From: Felix Geyer Date: Sun, 3 Oct 2021 21:26:59 +0000 (+0100) Subject: libseccomp (2.5.2-2) unstable; urgency=medium X-Git-Tag: archive/raspbian/2.5.2-2+rpi1^2~5 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5fd105979bfc2b579848872546dda50bea69f144;p=libseccomp.git libseccomp (2.5.2-2) unstable; urgency=medium * Revert mips and powerpc multiplexed syscall handling. - Fixes test suite failures. (Closes: #994285) [dgit import unpatched libseccomp 2.5.2-2] --- 5fd105979bfc2b579848872546dda50bea69f144 diff --cc debian/changelog index 0000000,0000000..9b9f834 new file mode 100644 --- /dev/null +++ b/debian/changelog @@@ -1,0 -1,0 +1,335 @@@ ++libseccomp (2.5.2-2) unstable; urgency=medium ++ ++ * Revert mips and powerpc multiplexed syscall handling. ++ - Fixes test suite failures. (Closes: #994285) ++ ++ -- Felix Geyer Sun, 03 Oct 2021 23:26:59 +0200 ++ ++libseccomp (2.5.2-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Update watch file. ++ ++ -- Felix Geyer Tue, 07 Sep 2021 11:14:34 +0200 ++ ++libseccomp (2.5.1-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Drop all patches as they have been applied upstream. ++ ++ -- Felix Geyer Mon, 21 Dec 2020 10:50:30 +0100 ++ ++libseccomp (2.5.0-3) unstable; urgency=medium ++ ++ * Cherry-pick patch from the 2.5 branch to fix test error on mips: ++ - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch ++ ++ -- Felix Geyer Sun, 08 Nov 2020 19:59:21 +0100 ++ ++libseccomp (2.5.0-2) unstable; urgency=medium ++ ++ * Upload to unstable. ++ * Cherry-pick patches from the 2.5 branch to fix build and test errors: ++ - build_undefine_mips_to_prevent_build_problems.patch ++ - tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch ++ ++ -- Felix Geyer Sun, 08 Nov 2020 15:49:41 +0100 ++ ++libseccomp (2.5.0-1) experimental; urgency=medium ++ ++ * New upstream release. ++ - Build-depend on gperf. ++ - Update symbols file. ++ * Remove patches that have been applied upstream: ++ - cython3.patch ++ - riscv64_support.patch ++ * Cherry-pick patches from the 2.5 branch: ++ - all_only_request_the_userspace_notification_fd_once.patch ++ - system_change_our_notification_fd_handling.patch ++ ++ -- Felix Geyer Sat, 24 Oct 2020 13:58:28 +0200 ++ ++libseccomp (2.4.4-1) unstable; urgency=medium ++ ++ * Team upload. ++ ++ [ Debian Janitor ] ++ * Set upstream metadata fields: Repository, Repository-Browse. ++ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository. ++ ++ [ Felix Geyer ] ++ * New upstream release. ++ * Download and verify orig gpg signature. ++ ++ -- Felix Geyer Sun, 20 Sep 2020 19:03:41 +0200 ++ ++libseccomp (2.4.3-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Drop patches that have been applied upstream: ++ - tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch ++ - api_define__SNR_ppoll_again.patch ++ * Cherry-pick support for the riscv64 architecture. (Closes: #952386) ++ - Add riscv64_support.patch ++ ++ -- Felix Geyer Thu, 12 Mar 2020 23:35:13 +0100 ++ ++libseccomp (2.4.2-2) unstable; urgency=medium ++ ++ [ Christian Ehrhardt ] ++ * d/rules: fix potential FTFBS after full python3 switch ++ * d/t/control: drop python2 test following the removal of the package ++ ++ [ Felix Geyer ] ++ * Remove build-dependency on valgrind for mips64el as it's broken there. ++ * Backport patch to define __SNR_ppoll again. ++ - Add api_define__SNR_ppoll_again.patch ++ * Replace custom patch for cython3 with the upstream fix. ++ ++ -- Felix Geyer Fri, 15 Nov 2019 18:12:53 +0100 ++ ++libseccomp (2.4.2-1) unstable; urgency=medium ++ ++ [ Christian Ehrhardt ] ++ * New upstream release 2.4.2 for compatibility with newer kernels and ++ fixing FTBFS (LP: #1849785). ++ - drop d/p/python_install_dir.patch (now upstream) ++ - d/rules: adapt to python 3.8 lacking the m modifier on includes ++ see https://wiki.debian.org/Python/Python3.8 ++ - d/p/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch: fix ++ build time test on arm64 ++ ++ [ Felix Geyer ] ++ * Drop Python 2 bindings. (Closes: #936917) ++ - Add cython3.patch to use the Python 3 cython variant. ++ ++ -- Felix Geyer Wed, 13 Nov 2019 00:00:49 +0100 ++ ++libseccomp (2.4.1-2) unstable; urgency=medium ++ ++ * Remove build-dependency on valgrind for mipsel and x32 as it's broken ++ on those archs. ++ * Set Rules-Requires-Root: no. ++ ++ -- Felix Geyer Fri, 19 Jul 2019 00:03:34 +0200 ++ ++libseccomp (2.4.1-1) unstable; urgency=medium ++ ++ * New upstream release. ++ - Addresses CVE-2019-9893 (Closes: #924646) ++ * Drop all patches for parisc arch support, merged upstream. ++ * Build-depend on valgrind to run more unit tests. ++ * Run dh_auto_configure for every python 3 version to install the extension ++ in the correct path. ++ * Update the symbols file. ++ * Adapt autopkgtest to new upstream version: ++ - Build against pthread ++ - Build scmp_api_level tool ++ * Upgrade to debhelper compat level 12. ++ - Add d/not-installed file ++ * Fix install path of the python module. ++ - Add python_install_dir.patch ++ * Add autopkgtest for python packages. ++ ++ -- Felix Geyer Wed, 17 Jul 2019 23:23:28 +0200 ++ ++libseccomp (2.3.3-4) unstable; urgency=medium ++ ++ [ Ondřej Nový ] ++ * d/copyright: Change Format URL to correct one ++ ++ [ Helmut Grohne ] ++ * Fix FTCBFS: (Closes: #903556) ++ + Multiarchify python Build-Depends. ++ + Annotate cython dependencies with :native for now. ++ + Drop noop dh_auto_build invocations. ++ + Pass a suitable PYTHONPATH for python2. ++ + Pass _PYTHON_SYSCONFIGDATA_NAME for python3. ++ ++ -- Felix Geyer Sun, 10 Feb 2019 12:25:44 +0100 ++ ++libseccomp (2.3.3-3) unstable; urgency=medium ++ ++ * Fix FTBFS: Adapt to renamed README file. (Closes: #902767) ++ ++ -- Felix Geyer Sun, 01 Jul 2018 20:32:03 +0200 ++ ++libseccomp (2.3.3-2) unstable; urgency=medium ++ ++ [ Helmut Grohne ] ++ * Support the nopython build profile. (Closes: #897057) ++ ++ [ Felix Geyer ] ++ * Run upstream "live" tests in an autopkgtest. ++ ++ -- Felix Geyer Sun, 13 May 2018 09:53:08 +0200 ++ ++libseccomp (2.3.3-1) unstable; urgency=medium ++ ++ * New upstream release. (Closes: #895417) ++ - Adds pkey_mprotect syscall. (Closes: #893722) ++ * Refresh parisc patch. ++ * Move libseccomp2 back to /usr/lib. (Closes: #894988) ++ * Make test failures cause the build to fail. (Closes: 877901) ++ * Build python bindings. (Closes: #810712) ++ * Switch to debhelper compat level 10. ++ * Move git repo to salsa.debian.org ++ * Add myself to Uploaders. ++ ++ -- Felix Geyer Sun, 22 Apr 2018 23:55:03 +0200 ++ ++libseccomp (2.3.1-2.1) unstable; urgency=medium ++ ++ [ Martin Pitt ] ++ * Non-maintainer upload with Kees' consent. ++ ++ [ Laurent Bigonville ] ++ * Ensure strict enough generated dependencies (Closes: #844496) ++ ++ -- Martin Pitt Thu, 17 Nov 2016 10:16:44 +0100 ++ ++libseccomp (2.3.1-2) unstable; urgency=medium ++ ++ * Add hppa (parisc) support (Closes: #820501) ++ ++ -- Luca Bruno Sat, 28 May 2016 20:05:01 +0200 ++ ++libseccomp (2.3.1-1) unstable; urgency=medium ++ ++ * New upstream release ++ * control: add Vcs-* fields ++ ++ -- Luca Bruno Tue, 05 Apr 2016 22:16:55 +0200 ++ ++libseccomp (2.3.0-1) unstable; urgency=medium ++ ++ * New upstream release ++ + drop all patches, applied upstream ++ * libseccomp2: update symbols file ++ * control: add myself to uploaders ++ * control: bump policy version ++ ++ -- Luca Bruno Sun, 03 Apr 2016 00:31:09 +0200 ++ ++libseccomp (2.2.3-3) unstable; urgency=medium ++ ++ [ Martin Pitt ] ++ * debian/patches/add-x86-32bit-socket-calls.patch: add the newly ++ connected direct socket calls. (Closes: #809556) ++ * debian/add-membarrier.patch: add membarrier syscall. ++ * Backport patches for ppc/ppc64 and s390x. (Closes: #800818) ++ ++ -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 ++ ++libseccomp (2.2.3-2) unstable; urgency=medium ++ ++ * debian/control: enable mips64, mips64el, and x32 architectures, ++ thanks to Helmut Grohne (Closes: 797383). ++ ++ -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 ++ ++libseccomp (2.2.3-1) unstable; urgency=medium ++ ++ * New upstream release (Closes: 793032). ++ * debian/control: update Homepage (Closes: 793033). ++ ++ -- Kees Cook Mon, 03 Aug 2015 15:06:08 -0700 ++ ++libseccomp (2.2.1-2) unstable; urgency=medium ++ ++ * debian/{rules,*.install}: move to /lib, thanks to Michael Biebl ++ (Closes: 788923). ++ ++ -- Kees Cook Tue, 16 Jun 2015 12:45:08 -0700 ++ ++libseccomp (2.2.1-1) unstable; urgency=medium ++ ++ * New upstream release (Closes: 785428). ++ - debian/patches dropped: incorporated upstream. ++ * debian/libseccomp2.symbols: include only documented symbols. ++ * debian/libseccomp-dev.install: include static library (Closes: 698508). ++ * debian/control: ++ - add newly supported arm64, mips, and mipsel. ++ - bump standards version, no changes needed. ++ ++ -- Kees Cook Sat, 16 May 2015 08:15:26 -0700 ++ ++libseccomp (2.1.1-1) unstable; urgency=low ++ ++ * New upstream release (Closes: 733293). ++ * copyright: add a few missed people. ++ * rules: adjusted for new test target. ++ * libseccomp2.symbols: drop accidentally exported functions. ++ * control: ++ - bump standards, no changes needed. ++ - add armel target ++ ++ -- Kees Cook Sat, 12 Apr 2014 10:44:22 -0700 ++ ++libseccomp (2.1.0+dfsg-1) unstable; urgency=low ++ ++ * Rebuild source package without accidental binaries (Closes: 725617). ++ - debian/watch: mangle upstream version check. ++ * debian/rules: make tests non-fatal while upstream fixes them ++ (Closes: 721292). ++ ++ -- Kees Cook Sun, 06 Oct 2013 15:05:51 -0700 ++ ++libseccomp (2.1.0-1) unstable; urgency=low ++ ++ * New upstream release (Closes: 718398): ++ - dropped debian/patches/manpage-dashes.patch: taken upstream. ++ - dropped debian/patches/include-unistd.patch: not needed. ++ - debian/patches/testsuite-x86-write.patch: taken upstream. ++ - ABI bump: moved from libseccomp1 to libseccomp2. ++ * debian/control: ++ - added Arch: armhf, now supported upstream. ++ - added seccomp binary package for helper tools. ++ * Added debian/patches/manpage-typo.patch: spelling fix. ++ * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling. ++ ++ -- Kees Cook Tue, 13 Aug 2013 00:02:01 -0700 ++ ++libseccomp (1.0.1-2) unstable; urgency=low ++ ++ * debian/rules: enable testsuite at build time, thanks to ++ Stéphane Graber (Closes: 698803). ++ * Added debian/patches/include-unistd.patch: detect location of ++ asm/unistd.h correctly. ++ * Added debian/patches/testsuite-x86-write.patch: skip the "write" ++ syscall correctly on x86. ++ * debian/control: bump standards to 3.9.4, no changes needed. ++ ++ -- Kees Cook Wed, 23 Jan 2013 13:11:53 -0800 ++ ++libseccomp (1.0.1-1) unstable; urgency=low ++ ++ * New upstream release. ++ * debian/control: only build on amd64 and i386 (Closes: 687368). ++ ++ -- Kees Cook Fri, 07 Dec 2012 11:38:03 -0800 ++ ++libseccomp (1.0.0-1) unstable; urgency=low ++ ++ * New upstream release. ++ - bump ABI. ++ - drop build verbosity patch, use upstream V=1 instead. ++ * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471). ++ * debian/patches/pkgconfig-macro.patch: use literals for macro. ++ ++ -- Kees Cook Fri, 03 Aug 2012 16:59:41 -0700 ++ ++libseccomp (0.1.0-1) unstable; urgency=low ++ ++ * New upstream release. ++ - drop patches taken upstream: ++ - libexecdir.patch ++ - pass-flags.patch ++ ++ -- Kees Cook Fri, 08 Jun 2012 12:32:22 -0700 ++ ++libseccomp (0.0.0~20120605-1) unstable; urgency=low ++ ++ * Initial release (Closes: #676257). ++ ++ -- Kees Cook Tue, 05 Jun 2012 11:28:07 -0700 diff --cc debian/control index 0000000,0000000..c445bd0 new file mode 100644 --- /dev/null +++ b/debian/control @@@ -1,0 -1,0 +1,63 @@@ ++Source: libseccomp ++Section: libs ++Priority: optional ++Maintainer: Kees Cook ++Uploaders: Luca Bruno , Felix Geyer ++Build-Depends: debhelper-compat (= 12), ++ linux-libc-dev, ++ dh-python , ++ python3-all-dev:any , ++ libpython3-all-dev , ++ cython3:native , ++ valgrind [amd64 arm64 armhf i386 mips mips64 powerpc ppc64 ppc64el s390x] , ++ gperf ++Rules-Requires-Root: no ++Standards-Version: 3.9.7 ++Homepage: https://github.com/seccomp/libseccomp ++Vcs-Git: https://salsa.debian.org/debian/libseccomp.git ++Vcs-Browser: https://salsa.debian.org/debian/libseccomp ++ ++Package: libseccomp-dev ++Section: libdevel ++Architecture: linux-any ++Multi-Arch: same ++Pre-Depends: ${misc:Pre-Depends} ++Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends} ++Suggests: seccomp ++Description: high level interface to Linux seccomp filter (development files) ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. ++ . ++ This package contains the development files. ++ ++Package: libseccomp2 ++Architecture: linux-any ++Multi-Arch: same ++Pre-Depends: ${misc:Pre-Depends} ++Depends: ${shlibs:Depends}, ${misc:Depends} ++Description: high level interface to Linux seccomp filter ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. ++ ++Package: seccomp ++Section: utils ++Architecture: linux-any ++Depends: ${shlibs:Depends}, ${misc:Depends} ++Suggests: libseccomp-dev ++Description: helper tools for high level interface to Linux seccomp filter ++ Provides helper tools for interacting with libseccomp. Currently, only ++ a single tool exists, providing a way to easily enumerate syscalls across ++ the supported architectures. ++ ++Package: python3-seccomp ++Build-Profiles: ++Architecture: linux-any ++Multi-Arch: same ++Section: python ++Depends: ${shlibs:Depends}, ${misc:Depends}, ${python3:Depends} ++Description: high level interface to Linux seccomp filter (Python 3 bindings) ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. diff --cc debian/copyright index 0000000,0000000..307817f new file mode 100644 --- /dev/null +++ b/debian/copyright @@@ -1,0 -1,0 +1,39 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-Name: libseccomp ++Source: https://sourceforge.net/projects/libseccomp/ ++ ++Files: * ++Copyright: 2012 Paul Moore ++ 2012 Ashley Lai ++ 2012 Corey Bryant ++ 2012 Eduardo Otubo ++ 2012 Eric Paris ++License: LGPL-2.1 ++ ++Files: tests/22-sim-basic_chains_array.tests ++Copyright: 2013 Vitaly Shukela ++License: LGPL-2.1 ++ ++Files: src/hash.* ++Copyright: 2006 Bob Jenkins ++License: LGPL-2.1 ++ ++Files: debian/* ++Copyright: 2012 Kees Cook ++License: LGPL-2.1 ++ ++License: LGPL-2.1 ++ This library is free software; you can redistribute it and/or modify it ++ under the terms of version 2.1 of the GNU Lesser General Public License as ++ published by the Free Software Foundation. ++ . ++ This library is distributed in the hope that it will be useful, but WITHOUT ++ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License ++ for more details. ++ . ++ You should have received a copy of the GNU Lesser General Public License ++ along with this library; if not, see . ++ . ++ On Debian systems, the complete text of the GNU Lesser General ++ Public License can be found in "/usr/share/common-licenses/LGPL-2.1". diff --cc debian/docs index 0000000,0000000..b43bf86 new file mode 100644 --- /dev/null +++ b/debian/docs @@@ -1,0 -1,0 +1,1 @@@ ++README.md diff --cc debian/gbp.conf index 0000000,0000000..c16083c new file mode 100644 --- /dev/null +++ b/debian/gbp.conf @@@ -1,0 -1,0 +1,9 @@@ ++[DEFAULT] ++upstream-tag = upstream/%(version)s ++debian-tag = debian/%(version)s ++pristine-tar = True ++upstream-branch = upstream ++debian-branch = debian/sid ++ ++[buildpackage] ++submodules = True diff --cc debian/libseccomp-dev.install index 0000000,0000000..b973af4 new file mode 100644 --- /dev/null +++ b/debian/libseccomp-dev.install @@@ -1,0 -1,0 +1,4 @@@ ++usr/include/* ++usr/lib/*/lib*.so ++usr/lib/*/lib*.a ++usr/lib/*/pkgconfig/* diff --cc debian/libseccomp-dev.manpages index 0000000,0000000..7c72677 new file mode 100644 --- /dev/null +++ b/debian/libseccomp-dev.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/tmp/usr/share/man/man3/* diff --cc debian/libseccomp2.install index 0000000,0000000..3ddde58 new file mode 100644 --- /dev/null +++ b/debian/libseccomp2.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/*/lib*.so.* diff --cc debian/libseccomp2.symbols index 0000000,0000000..d1823d0 new file mode 100644 --- /dev/null +++ b/debian/libseccomp2.symbols @@@ -1,0 -1,0 +1,34 @@@ ++libseccomp.so.2 libseccomp2 #MINVER# ++* Build-Depends-Package: libseccomp-dev ++ seccomp_api_get@Base 2.4.1 ++ seccomp_api_set@Base 2.4.1 ++ seccomp_attr_get@Base 0.0.0~20120605 ++ seccomp_attr_set@Base 0.0.0~20120605 ++ seccomp_export_bpf@Base 0.0.0~20120605 ++ seccomp_export_pfc@Base 0.0.0~20120605 ++ seccomp_init@Base 0.0.0~20120605 ++ seccomp_load@Base 0.0.0~20120605 ++ seccomp_release@Base 0.0.0~20120605 ++ seccomp_reset@Base 0.0.0~20120605 ++ seccomp_rule_add@Base 0.0.0~20120605 ++ seccomp_rule_add_exact@Base 0.0.0~20120605 ++ seccomp_syscall_priority@Base 0.0.0~20120605 ++ seccomp_syscall_resolve_name@Base 1.0.1 ++ seccomp_merge@Base 1.0.1 ++ seccomp_notify_alloc@Base 2.5.0 ++ seccomp_notify_fd@Base 2.5.0 ++ seccomp_notify_free@Base 2.5.0 ++ seccomp_notify_id_valid@Base 2.5.0 ++ seccomp_notify_receive@Base 2.5.0 ++ seccomp_notify_respond@Base 2.5.0 ++ seccomp_arch_add@Base 1.0.1 ++ seccomp_arch_exist@Base 1.0.1 ++ seccomp_arch_remove@Base 1.0.1 ++ seccomp_arch_native@Base 2.1.0 ++ seccomp_rule_add_array@Base 2.1.0 ++ seccomp_rule_add_exact_array@Base 2.1.0 ++ seccomp_syscall_resolve_name_arch@Base 2.1.0 ++ seccomp_syscall_resolve_num_arch@Base 2.1.0 ++ seccomp_arch_resolve_name@Base 2.2.1 ++ seccomp_syscall_resolve_name_rewrite@Base 2.2.1 ++ seccomp_version@Base 2.3.0 diff --cc debian/not-installed index 0000000,0000000..4f60595 new file mode 100644 --- /dev/null +++ b/debian/not-installed @@@ -1,0 -1,0 +1,3 @@@ ++usr/lib/python*/*-packages/install_files.txt ++usr/lib/python*/*-packages/seccomp-*.egg-info ++usr/lib/*/libseccomp.la diff --cc debian/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch index 0000000,0000000..67bdc63 new file mode 100644 --- /dev/null +++ b/debian/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch @@@ -1,0 -1,0 +1,4520 @@@ ++REVERTS ++ ++From f454456e261930d94b3a1a444b6bac75c11c3cb0 Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Wed, 4 Aug 2021 11:51:12 -0400 ++Subject: [PATCH] arch: consolidate all of the multiplexed syscall handling ++ ++Not only does this reduce the amount of duplicated code ++significantly, it removes a lot of the "magic" numbers in the ++code, and it happened to catch some bugs too. ++ ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++ ++(imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc) ++ ++diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c ++--- a/src/arch-aarch64.c +++++ b/src/arch-aarch64.c ++@@ -31,8 +31,8 @@ const struct arch_def arch_def_aarch64 = { ++ .token_bpf = AUDIT_ARCH_AARCH64, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .syscall_resolve_name_raw = aarch64_syscall_resolve_name, ++- .syscall_resolve_num_raw = aarch64_syscall_resolve_num, +++ .syscall_resolve_name = aarch64_syscall_resolve_name, +++ .syscall_resolve_num = aarch64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-arm.c b/src/arch-arm.c ++--- a/src/arch-arm.c +++++ b/src/arch-arm.c ++@@ -39,7 +39,6 @@ ++ ++ /** ++ * Resolve a syscall name to a number ++- * @param arch the architecture definition ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++@@ -47,13 +46,12 @@ ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++-int arm_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name) +++int arm_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++- sys = arch->syscall_resolve_name_raw(name); +++ sys = arm_syscall_resolve_name(name); ++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++@@ -62,7 +60,6 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch, ++ ++ /** ++ * Resolve a syscall number to a name ++- * @param arch the architecture definition ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++@@ -70,12 +67,12 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch, ++ * syscall names; returns NULL on failure. ++ * ++ */ ++-const char *arm_syscall_resolve_num_munge(const struct arch_def *arch, int num) +++const char *arm_syscall_resolve_num_munge(int num) ++ { ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ if (num >= 0) ++ num &= ~__SCMP_NR_BASE; ++- return arch->syscall_resolve_num_raw(num); +++ return arm_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_arm = { ++@@ -84,9 +81,7 @@ const struct arch_def arch_def_arm = { ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_LITTLE, ++ .syscall_resolve_name = arm_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = arm_syscall_resolve_name, ++ .syscall_resolve_num = arm_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = arm_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-mips.c b/src/arch-mips.c ++--- a/src/arch-mips.c +++++ b/src/arch-mips.c ++@@ -30,23 +30,535 @@ ++ #include "arch.h" ++ #include "arch-mips.h" ++ +++/* O32 ABI */ +++#define __SCMP_NR_BASE 4000 +++ ++ /* mips syscall numbers */ ++ #define __mips_NR_socketcall 102 ++ #define __mips_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int mips_syscall_resolve_name_munge(const char *name) +++{ +++ +++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return __PNR_##NAME; +++ +++ _ABI_SYSCALL_RES_NAME_CHK(socket) +++ _ABI_SYSCALL_RES_NAME_CHK(bind) +++ _ABI_SYSCALL_RES_NAME_CHK(connect) +++ _ABI_SYSCALL_RES_NAME_CHK(listen) +++ _ABI_SYSCALL_RES_NAME_CHK(accept) +++ _ABI_SYSCALL_RES_NAME_CHK(getsockname) +++ _ABI_SYSCALL_RES_NAME_CHK(getpeername) +++ _ABI_SYSCALL_RES_NAME_CHK(socketpair) +++ _ABI_SYSCALL_RES_NAME_CHK(send) +++ _ABI_SYSCALL_RES_NAME_CHK(recv) +++ _ABI_SYSCALL_RES_NAME_CHK(sendto) +++ _ABI_SYSCALL_RES_NAME_CHK(recvfrom) +++ _ABI_SYSCALL_RES_NAME_CHK(shutdown) +++ _ABI_SYSCALL_RES_NAME_CHK(setsockopt) +++ _ABI_SYSCALL_RES_NAME_CHK(getsockopt) +++ _ABI_SYSCALL_RES_NAME_CHK(sendmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(recvmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(accept4) +++ _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(semop) +++ _ABI_SYSCALL_RES_NAME_CHK(semget) +++ _ABI_SYSCALL_RES_NAME_CHK(semctl) +++ _ABI_SYSCALL_RES_NAME_CHK(semtimedop) +++ _ABI_SYSCALL_RES_NAME_CHK(msgsnd) +++ _ABI_SYSCALL_RES_NAME_CHK(msgrcv) +++ _ABI_SYSCALL_RES_NAME_CHK(msgget) +++ _ABI_SYSCALL_RES_NAME_CHK(msgctl) +++ _ABI_SYSCALL_RES_NAME_CHK(shmat) +++ _ABI_SYSCALL_RES_NAME_CHK(shmdt) +++ _ABI_SYSCALL_RES_NAME_CHK(shmget) +++ _ABI_SYSCALL_RES_NAME_CHK(shmctl) +++ +++ return mips_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *mips_syscall_resolve_num_munge(int num) +++{ +++ +++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ +++ if (num == __PNR_##NAME) return #NAME; +++ +++ _ABI_SYSCALL_RES_NUM_CHK(socket) +++ _ABI_SYSCALL_RES_NUM_CHK(bind) +++ _ABI_SYSCALL_RES_NUM_CHK(connect) +++ _ABI_SYSCALL_RES_NUM_CHK(listen) +++ _ABI_SYSCALL_RES_NUM_CHK(accept) +++ _ABI_SYSCALL_RES_NUM_CHK(getsockname) +++ _ABI_SYSCALL_RES_NUM_CHK(getpeername) +++ _ABI_SYSCALL_RES_NUM_CHK(socketpair) +++ _ABI_SYSCALL_RES_NUM_CHK(send) +++ _ABI_SYSCALL_RES_NUM_CHK(recv) +++ _ABI_SYSCALL_RES_NUM_CHK(sendto) +++ _ABI_SYSCALL_RES_NUM_CHK(recvfrom) +++ _ABI_SYSCALL_RES_NUM_CHK(shutdown) +++ _ABI_SYSCALL_RES_NUM_CHK(setsockopt) +++ _ABI_SYSCALL_RES_NUM_CHK(getsockopt) +++ _ABI_SYSCALL_RES_NUM_CHK(sendmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(recvmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(accept4) +++ _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(semop) +++ _ABI_SYSCALL_RES_NUM_CHK(semget) +++ _ABI_SYSCALL_RES_NUM_CHK(semctl) +++ _ABI_SYSCALL_RES_NUM_CHK(semtimedop) +++ _ABI_SYSCALL_RES_NUM_CHK(msgsnd) +++ _ABI_SYSCALL_RES_NUM_CHK(msgrcv) +++ _ABI_SYSCALL_RES_NUM_CHK(msgget) +++ _ABI_SYSCALL_RES_NUM_CHK(msgctl) +++ _ABI_SYSCALL_RES_NUM_CHK(shmat) +++ _ABI_SYSCALL_RES_NUM_CHK(shmdt) +++ _ABI_SYSCALL_RES_NUM_CHK(shmget) +++ _ABI_SYSCALL_RES_NUM_CHK(shmctl) +++ +++ return mips_syscall_resolve_num(num); +++} +++ +++/** +++ * Check if a syscall is a socket syscall +++ * @param sys the syscall number +++ * +++ * Returns true if the syscall is a socket related syscall, false otherwise. +++ * +++ */ +++static bool _mips_syscall_socket_test(int sys) +++{ +++ const char *name; +++ +++ /* multiplexed pseduo-syscalls */ +++ if (sys <= -100 && sys >= -120) +++ return true; +++ +++ name = mips_syscall_resolve_num(sys); +++ if (!name) +++ return false; +++ +++#define _ABI_SYSCALL_SOCK_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return true; +++ +++ _ABI_SYSCALL_SOCK_CHK(socket) +++ _ABI_SYSCALL_SOCK_CHK(bind) +++ _ABI_SYSCALL_SOCK_CHK(connect) +++ _ABI_SYSCALL_SOCK_CHK(listen) +++ _ABI_SYSCALL_SOCK_CHK(accept) +++ _ABI_SYSCALL_SOCK_CHK(getsockname) +++ _ABI_SYSCALL_SOCK_CHK(getpeername) +++ _ABI_SYSCALL_SOCK_CHK(socketpair) +++ _ABI_SYSCALL_SOCK_CHK(send) +++ _ABI_SYSCALL_SOCK_CHK(recv) +++ _ABI_SYSCALL_SOCK_CHK(sendto) +++ _ABI_SYSCALL_SOCK_CHK(recvfrom) +++ _ABI_SYSCALL_SOCK_CHK(shutdown) +++ _ABI_SYSCALL_SOCK_CHK(setsockopt) +++ _ABI_SYSCALL_SOCK_CHK(getsockopt) +++ _ABI_SYSCALL_SOCK_CHK(sendmsg) +++ _ABI_SYSCALL_SOCK_CHK(recvmsg) +++ _ABI_SYSCALL_SOCK_CHK(accept4) +++ _ABI_SYSCALL_SOCK_CHK(recvmmsg) +++ _ABI_SYSCALL_SOCK_CHK(sendmmsg) +++ +++ return false; +++} +++ +++/** +++ * Check if a syscall is an ipc syscall +++ * @param sys the syscall number +++ * +++ * Returns true if the syscall is an ipc related syscall, false otherwise. +++ * +++ */ +++static bool _mips_syscall_ipc_test(int sys) +++{ +++ const char *name; +++ +++ /* multiplexed pseduo-syscalls */ +++ if (sys <= -200 && sys >= -224) +++ return true; +++ +++ name = mips_syscall_resolve_num(sys); +++ if (!name) +++ return false; +++ +++#define _ABI_SYSCALL_IPC_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return true; +++ +++ _ABI_SYSCALL_IPC_CHK(semop) +++ _ABI_SYSCALL_IPC_CHK(semget) +++ _ABI_SYSCALL_IPC_CHK(semctl) +++ _ABI_SYSCALL_IPC_CHK(semtimedop) +++ _ABI_SYSCALL_IPC_CHK(msgsnd) +++ _ABI_SYSCALL_IPC_CHK(msgrcv) +++ _ABI_SYSCALL_IPC_CHK(msgget) +++ _ABI_SYSCALL_IPC_CHK(msgctl) +++ _ABI_SYSCALL_IPC_CHK(shmat) +++ _ABI_SYSCALL_IPC_CHK(shmdt) +++ _ABI_SYSCALL_IPC_CHK(shmget) +++ _ABI_SYSCALL_IPC_CHK(shmctl) +++ +++ return false; +++} +++ +++/** +++ * Convert a multiplexed pseudo syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _mips_syscall_demux(int syscall) +++{ +++ int sys = __NR_SCMP_UNDEF; +++ +++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ +++case __PNR_##NAME: \ +++ sys = mips_syscall_resolve_name(#NAME); break; +++ +++ switch (syscall) { +++ _ABI_SYSCALL_DEMUX_CHK(socket) +++ _ABI_SYSCALL_DEMUX_CHK(bind) +++ _ABI_SYSCALL_DEMUX_CHK(connect) +++ _ABI_SYSCALL_DEMUX_CHK(listen) +++ _ABI_SYSCALL_DEMUX_CHK(accept) +++ _ABI_SYSCALL_DEMUX_CHK(getsockname) +++ _ABI_SYSCALL_DEMUX_CHK(getpeername) +++ _ABI_SYSCALL_DEMUX_CHK(socketpair) +++ _ABI_SYSCALL_DEMUX_CHK(send) +++ _ABI_SYSCALL_DEMUX_CHK(recv) +++ _ABI_SYSCALL_DEMUX_CHK(sendto) +++ _ABI_SYSCALL_DEMUX_CHK(recvfrom) +++ _ABI_SYSCALL_DEMUX_CHK(shutdown) +++ _ABI_SYSCALL_DEMUX_CHK(setsockopt) +++ _ABI_SYSCALL_DEMUX_CHK(getsockopt) +++ _ABI_SYSCALL_DEMUX_CHK(sendmsg) +++ _ABI_SYSCALL_DEMUX_CHK(recvmsg) +++ _ABI_SYSCALL_DEMUX_CHK(accept4) +++ _ABI_SYSCALL_DEMUX_CHK(recvmmsg) +++ _ABI_SYSCALL_DEMUX_CHK(sendmmsg) +++ _ABI_SYSCALL_DEMUX_CHK(semop) +++ _ABI_SYSCALL_DEMUX_CHK(semget) +++ _ABI_SYSCALL_DEMUX_CHK(semctl) +++ _ABI_SYSCALL_DEMUX_CHK(semtimedop) +++ _ABI_SYSCALL_DEMUX_CHK(msgsnd) +++ _ABI_SYSCALL_DEMUX_CHK(msgrcv) +++ _ABI_SYSCALL_DEMUX_CHK(msgget) +++ _ABI_SYSCALL_DEMUX_CHK(msgctl) +++ _ABI_SYSCALL_DEMUX_CHK(shmat) +++ _ABI_SYSCALL_DEMUX_CHK(shmdt) +++ _ABI_SYSCALL_DEMUX_CHK(shmget) +++ _ABI_SYSCALL_DEMUX_CHK(shmctl) +++ } +++ +++ /* this looks odd because the arch resolver returns _ERROR if it can't +++ * resolve the syscall, but we want to use _UNDEF for that, so we set +++ * 'sys' to a sentinel value of _UNDEF and if it is error here we know +++ * the resolve failed to find a match */ +++ if (sys == __NR_SCMP_UNDEF) +++ sys = __NR_SCMP_ERROR; +++ else if (sys == __NR_SCMP_ERROR) +++ sys = __NR_SCMP_UNDEF; +++ +++ return sys; +++} +++ +++/** +++ * Convert a direct syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _mips_syscall_mux(int syscall) +++{ +++ const char *sys; +++ +++ sys = mips_syscall_resolve_num(syscall); +++ if (!sys) +++ return __NR_SCMP_ERROR; +++ +++#define _ABI_SYSCALL_MUX_CHK(NAME) \ +++ if (!strcmp(sys, #NAME)) return __PNR_##NAME; +++ +++ _ABI_SYSCALL_MUX_CHK(socket) +++ _ABI_SYSCALL_MUX_CHK(bind) +++ _ABI_SYSCALL_MUX_CHK(connect) +++ _ABI_SYSCALL_MUX_CHK(listen) +++ _ABI_SYSCALL_MUX_CHK(accept) +++ _ABI_SYSCALL_MUX_CHK(getsockname) +++ _ABI_SYSCALL_MUX_CHK(getpeername) +++ _ABI_SYSCALL_MUX_CHK(socketpair) +++ _ABI_SYSCALL_MUX_CHK(send) +++ _ABI_SYSCALL_MUX_CHK(recv) +++ _ABI_SYSCALL_MUX_CHK(sendto) +++ _ABI_SYSCALL_MUX_CHK(recvfrom) +++ _ABI_SYSCALL_MUX_CHK(shutdown) +++ _ABI_SYSCALL_MUX_CHK(setsockopt) +++ _ABI_SYSCALL_MUX_CHK(getsockopt) +++ _ABI_SYSCALL_MUX_CHK(sendmsg) +++ _ABI_SYSCALL_MUX_CHK(recvmsg) +++ _ABI_SYSCALL_MUX_CHK(accept4) +++ _ABI_SYSCALL_MUX_CHK(recvmmsg) +++ _ABI_SYSCALL_MUX_CHK(sendmmsg) +++ _ABI_SYSCALL_MUX_CHK(semop) +++ _ABI_SYSCALL_MUX_CHK(semget) +++ _ABI_SYSCALL_MUX_CHK(semctl) +++ _ABI_SYSCALL_MUX_CHK(semtimedop) +++ _ABI_SYSCALL_MUX_CHK(msgsnd) +++ _ABI_SYSCALL_MUX_CHK(msgrcv) +++ _ABI_SYSCALL_MUX_CHK(msgget) +++ _ABI_SYSCALL_MUX_CHK(msgctl) +++ _ABI_SYSCALL_MUX_CHK(shmat) +++ _ABI_SYSCALL_MUX_CHK(shmdt) +++ _ABI_SYSCALL_MUX_CHK(shmget) +++ _ABI_SYSCALL_MUX_CHK(shmctl) +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int mips_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __mips_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __mips_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the mips seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the mips ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if (_mips_syscall_socket_test(sys)) { +++ /* socket syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _mips_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _mips_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __mips_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (_mips_syscall_ipc_test(sys)) { +++ /* ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _mips_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _mips_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __mips_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_mips = { ++ .token = SCMP_ARCH_MIPS, ++ .token_bpf = AUDIT_ARCH_MIPS, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++- .sys_socketcall = __mips_NR_socketcall, ++- .sys_ipc = __mips_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = mips_syscall_resolve_name_munge, +++ .syscall_resolve_num = mips_syscall_resolve_num_munge, +++ .syscall_rewrite = mips_syscall_rewrite, +++ .rule_add = mips_rule_add, ++ }; ++ ++ const struct arch_def arch_def_mipsel = { ++@@ -54,12 +566,8 @@ const struct arch_def arch_def_mipsel = { ++ .token_bpf = AUDIT_ARCH_MIPSEL, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .sys_socketcall = __mips_NR_socketcall, ++- .sys_ipc = __mips_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = mips_syscall_resolve_name_munge, +++ .syscall_resolve_num = mips_syscall_resolve_num_munge, +++ .syscall_rewrite = mips_syscall_rewrite, +++ .rule_add = mips_rule_add, ++ }; ++diff --git a/src/arch-mips64.c b/src/arch-mips64.c ++--- a/src/arch-mips64.c +++++ b/src/arch-mips64.c ++@@ -30,7 +30,6 @@ ++ ++ /** ++ * Resolve a syscall name to a number ++- * @param arch the architecture definition ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++@@ -38,13 +37,12 @@ ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++-int mips64_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name) +++int mips64_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++- sys = arch->syscall_resolve_name_raw(name); +++ sys = mips64_syscall_resolve_name(name); ++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++@@ -53,7 +51,6 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch, ++ ++ /** ++ * Resolve a syscall number to a name ++- * @param arch the architecture definition ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++@@ -61,13 +58,12 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch, ++ * syscall names; returns NULL on failure. ++ * ++ */ ++-const char *mips64_syscall_resolve_num_munge(const struct arch_def *arch, ++- int num) +++const char *mips64_syscall_resolve_num_munge(int num) ++ { ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ if (num >= __SCMP_NR_BASE) ++ num -= __SCMP_NR_BASE; ++- return arch->syscall_resolve_num_raw(num); +++ return mips64_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_mips64 = { ++@@ -76,9 +72,7 @@ const struct arch_def arch_def_mips64 = { ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_BIG, ++ .syscall_resolve_name = mips64_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips64_syscall_resolve_name, ++ .syscall_resolve_num = mips64_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++@@ -89,9 +83,7 @@ const struct arch_def arch_def_mipsel64 = { ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_LITTLE, ++ .syscall_resolve_name = mips64_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips64_syscall_resolve_name, ++ .syscall_resolve_num = mips64_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c ++--- a/src/arch-mips64n32.c +++++ b/src/arch-mips64n32.c ++@@ -32,7 +32,6 @@ ++ ++ /** ++ * Resolve a syscall name to a number ++- * @param arch the architecture definition ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++@@ -40,8 +39,7 @@ ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++-int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name) +++int mips64n32_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ ++@@ -55,7 +53,6 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, ++ ++ /** ++ * Resolve a syscall number to a name ++- * @param arch the architecture definition ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++@@ -63,8 +60,7 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch, ++ * syscall names; returns NULL on failure. ++ * ++ */ ++-const char *mips64n32_syscall_resolve_num_munge(const struct arch_def *arch, ++- int num) +++const char *mips64n32_syscall_resolve_num_munge(int num) ++ { ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ if (num >= __SCMP_NR_BASE) ++@@ -78,9 +74,7 @@ const struct arch_def arch_def_mips64n32 = { ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++ .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips64n32_syscall_resolve_name, ++ .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips64n32_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++@@ -91,9 +85,7 @@ const struct arch_def arch_def_mipsel64n32 = { ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_LITTLE, ++ .syscall_resolve_name = mips64n32_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = mips64n32_syscall_resolve_name, ++ .syscall_resolve_num = mips64n32_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = mips64n32_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-parisc.c b/src/arch-parisc.c ++--- a/src/arch-parisc.c +++++ b/src/arch-parisc.c ++@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc = { ++ .token_bpf = AUDIT_ARCH_PARISC, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++- .syscall_resolve_name_raw = parisc_syscall_resolve_name, ++- .syscall_resolve_num_raw = parisc_syscall_resolve_num, +++ .syscall_resolve_name = parisc_syscall_resolve_name, +++ .syscall_resolve_num = parisc_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-parisc64.c b/src/arch-parisc64.c ++--- a/src/arch-parisc64.c +++++ b/src/arch-parisc64.c ++@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc64 = { ++ .token_bpf = AUDIT_ARCH_PARISC64, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_BIG, ++- .syscall_resolve_name_raw = parisc64_syscall_resolve_name, ++- .syscall_resolve_num_raw = parisc64_syscall_resolve_num, +++ .syscall_resolve_name = parisc64_syscall_resolve_name, +++ .syscall_resolve_num = parisc64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-ppc.c b/src/arch-ppc.c ++--- a/src/arch-ppc.c +++++ b/src/arch-ppc.c ++@@ -34,17 +34,526 @@ ++ #define __ppc_NR_socketcall 102 ++ #define __ppc_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int ppc_syscall_resolve_name_munge(const char *name) +++{ +++ +++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return __PNR_##NAME; +++ +++ _ABI_SYSCALL_RES_NAME_CHK(socket) +++ _ABI_SYSCALL_RES_NAME_CHK(bind) +++ _ABI_SYSCALL_RES_NAME_CHK(connect) +++ _ABI_SYSCALL_RES_NAME_CHK(listen) +++ _ABI_SYSCALL_RES_NAME_CHK(accept) +++ _ABI_SYSCALL_RES_NAME_CHK(getsockname) +++ _ABI_SYSCALL_RES_NAME_CHK(getpeername) +++ _ABI_SYSCALL_RES_NAME_CHK(socketpair) +++ _ABI_SYSCALL_RES_NAME_CHK(send) +++ _ABI_SYSCALL_RES_NAME_CHK(recv) +++ _ABI_SYSCALL_RES_NAME_CHK(sendto) +++ _ABI_SYSCALL_RES_NAME_CHK(recvfrom) +++ _ABI_SYSCALL_RES_NAME_CHK(shutdown) +++ _ABI_SYSCALL_RES_NAME_CHK(setsockopt) +++ _ABI_SYSCALL_RES_NAME_CHK(getsockopt) +++ _ABI_SYSCALL_RES_NAME_CHK(sendmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(recvmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(accept4) +++ _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) +++ _ABI_SYSCALL_RES_NAME_CHK(semop) +++ _ABI_SYSCALL_RES_NAME_CHK(semget) +++ _ABI_SYSCALL_RES_NAME_CHK(semctl) +++ _ABI_SYSCALL_RES_NAME_CHK(semtimedop) +++ _ABI_SYSCALL_RES_NAME_CHK(msgsnd) +++ _ABI_SYSCALL_RES_NAME_CHK(msgrcv) +++ _ABI_SYSCALL_RES_NAME_CHK(msgget) +++ _ABI_SYSCALL_RES_NAME_CHK(msgctl) +++ _ABI_SYSCALL_RES_NAME_CHK(shmat) +++ _ABI_SYSCALL_RES_NAME_CHK(shmdt) +++ _ABI_SYSCALL_RES_NAME_CHK(shmget) +++ _ABI_SYSCALL_RES_NAME_CHK(shmctl) +++ +++ return ppc_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *ppc_syscall_resolve_num_munge(int num) +++{ +++ +++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ +++ if (num == __PNR_##NAME) return #NAME; +++ +++ _ABI_SYSCALL_RES_NUM_CHK(socket) +++ _ABI_SYSCALL_RES_NUM_CHK(bind) +++ _ABI_SYSCALL_RES_NUM_CHK(connect) +++ _ABI_SYSCALL_RES_NUM_CHK(listen) +++ _ABI_SYSCALL_RES_NUM_CHK(accept) +++ _ABI_SYSCALL_RES_NUM_CHK(getsockname) +++ _ABI_SYSCALL_RES_NUM_CHK(getpeername) +++ _ABI_SYSCALL_RES_NUM_CHK(socketpair) +++ _ABI_SYSCALL_RES_NUM_CHK(send) +++ _ABI_SYSCALL_RES_NUM_CHK(recv) +++ _ABI_SYSCALL_RES_NUM_CHK(sendto) +++ _ABI_SYSCALL_RES_NUM_CHK(recvfrom) +++ _ABI_SYSCALL_RES_NUM_CHK(shutdown) +++ _ABI_SYSCALL_RES_NUM_CHK(setsockopt) +++ _ABI_SYSCALL_RES_NUM_CHK(getsockopt) +++ _ABI_SYSCALL_RES_NUM_CHK(sendmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(recvmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(accept4) +++ _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) +++ _ABI_SYSCALL_RES_NUM_CHK(semop) +++ _ABI_SYSCALL_RES_NUM_CHK(semget) +++ _ABI_SYSCALL_RES_NUM_CHK(semctl) +++ _ABI_SYSCALL_RES_NUM_CHK(semtimedop) +++ _ABI_SYSCALL_RES_NUM_CHK(msgsnd) +++ _ABI_SYSCALL_RES_NUM_CHK(msgrcv) +++ _ABI_SYSCALL_RES_NUM_CHK(msgget) +++ _ABI_SYSCALL_RES_NUM_CHK(msgctl) +++ _ABI_SYSCALL_RES_NUM_CHK(shmat) +++ _ABI_SYSCALL_RES_NUM_CHK(shmdt) +++ _ABI_SYSCALL_RES_NUM_CHK(shmget) +++ _ABI_SYSCALL_RES_NUM_CHK(shmctl) +++ +++ return ppc_syscall_resolve_num(num); +++} +++ +++/** +++ * Check if a syscall is a socket syscall +++ * @param sys the syscall number +++ * +++ * Returns true if the syscall is a socket related syscall, false otherwise. +++ * +++ */ +++static bool _ppc_syscall_socket_test(int sys) +++{ +++ const char *name; +++ +++ /* multiplexed pseduo-syscalls */ +++ if (sys <= -100 && sys >= -120) +++ return true; +++ +++ name = ppc_syscall_resolve_num(sys); +++ if (!name) +++ return false; +++ +++#define _ABI_SYSCALL_SOCK_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return true; +++ +++ _ABI_SYSCALL_SOCK_CHK(socket) +++ _ABI_SYSCALL_SOCK_CHK(bind) +++ _ABI_SYSCALL_SOCK_CHK(connect) +++ _ABI_SYSCALL_SOCK_CHK(listen) +++ _ABI_SYSCALL_SOCK_CHK(accept) +++ _ABI_SYSCALL_SOCK_CHK(getsockname) +++ _ABI_SYSCALL_SOCK_CHK(getpeername) +++ _ABI_SYSCALL_SOCK_CHK(socketpair) +++ _ABI_SYSCALL_SOCK_CHK(send) +++ _ABI_SYSCALL_SOCK_CHK(recv) +++ _ABI_SYSCALL_SOCK_CHK(sendto) +++ _ABI_SYSCALL_SOCK_CHK(recvfrom) +++ _ABI_SYSCALL_SOCK_CHK(shutdown) +++ _ABI_SYSCALL_SOCK_CHK(setsockopt) +++ _ABI_SYSCALL_SOCK_CHK(getsockopt) +++ _ABI_SYSCALL_SOCK_CHK(sendmsg) +++ _ABI_SYSCALL_SOCK_CHK(recvmsg) +++ _ABI_SYSCALL_SOCK_CHK(accept4) +++ _ABI_SYSCALL_SOCK_CHK(recvmmsg) +++ _ABI_SYSCALL_SOCK_CHK(sendmmsg) +++ +++ return false; +++} +++ +++/** +++ * Check if a syscall is an ipc syscall +++ * @param sys the syscall number +++ * +++ * Returns true if the syscall is an ipc related syscall, false otherwise. +++ * +++ */ +++static bool _ppc_syscall_ipc_test(int sys) +++{ +++ const char *name; +++ +++ /* multiplexed pseduo-syscalls */ +++ if (sys <= -200 && sys >= -224) +++ return true; +++ +++ name = ppc_syscall_resolve_num(sys); +++ if (!name) +++ return false; +++ +++#define _ABI_SYSCALL_IPC_CHK(NAME) \ +++ if (!strcmp(name, #NAME)) return true; +++ +++ _ABI_SYSCALL_IPC_CHK(semop) +++ _ABI_SYSCALL_IPC_CHK(semget) +++ _ABI_SYSCALL_IPC_CHK(semctl) +++ _ABI_SYSCALL_IPC_CHK(semtimedop) +++ _ABI_SYSCALL_IPC_CHK(msgsnd) +++ _ABI_SYSCALL_IPC_CHK(msgrcv) +++ _ABI_SYSCALL_IPC_CHK(msgget) +++ _ABI_SYSCALL_IPC_CHK(msgctl) +++ _ABI_SYSCALL_IPC_CHK(shmat) +++ _ABI_SYSCALL_IPC_CHK(shmdt) +++ _ABI_SYSCALL_IPC_CHK(shmget) +++ _ABI_SYSCALL_IPC_CHK(shmctl) +++ +++ return false; +++} +++ +++/** +++ * Convert a multiplexed pseudo syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _ppc_syscall_demux(int syscall) +++{ +++ int sys = __NR_SCMP_UNDEF; +++ +++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ +++case __PNR_##NAME: \ +++ sys = ppc_syscall_resolve_name(#NAME); break; +++ +++ switch (syscall) { +++ _ABI_SYSCALL_DEMUX_CHK(socket) +++ _ABI_SYSCALL_DEMUX_CHK(bind) +++ _ABI_SYSCALL_DEMUX_CHK(connect) +++ _ABI_SYSCALL_DEMUX_CHK(listen) +++ _ABI_SYSCALL_DEMUX_CHK(accept) +++ _ABI_SYSCALL_DEMUX_CHK(getsockname) +++ _ABI_SYSCALL_DEMUX_CHK(getpeername) +++ _ABI_SYSCALL_DEMUX_CHK(socketpair) +++ _ABI_SYSCALL_DEMUX_CHK(send) +++ _ABI_SYSCALL_DEMUX_CHK(recv) +++ _ABI_SYSCALL_DEMUX_CHK(sendto) +++ _ABI_SYSCALL_DEMUX_CHK(recvfrom) +++ _ABI_SYSCALL_DEMUX_CHK(shutdown) +++ _ABI_SYSCALL_DEMUX_CHK(setsockopt) +++ _ABI_SYSCALL_DEMUX_CHK(getsockopt) +++ _ABI_SYSCALL_DEMUX_CHK(sendmsg) +++ _ABI_SYSCALL_DEMUX_CHK(recvmsg) +++ _ABI_SYSCALL_DEMUX_CHK(accept4) +++ _ABI_SYSCALL_DEMUX_CHK(recvmmsg) +++ _ABI_SYSCALL_DEMUX_CHK(sendmmsg) +++ _ABI_SYSCALL_DEMUX_CHK(semop) +++ _ABI_SYSCALL_DEMUX_CHK(semget) +++ _ABI_SYSCALL_DEMUX_CHK(semctl) +++ _ABI_SYSCALL_DEMUX_CHK(semtimedop) +++ _ABI_SYSCALL_DEMUX_CHK(msgsnd) +++ _ABI_SYSCALL_DEMUX_CHK(msgrcv) +++ _ABI_SYSCALL_DEMUX_CHK(msgget) +++ _ABI_SYSCALL_DEMUX_CHK(msgctl) +++ _ABI_SYSCALL_DEMUX_CHK(shmat) +++ _ABI_SYSCALL_DEMUX_CHK(shmdt) +++ _ABI_SYSCALL_DEMUX_CHK(shmget) +++ _ABI_SYSCALL_DEMUX_CHK(shmctl) +++ } +++ +++ /* this looks odd because the arch resolver returns _ERROR if it can't +++ * resolve the syscall, but we want to use _UNDEF for that, so we set +++ * 'sys' to a sentinel value of _UNDEF and if it is error here we know +++ * the resolve failed to find a match */ +++ if (sys == __NR_SCMP_UNDEF) +++ sys = __NR_SCMP_ERROR; +++ else if (sys == __NR_SCMP_ERROR) +++ sys = __NR_SCMP_UNDEF; +++ +++ return sys; +++} +++ +++/** +++ * Convert a direct syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _ppc_syscall_mux(int syscall) +++{ +++ const char *sys; +++ +++ sys = ppc_syscall_resolve_num(syscall); +++ if (!sys) +++ return __NR_SCMP_ERROR; +++ +++#define _ABI_SYSCALL_MUX_CHK(NAME) \ +++ if (!strcmp(sys, #NAME)) return __PNR_##NAME; +++ +++ _ABI_SYSCALL_MUX_CHK(socket) +++ _ABI_SYSCALL_MUX_CHK(bind) +++ _ABI_SYSCALL_MUX_CHK(connect) +++ _ABI_SYSCALL_MUX_CHK(listen) +++ _ABI_SYSCALL_MUX_CHK(accept) +++ _ABI_SYSCALL_MUX_CHK(getsockname) +++ _ABI_SYSCALL_MUX_CHK(getpeername) +++ _ABI_SYSCALL_MUX_CHK(socketpair) +++ _ABI_SYSCALL_MUX_CHK(send) +++ _ABI_SYSCALL_MUX_CHK(recv) +++ _ABI_SYSCALL_MUX_CHK(sendto) +++ _ABI_SYSCALL_MUX_CHK(recvfrom) +++ _ABI_SYSCALL_MUX_CHK(shutdown) +++ _ABI_SYSCALL_MUX_CHK(setsockopt) +++ _ABI_SYSCALL_MUX_CHK(getsockopt) +++ _ABI_SYSCALL_MUX_CHK(sendmsg) +++ _ABI_SYSCALL_MUX_CHK(recvmsg) +++ _ABI_SYSCALL_MUX_CHK(accept4) +++ _ABI_SYSCALL_MUX_CHK(recvmmsg) +++ _ABI_SYSCALL_MUX_CHK(sendmmsg) +++ _ABI_SYSCALL_MUX_CHK(semop) +++ _ABI_SYSCALL_MUX_CHK(semget) +++ _ABI_SYSCALL_MUX_CHK(semctl) +++ _ABI_SYSCALL_MUX_CHK(semtimedop) +++ _ABI_SYSCALL_MUX_CHK(msgsnd) +++ _ABI_SYSCALL_MUX_CHK(msgrcv) +++ _ABI_SYSCALL_MUX_CHK(msgget) +++ _ABI_SYSCALL_MUX_CHK(msgctl) +++ _ABI_SYSCALL_MUX_CHK(shmat) +++ _ABI_SYSCALL_MUX_CHK(shmdt) +++ _ABI_SYSCALL_MUX_CHK(shmget) +++ _ABI_SYSCALL_MUX_CHK(shmctl) +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int ppc_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __ppc_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __ppc_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the ppc seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the ppc ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if (_ppc_syscall_socket_test(sys)) { +++ /* socket syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _ppc_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _ppc_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __ppc_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (_ppc_syscall_ipc_test(sys)) { +++ /* ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _ppc_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _ppc_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __ppc_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_ppc = { ++ .token = SCMP_ARCH_PPC, ++ .token_bpf = AUDIT_ARCH_PPC, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++- .sys_socketcall = __ppc_NR_socketcall, ++- .sys_ipc = __ppc_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = ppc_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = ppc_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = ppc_syscall_resolve_name_munge, +++ .syscall_resolve_num = ppc_syscall_resolve_num_munge, +++ .syscall_rewrite = ppc_syscall_rewrite, +++ .rule_add = ppc_rule_add, ++ }; ++diff --git a/src/arch-ppc64.c b/src/arch-ppc64.c ++--- a/src/arch-ppc64.c +++++ b/src/arch-ppc64.c ++@@ -26,7 +26,6 @@ ++ #include ++ ++ #include "db.h" ++-#include "syscalls.h" ++ #include "arch.h" ++ #include "arch-ppc64.h" ++ ++@@ -34,19 +33,605 @@ ++ #define __ppc64_NR_socketcall 102 ++ #define __ppc64_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int ppc64_syscall_resolve_name_munge(const char *name) +++{ +++ if (strcmp(name, "accept") == 0) +++ return __PNR_accept; +++ if (strcmp(name, "accept4") == 0) +++ return __PNR_accept4; +++ else if (strcmp(name, "bind") == 0) +++ return __PNR_bind; +++ else if (strcmp(name, "connect") == 0) +++ return __PNR_connect; +++ else if (strcmp(name, "getpeername") == 0) +++ return __PNR_getpeername; +++ else if (strcmp(name, "getsockname") == 0) +++ return __PNR_getsockname; +++ else if (strcmp(name, "getsockopt") == 0) +++ return __PNR_getsockopt; +++ else if (strcmp(name, "listen") == 0) +++ return __PNR_listen; +++ else if (strcmp(name, "msgctl") == 0) +++ return __PNR_msgctl; +++ else if (strcmp(name, "msgget") == 0) +++ return __PNR_msgget; +++ else if (strcmp(name, "msgrcv") == 0) +++ return __PNR_msgrcv; +++ else if (strcmp(name, "msgsnd") == 0) +++ return __PNR_msgsnd; +++ else if (strcmp(name, "recv") == 0) +++ return __PNR_recv; +++ else if (strcmp(name, "recvfrom") == 0) +++ return __PNR_recvfrom; +++ else if (strcmp(name, "recvmsg") == 0) +++ return __PNR_recvmsg; +++ else if (strcmp(name, "recvmmsg") == 0) +++ return __PNR_recvmmsg; +++ else if (strcmp(name, "semctl") == 0) +++ return __PNR_semctl; +++ else if (strcmp(name, "semget") == 0) +++ return __PNR_semget; +++ else if (strcmp(name, "semtimedop") == 0) +++ return __PNR_semtimedop; +++ else if (strcmp(name, "send") == 0) +++ return __PNR_send; +++ else if (strcmp(name, "sendmsg") == 0) +++ return __PNR_sendmsg; +++ else if (strcmp(name, "sendmmsg") == 0) +++ return __PNR_sendmmsg; +++ else if (strcmp(name, "sendto") == 0) +++ return __PNR_sendto; +++ else if (strcmp(name, "setsockopt") == 0) +++ return __PNR_setsockopt; +++ else if (strcmp(name, "shmat") == 0) +++ return __PNR_shmat; +++ else if (strcmp(name, "shmdt") == 0) +++ return __PNR_shmdt; +++ else if (strcmp(name, "shmget") == 0) +++ return __PNR_shmget; +++ else if (strcmp(name, "shmctl") == 0) +++ return __PNR_shmctl; +++ else if (strcmp(name, "shutdown") == 0) +++ return __PNR_shutdown; +++ else if (strcmp(name, "socket") == 0) +++ return __PNR_socket; +++ else if (strcmp(name, "socketpair") == 0) +++ return __PNR_socketpair; +++ +++ return ppc64_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *ppc64_syscall_resolve_num_munge(int num) +++{ +++ if (num == __PNR_accept) +++ return "accept"; +++ else if (num == __PNR_accept4) +++ return "accept4"; +++ else if (num == __PNR_bind) +++ return "bind"; +++ else if (num == __PNR_connect) +++ return "connect"; +++ else if (num == __PNR_getpeername) +++ return "getpeername"; +++ else if (num == __PNR_getsockname) +++ return "getsockname"; +++ else if (num == __PNR_getsockopt) +++ return "getsockopt"; +++ else if (num == __PNR_listen) +++ return "listen"; +++ else if (num == __PNR_msgctl) +++ return "msgctl"; +++ else if (num == __PNR_msgget) +++ return "msgget"; +++ else if (num == __PNR_msgrcv) +++ return "msgrcv"; +++ else if (num == __PNR_msgsnd) +++ return "msgsnd"; +++ else if (num == __PNR_recv) +++ return "recv"; +++ else if (num == __PNR_recvfrom) +++ return "recvfrom"; +++ else if (num == __PNR_recvmsg) +++ return "recvmsg"; +++ else if (num == __PNR_recvmmsg) +++ return "recvmmsg"; +++ else if (num == __PNR_semctl) +++ return "semctl"; +++ else if (num == __PNR_semget) +++ return "semget"; +++ else if (num == __PNR_semtimedop) +++ return "semtimedop"; +++ else if (num == __PNR_send) +++ return "send"; +++ else if (num == __PNR_sendmsg) +++ return "sendmsg"; +++ else if (num == __PNR_sendmmsg) +++ return "sendmmsg"; +++ else if (num == __PNR_sendto) +++ return "sendto"; +++ else if (num == __PNR_setsockopt) +++ return "setsockopt"; +++ else if (num == __PNR_shmat) +++ return "shmat"; +++ else if (num == __PNR_shmdt) +++ return "shmdt"; +++ else if (num == __PNR_shmget) +++ return "shmget"; +++ else if (num == __PNR_shmctl) +++ return "shmctl"; +++ else if (num == __PNR_shutdown) +++ return "shutdown"; +++ else if (num == __PNR_socket) +++ return "socket"; +++ else if (num == __PNR_socketpair) +++ return "socketpair"; +++ +++ return ppc64_syscall_resolve_num(num); +++} +++ +++/** +++ * Convert a multiplexed pseudo socket syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _ppc64_syscall_demux(int syscall) +++{ +++ switch (syscall) { +++ case -101: +++ /* socket */ +++ return 326; +++ case -102: +++ /* bind */ +++ return 327; +++ case -103: +++ /* connect */ +++ return 328; +++ case -104: +++ /* listen */ +++ return 329; +++ case -105: +++ /* accept */ +++ return 330; +++ case -106: +++ /* getsockname */ +++ return 331; +++ case -107: +++ /* getpeername */ +++ return 332; +++ case -108: +++ /* socketpair */ +++ return 333; +++ case -109: +++ /* send */ +++ return 334; +++ case -110: +++ /* recv */ +++ return 336; +++ case -111: +++ /* sendto */ +++ return 335; +++ case -112: +++ /* recvfrom */ +++ return 337; +++ case -113: +++ /* shutdown */ +++ return 338; +++ case -114: +++ /* setsockopt */ +++ return 339; +++ case -115: +++ /* getsockopt */ +++ return 340; +++ case -116: +++ /* sendmsg */ +++ return 341; +++ case -117: +++ /* recvmsg */ +++ return 342; +++ case -118: +++ /* accept4 */ +++ return 344; +++ case -119: +++ /* recvmmsg */ +++ return 343; +++ case -120: +++ /* sendmmsg */ +++ return 349; +++ case -201: +++ /* semop - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -202: +++ /* semget */ +++ return 393; +++ case -203: +++ /* semctl */ +++ return 394; +++ case -204: +++ /* semtimedop */ +++ return 392; +++ case -211: +++ /* msgsnd */ +++ return 400; +++ case -212: +++ /* msgrcv */ +++ return 401; +++ case -213: +++ /* msgget */ +++ return 399; +++ case -214: +++ /* msgctl */ +++ return 402; +++ case -221: +++ /* shmat */ +++ return 397; +++ case -222: +++ /* shmdt */ +++ return 398; +++ case -223: +++ /* shmget */ +++ return 395; +++ case -224: +++ /* shmctl */ +++ return 396; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Convert a direct socket syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _ppc64_syscall_mux(int syscall) +++{ +++ switch (syscall) { +++ case 326: +++ /* socket */ +++ return -101; +++ case 327: +++ /* bind */ +++ return -102; +++ case 328: +++ /* connect */ +++ return -103; +++ case 329: +++ /* listen */ +++ return -104; +++ case 330: +++ /* accept */ +++ return -105; +++ case 331: +++ /* getsockname */ +++ return -106; +++ case 332: +++ /* getpeername */ +++ return -107; +++ case 333: +++ /* socketpair */ +++ return -108; +++ case 334: +++ /* send */ +++ return -109; +++ case 335: +++ /* sendto */ +++ return -111; +++ case 336: +++ /* recv */ +++ return -110; +++ case 337: +++ /* recvfrom */ +++ return -112; +++ case 338: +++ /* shutdown */ +++ return -113; +++ case 339: +++ /* setsockopt */ +++ return -114; +++ case 340: +++ /* getsockopt */ +++ return -115; +++ case 341: +++ /* sendmsg */ +++ return -116; +++ case 342: +++ /* recvmsg */ +++ return -117; +++ case 343: +++ /* recvmmsg */ +++ return -119; +++ case 344: +++ /* accept4 */ +++ return -118; +++ case 349: +++ /* sendmmsg */ +++ return -120; +++ case 392: +++ /* semtimedop */ +++ return -204; +++ case 393: +++ /* semget */ +++ return -202; +++ case 394: +++ /* semctl */ +++ return -203; +++ case 395: +++ /* shmget */ +++ return -223; +++ case 396: +++ /* shmctl */ +++ return -224; +++ case 397: +++ /* shmat */ +++ return -221; +++ case 398: +++ /* shmdt */ +++ return -222; +++ case 399: +++ /* msgget */ +++ return -213; +++ case 400: +++ /* msgsnd */ +++ return -211; +++ case 401: +++ /* msgrcv */ +++ return -212; +++ case 402: +++ /* msgctl */ +++ return -214; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int ppc64_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __ppc64_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __ppc64_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the ppc64 seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the ppc64 ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int ppc64_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if ((sys <= -100 && sys >= -120) || (sys >= 326 && sys <= 344) || +++ (sys == 349)) { +++ /* (-100 to -120) : multiplexed socket syscalls +++ (326 to 344) : direct socket syscalls, Linux 4.3+ +++ (349) : sendmmsg */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _ppc64_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _ppc64_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) { +++ rc = -ENOMEM; +++ goto add_return; +++ } +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __ppc64_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) { +++ /* (-200 to -224) : multiplexed ipc syscalls +++ (392 to 402) : direct ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _ppc64_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _ppc64_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __ppc64_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_ppc64 = { ++ .token = SCMP_ARCH_PPC64, ++ .token_bpf = AUDIT_ARCH_PPC64, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_BIG, ++- .sys_socketcall = __ppc64_NR_socketcall, ++- .sys_ipc = __ppc64_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = ppc64_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = ppc64_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = ppc64_syscall_resolve_name_munge, +++ .syscall_resolve_num = ppc64_syscall_resolve_num_munge, +++ .syscall_rewrite = ppc64_syscall_rewrite, +++ .rule_add = ppc64_rule_add, ++ }; ++ ++ const struct arch_def arch_def_ppc64le = { ++@@ -54,12 +639,8 @@ const struct arch_def arch_def_ppc64le = { ++ .token_bpf = AUDIT_ARCH_PPC64LE, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .sys_socketcall = __ppc64_NR_socketcall, ++- .sys_ipc = __ppc64_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = ppc64_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = ppc64_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = ppc64_syscall_resolve_name_munge, +++ .syscall_resolve_num = ppc64_syscall_resolve_num_munge, +++ .syscall_rewrite = ppc64_syscall_rewrite, +++ .rule_add = ppc64_rule_add, ++ }; ++diff --git a/src/arch-riscv64.c b/src/arch-riscv64.c ++--- a/src/arch-riscv64.c +++++ b/src/arch-riscv64.c ++@@ -24,8 +24,8 @@ const struct arch_def arch_def_riscv64 = { ++ .token_bpf = AUDIT_ARCH_RISCV64, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .syscall_resolve_name_raw = riscv64_syscall_resolve_name, ++- .syscall_resolve_num_raw = riscv64_syscall_resolve_num, +++ .syscall_resolve_name = riscv64_syscall_resolve_name, +++ .syscall_resolve_num = riscv64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-s390.c b/src/arch-s390.c ++--- a/src/arch-s390.c +++++ b/src/arch-s390.c ++@@ -17,17 +17,593 @@ ++ #define __s390_NR_socketcall 102 ++ #define __s390_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int s390_syscall_resolve_name_munge(const char *name) +++{ +++ if (strcmp(name, "accept") == 0) +++ return __PNR_accept; +++ if (strcmp(name, "accept4") == 0) +++ return __PNR_accept4; +++ else if (strcmp(name, "bind") == 0) +++ return __PNR_bind; +++ else if (strcmp(name, "connect") == 0) +++ return __PNR_connect; +++ else if (strcmp(name, "getpeername") == 0) +++ return __PNR_getpeername; +++ else if (strcmp(name, "getsockname") == 0) +++ return __PNR_getsockname; +++ else if (strcmp(name, "getsockopt") == 0) +++ return __PNR_getsockopt; +++ else if (strcmp(name, "listen") == 0) +++ return __PNR_listen; +++ else if (strcmp(name, "msgctl") == 0) +++ return __PNR_msgctl; +++ else if (strcmp(name, "msgget") == 0) +++ return __PNR_msgget; +++ else if (strcmp(name, "msgrcv") == 0) +++ return __PNR_msgrcv; +++ else if (strcmp(name, "msgsnd") == 0) +++ return __PNR_msgsnd; +++ else if (strcmp(name, "recv") == 0) +++ return __PNR_recv; +++ else if (strcmp(name, "recvfrom") == 0) +++ return __PNR_recvfrom; +++ else if (strcmp(name, "recvmsg") == 0) +++ return __PNR_recvmsg; +++ else if (strcmp(name, "semctl") == 0) +++ return __PNR_semctl; +++ else if (strcmp(name, "semget") == 0) +++ return __PNR_semget; +++ else if (strcmp(name, "semtimedop") == 0) +++ return __PNR_semtimedop; +++ else if (strcmp(name, "recvmmsg") == 0) +++ return __PNR_recvmmsg; +++ else if (strcmp(name, "send") == 0) +++ return __PNR_send; +++ else if (strcmp(name, "sendmsg") == 0) +++ return __PNR_sendmsg; +++ else if (strcmp(name, "sendmmsg") == 0) +++ return __PNR_sendmmsg; +++ else if (strcmp(name, "sendto") == 0) +++ return __PNR_sendto; +++ else if (strcmp(name, "setsockopt") == 0) +++ return __PNR_setsockopt; +++ else if (strcmp(name, "shmat") == 0) +++ return __PNR_shmat; +++ else if (strcmp(name, "shmdt") == 0) +++ return __PNR_shmdt; +++ else if (strcmp(name, "shmget") == 0) +++ return __PNR_shmget; +++ else if (strcmp(name, "shmctl") == 0) +++ return __PNR_shmctl; +++ else if (strcmp(name, "shutdown") == 0) +++ return __PNR_shutdown; +++ else if (strcmp(name, "socket") == 0) +++ return __PNR_socket; +++ else if (strcmp(name, "socketpair") == 0) +++ return __PNR_socketpair; +++ +++ return s390_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *s390_syscall_resolve_num_munge(int num) +++{ +++ if (num == __PNR_accept) +++ return "accept"; +++ else if (num == __PNR_accept4) +++ return "accept4"; +++ else if (num == __PNR_bind) +++ return "bind"; +++ else if (num == __PNR_connect) +++ return "connect"; +++ else if (num == __PNR_getpeername) +++ return "getpeername"; +++ else if (num == __PNR_getsockname) +++ return "getsockname"; +++ else if (num == __PNR_getsockopt) +++ return "getsockopt"; +++ else if (num == __PNR_listen) +++ return "listen"; +++ else if (num == __PNR_msgctl) +++ return "msgctl"; +++ else if (num == __PNR_msgget) +++ return "msgget"; +++ else if (num == __PNR_msgrcv) +++ return "msgrcv"; +++ else if (num == __PNR_msgsnd) +++ return "msgsnd"; +++ else if (num == __PNR_recv) +++ return "recv"; +++ else if (num == __PNR_recvfrom) +++ return "recvfrom"; +++ else if (num == __PNR_recvmsg) +++ return "recvmsg"; +++ else if (num == __PNR_recvmmsg) +++ return "recvmmsg"; +++ else if (num == __PNR_semctl) +++ return "semctl"; +++ else if (num == __PNR_semget) +++ return "semget"; +++ else if (num == __PNR_semtimedop) +++ return "semtimedop"; +++ else if (num == __PNR_send) +++ return "send"; +++ else if (num == __PNR_sendmsg) +++ return "sendmsg"; +++ else if (num == __PNR_sendmmsg) +++ return "sendmmsg"; +++ else if (num == __PNR_sendto) +++ return "sendto"; +++ else if (num == __PNR_setsockopt) +++ return "setsockopt"; +++ else if (num == __PNR_shmat) +++ return "shmat"; +++ else if (num == __PNR_shmdt) +++ return "shmdt"; +++ else if (num == __PNR_shmget) +++ return "shmget"; +++ else if (num == __PNR_shmctl) +++ return "shmctl"; +++ else if (num == __PNR_shutdown) +++ return "shutdown"; +++ else if (num == __PNR_socket) +++ return "socket"; +++ else if (num == __PNR_socketpair) +++ return "socketpair"; +++ +++ return s390_syscall_resolve_num(num); +++} +++ +++/** +++ * Convert a multiplexed pseudo syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _s390_syscall_demux(int syscall) +++{ +++ switch (syscall) { +++ case -101: +++ /* socket */ +++ return 359; +++ case -102: +++ /* bind */ +++ return 361; +++ case -103: +++ /* connect */ +++ return 362; +++ case -104: +++ /* listen */ +++ return 363; +++ case -105: +++ /* accept - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -106: +++ /* getsockname */ +++ return 367; +++ case -107: +++ /* getpeername */ +++ return 368; +++ case -108: +++ /* socketpair */ +++ return 360; +++ case -109: +++ /* send - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -110: +++ /* recv - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -111: +++ /* sendto */ +++ return 369; +++ case -112: +++ /* recvfrom */ +++ return 371; +++ case -113: +++ /* shutdown */ +++ return 373; +++ case -114: +++ /* setsockopt */ +++ return 366; +++ case -115: +++ /* getsockopt */ +++ return 365; +++ case -116: +++ /* sendmsg */ +++ return 370; +++ case -117: +++ /* recvmsg */ +++ return 372; +++ case -118: +++ /* accept4 */ +++ return 364; +++ case -119: +++ /* recvmmsg */ +++ return 337; +++ case -120: +++ /* sendmmsg */ +++ return 345; +++ case -201: +++ /* semop - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -202: +++ /* semget */ +++ return 393; +++ case -203: +++ /* semctl */ +++ return 394; +++ case -204: +++ /* semtimedop */ +++ return 392; +++ case -211: +++ /* msgsnd */ +++ return 400; +++ case -212: +++ /* msgrcv */ +++ return 401; +++ case -213: +++ /* msgget */ +++ return 399; +++ case -214: +++ /* msgctl */ +++ return 402; +++ case -221: +++ /* shmat */ +++ return 397; +++ case -222: +++ /* shmdt */ +++ return 398; +++ case -223: +++ /* shmget */ +++ return 395; +++ case -224: +++ /* shmctl */ +++ return 396; +++ +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Convert a direct socket syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _s390_syscall_mux(int syscall) +++{ +++ switch (syscall) { +++ case 337: +++ /* recvmmsg */ +++ return -119; +++ case 345: +++ /* sendmmsg */ +++ return -120; +++ case 359: +++ /* socket */ +++ return -101; +++ case 360: +++ /* socketpair */ +++ return -108; +++ case 361: +++ /* bind */ +++ return -102; +++ case 362: +++ /* connect */ +++ return -103; +++ case 363: +++ /* listen */ +++ return -104; +++ case 364: +++ /* accept4 */ +++ return -118; +++ case 365: +++ /* getsockopt */ +++ return -115; +++ case 366: +++ /* setsockopt */ +++ return -114; +++ case 367: +++ /* getsockname */ +++ return -106; +++ case 368: +++ /* getpeername */ +++ return -107; +++ case 369: +++ /* sendto */ +++ return -111; +++ case 370: +++ /* sendmsg */ +++ return -116; +++ case 371: +++ /* recvfrom */ +++ return -112; +++ case 372: +++ /* recvmsg */ +++ return -117; +++ case 373: +++ /* shutdown */ +++ return -113; +++ case 393: +++ /* semget */ +++ return -202; +++ case 394: +++ /* semctl */ +++ return -203; +++ case 400: +++ /* msgsnd */ +++ return -211; +++ case 401: +++ /* msgrcv */ +++ return -212; +++ case 399: +++ /* msgget */ +++ return -213; +++ case 402: +++ /* msgctl */ +++ return -214; +++ case 397: +++ /* shmat */ +++ return -221; +++ case 398: +++ /* shmdt */ +++ return -222; +++ case 395: +++ /* shmget */ +++ return -223; +++ case 396: +++ /* shmctl */ +++ return -224; +++ case 392: +++ /* semtimedop */ +++ return -204; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int s390_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __s390_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __s390_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the s390 seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the s390 ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { +++ /* (-100 to -120) : multiplexed socket syscalls +++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _s390_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _s390_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) { +++ rc = -ENOMEM; +++ goto add_return; +++ } +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __s390_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) { +++ /* (-200 to -224) : multiplexed ipc syscalls +++ (393 to 402) : direct ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _s390_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _s390_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __s390_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_s390 = { ++ .token = SCMP_ARCH_S390, ++ .token_bpf = AUDIT_ARCH_S390, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++- .sys_socketcall = __s390_NR_socketcall, ++- .sys_ipc = __s390_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = s390_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = s390_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = s390_syscall_resolve_name_munge, +++ .syscall_resolve_num = s390_syscall_resolve_num_munge, +++ .syscall_rewrite = s390_syscall_rewrite, +++ .rule_add = s390_rule_add, ++ }; ++diff --git a/src/arch-s390x.c b/src/arch-s390x.c ++--- a/src/arch-s390x.c +++++ b/src/arch-s390x.c ++@@ -17,17 +17,592 @@ ++ #define __s390x_NR_socketcall 102 ++ #define __s390x_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int s390x_syscall_resolve_name_munge(const char *name) +++{ +++ if (strcmp(name, "accept") == 0) +++ return __PNR_accept; +++ if (strcmp(name, "accept4") == 0) +++ return __PNR_accept4; +++ else if (strcmp(name, "bind") == 0) +++ return __PNR_bind; +++ else if (strcmp(name, "connect") == 0) +++ return __PNR_connect; +++ else if (strcmp(name, "getpeername") == 0) +++ return __PNR_getpeername; +++ else if (strcmp(name, "getsockname") == 0) +++ return __PNR_getsockname; +++ else if (strcmp(name, "getsockopt") == 0) +++ return __PNR_getsockopt; +++ else if (strcmp(name, "listen") == 0) +++ return __PNR_listen; +++ else if (strcmp(name, "msgctl") == 0) +++ return __PNR_msgctl; +++ else if (strcmp(name, "msgget") == 0) +++ return __PNR_msgget; +++ else if (strcmp(name, "msgrcv") == 0) +++ return __PNR_msgrcv; +++ else if (strcmp(name, "msgsnd") == 0) +++ return __PNR_msgsnd; +++ else if (strcmp(name, "recv") == 0) +++ return __PNR_recv; +++ else if (strcmp(name, "recvfrom") == 0) +++ return __PNR_recvfrom; +++ else if (strcmp(name, "recvmsg") == 0) +++ return __PNR_recvmsg; +++ else if (strcmp(name, "recvmmsg") == 0) +++ return __PNR_recvmmsg; +++ else if (strcmp(name, "semctl") == 0) +++ return __PNR_semctl; +++ else if (strcmp(name, "semget") == 0) +++ return __PNR_semget; +++ else if (strcmp(name, "semtimedop") == 0) +++ return __PNR_semtimedop; +++ else if (strcmp(name, "send") == 0) +++ return __PNR_send; +++ else if (strcmp(name, "sendmsg") == 0) +++ return __PNR_sendmsg; +++ else if (strcmp(name, "sendmmsg") == 0) +++ return __PNR_sendmmsg; +++ else if (strcmp(name, "sendto") == 0) +++ return __PNR_sendto; +++ else if (strcmp(name, "setsockopt") == 0) +++ return __PNR_setsockopt; +++ else if (strcmp(name, "shmat") == 0) +++ return __PNR_shmat; +++ else if (strcmp(name, "shmdt") == 0) +++ return __PNR_shmdt; +++ else if (strcmp(name, "shmget") == 0) +++ return __PNR_shmget; +++ else if (strcmp(name, "shmctl") == 0) +++ return __PNR_shmctl; +++ else if (strcmp(name, "shutdown") == 0) +++ return __PNR_shutdown; +++ else if (strcmp(name, "socket") == 0) +++ return __PNR_socket; +++ else if (strcmp(name, "socketpair") == 0) +++ return __PNR_socketpair; +++ +++ return s390x_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *s390x_syscall_resolve_num_munge(int num) +++{ +++ if (num == __PNR_accept) +++ return "accept"; +++ else if (num == __PNR_accept4) +++ return "accept4"; +++ else if (num == __PNR_bind) +++ return "bind"; +++ else if (num == __PNR_connect) +++ return "connect"; +++ else if (num == __PNR_getpeername) +++ return "getpeername"; +++ else if (num == __PNR_getsockname) +++ return "getsockname"; +++ else if (num == __PNR_getsockopt) +++ return "getsockopt"; +++ else if (num == __PNR_listen) +++ return "listen"; +++ else if (num == __PNR_msgctl) +++ return "msgctl"; +++ else if (num == __PNR_msgget) +++ return "msgget"; +++ else if (num == __PNR_msgrcv) +++ return "msgrcv"; +++ else if (num == __PNR_msgsnd) +++ return "msgsnd"; +++ else if (num == __PNR_recv) +++ return "recv"; +++ else if (num == __PNR_recvfrom) +++ return "recvfrom"; +++ else if (num == __PNR_recvmsg) +++ return "recvmsg"; +++ else if (num == __PNR_recvmmsg) +++ return "recvmmsg"; +++ else if (num == __PNR_semctl) +++ return "semctl"; +++ else if (num == __PNR_semget) +++ return "semget"; +++ else if (num == __PNR_semtimedop) +++ return "semtimedop"; +++ else if (num == __PNR_send) +++ return "send"; +++ else if (num == __PNR_sendmsg) +++ return "sendmsg"; +++ else if (num == __PNR_sendmmsg) +++ return "sendmmsg"; +++ else if (num == __PNR_sendto) +++ return "sendto"; +++ else if (num == __PNR_setsockopt) +++ return "setsockopt"; +++ else if (num == __PNR_shmat) +++ return "shmat"; +++ else if (num == __PNR_shmdt) +++ return "shmdt"; +++ else if (num == __PNR_shmget) +++ return "shmget"; +++ else if (num == __PNR_shmctl) +++ return "shmctl"; +++ else if (num == __PNR_shutdown) +++ return "shutdown"; +++ else if (num == __PNR_socket) +++ return "socket"; +++ else if (num == __PNR_socketpair) +++ return "socketpair"; +++ +++ return s390x_syscall_resolve_num(num); +++} +++ +++/** +++ * Convert a multiplexed pseudo socket syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _s390x_syscall_demux(int syscall) +++{ +++ switch (syscall) { +++ case -101: +++ /* socket */ +++ return 359; +++ case -102: +++ /* bind */ +++ return 361; +++ case -103: +++ /* connect */ +++ return 362; +++ case -104: +++ /* listen */ +++ return 363; +++ case -105: +++ /* accept - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -106: +++ /* getsockname */ +++ return 367; +++ case -107: +++ /* getpeername */ +++ return 368; +++ case -108: +++ /* socketpair */ +++ return 360; +++ case -109: +++ /* send - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -110: +++ /* recv - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -111: +++ /* sendto */ +++ return 369; +++ case -112: +++ /* recvfrom */ +++ return 371; +++ case -113: +++ /* shutdown */ +++ return 373; +++ case -114: +++ /* setsockopt */ +++ return 366; +++ case -115: +++ /* getsockopt */ +++ return 365; +++ case -116: +++ /* sendmsg */ +++ return 370; +++ case -117: +++ /* recvmsg */ +++ return 372; +++ case -118: +++ /* accept4 */ +++ return 364; +++ case -119: +++ /* recvmmsg */ +++ return 337; +++ case -120: +++ /* sendmmsg */ +++ return 345; +++ case -201: +++ /* semop - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -202: +++ /* semget */ +++ return 393; +++ case -203: +++ /* semctl */ +++ return 394; +++ case -204: +++ /* semtimedop */ +++ return 392; +++ case -211: +++ /* msgsnd */ +++ return 400; +++ case -212: +++ /* msgrcv */ +++ return 401; +++ case -213: +++ /* msgget */ +++ return 399; +++ case -214: +++ /* msgctl */ +++ return 402; +++ case -221: +++ /* shmat */ +++ return 397; +++ case -222: +++ /* shmdt */ +++ return 398; +++ case -223: +++ /* shmget */ +++ return 395; +++ case -224: +++ /* shmctl */ +++ return 396; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Convert a direct socket syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _s390x_syscall_mux(int syscall) +++{ +++ switch (syscall) { +++ case 337: +++ /* recvmmsg */ +++ return -119; +++ case 345: +++ /* sendmmsg */ +++ return -120; +++ case 359: +++ /* socket */ +++ return -101; +++ case 360: +++ /* socketpair */ +++ return -108; +++ case 361: +++ /* bind */ +++ return -102; +++ case 362: +++ /* connect */ +++ return -103; +++ case 363: +++ /* listen */ +++ return -104; +++ case 364: +++ /* accept4 */ +++ return -118; +++ case 365: +++ /* getsockopt */ +++ return -115; +++ case 366: +++ /* setsockopt */ +++ return -114; +++ case 367: +++ /* getsockname */ +++ return -106; +++ case 368: +++ /* getpeername */ +++ return -107; +++ case 369: +++ /* sendto */ +++ return -111; +++ case 370: +++ /* sendmsg */ +++ return -116; +++ case 371: +++ /* recvfrom */ +++ return -112; +++ case 372: +++ /* recvmsg */ +++ return -117; +++ case 373: +++ /* shutdown */ +++ return -113; +++ case 392: +++ /* semtimedop */ +++ return -204; +++ case 393: +++ /* semget */ +++ return -202; +++ case 394: +++ /* semctl */ +++ return -203; +++ case 400: +++ /* msgsnd */ +++ return -211; +++ case 401: +++ /* msgrcv */ +++ return -212; +++ case 399: +++ /* msgget */ +++ return -213; +++ case 402: +++ /* msgctl */ +++ return -214; +++ case 397: +++ /* shmat */ +++ return -221; +++ case 398: +++ /* shmdt */ +++ return -222; +++ case 395: +++ /* shmget */ +++ return -223; +++ case 396: +++ /* shmctl */ +++ return -224; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int s390x_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __s390x_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __s390x_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the s390x seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the s390x ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { +++ /* (-100 to -120) : multiplexed socket syscalls +++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _s390x_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _s390x_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) { +++ rc = -ENOMEM; +++ goto add_return; +++ } +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __s390x_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) { +++ /* (-200 to -224) : multiplexed ipc syscalls +++ (392 to 402) : direct ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _s390x_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _s390x_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __s390x_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_s390x = { ++ .token = SCMP_ARCH_S390X, ++ .token_bpf = AUDIT_ARCH_S390X, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_BIG, ++- .sys_socketcall = __s390x_NR_socketcall, ++- .sys_ipc = __s390x_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = s390x_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = s390x_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = s390x_syscall_resolve_name_munge, +++ .syscall_resolve_num = s390x_syscall_resolve_num_munge, +++ .syscall_rewrite = s390x_syscall_rewrite, +++ .rule_add = s390x_rule_add, ++ }; ++diff --git a/src/arch-x32.c b/src/arch-x32.c ++--- a/src/arch-x32.c +++++ b/src/arch-x32.c ++@@ -28,7 +28,6 @@ ++ ++ /** ++ * Resolve a syscall name to a number ++- * @param arch the architecture definition ++ * @param name the syscall name ++ * ++ * Resolve the given syscall name to the syscall number using the syscall table. ++@@ -36,13 +35,12 @@ ++ * numbers; returns __NR_SCMP_ERROR on failure. ++ * ++ */ ++-int x32_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name) +++int x32_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++- sys = arch->syscall_resolve_name_raw(name); +++ sys = x32_syscall_resolve_name(name); ++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++@@ -51,7 +49,6 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch, ++ ++ /** ++ * Resolve a syscall number to a name ++- * @param arch the architecture definition ++ * @param num the syscall number ++ * ++ * Resolve the given syscall number to the syscall name using the syscall table. ++@@ -59,13 +56,12 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch, ++ * syscall names; returns NULL on failure. ++ * ++ */ ++-const char *x32_syscall_resolve_num_munge(const struct arch_def *arch, ++- int num) +++const char *x32_syscall_resolve_num_munge(int num) ++ { ++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ if (num >= 0) ++ num &= ~X32_SYSCALL_BIT; ++- return arch->syscall_resolve_num_raw(num); +++ return x32_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_x32 = { ++@@ -75,9 +71,7 @@ const struct arch_def arch_def_x32 = { ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_LITTLE, ++ .syscall_resolve_name = x32_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = x32_syscall_resolve_name, ++ .syscall_resolve_num = x32_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = x32_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch-x86.c b/src/arch-x86.c ++--- a/src/arch-x86.c +++++ b/src/arch-x86.c ++@@ -33,17 +33,593 @@ ++ #define __x86_NR_socketcall 102 ++ #define __x86_NR_ipc 117 ++ +++/** +++ * Resolve a syscall name to a number +++ * @param name the syscall name +++ * +++ * Resolve the given syscall name to the syscall number using the syscall table. +++ * Returns the syscall number on success, including negative pseudo syscall +++ * numbers; returns __NR_SCMP_ERROR on failure. +++ * +++ */ +++int x86_syscall_resolve_name_munge(const char *name) +++{ +++ if (strcmp(name, "accept") == 0) +++ return __PNR_accept; +++ else if (strcmp(name, "accept4") == 0) +++ return __PNR_accept4; +++ else if (strcmp(name, "bind") == 0) +++ return __PNR_bind; +++ else if (strcmp(name, "connect") == 0) +++ return __PNR_connect; +++ else if (strcmp(name, "getpeername") == 0) +++ return __PNR_getpeername; +++ else if (strcmp(name, "getsockname") == 0) +++ return __PNR_getsockname; +++ else if (strcmp(name, "getsockopt") == 0) +++ return __PNR_getsockopt; +++ else if (strcmp(name, "listen") == 0) +++ return __PNR_listen; +++ else if (strcmp(name, "recv") == 0) +++ return __PNR_recv; +++ else if (strcmp(name, "recvfrom") == 0) +++ return __PNR_recvfrom; +++ else if (strcmp(name, "recvmsg") == 0) +++ return __PNR_recvmsg; +++ else if (strcmp(name, "recvmmsg") == 0) +++ return __PNR_recvmmsg; +++ else if (strcmp(name, "send") == 0) +++ return __PNR_send; +++ else if (strcmp(name, "sendmsg") == 0) +++ return __PNR_sendmsg; +++ else if (strcmp(name, "sendmmsg") == 0) +++ return __PNR_sendmmsg; +++ else if (strcmp(name, "sendto") == 0) +++ return __PNR_sendto; +++ else if (strcmp(name, "setsockopt") == 0) +++ return __PNR_setsockopt; +++ else if (strcmp(name, "shutdown") == 0) +++ return __PNR_shutdown; +++ else if (strcmp(name, "socket") == 0) +++ return __PNR_socket; +++ else if (strcmp(name, "socketpair") == 0) +++ return __PNR_socketpair; +++ +++ if (strcmp(name, "semop") == 0) +++ return __PNR_semop; +++ else if (strcmp(name, "semget") == 0) +++ return __PNR_semget; +++ else if (strcmp(name, "semctl") == 0) +++ return __PNR_semctl; +++ else if (strcmp(name, "semtimedop") == 0) +++ return __PNR_semtimedop; +++ else if (strcmp(name, "msgsnd") == 0) +++ return __PNR_msgsnd; +++ else if (strcmp(name, "msgrcv") == 0) +++ return __PNR_msgrcv; +++ else if (strcmp(name, "msgget") == 0) +++ return __PNR_msgget; +++ else if (strcmp(name, "msgctl") == 0) +++ return __PNR_msgctl; +++ else if (strcmp(name, "shmat") == 0) +++ return __PNR_shmat; +++ else if (strcmp(name, "shmdt") == 0) +++ return __PNR_shmdt; +++ else if (strcmp(name, "shmget") == 0) +++ return __PNR_shmget; +++ else if (strcmp(name, "shmctl") == 0) +++ return __PNR_shmctl; +++ +++ return x86_syscall_resolve_name(name); +++} +++ +++/** +++ * Resolve a syscall number to a name +++ * @param num the syscall number +++ * +++ * Resolve the given syscall number to the syscall name using the syscall table. +++ * Returns a pointer to the syscall name string on success, including pseudo +++ * syscall names; returns NULL on failure. +++ * +++ */ +++const char *x86_syscall_resolve_num_munge(int num) +++{ +++ if (num == __PNR_accept) +++ return "accept"; +++ else if (num == __PNR_accept4) +++ return "accept4"; +++ else if (num == __PNR_bind) +++ return "bind"; +++ else if (num == __PNR_connect) +++ return "connect"; +++ else if (num == __PNR_getpeername) +++ return "getpeername"; +++ else if (num == __PNR_getsockname) +++ return "getsockname"; +++ else if (num == __PNR_getsockopt) +++ return "getsockopt"; +++ else if (num == __PNR_listen) +++ return "listen"; +++ else if (num == __PNR_recv) +++ return "recv"; +++ else if (num == __PNR_recvfrom) +++ return "recvfrom"; +++ else if (num == __PNR_recvmsg) +++ return "recvmsg"; +++ else if (num == __PNR_recvmmsg) +++ return "recvmmsg"; +++ else if (num == __PNR_send) +++ return "send"; +++ else if (num == __PNR_sendmsg) +++ return "sendmsg"; +++ else if (num == __PNR_sendmmsg) +++ return "sendmmsg"; +++ else if (num == __PNR_sendto) +++ return "sendto"; +++ else if (num == __PNR_setsockopt) +++ return "setsockopt"; +++ else if (num == __PNR_shutdown) +++ return "shutdown"; +++ else if (num == __PNR_socket) +++ return "socket"; +++ else if (num == __PNR_socketpair) +++ return "socketpair"; +++ +++ if (num == __PNR_semop) +++ return "semop"; +++ else if (num == __PNR_semget) +++ return "semget"; +++ else if (num == __PNR_semctl) +++ return "semctl"; +++ else if (num == __PNR_semtimedop) +++ return "semtimedop"; +++ else if (num == __PNR_msgsnd) +++ return "msgsnd"; +++ else if (num == __PNR_msgrcv) +++ return "msgrcv"; +++ else if (num == __PNR_msgget) +++ return "msgget"; +++ else if (num == __PNR_msgctl) +++ return "msgctl"; +++ else if (num == __PNR_shmat) +++ return "shmat"; +++ else if (num == __PNR_shmdt) +++ return "shmdt"; +++ else if (num == __PNR_shmget) +++ return "shmget"; +++ else if (num == __PNR_shmctl) +++ return "shmctl"; +++ +++ return x86_syscall_resolve_num(num); +++} +++ +++/** +++ * Convert a multiplexed pseudo syscall into a direct syscall +++ * @param syscall the multiplexed pseudo syscall number +++ * +++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is +++ * no related syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _x86_syscall_demux(int syscall) +++{ +++ switch (syscall) { +++ case -101: +++ /* socket */ +++ return 359; +++ case -102: +++ /* bind */ +++ return 361; +++ case -103: +++ /* connect */ +++ return 362; +++ case -104: +++ /* listen */ +++ return 363; +++ case -105: +++ /* accept - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -106: +++ /* getsockname */ +++ return 367; +++ case -107: +++ /* getpeername */ +++ return 368; +++ case -108: +++ /* socketpair */ +++ return 360; +++ case -109: +++ /* send - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -110: +++ /* recv - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -111: +++ /* sendto */ +++ return 369; +++ case -112: +++ /* recvfrom */ +++ return 371; +++ case -113: +++ /* shutdown */ +++ return 373; +++ case -114: +++ /* setsockopt */ +++ return 366; +++ case -115: +++ /* getsockopt */ +++ return 365; +++ case -116: +++ /* sendmsg */ +++ return 370; +++ case -117: +++ /* recvmsg */ +++ return 372; +++ case -118: +++ /* accept4 */ +++ return 364; +++ case -119: +++ /* recvmmsg */ +++ return 337; +++ case -120: +++ /* sendmmsg */ +++ return 345; +++ case -201: +++ /* semop - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -202: +++ /* semget */ +++ return 393; +++ case -203: +++ /* semctl */ +++ return 394; +++ case -204: +++ /* semtimedop - not defined */ +++ return __NR_SCMP_UNDEF; +++ case -211: +++ /* msgsnd */ +++ return 400; +++ case -212: +++ /* msgrcv */ +++ return 401; +++ case -213: +++ /* msgget */ +++ return 399; +++ case -214: +++ /* msgctl */ +++ return 402; +++ case -221: +++ /* shmat */ +++ return 397; +++ case -222: +++ /* shmdt */ +++ return 398; +++ case -223: +++ /* shmget */ +++ return 395; +++ case -224: +++ /* shmctl */ +++ return 396; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Convert a direct syscall into multiplexed pseudo socket syscall +++ * @param syscall the direct syscall +++ * +++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is +++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. +++ * +++ */ +++static int _x86_syscall_mux(int syscall) +++{ +++ switch (syscall) { +++ case 337: +++ /* recvmmsg */ +++ return -119; +++ case 345: +++ /* sendmmsg */ +++ return -120; +++ case 359: +++ /* socket */ +++ return -101; +++ case 360: +++ /* socketpair */ +++ return -108; +++ case 361: +++ /* bind */ +++ return -102; +++ case 362: +++ /* connect */ +++ return -103; +++ case 363: +++ /* listen */ +++ return -104; +++ case 364: +++ /* accept4 */ +++ return -118; +++ case 365: +++ /* getsockopt */ +++ return -115; +++ case 366: +++ /* setsockopt */ +++ return -114; +++ case 367: +++ /* getsockname */ +++ return -106; +++ case 368: +++ /* getpeername */ +++ return -107; +++ case 369: +++ /* sendto */ +++ return -111; +++ case 370: +++ /* sendmsg */ +++ return -116; +++ case 371: +++ /* recvfrom */ +++ return -112; +++ case 372: +++ /* recvmsg */ +++ return -117; +++ case 373: +++ /* shutdown */ +++ return -113; +++ case 393: +++ /* semget */ +++ return -202; +++ case 394: +++ /* semctl */ +++ return -203; +++ case 400: +++ /* msgsnd */ +++ return -211; +++ case 401: +++ /* msgrcv */ +++ return -212; +++ case 399: +++ /* msgget */ +++ return -213; +++ case 402: +++ /* msgctl */ +++ return -214; +++ case 397: +++ /* shmat */ +++ return -221; +++ case 398: +++ /* shmdt */ +++ return -222; +++ case 395: +++ /* shmget */ +++ return -223; +++ case 396: +++ /* shmctl */ +++ return -224; +++ } +++ +++ return __NR_SCMP_ERROR; +++} +++ +++/** +++ * Rewrite a syscall value to match the architecture +++ * @param syscall the syscall number +++ * +++ * Syscalls can vary across different architectures so this function rewrites +++ * the syscall into the correct value for the specified architecture. Returns +++ * zero on success, negative values on failure. +++ * +++ */ +++int x86_syscall_rewrite(int *syscall) +++{ +++ int sys = *syscall; +++ +++ if (sys <= -100 && sys >= -120) +++ *syscall = __x86_NR_socketcall; +++ else if (sys <= -200 && sys >= -224) +++ *syscall = __x86_NR_ipc; +++ else if (sys < 0) +++ return -EDOM; +++ +++ return 0; +++} +++ +++/** +++ * add a new rule to the x86 seccomp filter +++ * @param db the seccomp filter db +++ * @param rule the filter rule +++ * +++ * This function adds a new syscall filter to the seccomp filter db, making any +++ * necessary adjustments for the x86 ABI. Returns zero on success, negative +++ * values on failure. +++ * +++ * It is important to note that in the case of failure the db may be corrupted, +++ * the caller must use the transaction mechanism if the db integrity is +++ * important. +++ * +++ */ +++int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule) +++{ +++ int rc = 0; +++ unsigned int iter; +++ int sys = rule->syscall; +++ int sys_a, sys_b; +++ struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; +++ +++ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { +++ /* (-100 to -120) : multiplexed socket syscalls +++ (359 to 373) : direct socket syscalls, Linux 4.3+ */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _x86_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _x86_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __x86_NR_socketcall; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 100; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) { +++ /* (-200 to -224) : multiplexed ipc syscalls +++ (393 to 402) : direct ipc syscalls */ +++ +++ /* strict check for the multiplexed socket syscalls */ +++ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { +++ if ((rule->args[iter].valid != 0) && (rule->strict)) { +++ rc = -EINVAL; +++ goto add_return; +++ } +++ } +++ +++ /* determine both the muxed and direct syscall numbers */ +++ if (sys > 0) { +++ sys_a = _x86_syscall_mux(sys); +++ if (sys_a == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ sys_b = sys; +++ } else { +++ sys_a = sys; +++ sys_b = _x86_syscall_demux(sys); +++ if (sys_b == __NR_SCMP_ERROR) { +++ rc = __NR_SCMP_ERROR; +++ goto add_return; +++ } +++ } +++ +++ /* use rule_a for the multiplexed syscall and use rule_b for +++ * the direct wired syscall */ +++ +++ if (sys_a == __NR_SCMP_UNDEF) { +++ rule_a = NULL; +++ rule_b = rule; +++ } else if (sys_b == __NR_SCMP_UNDEF) { +++ rule_a = rule; +++ rule_b = NULL; +++ } else { +++ /* need two rules, dup the first and link together */ +++ rule_a = rule; +++ rule_dup = db_rule_dup(rule_a); +++ rule_b = rule_dup; +++ if (rule_b == NULL) +++ goto add_return; +++ rule_b->prev = rule_a; +++ rule_b->next = NULL; +++ rule_a->next = rule_b; +++ } +++ +++ /* multiplexed socket syscalls */ +++ if (rule_a != NULL) { +++ rule_a->syscall = __x86_NR_ipc; +++ rule_a->args[0].arg = 0; +++ rule_a->args[0].op = SCMP_CMP_EQ; +++ rule_a->args[0].mask = DATUM_MAX; +++ rule_a->args[0].datum = (-sys_a) % 200; +++ rule_a->args[0].valid = 1; +++ } +++ +++ /* direct wired socket syscalls */ +++ if (rule_b != NULL) +++ rule_b->syscall = sys_b; +++ +++ /* we should be protected by a transaction checkpoint */ +++ if (rule_a != NULL) { +++ rc = db_rule_add(db, rule_a); +++ if (rc < 0) +++ goto add_return; +++ } +++ if (rule_b != NULL) { +++ rc = db_rule_add(db, rule_b); +++ if (rc < 0) +++ goto add_return; +++ } +++ } else if (sys >= 0) { +++ /* normal syscall processing */ +++ rc = db_rule_add(db, rule); +++ if (rc < 0) +++ goto add_return; +++ } else if (rule->strict) { +++ rc = -EDOM; +++ goto add_return; +++ } +++ +++add_return: +++ if (rule_dup != NULL) +++ free(rule_dup); +++ return rc; +++} +++ ++ const struct arch_def arch_def_x86 = { ++ .token = SCMP_ARCH_X86, ++ .token_bpf = AUDIT_ARCH_I386, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .sys_socketcall = __x86_NR_socketcall, ++- .sys_ipc = __x86_NR_ipc, ++- .syscall_resolve_name = abi_syscall_resolve_name_munge, ++- .syscall_resolve_name_raw = x86_syscall_resolve_name, ++- .syscall_resolve_num = abi_syscall_resolve_num_munge, ++- .syscall_resolve_num_raw = x86_syscall_resolve_num, ++- .syscall_rewrite = abi_syscall_rewrite, ++- .rule_add = abi_rule_add, +++ .syscall_resolve_name = x86_syscall_resolve_name_munge, +++ .syscall_resolve_num = x86_syscall_resolve_num_munge, +++ .syscall_rewrite = x86_syscall_rewrite, +++ .rule_add = x86_rule_add, ++ }; ++diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c ++--- a/src/arch-x86_64.c +++++ b/src/arch-x86_64.c ++@@ -31,8 +31,8 @@ const struct arch_def arch_def_x86_64 = { ++ .token_bpf = AUDIT_ARCH_X86_64, ++ .size = ARCH_SIZE_64, ++ .endian = ARCH_ENDIAN_LITTLE, ++- .syscall_resolve_name_raw = x86_64_syscall_resolve_name, ++- .syscall_resolve_num_raw = x86_64_syscall_resolve_num, +++ .syscall_resolve_name = x86_64_syscall_resolve_name, +++ .syscall_resolve_num = x86_64_syscall_resolve_num, ++ .syscall_rewrite = NULL, ++ .rule_add = NULL, ++ }; ++diff --git a/src/arch.c b/src/arch.c ++--- a/src/arch.c +++++ b/src/arch.c ++@@ -300,9 +300,7 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg) ++ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) ++ { ++ if (arch->syscall_resolve_name) ++- return (*arch->syscall_resolve_name)(arch, name); ++- if (arch->syscall_resolve_name_raw) ++- return (*arch->syscall_resolve_name_raw)(name); +++ return (*arch->syscall_resolve_name)(name); ++ ++ return __NR_SCMP_ERROR; ++ } ++@@ -320,9 +318,7 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) ++ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num) ++ { ++ if (arch->syscall_resolve_num) ++- return (*arch->syscall_resolve_num)(arch, num); ++- if (arch->syscall_resolve_num_raw) ++- return (*arch->syscall_resolve_num_raw)(num); +++ return (*arch->syscall_resolve_num)(num); ++ ++ return NULL; ++ } ++@@ -385,7 +381,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, int *syscall) ++ } else if (sys > -10000) { ++ /* rewritable syscalls */ ++ if (arch->syscall_rewrite) ++- (*arch->syscall_rewrite)(arch, syscall); +++ (*arch->syscall_rewrite)(syscall); ++ } ++ ++ /* syscalls not defined on this architecture */ ++diff --git a/src/arch.h b/src/arch.h ++--- a/src/arch.h +++++ b/src/arch.h ++@@ -49,18 +49,10 @@ struct arch_def { ++ ARCH_ENDIAN_BIG, ++ } endian; ++ ++- /* arch specific constants */ ++- int sys_socketcall; ++- int sys_ipc; ++- ++ /* arch specific functions */ ++- int (*syscall_resolve_name)(const struct arch_def *arch, ++- const char *name); ++- int (*syscall_resolve_name_raw)(const char *name); ++- const char *(*syscall_resolve_num)(const struct arch_def *arch, ++- int num); ++- const char *(*syscall_resolve_num_raw)(int num); ++- int (*syscall_rewrite)(const struct arch_def *arch, int *syscall); +++ int (*syscall_resolve_name)(const char *name); +++ const char *(*syscall_resolve_num)(int num); +++ int (*syscall_rewrite)(int *syscall); ++ int (*rule_add)(struct db_filter *db, struct db_api_rule_list *rule); ++ }; ++ ++diff --git a/src/syscalls.c b/src/syscalls.c ++--- a/src/syscalls.c +++++ b/src/syscalls.c ++@@ -1,5 +1,5 @@ ++ /** ++- * Enhanced Seccomp Syscall Table Functions +++ * Enhanced Seccomp x86_64 Syscall Table ++ * ++ * Copyright (c) 2012, 2020 Red Hat ++ * Author: Paul Moore ++@@ -19,13 +19,9 @@ ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this library; if not, see . ++ */ ++- ++-#include ++-#include ++-#include ++ #include +++#include ++ ++-#include "db.h" ++ #include "arch.h" ++ #include "syscalls.h" ++ ++@@ -58,524 +54,3 @@ ARCH_DEF(s390x) ++ ARCH_DEF(x32) ++ ARCH_DEF(x86) ++ ARCH_DEF(riscv64) ++- ++-/** ++- * Resolve a syscall name to a number ++- * @param arch the arch definition ++- * @param name the syscall name ++- * ++- * Resolve the given syscall name to the syscall number using the syscall table. ++- * Returns the syscall number on success, including negative pseudo syscall ++- * numbers; returns __NR_SCMP_ERROR on failure. ++- * ++- */ ++-int abi_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name) ++-{ ++- ++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return __PNR_##NAME; ++- ++- _ABI_SYSCALL_RES_NAME_CHK(socket) ++- _ABI_SYSCALL_RES_NAME_CHK(bind) ++- _ABI_SYSCALL_RES_NAME_CHK(connect) ++- _ABI_SYSCALL_RES_NAME_CHK(listen) ++- _ABI_SYSCALL_RES_NAME_CHK(accept) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockname) ++- _ABI_SYSCALL_RES_NAME_CHK(getpeername) ++- _ABI_SYSCALL_RES_NAME_CHK(socketpair) ++- _ABI_SYSCALL_RES_NAME_CHK(send) ++- _ABI_SYSCALL_RES_NAME_CHK(recv) ++- _ABI_SYSCALL_RES_NAME_CHK(sendto) ++- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NAME_CHK(shutdown) ++- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(accept4) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(semop) ++- _ABI_SYSCALL_RES_NAME_CHK(semget) ++- _ABI_SYSCALL_RES_NAME_CHK(semctl) ++- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NAME_CHK(msgget) ++- _ABI_SYSCALL_RES_NAME_CHK(msgctl) ++- _ABI_SYSCALL_RES_NAME_CHK(shmat) ++- _ABI_SYSCALL_RES_NAME_CHK(shmdt) ++- _ABI_SYSCALL_RES_NAME_CHK(shmget) ++- _ABI_SYSCALL_RES_NAME_CHK(shmctl) ++- ++- return arch->syscall_resolve_name_raw(name); ++-} ++- ++-/** ++- * Resolve a syscall number to a name ++- * @param arch the arch definition ++- * @param num the syscall number ++- * ++- * Resolve the given syscall number to the syscall name using the syscall table. ++- * Returns a pointer to the syscall name string on success, including pseudo ++- * syscall names; returns NULL on failure. ++- * ++- */ ++-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num) ++-{ ++- ++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ ++- if (num == __PNR_##NAME) return #NAME; ++- ++- _ABI_SYSCALL_RES_NUM_CHK(socket) ++- _ABI_SYSCALL_RES_NUM_CHK(bind) ++- _ABI_SYSCALL_RES_NUM_CHK(connect) ++- _ABI_SYSCALL_RES_NUM_CHK(listen) ++- _ABI_SYSCALL_RES_NUM_CHK(accept) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockname) ++- _ABI_SYSCALL_RES_NUM_CHK(getpeername) ++- _ABI_SYSCALL_RES_NUM_CHK(socketpair) ++- _ABI_SYSCALL_RES_NUM_CHK(send) ++- _ABI_SYSCALL_RES_NUM_CHK(recv) ++- _ABI_SYSCALL_RES_NUM_CHK(sendto) ++- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NUM_CHK(shutdown) ++- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(accept4) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(semop) ++- _ABI_SYSCALL_RES_NUM_CHK(semget) ++- _ABI_SYSCALL_RES_NUM_CHK(semctl) ++- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NUM_CHK(msgget) ++- _ABI_SYSCALL_RES_NUM_CHK(msgctl) ++- _ABI_SYSCALL_RES_NUM_CHK(shmat) ++- _ABI_SYSCALL_RES_NUM_CHK(shmdt) ++- _ABI_SYSCALL_RES_NUM_CHK(shmget) ++- _ABI_SYSCALL_RES_NUM_CHK(shmctl) ++- ++- return arch->syscall_resolve_num_raw(num); ++-} ++- ++-/** ++- * Check if a syscall is a socket syscall ++- * @param arch the arch definition ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is a socket related syscall, false otherwise. ++- * ++- */ ++-static bool _abi_syscall_socket_test(const struct arch_def *arch, int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -100 && sys >= -120) ++- return true; ++- ++- name = arch->syscall_resolve_num_raw(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_SOCK_CHK(socket) ++- _ABI_SYSCALL_SOCK_CHK(bind) ++- _ABI_SYSCALL_SOCK_CHK(connect) ++- _ABI_SYSCALL_SOCK_CHK(listen) ++- _ABI_SYSCALL_SOCK_CHK(accept) ++- _ABI_SYSCALL_SOCK_CHK(getsockname) ++- _ABI_SYSCALL_SOCK_CHK(getpeername) ++- _ABI_SYSCALL_SOCK_CHK(socketpair) ++- _ABI_SYSCALL_SOCK_CHK(send) ++- _ABI_SYSCALL_SOCK_CHK(recv) ++- _ABI_SYSCALL_SOCK_CHK(sendto) ++- _ABI_SYSCALL_SOCK_CHK(recvfrom) ++- _ABI_SYSCALL_SOCK_CHK(shutdown) ++- _ABI_SYSCALL_SOCK_CHK(setsockopt) ++- _ABI_SYSCALL_SOCK_CHK(getsockopt) ++- _ABI_SYSCALL_SOCK_CHK(sendmsg) ++- _ABI_SYSCALL_SOCK_CHK(recvmsg) ++- _ABI_SYSCALL_SOCK_CHK(accept4) ++- _ABI_SYSCALL_SOCK_CHK(recvmmsg) ++- _ABI_SYSCALL_SOCK_CHK(sendmmsg) ++- ++- return false; ++-} ++- ++-/** ++- * Check if a syscall is an ipc syscall ++- * @param arch the arch definition ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is an ipc related syscall, false otherwise. ++- * ++- */ ++-static bool _abi_syscall_ipc_test(const struct arch_def *arch, int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -200 && sys >= -224) ++- return true; ++- ++- name = arch->syscall_resolve_num_raw(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_IPC_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_IPC_CHK(semop) ++- _ABI_SYSCALL_IPC_CHK(semget) ++- _ABI_SYSCALL_IPC_CHK(semctl) ++- _ABI_SYSCALL_IPC_CHK(semtimedop) ++- _ABI_SYSCALL_IPC_CHK(msgsnd) ++- _ABI_SYSCALL_IPC_CHK(msgrcv) ++- _ABI_SYSCALL_IPC_CHK(msgget) ++- _ABI_SYSCALL_IPC_CHK(msgctl) ++- _ABI_SYSCALL_IPC_CHK(shmat) ++- _ABI_SYSCALL_IPC_CHK(shmdt) ++- _ABI_SYSCALL_IPC_CHK(shmget) ++- _ABI_SYSCALL_IPC_CHK(shmctl) ++- ++- return false; ++-} ++- ++-/** ++- * Convert a multiplexed pseudo syscall into a direct syscall ++- * @param arch the arch definition ++- * @param syscall the multiplexed pseudo syscall number ++- * ++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++- * no related syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _abi_syscall_demux(const struct arch_def *arch, int syscall) ++-{ ++- int sys = __NR_SCMP_UNDEF; ++- ++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ ++-case __PNR_##NAME: \ ++- sys = arch->syscall_resolve_name_raw(#NAME); break; ++- ++- switch (syscall) { ++- _ABI_SYSCALL_DEMUX_CHK(socket) ++- _ABI_SYSCALL_DEMUX_CHK(bind) ++- _ABI_SYSCALL_DEMUX_CHK(connect) ++- _ABI_SYSCALL_DEMUX_CHK(listen) ++- _ABI_SYSCALL_DEMUX_CHK(accept) ++- _ABI_SYSCALL_DEMUX_CHK(getsockname) ++- _ABI_SYSCALL_DEMUX_CHK(getpeername) ++- _ABI_SYSCALL_DEMUX_CHK(socketpair) ++- _ABI_SYSCALL_DEMUX_CHK(send) ++- _ABI_SYSCALL_DEMUX_CHK(recv) ++- _ABI_SYSCALL_DEMUX_CHK(sendto) ++- _ABI_SYSCALL_DEMUX_CHK(recvfrom) ++- _ABI_SYSCALL_DEMUX_CHK(shutdown) ++- _ABI_SYSCALL_DEMUX_CHK(setsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(getsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(sendmsg) ++- _ABI_SYSCALL_DEMUX_CHK(recvmsg) ++- _ABI_SYSCALL_DEMUX_CHK(accept4) ++- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(semop) ++- _ABI_SYSCALL_DEMUX_CHK(semget) ++- _ABI_SYSCALL_DEMUX_CHK(semctl) ++- _ABI_SYSCALL_DEMUX_CHK(semtimedop) ++- _ABI_SYSCALL_DEMUX_CHK(msgsnd) ++- _ABI_SYSCALL_DEMUX_CHK(msgrcv) ++- _ABI_SYSCALL_DEMUX_CHK(msgget) ++- _ABI_SYSCALL_DEMUX_CHK(msgctl) ++- _ABI_SYSCALL_DEMUX_CHK(shmat) ++- _ABI_SYSCALL_DEMUX_CHK(shmdt) ++- _ABI_SYSCALL_DEMUX_CHK(shmget) ++- _ABI_SYSCALL_DEMUX_CHK(shmctl) ++- } ++- ++- /* this looks odd because the arch resolver returns _ERROR if it can't ++- * resolve the syscall, but we want to use _UNDEF for that, so we set ++- * 'sys' to a sentinel value of _UNDEF and if it is error here we know ++- * the resolve failed to find a match */ ++- if (sys == __NR_SCMP_UNDEF) ++- sys = __NR_SCMP_ERROR; ++- else if (sys == __NR_SCMP_ERROR) ++- sys = __NR_SCMP_UNDEF; ++- ++- return sys; ++-} ++- ++-/** ++- * Convert a direct syscall into multiplexed pseudo socket syscall ++- * @param arch the arch definition ++- * @param syscall the direct syscall ++- * ++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _abi_syscall_mux(const struct arch_def *arch, int syscall) ++-{ ++- const char *sys; ++- ++- sys = arch->syscall_resolve_num_raw(syscall); ++- if (!sys) ++- return __NR_SCMP_ERROR; ++- ++-#define _ABI_SYSCALL_MUX_CHK(NAME) \ ++- if (!strcmp(sys, #NAME)) return __PNR_##NAME; ++- ++- _ABI_SYSCALL_MUX_CHK(socket) ++- _ABI_SYSCALL_MUX_CHK(bind) ++- _ABI_SYSCALL_MUX_CHK(connect) ++- _ABI_SYSCALL_MUX_CHK(listen) ++- _ABI_SYSCALL_MUX_CHK(accept) ++- _ABI_SYSCALL_MUX_CHK(getsockname) ++- _ABI_SYSCALL_MUX_CHK(getpeername) ++- _ABI_SYSCALL_MUX_CHK(socketpair) ++- _ABI_SYSCALL_MUX_CHK(send) ++- _ABI_SYSCALL_MUX_CHK(recv) ++- _ABI_SYSCALL_MUX_CHK(sendto) ++- _ABI_SYSCALL_MUX_CHK(recvfrom) ++- _ABI_SYSCALL_MUX_CHK(shutdown) ++- _ABI_SYSCALL_MUX_CHK(setsockopt) ++- _ABI_SYSCALL_MUX_CHK(getsockopt) ++- _ABI_SYSCALL_MUX_CHK(sendmsg) ++- _ABI_SYSCALL_MUX_CHK(recvmsg) ++- _ABI_SYSCALL_MUX_CHK(accept4) ++- _ABI_SYSCALL_MUX_CHK(recvmmsg) ++- _ABI_SYSCALL_MUX_CHK(sendmmsg) ++- _ABI_SYSCALL_MUX_CHK(semop) ++- _ABI_SYSCALL_MUX_CHK(semget) ++- _ABI_SYSCALL_MUX_CHK(semctl) ++- _ABI_SYSCALL_MUX_CHK(semtimedop) ++- _ABI_SYSCALL_MUX_CHK(msgsnd) ++- _ABI_SYSCALL_MUX_CHK(msgrcv) ++- _ABI_SYSCALL_MUX_CHK(msgget) ++- _ABI_SYSCALL_MUX_CHK(msgctl) ++- _ABI_SYSCALL_MUX_CHK(shmat) ++- _ABI_SYSCALL_MUX_CHK(shmdt) ++- _ABI_SYSCALL_MUX_CHK(shmget) ++- _ABI_SYSCALL_MUX_CHK(shmctl) ++- ++- return __NR_SCMP_ERROR; ++-} ++- ++-/** ++- * Rewrite a syscall value to match the architecture ++- * @param arch the arch definition ++- * @param syscall the syscall number ++- * ++- * Syscalls can vary across different architectures so this function rewrites ++- * the syscall into the correct value for the specified architecture. Returns ++- * zero on success, negative values on failure. ++- * ++- */ ++-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall) ++-{ ++- int sys = *syscall; ++- ++- if (sys <= -100 && sys >= -120) ++- *syscall = arch->sys_socketcall; ++- else if (sys <= -200 && sys >= -224) ++- *syscall = arch->sys_ipc; ++- else if (sys < 0) ++- return -EDOM; ++- ++- return 0; ++-} ++- ++-/** ++- * add a new rule to the abi seccomp filter ++- * @param db the seccomp filter db ++- * @param rule the filter rule ++- * ++- * This function adds a new syscall filter to the seccomp filter db, making any ++- * necessary adjustments for the abi ABI. Returns zero on success, negative ++- * values on failure. ++- * ++- * It is important to note that in the case of failure the db may be corrupted, ++- * the caller must use the transaction mechanism if the db integrity is ++- * important. ++- * ++- */ ++-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++-{ ++- int rc = 0; ++- unsigned int iter; ++- int sys = rule->syscall; ++- int sys_a, sys_b; ++- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++- ++- if (_abi_syscall_socket_test(db->arch, sys)) { ++- /* socket syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _abi_syscall_mux(db->arch, sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _abi_syscall_demux(db->arch, sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = db->arch->sys_socketcall; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 100; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (_abi_syscall_ipc_test(db->arch, sys)) { ++- /* ipc syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _abi_syscall_mux(db->arch, sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _abi_syscall_demux(db->arch, sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = db->arch->sys_ipc; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 200; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (sys >= 0) { ++- /* normal syscall processing */ ++- rc = db_rule_add(db, rule); ++- if (rc < 0) ++- goto add_return; ++- } else if (rule->strict) { ++- rc = -EDOM; ++- goto add_return; ++- } ++- ++-add_return: ++- if (rule_dup != NULL) ++- free(rule_dup); ++- return rc; ++-} ++diff --git a/src/syscalls.h b/src/syscalls.h ++--- a/src/syscalls.h +++++ b/src/syscalls.h ++@@ -59,12 +59,4 @@ int syscall_resolve_name(const char *name, int offset); ++ const char *syscall_resolve_num(int num, int offset); ++ const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset); ++ ++-/* helper functions for multiplexed syscalls, e.g. socketcall(2) and ipc(2) */ ++-int abi_syscall_resolve_name_munge(const struct arch_def *arch, ++- const char *name); ++-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num); ++-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall); ++-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule); ++- ++- ++ #endif diff --cc debian/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch index 0000000,0000000..56eaca7 new file mode 100644 --- /dev/null +++ b/debian/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch @@@ -1,0 -1,0 +1,572 @@@ ++REVERTS ++ ++From e976080ac5547a46f4654abc710e89bed992bb63 Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Tue, 3 Aug 2021 23:09:04 -0400 ++Subject: [PATCH] mips: add multiplexed syscall support to MIPS ++ ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++ ++(imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae) ++--- ++ src/arch-mips.c | 508 ++++++++++++++++++++++++++++++++++++++++++++++-- ++ 1 file changed, 495 insertions(+), 13 deletions(-) ++ ++diff --git a/src/arch-mips.c b/src/arch-mips.c ++--- a/src/arch-mips.c +++++ b/src/arch-mips.c ++@@ -22,21 +22,14 @@ ++ ++ #include ++ #include ++-#include ++ #include ++ ++-#include "db.h" ++-#include "syscalls.h" ++ #include "arch.h" ++ #include "arch-mips.h" ++ ++ /* O32 ABI */ ++ #define __SCMP_NR_BASE 4000 ++ ++-/* mips syscall numbers */ ++-#define __mips_NR_socketcall 102 ++-#define __mips_NR_ipc 117 ++- ++ /** ++ * Resolve a syscall name to a number ++ * @param name the syscall name ++@@ -48,44 +41,14 @@ ++ */ ++ int mips_syscall_resolve_name_munge(const char *name) ++ { +++ int sys; ++ ++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return __PNR_##NAME; +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ sys = mips_syscall_resolve_name(name); +++ if (sys == __NR_SCMP_ERROR || sys < 0) +++ return sys; ++ ++- _ABI_SYSCALL_RES_NAME_CHK(socket) ++- _ABI_SYSCALL_RES_NAME_CHK(bind) ++- _ABI_SYSCALL_RES_NAME_CHK(connect) ++- _ABI_SYSCALL_RES_NAME_CHK(listen) ++- _ABI_SYSCALL_RES_NAME_CHK(accept) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockname) ++- _ABI_SYSCALL_RES_NAME_CHK(getpeername) ++- _ABI_SYSCALL_RES_NAME_CHK(socketpair) ++- _ABI_SYSCALL_RES_NAME_CHK(send) ++- _ABI_SYSCALL_RES_NAME_CHK(recv) ++- _ABI_SYSCALL_RES_NAME_CHK(sendto) ++- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NAME_CHK(shutdown) ++- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(accept4) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(semop) ++- _ABI_SYSCALL_RES_NAME_CHK(semget) ++- _ABI_SYSCALL_RES_NAME_CHK(semctl) ++- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NAME_CHK(msgget) ++- _ABI_SYSCALL_RES_NAME_CHK(msgctl) ++- _ABI_SYSCALL_RES_NAME_CHK(shmat) ++- _ABI_SYSCALL_RES_NAME_CHK(shmdt) ++- _ABI_SYSCALL_RES_NAME_CHK(shmget) ++- _ABI_SYSCALL_RES_NAME_CHK(shmctl) ++- ++- return mips_syscall_resolve_name(name); +++ return sys + __SCMP_NR_BASE; ++ } ++ ++ /** ++@@ -99,457 +62,12 @@ int mips_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *mips_syscall_resolve_num_munge(int num) ++ { ++- ++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ ++- if (num == __PNR_##NAME) return #NAME; ++- ++- _ABI_SYSCALL_RES_NUM_CHK(socket) ++- _ABI_SYSCALL_RES_NUM_CHK(bind) ++- _ABI_SYSCALL_RES_NUM_CHK(connect) ++- _ABI_SYSCALL_RES_NUM_CHK(listen) ++- _ABI_SYSCALL_RES_NUM_CHK(accept) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockname) ++- _ABI_SYSCALL_RES_NUM_CHK(getpeername) ++- _ABI_SYSCALL_RES_NUM_CHK(socketpair) ++- _ABI_SYSCALL_RES_NUM_CHK(send) ++- _ABI_SYSCALL_RES_NUM_CHK(recv) ++- _ABI_SYSCALL_RES_NUM_CHK(sendto) ++- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NUM_CHK(shutdown) ++- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(accept4) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(semop) ++- _ABI_SYSCALL_RES_NUM_CHK(semget) ++- _ABI_SYSCALL_RES_NUM_CHK(semctl) ++- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NUM_CHK(msgget) ++- _ABI_SYSCALL_RES_NUM_CHK(msgctl) ++- _ABI_SYSCALL_RES_NUM_CHK(shmat) ++- _ABI_SYSCALL_RES_NUM_CHK(shmdt) ++- _ABI_SYSCALL_RES_NUM_CHK(shmget) ++- _ABI_SYSCALL_RES_NUM_CHK(shmctl) ++- +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ if (num >= __SCMP_NR_BASE) +++ num -= __SCMP_NR_BASE; ++ return mips_syscall_resolve_num(num); ++ } ++ ++-/** ++- * Check if a syscall is a socket syscall ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is a socket related syscall, false otherwise. ++- * ++- */ ++-static bool _mips_syscall_socket_test(int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -100 && sys >= -120) ++- return true; ++- ++- name = mips_syscall_resolve_num(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_SOCK_CHK(socket) ++- _ABI_SYSCALL_SOCK_CHK(bind) ++- _ABI_SYSCALL_SOCK_CHK(connect) ++- _ABI_SYSCALL_SOCK_CHK(listen) ++- _ABI_SYSCALL_SOCK_CHK(accept) ++- _ABI_SYSCALL_SOCK_CHK(getsockname) ++- _ABI_SYSCALL_SOCK_CHK(getpeername) ++- _ABI_SYSCALL_SOCK_CHK(socketpair) ++- _ABI_SYSCALL_SOCK_CHK(send) ++- _ABI_SYSCALL_SOCK_CHK(recv) ++- _ABI_SYSCALL_SOCK_CHK(sendto) ++- _ABI_SYSCALL_SOCK_CHK(recvfrom) ++- _ABI_SYSCALL_SOCK_CHK(shutdown) ++- _ABI_SYSCALL_SOCK_CHK(setsockopt) ++- _ABI_SYSCALL_SOCK_CHK(getsockopt) ++- _ABI_SYSCALL_SOCK_CHK(sendmsg) ++- _ABI_SYSCALL_SOCK_CHK(recvmsg) ++- _ABI_SYSCALL_SOCK_CHK(accept4) ++- _ABI_SYSCALL_SOCK_CHK(recvmmsg) ++- _ABI_SYSCALL_SOCK_CHK(sendmmsg) ++- ++- return false; ++-} ++- ++-/** ++- * Check if a syscall is an ipc syscall ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is an ipc related syscall, false otherwise. ++- * ++- */ ++-static bool _mips_syscall_ipc_test(int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -200 && sys >= -224) ++- return true; ++- ++- name = mips_syscall_resolve_num(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_IPC_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_IPC_CHK(semop) ++- _ABI_SYSCALL_IPC_CHK(semget) ++- _ABI_SYSCALL_IPC_CHK(semctl) ++- _ABI_SYSCALL_IPC_CHK(semtimedop) ++- _ABI_SYSCALL_IPC_CHK(msgsnd) ++- _ABI_SYSCALL_IPC_CHK(msgrcv) ++- _ABI_SYSCALL_IPC_CHK(msgget) ++- _ABI_SYSCALL_IPC_CHK(msgctl) ++- _ABI_SYSCALL_IPC_CHK(shmat) ++- _ABI_SYSCALL_IPC_CHK(shmdt) ++- _ABI_SYSCALL_IPC_CHK(shmget) ++- _ABI_SYSCALL_IPC_CHK(shmctl) ++- ++- return false; ++-} ++- ++-/** ++- * Convert a multiplexed pseudo syscall into a direct syscall ++- * @param syscall the multiplexed pseudo syscall number ++- * ++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++- * no related syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _mips_syscall_demux(int syscall) ++-{ ++- int sys = __NR_SCMP_UNDEF; ++- ++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ ++-case __PNR_##NAME: \ ++- sys = mips_syscall_resolve_name(#NAME); break; ++- ++- switch (syscall) { ++- _ABI_SYSCALL_DEMUX_CHK(socket) ++- _ABI_SYSCALL_DEMUX_CHK(bind) ++- _ABI_SYSCALL_DEMUX_CHK(connect) ++- _ABI_SYSCALL_DEMUX_CHK(listen) ++- _ABI_SYSCALL_DEMUX_CHK(accept) ++- _ABI_SYSCALL_DEMUX_CHK(getsockname) ++- _ABI_SYSCALL_DEMUX_CHK(getpeername) ++- _ABI_SYSCALL_DEMUX_CHK(socketpair) ++- _ABI_SYSCALL_DEMUX_CHK(send) ++- _ABI_SYSCALL_DEMUX_CHK(recv) ++- _ABI_SYSCALL_DEMUX_CHK(sendto) ++- _ABI_SYSCALL_DEMUX_CHK(recvfrom) ++- _ABI_SYSCALL_DEMUX_CHK(shutdown) ++- _ABI_SYSCALL_DEMUX_CHK(setsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(getsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(sendmsg) ++- _ABI_SYSCALL_DEMUX_CHK(recvmsg) ++- _ABI_SYSCALL_DEMUX_CHK(accept4) ++- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(semop) ++- _ABI_SYSCALL_DEMUX_CHK(semget) ++- _ABI_SYSCALL_DEMUX_CHK(semctl) ++- _ABI_SYSCALL_DEMUX_CHK(semtimedop) ++- _ABI_SYSCALL_DEMUX_CHK(msgsnd) ++- _ABI_SYSCALL_DEMUX_CHK(msgrcv) ++- _ABI_SYSCALL_DEMUX_CHK(msgget) ++- _ABI_SYSCALL_DEMUX_CHK(msgctl) ++- _ABI_SYSCALL_DEMUX_CHK(shmat) ++- _ABI_SYSCALL_DEMUX_CHK(shmdt) ++- _ABI_SYSCALL_DEMUX_CHK(shmget) ++- _ABI_SYSCALL_DEMUX_CHK(shmctl) ++- } ++- ++- /* this looks odd because the arch resolver returns _ERROR if it can't ++- * resolve the syscall, but we want to use _UNDEF for that, so we set ++- * 'sys' to a sentinel value of _UNDEF and if it is error here we know ++- * the resolve failed to find a match */ ++- if (sys == __NR_SCMP_UNDEF) ++- sys = __NR_SCMP_ERROR; ++- else if (sys == __NR_SCMP_ERROR) ++- sys = __NR_SCMP_UNDEF; ++- ++- return sys; ++-} ++- ++-/** ++- * Convert a direct syscall into multiplexed pseudo socket syscall ++- * @param syscall the direct syscall ++- * ++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _mips_syscall_mux(int syscall) ++-{ ++- const char *sys; ++- ++- sys = mips_syscall_resolve_num(syscall); ++- if (!sys) ++- return __NR_SCMP_ERROR; ++- ++-#define _ABI_SYSCALL_MUX_CHK(NAME) \ ++- if (!strcmp(sys, #NAME)) return __PNR_##NAME; ++- ++- _ABI_SYSCALL_MUX_CHK(socket) ++- _ABI_SYSCALL_MUX_CHK(bind) ++- _ABI_SYSCALL_MUX_CHK(connect) ++- _ABI_SYSCALL_MUX_CHK(listen) ++- _ABI_SYSCALL_MUX_CHK(accept) ++- _ABI_SYSCALL_MUX_CHK(getsockname) ++- _ABI_SYSCALL_MUX_CHK(getpeername) ++- _ABI_SYSCALL_MUX_CHK(socketpair) ++- _ABI_SYSCALL_MUX_CHK(send) ++- _ABI_SYSCALL_MUX_CHK(recv) ++- _ABI_SYSCALL_MUX_CHK(sendto) ++- _ABI_SYSCALL_MUX_CHK(recvfrom) ++- _ABI_SYSCALL_MUX_CHK(shutdown) ++- _ABI_SYSCALL_MUX_CHK(setsockopt) ++- _ABI_SYSCALL_MUX_CHK(getsockopt) ++- _ABI_SYSCALL_MUX_CHK(sendmsg) ++- _ABI_SYSCALL_MUX_CHK(recvmsg) ++- _ABI_SYSCALL_MUX_CHK(accept4) ++- _ABI_SYSCALL_MUX_CHK(recvmmsg) ++- _ABI_SYSCALL_MUX_CHK(sendmmsg) ++- _ABI_SYSCALL_MUX_CHK(semop) ++- _ABI_SYSCALL_MUX_CHK(semget) ++- _ABI_SYSCALL_MUX_CHK(semctl) ++- _ABI_SYSCALL_MUX_CHK(semtimedop) ++- _ABI_SYSCALL_MUX_CHK(msgsnd) ++- _ABI_SYSCALL_MUX_CHK(msgrcv) ++- _ABI_SYSCALL_MUX_CHK(msgget) ++- _ABI_SYSCALL_MUX_CHK(msgctl) ++- _ABI_SYSCALL_MUX_CHK(shmat) ++- _ABI_SYSCALL_MUX_CHK(shmdt) ++- _ABI_SYSCALL_MUX_CHK(shmget) ++- _ABI_SYSCALL_MUX_CHK(shmctl) ++- ++- return __NR_SCMP_ERROR; ++-} ++- ++-/** ++- * Rewrite a syscall value to match the architecture ++- * @param syscall the syscall number ++- * ++- * Syscalls can vary across different architectures so this function rewrites ++- * the syscall into the correct value for the specified architecture. Returns ++- * zero on success, negative values on failure. ++- * ++- */ ++-int mips_syscall_rewrite(int *syscall) ++-{ ++- int sys = *syscall; ++- ++- if (sys <= -100 && sys >= -120) ++- *syscall = __mips_NR_socketcall; ++- else if (sys <= -200 && sys >= -224) ++- *syscall = __mips_NR_ipc; ++- else if (sys < 0) ++- return -EDOM; ++- ++- return 0; ++-} ++- ++-/** ++- * add a new rule to the mips seccomp filter ++- * @param db the seccomp filter db ++- * @param rule the filter rule ++- * ++- * This function adds a new syscall filter to the seccomp filter db, making any ++- * necessary adjustments for the mips ABI. Returns zero on success, negative ++- * values on failure. ++- * ++- * It is important to note that in the case of failure the db may be corrupted, ++- * the caller must use the transaction mechanism if the db integrity is ++- * important. ++- * ++- */ ++-int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++-{ ++- int rc = 0; ++- unsigned int iter; ++- int sys = rule->syscall; ++- int sys_a, sys_b; ++- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++- ++- if (_mips_syscall_socket_test(sys)) { ++- /* socket syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _mips_syscall_mux(sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _mips_syscall_demux(sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = __mips_NR_socketcall; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 100; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (_mips_syscall_ipc_test(sys)) { ++- /* ipc syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _mips_syscall_mux(sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _mips_syscall_demux(sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = __mips_NR_ipc; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 200; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (sys >= 0) { ++- /* normal syscall processing */ ++- rc = db_rule_add(db, rule); ++- if (rc < 0) ++- goto add_return; ++- } else if (rule->strict) { ++- rc = -EDOM; ++- goto add_return; ++- } ++- ++-add_return: ++- if (rule_dup != NULL) ++- free(rule_dup); ++- return rc; ++-} ++- ++ const struct arch_def arch_def_mips = { ++ .token = SCMP_ARCH_MIPS, ++ .token_bpf = AUDIT_ARCH_MIPS, ++@@ -557,8 +75,8 @@ const struct arch_def arch_def_mips = { ++ .endian = ARCH_ENDIAN_BIG, ++ .syscall_resolve_name = mips_syscall_resolve_name_munge, ++ .syscall_resolve_num = mips_syscall_resolve_num_munge, ++- .syscall_rewrite = mips_syscall_rewrite, ++- .rule_add = mips_rule_add, +++ .syscall_rewrite = NULL, +++ .rule_add = NULL, ++ }; ++ ++ const struct arch_def arch_def_mipsel = { ++@@ -568,6 +86,6 @@ const struct arch_def arch_def_mipsel = { ++ .endian = ARCH_ENDIAN_LITTLE, ++ .syscall_resolve_name = mips_syscall_resolve_name_munge, ++ .syscall_resolve_num = mips_syscall_resolve_num_munge, ++- .syscall_rewrite = mips_syscall_rewrite, ++- .rule_add = mips_rule_add, +++ .syscall_rewrite = NULL, +++ .rule_add = NULL, ++ }; diff --cc debian/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch index 0000000,0000000..974b550 new file mode 100644 --- /dev/null +++ b/debian/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch @@@ -1,0 -1,0 +1,563 @@@ ++REVERTS ++ ++From f93a872fbc404df3dd3739dd399ad67f139fb1fa Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Tue, 3 Aug 2021 23:21:55 -0400 ++Subject: [PATCH] ppc: add multiplexed syscall support to PPC ++ ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++ ++(imported from commit 255801bccf89343c684b2b94e85d9e0df484c133) ++--- ++ src/arch-ppc.c | 530 ++++++++++++++++++++++++++++++++++++++++++++++++- ++ 1 file changed, 526 insertions(+), 4 deletions(-) ++ ++diff --git a/src/arch-ppc.c b/src/arch-ppc.c ++--- a/src/arch-ppc.c +++++ b/src/arch-ppc.c ++@@ -20,540 +20,18 @@ ++ * along with this library; if not, see . ++ */ ++ ++-#include ++-#include ++-#include ++ #include ++ ++-#include "db.h" ++-#include "syscalls.h" ++ #include "arch.h" ++ #include "arch-ppc.h" ++ ++-/* ppc syscall numbers */ ++-#define __ppc_NR_socketcall 102 ++-#define __ppc_NR_ipc 117 ++- ++-/** ++- * Resolve a syscall name to a number ++- * @param name the syscall name ++- * ++- * Resolve the given syscall name to the syscall number using the syscall table. ++- * Returns the syscall number on success, including negative pseudo syscall ++- * numbers; returns __NR_SCMP_ERROR on failure. ++- * ++- */ ++-int ppc_syscall_resolve_name_munge(const char *name) ++-{ ++- ++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return __PNR_##NAME; ++- ++- _ABI_SYSCALL_RES_NAME_CHK(socket) ++- _ABI_SYSCALL_RES_NAME_CHK(bind) ++- _ABI_SYSCALL_RES_NAME_CHK(connect) ++- _ABI_SYSCALL_RES_NAME_CHK(listen) ++- _ABI_SYSCALL_RES_NAME_CHK(accept) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockname) ++- _ABI_SYSCALL_RES_NAME_CHK(getpeername) ++- _ABI_SYSCALL_RES_NAME_CHK(socketpair) ++- _ABI_SYSCALL_RES_NAME_CHK(send) ++- _ABI_SYSCALL_RES_NAME_CHK(recv) ++- _ABI_SYSCALL_RES_NAME_CHK(sendto) ++- _ABI_SYSCALL_RES_NAME_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NAME_CHK(shutdown) ++- _ABI_SYSCALL_RES_NAME_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(accept4) ++- _ABI_SYSCALL_RES_NAME_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NAME_CHK(semop) ++- _ABI_SYSCALL_RES_NAME_CHK(semget) ++- _ABI_SYSCALL_RES_NAME_CHK(semctl) ++- _ABI_SYSCALL_RES_NAME_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NAME_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NAME_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NAME_CHK(msgget) ++- _ABI_SYSCALL_RES_NAME_CHK(msgctl) ++- _ABI_SYSCALL_RES_NAME_CHK(shmat) ++- _ABI_SYSCALL_RES_NAME_CHK(shmdt) ++- _ABI_SYSCALL_RES_NAME_CHK(shmget) ++- _ABI_SYSCALL_RES_NAME_CHK(shmctl) ++- ++- return ppc_syscall_resolve_name(name); ++-} ++- ++-/** ++- * Resolve a syscall number to a name ++- * @param num the syscall number ++- * ++- * Resolve the given syscall number to the syscall name using the syscall table. ++- * Returns a pointer to the syscall name string on success, including pseudo ++- * syscall names; returns NULL on failure. ++- * ++- */ ++-const char *ppc_syscall_resolve_num_munge(int num) ++-{ ++- ++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \ ++- if (num == __PNR_##NAME) return #NAME; ++- ++- _ABI_SYSCALL_RES_NUM_CHK(socket) ++- _ABI_SYSCALL_RES_NUM_CHK(bind) ++- _ABI_SYSCALL_RES_NUM_CHK(connect) ++- _ABI_SYSCALL_RES_NUM_CHK(listen) ++- _ABI_SYSCALL_RES_NUM_CHK(accept) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockname) ++- _ABI_SYSCALL_RES_NUM_CHK(getpeername) ++- _ABI_SYSCALL_RES_NUM_CHK(socketpair) ++- _ABI_SYSCALL_RES_NUM_CHK(send) ++- _ABI_SYSCALL_RES_NUM_CHK(recv) ++- _ABI_SYSCALL_RES_NUM_CHK(sendto) ++- _ABI_SYSCALL_RES_NUM_CHK(recvfrom) ++- _ABI_SYSCALL_RES_NUM_CHK(shutdown) ++- _ABI_SYSCALL_RES_NUM_CHK(setsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(getsockopt) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(accept4) ++- _ABI_SYSCALL_RES_NUM_CHK(recvmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(sendmmsg) ++- _ABI_SYSCALL_RES_NUM_CHK(semop) ++- _ABI_SYSCALL_RES_NUM_CHK(semget) ++- _ABI_SYSCALL_RES_NUM_CHK(semctl) ++- _ABI_SYSCALL_RES_NUM_CHK(semtimedop) ++- _ABI_SYSCALL_RES_NUM_CHK(msgsnd) ++- _ABI_SYSCALL_RES_NUM_CHK(msgrcv) ++- _ABI_SYSCALL_RES_NUM_CHK(msgget) ++- _ABI_SYSCALL_RES_NUM_CHK(msgctl) ++- _ABI_SYSCALL_RES_NUM_CHK(shmat) ++- _ABI_SYSCALL_RES_NUM_CHK(shmdt) ++- _ABI_SYSCALL_RES_NUM_CHK(shmget) ++- _ABI_SYSCALL_RES_NUM_CHK(shmctl) ++- ++- return ppc_syscall_resolve_num(num); ++-} ++- ++-/** ++- * Check if a syscall is a socket syscall ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is a socket related syscall, false otherwise. ++- * ++- */ ++-static bool _ppc_syscall_socket_test(int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -100 && sys >= -120) ++- return true; ++- ++- name = ppc_syscall_resolve_num(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_SOCK_CHK(socket) ++- _ABI_SYSCALL_SOCK_CHK(bind) ++- _ABI_SYSCALL_SOCK_CHK(connect) ++- _ABI_SYSCALL_SOCK_CHK(listen) ++- _ABI_SYSCALL_SOCK_CHK(accept) ++- _ABI_SYSCALL_SOCK_CHK(getsockname) ++- _ABI_SYSCALL_SOCK_CHK(getpeername) ++- _ABI_SYSCALL_SOCK_CHK(socketpair) ++- _ABI_SYSCALL_SOCK_CHK(send) ++- _ABI_SYSCALL_SOCK_CHK(recv) ++- _ABI_SYSCALL_SOCK_CHK(sendto) ++- _ABI_SYSCALL_SOCK_CHK(recvfrom) ++- _ABI_SYSCALL_SOCK_CHK(shutdown) ++- _ABI_SYSCALL_SOCK_CHK(setsockopt) ++- _ABI_SYSCALL_SOCK_CHK(getsockopt) ++- _ABI_SYSCALL_SOCK_CHK(sendmsg) ++- _ABI_SYSCALL_SOCK_CHK(recvmsg) ++- _ABI_SYSCALL_SOCK_CHK(accept4) ++- _ABI_SYSCALL_SOCK_CHK(recvmmsg) ++- _ABI_SYSCALL_SOCK_CHK(sendmmsg) ++- ++- return false; ++-} ++- ++-/** ++- * Check if a syscall is an ipc syscall ++- * @param sys the syscall number ++- * ++- * Returns true if the syscall is an ipc related syscall, false otherwise. ++- * ++- */ ++-static bool _ppc_syscall_ipc_test(int sys) ++-{ ++- const char *name; ++- ++- /* multiplexed pseduo-syscalls */ ++- if (sys <= -200 && sys >= -224) ++- return true; ++- ++- name = ppc_syscall_resolve_num(sys); ++- if (!name) ++- return false; ++- ++-#define _ABI_SYSCALL_IPC_CHK(NAME) \ ++- if (!strcmp(name, #NAME)) return true; ++- ++- _ABI_SYSCALL_IPC_CHK(semop) ++- _ABI_SYSCALL_IPC_CHK(semget) ++- _ABI_SYSCALL_IPC_CHK(semctl) ++- _ABI_SYSCALL_IPC_CHK(semtimedop) ++- _ABI_SYSCALL_IPC_CHK(msgsnd) ++- _ABI_SYSCALL_IPC_CHK(msgrcv) ++- _ABI_SYSCALL_IPC_CHK(msgget) ++- _ABI_SYSCALL_IPC_CHK(msgctl) ++- _ABI_SYSCALL_IPC_CHK(shmat) ++- _ABI_SYSCALL_IPC_CHK(shmdt) ++- _ABI_SYSCALL_IPC_CHK(shmget) ++- _ABI_SYSCALL_IPC_CHK(shmctl) ++- ++- return false; ++-} ++- ++-/** ++- * Convert a multiplexed pseudo syscall into a direct syscall ++- * @param syscall the multiplexed pseudo syscall number ++- * ++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is ++- * no related syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _ppc_syscall_demux(int syscall) ++-{ ++- int sys = __NR_SCMP_UNDEF; ++- ++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \ ++-case __PNR_##NAME: \ ++- sys = ppc_syscall_resolve_name(#NAME); break; ++- ++- switch (syscall) { ++- _ABI_SYSCALL_DEMUX_CHK(socket) ++- _ABI_SYSCALL_DEMUX_CHK(bind) ++- _ABI_SYSCALL_DEMUX_CHK(connect) ++- _ABI_SYSCALL_DEMUX_CHK(listen) ++- _ABI_SYSCALL_DEMUX_CHK(accept) ++- _ABI_SYSCALL_DEMUX_CHK(getsockname) ++- _ABI_SYSCALL_DEMUX_CHK(getpeername) ++- _ABI_SYSCALL_DEMUX_CHK(socketpair) ++- _ABI_SYSCALL_DEMUX_CHK(send) ++- _ABI_SYSCALL_DEMUX_CHK(recv) ++- _ABI_SYSCALL_DEMUX_CHK(sendto) ++- _ABI_SYSCALL_DEMUX_CHK(recvfrom) ++- _ABI_SYSCALL_DEMUX_CHK(shutdown) ++- _ABI_SYSCALL_DEMUX_CHK(setsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(getsockopt) ++- _ABI_SYSCALL_DEMUX_CHK(sendmsg) ++- _ABI_SYSCALL_DEMUX_CHK(recvmsg) ++- _ABI_SYSCALL_DEMUX_CHK(accept4) ++- _ABI_SYSCALL_DEMUX_CHK(recvmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(sendmmsg) ++- _ABI_SYSCALL_DEMUX_CHK(semop) ++- _ABI_SYSCALL_DEMUX_CHK(semget) ++- _ABI_SYSCALL_DEMUX_CHK(semctl) ++- _ABI_SYSCALL_DEMUX_CHK(semtimedop) ++- _ABI_SYSCALL_DEMUX_CHK(msgsnd) ++- _ABI_SYSCALL_DEMUX_CHK(msgrcv) ++- _ABI_SYSCALL_DEMUX_CHK(msgget) ++- _ABI_SYSCALL_DEMUX_CHK(msgctl) ++- _ABI_SYSCALL_DEMUX_CHK(shmat) ++- _ABI_SYSCALL_DEMUX_CHK(shmdt) ++- _ABI_SYSCALL_DEMUX_CHK(shmget) ++- _ABI_SYSCALL_DEMUX_CHK(shmctl) ++- } ++- ++- /* this looks odd because the arch resolver returns _ERROR if it can't ++- * resolve the syscall, but we want to use _UNDEF for that, so we set ++- * 'sys' to a sentinel value of _UNDEF and if it is error here we know ++- * the resolve failed to find a match */ ++- if (sys == __NR_SCMP_UNDEF) ++- sys = __NR_SCMP_ERROR; ++- else if (sys == __NR_SCMP_ERROR) ++- sys = __NR_SCMP_UNDEF; ++- ++- return sys; ++-} ++- ++-/** ++- * Convert a direct syscall into multiplexed pseudo socket syscall ++- * @param syscall the direct syscall ++- * ++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is ++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. ++- * ++- */ ++-static int _ppc_syscall_mux(int syscall) ++-{ ++- const char *sys; ++- ++- sys = ppc_syscall_resolve_num(syscall); ++- if (!sys) ++- return __NR_SCMP_ERROR; ++- ++-#define _ABI_SYSCALL_MUX_CHK(NAME) \ ++- if (!strcmp(sys, #NAME)) return __PNR_##NAME; ++- ++- _ABI_SYSCALL_MUX_CHK(socket) ++- _ABI_SYSCALL_MUX_CHK(bind) ++- _ABI_SYSCALL_MUX_CHK(connect) ++- _ABI_SYSCALL_MUX_CHK(listen) ++- _ABI_SYSCALL_MUX_CHK(accept) ++- _ABI_SYSCALL_MUX_CHK(getsockname) ++- _ABI_SYSCALL_MUX_CHK(getpeername) ++- _ABI_SYSCALL_MUX_CHK(socketpair) ++- _ABI_SYSCALL_MUX_CHK(send) ++- _ABI_SYSCALL_MUX_CHK(recv) ++- _ABI_SYSCALL_MUX_CHK(sendto) ++- _ABI_SYSCALL_MUX_CHK(recvfrom) ++- _ABI_SYSCALL_MUX_CHK(shutdown) ++- _ABI_SYSCALL_MUX_CHK(setsockopt) ++- _ABI_SYSCALL_MUX_CHK(getsockopt) ++- _ABI_SYSCALL_MUX_CHK(sendmsg) ++- _ABI_SYSCALL_MUX_CHK(recvmsg) ++- _ABI_SYSCALL_MUX_CHK(accept4) ++- _ABI_SYSCALL_MUX_CHK(recvmmsg) ++- _ABI_SYSCALL_MUX_CHK(sendmmsg) ++- _ABI_SYSCALL_MUX_CHK(semop) ++- _ABI_SYSCALL_MUX_CHK(semget) ++- _ABI_SYSCALL_MUX_CHK(semctl) ++- _ABI_SYSCALL_MUX_CHK(semtimedop) ++- _ABI_SYSCALL_MUX_CHK(msgsnd) ++- _ABI_SYSCALL_MUX_CHK(msgrcv) ++- _ABI_SYSCALL_MUX_CHK(msgget) ++- _ABI_SYSCALL_MUX_CHK(msgctl) ++- _ABI_SYSCALL_MUX_CHK(shmat) ++- _ABI_SYSCALL_MUX_CHK(shmdt) ++- _ABI_SYSCALL_MUX_CHK(shmget) ++- _ABI_SYSCALL_MUX_CHK(shmctl) ++- ++- return __NR_SCMP_ERROR; ++-} ++- ++-/** ++- * Rewrite a syscall value to match the architecture ++- * @param syscall the syscall number ++- * ++- * Syscalls can vary across different architectures so this function rewrites ++- * the syscall into the correct value for the specified architecture. Returns ++- * zero on success, negative values on failure. ++- * ++- */ ++-int ppc_syscall_rewrite(int *syscall) ++-{ ++- int sys = *syscall; ++- ++- if (sys <= -100 && sys >= -120) ++- *syscall = __ppc_NR_socketcall; ++- else if (sys <= -200 && sys >= -224) ++- *syscall = __ppc_NR_ipc; ++- else if (sys < 0) ++- return -EDOM; ++- ++- return 0; ++-} ++- ++-/** ++- * add a new rule to the ppc seccomp filter ++- * @param db the seccomp filter db ++- * @param rule the filter rule ++- * ++- * This function adds a new syscall filter to the seccomp filter db, making any ++- * necessary adjustments for the ppc ABI. Returns zero on success, negative ++- * values on failure. ++- * ++- * It is important to note that in the case of failure the db may be corrupted, ++- * the caller must use the transaction mechanism if the db integrity is ++- * important. ++- * ++- */ ++-int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule) ++-{ ++- int rc = 0; ++- unsigned int iter; ++- int sys = rule->syscall; ++- int sys_a, sys_b; ++- struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL; ++- ++- if (_ppc_syscall_socket_test(sys)) { ++- /* socket syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _ppc_syscall_mux(sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _ppc_syscall_demux(sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = __ppc_NR_socketcall; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 100; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (_ppc_syscall_ipc_test(sys)) { ++- /* ipc syscalls */ ++- ++- /* strict check for the multiplexed socket syscalls */ ++- for (iter = 0; iter < ARG_COUNT_MAX; iter++) { ++- if ((rule->args[iter].valid != 0) && (rule->strict)) { ++- rc = -EINVAL; ++- goto add_return; ++- } ++- } ++- ++- /* determine both the muxed and direct syscall numbers */ ++- if (sys > 0) { ++- sys_a = _ppc_syscall_mux(sys); ++- if (sys_a == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- sys_b = sys; ++- } else { ++- sys_a = sys; ++- sys_b = _ppc_syscall_demux(sys); ++- if (sys_b == __NR_SCMP_ERROR) { ++- rc = __NR_SCMP_ERROR; ++- goto add_return; ++- } ++- } ++- ++- /* use rule_a for the multiplexed syscall and use rule_b for ++- * the direct wired syscall */ ++- ++- if (sys_a == __NR_SCMP_UNDEF) { ++- rule_a = NULL; ++- rule_b = rule; ++- } else if (sys_b == __NR_SCMP_UNDEF) { ++- rule_a = rule; ++- rule_b = NULL; ++- } else { ++- /* need two rules, dup the first and link together */ ++- rule_a = rule; ++- rule_dup = db_rule_dup(rule_a); ++- rule_b = rule_dup; ++- if (rule_b == NULL) ++- goto add_return; ++- rule_b->prev = rule_a; ++- rule_b->next = NULL; ++- rule_a->next = rule_b; ++- } ++- ++- /* multiplexed socket syscalls */ ++- if (rule_a != NULL) { ++- rule_a->syscall = __ppc_NR_ipc; ++- rule_a->args[0].arg = 0; ++- rule_a->args[0].op = SCMP_CMP_EQ; ++- rule_a->args[0].mask = DATUM_MAX; ++- rule_a->args[0].datum = (-sys_a) % 200; ++- rule_a->args[0].valid = 1; ++- } ++- ++- /* direct wired socket syscalls */ ++- if (rule_b != NULL) ++- rule_b->syscall = sys_b; ++- ++- /* we should be protected by a transaction checkpoint */ ++- if (rule_a != NULL) { ++- rc = db_rule_add(db, rule_a); ++- if (rc < 0) ++- goto add_return; ++- } ++- if (rule_b != NULL) { ++- rc = db_rule_add(db, rule_b); ++- if (rc < 0) ++- goto add_return; ++- } ++- } else if (sys >= 0) { ++- /* normal syscall processing */ ++- rc = db_rule_add(db, rule); ++- if (rc < 0) ++- goto add_return; ++- } else if (rule->strict) { ++- rc = -EDOM; ++- goto add_return; ++- } ++- ++-add_return: ++- if (rule_dup != NULL) ++- free(rule_dup); ++- return rc; ++-} ++- ++ const struct arch_def arch_def_ppc = { ++ .token = SCMP_ARCH_PPC, ++ .token_bpf = AUDIT_ARCH_PPC, ++ .size = ARCH_SIZE_32, ++ .endian = ARCH_ENDIAN_BIG, ++- .syscall_resolve_name = ppc_syscall_resolve_name_munge, ++- .syscall_resolve_num = ppc_syscall_resolve_num_munge, ++- .syscall_rewrite = ppc_syscall_rewrite, ++- .rule_add = ppc_rule_add, +++ .syscall_resolve_name = ppc_syscall_resolve_name, +++ .syscall_resolve_num = ppc_syscall_resolve_num, +++ .syscall_rewrite = NULL, +++ .rule_add = NULL, ++ }; diff --cc debian/patches/revert_various_additions_to_improve_code_coverage.patch index 0000000,0000000..3270170 new file mode 100644 --- /dev/null +++ b/debian/patches/revert_various_additions_to_improve_code_coverage.patch @@@ -1,0 -1,0 +1,1110 @@@ ++REVERTS ++ ++From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Tue, 3 Aug 2021 14:12:50 -0400 ++Subject: [PATCH] tests: various additions to improve code coverage ++ ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++ ++(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65) ++--- ++ tests/11-basic-basic_errors.c | 52 +++ ++ tests/15-basic-resolver.c | 40 ++ ++ tests/30-sim-socket_syscalls.c | 62 ++- ++ tests/33-sim-socket_syscalls_be.c | 3 + ++ tests/33-sim-socket_syscalls_be.py | 1 + ++ tests/33-sim-socket_syscalls_be.tests | 42 +- ++ tests/36-sim-ipc_syscalls.c | 3 + ++ tests/36-sim-ipc_syscalls.py | 1 + ++ tests/36-sim-ipc_syscalls.tests | 50 +-- ++ tests/37-sim-ipc_syscalls_be.c | 3 + ++ tests/37-sim-ipc_syscalls_be.py | 1 + ++ tests/37-sim-ipc_syscalls_be.tests | 26 +- ++ tests/38-basic-pfc_coverage.c | 27 ++ ++ tests/38-basic-pfc_coverage.pfc | 534 ++++++++++++++++++++++++++ ++ tests/52-basic-load.c | 23 ++ ++ 15 files changed, 804 insertions(+), 64 deletions(-) ++ ++diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c ++--- a/tests/11-basic-basic_errors.c +++++ b/tests/11-basic-basic_errors.c ++@@ -29,8 +29,6 @@ int main(int argc, char *argv[]) ++ int rc; ++ scmp_filter_ctx ctx; ++ uint32_t attr; ++- struct seccomp_notif *req = NULL; ++- struct seccomp_notif_resp *resp = NULL; ++ ++ /* seccomp_init errors */ ++ ctx = seccomp_init(SCMP_ACT_ALLOW + 1); ++@@ -125,9 +123,6 @@ int main(int argc, char *argv[]) ++ return -1; ++ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, ++ SCMP_A0(SCMP_CMP_EQ, 2)); ++- if (rc != -EINVAL) ++- return -1; ++- rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0); ++ if (rc != -EINVAL) ++ return -1; ++ seccomp_release(ctx); ++@@ -185,53 +180,6 @@ int main(int argc, char *argv[]) ++ rc = seccomp_attr_set(ctx, 1000, 1); ++ if (rc != -EINVAL) ++ return -1; ++- seccomp_release(ctx); ++- ctx = NULL; ++- ++- /* seccomp_merge() errors */ ++- ctx = seccomp_init(SCMP_ACT_ALLOW); ++- if (ctx == NULL) ++- return -1; ++- rc = seccomp_merge(ctx, NULL); ++- if (rc == 0) ++- return -1; ++- seccomp_release(ctx); ++- ctx = NULL; ++- ++- /* seccomp notify errors */ ++- ctx = seccomp_init(SCMP_ACT_ALLOW); ++- if (ctx == NULL) ++- return -1; ++- rc = seccomp_notify_alloc(NULL, NULL); ++- if (rc != 0) ++- return -1; ++- rc = seccomp_notify_alloc(&req, NULL); ++- if (rc != 0) ++- return -1; ++- rc = seccomp_notify_alloc(NULL, &resp); ++- if (rc != 0) ++- return -1; ++- seccomp_notify_free(NULL, NULL); ++- seccomp_notify_free(req, resp); ++- req = NULL; ++- resp = NULL; ++- rc = seccomp_notify_receive(-1, NULL); ++- if (rc == 0) ++- return -1; ++- rc = seccomp_notify_respond(-1, NULL); ++- if (rc == 0) ++- return -1; ++- rc = seccomp_notify_id_valid(-1, 0); ++- if (rc == 0) ++- return -1; ++- rc = seccomp_notify_fd(NULL); ++- if (rc == 0) ++- return -1; ++- rc = seccomp_notify_fd(ctx); ++- if (rc == 0) ++- return -1; ++- seccomp_release(ctx); ++- ctx = NULL; ++ ++ return 0; ++ } ++diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c ++--- a/tests/15-basic-resolver.c +++++ b/tests/15-basic-resolver.c ++@@ -68,7 +68,6 @@ int main(int argc, char *argv[]) ++ goto fail; ++ ++ while ((arch = arch_list[iter++]) != -1) { ++- int sys; ++ int nr_open; ++ int nr_read; ++ int nr_socket; ++@@ -120,45 +119,6 @@ int main(int argc, char *argv[]) ++ goto fail; ++ free(name); ++ name = NULL; ++- ++- /* socket pseudo-syscalls */ ++- if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) { ++- for (sys = -101; sys >= -120; sys--) { ++- name = seccomp_syscall_resolve_num_arch(arch, ++- sys); ++- if (name == NULL) ++- goto fail; ++- free(name); ++- name = NULL; ++- } ++- } ++- /* ipc pseudo-syscalls */ ++- if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) { ++- for (sys = -201; sys >= -204; sys--) { ++- name = seccomp_syscall_resolve_num_arch(arch, ++- sys); ++- if (name == NULL) ++- goto fail; ++- free(name); ++- name = NULL; ++- } ++- for (sys = -211; sys >= -214; sys--) { ++- name = seccomp_syscall_resolve_num_arch(arch, ++- sys); ++- if (name == NULL) ++- goto fail; ++- free(name); ++- name = NULL; ++- } ++- for (sys = -221; sys >= -224; sys--) { ++- name = seccomp_syscall_resolve_num_arch(arch, ++- sys); ++- if (name == NULL) ++- goto fail; ++- free(name); ++- name = NULL; ++- } ++- } ++ } ++ ++ return 0; ++diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c ++--- a/tests/30-sim-socket_syscalls.c +++++ b/tests/30-sim-socket_syscalls.c ++@@ -61,79 +61,19 @@ int main(int argc, char *argv[]) ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0); ++- if (rc != 0) ++- goto out; ++- ++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0); ++- if (rc != 0) ++- goto out; ++- ++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0); ++- if (rc != 0) ++- goto out; ++- ++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0); ++- if (rc != 0) ++- goto out; ++- ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0); +++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c ++--- a/tests/33-sim-socket_syscalls_be.c +++++ b/tests/33-sim-socket_syscalls_be.c ++@@ -48,9 +48,6 @@ int main(int argc, char *argv[]) ++ if (rc != 0) ++ goto out; ++ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); ++- if (rc != 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py ++--- a/tests/33-sim-socket_syscalls_be.py +++++ b/tests/33-sim-socket_syscalls_be.py ++@@ -33,7 +33,6 @@ def test(args): ++ f.remove_arch(Arch()) ++ f.add_arch(Arch("s390")) ++ f.add_arch(Arch("s390x")) ++- f.add_arch(Arch("ppc")) ++ f.add_rule(ALLOW, "socket") ++ f.add_rule(ALLOW, "connect") ++ f.add_rule(ALLOW, "accept") ++diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests ++--- a/tests/33-sim-socket_syscalls_be.tests +++++ b/tests/33-sim-socket_syscalls_be.tests ++@@ -7,23 +7,31 @@ ++ ++ test type: bpf-sim ++ ++-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW ++-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL +++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +++33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL +++33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL +++33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW +++33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL +++33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW +++33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL ++ ++ test type: bpf-valgrind ++ ++diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c ++--- a/tests/36-sim-ipc_syscalls.c +++++ b/tests/36-sim-ipc_syscalls.c ++@@ -54,9 +54,6 @@ int main(int argc, char *argv[]) ++ if (rc != 0) ++ goto out; ++ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); ++- if (rc != 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py ++--- a/tests/36-sim-ipc_syscalls.py +++++ b/tests/36-sim-ipc_syscalls.py ++@@ -35,7 +35,6 @@ def test(args): ++ f.add_arch(Arch("x86_64")) ++ f.add_arch(Arch("x32")) ++ f.add_arch(Arch("ppc64le")) ++- f.add_arch(Arch("mipsel")) ++ f.add_rule(ALLOW, "semop") ++ f.add_rule(ALLOW, "semtimedop") ++ f.add_rule(ALLOW, "semget") ++diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests ++--- a/tests/36-sim-ipc_syscalls.tests +++++ b/tests/36-sim-ipc_syscalls.tests ++@@ -7,31 +7,31 @@ ++ ++ test type: bpf-sim ++ ++-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW ++-36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW +++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +++36-sim-ipc_syscalls +x86,+ppc64le ipc 1 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 2 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 3 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 4 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 11 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 12 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 13 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 14 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 21 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 22 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 23 N N N N N ALLOW +++36-sim-ipc_syscalls +x86,+ppc64le ipc 24 N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW +++36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW ++ ++ test type: bpf-valgrind ++ ++diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c ++--- a/tests/37-sim-ipc_syscalls_be.c +++++ b/tests/37-sim-ipc_syscalls_be.c ++@@ -48,9 +48,6 @@ int main(int argc, char *argv[]) ++ if (rc != 0) ++ goto out; ++ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); ++- if (rc != 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py ++--- a/tests/37-sim-ipc_syscalls_be.py +++++ b/tests/37-sim-ipc_syscalls_be.py ++@@ -33,7 +33,6 @@ def test(args): ++ f.remove_arch(Arch()) ++ f.add_arch(Arch("s390")) ++ f.add_arch(Arch("s390x")) ++- f.add_arch(Arch("ppc")) ++ f.add_rule(ALLOW, "semop") ++ f.add_rule(ALLOW, "semtimedop") ++ f.add_rule(ALLOW, "semget") ++diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests ++--- a/tests/37-sim-ipc_syscalls_be.tests +++++ b/tests/37-sim-ipc_syscalls_be.tests ++@@ -7,19 +7,19 @@ ++ ++ test type: bpf-sim ++ ++-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW ++-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW +++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +++37-sim-ipc_syscalls_be +s390,+s390x ipc 1 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 2 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 3 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 4 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 11 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 12 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 13 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 14 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 21 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 22 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 23 N N N N N ALLOW +++37-sim-ipc_syscalls_be +s390,+s390x ipc 24 N N N N N ALLOW ++ ++ test type: bpf-valgrind ++ ++diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c ++--- a/tests/38-basic-pfc_coverage.c +++++ b/tests/38-basic-pfc_coverage.c ++@@ -55,30 +55,6 @@ int main(int argc, char *argv[]) ++ if (rc < 0) ++ goto out; ++ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64); ++ if (rc < 0) ++ goto out; ++ ++@@ -109,9 +85,6 @@ int main(int argc, char *argv[]) ++ if (rc < 0) ++ goto out; ++ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0); ++- if (rc < 0) ++- goto out; ++- rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0); ++ if (rc < 0) ++ goto out; ++ ++diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc ++--- a/tests/38-basic-pfc_coverage.pfc +++++ b/tests/38-basic-pfc_coverage.pfc ++@@ -3,9 +3,6 @@ ++ # ++ # filter for arch x86_64 (3221225534) ++ if ($arch == 3221225534) ++- # filter for syscall "exit_group" (231) [priority: 65535] ++- if ($syscall == 231) ++- action LOG; ++ # filter for syscall "exit" (60) [priority: 65535] ++ if ($syscall == 60) ++ action TRACE(1); ++@@ -100,9 +97,6 @@ if ($arch == 3221225534) ++ action ALLOW; ++ # filter for arch x86 (1073741827) ++ if ($arch == 1073741827) ++- # filter for syscall "exit_group" (252) [priority: 65535] ++- if ($syscall == 252) ++- action LOG; ++ # filter for syscall "fstat" (108) [priority: 65535] ++ if ($syscall == 108) ++ action KILL_PROCESS; ++@@ -133,534 +127,6 @@ if ($arch == 1073741827) ++ action KILL; ++ # default action ++ action ALLOW; ++-# filter for arch x32 (3221225534) ++-if ($arch == 3221225534) ++- # filter for syscall "exit_group" (1073742055) [priority: 65535] ++- if ($syscall == 1073742055) ++- action LOG; ++- # filter for syscall "exit" (1073741884) [priority: 65535] ++- if ($syscall == 1073741884) ++- action TRACE(1); ++- # filter for syscall "fstat" (1073741829) [priority: 65535] ++- if ($syscall == 1073741829) ++- action KILL_PROCESS; ++- # filter for syscall "close" (1073741827) [priority: 65535] ++- if ($syscall == 1073741827) ++- action ERRNO(1); ++- # filter for syscall "open" (1073741826) [priority: 65535] ++- if ($syscall == 1073741826) ++- action KILL; ++- # filter for syscall "write" (1073741825) [priority: 65532] ++- if ($syscall == 1073741825) ++- if ($a0 == 0) ++- else ++- if ($a1 > 1) ++- else ++- if ($a2 >= 2) ++- else ++- action TRAP; ++- # filter for syscall "read" (1073741824) [priority: 65531] ++- if ($syscall == 1073741824) ++- if ($a0 == 0) ++- if ($a1 >= 1) ++- if ($a2 > 2) ++- if ($a3 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch arm (1073741864) ++-if ($arch == 1073741864) ++- # filter for syscall "exit_group" (248) [priority: 65535] ++- if ($syscall == 248) ++- action LOG; ++- # filter for syscall "fstat" (108) [priority: 65535] ++- if ($syscall == 108) ++- action KILL_PROCESS; ++- # filter for syscall "close" (6) [priority: 65535] ++- if ($syscall == 6) ++- action ERRNO(1); ++- # filter for syscall "open" (5) [priority: 65535] ++- if ($syscall == 5) ++- action KILL; ++- # filter for syscall "exit" (1) [priority: 65535] ++- if ($syscall == 1) ++- action TRACE(1); ++- # filter for syscall "write" (4) [priority: 65532] ++- if ($syscall == 4) ++- if ($a0 == 0) ++- else ++- if ($a1 > 1) ++- else ++- if ($a2 >= 2) ++- else ++- action TRAP; ++- # filter for syscall "read" (3) [priority: 65531] ++- if ($syscall == 3) ++- if ($a0 == 0) ++- if ($a1 >= 1) ++- if ($a2 > 2) ++- if ($a3 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch aarch64 (3221225655) ++-if ($arch == 3221225655) ++- # filter for syscall "open" (4294957130) [priority: 65535] ++- if ($syscall == 4294957130) ++- action KILL; ++- # filter for syscall "exit_group" (94) [priority: 65535] ++- if ($syscall == 94) ++- action LOG; ++- # filter for syscall "exit" (93) [priority: 65535] ++- if ($syscall == 93) ++- action TRACE(1); ++- # filter for syscall "fstat" (80) [priority: 65535] ++- if ($syscall == 80) ++- action KILL_PROCESS; ++- # filter for syscall "close" (57) [priority: 65535] ++- if ($syscall == 57) ++- action ERRNO(1); ++- # filter for syscall "write" (64) [priority: 65527] ++- if ($syscall == 64) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- # filter for syscall "read" (63) [priority: 65525] ++- if ($syscall == 63) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- if ($a1.hi32 > 0) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 >= 1) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch mipsel (1073741832) ++-if ($arch == 1073741832) ++- # filter for syscall "exit_group" (246) [priority: 65535] ++- if ($syscall == 246) ++- action LOG; ++- # filter for syscall "fstat" (108) [priority: 65535] ++- if ($syscall == 108) ++- action KILL_PROCESS; ++- # filter for syscall "close" (6) [priority: 65535] ++- if ($syscall == 6) ++- action ERRNO(1); ++- # filter for syscall "open" (5) [priority: 65535] ++- if ($syscall == 5) ++- action KILL; ++- # filter for syscall "exit" (1) [priority: 65535] ++- if ($syscall == 1) ++- action TRACE(1); ++- # filter for syscall "write" (4) [priority: 65532] ++- if ($syscall == 4) ++- if ($a0 == 0) ++- else ++- if ($a1 > 1) ++- else ++- if ($a2 >= 2) ++- else ++- action TRAP; ++- # filter for syscall "read" (3) [priority: 65531] ++- if ($syscall == 3) ++- if ($a0 == 0) ++- if ($a1 >= 1) ++- if ($a2 > 2) ++- if ($a3 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch mipsel64 (3221225480) ++-if ($arch == 3221225480) ++- # filter for syscall "exit_group" (5205) [priority: 65535] ++- if ($syscall == 5205) ++- action LOG; ++- # filter for syscall "exit" (5058) [priority: 65535] ++- if ($syscall == 5058) ++- action TRACE(1); ++- # filter for syscall "fstat" (5005) [priority: 65535] ++- if ($syscall == 5005) ++- action KILL_PROCESS; ++- # filter for syscall "close" (5003) [priority: 65535] ++- if ($syscall == 5003) ++- action ERRNO(1); ++- # filter for syscall "open" (5002) [priority: 65535] ++- if ($syscall == 5002) ++- action KILL; ++- # filter for syscall "write" (5001) [priority: 65527] ++- if ($syscall == 5001) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- # filter for syscall "read" (5000) [priority: 65525] ++- if ($syscall == 5000) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- if ($a1.hi32 > 0) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 >= 1) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch mipsel64n32 (3758096392) ++-if ($arch == 3758096392) ++- # filter for syscall "exit_group" (6205) [priority: 65535] ++- if ($syscall == 6205) ++- action LOG; ++- # filter for syscall "exit" (6058) [priority: 65535] ++- if ($syscall == 6058) ++- action TRACE(1); ++- # filter for syscall "fstat" (6005) [priority: 65535] ++- if ($syscall == 6005) ++- action KILL_PROCESS; ++- # filter for syscall "close" (6003) [priority: 65535] ++- if ($syscall == 6003) ++- action ERRNO(1); ++- # filter for syscall "open" (6002) [priority: 65535] ++- if ($syscall == 6002) ++- action KILL; ++- # filter for syscall "write" (6001) [priority: 65532] ++- if ($syscall == 6001) ++- if ($a0 == 0) ++- else ++- if ($a1 > 1) ++- else ++- if ($a2 >= 2) ++- else ++- action TRAP; ++- # filter for syscall "read" (6000) [priority: 65531] ++- if ($syscall == 6000) ++- if ($a0 == 0) ++- if ($a1 >= 1) ++- if ($a2 > 2) ++- if ($a3 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch ppc64le (3221225493) ++-if ($arch == 3221225493) ++- # filter for syscall "exit_group" (234) [priority: 65535] ++- if ($syscall == 234) ++- action LOG; ++- # filter for syscall "fstat" (108) [priority: 65535] ++- if ($syscall == 108) ++- action KILL_PROCESS; ++- # filter for syscall "close" (6) [priority: 65535] ++- if ($syscall == 6) ++- action ERRNO(1); ++- # filter for syscall "open" (5) [priority: 65535] ++- if ($syscall == 5) ++- action KILL; ++- # filter for syscall "exit" (1) [priority: 65535] ++- if ($syscall == 1) ++- action TRACE(1); ++- # filter for syscall "write" (4) [priority: 65527] ++- if ($syscall == 4) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- # filter for syscall "read" (3) [priority: 65525] ++- if ($syscall == 3) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- if ($a1.hi32 > 0) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 >= 1) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++-# filter for arch riscv64 (3221225715) ++-if ($arch == 3221225715) ++- # filter for syscall "open" (4294957130) [priority: 65535] ++- if ($syscall == 4294957130) ++- action KILL; ++- # filter for syscall "exit_group" (94) [priority: 65535] ++- if ($syscall == 94) ++- action LOG; ++- # filter for syscall "exit" (93) [priority: 65535] ++- if ($syscall == 93) ++- action TRACE(1); ++- # filter for syscall "fstat" (80) [priority: 65535] ++- if ($syscall == 80) ++- action KILL_PROCESS; ++- # filter for syscall "close" (57) [priority: 65535] ++- if ($syscall == 57) ++- action ERRNO(1); ++- # filter for syscall "write" (64) [priority: 65527] ++- if ($syscall == 64) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a1.hi32 > 0) ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 > 1) ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- else ++- if ($a2.hi32 > 0) ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 >= 2) ++- else ++- action TRAP; ++- else ++- action TRAP; ++- # filter for syscall "read" (63) [priority: 65525] ++- if ($syscall == 63) ++- if ($a0.hi32 == 0) ++- if ($a0.lo32 == 0) ++- if ($a1.hi32 > 0) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a1.hi32 == 0) ++- if ($a1.lo32 >= 1) ++- if ($a2.hi32 > 0) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- else ++- if ($a2.hi32 == 0) ++- if ($a2.lo32 > 2) ++- if ($a3.hi32 & 0x00000000 == 0) ++- if ($a3.lo32 & 0x0000000f == 3) ++- action KILL; ++- # default action ++- action ALLOW; ++ # invalid architecture action ++ action KILL; ++ # ++diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c ++--- a/tests/52-basic-load.c +++++ b/tests/52-basic-load.c ++@@ -31,38 +31,15 @@ int main(int argc, char *argv[]) ++ int rc; ++ struct util_options opts; ++ scmp_filter_ctx ctx = NULL; ++- unsigned int api; ++ ++ rc = util_getopt(argc, argv, &opts); ++ if (rc < 0) ++ goto out; ++ ++- api = seccomp_api_get(); ++- if (api == 0) { ++- rc = -EFAULT; ++- goto out; ++- } ++- ++ ctx = seccomp_init(SCMP_ACT_ALLOW); ++ if (ctx == NULL) ++ return ENOMEM; ++ ++- if (api >= 2) { ++- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); ++- if (rc != 0) ++- goto out; ++- } ++- if (api >= 3) { ++- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1); ++- if (rc != 0) ++- goto out; ++- } ++- if (api >= 4) { ++- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1); ++- if (rc != 0) ++- goto out; ++- } ++- ++ rc = seccomp_load(ctx); ++ ++ out: diff --cc debian/patches/series index 0000000,0000000..b6e2f86 new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,4 @@@ ++revert_various_additions_to_improve_code_coverage.patch ++revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch ++revert_ppc_add_multiplexed_syscall_support_to_PPC.patch ++revert_mips_add_multiplexed_syscall_support_to_MIPS.patch diff --cc debian/python-seccomp.install index 0000000,0000000..a71458d new file mode 100644 --- /dev/null +++ b/debian/python-seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/python2.*/dist-packages/seccomp.so diff --cc debian/python3-seccomp.install index 0000000,0000000..97a45dc new file mode 100644 --- /dev/null +++ b/debian/python3-seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/python3.*/site-packages/seccomp.cpython-*.so diff --cc debian/rules index 0000000,0000000..54d5951 new file mode 100755 --- /dev/null +++ b/debian/rules @@@ -1,0 -1,0 +1,37 @@@ ++#!/usr/bin/make -f ++# -*- makefile -*- ++ ++# Uncomment this to turn on verbose mode. ++#export DH_VERBOSE=1 ++ ++# Enable verbose build details. ++export V=1 ++ ++include /usr/share/dpkg/architecture.mk ++ ++%: ++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) ++ dh $@ --with python3 ++else ++ dh $@ ++endif ++ ++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) ++ ++override_dh_auto_install: ++ dh_auto_install ++ for pyver in `py3versions -s`; do \ ++ set -e; \ ++ if python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"; then \ ++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata__${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ ++ else \ ++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata_m_${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ ++ fi; \ ++ dh_auto_configure -- --enable-python PYTHON=$$pyver; \ ++ dh_auto_install --sourcedirectory=src/python -- PYTHON=$$pyver; \ ++ done ++endif ++ ++override_dh_auto_clean: ++ dh_auto_clean ++ rm -f regression.out diff --cc debian/seccomp.install index 0000000,0000000..1df36c6 new file mode 100644 --- /dev/null +++ b/debian/seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/bin/* diff --cc debian/seccomp.manpages index 0000000,0000000..5ea05fe new file mode 100644 --- /dev/null +++ b/debian/seccomp.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/tmp/usr/share/man/man1/* diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null +++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/tests/common index 0000000,0000000..e02e8db new file mode 100644 --- /dev/null +++ b/debian/tests/common @@@ -1,0 -1,0 +1,12 @@@ ++SRCDIR="$(pwd)" ++ ++mkdir "$AUTOPKGTEST_TMP/tests" "$AUTOPKGTEST_TMP/tools" ++cp -a tests/. "$AUTOPKGTEST_TMP/tests/" ++ ++cd "$AUTOPKGTEST_TMP/tests" ++ ++# build tools needed for tests ++for tool in scmp_api_level scmp_arch_detect scmp_sys_resolver; do ++ echo "Building $tool ..." ++ gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool ++done diff --cc debian/tests/control index 0000000,0000000..3d2c4ba new file mode 100644 --- /dev/null +++ b/debian/tests/control @@@ -1,0 -1,0 +1,7 @@@ ++Tests: testsuite-live ++Depends: libseccomp-dev, build-essential ++Restrictions: isolation-machine ++ ++Tests: testsuite-live-python3 ++Depends: libseccomp-dev, build-essential, python3-seccomp ++Restrictions: isolation-machine, allow-stderr diff --cc debian/tests/testsuite-live index 0000000,0000000..bbf20d0 new file mode 100644 --- /dev/null +++ b/debian/tests/testsuite-live @@@ -1,0 -1,0 +1,17 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++# manually build necessary files against the installed libseccomp ++ ++# build live tests ++for filename in *-live-*.tests; do ++ testname=$(echo "$filename" | cut -f 1 -d '.') ++ echo "Building $testname ..." ++ gcc -O2 -g "${testname}.c" util.c -pthread -lseccomp -o "$testname" ++done ++ ++echo "Running test suite ..." ++./regression -T live diff --cc debian/tests/testsuite-live-python2 index 0000000,0000000..9c9ded4 new file mode 100644 --- /dev/null +++ b/debian/tests/testsuite-live-python2 @@@ -1,0 -1,0 +1,8 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++echo "Running test suite ..." ++./regression -T live -m python diff --cc debian/tests/testsuite-live-python3 index 0000000,0000000..f4fb094 new file mode 100644 --- /dev/null +++ b/debian/tests/testsuite-live-python3 @@@ -1,0 -1,0 +1,13 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++# make sure "python" points to python3 as this is not configurable ++# in the regression script ++mkdir python3env ++ln -s /usr/bin/python3 python3env/python ++ ++echo "Running test suite ..." ++PATH="$(pwd)/python3env:$PATH" ./regression -T live -m python diff --cc debian/upstream/metadata index 0000000,0000000..0fef70b new file mode 100644 --- /dev/null +++ b/debian/upstream/metadata @@@ -1,0 -1,0 +1,4 @@@ ++Bug-Database: https://github.com/seccomp/libseccomp/issues ++Bug-Submit: https://github.com/seccomp/libseccomp/issues/new ++Repository: https://github.com/seccomp/libseccomp.git ++Repository-Browse: https://github.com/seccomp/libseccomp diff --cc debian/upstream/signing-key.asc index 0000000,0000000..5ddf435 new file mode 100644 --- /dev/null +++ b/debian/upstream/signing-key.asc @@@ -1,0 -1,0 +1,192 @@@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++ ++mQINBE6TSxkBEACy+4BPGoI7vphGh/q5WET0lmU7LcDwuNs/satPRH/vPoSYLxYU ++FmZ64A2zA4/imlohR+9VMfEVgOX6f23vZWheC2Z12bCtK0/cGLfoGMddFi7mg6aV ++hJeAegYkC6hDAYI+Mc/mt0fYvDB+bSPUCUdnB/NegbWegJMJur2pc0/nQqeeoRdp ++sazOyBEs4ipP1p05DZA/MifGNRASMHJg2bYG2FyC48Vx/xl0B+oactTwPODJlkQS ++n6+yYTcvYh7wIbbainEi0jBnyRj6bi6jODPTjArW2YRzEmPEkqbBsfA/HYEpH4DR ++IyZIJzqkP/+P+F+BVBjPVz4r6CWvCjnTMTlROfaUqIvfmpdKKtBDVN0Cjn6GVYae ++t9yoJM5bcJK+KEp5aNmW3U7vDMG2XEttw4vdfIFc9ZEWnu2kyiltQw9cUk3ucsIH ++79M4o24oVu2+J/z4QNGbRHdbxbO6c9R+IxAfiF/FAz5OhQfRHrDayfQV457cE/Ga ++ZhE1AeT7EdnXFF3G1RhTTE2lomQ1TfBSK6CyIyabU7I0R2Gh0aITpAE0fP4heZNZ ++zA8vPggdtRzgKgu4tC2is2Dg3NQnPc+k4mnU07LwmJuxCluN7pNhhlhtJkNWnA+a ++C2sV8zIicH7SAwmGoeMkp1kluxcdp/jGKsdRIfIDnVax4/t6VPL2+lKQzwARAQAB ++tB5QYXVsIE1vb3JlIDxwY21vb3JlQHVtaWNoLmVkdT6JAjgEEwECACIFAk6TS4MC ++GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFXkWlroynyKs5MP/it8TqV6 ++IVXZh9X6ioJbchNcofT+L74+BjHXpzmdlf0awutCrKdZTWz5zC4A7Xrnam5LNg9j ++aZr44oUOhnwIKwm1xxm2KBIGky7nKMinUfsSlYlfJybSJjWA3hv3dKI4Fpd7xsy1 ++5CDcmfAD5NfQeW7KD5I0U89zKsdFyGCZV03xWbrvGPitncPB+Sifjp29lWmGwOwY ++5tNcg7Mvby5vi6Zit686Q4wjYzmgoCDKKgk6QSo/VAqXJn8PRttuZArDfckraL+h ++LXsxx1W0zaKVi9qeyR3n/++fDxPcc5rQIsd9TZj7nojj/5qGjoLCPwFDZaR97u8M ++v795+ITrMCLRPYAd8DE94e3sjZK8R+hCtD0Xp9KgaNWofnA4cIHQyWaKI5is4NaT ++9Y638We5RkTaYrFC0dxSgiekmnB0pogDU69smFNa26r0CX85cQf4YKYURc1xnbmS ++Cyh+gvIHXVSGglmGXgKJ436qUBFCq2/BlecLZm/Lk0vQyPdCr08ZzPc7AUfc1hAe +++PiZ7RDkhJzQaUN3ufjvcyeMGHoUejaO3G9ODE/yVZ6Yi8HQPN7IGmyeh73xaqcv ++5PpSrfpK+yjR13WGdi6PRL1IBfverc1fXtxXBywFhV4o/Jatj6XrS7hsU5EJ43An ++I9Cqa+8FBjLIrqzfAKHng3qYKA3R346+L0pPtB5QYXVsIE1vb3JlIDxwbW9vcmVA ++cmVkaGF0LmNvbT6JAjgEEwECACIFAk6TS60CGwMGCwkIBwMCBhUIAgkKCwQWAgMB ++Ah4BAheAAAoJEFXkWlroynyKK8AP+QFOxGd3sSxMgEgTjT2fUUwqjD0oRZUrC3RZ ++pld+fqmMIoGP0XRQYIpSZubX/ryn0DK9zd7D1o8nOz32lz8QfeEwshh+KAI93V0J ++iIFprZUtCJxXKIO2GuHVgwqyzQs+DbXoov6BiTmbNHDGy1xT+mx4Z0xboHX2ZzKc ++mLj42w7Qv5clL8X+4D3EiePCWeaw5e/p2xlPEVXfaYlu3nsUUrRwdx1RZSZ/qJE6 ++CZLL348vp7mf9nR7bGBx8NiHrzbE3nh7ofZ8ai/dUTkkK+cFsxr5Gkt1nHegdv2t ++Q3pk/KoR6YYvGYIDeuyZB0zMs2VW6zLIrD7qPc9sFLIwAsgBW3pWyznZ9mZrpbqp ++JPzkhDYQH5XnTkL5g0tq4z3eDtOCODB2rNRrj/JvZcv3WmT1IK2d3x3E06Bfb4oy ++qMgTzD2z/IHgyL9Wt+yyogB0Y0zyGj3lV3fISIINT2mn+UtutYIqDEeGbSEtQrXx ++yIvQEViPO52mO+QdOtc5ZMfQ9ddsQKbawK/pqbzVMRPXX1z5hYKyx/Tv0roBrAzj ++DSBI2vP0NmfzzSUKZ3POOZLOxE0425AYeNE623SCntrOWNYdgwf9EfnAcMgsY2Kl ++a18e24ZHdAGFmJWBYx+XllheI6diU7dOZAlvuuuslVJfvD8ixzm7SR98elmUk57k ++wf9FO9yxtCBQYXVsIE1vb3JlIDxwYXVsQHBhdWwtbW9vcmUuY29tPokCOgQTAQIA ++JQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAk6TS8ACGQEACgkQVeRaWujK ++fIrtrg/2Kr2XYWu6jYDX2PSWeLQ/5P/VgGzjZI+AKaj5JyEID/5J31yvSKICjK3F ++Wl+lHRo/LQzQx8f6gQ9FEBeDTndpa1t23XQGmBgEDAev6FHX3jmheFTkJJ+dEYpc ++gX7R+jTjmrRYjAFu1Jo2fIblBTvECwlKLxDvSzAvp5giHYj8TDWcYPlZcDqfq9Aq ++5p7UjkRYvAAUlkwSxPE28zcWPwgQuikcyVw/ObPpNWon+0TfruzindsyKnMss7mE ++pxUMhRHAWM8KACBUmScP2TC95xKzm+KtlT6E/pdPXItPXiFg5sg8Vf5Rco8j16+b ++DzviiAC21Mp69wtnV8Mdsl1jiL65wotclG+SMcgUmyqD3rgBW3jSedDFFu6CHQyG ++FuthVj25eNUSXjhVOMCWQSxOgv4uN1jgk89paHJuBqHwKfk55ezQJFB1UlkJqH7L ++NJ2uVd0Go5PTE2mBbkBQ4bvSyfhlOUYbcjNUlZOZSHsaQPVXDUXCW90LjH4azg8j ++ek7YinygvZBpxQurRj7honmoqqyBfvOweA8wDdjIYURFrA4kwYwN8d+xdIDv5Pu5 ++8U/ruus+y59MebQDhMr1BaM26QhgPZ6Ur/vHvTkW6bFo+Q0Rg9/abO67O00OZX/+ ++oakt1BZ3Tb30L6nGu7ZosTXos+s9Leter/wcOk49JNd5q4WnZbkCDQROk0sZARAA ++7lIE/HyQ5pTSabH0OJKa78mNJckQ+2NsEwUpEj459Ca5s3DvJCT7ZBOUQaL5ctkl ++KgjByI+3BSIT90swim6vdMYxSrS7IpQ17zb3pdV5H5LFQSCvS1Dd466amWFWCyb6 ++ZWl3g7kmf5xEEIob9PLMlCe37gsIXp9M0hbRIOVISeqCiWp5HkcMXwMEd5XHxGN6 ++CCgG86vzxEOnLKoMdXQIxkenA4ggk5cCBoYd0FMURH53EznhuceS3euNSzu71+H3 ++SJjIdjIjYQDhpHF6gXoI+u8NSWsZ9dEn/s+9e/uP2cYvAPmR01a73QyVIZS23eo9 ++rmMqlPJNjJbybQ81uaHxQqA5ljC7WWqYl7tia+QSKYMEyMkHvTqnPPhJvghsQoJO ++aeN6j/qIQWIl5fQEENLRzkcGO6SLEDOKzEgABZSwP9Wff47jyzD4JVb71qApI60m ++3TGB829vBavFIkHNzhvr91m+6AfeUvZlWlFmC3v4BsqH/3SzwwQU28cxy53a/EDO ++wm2MDJL4wkVLO2Yh2CZ/4x07VZtjmGmG6wyVOq+9GQ3cnTPEgynfZYsdPaml/RJm ++kbCAmDbHbyV4NhT1RCg803thZZX8HzJcM2nywutGlzi0xxv63tP48tfTAV6ajqyQ ++5jeRGKCq/zpME9Ghr/oH414NlGcomYU0UQ5Fjpdk8eMAEQEAAYkCHwQYAQIACQUC ++TpNLGQIbDAAKCRBV5Fpa6Mp8iqQaD/9L2zMdzYznSOnApTz1SHhpgbi8RKaKy88j ++WTz0AxZGrYF6cKv8BH2fFgA7phlONcWhUvWpEEpP208EY52c811lohRocNhSlXgW ++XHYCiG2vydsQe9HEdBB6bUOO0z8g2DPcoBtUGWe1gDZddRW2VbqN2ts8Wxebog2Y ++Y3tvJ0ocMo150t5c0koldlStav/zM2eipz+zTjfsN4Xy04q/WQ63FIbub5o5jcUJ ++j1o177I1VtA8eEumsfnMMRgQBfz0t2bEIc/ZmrsuR+j/H4WlBAuIarNjWtIylH/e ++VJhxFtXGnCI5mO1gN90QG6IpwszcwEPJf3gU7dO8r+HXeTBifLYB/JnzGWixPaek ++DgCrNOZXz+48KEJEoVXUxsnqa8PRIUO5OtVRq3mk2uwcIHqPEBLb0yB6GRQjb9jQ ++qBdRPun2FavjxWRuTZBGS1RItLW8bmAJz1d/ySWizRqnoz8U0s9SyGGHx5OsyJJu ++FO6FFr31m7WZG5LPfQJUNiyR2y9ZrjdPbwXmchywhTLqyTb5N6j5RfAdn74H379t ++ilUhH5c7ieVLt/RLTtWXEnkZzsO7LvP/3X0jHt3eZD2WzvVg4llZFvnuie8C0/yC ++Twhc2xMJOLd2WpH6ZKHNbRqv1a2xg8K2KGdhlZrRo/AYbX/FjZ/k9klZwEjFsefd ++0Ff4mojoNokCNgQoAQgAIBYhBHEAqt+ubm6UDS4K1lXkWlroynyKBQJbxKnWAh0B ++AAoJEFXkWlroynyKGT4P/jXnXhB+VEkr+NL86MssDU+S9Gz+kCYEOSxFPFvhxpmk ++x+Q9Y2SXugaThp9h9IIUH6lhtAZeYimzGC67ObZh+Ev0SIfN24xvZ2nPzLLj1pay ++/2f/OQ0g7LalC7SpaF/7nIrxrYSP3Lyv3QAw/ZCeP8+U0CCV0Nw2Jrxck61ySXOR ++W9diyGKTszNwzWQOPUBOLlMw2BxjudQW0Djy8mYoqyByUYEWtbcGgJ3MSPzE0RgW ++PLgVujdzDunGDeJd9SBeI220ILxAHiB96JZYxmkVoz4trB7PwyA3plg19CXjwZ5J ++ediKZov02JG0aGNpL2678YwJAGDCLMNhBi9gDqx3Xf6rvzqK/CvR3xQs6/bAjiAC ++FHSUjv1oQ+p75yyt0clVrJOaB3kh6DICr+dZYuBvPGbls0yMTvEvCRxrj0rmpd9w ++tI2ZTvN6ak9+5c9ZI7N+tQKYRPonfrVigVR+VgoWS0UMh5IQedkcfMO1vX2S5i/m ++mmtDPT8aTyearL/ZpRoba8UvuTi/jksGTkR9QwKxBQeBWIy4xpKtddtp29RJFAFm ++m3uvsHTGfRIm0oAGnbSgAooQSqZiv9bQvjzP0maWc7A9uNIspKj4CaEjDttqMzPG ++u5GyplMDGnmEuldXbUhyCLlRXzVqmxuE46q0G2vl+qwiwwoYDauNoyvLvHK0AOZb ++uQINBFvEpn0BEACpnI2D7qSeKGEihHtIvbZAhN6x3zkkELaLB2+MmhWZAdTmzfFm ++JU28DXNLuCqxyy7GxATaBdPR5gPyq4LkA/xqTqC5nK9zTZqxtqwh9xTFCchUhmdC ++voSkFy3R1cZlifLVartuIBHQXd9XfYkJMop4whsbPcbzDJ9JYUqHpuqysNAAhHge ++vKIzZ93B7nW5JIBHf1/iVMSnC7+l3gSLMg0n+0UalGiQSpgzUSnyfgnoJjBbbyQT ++JMrOhGSJHviezcCT3OOctnn0j5I0DuU1IRJ5h+MZ4NpgV2YyHCTXdHE9x1DGE9Wu ++ExubFjiAvJtgcYkwcfqyqpbcK2IICWOUv+XJbrApm0PdaclyXbrJZRZ08QBOW9cZ ++8tnrkvb4PtktigiHzTy9LenoWP7lSXVeroju3+g+igkaa9ZbgVkHOkDRrrjtJhNl ++3yPEaK0RplLpJ6J/ysGvjuG9b/pWAsXptsfSN4TCCKIAqOg4/RINiyM5YzzIIqLc ++vwBzm8awFpoMsexhBBUJLdBC3F2s53AZJUkH+NYJ/lZgnDA9/EVYPAOGCXt5u/Ot ++ZyCyJzyYD6fZtLshQiRRdDMkeCZ+W88+HmgxA3Ck6vfSPIPyVUGYQYqREzZqfBVV ++FuANufrr+dBYYxE0R61zYMJdXL8fsNshHR5mlcHg4EODdnhOeRSeIuS+uQARAQAB ++iQI2BBgBCAAgFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAlvEpn0CGwwACgkQVeRa ++WujKfIquIRAArTQcsGL/5Tw+L4g0OxUeH1/E7TQ54UrpT9f4PjPj0SPZevqzsV/b ++uRemr6bqpNx5aMvLhoeoAodq4a0GmC+BX9ucfGKELavgReQWpyAlFFop8/MCbonq ++q+07PdO+6ZJiff0VIMGFAdWOabzQ9VMkYQ4ibF+etTjgWNpJ0UiFhUNric+eT00t ++HMzEq2WdgbnS/bwANsEF7kIA3klF7lkYG5MFN5gTbWssHeavfUn3coR9AJVqmx+m ++bJdUiMxiMrzRORepUO1zs8XJzLMkOb5h2CElk1um0LfGI9T/RZ3nyP5uv3xU5aG/ ++Rp2owv4EsvjhpATt+votq3iZk2hkwymYmMbKpZ690sNT7tTYS5E6dX085NRmEQpy ++/U+gX/V5rsWULPmQ2UJEoIizyRrhxq/O73ZinapkDZVO+DeePBrdXDwDOKlhDQ2V ++dMp/uLbOg8Hxs2N+Brnn5Ts6FADeP951F9VxTaRWrppOt9eRQgxasYE9hEzFS61e ++WY3qHfWT59Pnx+KPmuR69SobBrG5Y7qYvlQxHQUsiVhRlPDDlOuZk0nbK7QR4/aX ++7AwNxp2byo7cduCOecs+uSsAcWgA+KMif8yGzHxywHm34dTn7JY0Moqd03n09UY4 ++3LISNC1atd/q0BTijMpzroU+4i3omeL3SSHJRBJJSMxSxU5SXV/DBMa5Ag0EW8Sm ++sQEQAOQoaAL4LSK1yQzbIJg4hojiJ+iOIMhz2BG9zVNp2CJ4veyfjgH0eUbSr8kX ++D1OBkdw9hJuyQXIu4hARvkh41H1N9BTDRMXt5VzeiZUQBS0mJlTQ6EJrX6z+Y497 ++0OwPXHYTZG7EcBtTrrY9s+Bm0JnBQr5lZ4TdoGWg8sQxGZIY79zUYYjle6naBZQ0 ++QFUTgfyKbx4n8gzXqIZbpj/SrbGctFve36HD+YVwmkcjIJuxKBKMcVfTRQ1AG1PV ++qoIyV/gTcmPbVMKcC8L9S0ixkWrqmVhkNJEblzkTEhN0WF5XjzasbxCkUGcJ24Cd ++oM5515LpCKaqOTSyuov2aDJfGrNoXi0LTo93M+xaBq6Li/kVUb9S7KY1CSD7buuw ++9CAriAVJZBYCuvByp49tBwYWSVhn2GURh7mex91NsJ2H7OveLygYEHSvT+S2ARA1 ++lvpLDEG8LvIuKo8QrwmCkE5AO4WU6c62gnrajWwTDU0R38vXObD0dquguhvVyLWi ++OEVWacUUXfTN6hCLoqUlOAijKgSmHVhjIs2nngKdR/PLOQiVjKpMxxDoyStMJkfg ++khL8v9D/VBU398QwBOBHXFDovKZLhNz32KU3Ma2pE+RGZYBEQeCAWBK51MNdcpsd ++Q0p26O33H6Np+GWRHSwrtvO00HK0Wd4eOmO5LY2AiSUdK0NXABEBAAGJBGwEGAEI ++ACAWIQRxAKrfrm5ulA0uCtZV5Fpa6Mp8igUCW8SmsQIbAgJACRBV5Fpa6Mp8isF0 ++IAQZAQgAHRYhBEtCqM8H8pnVVJd+7+og8tqXN4lzBQJbxKaxAAoJEOog8tqXN4lz ++0fkQAILG/ON167EqJq2VNMCD/e4Su5M5/RzcosEk+0xxmHyjOTn/36TG9uneNSr+ ++IaNdSeH926LaVpcauSFdCKbegKjznUTtmMfdJQX+iTdfO7JTSdZACFHQUSva4Rs6 ++33VMTnyhJdRerxrGvNAL0aAyDdTG5rc/CSQjj683AJGK9T7iZubgkBKWoYY8jtJi ++nsSuePp+gFetIhCQyG2nSq4yrIgXbd6l/kJdsqq6xEz42mbGJf2uPQ/BEbD/gzWj ++m8sRUAJ91u0lHqz3KjQ4MzdsU+Mm/ngZdyXWzwlfC24QbHAr9cnWwZvtLdvo2G7z ++igMX7PyMwfEq5l7i3gFS0Mny3LtvGqH1AS/YJczDeyonDtR2gAptYlyBHOBftdj7 ++hVoZS0QNNss2B0kwHqSWOLtfgMHWiBXFq8buntwWGW2rUXs77gvKYG9TB1a0NYp1 ++Hv2FOOUCWY9pzs/WBOkW0s5EOiatxoDfAFIoKH7FlqDf7Cnr3IpaKS6tXDH+7B35 ++QBptYgMIY43v+GhqIEELkaYow3VnnTcbQFi0VfBxh/GgyhydhFyaUs5djklCZ091 ++nRRYeDSyUhB1nlr7FnuLK91/rm6YI+IWmw2j3Z6urlnD6TNYPFfeZzXDoJgtlRsc ++HFQL2/HCIiCcObVFd8HbCvHmNpMdRxId8qogOr/y5Lu2FYvzRzEP/A8NNqwqj7zX ++Wk5w6lj4tVk796B4gPNZ0NUIXYeUobEtuuPjrh4SQSVOluvADCV5/8quP4fdw/iN ++tmaoTqYqmhpHArFgP9gjHQ7vL3+eHCQIqV0hdhsLm0t8ol5ArP3BgNtfS3RcQf3k ++Q9aQdIYscz5iTvCpcncVrMXDxz3wO7YKylzNHDUF7bo1FMc9HPedcKbzG/BRFnpw ++YNn8w24xlr9+o1YEzwgc48N7djcAsYl7KCIKq82vWrbeePNHLA4yo0rdqS1RP7jI ++lOlMWfxF+IGODkwCfiuMWVo35h5uMPueA0xyEfGobX1OtK6pkeFq1b1mNYCVr++4 ++eWaJj64cv3ijx/sA+Ni51pD1dHrwURuX5FIixRJm0awwoJgxbsXLy54PGVgatNoa ++1Wx4lnt/6HA32MtM7Im0NMLGAt298GD/AIr3bAnbovevNTjaxwpO8KlMNLhANqYt ++GjFlhucGfQjVOxOU0c3QL1wBJ5s0bNltz5C8LqCRpqjJc43v3CfQ/IZzqZ+g51wJ ++WWgN9wAj62doD4x6JlVg17AZm6WRoGQjslyDUuBE3ZtZd2XXpc7P/rbmfZQCcr1W ++1h8moBknbU2eOji/cULgGM3Y8W5V3RwNgD7IFHDKr1I19PyBEMr+Qk+KVHpsw09S ++xOtqJHdjtKxzOrgL0rG+n0VYx6dl2Lt4mQINBF3C4AkBEADQxp4jfxmbJ3t/ZuKc ++sV4JxG8mhuGXBkzMB0k2uGULCpY4yh7dsN4PBU7PuHgUMkxJnJlbg0xVR2nux20I ++NzroYn8xzRe+jSmKTW0fTvNH+Nxyr4k+KgqmVZCcfyvwXuL7IOfG5luc/oSXJV62 ++u+LHP891dVcJlVN0Ef9i5Sz9iRkkMUknwoTrOK9q1nZNOA+XoLMhCIdyWIPx6jFm ++PxfZpgEJw6YIeyOSRIPYtH4twuDj50bzQuTTfQ3ph9FdcXVLYwP3BayvfFasGhyJ ++6caqVW9GpMDa/OPvteNmt2WbqaRgcX9CWWOKonhFqkaWAXj0lYFkM65DTzSUKpNt ++oh2MRVA7qyGZ2zlHocNWSplQ8VJlly6ch9O95UEXlSIJFxAi/7NBNuG/CekHQxxQ ++ZhdslUe7LIsujlKS8Fy0bpYsTDPb/g+rUuIHWCOhEC+B0qOYVEf+wcc9jTQjZf6N ++P3zIV4dO+Mc9GVT+d3Kz0y11g1ON0b82qy2ONvRys1NmqXC2vCnXzKCQ6UTHRYt+ ++EdV0nlo59G+lolCnT8t1sW7ezuByA4zWMI6hLyk0NLb8xwPK9BT732RGhzba7a7E ++aArTBsPA3rWvObC1kQWSaw+ule5rmnTL5Q4Jw3qDhgM9b2Bg3hLYP5/UU0INq7kr ++H413Kin0C29T1aNmLfMTfmS5EwARAQABtCZUb20gSHJvbWF0a2EgPHRvbS5ocm9t ++YXRrYUBvcmFjbGUuY29tPokCTgQTAQgAOBYhBEemj843x9cCT9ZeETVs5iwrUkCZ ++BQJdwuAJAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDVs5iwrUkCZNL0P ++/3KFyrWXW5ouPuAzWeMMUZrQmyz31T70iVSS8PtPWb8S2QxQdzgpdVPrvxT+wfq5 ++zJbdz3X5uPvdOXUeyv0bAQRqYQVX/tkz10zu6+m+Bgx0H6I5Xk9F7EDvag1EDDs/ ++BDSLh9VbsTllSaNpLhFjSRj0dVmE1DgaUDX5F66npYMgSIspsAjEI1MZ1PDYQfho ++yxEMiz0ld14yv6HE7hBPekcQW2mAWzlpZmgw9NVIcqShy3znJNGGpQUbLEtGbrv/ ++wRMNWjGWPJyfE5dLDvkfQjrdsTRWv5+Sd5/z3fwp0G8dUq1iWeegu6mFe0KRLB5z ++3lcc+QJSlWetyyoYWOhq1Jzn0QHjakZp2Nb4rtp9/b9TdhvD5cOjpsECmL5qMri1 ++mn/j4F63AG4yLQaYrwwjWzDcz+jQ8wNuyl7cXQFD6UYbywC1tC9DE0VppV2nOirt ++TOPz8+etXMx6sg40STJ4dbYn/gJLhiycSaUAqGkSHpC24FbcvkVwKz5MBUYuLEgN ++H3RyNKVgnb5JWZofE7ehOVCc+VAmzMyobjE+71FRXlPdmqD/im4vYDsqzb15wX79 ++VsXqI0bij+xVYaR7GoQbTfVQ0a6f6slWex6PmKOnZTjfLL7sEu1JhAteqlI9I0Nl ++NJBF/y32T6lQpO+3CJGhY+2rSiCpnI31NMusAkcufnxquQINBF3C4AkBEAC9ReOz ++Yf6nryTLn8lGg6M0kpMX3P7v8GlOV1hZ8hTDlUETpo+xxR3FvNjWEDNyuawCpvNz ++8Pu3OKqxKDIivyVdJNEc335glsMY7BmAevLvAtyfjb0rOzOXqLfhdsn108Nr6Ai+ ++lkMs8xlK2hxGI3qpDHzImOYmhWD4J181gxlj5Gaj8fOyV8JZvfY6AZcei2tzlmHp ++j9SSh7K59trUZtaUDljUeVAEP4KfU1sLEYy3BUzS+eb4Qw1tleui+89E/J4zPrgw ++wuLg5OU+ScTigfbEF/05MMUAySiKieKhp8IFsT41+FXOlotBl0wz6Jbo4HxNtY5P ++trpv6BOrBlYfhfhZeANk4+y5OnLqRjjgTvf1p9CHmsgs6sx/lkNyXpzoxKR89Rzx ++HxnrgUATSa80JK9o/0tPZkN33HKJlkSndPQEM4uLrTsIxvNsBSOPIKC09siMbbBe ++I0t811P1pMh8zvTnRl2FSQjiumLoVhr+xxZ2wWiPxztVQkMLuuWXkzcxQUfuw5nE ++QCH+WdqYKNmV6rw2kU6j10q0kvvspWPMTbsI/vBY3KyiP1F8dToXiwulNT1U05NG ++J20YbzEHnYEKatBq9ZILLx63c8eLZ6VppkAE0ZlmgsOvn+zIcv81P4x9mDLvuqTO ++zRj/RuDAY6qJHuICpsV3F5A03z9ne/Z9u0mwSwARAQABiQI2BBgBCAAgFiEER6aP ++zjfH1wJP1l4RNWzmLCtSQJkFAl3C4AkCGwwACgkQNWzmLCtSQJkiQA/8Cm07bQf2 ++FIKTdwRECJO7pvpuc3zE1XsSuLyu40qpsWX24Ll97S7cpOK7rN2jSZ6UDoXpNgXV ++iOzma5yiC+GO6UUWxr8xE/CDXeuawxHUt0Xrn+UQnWsirsrZifjVPkXou71QM+ka ++Q9qXy4liOpRaJjf8B7iz3ilgMUACnMcwOVn+jbswLQpNetsKk+vrLwQlILPkWcKG ++xIu1Iro3E7WoIPojHHtT7Co7mSRzaNI00VU7jMwZwXFQL/IbeGsKlaAyxh1BzRLn ++LdPN8hxiYtEq2IG66Uq3EmigtwOvh06d/Qi/gBH6CWxdahRk7HwATyrNvbjfduzN ++nhF+lPA39iKrI5+IGasK6Lp9HklUJD0Q9JK7yac/cUj5LptY/PBFC7eJKHJLyohm ++vlXYgRSeAXEm7uGpU5k/jUZDM4Z1o5JboiNVQoqDWs6iDYJb82cRjKKlvC2d2lFK ++xtBOR3xJZUUsIpoQrstxn1LA5DcBosPvd9ISyIZs38UyJNTz07GUedEpeE3YhLke ++sc6n2iL9D2Yjz/S4ANukxl9YZDW+EFS8LtTchvK11OHWubvWxWFV7txLFmkBYQwk ++2krCi2MVguRZGj8bodqjty1H8ZMfA5NYwAKeyQmsmTHqNmR1Ws/cdQCV7+3q9Rur ++lUtY1AVxx4LtnS16GX+OVCybWzbK1uqLrfo= ++=9JXr ++-----END PGP PUBLIC KEY BLOCK----- diff --cc debian/watch index 0000000,0000000..a94a868 new file mode 100644 --- /dev/null +++ b/debian/watch @@@ -1,0 -1,0 +1,4 @@@ ++version=4 ++opts="dversionmangle=s/\+dfsg//,pgpsigurlmangle=s/$/.asc/" \ ++https://github.com/seccomp/libseccomp/releases \ ++ .*/libseccomp-(.*)\.tar\.gz