALL_RES_NUM_CHK(accept) +- _ABI_SYSCALL_RES_NUM_CHK(getsockname) +- _ABI_SYSCALL_RES_NUM_CHK(getpeername) +- _ABI_SYSCALL_RES_NUM_CHK(socketpair) +- _ABI_SYSCALL_RES_NUM_CHK(send) +- _ABI_SYSCALL_RES_NUM_CHK(recv) +- _ABI_SYSCALL_RES_NUM_CHK(sendto) +- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) +- _ABI_SYSCALL_RES_NUM_CHK(shutdown) +- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) +- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) +- _ABI_SYSCALL_RES_NUM_CHK(accept4) +- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(semop) +- _ABI_SYSCALL_RES_NUM_CHK(semget) +- _ABI_SYSCALL_RES_NUM_CHK(semctl) +- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) +- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) +- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) +- _ABI_SYSCALL_RES_NUM_CHK(msgget) +- _ABI_SYSCALL_RES_NUM_CHK(msgctl) +- _ABI_SYSCALL_RES_NUM_CHK(shmat) +- _ABI_SYSCALL_RES_NUM_CHK(shmdt) +- _ABI_SYSCALL_RES_NUM_CHK(shmget) +- _ABI_SYSCALL_RES_NUM_CHK(shmctl) +- +- return arch->syscall_resolve_num_raw(num); +-} +- +-/** +- * Check if a syscall is a socket syscall +- * @param arch the arch definition +- * @param sys the syscall number +- * +- * Returns true if 
the syscall is a socket related syscall, false otherwise. +- * +- */ +-static bool _abi_syscall_socket_test(const struct arch_def *arch, int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -100 && sys >= -120) +- return true; +- +- name = arch->syscall_resolve_num_raw(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_SOCK_CHK(socket) +- _ABI_SYSCALL_SOCK_CHK(bind) +- _ABI_SYSCALL_SOCK_CHK(connect) +- _ABI_SYSCALL_SOCK_CHK(listen) +- _ABI_SYSCALL_SOCK_CHK(accept) +- _ABI_SYSCALL_SOCK_CHK(getsockname) +- _ABI_SYSCALL_SOCK_CHK(getpeername) +- _ABI_SYSCALL_SOCK_CHK(socketpair) +- _ABI_SYSCALL_SOCK_CHK(send) +- _ABI_SYSCALL_SOCK_CHK(recv) +- _ABI_SYSCALL_SOCK_CHK(sendto) +- _ABI_SYSCALL_SOCK_CHK(recvfrom) +- _ABI_SYSCALL_SOCK_CHK(shutdown) +- _ABI_SYSCALL_SOCK_CHK(setsockopt) +- _ABI_SYSCALL_SOCK_CHK(getsockopt) +- _ABI_SYSCALL_SOCK_CHK(sendmsg) +- _ABI_SYSCALL_SOCK_CHK(recvmsg) +- _ABI_SYSCALL_SOCK_CHK(accept4) +- _ABI_SYSCALL_SOCK_CHK(recvmmsg) +- _ABI_SYSCALL_SOCK_CHK(sendmmsg) +- +- return false; +-} +- +-/** +- * Check if a syscall is an ipc syscall +- * @param arch the arch definition +- * @param sys the syscall number +- * +- * Returns true if the syscall is an ipc related syscall, false otherwise. 
+- * +- */ +-static bool _abi_syscall_ipc_test(const struct arch_def *arch, int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -200 && sys >= -224) +- return true; +- +- name = arch->syscall_resolve_num_raw(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_IPC_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_IPC_CHK(semop) +- _ABI_SYSCALL_IPC_CHK(semget) +- _ABI_SYSCALL_IPC_CHK(semctl) +- _ABI_SYSCALL_IPC_CHK(semtimedop) +- _ABI_SYSCALL_IPC_CHK(msgsnd) +- _ABI_SYSCALL_IPC_CHK(msgrcv) +- _ABI_SYSCALL_IPC_CHK(msgget) +- _ABI_SYSCALL_IPC_CHK(msgctl) +- _ABI_SYSCALL_IPC_CHK(shmat) +- _ABI_SYSCALL_IPC_CHK(shmdt) +- _ABI_SYSCALL_IPC_CHK(shmget) +- _ABI_SYSCALL_IPC_CHK(shmctl) +- +- return false; +-} +- +-/** +- * Convert a multiplexed pseudo syscall into a direct syscall +- * @param arch the arch definition +- * @param syscall the multiplexed pseudo syscall number +- * +- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +- * no related syscall, or __NR_SCMP_ERROR otherwise. 
+- * +- */ +-static int _abi_syscall_demux(const struct arch_def *arch, int syscall) +-{ +- int sys = __NR_SCMP_UNDEF; +- +-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ +-case __PNR_##NAME: \ +- sys = arch->syscall_resolve_name_raw(#NAME); break; +- +- switch (syscall) { +- _ABI_SYSCALL_DEMUX_CHK(socket) +- _ABI_SYSCALL_DEMUX_CHK(bind) +- _ABI_SYSCALL_DEMUX_CHK(connect) +- _ABI_SYSCALL_DEMUX_CHK(listen) +- _ABI_SYSCALL_DEMUX_CHK(accept) +- _ABI_SYSCALL_DEMUX_CHK(getsockname) +- _ABI_SYSCALL_DEMUX_CHK(getpeername) +- _ABI_SYSCALL_DEMUX_CHK(socketpair) +- _ABI_SYSCALL_DEMUX_CHK(send) +- _ABI_SYSCALL_DEMUX_CHK(recv) +- _ABI_SYSCALL_DEMUX_CHK(sendto) +- _ABI_SYSCALL_DEMUX_CHK(recvfrom) +- _ABI_SYSCALL_DEMUX_CHK(shutdown) +- _ABI_SYSCALL_DEMUX_CHK(setsockopt) +- _ABI_SYSCALL_DEMUX_CHK(getsockopt) +- _ABI_SYSCALL_DEMUX_CHK(sendmsg) +- _ABI_SYSCALL_DEMUX_CHK(recvmsg) +- _ABI_SYSCALL_DEMUX_CHK(accept4) +- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) +- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) +- _ABI_SYSCALL_DEMUX_CHK(semop) +- _ABI_SYSCALL_DEMUX_CHK(semget) +- _ABI_SYSCALL_DEMUX_CHK(semctl) +- _ABI_SYSCALL_DEMUX_CHK(semtimedop) +- _ABI_SYSCALL_DEMUX_CHK(msgsnd) +- _ABI_SYSCALL_DEMUX_CHK(msgrcv) +- _ABI_SYSCALL_DEMUX_CHK(msgget) +- _ABI_SYSCALL_DEMUX_CHK(msgctl) +- _ABI_SYSCALL_DEMUX_CHK(shmat) +- _ABI_SYSCALL_DEMUX_CHK(shmdt) +- _ABI_SYSCALL_DEMUX_CHK(shmget) +- _ABI_SYSCALL_DEMUX_CHK(shmctl) +- } +- +- /* this looks odd because the arch resolver returns _ERROR if it can't +- * resolve the syscall, but we want to use _UNDEF for that, so we set +- * 'sys' to a sentinel value of _UNDEF and if it is error here we know +- * the resolve failed to find a match */ +- if (sys == __NR_SCMP_UNDEF) +- sys = __NR_SCMP_ERROR; +- else if (sys == __NR_SCMP_ERROR) +- sys = __NR_SCMP_UNDEF; +- +- return sys; +-} +- +-/** +- * Convert a direct syscall into multiplexed pseudo socket syscall +- * @param arch the arch definition +- * @param syscall the direct syscall +- * +- * Return the related multiplexed pseduo 
syscall number, __NR_SCMP_UNDEF is +- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +- * +- */ +-static int _abi_syscall_mux(const struct arch_def *arch, int syscall) +-{ +- const char *sys; +- +- sys = arch->syscall_resolve_num_raw(syscall); +- if (!sys) +- return __NR_SCMP_ERROR; +- +-#define _ABI_SYSCALL_MUX_CHK(NAME) \ +- if (!strcmp(sys, #NAME)) return __PNR_##NAME; +- +- _ABI_SYSCALL_MUX_CHK(socket) +- _ABI_SYSCALL_MUX_CHK(bind) +- _ABI_SYSCALL_MUX_CHK(connect) +- _ABI_SYSCALL_MUX_CHK(listen) +- _ABI_SYSCALL_MUX_CHK(accept) +- _ABI_SYSCALL_MUX_CHK(getsockname) +- _ABI_SYSCALL_MUX_CHK(getpeername) +- _ABI_SYSCALL_MUX_CHK(socketpair) +- _ABI_SYSCALL_MUX_CHK(send) +- _ABI_SYSCALL_MUX_CHK(recv) +- _ABI_SYSCALL_MUX_CHK(sendto) +- _ABI_SYSCALL_MUX_CHK(recvfrom) +- _ABI_SYSCALL_MUX_CHK(shutdown) +- _ABI_SYSCALL_MUX_CHK(setsockopt) +- _ABI_SYSCALL_MUX_CHK(getsockopt) +- _ABI_SYSCALL_MUX_CHK(sendmsg) +- _ABI_SYSCALL_MUX_CHK(recvmsg) +- _ABI_SYSCALL_MUX_CHK(accept4) +- _ABI_SYSCALL_MUX_CHK(recvmmsg) +- _ABI_SYSCALL_MUX_CHK(sendmmsg) +- _ABI_SYSCALL_MUX_CHK(semop) +- _ABI_SYSCALL_MUX_CHK(semget) +- _ABI_SYSCALL_MUX_CHK(semctl) +- _ABI_SYSCALL_MUX_CHK(semtimedop) +- _ABI_SYSCALL_MUX_CHK(msgsnd) +- _ABI_SYSCALL_MUX_CHK(msgrcv) +- _ABI_SYSCALL_MUX_CHK(msgget) +- _ABI_SYSCALL_MUX_CHK(msgctl) +- _ABI_SYSCALL_MUX_CHK(shmat) +- _ABI_SYSCALL_MUX_CHK(shmdt) +- _ABI_SYSCALL_MUX_CHK(shmget) +- _ABI_SYSCALL_MUX_CHK(shmctl) +- +- return __NR_SCMP_ERROR; +-} +- +-/** +- * Rewrite a syscall value to match the architecture +- * @param arch the arch definition +- * @param syscall the syscall number +- * +- * Syscalls can vary across different architectures so this function rewrites +- * the syscall into the correct value for the specified architecture. Returns +- * zero on success, negative values on failure. 
+- * +- */ +-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall) +-{ +- int sys = *syscall; +- +- if (sys <= -100 && sys >= -120) +- *syscall = arch->sys_socketcall; +- else if (sys <= -200 && sys >= -224) +- *syscall = arch->sys_ipc; +- else if (sys < 0) +- return -EDOM; +- +- return 0; +-} +- +-/** +- * add a new rule to the abi seccomp filter +- * @param db the seccomp filter db +- * @param rule the filter rule +- * +- * This function adds a new syscall filter to the seccomp filter db, making any +- * necessary adjustments for the abi ABI. Returns zero on success, negative +- * values on failure. +- * +- * It is important to note that in the case of failure the db may be corrupted, +- * the caller must use the transaction mechanism if the db integrity is +- * important. +- * +- */ +-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +-{ +- int rc = 0; +- unsigned int iter; +- int sys = rule->syscall; +- int sys_a, sys_b; +- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +- +- if (_abi_syscall_socket_test(db->arch, sys)) { +- /* socket syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _abi_syscall_mux(db->arch, sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _abi_syscall_demux(db->arch, sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two 
rules, dup the first and link together */ +- rule_a = rule; +- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; +- } +- +- /* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = db->arch->sys_socketcall; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 100; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (_abi_syscall_ipc_test(db->arch, sys)) { +- /* ipc syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _abi_syscall_mux(db->arch, sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _abi_syscall_demux(db->arch, sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two rules, dup the first and link together */ +- rule_a = rule; +- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto 
add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; +- } +- +- /* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = db->arch->sys_ipc; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 200; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (sys >= 0) { +- /* normal syscall processing */ +- rc = db_rule_add(db, rule); +- if (rc < 0) +- goto add_return; +- } else if (rule->strict) { +- rc = -EDOM; +- goto add_return; +- } +- +-add_return: +- if (rule_dup != NULL) +- free(rule_dup); +- return rc; +-} +diff --git a/src/syscalls.h b/src/syscalls.h +--- a/src/syscalls.h ++++ b/src/syscalls.h +@@ -59,12 +59,4 @@ int syscall_resolve_name(const char *name, int offset); + const char *syscall_resolve_num(int num, int offset); + const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset); + +-/* helper functions for multiplexed syscalls, e.g. socketcall(2) and ipc(2) */ +-int abi_syscall_resolve_name_munge(const struct arch_def *arch, +- const char *name); +-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num); +-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall); +-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule); +- +- + #endif diff --git a/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch b/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch new file mode 100644 index 0000000..56eaca7 --- /dev/null +++ b/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch 
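Review bot: the helpers removed here (`_abi_syscall_ipc_test`, `_abi_syscall_demux`, `_abi_syscall_mux`, `abi_syscall_rewrite`, `abi_rule_add`) are the callers of the per-arch hooks `arch->syscall_resolve_num_raw`, `arch->syscall_resolve_name_raw`, `arch->sys_socketcall` and `arch->sys_ipc`; if the commit being reverted also added those members to `struct arch_def` (not visible in this excerpt), this patch should drop them from arch.h and from every arch_def initializer too, otherwise the revert is partial and leaves dead fields behind. The syscalls.h hunk removes the four `abi_*` prototypes, so after all revert patches in this series are applied, run `git grep -e abi_rule_add -e abi_syscall_rewrite -e abi_syscall_resolve_` over src/ and tests/ to confirm no arch file or test still references them; a stale caller would only surface as a build failure on the affected architectures. Unrelated to the revert but worth noting for anyone re-applying this code later: in the deleted `abi_rule_add`, the `if (rule_b == NULL) goto add_return;` path after `db_rule_dup()` leaves `rc` at 0, so an allocation failure there is reported as success.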
@@ -0,0 +1,572 @@ +REVERTS + +From e976080ac5547a46f4654abc710e89bed992bb63 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 3 Aug 2021 23:09:04 -0400 +Subject: [PATCH] mips: add multiplexed syscall support to MIPS + +Acked-by: Tom Hromatka +Signed-off-by: Paul Moore + +(imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae) +--- + src/arch-mips.c | 508 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 495 insertions(+), 13 deletions(-) + +diff --git a/src/arch-mips.c b/src/arch-mips.c +--- a/src/arch-mips.c ++++ b/src/arch-mips.c +@@ -22,21 +22,14 @@ + + #include + #include +-#include + #include + +-#include "db.h" +-#include "syscalls.h" + #include "arch.h" + #include "arch-mips.h" + + /* O32 ABI */ + #define __SCMP_NR_BASE 4000 + +-/* mips syscall numbers */ +-#define __mips_NR_socketcall 102 +-#define __mips_NR_ipc 117 +- + /** + * Resolve a syscall name to a number + * @param name the syscall name +@@ -48,44 +41,14 @@ + */ + int mips_syscall_resolve_name_munge(const char *name) + { ++ int sys; + +-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return __PNR_##NAME; ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = mips_syscall_resolve_name(name); ++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; + +- _ABI_SYSCALL_RES_NAME_CHK(socket) +- _ABI_SYSCALL_RES_NAME_CHK(bind) +- _ABI_SYSCALL_RES_NAME_CHK(connect) +- _ABI_SYSCALL_RES_NAME_CHK(listen) +- _ABI_SYSCALL_RES_NAME_CHK(accept) +- _ABI_SYSCALL_RES_NAME_CHK(getsockname) +- _ABI_SYSCALL_RES_NAME_CHK(getpeername) +- _ABI_SYSCALL_RES_NAME_CHK(socketpair) +- _ABI_SYSCALL_RES_NAME_CHK(send) +- _ABI_SYSCALL_RES_NAME_CHK(recv) +- _ABI_SYSCALL_RES_NAME_CHK(sendto) +- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) +- _ABI_SYSCALL_RES_NAME_CHK(shutdown) +- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) +- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) +- _ABI_SYSCALL_RES_NAME_CHK(accept4) 
+- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(semop) +- _ABI_SYSCALL_RES_NAME_CHK(semget) +- _ABI_SYSCALL_RES_NAME_CHK(semctl) +- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) +- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) +- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) +- _ABI_SYSCALL_RES_NAME_CHK(msgget) +- _ABI_SYSCALL_RES_NAME_CHK(msgctl) +- _ABI_SYSCALL_RES_NAME_CHK(shmat) +- _ABI_SYSCALL_RES_NAME_CHK(shmdt) +- _ABI_SYSCALL_RES_NAME_CHK(shmget) +- _ABI_SYSCALL_RES_NAME_CHK(shmctl) +- +- return mips_syscall_resolve_name(name); ++ return sys + __SCMP_NR_BASE; + } + + /** +@@ -99,457 +62,12 @@ int mips_syscall_resolve_name_munge(const char *name) + */ + const char *mips_syscall_resolve_num_munge(int num) + { +- +-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ +- if (num == __PNR_##NAME) return #NAME; +- +- _ABI_SYSCALL_RES_NUM_CHK(socket) +- _ABI_SYSCALL_RES_NUM_CHK(bind) +- _ABI_SYSCALL_RES_NUM_CHK(connect) +- _ABI_SYSCALL_RES_NUM_CHK(listen) +- _ABI_SYSCALL_RES_NUM_CHK(accept) +- _ABI_SYSCALL_RES_NUM_CHK(getsockname) +- _ABI_SYSCALL_RES_NUM_CHK(getpeername) +- _ABI_SYSCALL_RES_NUM_CHK(socketpair) +- _ABI_SYSCALL_RES_NUM_CHK(send) +- _ABI_SYSCALL_RES_NUM_CHK(recv) +- _ABI_SYSCALL_RES_NUM_CHK(sendto) +- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) +- _ABI_SYSCALL_RES_NUM_CHK(shutdown) +- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) +- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) +- _ABI_SYSCALL_RES_NUM_CHK(accept4) +- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(semop) +- _ABI_SYSCALL_RES_NUM_CHK(semget) +- _ABI_SYSCALL_RES_NUM_CHK(semctl) +- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) +- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) +- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) +- _ABI_SYSCALL_RES_NUM_CHK(msgget) +- _ABI_SYSCALL_RES_NUM_CHK(msgctl) +- _ABI_SYSCALL_RES_NUM_CHK(shmat) +- _ABI_SYSCALL_RES_NUM_CHK(shmdt) +- _ABI_SYSCALL_RES_NUM_CHK(shmget) +- 
_ABI_SYSCALL_RES_NUM_CHK(shmctl) +- ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ if (num >= __SCMP_NR_BASE) ++ num -= __SCMP_NR_BASE; + return mips_syscall_resolve_num(num); + } + +-/** +- * Check if a syscall is a socket syscall +- * @param sys the syscall number +- * +- * Returns true if the syscall is a socket related syscall, false otherwise. +- * +- */ +-static bool _mips_syscall_socket_test(int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -100 && sys >= -120) +- return true; +- +- name = mips_syscall_resolve_num(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_SOCK_CHK(socket) +- _ABI_SYSCALL_SOCK_CHK(bind) +- _ABI_SYSCALL_SOCK_CHK(connect) +- _ABI_SYSCALL_SOCK_CHK(listen) +- _ABI_SYSCALL_SOCK_CHK(accept) +- _ABI_SYSCALL_SOCK_CHK(getsockname) +- _ABI_SYSCALL_SOCK_CHK(getpeername) +- _ABI_SYSCALL_SOCK_CHK(socketpair) +- _ABI_SYSCALL_SOCK_CHK(send) +- _ABI_SYSCALL_SOCK_CHK(recv) +- _ABI_SYSCALL_SOCK_CHK(sendto) +- _ABI_SYSCALL_SOCK_CHK(recvfrom) +- _ABI_SYSCALL_SOCK_CHK(shutdown) +- _ABI_SYSCALL_SOCK_CHK(setsockopt) +- _ABI_SYSCALL_SOCK_CHK(getsockopt) +- _ABI_SYSCALL_SOCK_CHK(sendmsg) +- _ABI_SYSCALL_SOCK_CHK(recvmsg) +- _ABI_SYSCALL_SOCK_CHK(accept4) +- _ABI_SYSCALL_SOCK_CHK(recvmmsg) +- _ABI_SYSCALL_SOCK_CHK(sendmmsg) +- +- return false; +-} +- +-/** +- * Check if a syscall is an ipc syscall +- * @param sys the syscall number +- * +- * Returns true if the syscall is an ipc related syscall, false otherwise. 
+- * +- */ +-static bool _mips_syscall_ipc_test(int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -200 && sys >= -224) +- return true; +- +- name = mips_syscall_resolve_num(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_IPC_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_IPC_CHK(semop) +- _ABI_SYSCALL_IPC_CHK(semget) +- _ABI_SYSCALL_IPC_CHK(semctl) +- _ABI_SYSCALL_IPC_CHK(semtimedop) +- _ABI_SYSCALL_IPC_CHK(msgsnd) +- _ABI_SYSCALL_IPC_CHK(msgrcv) +- _ABI_SYSCALL_IPC_CHK(msgget) +- _ABI_SYSCALL_IPC_CHK(msgctl) +- _ABI_SYSCALL_IPC_CHK(shmat) +- _ABI_SYSCALL_IPC_CHK(shmdt) +- _ABI_SYSCALL_IPC_CHK(shmget) +- _ABI_SYSCALL_IPC_CHK(shmctl) +- +- return false; +-} +- +-/** +- * Convert a multiplexed pseudo syscall into a direct syscall +- * @param syscall the multiplexed pseudo syscall number +- * +- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +- * no related syscall, or __NR_SCMP_ERROR otherwise. 
+- * +- */ +-static int _mips_syscall_demux(int syscall) +-{ +- int sys = __NR_SCMP_UNDEF; +- +-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ +-case __PNR_##NAME: \ +- sys = mips_syscall_resolve_name(#NAME); break; +- +- switch (syscall) { +- _ABI_SYSCALL_DEMUX_CHK(socket) +- _ABI_SYSCALL_DEMUX_CHK(bind) +- _ABI_SYSCALL_DEMUX_CHK(connect) +- _ABI_SYSCALL_DEMUX_CHK(listen) +- _ABI_SYSCALL_DEMUX_CHK(accept) +- _ABI_SYSCALL_DEMUX_CHK(getsockname) +- _ABI_SYSCALL_DEMUX_CHK(getpeername) +- _ABI_SYSCALL_DEMUX_CHK(socketpair) +- _ABI_SYSCALL_DEMUX_CHK(send) +- _ABI_SYSCALL_DEMUX_CHK(recv) +- _ABI_SYSCALL_DEMUX_CHK(sendto) +- _ABI_SYSCALL_DEMUX_CHK(recvfrom) +- _ABI_SYSCALL_DEMUX_CHK(shutdown) +- _ABI_SYSCALL_DEMUX_CHK(setsockopt) +- _ABI_SYSCALL_DEMUX_CHK(getsockopt) +- _ABI_SYSCALL_DEMUX_CHK(sendmsg) +- _ABI_SYSCALL_DEMUX_CHK(recvmsg) +- _ABI_SYSCALL_DEMUX_CHK(accept4) +- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) +- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) +- _ABI_SYSCALL_DEMUX_CHK(semop) +- _ABI_SYSCALL_DEMUX_CHK(semget) +- _ABI_SYSCALL_DEMUX_CHK(semctl) +- _ABI_SYSCALL_DEMUX_CHK(semtimedop) +- _ABI_SYSCALL_DEMUX_CHK(msgsnd) +- _ABI_SYSCALL_DEMUX_CHK(msgrcv) +- _ABI_SYSCALL_DEMUX_CHK(msgget) +- _ABI_SYSCALL_DEMUX_CHK(msgctl) +- _ABI_SYSCALL_DEMUX_CHK(shmat) +- _ABI_SYSCALL_DEMUX_CHK(shmdt) +- _ABI_SYSCALL_DEMUX_CHK(shmget) +- _ABI_SYSCALL_DEMUX_CHK(shmctl) +- } +- +- /* this looks odd because the arch resolver returns _ERROR if it can't +- * resolve the syscall, but we want to use _UNDEF for that, so we set +- * 'sys' to a sentinel value of _UNDEF and if it is error here we know +- * the resolve failed to find a match */ +- if (sys == __NR_SCMP_UNDEF) +- sys = __NR_SCMP_ERROR; +- else if (sys == __NR_SCMP_ERROR) +- sys = __NR_SCMP_UNDEF; +- +- return sys; +-} +- +-/** +- * Convert a direct syscall into multiplexed pseudo socket syscall +- * @param syscall the direct syscall +- * +- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +- * there is no related pseudo 
syscall, or __NR_SCMP_ERROR otherwise. +- * +- */ +-static int _mips_syscall_mux(int syscall) +-{ +- const char *sys; +- +- sys = mips_syscall_resolve_num(syscall); +- if (!sys) +- return __NR_SCMP_ERROR; +- +-#define _ABI_SYSCALL_MUX_CHK(NAME) \ +- if (!strcmp(sys, #NAME)) return __PNR_##NAME; +- +- _ABI_SYSCALL_MUX_CHK(socket) +- _ABI_SYSCALL_MUX_CHK(bind) +- _ABI_SYSCALL_MUX_CHK(connect) +- _ABI_SYSCALL_MUX_CHK(listen) +- _ABI_SYSCALL_MUX_CHK(accept) +- _ABI_SYSCALL_MUX_CHK(getsockname) +- _ABI_SYSCALL_MUX_CHK(getpeername) +- _ABI_SYSCALL_MUX_CHK(socketpair) +- _ABI_SYSCALL_MUX_CHK(send) +- _ABI_SYSCALL_MUX_CHK(recv) +- _ABI_SYSCALL_MUX_CHK(sendto) +- _ABI_SYSCALL_MUX_CHK(recvfrom) +- _ABI_SYSCALL_MUX_CHK(shutdown) +- _ABI_SYSCALL_MUX_CHK(setsockopt) +- _ABI_SYSCALL_MUX_CHK(getsockopt) +- _ABI_SYSCALL_MUX_CHK(sendmsg) +- _ABI_SYSCALL_MUX_CHK(recvmsg) +- _ABI_SYSCALL_MUX_CHK(accept4) +- _ABI_SYSCALL_MUX_CHK(recvmmsg) +- _ABI_SYSCALL_MUX_CHK(sendmmsg) +- _ABI_SYSCALL_MUX_CHK(semop) +- _ABI_SYSCALL_MUX_CHK(semget) +- _ABI_SYSCALL_MUX_CHK(semctl) +- _ABI_SYSCALL_MUX_CHK(semtimedop) +- _ABI_SYSCALL_MUX_CHK(msgsnd) +- _ABI_SYSCALL_MUX_CHK(msgrcv) +- _ABI_SYSCALL_MUX_CHK(msgget) +- _ABI_SYSCALL_MUX_CHK(msgctl) +- _ABI_SYSCALL_MUX_CHK(shmat) +- _ABI_SYSCALL_MUX_CHK(shmdt) +- _ABI_SYSCALL_MUX_CHK(shmget) +- _ABI_SYSCALL_MUX_CHK(shmctl) +- +- return __NR_SCMP_ERROR; +-} +- +-/** +- * Rewrite a syscall value to match the architecture +- * @param syscall the syscall number +- * +- * Syscalls can vary across different architectures so this function rewrites +- * the syscall into the correct value for the specified architecture. Returns +- * zero on success, negative values on failure. 
+- * +- */ +-int mips_syscall_rewrite(int *syscall) +-{ +- int sys = *syscall; +- +- if (sys <= -100 && sys >= -120) +- *syscall = __mips_NR_socketcall; +- else if (sys <= -200 && sys >= -224) +- *syscall = __mips_NR_ipc; +- else if (sys < 0) +- return -EDOM; +- +- return 0; +-} +- +-/** +- * add a new rule to the mips seccomp filter +- * @param db the seccomp filter db +- * @param rule the filter rule +- * +- * This function adds a new syscall filter to the seccomp filter db, making any +- * necessary adjustments for the mips ABI. Returns zero on success, negative +- * values on failure. +- * +- * It is important to note that in the case of failure the db may be corrupted, +- * the caller must use the transaction mechanism if the db integrity is +- * important. +- * +- */ +-int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +-{ +- int rc = 0; +- unsigned int iter; +- int sys = rule->syscall; +- int sys_a, sys_b; +- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +- +- if (_mips_syscall_socket_test(sys)) { +- /* socket syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _mips_syscall_mux(sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _mips_syscall_demux(sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two rules, dup the first and link together */ +- rule_a 
= rule; +- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; +- } +- +- /* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = __mips_NR_socketcall; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 100; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (_mips_syscall_ipc_test(sys)) { +- /* ipc syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _mips_syscall_mux(sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _mips_syscall_demux(sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two rules, dup the first and link together */ +- rule_a = rule; +- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; 
+- } +- +- /* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = __mips_NR_ipc; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 200; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (sys >= 0) { +- /* normal syscall processing */ +- rc = db_rule_add(db, rule); +- if (rc < 0) +- goto add_return; +- } else if (rule->strict) { +- rc = -EDOM; +- goto add_return; +- } +- +-add_return: +- if (rule_dup != NULL) +- free(rule_dup); +- return rc; +-} +- + const struct arch_def arch_def_mips = { + .token = SCMP_ARCH_MIPS, + .token_bpf = AUDIT_ARCH_MIPS, +@@ -557,8 +75,8 @@ const struct arch_def arch_def_mips = { + .endian = ARCH_ENDIAN_BIG, + .syscall_resolve_name = mips_syscall_resolve_name_munge, + .syscall_resolve_num = mips_syscall_resolve_num_munge, +- .syscall_rewrite = mips_syscall_rewrite, +- .rule_add = mips_rule_add, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, + }; + + const struct arch_def arch_def_mipsel = { +@@ -568,6 +86,6 @@ const struct arch_def arch_def_mipsel = { + .endian = ARCH_ENDIAN_LITTLE, + .syscall_resolve_name = mips_syscall_resolve_name_munge, + .syscall_resolve_num = mips_syscall_resolve_num_munge, +- .syscall_rewrite = mips_syscall_rewrite, +- .rule_add = mips_rule_add, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, + }; diff --git a/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch b/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch new file mode 100644 index 0000000..974b550 --- /dev/null 
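Review bot: this revert is a functional regression, not only a test fix, and the patch header should say so. With `.syscall_rewrite = NULL` and `.rule_add = NULL` restored in `arch_def_mips` and `arch_def_mipsel`, a rule added for `socket`, `bind`, `semop`, `shmat` or any other name in the removed `_ABI_SYSCALL_*_CHK` tables matches only the direct syscall number; the same operation entered through the multiplexers `__mips_NR_socketcall` (102) and `__mips_NR_ipc` (117), whose definitions this hunk also deletes, is no longer covered by that rule. For an allow-list filter this fails safe (the multiplexer falls through to the default action); for a deny-list filter it is a bypass wherever the kernel still offers the multiplexed entry point. A DEP-3 header (`Description:` with the reason and a bug reference) instead of the bare `REVERTS` line would record that trade-off and make it obvious when the patch can be dropped again. On the restored code itself: `mips_syscall_resolve_name_munge` returns `sys` unchanged for `sys < 0`, so the negative `__PNR_*` pseudo numbers never receive the `__SCMP_NR_BASE` offset, and `mips_syscall_resolve_num_munge` only subtracts the base for `num >= __SCMP_NR_BASE`; the two munge functions are consistent with each other, which is what the pre-existing NOTE comments describe.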
+++ b/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch 
@@ -0,0 +1,563 @@ +REVERTS + +From f93a872fbc404df3dd3739dd399ad67f139fb1fa Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 3 Aug 2021 23:21:55 -0400 +Subject: [PATCH] ppc: add multiplexed syscall support to PPC + +Acked-by: Tom Hromatka +Signed-off-by: Paul Moore + +(imported from commit 255801bccf89343c684b2b94e85d9e0df484c133) +--- + src/arch-ppc.c | 530 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 526 insertions(+), 4 deletions(-) + +diff --git a/src/arch-ppc.c b/src/arch-ppc.c +--- a/src/arch-ppc.c ++++ b/src/arch-ppc.c +@@ -20,540 +20,18 @@ + * along with this library; if not, see . + */ + +-#include +-#include +-#include + #include + +-#include "db.h" +-#include "syscalls.h" + #include "arch.h" + #include "arch-ppc.h" + +-/* ppc syscall numbers */ +-#define __ppc_NR_socketcall 102 +-#define __ppc_NR_ipc 117 +- +-/** +- * Resolve a syscall name to a number +- * @param name the syscall name +- * +- * Resolve the given syscall name to the syscall number using the syscall table. +- * Returns the syscall number on success, including negative pseudo syscall +- * numbers; returns __NR_SCMP_ERROR on failure. 
+- * +- */ +-int ppc_syscall_resolve_name_munge(const char *name) +-{ +- +-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return __PNR_##NAME; +- +- _ABI_SYSCALL_RES_NAME_CHK(socket) +- _ABI_SYSCALL_RES_NAME_CHK(bind) +- _ABI_SYSCALL_RES_NAME_CHK(connect) +- _ABI_SYSCALL_RES_NAME_CHK(listen) +- _ABI_SYSCALL_RES_NAME_CHK(accept) +- _ABI_SYSCALL_RES_NAME_CHK(getsockname) +- _ABI_SYSCALL_RES_NAME_CHK(getpeername) +- _ABI_SYSCALL_RES_NAME_CHK(socketpair) +- _ABI_SYSCALL_RES_NAME_CHK(send) +- _ABI_SYSCALL_RES_NAME_CHK(recv) +- _ABI_SYSCALL_RES_NAME_CHK(sendto) +- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) +- _ABI_SYSCALL_RES_NAME_CHK(shutdown) +- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) +- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) +- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) +- _ABI_SYSCALL_RES_NAME_CHK(accept4) +- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NAME_CHK(semop) +- _ABI_SYSCALL_RES_NAME_CHK(semget) +- _ABI_SYSCALL_RES_NAME_CHK(semctl) +- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) +- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) +- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) +- _ABI_SYSCALL_RES_NAME_CHK(msgget) +- _ABI_SYSCALL_RES_NAME_CHK(msgctl) +- _ABI_SYSCALL_RES_NAME_CHK(shmat) +- _ABI_SYSCALL_RES_NAME_CHK(shmdt) +- _ABI_SYSCALL_RES_NAME_CHK(shmget) +- _ABI_SYSCALL_RES_NAME_CHK(shmctl) +- +- return ppc_syscall_resolve_name(name); +-} +- +-/** +- * Resolve a syscall number to a name +- * @param num the syscall number +- * +- * Resolve the given syscall number to the syscall name using the syscall table. +- * Returns a pointer to the syscall name string on success, including pseudo +- * syscall names; returns NULL on failure. 
+- * +- */ +-const char *ppc_syscall_resolve_num_munge(int num) +-{ +- +-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ +- if (num == __PNR_##NAME) return #NAME; +- +- _ABI_SYSCALL_RES_NUM_CHK(socket) +- _ABI_SYSCALL_RES_NUM_CHK(bind) +- _ABI_SYSCALL_RES_NUM_CHK(connect) +- _ABI_SYSCALL_RES_NUM_CHK(listen) +- _ABI_SYSCALL_RES_NUM_CHK(accept) +- _ABI_SYSCALL_RES_NUM_CHK(getsockname) +- _ABI_SYSCALL_RES_NUM_CHK(getpeername) +- _ABI_SYSCALL_RES_NUM_CHK(socketpair) +- _ABI_SYSCALL_RES_NUM_CHK(send) +- _ABI_SYSCALL_RES_NUM_CHK(recv) +- _ABI_SYSCALL_RES_NUM_CHK(sendto) +- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) +- _ABI_SYSCALL_RES_NUM_CHK(shutdown) +- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) +- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) +- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) +- _ABI_SYSCALL_RES_NUM_CHK(accept4) +- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) +- _ABI_SYSCALL_RES_NUM_CHK(semop) +- _ABI_SYSCALL_RES_NUM_CHK(semget) +- _ABI_SYSCALL_RES_NUM_CHK(semctl) +- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) +- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) +- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) +- _ABI_SYSCALL_RES_NUM_CHK(msgget) +- _ABI_SYSCALL_RES_NUM_CHK(msgctl) +- _ABI_SYSCALL_RES_NUM_CHK(shmat) +- _ABI_SYSCALL_RES_NUM_CHK(shmdt) +- _ABI_SYSCALL_RES_NUM_CHK(shmget) +- _ABI_SYSCALL_RES_NUM_CHK(shmctl) +- +- return ppc_syscall_resolve_num(num); +-} +- +-/** +- * Check if a syscall is a socket syscall +- * @param sys the syscall number +- * +- * Returns true if the syscall is a socket related syscall, false otherwise. 
+- * +- */ +-static bool _ppc_syscall_socket_test(int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -100 && sys >= -120) +- return true; +- +- name = ppc_syscall_resolve_num(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_SOCK_CHK(socket) +- _ABI_SYSCALL_SOCK_CHK(bind) +- _ABI_SYSCALL_SOCK_CHK(connect) +- _ABI_SYSCALL_SOCK_CHK(listen) +- _ABI_SYSCALL_SOCK_CHK(accept) +- _ABI_SYSCALL_SOCK_CHK(getsockname) +- _ABI_SYSCALL_SOCK_CHK(getpeername) +- _ABI_SYSCALL_SOCK_CHK(socketpair) +- _ABI_SYSCALL_SOCK_CHK(send) +- _ABI_SYSCALL_SOCK_CHK(recv) +- _ABI_SYSCALL_SOCK_CHK(sendto) +- _ABI_SYSCALL_SOCK_CHK(recvfrom) +- _ABI_SYSCALL_SOCK_CHK(shutdown) +- _ABI_SYSCALL_SOCK_CHK(setsockopt) +- _ABI_SYSCALL_SOCK_CHK(getsockopt) +- _ABI_SYSCALL_SOCK_CHK(sendmsg) +- _ABI_SYSCALL_SOCK_CHK(recvmsg) +- _ABI_SYSCALL_SOCK_CHK(accept4) +- _ABI_SYSCALL_SOCK_CHK(recvmmsg) +- _ABI_SYSCALL_SOCK_CHK(sendmmsg) +- +- return false; +-} +- +-/** +- * Check if a syscall is an ipc syscall +- * @param sys the syscall number +- * +- * Returns true if the syscall is an ipc related syscall, false otherwise. 
+- * +- */ +-static bool _ppc_syscall_ipc_test(int sys) +-{ +- const char *name; +- +- /* multiplexed pseduo-syscalls */ +- if (sys <= -200 && sys >= -224) +- return true; +- +- name = ppc_syscall_resolve_num(sys); +- if (!name) +- return false; +- +-#define _ABI_SYSCALL_IPC_CHK(NAME) \ +- if (!strcmp(name, #NAME)) return true; +- +- _ABI_SYSCALL_IPC_CHK(semop) +- _ABI_SYSCALL_IPC_CHK(semget) +- _ABI_SYSCALL_IPC_CHK(semctl) +- _ABI_SYSCALL_IPC_CHK(semtimedop) +- _ABI_SYSCALL_IPC_CHK(msgsnd) +- _ABI_SYSCALL_IPC_CHK(msgrcv) +- _ABI_SYSCALL_IPC_CHK(msgget) +- _ABI_SYSCALL_IPC_CHK(msgctl) +- _ABI_SYSCALL_IPC_CHK(shmat) +- _ABI_SYSCALL_IPC_CHK(shmdt) +- _ABI_SYSCALL_IPC_CHK(shmget) +- _ABI_SYSCALL_IPC_CHK(shmctl) +- +- return false; +-} +- +-/** +- * Convert a multiplexed pseudo syscall into a direct syscall +- * @param syscall the multiplexed pseudo syscall number +- * +- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +- * no related syscall, or __NR_SCMP_ERROR otherwise. 
+- * +- */ +-static int _ppc_syscall_demux(int syscall) +-{ +- int sys = __NR_SCMP_UNDEF; +- +-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ +-case __PNR_##NAME: \ +- sys = ppc_syscall_resolve_name(#NAME); break; +- +- switch (syscall) { +- _ABI_SYSCALL_DEMUX_CHK(socket) +- _ABI_SYSCALL_DEMUX_CHK(bind) +- _ABI_SYSCALL_DEMUX_CHK(connect) +- _ABI_SYSCALL_DEMUX_CHK(listen) +- _ABI_SYSCALL_DEMUX_CHK(accept) +- _ABI_SYSCALL_DEMUX_CHK(getsockname) +- _ABI_SYSCALL_DEMUX_CHK(getpeername) +- _ABI_SYSCALL_DEMUX_CHK(socketpair) +- _ABI_SYSCALL_DEMUX_CHK(send) +- _ABI_SYSCALL_DEMUX_CHK(recv) +- _ABI_SYSCALL_DEMUX_CHK(sendto) +- _ABI_SYSCALL_DEMUX_CHK(recvfrom) +- _ABI_SYSCALL_DEMUX_CHK(shutdown) +- _ABI_SYSCALL_DEMUX_CHK(setsockopt) +- _ABI_SYSCALL_DEMUX_CHK(getsockopt) +- _ABI_SYSCALL_DEMUX_CHK(sendmsg) +- _ABI_SYSCALL_DEMUX_CHK(recvmsg) +- _ABI_SYSCALL_DEMUX_CHK(accept4) +- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) +- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) +- _ABI_SYSCALL_DEMUX_CHK(semop) +- _ABI_SYSCALL_DEMUX_CHK(semget) +- _ABI_SYSCALL_DEMUX_CHK(semctl) +- _ABI_SYSCALL_DEMUX_CHK(semtimedop) +- _ABI_SYSCALL_DEMUX_CHK(msgsnd) +- _ABI_SYSCALL_DEMUX_CHK(msgrcv) +- _ABI_SYSCALL_DEMUX_CHK(msgget) +- _ABI_SYSCALL_DEMUX_CHK(msgctl) +- _ABI_SYSCALL_DEMUX_CHK(shmat) +- _ABI_SYSCALL_DEMUX_CHK(shmdt) +- _ABI_SYSCALL_DEMUX_CHK(shmget) +- _ABI_SYSCALL_DEMUX_CHK(shmctl) +- } +- +- /* this looks odd because the arch resolver returns _ERROR if it can't +- * resolve the syscall, but we want to use _UNDEF for that, so we set +- * 'sys' to a sentinel value of _UNDEF and if it is error here we know +- * the resolve failed to find a match */ +- if (sys == __NR_SCMP_UNDEF) +- sys = __NR_SCMP_ERROR; +- else if (sys == __NR_SCMP_ERROR) +- sys = __NR_SCMP_UNDEF; +- +- return sys; +-} +- +-/** +- * Convert a direct syscall into multiplexed pseudo socket syscall +- * @param syscall the direct syscall +- * +- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +- * there is no related pseudo syscall, 
or __NR_SCMP_ERROR otherwise. +- * +- */ +-static int _ppc_syscall_mux(int syscall) +-{ +- const char *sys; +- +- sys = ppc_syscall_resolve_num(syscall); +- if (!sys) +- return __NR_SCMP_ERROR; +- +-#define _ABI_SYSCALL_MUX_CHK(NAME) \ +- if (!strcmp(sys, #NAME)) return __PNR_##NAME; +- +- _ABI_SYSCALL_MUX_CHK(socket) +- _ABI_SYSCALL_MUX_CHK(bind) +- _ABI_SYSCALL_MUX_CHK(connect) +- _ABI_SYSCALL_MUX_CHK(listen) +- _ABI_SYSCALL_MUX_CHK(accept) +- _ABI_SYSCALL_MUX_CHK(getsockname) +- _ABI_SYSCALL_MUX_CHK(getpeername) +- _ABI_SYSCALL_MUX_CHK(socketpair) +- _ABI_SYSCALL_MUX_CHK(send) +- _ABI_SYSCALL_MUX_CHK(recv) +- _ABI_SYSCALL_MUX_CHK(sendto) +- _ABI_SYSCALL_MUX_CHK(recvfrom) +- _ABI_SYSCALL_MUX_CHK(shutdown) +- _ABI_SYSCALL_MUX_CHK(setsockopt) +- _ABI_SYSCALL_MUX_CHK(getsockopt) +- _ABI_SYSCALL_MUX_CHK(sendmsg) +- _ABI_SYSCALL_MUX_CHK(recvmsg) +- _ABI_SYSCALL_MUX_CHK(accept4) +- _ABI_SYSCALL_MUX_CHK(recvmmsg) +- _ABI_SYSCALL_MUX_CHK(sendmmsg) +- _ABI_SYSCALL_MUX_CHK(semop) +- _ABI_SYSCALL_MUX_CHK(semget) +- _ABI_SYSCALL_MUX_CHK(semctl) +- _ABI_SYSCALL_MUX_CHK(semtimedop) +- _ABI_SYSCALL_MUX_CHK(msgsnd) +- _ABI_SYSCALL_MUX_CHK(msgrcv) +- _ABI_SYSCALL_MUX_CHK(msgget) +- _ABI_SYSCALL_MUX_CHK(msgctl) +- _ABI_SYSCALL_MUX_CHK(shmat) +- _ABI_SYSCALL_MUX_CHK(shmdt) +- _ABI_SYSCALL_MUX_CHK(shmget) +- _ABI_SYSCALL_MUX_CHK(shmctl) +- +- return __NR_SCMP_ERROR; +-} +- +-/** +- * Rewrite a syscall value to match the architecture +- * @param syscall the syscall number +- * +- * Syscalls can vary across different architectures so this function rewrites +- * the syscall into the correct value for the specified architecture. Returns +- * zero on success, negative values on failure. 
+- * +- */ +-int ppc_syscall_rewrite(int *syscall) +-{ +- int sys = *syscall; +- +- if (sys <= -100 && sys >= -120) +- *syscall = __ppc_NR_socketcall; +- else if (sys <= -200 && sys >= -224) +- *syscall = __ppc_NR_ipc; +- else if (sys < 0) +- return -EDOM; +- +- return 0; +-} +- +-/** +- * add a new rule to the ppc seccomp filter +- * @param db the seccomp filter db +- * @param rule the filter rule +- * +- * This function adds a new syscall filter to the seccomp filter db, making any +- * necessary adjustments for the ppc ABI. Returns zero on success, negative +- * values on failure. +- * +- * It is important to note that in the case of failure the db may be corrupted, +- * the caller must use the transaction mechanism if the db integrity is +- * important. +- * +- */ +-int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +-{ +- int rc = 0; +- unsigned int iter; +- int sys = rule->syscall; +- int sys_a, sys_b; +- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +- +- if (_ppc_syscall_socket_test(sys)) { +- /* socket syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _ppc_syscall_mux(sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _ppc_syscall_demux(sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two rules, dup the first and link together */ +- rule_a = rule; 
+- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; +- } +- +- /* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = __ppc_NR_socketcall; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 100; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (_ppc_syscall_ipc_test(sys)) { +- /* ipc syscalls */ +- +- /* strict check for the multiplexed socket syscalls */ +- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +- if ((rule->args[iter].valid != 0) && (rule->strict)) { +- rc = -EINVAL; +- goto add_return; +- } +- } +- +- /* determine both the muxed and direct syscall numbers */ +- if (sys > 0) { +- sys_a = _ppc_syscall_mux(sys); +- if (sys_a == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- sys_b = sys; +- } else { +- sys_a = sys; +- sys_b = _ppc_syscall_demux(sys); +- if (sys_b == __NR_SCMP_ERROR) { +- rc = __NR_SCMP_ERROR; +- goto add_return; +- } +- } +- +- /* use rule_a for the multiplexed syscall and use rule_b for +- * the direct wired syscall */ +- +- if (sys_a == __NR_SCMP_UNDEF) { +- rule_a = NULL; +- rule_b = rule; +- } else if (sys_b == __NR_SCMP_UNDEF) { +- rule_a = rule; +- rule_b = NULL; +- } else { +- /* need two rules, dup the first and link together */ +- rule_a = rule; +- rule_dup = db_rule_dup(rule_a); +- rule_b = rule_dup; +- if (rule_b == NULL) +- goto add_return; +- rule_b->prev = rule_a; +- rule_b->next = NULL; +- rule_a->next = rule_b; +- } +- +- 
/* multiplexed socket syscalls */ +- if (rule_a != NULL) { +- rule_a->syscall = __ppc_NR_ipc; +- rule_a->args[0].arg = 0; +- rule_a->args[0].op = SCMP_CMP_EQ; +- rule_a->args[0].mask = DATUM_MAX; +- rule_a->args[0].datum = (-sys_a) % 200; +- rule_a->args[0].valid = 1; +- } +- +- /* direct wired socket syscalls */ +- if (rule_b != NULL) +- rule_b->syscall = sys_b; +- +- /* we should be protected by a transaction checkpoint */ +- if (rule_a != NULL) { +- rc = db_rule_add(db, rule_a); +- if (rc < 0) +- goto add_return; +- } +- if (rule_b != NULL) { +- rc = db_rule_add(db, rule_b); +- if (rc < 0) +- goto add_return; +- } +- } else if (sys >= 0) { +- /* normal syscall processing */ +- rc = db_rule_add(db, rule); +- if (rc < 0) +- goto add_return; +- } else if (rule->strict) { +- rc = -EDOM; +- goto add_return; +- } +- +-add_return: +- if (rule_dup != NULL) +- free(rule_dup); +- return rc; +-} +- + const struct arch_def arch_def_ppc = { + .token = SCMP_ARCH_PPC, + .token_bpf = AUDIT_ARCH_PPC, + .size = ARCH_SIZE_32, + .endian = ARCH_ENDIAN_BIG, +- .syscall_resolve_name = ppc_syscall_resolve_name_munge, +- .syscall_resolve_num = ppc_syscall_resolve_num_munge, +- .syscall_rewrite = ppc_syscall_rewrite, +- .rule_add = ppc_rule_add, ++ .syscall_resolve_name = ppc_syscall_resolve_name, ++ .syscall_resolve_num = ppc_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, + }; diff --git a/patches/revert_various_additions_to_improve_code_coverage.patch b/patches/revert_various_additions_to_improve_code_coverage.patch new file mode 100644 index 0000000..3270170 --- /dev/null +++ b/patches/revert_various_additions_to_improve_code_coverage.patch 
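Review bot: In the `arch_def_ppc` change at the end of this hunk, `.syscall_rewrite` and `.rule_add` become `NULL` and the resolvers switch from the `_munge` variants to plain `ppc_syscall_resolve_name`/`ppc_syscall_resolve_num`, so ppc now relies on the generic arch dispatch treating a `NULL` callback as "no arch-specific handling" (leaving the syscall number untouched and calling `db_rule_add()` directly). Please confirm that is how the callers behave for the other non-multiplexed arch definitions, and that no declaration of `ppc_syscall_rewrite`, `ppc_rule_add` or the `_munge` resolvers survives elsewhere: the hunk removes only the definitions and the table entries, and the `_ppc_syscall_socket_test()`/`_ppc_syscall_ipc_test()` helpers called by the removed `ppc_rule_add()` are not removed in the visible part of the diff either. The behavioural consequence is worth a sentence in the patch description: with `ppc_syscall_rewrite()` gone, rule syscall numbers in the `-100..-120` and `-200..-224` pseudo ranges are no longer mapped to `__ppc_NR_socketcall`/`__ppc_NR_ipc` on ppc, and a socket or IPC rule added by name will match only the direct syscall, not the multiplexed `socketcall`/`ipc` path that the removed `(-sys_a) % 100` / `(-sys_a) % 200` argument rules covered.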
@@ -0,0 +1,1110 @@ +REVERTS + +From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 3 Aug 2021 14:12:50 -0400 +Subject: [PATCH] tests: various additions to improve code coverage + +Acked-by: Tom Hromatka +Signed-off-by: Paul Moore + +(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65) +--- + tests/11-basic-basic_errors.c | 52 +++ + tests/15-basic-resolver.c | 40 ++ + tests/30-sim-socket_syscalls.c | 62 ++- + tests/33-sim-socket_syscalls_be.c | 3 + + tests/33-sim-socket_syscalls_be.py | 1 + + tests/33-sim-socket_syscalls_be.tests | 42 +- + tests/36-sim-ipc_syscalls.c | 3 + + tests/36-sim-ipc_syscalls.py | 1 + + tests/36-sim-ipc_syscalls.tests | 50 +-- + tests/37-sim-ipc_syscalls_be.c | 3 + + tests/37-sim-ipc_syscalls_be.py | 1 + + tests/37-sim-ipc_syscalls_be.tests | 26 +- + tests/38-basic-pfc_coverage.c | 27 ++ + tests/38-basic-pfc_coverage.pfc | 534 ++++++++++++++++++++++++++ + tests/52-basic-load.c | 23 ++ + 15 files changed, 804 insertions(+), 64 deletions(-) + +diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c +--- a/tests/11-basic-basic_errors.c ++++ b/tests/11-basic-basic_errors.c +@@ -29,8 +29,6 @@ int main(int argc, char *argv[]) + int rc; + scmp_filter_ctx ctx; + uint32_t attr; +- struct seccomp_notif *req = NULL; +- struct seccomp_notif_resp *resp = NULL; + + /* seccomp_init errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW + 1); +@@ -125,9 +123,6 @@ int main(int argc, char *argv[]) + return -1; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 2)); +- if (rc != -EINVAL) +- return -1; +- rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0); + if (rc != -EINVAL) + return -1; + seccomp_release(ctx); +@@ -185,53 +180,6 @@ int main(int argc, char *argv[]) + rc = seccomp_attr_set(ctx, 1000, 1); + if (rc != -EINVAL) + return -1; +- seccomp_release(ctx); +- ctx = NULL; +- +- /* seccomp_merge() errors */ +- ctx = 
seccomp_init(SCMP_ACT_ALLOW); +- if (ctx == NULL) +- return -1; +- rc = seccomp_merge(ctx, NULL); +- if (rc == 0) +- return -1; +- seccomp_release(ctx); +- ctx = NULL; +- +- /* seccomp notify errors */ +- ctx = seccomp_init(SCMP_ACT_ALLOW); +- if (ctx == NULL) +- return -1; +- rc = seccomp_notify_alloc(NULL, NULL); +- if (rc != 0) +- return -1; +- rc = seccomp_notify_alloc(&req, NULL); +- if (rc != 0) +- return -1; +- rc = seccomp_notify_alloc(NULL, &resp); +- if (rc != 0) +- return -1; +- seccomp_notify_free(NULL, NULL); +- seccomp_notify_free(req, resp); +- req = NULL; +- resp = NULL; +- rc = seccomp_notify_receive(-1, NULL); +- if (rc == 0) +- return -1; +- rc = seccomp_notify_respond(-1, NULL); +- if (rc == 0) +- return -1; +- rc = seccomp_notify_id_valid(-1, 0); +- if (rc == 0) +- return -1; +- rc = seccomp_notify_fd(NULL); +- if (rc == 0) +- return -1; +- rc = seccomp_notify_fd(ctx); +- if (rc == 0) +- return -1; +- seccomp_release(ctx); +- ctx = NULL; + + return 0; + } +diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c +--- a/tests/15-basic-resolver.c ++++ b/tests/15-basic-resolver.c +@@ -68,7 +68,6 @@ int main(int argc, char *argv[]) + goto fail; + + while ((arch = arch_list[iter++]) != -1) { +- int sys; + int nr_open; + int nr_read; + int nr_socket; +@@ -120,45 +119,6 @@ int main(int argc, char *argv[]) + goto fail; + free(name); + name = NULL; +- +- /* socket pseudo-syscalls */ +- if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) { +- for (sys = -101; sys >= -120; sys--) { +- name = seccomp_syscall_resolve_num_arch(arch, +- sys); +- if (name == NULL) +- goto fail; +- free(name); +- name = NULL; +- } +- } +- /* ipc pseudo-syscalls */ +- if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) { +- for (sys = -201; sys >= -204; sys--) { +- name = seccomp_syscall_resolve_num_arch(arch, +- sys); +- if (name == NULL) +- goto fail; +- free(name); +- name = NULL; +- } +- for (sys = -211; sys >= -214; sys--) { +- name = 
seccomp_syscall_resolve_num_arch(arch, +- sys); +- if (name == NULL) +- goto fail; +- free(name); +- name = NULL; +- } +- for (sys = -221; sys >= -224; sys--) { +- name = seccomp_syscall_resolve_num_arch(arch, +- sys); +- if (name == NULL) +- goto fail; +- free(name); +- name = NULL; +- } +- } + } + + return 0; +diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c +--- a/tests/30-sim-socket_syscalls.c ++++ b/tests/30-sim-socket_syscalls.c +@@ -61,79 +61,19 @@ int main(int argc, char *argv[]) + if (rc != 0) + goto out; + +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0); +- if (rc != 0) +- goto out; +- + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); + if (rc != 0) + goto out; + +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0); +- if (rc != 0) +- goto out; +- + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); + if (rc != 0) + goto out; + +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, 
SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0); +- if (rc != 0) +- goto out; +- + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); + if (rc != 0) + goto out; + +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0); +- if (rc != 0) +- goto out; +- +- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0); ++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); + if (rc != 0) + goto out; + +diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c +--- a/tests/33-sim-socket_syscalls_be.c ++++ b/tests/33-sim-socket_syscalls_be.c +@@ -48,9 +48,6 @@ int main(int argc, char *argv[]) + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); +- if (rc != 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); + if (rc != 0) + goto out; + +diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py +--- a/tests/33-sim-socket_syscalls_be.py ++++ b/tests/33-sim-socket_syscalls_be.py +@@ -33,7 +33,6 @@ def test(args): + f.remove_arch(Arch()) + f.add_arch(Arch("s390")) + f.add_arch(Arch("s390x")) +- f.add_arch(Arch("ppc")) + f.add_rule(ALLOW, "socket") + f.add_rule(ALLOW, "connect") + f.add_rule(ALLOW, "accept") +diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests +--- a/tests/33-sim-socket_syscalls_be.tests ++++ b/tests/33-sim-socket_syscalls_be.tests +@@ -7,23 +7,31 @@ + + test type: bpf-sim + +-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW 
+-33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL +-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW +-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL ++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL ++33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL ++33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW ++33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390x accept 5 
N N N N N ALLOW ++33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL ++33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW ++33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL + + test type: bpf-valgrind + +diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c +--- a/tests/36-sim-ipc_syscalls.c ++++ b/tests/36-sim-ipc_syscalls.c +@@ -54,9 +54,6 @@ int main(int argc, char *argv[]) + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); +- if (rc != 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); + if (rc != 0) + goto out; + +diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py +--- a/tests/36-sim-ipc_syscalls.py ++++ b/tests/36-sim-ipc_syscalls.py +@@ -35,7 +35,6 @@ def test(args): + f.add_arch(Arch("x86_64")) + f.add_arch(Arch("x32")) + f.add_arch(Arch("ppc64le")) +- f.add_arch(Arch("mipsel")) + f.add_rule(ALLOW, "semop") + f.add_rule(ALLOW, "semtimedop") + f.add_rule(ALLOW, "semget") +diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests +--- a/tests/36-sim-ipc_syscalls.tests ++++ b/tests/36-sim-ipc_syscalls.tests +@@ -7,31 +7,31 @@ + + test type: bpf-sim + +-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW +-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW 
+-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW +-36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW ++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++36-sim-ipc_syscalls +x86,+ppc64le ipc 1 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 2 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 3 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 4 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 11 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 12 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 13 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 14 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 21 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 22 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 23 N N N N N ALLOW ++36-sim-ipc_syscalls +x86,+ppc64le ipc 24 N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW 
++36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW ++36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW + + test type: bpf-valgrind + +diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c +--- a/tests/37-sim-ipc_syscalls_be.c ++++ b/tests/37-sim-ipc_syscalls_be.c +@@ -48,9 +48,6 @@ int main(int argc, char *argv[]) + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); +- if (rc != 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); + if (rc != 0) + goto out; + +diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py +--- a/tests/37-sim-ipc_syscalls_be.py ++++ b/tests/37-sim-ipc_syscalls_be.py +@@ -33,7 +33,6 @@ def test(args): + f.remove_arch(Arch()) + f.add_arch(Arch("s390")) + f.add_arch(Arch("s390x")) +- f.add_arch(Arch("ppc")) + f.add_rule(ALLOW, "semop") + f.add_rule(ALLOW, "semtimedop") + f.add_rule(ALLOW, "semget") +diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests +--- a/tests/37-sim-ipc_syscalls_be.tests ++++ b/tests/37-sim-ipc_syscalls_be.tests +@@ -7,19 +7,19 @@ + + test type: bpf-sim + +-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW +-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW +-37-sim-ipc_syscalls_be 
+s390,+s390x,+ppc ipc 24 N N N N N ALLOW ++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++37-sim-ipc_syscalls_be +s390,+s390x ipc 1 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 2 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 3 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 4 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 11 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 12 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 13 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 14 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 21 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 22 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 23 N N N N N ALLOW ++37-sim-ipc_syscalls_be +s390,+s390x ipc 24 N N N N N ALLOW + + test type: bpf-valgrind + +diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c +--- a/tests/38-basic-pfc_coverage.c ++++ b/tests/38-basic-pfc_coverage.c +@@ -55,30 +55,6 @@ int main(int argc, char *argv[]) + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); +- if (rc < 0) +- goto out; +- rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64); + if (rc < 0) + goto out; + +@@ -109,9 +85,6 @@ int main(int argc, char *argv[]) + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0); +- if (rc < 0) +- goto out; +- rc = seccomp_rule_add(ctx, 
SCMP_ACT_LOG, SCMP_SYS(exit_group), 0); + if (rc < 0) + goto out; + +diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc +--- a/tests/38-basic-pfc_coverage.pfc ++++ b/tests/38-basic-pfc_coverage.pfc +@@ -3,9 +3,6 @@ + # + # filter for arch x86_64 (3221225534) + if ($arch == 3221225534) +- # filter for syscall "exit_group" (231) [priority: 65535] +- if ($syscall == 231) +- action LOG; + # filter for syscall "exit" (60) [priority: 65535] + if ($syscall == 60) + action TRACE(1); +@@ -100,9 +97,6 @@ if ($arch == 3221225534) + action ALLOW; + # filter for arch x86 (1073741827) + if ($arch == 1073741827) +- # filter for syscall "exit_group" (252) [priority: 65535] +- if ($syscall == 252) +- action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; +@@ -133,534 +127,6 @@ if ($arch == 1073741827) + action KILL; + # default action + action ALLOW; +-# filter for arch x32 (3221225534) +-if ($arch == 3221225534) +- # filter for syscall "exit_group" (1073742055) [priority: 65535] +- if ($syscall == 1073742055) +- action LOG; +- # filter for syscall "exit" (1073741884) [priority: 65535] +- if ($syscall == 1073741884) +- action TRACE(1); +- # filter for syscall "fstat" (1073741829) [priority: 65535] +- if ($syscall == 1073741829) +- action KILL_PROCESS; +- # filter for syscall "close" (1073741827) [priority: 65535] +- if ($syscall == 1073741827) +- action ERRNO(1); +- # filter for syscall "open" (1073741826) [priority: 65535] +- if ($syscall == 1073741826) +- action KILL; +- # filter for syscall "write" (1073741825) [priority: 65532] +- if ($syscall == 1073741825) +- if ($a0 == 0) +- else +- if ($a1 > 1) +- else +- if ($a2 >= 2) +- else +- action TRAP; +- # filter for syscall "read" (1073741824) [priority: 65531] +- if ($syscall == 1073741824) +- if ($a0 == 0) +- if ($a1 >= 1) +- if ($a2 > 2) +- if ($a3 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch arm 
(1073741864) +-if ($arch == 1073741864) +- # filter for syscall "exit_group" (248) [priority: 65535] +- if ($syscall == 248) +- action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; +- # filter for syscall "close" (6) [priority: 65535] +- if ($syscall == 6) +- action ERRNO(1); +- # filter for syscall "open" (5) [priority: 65535] +- if ($syscall == 5) +- action KILL; +- # filter for syscall "exit" (1) [priority: 65535] +- if ($syscall == 1) +- action TRACE(1); +- # filter for syscall "write" (4) [priority: 65532] +- if ($syscall == 4) +- if ($a0 == 0) +- else +- if ($a1 > 1) +- else +- if ($a2 >= 2) +- else +- action TRAP; +- # filter for syscall "read" (3) [priority: 65531] +- if ($syscall == 3) +- if ($a0 == 0) +- if ($a1 >= 1) +- if ($a2 > 2) +- if ($a3 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch aarch64 (3221225655) +-if ($arch == 3221225655) +- # filter for syscall "open" (4294957130) [priority: 65535] +- if ($syscall == 4294957130) +- action KILL; +- # filter for syscall "exit_group" (94) [priority: 65535] +- if ($syscall == 94) +- action LOG; +- # filter for syscall "exit" (93) [priority: 65535] +- if ($syscall == 93) +- action TRACE(1); +- # filter for syscall "fstat" (80) [priority: 65535] +- if ($syscall == 80) +- action KILL_PROCESS; +- # filter for syscall "close" (57) [priority: 65535] +- if ($syscall == 57) +- action ERRNO(1); +- # filter for syscall "write" (64) [priority: 65527] +- if ($syscall == 64) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if 
($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- # filter for syscall "read" (63) [priority: 65525] +- if ($syscall == 63) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- if ($a1.hi32 > 0) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 >= 1) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch mipsel (1073741832) +-if ($arch == 1073741832) +- # filter for syscall "exit_group" (246) [priority: 65535] +- if ($syscall == 246) +- action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; +- # filter for syscall "close" (6) [priority: 65535] +- if ($syscall == 6) +- action ERRNO(1); +- # filter for syscall "open" (5) [priority: 65535] +- if ($syscall == 5) +- action KILL; +- # filter for syscall "exit" (1) [priority: 65535] +- if ($syscall == 1) +- action TRACE(1); +- # filter for syscall "write" (4) [priority: 65532] +- if ($syscall == 4) +- if ($a0 == 0) +- else +- if ($a1 > 1) +- else +- if ($a2 >= 2) +- else +- action TRAP; +- # filter for syscall "read" (3) [priority: 65531] +- if ($syscall == 3) +- if ($a0 == 0) +- if ($a1 >= 1) +- if ($a2 > 2) +- if ($a3 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch mipsel64 (3221225480) +-if ($arch == 3221225480) +- # filter 
for syscall "exit_group" (5205) [priority: 65535] +- if ($syscall == 5205) +- action LOG; +- # filter for syscall "exit" (5058) [priority: 65535] +- if ($syscall == 5058) +- action TRACE(1); +- # filter for syscall "fstat" (5005) [priority: 65535] +- if ($syscall == 5005) +- action KILL_PROCESS; +- # filter for syscall "close" (5003) [priority: 65535] +- if ($syscall == 5003) +- action ERRNO(1); +- # filter for syscall "open" (5002) [priority: 65535] +- if ($syscall == 5002) +- action KILL; +- # filter for syscall "write" (5001) [priority: 65527] +- if ($syscall == 5001) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- # filter for syscall "read" (5000) [priority: 65525] +- if ($syscall == 5000) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- if ($a1.hi32 > 0) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 >= 1) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- # default 
action +- action ALLOW; +-# filter for arch mipsel64n32 (3758096392) +-if ($arch == 3758096392) +- # filter for syscall "exit_group" (6205) [priority: 65535] +- if ($syscall == 6205) +- action LOG; +- # filter for syscall "exit" (6058) [priority: 65535] +- if ($syscall == 6058) +- action TRACE(1); +- # filter for syscall "fstat" (6005) [priority: 65535] +- if ($syscall == 6005) +- action KILL_PROCESS; +- # filter for syscall "close" (6003) [priority: 65535] +- if ($syscall == 6003) +- action ERRNO(1); +- # filter for syscall "open" (6002) [priority: 65535] +- if ($syscall == 6002) +- action KILL; +- # filter for syscall "write" (6001) [priority: 65532] +- if ($syscall == 6001) +- if ($a0 == 0) +- else +- if ($a1 > 1) +- else +- if ($a2 >= 2) +- else +- action TRAP; +- # filter for syscall "read" (6000) [priority: 65531] +- if ($syscall == 6000) +- if ($a0 == 0) +- if ($a1 >= 1) +- if ($a2 > 2) +- if ($a3 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch ppc64le (3221225493) +-if ($arch == 3221225493) +- # filter for syscall "exit_group" (234) [priority: 65535] +- if ($syscall == 234) +- action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; +- # filter for syscall "close" (6) [priority: 65535] +- if ($syscall == 6) +- action ERRNO(1); +- # filter for syscall "open" (5) [priority: 65535] +- if ($syscall == 5) +- action KILL; +- # filter for syscall "exit" (1) [priority: 65535] +- if ($syscall == 1) +- action TRACE(1); +- # filter for syscall "write" (4) [priority: 65527] +- if ($syscall == 4) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action 
TRAP; +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- # filter for syscall "read" (3) [priority: 65525] +- if ($syscall == 3) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- if ($a1.hi32 > 0) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 >= 1) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; +-# filter for arch riscv64 (3221225715) +-if ($arch == 3221225715) +- # filter for syscall "open" (4294957130) [priority: 65535] +- if ($syscall == 4294957130) +- action KILL; +- # filter for syscall "exit_group" (94) [priority: 65535] +- if ($syscall == 94) +- action LOG; +- # filter for syscall "exit" (93) [priority: 65535] +- if ($syscall == 93) +- action TRACE(1); +- # filter for syscall "fstat" (80) [priority: 65535] +- if ($syscall == 80) +- action KILL_PROCESS; +- # filter for syscall "close" (57) [priority: 65535] +- if ($syscall == 57) +- action ERRNO(1); +- # filter for syscall "write" (64) [priority: 65527] +- if ($syscall == 64) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- 
else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a1.hi32 > 0) +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 > 1) +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- else +- if ($a2.hi32 > 0) +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 >= 2) +- else +- action TRAP; +- else +- action TRAP; +- # filter for syscall "read" (63) [priority: 65525] +- if ($syscall == 63) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 0) +- if ($a1.hi32 > 0) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a1.hi32 == 0) +- if ($a1.lo32 >= 1) +- if ($a2.hi32 > 0) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- else +- if ($a2.hi32 == 0) +- if ($a2.lo32 > 2) +- if ($a3.hi32 & 0x00000000 == 0) +- if ($a3.lo32 & 0x0000000f == 3) +- action KILL; +- # default action +- action ALLOW; + # invalid architecture action + action KILL; + # +diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c +--- a/tests/52-basic-load.c ++++ b/tests/52-basic-load.c +@@ -31,38 +31,15 @@ int main(int argc, char *argv[]) + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; +- unsigned int api; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + +- api = seccomp_api_get(); +- if (api == 0) { +- rc = -EFAULT; +- goto out; +- } +- + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + +- if (api >= 2) { +- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); +- if (rc != 0) +- goto out; +- } +- if (api >= 3) { +- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1); +- if (rc != 0) +- goto out; +- } +- if (api >= 4) { +- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1); +- if (rc 
!= 0) +- goto out; +- } +- + rc = seccomp_load(ctx); + + out: diff --git a/patches/series b/patches/series new file mode 100644 index 0000000..b6e2f86 --- /dev/null +++ b/patches/series @@ -0,0 +1,4 @@ +revert_various_additions_to_improve_code_coverage.patch +revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch +revert_ppc_add_multiplexed_syscall_support_to_PPC.patch +revert_mips_add_multiplexed_syscall_support_to_MIPS.patch diff --git a/python-seccomp.install b/python-seccomp.install new file mode 100644 index 0000000..a71458d --- /dev/null +++ b/python-seccomp.install @@ -0,0 +1 @@ +usr/lib/python2.*/dist-packages/seccomp.so diff --git a/python3-seccomp.install b/python3-seccomp.install new file mode 100644 index 0000000..97a45dc --- /dev/null +++ b/python3-seccomp.install @@ -0,0 +1 @@ +usr/lib/python3.*/site-packages/seccomp.cpython-*.so diff --git a/rules b/rules new file mode 100755 index 0000000..54d5951 --- /dev/null +++ b/rules @@ -0,0 +1,37 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# Enable verbose build details. +export V=1 + +include /usr/share/dpkg/architecture.mk + +%: +ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) + dh $@ --with python3 +else + dh $@ +endif + +ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) + +override_dh_auto_install: + dh_auto_install + for pyver in `py3versions -s`; do \ + set -e; \ + if python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"; then \ + export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata__${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ + else \ + export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata_m_${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ + fi; \ + dh_auto_configure -- --enable-python PYTHON=$$pyver; \ + dh_auto_install --sourcedirectory=src/python -- PYTHON=$$pyver; \ + done +endif + +override_dh_auto_clean: + dh_auto_clean + rm -f regression.out 
diff --git a/seccomp.install b/seccomp.install new file mode 100644 index 0000000..1df36c6 --- /dev/null +++ b/seccomp.install @@ -0,0 +1 @@ +usr/bin/* diff --git a/seccomp.manpages b/seccomp.manpages new file mode 100644 index 0000000..5ea05fe --- /dev/null +++ b/seccomp.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/* diff --git a/source/format b/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/tests/common b/tests/common new file mode 100644 index 0000000..e02e8db --- /dev/null +++ b/tests/common @@ -0,0 +1,12 @@ +SRCDIR="$(pwd)" + +mkdir "$AUTOPKGTEST_TMP/tests" "$AUTOPKGTEST_TMP/tools" +cp -a tests/. "$AUTOPKGTEST_TMP/tests/" + +cd "$AUTOPKGTEST_TMP/tests" + +# build tools needed for tests +for tool in scmp_api_level scmp_arch_detect scmp_sys_resolver; do + echo "Building $tool ..." + gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool +done diff --git a/tests/control b/tests/control new file mode 100644 index 0000000..3d2c4ba --- /dev/null +++ b/tests/control @@ -0,0 +1,7 @@ +Tests: testsuite-live +Depends: libseccomp-dev, build-essential +Restrictions: isolation-machine + +Tests: testsuite-live-python3 +Depends: libseccomp-dev, build-essential, python3-seccomp +Restrictions: isolation-machine, allow-stderr diff --git a/tests/testsuite-live b/tests/testsuite-live new file mode 100644 index 0000000..bbf20d0 --- /dev/null +++ b/tests/testsuite-live @@ -0,0 +1,17 @@ +#!/bin/sh + +set -eu + +. debian/tests/common + +# manually build necessary files against the installed libseccomp + +# build live tests +for filename in *-live-*.tests; do + testname=$(echo "$filename" | cut -f 1 -d '.') + echo "Building $testname ..." + gcc -O2 -g "${testname}.c" util.c -pthread -lseccomp -o "$testname" +done + +echo "Running test suite ..." +./regression -T live 
diff --git a/tests/testsuite-live-python2 b/tests/testsuite-live-python2 new file mode 100644 index 0000000..9c9ded4 --- /dev/null +++ b/tests/testsuite-live-python2 @@ -0,0 +1,8 @@ +#!/bin/sh + +set -eu + +. debian/tests/common + +echo "Running test suite ..." +./regression -T live -m python diff --git a/tests/testsuite-live-python3 b/tests/testsuite-live-python3 new file mode 100644 index 0000000..f4fb094 --- /dev/null +++ b/tests/testsuite-live-python3 @@ -0,0 +1,13 @@ +#!/bin/sh + +set -eu + +. debian/tests/common + +# make sure "python" points to python3 as this is not configurable +# in the regression script +mkdir python3env +ln -s /usr/bin/python3 python3env/python + +echo "Running test suite ..." +PATH="$(pwd)/python3env:$PATH" ./regression -T live -m python diff --git a/upstream/metadata b/upstream/metadata new file mode 100644 index 0000000..0fef70b --- /dev/null +++ b/upstream/metadata @@ -0,0 +1,4 @@ +Bug-Database: https://github.com/seccomp/libseccomp/issues +Bug-Submit: https://github.com/seccomp/libseccomp/issues/new +Repository: https://github.com/seccomp/libseccomp.git +Repository-Browse: https://github.com/seccomp/libseccomp diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc new file mode 100644 index 0000000..5ddf435 --- /dev/null +++ b/upstream/signing-key.asc 
@@ -0,0 +1,192 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6TSxkBEACy+4BPGoI7vphGh/q5WET0lmU7LcDwuNs/satPRH/vPoSYLxYU +FmZ64A2zA4/imlohR+9VMfEVgOX6f23vZWheC2Z12bCtK0/cGLfoGMddFi7mg6aV +hJeAegYkC6hDAYI+Mc/mt0fYvDB+bSPUCUdnB/NegbWegJMJur2pc0/nQqeeoRdp +sazOyBEs4ipP1p05DZA/MifGNRASMHJg2bYG2FyC48Vx/xl0B+oactTwPODJlkQS +n6+yYTcvYh7wIbbainEi0jBnyRj6bi6jODPTjArW2YRzEmPEkqbBsfA/HYEpH4DR +IyZIJzqkP/+P+F+BVBjPVz4r6CWvCjnTMTlROfaUqIvfmpdKKtBDVN0Cjn6GVYae +t9yoJM5bcJK+KEp5aNmW3U7vDMG2XEttw4vdfIFc9ZEWnu2kyiltQw9cUk3ucsIH +79M4o24oVu2+J/z4QNGbRHdbxbO6c9R+IxAfiF/FAz5OhQfRHrDayfQV457cE/Ga +ZhE1AeT7EdnXFF3G1RhTTE2lomQ1TfBSK6CyIyabU7I0R2Gh0aITpAE0fP4heZNZ +zA8vPggdtRzgKgu4tC2is2Dg3NQnPc+k4mnU07LwmJuxCluN7pNhhlhtJkNWnA+a +C2sV8zIicH7SAwmGoeMkp1kluxcdp/jGKsdRIfIDnVax4/t6VPL2+lKQzwARAQAB +tB5QYXVsIE1vb3JlIDxwY21vb3JlQHVtaWNoLmVkdT6JAjgEEwECACIFAk6TS4MC +GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFXkWlroynyKs5MP/it8TqV6 +IVXZh9X6ioJbchNcofT+L74+BjHXpzmdlf0awutCrKdZTWz5zC4A7Xrnam5LNg9j +aZr44oUOhnwIKwm1xxm2KBIGky7nKMinUfsSlYlfJybSJjWA3hv3dKI4Fpd7xsy1 +5CDcmfAD5NfQeW7KD5I0U89zKsdFyGCZV03xWbrvGPitncPB+Sifjp29lWmGwOwY +5tNcg7Mvby5vi6Zit686Q4wjYzmgoCDKKgk6QSo/VAqXJn8PRttuZArDfckraL+h +LXsxx1W0zaKVi9qeyR3n/++fDxPcc5rQIsd9TZj7nojj/5qGjoLCPwFDZaR97u8M +v795+ITrMCLRPYAd8DE94e3sjZK8R+hCtD0Xp9KgaNWofnA4cIHQyWaKI5is4NaT +9Y638We5RkTaYrFC0dxSgiekmnB0pogDU69smFNa26r0CX85cQf4YKYURc1xnbmS +Cyh+gvIHXVSGglmGXgKJ436qUBFCq2/BlecLZm/Lk0vQyPdCr08ZzPc7AUfc1hAe ++PiZ7RDkhJzQaUN3ufjvcyeMGHoUejaO3G9ODE/yVZ6Yi8HQPN7IGmyeh73xaqcv +5PpSrfpK+yjR13WGdi6PRL1IBfverc1fXtxXBywFhV4o/Jatj6XrS7hsU5EJ43An +I9Cqa+8FBjLIrqzfAKHng3qYKA3R346+L0pPtB5QYXVsIE1vb3JlIDxwbW9vcmVA +cmVkaGF0LmNvbT6JAjgEEwECACIFAk6TS60CGwMGCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJEFXkWlroynyKK8AP+QFOxGd3sSxMgEgTjT2fUUwqjD0oRZUrC3RZ +pld+fqmMIoGP0XRQYIpSZubX/ryn0DK9zd7D1o8nOz32lz8QfeEwshh+KAI93V0J +iIFprZUtCJxXKIO2GuHVgwqyzQs+DbXoov6BiTmbNHDGy1xT+mx4Z0xboHX2ZzKc +mLj42w7Qv5clL8X+4D3EiePCWeaw5e/p2xlPEVXfaYlu3nsUUrRwdx1RZSZ/qJE6 
+CZLL348vp7mf9nR7bGBx8NiHrzbE3nh7ofZ8ai/dUTkkK+cFsxr5Gkt1nHegdv2t +Q3pk/KoR6YYvGYIDeuyZB0zMs2VW6zLIrD7qPc9sFLIwAsgBW3pWyznZ9mZrpbqp +JPzkhDYQH5XnTkL5g0tq4z3eDtOCODB2rNRrj/JvZcv3WmT1IK2d3x3E06Bfb4oy +qMgTzD2z/IHgyL9Wt+yyogB0Y0zyGj3lV3fISIINT2mn+UtutYIqDEeGbSEtQrXx +yIvQEViPO52mO+QdOtc5ZMfQ9ddsQKbawK/pqbzVMRPXX1z5hYKyx/Tv0roBrAzj +DSBI2vP0NmfzzSUKZ3POOZLOxE0425AYeNE623SCntrOWNYdgwf9EfnAcMgsY2Kl +a18e24ZHdAGFmJWBYx+XllheI6diU7dOZAlvuuuslVJfvD8ixzm7SR98elmUk57k +wf9FO9yxtCBQYXVsIE1vb3JlIDxwYXVsQHBhdWwtbW9vcmUuY29tPokCOgQTAQIA +JQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAk6TS8ACGQEACgkQVeRaWujK +fIrtrg/2Kr2XYWu6jYDX2PSWeLQ/5P/VgGzjZI+AKaj5JyEID/5J31yvSKICjK3F +Wl+lHRo/LQzQx8f6gQ9FEBeDTndpa1t23XQGmBgEDAev6FHX3jmheFTkJJ+dEYpc +gX7R+jTjmrRYjAFu1Jo2fIblBTvECwlKLxDvSzAvp5giHYj8TDWcYPlZcDqfq9Aq +5p7UjkRYvAAUlkwSxPE28zcWPwgQuikcyVw/ObPpNWon+0TfruzindsyKnMss7mE +pxUMhRHAWM8KACBUmScP2TC95xKzm+KtlT6E/pdPXItPXiFg5sg8Vf5Rco8j16+b +DzviiAC21Mp69wtnV8Mdsl1jiL65wotclG+SMcgUmyqD3rgBW3jSedDFFu6CHQyG +FuthVj25eNUSXjhVOMCWQSxOgv4uN1jgk89paHJuBqHwKfk55ezQJFB1UlkJqH7L +NJ2uVd0Go5PTE2mBbkBQ4bvSyfhlOUYbcjNUlZOZSHsaQPVXDUXCW90LjH4azg8j +ek7YinygvZBpxQurRj7honmoqqyBfvOweA8wDdjIYURFrA4kwYwN8d+xdIDv5Pu5 +8U/ruus+y59MebQDhMr1BaM26QhgPZ6Ur/vHvTkW6bFo+Q0Rg9/abO67O00OZX/+ +oakt1BZ3Tb30L6nGu7ZosTXos+s9Leter/wcOk49JNd5q4WnZbkCDQROk0sZARAA +7lIE/HyQ5pTSabH0OJKa78mNJckQ+2NsEwUpEj459Ca5s3DvJCT7ZBOUQaL5ctkl +KgjByI+3BSIT90swim6vdMYxSrS7IpQ17zb3pdV5H5LFQSCvS1Dd466amWFWCyb6 +ZWl3g7kmf5xEEIob9PLMlCe37gsIXp9M0hbRIOVISeqCiWp5HkcMXwMEd5XHxGN6 +CCgG86vzxEOnLKoMdXQIxkenA4ggk5cCBoYd0FMURH53EznhuceS3euNSzu71+H3 +SJjIdjIjYQDhpHF6gXoI+u8NSWsZ9dEn/s+9e/uP2cYvAPmR01a73QyVIZS23eo9 +rmMqlPJNjJbybQ81uaHxQqA5ljC7WWqYl7tia+QSKYMEyMkHvTqnPPhJvghsQoJO +aeN6j/qIQWIl5fQEENLRzkcGO6SLEDOKzEgABZSwP9Wff47jyzD4JVb71qApI60m +3TGB829vBavFIkHNzhvr91m+6AfeUvZlWlFmC3v4BsqH/3SzwwQU28cxy53a/EDO +wm2MDJL4wkVLO2Yh2CZ/4x07VZtjmGmG6wyVOq+9GQ3cnTPEgynfZYsdPaml/RJm +kbCAmDbHbyV4NhT1RCg803thZZX8HzJcM2nywutGlzi0xxv63tP48tfTAV6ajqyQ 
+5jeRGKCq/zpME9Ghr/oH414NlGcomYU0UQ5Fjpdk8eMAEQEAAYkCHwQYAQIACQUC +TpNLGQIbDAAKCRBV5Fpa6Mp8iqQaD/9L2zMdzYznSOnApTz1SHhpgbi8RKaKy88j +WTz0AxZGrYF6cKv8BH2fFgA7phlONcWhUvWpEEpP208EY52c811lohRocNhSlXgW +XHYCiG2vydsQe9HEdBB6bUOO0z8g2DPcoBtUGWe1gDZddRW2VbqN2ts8Wxebog2Y +Y3tvJ0ocMo150t5c0koldlStav/zM2eipz+zTjfsN4Xy04q/WQ63FIbub5o5jcUJ +j1o177I1VtA8eEumsfnMMRgQBfz0t2bEIc/ZmrsuR+j/H4WlBAuIarNjWtIylH/e +VJhxFtXGnCI5mO1gN90QG6IpwszcwEPJf3gU7dO8r+HXeTBifLYB/JnzGWixPaek +DgCrNOZXz+48KEJEoVXUxsnqa8PRIUO5OtVRq3mk2uwcIHqPEBLb0yB6GRQjb9jQ +qBdRPun2FavjxWRuTZBGS1RItLW8bmAJz1d/ySWizRqnoz8U0s9SyGGHx5OsyJJu +FO6FFr31m7WZG5LPfQJUNiyR2y9ZrjdPbwXmchywhTLqyTb5N6j5RfAdn74H379t +ilUhH5c7ieVLt/RLTtWXEnkZzsO7LvP/3X0jHt3eZD2WzvVg4llZFvnuie8C0/yC +Twhc2xMJOLd2WpH6ZKHNbRqv1a2xg8K2KGdhlZrRo/AYbX/FjZ/k9klZwEjFsefd +0Ff4mojoNokCNgQoAQgAIBYhBHEAqt+ubm6UDS4K1lXkWlroynyKBQJbxKnWAh0B +AAoJEFXkWlroynyKGT4P/jXnXhB+VEkr+NL86MssDU+S9Gz+kCYEOSxFPFvhxpmk +x+Q9Y2SXugaThp9h9IIUH6lhtAZeYimzGC67ObZh+Ev0SIfN24xvZ2nPzLLj1pay +/2f/OQ0g7LalC7SpaF/7nIrxrYSP3Lyv3QAw/ZCeP8+U0CCV0Nw2Jrxck61ySXOR +W9diyGKTszNwzWQOPUBOLlMw2BxjudQW0Djy8mYoqyByUYEWtbcGgJ3MSPzE0RgW +PLgVujdzDunGDeJd9SBeI220ILxAHiB96JZYxmkVoz4trB7PwyA3plg19CXjwZ5J +ediKZov02JG0aGNpL2678YwJAGDCLMNhBi9gDqx3Xf6rvzqK/CvR3xQs6/bAjiAC +FHSUjv1oQ+p75yyt0clVrJOaB3kh6DICr+dZYuBvPGbls0yMTvEvCRxrj0rmpd9w +tI2ZTvN6ak9+5c9ZI7N+tQKYRPonfrVigVR+VgoWS0UMh5IQedkcfMO1vX2S5i/m +mmtDPT8aTyearL/ZpRoba8UvuTi/jksGTkR9QwKxBQeBWIy4xpKtddtp29RJFAFm +m3uvsHTGfRIm0oAGnbSgAooQSqZiv9bQvjzP0maWc7A9uNIspKj4CaEjDttqMzPG +u5GyplMDGnmEuldXbUhyCLlRXzVqmxuE46q0G2vl+qwiwwoYDauNoyvLvHK0AOZb +uQINBFvEpn0BEACpnI2D7qSeKGEihHtIvbZAhN6x3zkkELaLB2+MmhWZAdTmzfFm +JU28DXNLuCqxyy7GxATaBdPR5gPyq4LkA/xqTqC5nK9zTZqxtqwh9xTFCchUhmdC +voSkFy3R1cZlifLVartuIBHQXd9XfYkJMop4whsbPcbzDJ9JYUqHpuqysNAAhHge +vKIzZ93B7nW5JIBHf1/iVMSnC7+l3gSLMg0n+0UalGiQSpgzUSnyfgnoJjBbbyQT +JMrOhGSJHviezcCT3OOctnn0j5I0DuU1IRJ5h+MZ4NpgV2YyHCTXdHE9x1DGE9Wu +ExubFjiAvJtgcYkwcfqyqpbcK2IICWOUv+XJbrApm0PdaclyXbrJZRZ08QBOW9cZ 
+8tnrkvb4PtktigiHzTy9LenoWP7lSXVeroju3+g+igkaa9ZbgVkHOkDRrrjtJhNl +3yPEaK0RplLpJ6J/ysGvjuG9b/pWAsXptsfSN4TCCKIAqOg4/RINiyM5YzzIIqLc +vwBzm8awFpoMsexhBBUJLdBC3F2s53AZJUkH+NYJ/lZgnDA9/EVYPAOGCXt5u/Ot +ZyCyJzyYD6fZtLshQiRRdDMkeCZ+W88+HmgxA3Ck6vfSPIPyVUGYQYqREzZqfBVV +FuANufrr+dBYYxE0R61zYMJdXL8fsNshHR5mlcHg4EODdnhOeRSeIuS+uQARAQAB +iQI2BBgBCAAgFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAlvEpn0CGwwACgkQVeRa +WujKfIquIRAArTQcsGL/5Tw+L4g0OxUeH1/E7TQ54UrpT9f4PjPj0SPZevqzsV/b +uRemr6bqpNx5aMvLhoeoAodq4a0GmC+BX9ucfGKELavgReQWpyAlFFop8/MCbonq +q+07PdO+6ZJiff0VIMGFAdWOabzQ9VMkYQ4ibF+etTjgWNpJ0UiFhUNric+eT00t +HMzEq2WdgbnS/bwANsEF7kIA3klF7lkYG5MFN5gTbWssHeavfUn3coR9AJVqmx+m +bJdUiMxiMrzRORepUO1zs8XJzLMkOb5h2CElk1um0LfGI9T/RZ3nyP5uv3xU5aG/ +Rp2owv4EsvjhpATt+votq3iZk2hkwymYmMbKpZ690sNT7tTYS5E6dX085NRmEQpy +/U+gX/V5rsWULPmQ2UJEoIizyRrhxq/O73ZinapkDZVO+DeePBrdXDwDOKlhDQ2V +dMp/uLbOg8Hxs2N+Brnn5Ts6FADeP951F9VxTaRWrppOt9eRQgxasYE9hEzFS61e +WY3qHfWT59Pnx+KPmuR69SobBrG5Y7qYvlQxHQUsiVhRlPDDlOuZk0nbK7QR4/aX +7AwNxp2byo7cduCOecs+uSsAcWgA+KMif8yGzHxywHm34dTn7JY0Moqd03n09UY4 +3LISNC1atd/q0BTijMpzroU+4i3omeL3SSHJRBJJSMxSxU5SXV/DBMa5Ag0EW8Sm +sQEQAOQoaAL4LSK1yQzbIJg4hojiJ+iOIMhz2BG9zVNp2CJ4veyfjgH0eUbSr8kX +D1OBkdw9hJuyQXIu4hARvkh41H1N9BTDRMXt5VzeiZUQBS0mJlTQ6EJrX6z+Y497 +0OwPXHYTZG7EcBtTrrY9s+Bm0JnBQr5lZ4TdoGWg8sQxGZIY79zUYYjle6naBZQ0 +QFUTgfyKbx4n8gzXqIZbpj/SrbGctFve36HD+YVwmkcjIJuxKBKMcVfTRQ1AG1PV +qoIyV/gTcmPbVMKcC8L9S0ixkWrqmVhkNJEblzkTEhN0WF5XjzasbxCkUGcJ24Cd +oM5515LpCKaqOTSyuov2aDJfGrNoXi0LTo93M+xaBq6Li/kVUb9S7KY1CSD7buuw +9CAriAVJZBYCuvByp49tBwYWSVhn2GURh7mex91NsJ2H7OveLygYEHSvT+S2ARA1 +lvpLDEG8LvIuKo8QrwmCkE5AO4WU6c62gnrajWwTDU0R38vXObD0dquguhvVyLWi +OEVWacUUXfTN6hCLoqUlOAijKgSmHVhjIs2nngKdR/PLOQiVjKpMxxDoyStMJkfg +khL8v9D/VBU398QwBOBHXFDovKZLhNz32KU3Ma2pE+RGZYBEQeCAWBK51MNdcpsd +Q0p26O33H6Np+GWRHSwrtvO00HK0Wd4eOmO5LY2AiSUdK0NXABEBAAGJBGwEGAEI +ACAWIQRxAKrfrm5ulA0uCtZV5Fpa6Mp8igUCW8SmsQIbAgJACRBV5Fpa6Mp8isF0 +IAQZAQgAHRYhBEtCqM8H8pnVVJd+7+og8tqXN4lzBQJbxKaxAAoJEOog8tqXN4lz 
+0fkQAILG/ON167EqJq2VNMCD/e4Su5M5/RzcosEk+0xxmHyjOTn/36TG9uneNSr+ +IaNdSeH926LaVpcauSFdCKbegKjznUTtmMfdJQX+iTdfO7JTSdZACFHQUSva4Rs6 +33VMTnyhJdRerxrGvNAL0aAyDdTG5rc/CSQjj683AJGK9T7iZubgkBKWoYY8jtJi +nsSuePp+gFetIhCQyG2nSq4yrIgXbd6l/kJdsqq6xEz42mbGJf2uPQ/BEbD/gzWj +m8sRUAJ91u0lHqz3KjQ4MzdsU+Mm/ngZdyXWzwlfC24QbHAr9cnWwZvtLdvo2G7z +igMX7PyMwfEq5l7i3gFS0Mny3LtvGqH1AS/YJczDeyonDtR2gAptYlyBHOBftdj7 +hVoZS0QNNss2B0kwHqSWOLtfgMHWiBXFq8buntwWGW2rUXs77gvKYG9TB1a0NYp1 +Hv2FOOUCWY9pzs/WBOkW0s5EOiatxoDfAFIoKH7FlqDf7Cnr3IpaKS6tXDH+7B35 +QBptYgMIY43v+GhqIEELkaYow3VnnTcbQFi0VfBxh/GgyhydhFyaUs5djklCZ091 +nRRYeDSyUhB1nlr7FnuLK91/rm6YI+IWmw2j3Z6urlnD6TNYPFfeZzXDoJgtlRsc +HFQL2/HCIiCcObVFd8HbCvHmNpMdRxId8qogOr/y5Lu2FYvzRzEP/A8NNqwqj7zX +Wk5w6lj4tVk796B4gPNZ0NUIXYeUobEtuuPjrh4SQSVOluvADCV5/8quP4fdw/iN +tmaoTqYqmhpHArFgP9gjHQ7vL3+eHCQIqV0hdhsLm0t8ol5ArP3BgNtfS3RcQf3k +Q9aQdIYscz5iTvCpcncVrMXDxz3wO7YKylzNHDUF7bo1FMc9HPedcKbzG/BRFnpw +YNn8w24xlr9+o1YEzwgc48N7djcAsYl7KCIKq82vWrbeePNHLA4yo0rdqS1RP7jI +lOlMWfxF+IGODkwCfiuMWVo35h5uMPueA0xyEfGobX1OtK6pkeFq1b1mNYCVr++4 +eWaJj64cv3ijx/sA+Ni51pD1dHrwURuX5FIixRJm0awwoJgxbsXLy54PGVgatNoa +1Wx4lnt/6HA32MtM7Im0NMLGAt298GD/AIr3bAnbovevNTjaxwpO8KlMNLhANqYt +GjFlhucGfQjVOxOU0c3QL1wBJ5s0bNltz5C8LqCRpqjJc43v3CfQ/IZzqZ+g51wJ +WWgN9wAj62doD4x6JlVg17AZm6WRoGQjslyDUuBE3ZtZd2XXpc7P/rbmfZQCcr1W +1h8moBknbU2eOji/cULgGM3Y8W5V3RwNgD7IFHDKr1I19PyBEMr+Qk+KVHpsw09S +xOtqJHdjtKxzOrgL0rG+n0VYx6dl2Lt4mQINBF3C4AkBEADQxp4jfxmbJ3t/ZuKc +sV4JxG8mhuGXBkzMB0k2uGULCpY4yh7dsN4PBU7PuHgUMkxJnJlbg0xVR2nux20I +NzroYn8xzRe+jSmKTW0fTvNH+Nxyr4k+KgqmVZCcfyvwXuL7IOfG5luc/oSXJV62 +u+LHP891dVcJlVN0Ef9i5Sz9iRkkMUknwoTrOK9q1nZNOA+XoLMhCIdyWIPx6jFm +PxfZpgEJw6YIeyOSRIPYtH4twuDj50bzQuTTfQ3ph9FdcXVLYwP3BayvfFasGhyJ +6caqVW9GpMDa/OPvteNmt2WbqaRgcX9CWWOKonhFqkaWAXj0lYFkM65DTzSUKpNt +oh2MRVA7qyGZ2zlHocNWSplQ8VJlly6ch9O95UEXlSIJFxAi/7NBNuG/CekHQxxQ +ZhdslUe7LIsujlKS8Fy0bpYsTDPb/g+rUuIHWCOhEC+B0qOYVEf+wcc9jTQjZf6N +P3zIV4dO+Mc9GVT+d3Kz0y11g1ON0b82qy2ONvRys1NmqXC2vCnXzKCQ6UTHRYt+ 
+EdV0nlo59G+lolCnT8t1sW7ezuByA4zWMI6hLyk0NLb8xwPK9BT732RGhzba7a7E +aArTBsPA3rWvObC1kQWSaw+ule5rmnTL5Q4Jw3qDhgM9b2Bg3hLYP5/UU0INq7kr +H413Kin0C29T1aNmLfMTfmS5EwARAQABtCZUb20gSHJvbWF0a2EgPHRvbS5ocm9t +YXRrYUBvcmFjbGUuY29tPokCTgQTAQgAOBYhBEemj843x9cCT9ZeETVs5iwrUkCZ +BQJdwuAJAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDVs5iwrUkCZNL0P +/3KFyrWXW5ouPuAzWeMMUZrQmyz31T70iVSS8PtPWb8S2QxQdzgpdVPrvxT+wfq5 +zJbdz3X5uPvdOXUeyv0bAQRqYQVX/tkz10zu6+m+Bgx0H6I5Xk9F7EDvag1EDDs/ +BDSLh9VbsTllSaNpLhFjSRj0dVmE1DgaUDX5F66npYMgSIspsAjEI1MZ1PDYQfho +yxEMiz0ld14yv6HE7hBPekcQW2mAWzlpZmgw9NVIcqShy3znJNGGpQUbLEtGbrv/ +wRMNWjGWPJyfE5dLDvkfQjrdsTRWv5+Sd5/z3fwp0G8dUq1iWeegu6mFe0KRLB5z +3lcc+QJSlWetyyoYWOhq1Jzn0QHjakZp2Nb4rtp9/b9TdhvD5cOjpsECmL5qMri1 +mn/j4F63AG4yLQaYrwwjWzDcz+jQ8wNuyl7cXQFD6UYbywC1tC9DE0VppV2nOirt +TOPz8+etXMx6sg40STJ4dbYn/gJLhiycSaUAqGkSHpC24FbcvkVwKz5MBUYuLEgN +H3RyNKVgnb5JWZofE7ehOVCc+VAmzMyobjE+71FRXlPdmqD/im4vYDsqzb15wX79 +VsXqI0bij+xVYaR7GoQbTfVQ0a6f6slWex6PmKOnZTjfLL7sEu1JhAteqlI9I0Nl +NJBF/y32T6lQpO+3CJGhY+2rSiCpnI31NMusAkcufnxquQINBF3C4AkBEAC9ReOz +Yf6nryTLn8lGg6M0kpMX3P7v8GlOV1hZ8hTDlUETpo+xxR3FvNjWEDNyuawCpvNz +8Pu3OKqxKDIivyVdJNEc335glsMY7BmAevLvAtyfjb0rOzOXqLfhdsn108Nr6Ai+ +lkMs8xlK2hxGI3qpDHzImOYmhWD4J181gxlj5Gaj8fOyV8JZvfY6AZcei2tzlmHp +j9SSh7K59trUZtaUDljUeVAEP4KfU1sLEYy3BUzS+eb4Qw1tleui+89E/J4zPrgw +wuLg5OU+ScTigfbEF/05MMUAySiKieKhp8IFsT41+FXOlotBl0wz6Jbo4HxNtY5P +trpv6BOrBlYfhfhZeANk4+y5OnLqRjjgTvf1p9CHmsgs6sx/lkNyXpzoxKR89Rzx +HxnrgUATSa80JK9o/0tPZkN33HKJlkSndPQEM4uLrTsIxvNsBSOPIKC09siMbbBe +I0t811P1pMh8zvTnRl2FSQjiumLoVhr+xxZ2wWiPxztVQkMLuuWXkzcxQUfuw5nE +QCH+WdqYKNmV6rw2kU6j10q0kvvspWPMTbsI/vBY3KyiP1F8dToXiwulNT1U05NG +J20YbzEHnYEKatBq9ZILLx63c8eLZ6VppkAE0ZlmgsOvn+zIcv81P4x9mDLvuqTO +zRj/RuDAY6qJHuICpsV3F5A03z9ne/Z9u0mwSwARAQABiQI2BBgBCAAgFiEER6aP +zjfH1wJP1l4RNWzmLCtSQJkFAl3C4AkCGwwACgkQNWzmLCtSQJkiQA/8Cm07bQf2 +FIKTdwRECJO7pvpuc3zE1XsSuLyu40qpsWX24Ll97S7cpOK7rN2jSZ6UDoXpNgXV +iOzma5yiC+GO6UUWxr8xE/CDXeuawxHUt0Xrn+UQnWsirsrZifjVPkXou71QM+ka 
+Q9qXy4liOpRaJjf8B7iz3ilgMUACnMcwOVn+jbswLQpNetsKk+vrLwQlILPkWcKG +xIu1Iro3E7WoIPojHHtT7Co7mSRzaNI00VU7jMwZwXFQL/IbeGsKlaAyxh1BzRLn +LdPN8hxiYtEq2IG66Uq3EmigtwOvh06d/Qi/gBH6CWxdahRk7HwATyrNvbjfduzN +nhF+lPA39iKrI5+IGasK6Lp9HklUJD0Q9JK7yac/cUj5LptY/PBFC7eJKHJLyohm +vlXYgRSeAXEm7uGpU5k/jUZDM4Z1o5JboiNVQoqDWs6iDYJb82cRjKKlvC2d2lFK +xtBOR3xJZUUsIpoQrstxn1LA5DcBosPvd9ISyIZs38UyJNTz07GUedEpeE3YhLke +sc6n2iL9D2Yjz/S4ANukxl9YZDW+EFS8LtTchvK11OHWubvWxWFV7txLFmkBYQwk +2krCi2MVguRZGj8bodqjty1H8ZMfA5NYwAKeyQmsmTHqNmR1Ws/cdQCV7+3q9Rur +lUtY1AVxx4LtnS16GX+OVCybWzbK1uqLrfo= +=9JXr +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 0000000..a94a868 --- /dev/null +++ b/watch @@ -0,0 +1,4 @@ +version=4 +opts="dversionmangle=s/\+dfsg//,pgpsigurlmangle=s/$/.asc/" \ +https://github.com/seccomp/libseccomp/releases \ + .*/libseccomp-(.*)\.tar\.gz
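Review bot: the Python version test in the rules hunk, `python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"`, breaks for Python 3.10 and later: `pyver[6:]` is the string "3.10", which `float()` reads as 3.1, so the comparison falls into the `_sysconfigdata_m_...` branch meant for interpreters older than 3.8. Compare a version tuple instead, either `exit(0 if tuple(int(x) for x in pyver[6:].split('.')) >= (3, 8) else 1)` or, simpler, ask the interpreter under test directly with `$$pyver -c "import sys; exit(0 if sys.version_info >= (3, 8) else 1)"`.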
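Review bot: python-seccomp.install (`usr/lib/python2.*/dist-packages/seccomp.so`) and tests/testsuite-live-python2 are dead files: the rules hunk only ever runs `dh $@ --with python3` and loops over `py3versions -s`, so no Python 2 module is built, and the tests/control hunk registers only testsuite-live and testsuite-live-python3. Drop both, or note in the changelog why they are kept.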
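Review bot: the inner hunk for tests/52-basic-load.c (the `+-` lines of the quilt patch that precedes patches/series in this diff) removes the `seccomp_api_get()` failure path and the `SCMP_FLTATR_CTL_TSYNC`, `SCMP_FLTATR_CTL_LOG` and `SCMP_FLTATR_CTL_SSB` attribute settings, so the live basic-load test no longer exercises those attributes or the `api == 0` error. That is a coverage loss unrelated to multiplexed syscall handling; if this revert is only needed because the coverage commit builds on the arch consolidation commit being reverted, say so in the patch's DEP-3 header so it can be dropped independently.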
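Review bot: the removed expected pfc output (the `+-` lines up to `+ # invalid architecture action`) drops not only the mipsel, mipsel64, mipsel64n32 and ppc64le filters but also the riscv64 block (`# filter for arch riscv64 (3221225715)`), an arch with no multiplexed syscalls. If that block is simply part of the same upstream commit being reverted, a sentence in the patch header saying so would stop a future rebase from treating the riscv64 expected output as something the package intentionally removed.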
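Review bot: the four entries in the patches/series hunk revert the upstream commits in reverse order (coverage additions, arch consolidation, PPC, MIPS), which is the right order for clean reverts, but none of the patch headers is visible in this diff; each revert patch should carry `Origin: revert, <upstream commit id>` and a `Bug-Debian:` line so the set can be dropped as a unit once upstream fixes the multiplexed syscall test failures.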
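Review bot: the upstream/signing-key.asc hunk contains two public keys (two primary-key packets, starting at `mQINBE6TSxkB` and `mQINBF3C4AkB`) with several user IDs and subkeys, and nothing in the diff records whose keys they are or how their fingerprints were verified before being trusted for `pgpsigurlmangle` in the watch file. Record the key owners and fingerprints in the commit message or upstream/metadata, and export the keys with `gpg --export --export-options export-minimal` so the file holds only what uscan needs to check the release signature.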
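Review bot: in the tests/common hunk, `gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool` leaves `$tool` unquoted while every other path is quoted; harmless for these three names but inconsistent. Both tests/common (`SRCDIR="$(pwd)"`) and the testsuite-live scripts (`. debian/tests/common`) also assume they are started from the unpacked source root, which autopkgtest guarantees; a one-line comment saying so would save the next reader a check, and `testname=$(echo "$filename" | cut -f 1 -d '.')` can be `testname=${filename%%.*}` without the subshell.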