From: Felix Geyer
Date: Sun, 8 Nov 2020 18:59:21 +0000 (+0000)
Subject: libseccomp (2.5.0-3) unstable; urgency=medium
X-Git-Tag: archive/raspbian/2.5.0-3+rpi1^2~6
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=67321010d3290eaa61d95fcbec36c35a4148d9ec;p=libseccomp.git

libseccomp (2.5.0-3) unstable; urgency=medium

  * Cherry-pick patch from the 2.5 branch to fix test error on mips:
    - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch

[dgit import unpatched libseccomp 2.5.0-3]
---
67321010d3290eaa61d95fcbec36c35a4148d9ec
diff --cc debian/changelog index 0000000,0000000..0d20ae2 new file mode 100644 --- /dev/null
+++ b/debian/changelog @@@ -1,0 -1,0 +1,314 @@@ ++libseccomp (2.5.0-3) unstable; urgency=medium ++ ++ * Cherry-pick patch from the 2.5 branch to fix test error on mips: ++ - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch ++ ++ -- Felix Geyer Sun, 08 Nov 2020 19:59:21 +0100 ++ ++libseccomp (2.5.0-2) unstable; urgency=medium ++ ++ * Upload to unstable. ++ * Cherry-pick patches from the 2.5 branch to fix build and test errors: ++ - build_undefine_mips_to_prevent_build_problems.patch ++ - tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch ++ ++ -- Felix Geyer Sun, 08 Nov 2020 15:49:41 +0100 ++ ++libseccomp (2.5.0-1) experimental; urgency=medium ++ ++ * New upstream release. ++ - Build-depend on gperf. ++ - Update symbols file. ++ * Remove patches that have been applied upstream: ++ - cython3.patch ++ - riscv64_support.patch ++ * Cherry-pick patches from the 2.5 branch: ++ - all_only_request_the_userspace_notification_fd_once.patch ++ - system_change_our_notification_fd_handling.patch ++ ++ -- Felix Geyer Sat, 24 Oct 2020 13:58:28 +0200 ++ ++libseccomp (2.4.4-1) unstable; urgency=medium ++ ++ * Team upload. ++ ++ [ Debian Janitor ] ++ * Set upstream metadata fields: Repository, Repository-Browse. ++ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository. ++ ++ [ Felix Geyer ] ++ * New upstream release. ++ * Download and verify orig gpg signature. ++ ++ -- Felix Geyer Sun, 20 Sep 2020 19:03:41 +0200 ++ ++libseccomp (2.4.3-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Drop patches that have been applied upstream: ++ - tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch ++ - api_define__SNR_ppoll_again.patch ++ * Cherry-pick support for the riscv64 architecture. 
(Closes: #952386) ++ - Add riscv64_support.patch ++ ++ -- Felix Geyer Thu, 12 Mar 2020 23:35:13 +0100 ++ ++libseccomp (2.4.2-2) unstable; urgency=medium ++ ++ [ Christian Ehrhardt ] ++ * d/rules: fix potential FTFBS after full python3 switch ++ * d/t/control: drop python2 test following the removal of the package ++ ++ [ Felix Geyer ] ++ * Remove build-dependency on valgrind for mips64el as it's broken there. ++ * Backport patch to define __SNR_ppoll again. ++ - Add api_define__SNR_ppoll_again.patch ++ * Replace custom patch for cython3 with the upstream fix. ++ ++ -- Felix Geyer Fri, 15 Nov 2019 18:12:53 +0100 ++ ++libseccomp (2.4.2-1) unstable; urgency=medium ++ ++ [ Christian Ehrhardt ] ++ * New upstream release 2.4.2 for compatibility with newer kernels and ++ fixing FTBFS (LP: #1849785). ++ - drop d/p/python_install_dir.patch (now upstream) ++ - d/rules: adapt to python 3.8 lacking the m modifier on includes ++ see https://wiki.debian.org/Python/Python3.8 ++ - d/p/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch: fix ++ build time test on arm64 ++ ++ [ Felix Geyer ] ++ * Drop Python 2 bindings. (Closes: #936917) ++ - Add cython3.patch to use the Python 3 cython variant. ++ ++ -- Felix Geyer Wed, 13 Nov 2019 00:00:49 +0100 ++ ++libseccomp (2.4.1-2) unstable; urgency=medium ++ ++ * Remove build-dependency on valgrind for mipsel and x32 as it's broken ++ on those archs. ++ * Set Rules-Requires-Root: no. ++ ++ -- Felix Geyer Fri, 19 Jul 2019 00:03:34 +0200 ++ ++libseccomp (2.4.1-1) unstable; urgency=medium ++ ++ * New upstream release. ++ - Addresses CVE-2019-9893 (Closes: #924646) ++ * Drop all patches for parisc arch support, merged upstream. ++ * Build-depend on valgrind to run more unit tests. ++ * Run dh_auto_configure for every python 3 version to install the extension ++ in the correct path. ++ * Update the symbols file. 
++ * Adapt autopkgtest to new upstream version: ++ - Build against pthread ++ - Build scmp_api_level tool ++ * Upgrade to debhelper compat level 12. ++ - Add d/not-installed file ++ * Fix install path of the python module. ++ - Add python_install_dir.patch ++ * Add autopkgtest for python packages. ++ ++ -- Felix Geyer Wed, 17 Jul 2019 23:23:28 +0200 ++ ++libseccomp (2.3.3-4) unstable; urgency=medium ++ ++ [ Ondřej Nový ] ++ * d/copyright: Change Format URL to correct one ++ ++ [ Helmut Grohne ] ++ * Fix FTCBFS: (Closes: #903556) ++ + Multiarchify python Build-Depends. ++ + Annotate cython dependencies with :native for now. ++ + Drop noop dh_auto_build invocations. ++ + Pass a suitable PYTHONPATH for python2. ++ + Pass _PYTHON_SYSCONFIGDATA_NAME for python3. ++ ++ -- Felix Geyer Sun, 10 Feb 2019 12:25:44 +0100 ++ ++libseccomp (2.3.3-3) unstable; urgency=medium ++ ++ * Fix FTBFS: Adapt to renamed README file. (Closes: #902767) ++ ++ -- Felix Geyer Sun, 01 Jul 2018 20:32:03 +0200 ++ ++libseccomp (2.3.3-2) unstable; urgency=medium ++ ++ [ Helmut Grohne ] ++ * Support the nopython build profile. (Closes: #897057) ++ ++ [ Felix Geyer ] ++ * Run upstream "live" tests in an autopkgtest. ++ ++ -- Felix Geyer Sun, 13 May 2018 09:53:08 +0200 ++ ++libseccomp (2.3.3-1) unstable; urgency=medium ++ ++ * New upstream release. (Closes: #895417) ++ - Adds pkey_mprotect syscall. (Closes: #893722) ++ * Refresh parisc patch. ++ * Move libseccomp2 back to /usr/lib. (Closes: #894988) ++ * Make test failures cause the build to fail. (Closes: 877901) ++ * Build python bindings. (Closes: #810712) ++ * Switch to debhelper compat level 10. ++ * Move git repo to salsa.debian.org ++ * Add myself to Uploaders. ++ ++ -- Felix Geyer Sun, 22 Apr 2018 23:55:03 +0200 ++ ++libseccomp (2.3.1-2.1) unstable; urgency=medium ++ ++ [ Martin Pitt ] ++ * Non-maintainer upload with Kees' consent. 
++ ++ [ Laurent Bigonville ] ++ * Ensure strict enough generated dependencies (Closes: #844496) ++ ++ -- Martin Pitt Thu, 17 Nov 2016 10:16:44 +0100 ++ ++libseccomp (2.3.1-2) unstable; urgency=medium ++ ++ * Add hppa (parisc) support (Closes: #820501) ++ ++ -- Luca Bruno Sat, 28 May 2016 20:05:01 +0200 ++ ++libseccomp (2.3.1-1) unstable; urgency=medium ++ ++ * New upstream release ++ * control: add Vcs-* fields ++ ++ -- Luca Bruno Tue, 05 Apr 2016 22:16:55 +0200 ++ ++libseccomp (2.3.0-1) unstable; urgency=medium ++ ++ * New upstream release ++ + drop all patches, applied upstream ++ * libseccomp2: update symbols file ++ * control: add myself to uploaders ++ * control: bump policy version ++ ++ -- Luca Bruno Sun, 03 Apr 2016 00:31:09 +0200 ++ ++libseccomp (2.2.3-3) unstable; urgency=medium ++ ++ [ Martin Pitt ] ++ * debian/patches/add-x86-32bit-socket-calls.patch: add the newly ++ connected direct socket calls. (Closes: #809556) ++ * debian/add-membarrier.patch: add membarrier syscall. ++ * Backport patches for ppc/ppc64 and s390x. (Closes: #800818) ++ ++ -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 ++ ++libseccomp (2.2.3-2) unstable; urgency=medium ++ ++ * debian/control: enable mips64, mips64el, and x32 architectures, ++ thanks to Helmut Grohne (Closes: 797383). ++ ++ -- Kees Cook Tue, 01 Sep 2015 15:37:31 -0700 ++ ++libseccomp (2.2.3-1) unstable; urgency=medium ++ ++ * New upstream release (Closes: 793032). ++ * debian/control: update Homepage (Closes: 793033). ++ ++ -- Kees Cook Mon, 03 Aug 2015 15:06:08 -0700 ++ ++libseccomp (2.2.1-2) unstable; urgency=medium ++ ++ * debian/{rules,*.install}: move to /lib, thanks to Michael Biebl ++ (Closes: 788923). ++ ++ -- Kees Cook Tue, 16 Jun 2015 12:45:08 -0700 ++ ++libseccomp (2.2.1-1) unstable; urgency=medium ++ ++ * New upstream release (Closes: 785428). ++ - debian/patches dropped: incorporated upstream. ++ * debian/libseccomp2.symbols: include only documented symbols. 
++ * debian/libseccomp-dev.install: include static library (Closes: 698508). ++ * debian/control: ++ - add newly supported arm64, mips, and mipsel. ++ - bump standards version, no changes needed. ++ ++ -- Kees Cook Sat, 16 May 2015 08:15:26 -0700 ++ ++libseccomp (2.1.1-1) unstable; urgency=low ++ ++ * New upstream release (Closes: 733293). ++ * copyright: add a few missed people. ++ * rules: adjusted for new test target. ++ * libseccomp2.symbols: drop accidentally exported functions. ++ * control: ++ - bump standards, no changes needed. ++ - add armel target ++ ++ -- Kees Cook Sat, 12 Apr 2014 10:44:22 -0700 ++ ++libseccomp (2.1.0+dfsg-1) unstable; urgency=low ++ ++ * Rebuild source package without accidental binaries (Closes: 725617). ++ - debian/watch: mangle upstream version check. ++ * debian/rules: make tests non-fatal while upstream fixes them ++ (Closes: 721292). ++ ++ -- Kees Cook Sun, 06 Oct 2013 15:05:51 -0700 ++ ++libseccomp (2.1.0-1) unstable; urgency=low ++ ++ * New upstream release (Closes: 718398): ++ - dropped debian/patches/manpage-dashes.patch: taken upstream. ++ - dropped debian/patches/include-unistd.patch: not needed. ++ - debian/patches/testsuite-x86-write.patch: taken upstream. ++ - ABI bump: moved from libseccomp1 to libseccomp2. ++ * debian/control: ++ - added Arch: armhf, now supported upstream. ++ - added seccomp binary package for helper tools. ++ * Added debian/patches/manpage-typo.patch: spelling fix. ++ * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling. ++ ++ -- Kees Cook Tue, 13 Aug 2013 00:02:01 -0700 ++ ++libseccomp (1.0.1-2) unstable; urgency=low ++ ++ * debian/rules: enable testsuite at build time, thanks to ++ Stéphane Graber (Closes: 698803). ++ * Added debian/patches/include-unistd.patch: detect location of ++ asm/unistd.h correctly. ++ * Added debian/patches/testsuite-x86-write.patch: skip the "write" ++ syscall correctly on x86. ++ * debian/control: bump standards to 3.9.4, no changes needed. 
++ ++ -- Kees Cook Wed, 23 Jan 2013 13:11:53 -0800 ++ ++libseccomp (1.0.1-1) unstable; urgency=low ++ ++ * New upstream release. ++ * debian/control: only build on amd64 and i386 (Closes: 687368). ++ ++ -- Kees Cook Fri, 07 Dec 2012 11:38:03 -0800 ++ ++libseccomp (1.0.0-1) unstable; urgency=low ++ ++ * New upstream release. ++ - bump ABI. ++ - drop build verbosity patch, use upstream V=1 instead. ++ * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471). ++ * debian/patches/pkgconfig-macro.patch: use literals for macro. ++ ++ -- Kees Cook Fri, 03 Aug 2012 16:59:41 -0700 ++ ++libseccomp (0.1.0-1) unstable; urgency=low ++ ++ * New upstream release. ++ - drop patches taken upstream: ++ - libexecdir.patch ++ - pass-flags.patch ++ ++ -- Kees Cook Fri, 08 Jun 2012 12:32:22 -0700 ++ ++libseccomp (0.0.0~20120605-1) unstable; urgency=low ++ ++ * Initial release (Closes: #676257). ++ ++ -- Kees Cook Tue, 05 Jun 2012 11:28:07 -0700 diff --cc debian/control index 0000000,0000000..c445bd0 new file mode 100644 --- /dev/null 
+++ b/debian/control @@@ -1,0 -1,0 +1,63 @@@ ++Source: libseccomp ++Section: libs ++Priority: optional ++Maintainer: Kees Cook ++Uploaders: Luca Bruno , Felix Geyer ++Build-Depends: debhelper-compat (= 12), ++ linux-libc-dev, ++ dh-python , ++ python3-all-dev:any , ++ libpython3-all-dev , ++ cython3:native , ++ valgrind [amd64 arm64 armhf i386 mips mips64 powerpc ppc64 ppc64el s390x] , ++ gperf ++Rules-Requires-Root: no ++Standards-Version: 3.9.7 ++Homepage: https://github.com/seccomp/libseccomp ++Vcs-Git: https://salsa.debian.org/debian/libseccomp.git ++Vcs-Browser: https://salsa.debian.org/debian/libseccomp ++ ++Package: libseccomp-dev ++Section: libdevel ++Architecture: linux-any ++Multi-Arch: same ++Pre-Depends: ${misc:Pre-Depends} ++Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends} ++Suggests: seccomp ++Description: high level interface to Linux seccomp filter (development files) ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. ++ . ++ This package contains the development files. ++ ++Package: libseccomp2 ++Architecture: linux-any ++Multi-Arch: same ++Pre-Depends: ${misc:Pre-Depends} ++Depends: ${shlibs:Depends}, ${misc:Depends} ++Description: high level interface to Linux seccomp filter ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. ++ ++Package: seccomp ++Section: utils ++Architecture: linux-any ++Depends: ${shlibs:Depends}, ${misc:Depends} ++Suggests: libseccomp-dev ++Description: helper tools for high level interface to Linux seccomp filter ++ Provides helper tools for interacting with libseccomp. Currently, only ++ a single tool exists, providing a way to easily enumerate syscalls across ++ the supported architectures. 
++ ++Package: python3-seccomp ++Build-Profiles: ++Architecture: linux-any ++Multi-Arch: same ++Section: python ++Depends: ${shlibs:Depends}, ${misc:Depends}, ${python3:Depends} ++Description: high level interface to Linux seccomp filter (Python 3 bindings) ++ This library provides a high level interface to constructing, analyzing ++ and installing seccomp filters via a BPF passed to the Linux Kernel's ++ prctl() syscall. diff --cc debian/copyright index 0000000,0000000..307817f new file mode 100644 --- /dev/null +++ b/debian/copyright @@@ -1,0 -1,0 +1,39 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-Name: libseccomp ++Source: https://sourceforge.net/projects/libseccomp/ ++ ++Files: * ++Copyright: 2012 Paul Moore ++ 2012 Ashley Lai ++ 2012 Corey Bryant ++ 2012 Eduardo Otubo ++ 2012 Eric Paris ++License: LGPL-2.1 ++ ++Files: tests/22-sim-basic_chains_array.tests ++Copyright: 2013 Vitaly Shukela ++License: LGPL-2.1 ++ ++Files: src/hash.* ++Copyright: 2006 Bob Jenkins ++License: LGPL-2.1 ++ ++Files: debian/* ++Copyright: 2012 Kees Cook ++License: LGPL-2.1 ++ ++License: LGPL-2.1 ++ This library is free software; you can redistribute it and/or modify it ++ under the terms of version 2.1 of the GNU Lesser General Public License as ++ published by the Free Software Foundation. ++ . ++ This library is distributed in the hope that it will be useful, but WITHOUT ++ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License ++ for more details. ++ . ++ You should have received a copy of the GNU Lesser General Public License ++ along with this library; if not, see . ++ . ++ On Debian systems, the complete text of the GNU Lesser General ++ Public License can be found in "/usr/share/common-licenses/LGPL-2.1". diff --cc debian/docs index 0000000,0000000..b43bf86 new file mode 100644 --- /dev/null 
+++ b/debian/docs @@@ -1,0 -1,0 +1,1 @@@ ++README.md diff --cc debian/gbp.conf index 0000000,0000000..c16083c new file mode 100644 --- /dev/null +++ b/debian/gbp.conf @@@ -1,0 -1,0 +1,9 @@@ ++[DEFAULT] ++upstream-tag = upstream/%(version)s ++debian-tag = debian/%(version)s ++pristine-tar = True ++upstream-branch = upstream ++debian-branch = debian/sid ++ ++[buildpackage] ++submodules = True diff --cc debian/libseccomp-dev.install index 0000000,0000000..b973af4 new file mode 100644 --- /dev/null +++ b/debian/libseccomp-dev.install @@@ -1,0 -1,0 +1,4 @@@ ++usr/include/* ++usr/lib/*/lib*.so ++usr/lib/*/lib*.a ++usr/lib/*/pkgconfig/* diff --cc debian/libseccomp-dev.manpages index 0000000,0000000..7c72677 new file mode 100644 --- /dev/null +++ b/debian/libseccomp-dev.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/tmp/usr/share/man/man3/* diff --cc debian/libseccomp2.install index 0000000,0000000..3ddde58 new file mode 100644 --- /dev/null +++ b/debian/libseccomp2.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/*/lib*.so.* diff --cc debian/libseccomp2.symbols index 0000000,0000000..d1823d0 new file mode 100644 --- /dev/null 
+++ b/debian/libseccomp2.symbols @@@ -1,0 -1,0 +1,34 @@@ ++libseccomp.so.2 libseccomp2 #MINVER# ++* Build-Depends-Package: libseccomp-dev ++ seccomp_api_get@Base 2.4.1 ++ seccomp_api_set@Base 2.4.1 ++ seccomp_attr_get@Base 0.0.0~20120605 ++ seccomp_attr_set@Base 0.0.0~20120605 ++ seccomp_export_bpf@Base 0.0.0~20120605 ++ seccomp_export_pfc@Base 0.0.0~20120605 ++ seccomp_init@Base 0.0.0~20120605 ++ seccomp_load@Base 0.0.0~20120605 ++ seccomp_release@Base 0.0.0~20120605 ++ seccomp_reset@Base 0.0.0~20120605 ++ seccomp_rule_add@Base 0.0.0~20120605 ++ seccomp_rule_add_exact@Base 0.0.0~20120605 ++ seccomp_syscall_priority@Base 0.0.0~20120605 ++ seccomp_syscall_resolve_name@Base 1.0.1 ++ seccomp_merge@Base 1.0.1 ++ seccomp_notify_alloc@Base 2.5.0 ++ seccomp_notify_fd@Base 2.5.0 ++ seccomp_notify_free@Base 2.5.0 ++ seccomp_notify_id_valid@Base 2.5.0 ++ seccomp_notify_receive@Base 2.5.0 ++ seccomp_notify_respond@Base 2.5.0 ++ seccomp_arch_add@Base 1.0.1 ++ seccomp_arch_exist@Base 1.0.1 ++ seccomp_arch_remove@Base 1.0.1 ++ seccomp_arch_native@Base 2.1.0 ++ seccomp_rule_add_array@Base 2.1.0 ++ seccomp_rule_add_exact_array@Base 2.1.0 ++ seccomp_syscall_resolve_name_arch@Base 2.1.0 ++ seccomp_syscall_resolve_num_arch@Base 2.1.0 ++ seccomp_arch_resolve_name@Base 2.2.1 ++ seccomp_syscall_resolve_name_rewrite@Base 2.2.1 ++ seccomp_version@Base 2.3.0 diff --cc debian/not-installed index 0000000,0000000..4f60595 new file mode 100644 --- /dev/null +++ b/debian/not-installed @@@ -1,0 -1,0 +1,3 @@@ ++usr/lib/python*/*-packages/install_files.txt ++usr/lib/python*/*-packages/seccomp-*.egg-info ++usr/lib/*/libseccomp.la diff --cc debian/patches/all_only_request_the_userspace_notification_fd_once.patch index 0000000,0000000..79c053c new file mode 100644 --- /dev/null 
+++ b/debian/patches/all_only_request_the_userspace_notification_fd_once.patch @@@ -1,0 -1,0 +1,629 @@@ ++From 8147801fbc73016491d9caaab0fc740dbdbc989d Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Sun, 26 Jul 2020 11:01:49 -0400 ++Subject: [PATCH] all: only request the userspace notification fd once ++ ++It turns out that requesting the seccomp userspace notifcation fd ++more than once is a bad thing which causes the kernel to complain ++(rightfully so for a variety of reasons). Unfortunately as we were ++always requesting the notification fd whenever possible this results ++in problems at filter load time. ++ ++Our solution is to move the notification fd out of the filter context ++and into the global task context, using a newly created task_state ++structure. This allows us to store, and retrieve the notification ++outside the scope of an individual filter context. It also provides ++some implementation improvements by giving us a convenient place to ++stash all of the API level related support variables. We also extend ++the seccomp_reset() API call to reset this internal global state when ++passed a NULL filter context. ++ ++There is one potential case which we don't currently handle well: ++threads. At the moment libseccomp is thread ignorant, and that works ++well as the only global state up to this point was the currently ++supported API level information which was common to all threads in a ++process. Unfortunately, it appears that the notification fd need not ++be common to all threads in a process, yet this patch treats it as if ++it is common. I suspect this is a very unusual use case so I decided ++to keep this patch simple and ignore this case, but in the future if ++we need to support this properly we should be able to do so without ++API changes by keeping an internal list of notification fds indexed ++by gettid(2). 
++ ++This fixes the GitHub issue below: ++* https://github.com/seccomp/libseccomp/issues/273 ++ ++Reported-by: Tobias Stoeckmann ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++(imported from commit ce314fe4111887c593e3c6b17c60d93bc6ab66b9) ++--- ++ doc/man/man3/seccomp_init.3 | 10 +- ++ doc/man/man3/seccomp_notify_alloc.3 | 3 +- ++ src/api.c | 19 ++- ++ src/db.c | 1 - ++ src/db.h | 3 +- ++ src/system.c | 204 ++++++++++++++++++---------- ++ src/system.h | 3 + ++ tests/11-basic-basic_errors.c | 9 +- ++ tests/51-live-user_notification.c | 21 +++ ++ tests/51-live-user_notification.py | 4 + ++ 10 files changed, 187 insertions(+), 90 deletions(-) ++ ++diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3 ++index 3ab68fef..87520cd3 100644 ++--- a/doc/man/man3/seccomp_init.3 +++++ b/doc/man/man3/seccomp_init.3 ++@@ -36,7 +36,15 @@ The ++ function releases the existing filter context state before reinitializing it ++ and can only be called after a call to ++ .BR seccomp_init () ++-has succeeded. +++has succeeded. If +++.BR seccomp_reset () +++is called with a NULL filter, it resets the library's global task state; +++normally this is not needed, but it may be required to continue using the +++library after a +++.BR fork () +++or +++.BR clone () +++call to ensure the API level and user notification state is properly reset. ++ .P ++ When the caller is finished configuring the seccomp filter and has loaded it ++ into the kernel, the caller should call ++diff --git a/doc/man/man3/seccomp_notify_alloc.3 b/doc/man/man3/seccomp_notify_alloc.3 ++index 50c89706..cb1c0480 100644 ++--- a/doc/man/man3/seccomp_notify_alloc.3 +++++ b/doc/man/man3/seccomp_notify_alloc.3 ++@@ -59,7 +59,8 @@ returns the notification fd of a filter after it has been loaded. ++ .\" ////////////////////////////////////////////////////////////////////////// ++ The ++ .BR seccomp_notify_fd () ++-returns the notification fd of the loaded filter. 
+++returns the notification fd of the loaded filter, -1 if a notification fd has +++not yet been created, and -EINVAL if the filter context is invalid. ++ .P ++ The ++ .BR seccomp_notify_id_valid () ++diff --git a/src/api.c b/src/api.c ++index 00975ad5..5cec0883 100644 ++--- a/src/api.c +++++ b/src/api.c ++@@ -301,10 +301,18 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action) ++ { ++ struct db_filter_col *col = (struct db_filter_col *)ctx; ++ ++- /* use a NULL filter collection here since we are resetting it */ ++- if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0) +++ /* a NULL filter context indicates we are resetting the global state */ +++ if (ctx == NULL) { +++ /* reset the global state and redetermine the api level */ +++ sys_reset_state(); +++ _seccomp_api_update(); +++ return _rc_filter(0); +++ } +++ /* ensure the default action is valid */ +++ if (db_col_action_valid(NULL, def_action) < 0) ++ return _rc_filter(-EINVAL); ++ +++ /* reset the filter */ ++ return _rc_filter(db_col_reset(col, def_action)); ++ } ++ ++@@ -675,16 +683,17 @@ API int seccomp_notify_id_valid(int fd, uint64_t id) ++ /* NOTE - function header comment in include/seccomp.h */ ++ API int seccomp_notify_fd(const scmp_filter_ctx ctx) ++ { ++- struct db_filter_col *col; +++ /* NOTE: for historical reasons, and possibly future use, we require a +++ * valid filter context even though we don't actual use it here; the +++ * api update is also not strictly necessary, but keep it for now */ ++ ++ /* force a runtime api level detection */ ++ _seccomp_api_update(); ++ ++ if (_ctx_valid(ctx)) ++ return _rc_filter(-EINVAL); ++- col = (struct db_filter_col *)ctx; ++ ++- return _rc_filter(col->notify_fd); +++ return _rc_filter(sys_notify_fd()); ++ } ++ ++ /* NOTE - function header comment in include/seccomp.h */ ++diff --git a/src/db.c b/src/db.c ++index 4a87ea36..836171ae 100644 ++--- a/src/db.c +++++ b/src/db.c ++@@ -1057,7 +1057,6 @@ int db_col_reset(struct db_filter_col 
*col, uint32_t def_action) ++ if (col->filters) ++ free(col->filters); ++ col->filters = NULL; ++- col->notify_fd = -1; ++ ++ /* set the endianess to undefined */ ++ col->endian = 0; ++diff --git a/src/db.h b/src/db.h ++index b96b1049..765c607e 100644 ++--- a/src/db.h +++++ b/src/db.h ++@@ -160,8 +160,7 @@ struct db_filter_col { ++ /* transaction snapshots */ ++ struct db_filter_snap *snapshots; ++ ++- /* notification fd that was returned from seccomp() */ ++- int notify_fd; +++ /* userspace notification */ ++ bool notify_used; ++ }; ++ ++diff --git a/src/system.c b/src/system.c ++index 6cdfc16a..3b43b2a9 100644 ++--- a/src/system.c +++++ b/src/system.c ++@@ -40,16 +40,61 @@ ++ * our next release we may have to enable the allowlist */ ++ #define SYSCALL_ALLOWLIST_ENABLE 0 ++ ++-static int _nr_seccomp = -1; ++-static int _support_seccomp_syscall = -1; ++-static int _support_seccomp_flag_tsync = -1; ++-static int _support_seccomp_flag_log = -1; ++-static int _support_seccomp_action_log = -1; ++-static int _support_seccomp_kill_process = -1; ++-static int _support_seccomp_flag_spec_allow = -1; ++-static int _support_seccomp_flag_new_listener = -1; ++-static int _support_seccomp_user_notif = -1; ++-static int _support_seccomp_flag_tsync_esrch = -1; +++/* task global state */ +++struct task_state { +++ /* seccomp(2) syscall */ +++ int nr_seccomp; +++ +++ /* userspace notification fd */ +++ int notify_fd; +++ +++ /* runtime support flags */ +++ int sup_syscall; +++ int sup_flag_tsync; +++ int sup_flag_log; +++ int sup_action_log; +++ int sup_kill_process; +++ int sup_flag_spec_allow; +++ int sup_flag_new_listener; +++ int sup_user_notif; +++ int sup_flag_tsync_esrch; +++}; +++static struct task_state state = { +++ .nr_seccomp = -1, +++ +++ .notify_fd = -1, +++ +++ .sup_syscall = -1, +++ .sup_flag_tsync = -1, +++ .sup_flag_log = -1, +++ .sup_action_log = -1, +++ .sup_kill_process = -1, +++ .sup_flag_spec_allow = -1, +++ .sup_flag_new_listener = -1, +++ .sup_user_notif = 
-1, +++ .sup_flag_tsync_esrch = -1, +++}; +++ +++/** +++ * Reset the task state +++ * +++ * This function fully resets the library's global "system task state". +++ * +++ */ +++void sys_reset_state(void) +++{ +++ state.nr_seccomp = -1; +++ state.notify_fd = -1; +++ state.sup_syscall = -1; +++ state.sup_flag_tsync = -1; +++ state.sup_flag_log = -1; +++ state.sup_action_log = -1; +++ state.sup_kill_process = -1; +++ state.sup_flag_spec_allow = -1; +++ state.sup_flag_new_listener = -1; +++ state.sup_user_notif = -1; +++ state.sup_flag_tsync_esrch = -1; +++} ++ ++ /** ++ * Check to see if the seccomp() syscall is supported ++@@ -68,8 +113,8 @@ int sys_chk_seccomp_syscall(void) ++ /* NOTE: it is reasonably safe to assume that we should be able to call ++ * seccomp() when the caller first starts, but we can't rely on ++ * it later so we need to cache our findings for use later */ ++- if (_support_seccomp_syscall >= 0) ++- return _support_seccomp_syscall; +++ if (state.sup_syscall >= 0) +++ return state.sup_syscall; ++ ++ #if SYSCALL_ALLOWLIST_ENABLE ++ /* architecture allowlist */ ++@@ -100,11 +145,11 @@ int sys_chk_seccomp_syscall(void) ++ goto supported; ++ ++ unsupported: ++- _support_seccomp_syscall = 0; +++ state.sup_syscall = 0; ++ return 0; ++ supported: ++- _nr_seccomp = nr_seccomp; ++- _support_seccomp_syscall = 1; +++ state.nr_seccomp = nr_seccomp; +++ state.sup_syscall = 1; ++ return 1; ++ } ++ ++@@ -118,7 +163,7 @@ int sys_chk_seccomp_syscall(void) ++ */ ++ void sys_set_seccomp_syscall(bool enable) ++ { ++- _support_seccomp_syscall = (enable ? 1 : 0); +++ state.sup_syscall = (enable ? 
1 : 0); ++ } ++ ++ /** ++@@ -132,16 +177,16 @@ void sys_set_seccomp_syscall(bool enable) ++ int sys_chk_seccomp_action(uint32_t action) ++ { ++ if (action == SCMP_ACT_KILL_PROCESS) { ++- if (_support_seccomp_kill_process < 0) { +++ if (state.sup_kill_process < 0) { ++ if (sys_chk_seccomp_syscall() == 1 && ++- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, ++- &action) == 0) ++- _support_seccomp_kill_process = 1; +++ syscall(state.nr_seccomp, +++ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) +++ state.sup_kill_process = 1; ++ else ++- _support_seccomp_kill_process = 0; +++ state.sup_kill_process = 0; ++ } ++ ++- return _support_seccomp_kill_process; +++ return state.sup_kill_process; ++ } else if (action == SCMP_ACT_KILL_THREAD) { ++ return 1; ++ } else if (action == SCMP_ACT_TRAP) { ++@@ -152,30 +197,30 @@ int sys_chk_seccomp_action(uint32_t action) ++ } else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) { ++ return 1; ++ } else if (action == SCMP_ACT_LOG) { ++- if (_support_seccomp_action_log < 0) { +++ if (state.sup_action_log < 0) { ++ if (sys_chk_seccomp_syscall() == 1 && ++- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, ++- &action) == 0) ++- _support_seccomp_action_log = 1; +++ syscall(state.nr_seccomp, +++ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) +++ state.sup_action_log = 1; ++ else ++- _support_seccomp_action_log = 0; +++ state.sup_action_log = 0; ++ } ++ ++- return _support_seccomp_action_log; +++ return state.sup_action_log; ++ } else if (action == SCMP_ACT_ALLOW) { ++ return 1; ++ } else if (action == SCMP_ACT_NOTIFY) { ++- if (_support_seccomp_user_notif < 0) { +++ if (state.sup_user_notif < 0) { ++ struct seccomp_notif_sizes sizes; ++ if (sys_chk_seccomp_syscall() == 1 && ++- syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, ++- &sizes) == 0) ++- _support_seccomp_user_notif = 1; +++ syscall(state.nr_seccomp, +++ SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0) +++ state.sup_user_notif = 1; ++ else ++- _support_seccomp_user_notif = 0; +++ 
state.sup_user_notif = 0; ++ } ++ ++- return _support_seccomp_user_notif; +++ return state.sup_user_notif; ++ } ++ ++ return 0; ++@@ -193,13 +238,13 @@ void sys_set_seccomp_action(uint32_t action, bool enable) ++ { ++ switch (action) { ++ case SCMP_ACT_LOG: ++- _support_seccomp_action_log = (enable ? 1 : 0); +++ state.sup_action_log = (enable ? 1 : 0); ++ break; ++ case SCMP_ACT_KILL_PROCESS: ++- _support_seccomp_kill_process = (enable ? 1 : 0); +++ state.sup_kill_process = (enable ? 1 : 0); ++ break; ++ case SCMP_ACT_NOTIFY: ++- _support_seccomp_user_notif = (enable ? 1 : 0); +++ state.sup_user_notif = (enable ? 1 : 0); ++ break; ++ } ++ } ++@@ -212,13 +257,14 @@ void sys_set_seccomp_action(uint32_t action, bool enable) ++ * Return one if the flag is supported, zero otherwise. ++ * ++ */ ++-static int _sys_chk_seccomp_flag_kernel(int flag) +++static int _sys_chk_flag_kernel(int flag) ++ { ++ /* this is an invalid seccomp(2) call because the last argument ++ * is NULL, but depending on the errno value of EFAULT we can ++ * guess if the filter flag is supported or not */ ++ if (sys_chk_seccomp_syscall() == 1 && ++- syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 && +++ syscall(state.nr_seccomp, +++ SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 && ++ errno == EFAULT) ++ return 1; ++ ++@@ -238,29 +284,25 @@ int sys_chk_seccomp_flag(int flag) ++ { ++ switch (flag) { ++ case SECCOMP_FILTER_FLAG_TSYNC: ++- if (_support_seccomp_flag_tsync < 0) ++- _support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag); ++- ++- return _support_seccomp_flag_tsync; +++ if (state.sup_flag_tsync < 0) +++ state.sup_flag_tsync = _sys_chk_flag_kernel(flag); +++ return state.sup_flag_tsync; ++ case SECCOMP_FILTER_FLAG_LOG: ++- if (_support_seccomp_flag_log < 0) ++- _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag); ++- ++- return _support_seccomp_flag_log; +++ if (state.sup_flag_log < 0) +++ state.sup_flag_log = _sys_chk_flag_kernel(flag); +++ return 
state.sup_flag_log; ++ case SECCOMP_FILTER_FLAG_SPEC_ALLOW: ++- if (_support_seccomp_flag_spec_allow < 0) ++- _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag); ++- ++- return _support_seccomp_flag_spec_allow; +++ if (state.sup_flag_spec_allow < 0) +++ state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag); +++ return state.sup_flag_spec_allow; ++ case SECCOMP_FILTER_FLAG_NEW_LISTENER: ++- if (_support_seccomp_flag_new_listener < 0) ++- _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag); ++- ++- return _support_seccomp_flag_new_listener; +++ if (state.sup_flag_new_listener < 0) +++ state.sup_flag_new_listener = _sys_chk_flag_kernel(flag); +++ return state.sup_flag_new_listener; ++ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH: ++- if (_support_seccomp_flag_tsync_esrch < 0) ++- _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag); ++- return _support_seccomp_flag_tsync_esrch; +++ if (state.sup_flag_tsync_esrch < 0) +++ state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag); +++ return state.sup_flag_tsync_esrch; ++ } ++ ++ return -EOPNOTSUPP; ++@@ -279,19 +321,19 @@ void sys_set_seccomp_flag(int flag, bool enable) ++ { ++ switch (flag) { ++ case SECCOMP_FILTER_FLAG_TSYNC: ++- _support_seccomp_flag_tsync = (enable ? 1 : 0); +++ state.sup_flag_tsync = (enable ? 1 : 0); ++ break; ++ case SECCOMP_FILTER_FLAG_LOG: ++- _support_seccomp_flag_log = (enable ? 1 : 0); +++ state.sup_flag_log = (enable ? 1 : 0); ++ break; ++ case SECCOMP_FILTER_FLAG_SPEC_ALLOW: ++- _support_seccomp_flag_spec_allow = (enable ? 1 : 0); +++ state.sup_flag_spec_allow = (enable ? 1 : 0); ++ break; ++ case SECCOMP_FILTER_FLAG_NEW_LISTENER: ++- _support_seccomp_flag_new_listener = (enable ? 1 : 0); +++ state.sup_flag_new_listener = (enable ? 1 : 0); ++ break; ++ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH: ++- _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0); +++ state.sup_flag_tsync_esrch = (enable ? 
1 : 0); ++ break; ++ } ++ } ++@@ -324,7 +366,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ goto filter_load_out; ++ } ++ ++- tsync_notify = (_support_seccomp_flag_tsync_esrch > 0); +++ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1; ++ ++ /* load the filter into the kernel */ ++ if (sys_chk_seccomp_syscall() == 1) { ++@@ -333,28 +375,29 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ if (col->attr.tsync_enable) ++ flgs |= SECCOMP_FILTER_FLAG_TSYNC | \ ++ SECCOMP_FILTER_FLAG_TSYNC_ESRCH; ++- if (_support_seccomp_user_notif > 0) +++ if (state.sup_user_notif > 0) ++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; ++ } else if (col->attr.tsync_enable) ++ flgs |= SECCOMP_FILTER_FLAG_TSYNC; ++- else if (_support_seccomp_user_notif > 0) +++ else if (state.sup_user_notif > 0 && state.notify_fd == -1) ++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; ++ if (col->attr.log_enable) ++ flgs |= SECCOMP_FILTER_FLAG_LOG; ++ if (col->attr.spec_allow) ++ flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW; ++- rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm); +++ rc = syscall(state.nr_seccomp, +++ SECCOMP_SET_MODE_FILTER, flgs, prgm); ++ if (tsync_notify && rc > 0) { ++ /* return 0 on NEW_LISTENER success, but save the fd */ ++- col->notify_fd = rc; +++ state.notify_fd = rc; ++ rc = 0; ++ } else if (rc > 0 && col->attr.tsync_enable) { ++ /* always return -ESRCH if we fail to sync threads */ ++ errno = ESRCH; ++ rc = -errno; ++- } else if (rc > 0 && _support_seccomp_user_notif > 0) { +++ } else if (rc > 0 && state.sup_user_notif > 0) { ++ /* return 0 on NEW_LISTENER success, but save the fd */ ++- col->notify_fd = rc; +++ state.notify_fd = rc; ++ rc = 0; ++ } ++ } else ++@@ -370,6 +413,19 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ return rc; ++ } ++ +++/** +++ * Return the userspace notification fd +++ * +++ * This function returns the userspace notification fd from +++ * SECCOMP_FILTER_FLAG_NEW_LISTENER. 
If the notification fd has not yet been +++ * set, or an error has occurred, -1 is returned. +++ * +++ */ +++int sys_notify_fd(void) +++{ +++ return state.notify_fd; +++} +++ ++ /** ++ * Allocate a pair of notification request/response structures ++ * @param req the request location ++@@ -386,7 +442,7 @@ int sys_notify_alloc(struct seccomp_notif **req, ++ int rc; ++ static struct seccomp_notif_sizes sizes = { 0, 0, 0 }; ++ ++- if (_support_seccomp_syscall <= 0) +++ if (state.sup_syscall <= 0) ++ return -EOPNOTSUPP; ++ ++ if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) { ++@@ -427,7 +483,7 @@ int sys_notify_alloc(struct seccomp_notif **req, ++ */ ++ int sys_notify_receive(int fd, struct seccomp_notif *req) ++ { ++- if (_support_seccomp_user_notif <= 0) +++ if (state.sup_user_notif <= 0) ++ return -EOPNOTSUPP; ++ ++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) ++@@ -448,7 +504,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req) ++ */ ++ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp) ++ { ++- if (_support_seccomp_user_notif <= 0) +++ if (state.sup_user_notif <= 0) ++ return -EOPNOTSUPP; ++ ++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0) ++@@ -467,7 +523,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp) ++ */ ++ int sys_notify_id_valid(int fd, uint64_t id) ++ { ++- if (_support_seccomp_user_notif <= 0) +++ if (state.sup_user_notif <= 0) ++ return -EOPNOTSUPP; ++ ++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0) ++diff --git a/src/system.h b/src/system.h ++index 133f9b11..096f3cad 100644 ++--- a/src/system.h +++++ b/src/system.h ++@@ -182,6 +182,8 @@ struct seccomp_notif_resp { ++ #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64) ++ #endif /* SECCOMP_RET_USER_NOTIF */ ++ +++void sys_reset_state(void); +++ ++ int sys_chk_seccomp_syscall(void); ++ void sys_set_seccomp_syscall(bool enable); ++ ++@@ -193,6 +195,7 @@ void sys_set_seccomp_flag(int flag, bool enable); ++ ++ int 
sys_filter_load(struct db_filter_col *col, bool rawrc); ++ +++int sys_notify_fd(void); ++ int sys_notify_alloc(struct seccomp_notif **req, ++ struct seccomp_notif_resp **resp); ++ int sys_notify_receive(int fd, struct seccomp_notif *req); ++diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c ++index d3b22566..da059df2 100644 ++--- a/tests/11-basic-basic_errors.c +++++ b/tests/11-basic-basic_errors.c ++@@ -41,12 +41,9 @@ int main(int argc, char *argv[]) ++ seccomp_release(ctx); ++ ctx = NULL; ++ ++- /* seccomp_reset error */ ++- rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1); ++- if (rc != -EINVAL) ++- return -1; ++- rc = seccomp_reset(ctx, SCMP_ACT_KILL); ++- if (rc != -EINVAL) +++ /* ensure that seccomp_reset(NULL, ...) is accepted */ +++ rc = seccomp_reset(NULL, SCMP_ACT_ALLOW); +++ if (rc != 0) ++ return -1; ++ ++ /* seccomp_load error */ ++diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c ++index 4340194c..4847d8b1 100644 ++--- a/tests/51-live-user_notification.c +++++ b/tests/51-live-user_notification.c ++@@ -99,6 +99,27 @@ int main(int argc, char *argv[]) ++ goto out; ++ } ++ +++ rc = seccomp_reset(ctx, SCMP_ACT_ALLOW); +++ if (rc < 0) +++ goto out; +++ +++ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL); +++ if (rc) +++ goto out; +++ +++ rc = seccomp_load(ctx); +++ if (rc < 0) +++ goto out; +++ +++ rc = seccomp_notify_fd(ctx); +++ if (rc < 0) +++ goto out; +++ if (rc != fd) { +++ rc = -EFAULT; +++ goto out; +++ } else +++ rc = 0; +++ ++ out: ++ if (fd >= 0) ++ close(fd); ++diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py ++index 0d81f5e1..3449c44c 100755 ++--- a/tests/51-live-user_notification.py +++++ b/tests/51-live-user_notification.py ++@@ -52,6 +52,10 @@ def test(): ++ raise RuntimeError("Child process error") ++ if os.WEXITSTATUS(rc) != 0: ++ raise RuntimeError("Child process error") +++ f.reset(ALLOW) +++ f.add_rule(NOTIFY, "getppid") +++ 
f.load() +++ # no easy way to check the notification fd here ++ quit(160) ++ ++ test() diff --cc debian/patches/arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch index 0000000,0000000..6e2e24c new file mode 100644 --- /dev/null 
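Review bot: the tests/11-basic-basic_errors.c hunk replaces both `seccomp_reset(ctx, SCMP_ACT_KILL + 1)` and `seccomp_reset(ctx, SCMP_ACT_KILL)` (ctx is NULL at that point) with a single `seccomp_reset(NULL, SCMP_ACT_ALLOW)` that must succeed, so the out-of-range default action is no longer exercised anywhere in this test; if the action is still validated on the NULL path, keep a `SCMP_ACT_KILL + 1` case that expects -EINVAL next to the new one, otherwise add it against a live ctx so the -EINVAL branch of seccomp_reset() stays covered.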
+++ b/debian/patches/arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch @@@ -1,0 -1,0 +1,165 @@@ ++From d1482eaf5a3643f73bc7f599876e7000c502b3d5 Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Sun, 16 Aug 2020 09:56:36 -0400 ++Subject: [PATCH] arch: ensure we don't "munge" pseudo syscall numbers ++ ++A number of arches/ABIs have either syscall offsets (the MIPS ++family) or specific bits (x32) which are applied to their normal ++syscall numbers. We generally handle that via "munging" in ++libseccomp, and it works reasonably well. Unfortunately we were ++applying this munging process to the negative pseudo syscall ++numbers as well and this was causing problems. ++ ++This patch fixes the various offset/bit arches/ABIs by not applying ++the munging to the negative pseudo syscall numbers. ++ ++This resolves GH issue #284: ++* https://github.com/seccomp/libseccomp/issues/284 ++ ++Reported-by: Harald van Dijk ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++(imported from commit 34cde704979defcbddb8eea64295acf0e477c250) ++--- ++ src/arch-arm.c | 8 ++++++-- ++ src/arch-mips.c | 8 ++++++-- ++ src/arch-mips64.c | 8 ++++++-- ++ src/arch-mips64n32.c | 8 ++++++-- ++ src/arch-x32.c | 8 ++++++-- ++ 5 files changed, 30 insertions(+), 10 deletions(-) ++ ++diff --git a/src/arch-arm.c b/src/arch-arm.c ++index 4dd4b631..9c9153ae 100644 ++--- a/src/arch-arm.c +++++ b/src/arch-arm.c ++@@ -50,8 +50,9 @@ int arm_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = arm_syscall_resolve_name(name); ++- if (sys == __NR_SCMP_ERROR) +++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++ return (sys | __SCMP_NR_BASE); ++@@ -68,7 +69,10 @@ int arm_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *arm_syscall_resolve_num_munge(int num) ++ { ++- return arm_syscall_resolve_num(num & (~__SCMP_NR_BASE)); +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ 
if (num >= 0) +++ num &= ~__SCMP_NR_BASE; +++ return arm_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_arm = { ++diff --git a/src/arch-mips.c b/src/arch-mips.c ++index f0e6a143..06741c7f 100644 ++--- a/src/arch-mips.c +++++ b/src/arch-mips.c ++@@ -43,8 +43,9 @@ int mips_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = mips_syscall_resolve_name(name); ++- if (sys == __NR_SCMP_ERROR) +++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++ return sys + __SCMP_NR_BASE; ++@@ -61,7 +62,10 @@ int mips_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *mips_syscall_resolve_num_munge(int num) ++ { ++- return mips_syscall_resolve_num(num - __SCMP_NR_BASE); +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ if (num >= __SCMP_NR_BASE) +++ num -= __SCMP_NR_BASE; +++ return mips_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_mips = { ++diff --git a/src/arch-mips64.c b/src/arch-mips64.c ++index 9707d1c5..342d0d88 100644 ++--- a/src/arch-mips64.c +++++ b/src/arch-mips64.c ++@@ -41,8 +41,9 @@ int mips64_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = mips64_syscall_resolve_name(name); ++- if (sys == __NR_SCMP_ERROR) +++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++ return sys + __SCMP_NR_BASE; ++@@ -59,7 +60,10 @@ int mips64_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *mips64_syscall_resolve_num_munge(int num) ++ { ++- return mips64_syscall_resolve_num(num - __SCMP_NR_BASE); +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ if (num >= __SCMP_NR_BASE) +++ num -= __SCMP_NR_BASE; +++ return mips64_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_mips64 = { ++diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c ++index f8088aee..098864be 
100644 ++--- a/src/arch-mips64n32.c +++++ b/src/arch-mips64n32.c ++@@ -43,8 +43,9 @@ int mips64n32_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = mips64n32_syscall_resolve_name(name); ++- if (sys == __NR_SCMP_ERROR) +++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++ return sys + __SCMP_NR_BASE; ++@@ -61,7 +62,10 @@ int mips64n32_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *mips64n32_syscall_resolve_num_munge(int num) ++ { ++- return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE); +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ if (num >= __SCMP_NR_BASE) +++ num -= __SCMP_NR_BASE; +++ return mips64n32_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_mips64n32 = { ++diff --git a/src/arch-x32.c b/src/arch-x32.c ++index 38909681..50c502ee 100644 ++--- a/src/arch-x32.c +++++ b/src/arch-x32.c ++@@ -39,8 +39,9 @@ int x32_syscall_resolve_name_munge(const char *name) ++ { ++ int sys; ++ +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ ++ sys = x32_syscall_resolve_name(name); ++- if (sys == __NR_SCMP_ERROR) +++ if (sys == __NR_SCMP_ERROR || sys < 0) ++ return sys; ++ ++ return (sys | X32_SYSCALL_BIT); ++@@ -57,7 +58,10 @@ int x32_syscall_resolve_name_munge(const char *name) ++ */ ++ const char *x32_syscall_resolve_num_munge(int num) ++ { ++- return x32_syscall_resolve_num(num & (~X32_SYSCALL_BIT)); +++ /* NOTE: we don't want to modify the pseudo-syscall numbers */ +++ if (num >= 0) +++ num &= ~X32_SYSCALL_BIT; +++ return x32_syscall_resolve_num(num); ++ } ++ ++ const struct arch_def arch_def_x32 = { diff --cc debian/patches/build_undefine_mips_to_prevent_build_problems.patch index 0000000,0000000..ce2dbeb new file mode 100644 --- /dev/null 
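Review bot: the bound used to recognise an already un-munged number differs between the `*_syscall_resolve_num_munge` hunks: arch-arm.c and arch-x32.c only mask when `num >= 0`, while the three MIPS files only subtract when `num >= __SCMP_NR_BASE`. The asymmetry is defensible (clearing a bit can never produce a negative value, subtracting the offset from a small positive number can land on a negative pseudo number), but it should be spelled out in the NOTE comment, because the MIPS form now also passes positive numbers below the base through unchanged where the old code would have handed a negative value to the resolver. Two smaller points on the same hunks: if __NR_SCMP_ERROR is negative like the other pseudo numbers, the `sys < 0` test in `*_syscall_resolve_name_munge` already subsumes the `== __NR_SCMP_ERROR` comparison; and a regression test that resolves a negative pseudo syscall number on mips and x32 would guard the fix for issue #284.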
+++ b/debian/patches/build_undefine_mips_to_prevent_build_problems.patch @@@ -1,0 -1,0 +1,55 @@@ ++From 3e1a828777f097e55cd831cf7e7f617057c801c5 Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Sun, 2 Aug 2020 09:57:39 -0400 ++Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS ++ targets ++ ++It turns out that the MIPS GCC compiler defines a "mips" cpp macro ++which was resulting in build failures on MIPS so we need to ++undefine the "mips" macro during build. As this should be safe ++to do in all architectures, just add it to the compiler flags by ++default. ++ ++This was reported in the following GH issue: ++* https://github.com/seccomp/libseccomp/issues/274 ++ ++Reported-by: Rongwei Zhang ++Suggested-by: Rongwei Zhang ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++(imported from commit 5cd9059618a0810ee47c21e6b44c5a876b75e23d) ++--- ++ configure.ac | 4 +++- ++ src/Makefile.am | 2 +- ++ 2 files changed, 4 insertions(+), 2 deletions(-) ++ ++diff --git a/configure.ac b/configure.ac ++index d47c25ca..7b91c7af 100644 ++--- a/configure.ac +++++ b/configure.ac ++@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) ++ ++ dnl #### ++ dnl build flags +++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it +++dnl for us which wreaks havoc on the build ++ dnl #### ++ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include" ++-AM_CFLAGS="-Wall" +++AM_CFLAGS="-Wall -Umips" ++ AM_LDFLAGS="-Wl,-z -Wl,relro" ++ AC_SUBST([AM_CPPFLAGS]) ++ AC_SUBST([AM_CFLAGS]) ++diff --git a/src/Makefile.am b/src/Makefile.am ++index 8d8b97ff..10154e14 100644 ++--- a/src/Makefile.am +++++ b/src/Makefile.am ++@@ -61,7 +61,7 @@ lib_LTLIBRARIES = libseccomp.la ++ arch_syscall_dump_SOURCES = arch-syscall-dump.c ${SOURCES_ALL} ++ ++ arch_syscall_check_SOURCES = arch-syscall-check.c ${SOURCES_ALL} ++-arch_syscall_check_CFLAGS = ${CODE_COVERAGE_CFLAGS} +++arch_syscall_check_CFLAGS = ${AM_CFLAGS} 
${CODE_COVERAGE_CFLAGS} ++ arch_syscall_check_LDFLAGS = ${CODE_COVERAGE_LDFLAGS} ++ ++ libseccomp_la_SOURCES = ${SOURCES_ALL} diff --cc debian/patches/series index 0000000,0000000..68012a6 new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,5 @@@ ++all_only_request_the_userspace_notification_fd_once.patch ++system_change_our_notification_fd_handling.patch ++build_undefine_mips_to_prevent_build_problems.patch ++tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch ++arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch diff --cc debian/patches/system_change_our_notification_fd_handling.patch index 0000000,0000000..1c508b0 new file mode 100644 --- /dev/null 
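Review bot: the src/Makefile.am hunk is required because an automake per-target `_CFLAGS` variable replaces AM_CFLAGS instead of extending it, so the `-Umips` added in configure.ac would otherwise never reach arch_syscall_check; the same applies to any other target in the tree that sets its own `_CFLAGS`, and to the Python extension, which debian/rules builds separately under src/python and which may not consume AM_CFLAGS at all, so both deserve a check on a MIPS build. A one-line comment beside `arch_syscall_check_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS}` saying why AM_CFLAGS is repeated there would spare the next reader the same investigation.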
+++ b/debian/patches/system_change_our_notification_fd_handling.patch @@@ -1,0 -1,0 +1,92 @@@ ++From 1db3b323d8b61eb83a186013422e57b75b18ace0 Mon Sep 17 00:00:00 2001 ++From: Paul Moore ++Date: Tue, 4 Aug 2020 10:52:08 -0400 ++Subject: [PATCH] system: change our notification fd handling ++ ++This commit changes how we handle the notification fd by only ++requesting it via _NEW_LISTENER if the filter has a _NOTIFY action ++in it. We also augment the seccomp_reset(NULL, ...) behavior so ++that it closes the notification fd before resetting the global ++state; applications that need to keep their notification fd open ++across a call to seccomp_reset(NULL, ...) can simply dup() it. ++Although one would have to wonder why the application would be ++calling seccomp_reset(NULL, ...) in that case. ++ ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++(imported from commit 02812f99e8d1df2e671dac675b4af663d0266303) ++--- ++ doc/man/man3/seccomp_init.3 | 6 ++++-- ++ src/system.c | 18 +++++++++++++++--- ++ 2 files changed, 19 insertions(+), 5 deletions(-) ++ ++diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3 ++index 87520cd3..7881c357 100644 ++--- a/doc/man/man3/seccomp_init.3 +++++ b/doc/man/man3/seccomp_init.3 ++@@ -38,8 +38,10 @@ and can only be called after a call to ++ .BR seccomp_init () ++ has succeeded. If ++ .BR seccomp_reset () ++-is called with a NULL filter, it resets the library's global task state; ++-normally this is not needed, but it may be required to continue using the +++is called with a NULL filter, it resets the library's global task state, +++including any notification file descriptors retrieved by +++.BR seccomp_notify_fd(3) . 
+++Normally this is not needed, but it may be required to continue using the ++ library after a ++ .BR fork () ++ or ++diff --git a/src/system.c b/src/system.c ++index 3b43b2a9..c646c65e 100644 ++--- a/src/system.c +++++ b/src/system.c ++@@ -84,7 +84,11 @@ static struct task_state state = { ++ void sys_reset_state(void) ++ { ++ state.nr_seccomp = -1; +++ +++ if (state.notify_fd > 0) +++ close(state.notify_fd); ++ state.notify_fd = -1; +++ ++ state.sup_syscall = -1; ++ state.sup_flag_tsync = -1; ++ state.sup_flag_log = -1; ++@@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ { ++ int rc; ++ bool tsync_notify; +++ bool listener_req; ++ struct bpf_program *prgm = NULL; ++ ++ rc = gen_bpf_generate(col, &prgm); ++@@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ } ++ ++ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1; +++ listener_req = state.sup_user_notif > 0 && \ +++ col->notify_used && state.notify_fd == -1; ++ ++ /* load the filter into the kernel */ ++ if (sys_chk_seccomp_syscall() == 1) { ++@@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc) ++ if (col->attr.tsync_enable) ++ flgs |= SECCOMP_FILTER_FLAG_TSYNC | \ ++ SECCOMP_FILTER_FLAG_TSYNC_ESRCH; ++- if (state.sup_user_notif > 0) +++ if (listener_req) ++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; ++- } else if (col->attr.tsync_enable) +++ } else if (col->attr.tsync_enable) { +++ if (listener_req) { +++ /* NOTE: we _should_ catch this in db.c */ +++ rc = -EFAULT; +++ goto filter_load_out; +++ } ++ flgs |= SECCOMP_FILTER_FLAG_TSYNC; ++- else if (state.sup_user_notif > 0 && state.notify_fd == -1) +++ } else if (listener_req) ++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER; ++ if (col->attr.log_enable) ++ flgs |= SECCOMP_FILTER_FLAG_LOG; diff --cc debian/patches/tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch index 0000000,0000000..65f97a7 new file mode 100644 --- /dev/null 
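Review bot: in the src/system.c `sys_reset_state()` hunk, `if (state.notify_fd > 0)` leaves a listener that landed on descriptor 0 open (a valid outcome when stdin was closed before seccomp_load()); use `>= 0`, which is also the test the caller in tests/51-live-user_notification.c uses (`if (fd >= 0) close(fd)`), and is consistent with -1 being the "not set" value initialised right below it.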
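Review bot: in the `sys_filter_load()` hunk, the `listener_req` with `col->attr.tsync_enable` but no TSYNC_ESRCH support case returns -EFAULT, which describes a bad pointer rather than an unsupported flag combination; -EOPNOTSUPP, already used by this file for unsupported features, would be the more accurate code, and the `/* NOTE: we _should_ catch this in db.c */` comment suggests the check belongs at rule-add time so the caller is told before the filter is generated.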
+++ b/debian/patches/tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch @@@ -1,0 -1,0 +1,138 @@@ ++From cc580a514f05a7fc1f412f66ed002dd8aee89618 Mon Sep 17 00:00:00 2001 ++From: Andreas Schwab ++Date: Tue, 18 Aug 2020 15:59:54 +0200 ++Subject: [PATCH] tests: use openat and fstat instead of open and stat syscalls ++ in tests 04 and 06 ++ ++Architectures like aarch64 and riscv64, and all future architectures that ++use the generic syscall table, do not support the open and stat syscalls. ++Use the openat and fstat syscalls instead. ++ ++Signed-off-by: Andreas Schwab ++Acked-by: Tom Hromatka ++Signed-off-by: Paul Moore ++(imported from commit a317fabc1fd915f19f7e7326bf7dcb77493f1210) ++--- ++ tests/04-sim-multilevel_chains.c | 2 +- ++ tests/04-sim-multilevel_chains.py | 2 +- ++ tests/04-sim-multilevel_chains.tests | 8 +++++--- ++ tests/06-sim-actions.c | 4 ++-- ++ tests/06-sim-actions.py | 4 ++-- ++ tests/06-sim-actions.tests | 16 +++++++++------- ++ 6 files changed, 20 insertions(+), 16 deletions(-) ++ ++diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c ++index a660b40d..e3e4f9bd 100644 ++--- a/tests/04-sim-multilevel_chains.c +++++ b/tests/04-sim-multilevel_chains.c ++@@ -41,7 +41,7 @@ int main(int argc, char *argv[]) ++ if (ctx == NULL) ++ return ENOMEM; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); +++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py ++index bcf1ee46..a5127a2b 100755 ++--- a/tests/04-sim-multilevel_chains.py +++++ b/tests/04-sim-multilevel_chains.py ++@@ -30,7 +30,7 @@ ++ ++ def test(args): ++ f = SyscallFilter(KILL) ++- f.add_rule(ALLOW, "open") +++ f.add_rule(ALLOW, "openat") ++ f.add_rule(ALLOW, "close") ++ f.add_rule(ALLOW, "read", ++ Arg(0, EQ, sys.stdin.fileno()), ++diff --git a/tests/04-sim-multilevel_chains.tests 
b/tests/04-sim-multilevel_chains.tests ++index 6613f9a0..b6f75761 100644 ++--- a/tests/04-sim-multilevel_chains.tests +++++ b/tests/04-sim-multilevel_chains.tests ++@@ -8,7 +8,7 @@ ++ test type: bpf-sim ++ ++ # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result ++-04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW +++04-sim-multilevel_chains all openat 0 0x856B008 4 N N N ALLOW ++ 04-sim-multilevel_chains all close 4 N N N N N ALLOW ++ 04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW ++ 04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW ++@@ -27,9 +27,11 @@ test type: bpf-sim ++ 04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW ++ 04-sim-multilevel_chains x86 0-2 N N N N N N KILL ++ 04-sim-multilevel_chains x86 7-172 N N N N N N KILL ++-04-sim-multilevel_chains x86 174-350 N N N N N N KILL +++04-sim-multilevel_chains x86 174-294 N N N N N N KILL +++04-sim-multilevel_chains x86 296-350 N N N N N N KILL ++ 04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL ++-04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL +++04-sim-multilevel_chains x86_64 16-256 N N N N N N KILL +++04-sim-multilevel_chains x86_64 258-350 N N N N N N KILL ++ ++ test type: bpf-sim-fuzz ++ ++diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c ++index 10b366c9..da636c94 100644 ++--- a/tests/06-sim-actions.c +++++ b/tests/06-sim-actions.c ++@@ -60,11 +60,11 @@ int main(int argc, char *argv[]) ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0); +++ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0); ++ if (rc != 0) ++ goto out; ++ ++- rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(stat), 0); +++ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0); ++ if (rc != 0) ++ goto out; ++ ++diff --git a/tests/06-sim-actions.py b/tests/06-sim-actions.py ++index f14d6ed8..253061df 100755 ++--- 
a/tests/06-sim-actions.py +++++ b/tests/06-sim-actions.py ++@@ -37,8 +37,8 @@ def test(args): ++ f.add_rule(LOG, "rt_sigreturn") ++ f.add_rule(ERRNO(errno.EPERM), "write") ++ f.add_rule(TRAP, "close") ++- f.add_rule(TRACE(1234), "open") ++- f.add_rule(KILL_PROCESS, "stat") +++ f.add_rule(TRACE(1234), "openat") +++ f.add_rule(KILL_PROCESS, "fstat") ++ return f ++ ++ args = util.get_opt() ++diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests ++index b830917e..1ef38b32 100644 ++--- a/tests/06-sim-actions.tests +++++ b/tests/06-sim-actions.tests ++@@ -11,15 +11,17 @@ test type: bpf-sim ++ 06-sim-actions all read 4 0x856B008 80 N N N ALLOW ++ 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1) ++ 06-sim-actions all close 4 N N N N N TRAP ++-06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234) ++-06-sim-actions all,-aarch64 stat N N N N N N KILL_PROCESS +++06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234) +++06-sim-actions all fstat N N N N N N KILL_PROCESS ++ 06-sim-actions all rt_sigreturn N N N N N N LOG ++ 06-sim-actions x86 0-2 N N N N N N KILL ++-06-sim-actions x86 7-105 N N N N N N KILL ++-06-sim-actions x86 107-172 N N N N N N KILL ++-06-sim-actions x86 174-350 N N N N N N KILL ++-06-sim-actions x86_64 5-14 N N N N N N KILL ++-06-sim-actions x86_64 16-350 N N N N N N KILL +++06-sim-actions x86 7-107 N N N N N N KILL +++06-sim-actions x86 109-172 N N N N N N KILL +++06-sim-actions x86 174-294 N N N N N N KILL +++06-sim-actions x86 296-350 N N N N N N KILL +++06-sim-actions x86_64 6-14 N N N N N N KILL +++06-sim-actions x86_64 16-256 N N N N N N KILL +++06-sim-actions x86_64 258-350 N N N N N N KILL ++ ++ test type: bpf-sim-fuzz ++ diff --cc debian/python-seccomp.install index 0000000,0000000..a71458d new file mode 100644 --- /dev/null 
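Review bot: the .tests hunks carve the new openat/fstat numbers out of the KILL ranges but never add the numbers that no longer have a rule, so the simulator does not check that the default action now applies to them: in both 04-sim-multilevel_chains.tests and 06-sim-actions.tests the x86 ranges still start at 7 (open is 5) and the x86_64 ranges at 4 or 6 (open is 2, and in 06 stat, 4, is now unfiltered too), e.g. `06-sim-actions x86_64 6-14 N N N N N N KILL` has no companion row for 2 and 4. Adding rows for those numbers with the expected KILL result keeps the coverage as tight as it was before the open/stat rules were removed.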
+++ b/debian/python-seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/python2.*/dist-packages/seccomp.so diff --cc debian/python3-seccomp.install index 0000000,0000000..97a45dc new file mode 100644 --- /dev/null +++ b/debian/python3-seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/python3.*/site-packages/seccomp.cpython-*.so diff --cc debian/rules index 0000000,0000000..54d5951 new file mode 100755 --- /dev/null +++ b/debian/rules @@@ -1,0 -1,0 +1,37 @@@ ++#!/usr/bin/make -f ++# -*- makefile -*- ++ ++# Uncomment this to turn on verbose mode. ++#export DH_VERBOSE=1 ++ ++# Enable verbose build details. ++export V=1 ++ ++include /usr/share/dpkg/architecture.mk ++ ++%: ++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) ++ dh $@ --with python3 ++else ++ dh $@ ++endif ++ ++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),) ++ ++override_dh_auto_install: ++ dh_auto_install ++ for pyver in `py3versions -s`; do \ ++ set -e; \ ++ if python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"; then \ ++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata__${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ ++ else \ ++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata_m_${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \ ++ fi; \ ++ dh_auto_configure -- --enable-python PYTHON=$$pyver; \ ++ dh_auto_install --sourcedirectory=src/python -- PYTHON=$$pyver; \ ++ done ++endif ++ ++override_dh_auto_clean: ++ dh_auto_clean ++ rm -f regression.out diff --cc debian/seccomp.install index 0000000,0000000..1df36c6 new file mode 100644 --- /dev/null +++ b/debian/seccomp.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/bin/* diff --cc debian/seccomp.manpages index 0000000,0000000..5ea05fe new file mode 100644 --- /dev/null +++ b/debian/seccomp.manpages @@@ -1,0 -1,0 +1,1 @@@ ++debian/tmp/usr/share/man/man1/* diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null 
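Review bot: in the debian/rules `override_dh_auto_install` hunk, `float(pyver[6:]) >= 3.8` compares a version string as a float, so `python3.10` evaluates to 3.1 and takes the pre-3.8 `_sysconfigdata_m_` branch; compare a tuple instead (`tuple(int(x) for x in pyver[6:].split('.')) >= (3, 8)`) or ask the interpreter itself with `$$pyver -c 'import sys; exit(0 if sys.version_info >= (3, 8) else 1)'`.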
+++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/tests/common index 0000000,0000000..e02e8db new file mode 100644 --- /dev/null +++ b/debian/tests/common @@@ -1,0 -1,0 +1,12 @@@ ++SRCDIR="$(pwd)" ++ ++mkdir "$AUTOPKGTEST_TMP/tests" "$AUTOPKGTEST_TMP/tools" ++cp -a tests/. "$AUTOPKGTEST_TMP/tests/" ++ ++cd "$AUTOPKGTEST_TMP/tests" ++ ++# build tools needed for tests ++for tool in scmp_api_level scmp_arch_detect scmp_sys_resolver; do ++ echo "Building $tool ..." ++ gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool ++done diff --cc debian/tests/control index 0000000,0000000..3d2c4ba new file mode 100644 --- /dev/null +++ b/debian/tests/control @@@ -1,0 -1,0 +1,7 @@@ ++Tests: testsuite-live ++Depends: libseccomp-dev, build-essential ++Restrictions: isolation-machine ++ ++Tests: testsuite-live-python3 ++Depends: libseccomp-dev, build-essential, python3-seccomp ++Restrictions: isolation-machine, allow-stderr diff --cc debian/tests/testsuite-live index 0000000,0000000..bbf20d0 new file mode 100644 --- /dev/null +++ b/debian/tests/testsuite-live @@@ -1,0 -1,0 +1,17 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++# manually build necessary files against the installed libseccomp ++ ++# build live tests ++for filename in *-live-*.tests; do ++ testname=$(echo "$filename" | cut -f 1 -d '.') ++ echo "Building $testname ..." ++ gcc -O2 -g "${testname}.c" util.c -pthread -lseccomp -o "$testname" ++done ++ ++echo "Running test suite ..." ++./regression -T live diff --cc debian/tests/testsuite-live-python2 index 0000000,0000000..9c9ded4 new file mode 100644 --- /dev/null +++ b/debian/tests/testsuite-live-python2 @@@ -1,0 -1,0 +1,8 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++echo "Running test suite ..." ++./regression -T live -m python diff --cc debian/tests/testsuite-live-python3 index 0000000,0000000..f4fb094 new file mode 100644 --- /dev/null 
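Review bot: debian/tests/testsuite-live-python2 is added but not referenced from debian/tests/control, which only declares `testsuite-live` and `testsuite-live-python3`, and debian/python-seccomp.install (`usr/lib/python2.*/dist-packages/seccomp.so`) has no counterpart in debian/rules, which only builds `--with python3`; both look like leftovers from the Python 2 package and can be dropped rather than shipped as dead files.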
+++ b/debian/tests/testsuite-live-python3 @@@ -1,0 -1,0 +1,13 @@@ ++#!/bin/sh ++ ++set -eu ++ ++. debian/tests/common ++ ++# make sure "python" points to python3 as this is not configurable ++# in the regression script ++mkdir python3env ++ln -s /usr/bin/python3 python3env/python ++ ++echo "Running test suite ..." ++PATH="$(pwd)/python3env:$PATH" ./regression -T live -m python diff --cc debian/upstream/metadata index 0000000,0000000..0fef70b new file mode 100644 --- /dev/null +++ b/debian/upstream/metadata @@@ -1,0 -1,0 +1,4 @@@ ++Bug-Database: https://github.com/seccomp/libseccomp/issues ++Bug-Submit: https://github.com/seccomp/libseccomp/issues/new ++Repository: https://github.com/seccomp/libseccomp.git ++Repository-Browse: https://github.com/seccomp/libseccomp diff --cc debian/upstream/signing-key.asc index 0000000,0000000..5ddf435 new file mode 100644 --- /dev/null 
+++ b/debian/upstream/signing-key.asc @@@ -1,0 -1,0 +1,192 @@@ ++-----BEGIN PGP PUBLIC KEY BLOCK-----
++khL8v9D/VBU398QwBOBHXFDovKZLhNz32KU3Ma2pE+RGZYBEQeCAWBK51MNdcpsd ++Q0p26O33H6Np+GWRHSwrtvO00HK0Wd4eOmO5LY2AiSUdK0NXABEBAAGJBGwEGAEI ++ACAWIQRxAKrfrm5ulA0uCtZV5Fpa6Mp8igUCW8SmsQIbAgJACRBV5Fpa6Mp8isF0 ++IAQZAQgAHRYhBEtCqM8H8pnVVJd+7+og8tqXN4lzBQJbxKaxAAoJEOog8tqXN4lz ++0fkQAILG/ON167EqJq2VNMCD/e4Su5M5/RzcosEk+0xxmHyjOTn/36TG9uneNSr+ ++IaNdSeH926LaVpcauSFdCKbegKjznUTtmMfdJQX+iTdfO7JTSdZACFHQUSva4Rs6 ++33VMTnyhJdRerxrGvNAL0aAyDdTG5rc/CSQjj683AJGK9T7iZubgkBKWoYY8jtJi ++nsSuePp+gFetIhCQyG2nSq4yrIgXbd6l/kJdsqq6xEz42mbGJf2uPQ/BEbD/gzWj ++m8sRUAJ91u0lHqz3KjQ4MzdsU+Mm/ngZdyXWzwlfC24QbHAr9cnWwZvtLdvo2G7z ++igMX7PyMwfEq5l7i3gFS0Mny3LtvGqH1AS/YJczDeyonDtR2gAptYlyBHOBftdj7 ++hVoZS0QNNss2B0kwHqSWOLtfgMHWiBXFq8buntwWGW2rUXs77gvKYG9TB1a0NYp1 ++Hv2FOOUCWY9pzs/WBOkW0s5EOiatxoDfAFIoKH7FlqDf7Cnr3IpaKS6tXDH+7B35 ++QBptYgMIY43v+GhqIEELkaYow3VnnTcbQFi0VfBxh/GgyhydhFyaUs5djklCZ091 ++nRRYeDSyUhB1nlr7FnuLK91/rm6YI+IWmw2j3Z6urlnD6TNYPFfeZzXDoJgtlRsc ++HFQL2/HCIiCcObVFd8HbCvHmNpMdRxId8qogOr/y5Lu2FYvzRzEP/A8NNqwqj7zX ++Wk5w6lj4tVk796B4gPNZ0NUIXYeUobEtuuPjrh4SQSVOluvADCV5/8quP4fdw/iN ++tmaoTqYqmhpHArFgP9gjHQ7vL3+eHCQIqV0hdhsLm0t8ol5ArP3BgNtfS3RcQf3k ++Q9aQdIYscz5iTvCpcncVrMXDxz3wO7YKylzNHDUF7bo1FMc9HPedcKbzG/BRFnpw ++YNn8w24xlr9+o1YEzwgc48N7djcAsYl7KCIKq82vWrbeePNHLA4yo0rdqS1RP7jI ++lOlMWfxF+IGODkwCfiuMWVo35h5uMPueA0xyEfGobX1OtK6pkeFq1b1mNYCVr++4 ++eWaJj64cv3ijx/sA+Ni51pD1dHrwURuX5FIixRJm0awwoJgxbsXLy54PGVgatNoa ++1Wx4lnt/6HA32MtM7Im0NMLGAt298GD/AIr3bAnbovevNTjaxwpO8KlMNLhANqYt ++GjFlhucGfQjVOxOU0c3QL1wBJ5s0bNltz5C8LqCRpqjJc43v3CfQ/IZzqZ+g51wJ ++WWgN9wAj62doD4x6JlVg17AZm6WRoGQjslyDUuBE3ZtZd2XXpc7P/rbmfZQCcr1W ++1h8moBknbU2eOji/cULgGM3Y8W5V3RwNgD7IFHDKr1I19PyBEMr+Qk+KVHpsw09S ++xOtqJHdjtKxzOrgL0rG+n0VYx6dl2Lt4mQINBF3C4AkBEADQxp4jfxmbJ3t/ZuKc ++sV4JxG8mhuGXBkzMB0k2uGULCpY4yh7dsN4PBU7PuHgUMkxJnJlbg0xVR2nux20I ++NzroYn8xzRe+jSmKTW0fTvNH+Nxyr4k+KgqmVZCcfyvwXuL7IOfG5luc/oSXJV62 ++u+LHP891dVcJlVN0Ef9i5Sz9iRkkMUknwoTrOK9q1nZNOA+XoLMhCIdyWIPx6jFm 
++PxfZpgEJw6YIeyOSRIPYtH4twuDj50bzQuTTfQ3ph9FdcXVLYwP3BayvfFasGhyJ ++6caqVW9GpMDa/OPvteNmt2WbqaRgcX9CWWOKonhFqkaWAXj0lYFkM65DTzSUKpNt ++oh2MRVA7qyGZ2zlHocNWSplQ8VJlly6ch9O95UEXlSIJFxAi/7NBNuG/CekHQxxQ ++ZhdslUe7LIsujlKS8Fy0bpYsTDPb/g+rUuIHWCOhEC+B0qOYVEf+wcc9jTQjZf6N ++P3zIV4dO+Mc9GVT+d3Kz0y11g1ON0b82qy2ONvRys1NmqXC2vCnXzKCQ6UTHRYt+ ++EdV0nlo59G+lolCnT8t1sW7ezuByA4zWMI6hLyk0NLb8xwPK9BT732RGhzba7a7E ++aArTBsPA3rWvObC1kQWSaw+ule5rmnTL5Q4Jw3qDhgM9b2Bg3hLYP5/UU0INq7kr ++H413Kin0C29T1aNmLfMTfmS5EwARAQABtCZUb20gSHJvbWF0a2EgPHRvbS5ocm9t ++YXRrYUBvcmFjbGUuY29tPokCTgQTAQgAOBYhBEemj843x9cCT9ZeETVs5iwrUkCZ ++BQJdwuAJAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDVs5iwrUkCZNL0P ++/3KFyrWXW5ouPuAzWeMMUZrQmyz31T70iVSS8PtPWb8S2QxQdzgpdVPrvxT+wfq5 ++zJbdz3X5uPvdOXUeyv0bAQRqYQVX/tkz10zu6+m+Bgx0H6I5Xk9F7EDvag1EDDs/ ++BDSLh9VbsTllSaNpLhFjSRj0dVmE1DgaUDX5F66npYMgSIspsAjEI1MZ1PDYQfho ++yxEMiz0ld14yv6HE7hBPekcQW2mAWzlpZmgw9NVIcqShy3znJNGGpQUbLEtGbrv/ ++wRMNWjGWPJyfE5dLDvkfQjrdsTRWv5+Sd5/z3fwp0G8dUq1iWeegu6mFe0KRLB5z ++3lcc+QJSlWetyyoYWOhq1Jzn0QHjakZp2Nb4rtp9/b9TdhvD5cOjpsECmL5qMri1 ++mn/j4F63AG4yLQaYrwwjWzDcz+jQ8wNuyl7cXQFD6UYbywC1tC9DE0VppV2nOirt ++TOPz8+etXMx6sg40STJ4dbYn/gJLhiycSaUAqGkSHpC24FbcvkVwKz5MBUYuLEgN ++H3RyNKVgnb5JWZofE7ehOVCc+VAmzMyobjE+71FRXlPdmqD/im4vYDsqzb15wX79 ++VsXqI0bij+xVYaR7GoQbTfVQ0a6f6slWex6PmKOnZTjfLL7sEu1JhAteqlI9I0Nl ++NJBF/y32T6lQpO+3CJGhY+2rSiCpnI31NMusAkcufnxquQINBF3C4AkBEAC9ReOz ++Yf6nryTLn8lGg6M0kpMX3P7v8GlOV1hZ8hTDlUETpo+xxR3FvNjWEDNyuawCpvNz ++8Pu3OKqxKDIivyVdJNEc335glsMY7BmAevLvAtyfjb0rOzOXqLfhdsn108Nr6Ai+ ++lkMs8xlK2hxGI3qpDHzImOYmhWD4J181gxlj5Gaj8fOyV8JZvfY6AZcei2tzlmHp ++j9SSh7K59trUZtaUDljUeVAEP4KfU1sLEYy3BUzS+eb4Qw1tleui+89E/J4zPrgw ++wuLg5OU+ScTigfbEF/05MMUAySiKieKhp8IFsT41+FXOlotBl0wz6Jbo4HxNtY5P ++trpv6BOrBlYfhfhZeANk4+y5OnLqRjjgTvf1p9CHmsgs6sx/lkNyXpzoxKR89Rzx ++HxnrgUATSa80JK9o/0tPZkN33HKJlkSndPQEM4uLrTsIxvNsBSOPIKC09siMbbBe ++I0t811P1pMh8zvTnRl2FSQjiumLoVhr+xxZ2wWiPxztVQkMLuuWXkzcxQUfuw5nE 
++QCH+WdqYKNmV6rw2kU6j10q0kvvspWPMTbsI/vBY3KyiP1F8dToXiwulNT1U05NG ++J20YbzEHnYEKatBq9ZILLx63c8eLZ6VppkAE0ZlmgsOvn+zIcv81P4x9mDLvuqTO ++zRj/RuDAY6qJHuICpsV3F5A03z9ne/Z9u0mwSwARAQABiQI2BBgBCAAgFiEER6aP ++zjfH1wJP1l4RNWzmLCtSQJkFAl3C4AkCGwwACgkQNWzmLCtSQJkiQA/8Cm07bQf2 ++FIKTdwRECJO7pvpuc3zE1XsSuLyu40qpsWX24Ll97S7cpOK7rN2jSZ6UDoXpNgXV ++iOzma5yiC+GO6UUWxr8xE/CDXeuawxHUt0Xrn+UQnWsirsrZifjVPkXou71QM+ka ++Q9qXy4liOpRaJjf8B7iz3ilgMUACnMcwOVn+jbswLQpNetsKk+vrLwQlILPkWcKG ++xIu1Iro3E7WoIPojHHtT7Co7mSRzaNI00VU7jMwZwXFQL/IbeGsKlaAyxh1BzRLn ++LdPN8hxiYtEq2IG66Uq3EmigtwOvh06d/Qi/gBH6CWxdahRk7HwATyrNvbjfduzN ++nhF+lPA39iKrI5+IGasK6Lp9HklUJD0Q9JK7yac/cUj5LptY/PBFC7eJKHJLyohm ++vlXYgRSeAXEm7uGpU5k/jUZDM4Z1o5JboiNVQoqDWs6iDYJb82cRjKKlvC2d2lFK ++xtBOR3xJZUUsIpoQrstxn1LA5DcBosPvd9ISyIZs38UyJNTz07GUedEpeE3YhLke ++sc6n2iL9D2Yjz/S4ANukxl9YZDW+EFS8LtTchvK11OHWubvWxWFV7txLFmkBYQwk ++2krCi2MVguRZGj8bodqjty1H8ZMfA5NYwAKeyQmsmTHqNmR1Ws/cdQCV7+3q9Rur ++lUtY1AVxx4LtnS16GX+OVCybWzbK1uqLrfo= ++=9JXr ++-----END PGP PUBLIC KEY BLOCK----- diff --cc debian/watch index 0000000,0000000..b4ba68c new file mode 100644 --- /dev/null +++ b/debian/watch @@@ -1,0 -1,0 +1,6 @@@ ++# See uscan(1) for format ++version=4 ++opts="dversionmangle=s/\+dfsg//,pgpsigurlmangle=s/$/.asc/" \ ++https://github.com/seccomp/libseccomp/releases \ ++ /download/v.*/libseccomp-(.*)\.tar\.gz \ ++ debian uupdate
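Review bot: the new debian/upstream/signing-key.asc is a 192-line armored block with nothing in the hunk documenting which upstream keys and fingerprints it contains, so a later key rotation cannot be checked against anything in the packaging; add a `Comment:` header inside the armor (or a note in debian/README.source) listing the key IDs expected to sign libseccomp release tarballs, and consider exporting only what uscan needs, e.g. `gpg --export --export-options export-minimal --armor <keyid>`, so the file stays reviewable.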
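Review bot: in debian/watch the pattern `/download/v.*/libseccomp-(.*)\.tar\.gz` captures the version with an unanchored greedy `(.*)` and only matches `.tar.gz`; uscan's substitutions give a tighter match and cover other archive formats, e.g. `/download/v.*/libseccomp@ANY_VERSION@@ARCHIVE_EXT@`. The `pgpsigurlmangle=s/$/.asc/` option ties this file to debian/upstream/signing-key.asc added in the same commit, so a release signed by a key missing from that file will fail the uscan signature check; that is the intended behaviour and worth stating in the `# See uscan(1) for format` comment so the coupling is not lost when either file is edited.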