script_core 0.2.2 → 0.2.7

Files changed (376)
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +41 -45
  3. data/.travis.yml +2 -1
  4. data/Gemfile +3 -3
  5. data/README.md +7 -1
  6. data/bootstrap.sh +2 -2
  7. data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
  8. data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
  9. data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
  10. data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
  11. data/ext/enterprise_script_service/libseccomp/README.md +21 -1
  12. data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
  13. data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
  14. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
  15. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
  16. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
  17. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
  18. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
  19. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
  20. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
  21. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
  22. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
  23. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
  24. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
  25. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
  26. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
  27. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
  28. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
  29. data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
  30. data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
  31. data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
  32. data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
  33. data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
  34. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
  35. data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
  36. data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
  37. data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
  38. data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
  39. data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
  40. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
  41. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
  42. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
  43. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
  44. data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
  45. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
  46. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
  47. data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
  48. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
  49. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
  50. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
  51. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
  52. data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
  53. data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
  54. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
  55. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
  56. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
  57. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
  58. data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
  59. data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
  60. data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
  61. data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
  62. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
  63. data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
  64. data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
  65. data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
  66. data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
  67. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
  68. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
  69. data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
  70. data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
  71. data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
  72. data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
  73. data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
  74. data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
  75. data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
  76. data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
  77. data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
  78. data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
  79. data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
  80. data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
  81. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
  82. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
  83. data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
  84. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
  85. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
  86. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
  87. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
  88. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
  89. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
  90. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
  91. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
  92. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
  93. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
  94. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
  95. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
  96. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
  97. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
  98. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
  99. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
  100. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
  101. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
  102. data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
  103. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
  104. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
  105. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
  106. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
  107. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
  108. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
  109. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
  110. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
  111. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
  112. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
  113. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
  114. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
  115. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
  116. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
  117. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
  118. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
  119. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
  120. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
  121. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
  122. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
  123. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
  124. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
  125. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
  126. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
  127. data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
  128. data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
  129. data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
  130. data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
  131. data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
  132. data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
  133. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
  134. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
  135. data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
  136. data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
  137. data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
  138. data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
  139. data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
  140. data/ext/enterprise_script_service/mruby/.gitignore +3 -0
  141. data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
  142. data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
  143. data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
  144. data/ext/enterprise_script_service/mruby/LICENSE +1 -1
  145. data/ext/enterprise_script_service/mruby/README.md +6 -2
  146. data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
  147. data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
  148. data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
  149. data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
  150. data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
  151. data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
  152. data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
  153. data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
  154. data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
  155. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
  156. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
  157. data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
  158. data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
  159. data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
  160. data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
  161. data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
  162. data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
  163. data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
  164. data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
  165. data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
  166. data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
  167. data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
  168. data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
  169. data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
  170. data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
  171. data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
  172. data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
  173. data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
  174. data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
  175. data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
  176. data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
  177. data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
  178. data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
  179. data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
  180. data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
  181. data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
  182. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
  183. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
  184. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
  185. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
  186. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
  187. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
  188. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
  189. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
  190. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
  191. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
  192. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
  193. data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
  194. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
  195. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
  196. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
  197. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
  198. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
  199. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
  200. data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
  201. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
  202. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
  203. data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
  204. data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
  205. data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
  206. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
  207. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
  208. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
  209. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
  210. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
  211. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
  212. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
  213. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
  214. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
  215. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
  216. data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
  217. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
  218. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
  219. data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
  220. data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
  221. data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
  222. data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
  223. data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
  224. data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
  225. data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
  226. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
  227. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
  228. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
  229. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
  230. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
  231. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
  232. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
  233. data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
  234. data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
  235. data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
  236. data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
  237. data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
  238. data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
  239. data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
  240. data/ext/enterprise_script_service/mruby/src/array.c +25 -11
  241. data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
  242. data/ext/enterprise_script_service/mruby/src/class.c +48 -32
  243. data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
  244. data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
  245. data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
  246. data/ext/enterprise_script_service/mruby/src/error.c +58 -7
  247. data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
  248. data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
  249. data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
  250. data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
  251. data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
  252. data/ext/enterprise_script_service/mruby/src/load.c +56 -30
  253. data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
  254. data/ext/enterprise_script_service/mruby/src/object.c +23 -5
  255. data/ext/enterprise_script_service/mruby/src/print.c +27 -3
  256. data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
  257. data/ext/enterprise_script_service/mruby/src/range.c +4 -12
  258. data/ext/enterprise_script_service/mruby/src/state.c +34 -11
  259. data/ext/enterprise_script_service/mruby/src/string.c +93 -56
  260. data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
  261. data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
  262. data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
  263. data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
  264. data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
  265. data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
  266. data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
  267. data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
  268. data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
  269. data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
  270. data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
  271. data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
  272. data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
  273. data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
  274. data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
  275. data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
  276. data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
  277. data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
  278. data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
  279. data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
  280. data/ext/enterprise_script_service/msgpack/README.md +3 -2
  281. data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
  282. data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
  283. data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
  284. data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
  285. data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
  286. data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
  287. data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
  288. data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
  289. data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
  290. data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
  291. data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
  292. data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
  293. data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
  294. data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
  295. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
  296. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
  297. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
  298. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
  299. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
  300. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
  301. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
  302. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
  303. data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
  304. data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
  305. data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
  306. data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
  307. data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
  308. data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
  309. data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
  310. data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
  311. data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
  312. data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
  313. data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
  314. data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
  315. data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
  316. data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
  317. data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
  318. data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
  319. data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
  320. data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
  321. data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
  322. data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
  323. data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
  324. data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
  325. data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
  326. data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
  327. data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
  328. data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
  329. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
  330. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
  331. data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
  332. data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
  333. data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
  334. data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
  335. data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
  336. data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
  337. data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
  338. data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
  339. data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
  340. data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
  341. data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
  342. data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
  343. data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
  344. data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
  345. data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
  346. data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
  347. data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
  348. data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
  349. data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
  350. data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
  351. data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
  352. data/lib/script_core/engine.rb +24 -5
  353. data/lib/script_core/executable.rb +4 -3
  354. data/lib/script_core/result.rb +1 -5
  355. data/lib/script_core/service_channel.rb +1 -0
  356. data/lib/script_core/version.rb +1 -1
  357. data/lib/tasks/script_core.rake +3 -1
  358. data/script_core.gemspec +2 -2
  359. data/spec/dummy/app/lib/script_engine.rb +64 -5
  360. metadata +68 -30
  361. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
  362. data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
  363. data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
  364. data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
  365. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
  366. data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
  367. data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
  368. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
  369. data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
  370. data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
  371. data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
  372. data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
  373. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
  374. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
  375. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
  376. data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
@@ -36,7 +36,8 @@ struct bpf_program {
36
36
  #define BPF_PGM_SIZE(x) \
37
37
  ((x)->blk_cnt * sizeof(*((x)->blks)))
38
38
 
39
- struct bpf_program *gen_bpf_generate(const struct db_filter_col *col);
39
+ int gen_bpf_generate(const struct db_filter_col *col,
40
+ struct bpf_program **prgm_ptr);
40
41
  void gen_bpf_release(struct bpf_program *program);
41
42
 
42
43
  #endif
@@ -87,6 +87,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
87
87
  return "s390x";
88
88
  case SCMP_ARCH_S390:
89
89
  return "s390";
90
+ case SCMP_ARCH_RISCV64:
91
+ return "riscv64";
90
92
  default:
91
93
  return "UNKNOWN";
92
94
  }
@@ -241,68 +243,163 @@ static void _gen_pfc_chain(const struct arch_def *arch,
241
243
  *
242
244
  */
243
245
  static void _gen_pfc_syscall(const struct arch_def *arch,
244
- const struct db_sys_list *sys, FILE *fds)
246
+ const struct db_sys_list *sys, FILE *fds,
247
+ int lvl)
245
248
  {
246
249
  unsigned int sys_num = sys->num;
247
250
  const char *sys_name = arch_syscall_resolve_num(arch, sys_num);
248
251
 
249
- _indent(fds, 1);
252
+ _indent(fds, lvl);
250
253
  fprintf(fds, "# filter for syscall \"%s\" (%u) [priority: %d]\n",
251
254
  (sys_name ? sys_name : "UNKNOWN"), sys_num, sys->priority);
252
- _indent(fds, 1);
255
+ _indent(fds, lvl);
253
256
  fprintf(fds, "if ($syscall == %u)\n", sys_num);
254
257
  if (sys->chains == NULL) {
255
- _indent(fds, 2);
258
+ _indent(fds, lvl + 1);
256
259
  _pfc_action(fds, sys->action);
257
260
  } else
258
- _gen_pfc_chain(arch, sys->chains, 2, fds);
261
+ _gen_pfc_chain(arch, sys->chains, lvl + 1, fds);
259
262
  }
260
263
 
261
- /**
262
- * Generate pseudo filter code for an architecture
263
- * @param col the seccomp filter collection
264
- * @param db the single seccomp filter
265
- * @param fds the file stream to send the output
266
- *
267
- * This function generates a pseudo filter code representation of the given
268
- * filter DB and writes it to the given output stream. Returns zero on
269
- * success, negative values on failure.
270
- *
271
- */
272
- static int _gen_pfc_arch(const struct db_filter_col *col,
273
- const struct db_filter *db, FILE *fds)
264
+ #define SYSCALLS_PER_NODE (4)
265
+ static int _get_bintree_levels(unsigned int syscall_cnt,
266
+ uint32_t optimize)
267
+ {
268
+ unsigned int i = 0, max_level;
269
+
270
+ if (optimize != 2)
271
+ /* Only use a binary tree if requested */
272
+ return 0;
273
+
274
+ do {
275
+ max_level = SYSCALLS_PER_NODE << i;
276
+ i++;
277
+ } while(max_level < syscall_cnt);
278
+
279
+ return i;
280
+ }
281
+
282
+ static int _get_bintree_syscall_num(const struct pfc_sys_list *cur,
283
+ int lookahead_cnt,
284
+ int *const num)
274
285
  {
275
- int rc = 0;
286
+ while (lookahead_cnt > 0 && cur != NULL) {
287
+ cur = cur->next;
288
+ lookahead_cnt--;
289
+ }
290
+
291
+ if (cur == NULL)
292
+ return -EFAULT;
293
+
294
+ *num = cur->sys->num;
295
+ return 0;
296
+ }
297
+
298
+ static int _sys_num_sort(struct db_sys_list *syscalls,
299
+ struct pfc_sys_list **p_head)
300
+ {
301
+ struct pfc_sys_list *p_iter = NULL, *p_new, *p_prev;
276
302
  struct db_sys_list *s_iter;
277
- struct pfc_sys_list *p_iter = NULL, *p_new, *p_head = NULL, *p_prev;
278
303
 
279
- /* sort the syscall list */
280
- db_list_foreach(s_iter, db->syscalls) {
304
+ db_list_foreach(s_iter, syscalls) {
281
305
  p_new = zmalloc(sizeof(*p_new));
282
306
  if (p_new == NULL) {
283
- rc = -ENOMEM;
284
- goto arch_return;
307
+ return -ENOMEM;
285
308
  }
286
309
  p_new->sys = s_iter;
287
310
 
288
311
  p_prev = NULL;
289
- p_iter = p_head;
312
+ p_iter = *p_head;
313
+ while (p_iter != NULL &&
314
+ s_iter->num < p_iter->sys->num) {
315
+ p_prev = p_iter;
316
+ p_iter = p_iter->next;
317
+ }
318
+ if (*p_head == NULL)
319
+ *p_head = p_new;
320
+ else if (p_prev == NULL) {
321
+ p_new->next = *p_head;
322
+ *p_head = p_new;
323
+ } else {
324
+ p_new->next = p_iter;
325
+ p_prev->next = p_new;
326
+ }
327
+ }
328
+
329
+ return 0;
330
+ }
331
+
332
+ static int _sys_priority_sort(struct db_sys_list *syscalls,
333
+ struct pfc_sys_list **p_head)
334
+ {
335
+ struct pfc_sys_list *p_iter = NULL, *p_new, *p_prev;
336
+ struct db_sys_list *s_iter;
337
+
338
+ db_list_foreach(s_iter, syscalls) {
339
+ p_new = zmalloc(sizeof(*p_new));
340
+ if (p_new == NULL) {
341
+ return -ENOMEM;
342
+ }
343
+ p_new->sys = s_iter;
344
+
345
+ p_prev = NULL;
346
+ p_iter = *p_head;
290
347
  while (p_iter != NULL &&
291
348
  s_iter->priority < p_iter->sys->priority) {
292
349
  p_prev = p_iter;
293
350
  p_iter = p_iter->next;
294
351
  }
295
- if (p_head == NULL)
296
- p_head = p_new;
352
+ if (*p_head == NULL)
353
+ *p_head = p_new;
297
354
  else if (p_prev == NULL) {
298
- p_new->next = p_head;
299
- p_head = p_new;
355
+ p_new->next = *p_head;
356
+ *p_head = p_new;
300
357
  } else {
301
358
  p_new->next = p_iter;
302
359
  p_prev->next = p_new;
303
360
  }
304
361
  }
305
362
 
363
+ return 0;
364
+ }
365
+
366
+ static int _sys_sort(struct db_sys_list *syscalls,
367
+ struct pfc_sys_list **p_head,
368
+ uint32_t optimize)
369
+ {
370
+ if (optimize != 2)
371
+ return _sys_priority_sort(syscalls, p_head);
372
+ else
373
+ /* sort by number for the binary tree */
374
+ return _sys_num_sort(syscalls, p_head);
375
+ }
376
+
377
+ /**
378
+ * Generate pseudo filter code for an architecture
379
+ * @param col the seccomp filter collection
380
+ * @param db the single seccomp filter
381
+ * @param fds the file stream to send the output
382
+ *
383
+ * This function generates a pseudo filter code representation of the given
384
+ * filter DB and writes it to the given output stream. Returns zero on
385
+ * success, negative values on failure.
386
+ *
387
+ */
388
+ static int _gen_pfc_arch(const struct db_filter_col *col,
389
+ const struct db_filter *db, FILE *fds,
390
+ uint32_t optimize)
391
+ {
392
+ int rc = 0, i = 0, lookahead_num;
393
+ unsigned int syscall_cnt = 0, bintree_levels, level, indent = 1;
394
+ struct pfc_sys_list *p_iter = NULL, *p_head = NULL;
395
+
396
+ /* sort the syscall list */
397
+ rc = _sys_sort(db->syscalls, &p_head, optimize);
398
+ if (rc < 0)
399
+ goto arch_return;
400
+
401
+ bintree_levels = _get_bintree_levels(db->syscall_cnt, optimize);
402
+
306
403
  fprintf(fds, "# filter for arch %s (%u)\n",
307
404
  _pfc_arch(db->arch), db->arch->token_bpf);
308
405
  fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf);
@@ -312,8 +409,40 @@ static int _gen_pfc_arch(const struct db_filter_col *col,
312
409
  p_iter = p_iter->next;
313
410
  continue;
314
411
  }
315
- _gen_pfc_syscall(db->arch, p_iter->sys, fds);
412
+
413
+ for (i = bintree_levels - 1; i > 0; i--) {
414
+ level = SYSCALLS_PER_NODE << i;
415
+
416
+ if (syscall_cnt == 0 || (syscall_cnt % level) == 0) {
417
+ rc = _get_bintree_syscall_num(p_iter, level / 2,
418
+ &lookahead_num);
419
+ if (rc < 0)
420
+ /* We have reached the end of the bintree.
421
+ * There aren't enough syscalls to construct
422
+ * any more if-elses.
423
+ */
424
+ continue;
425
+ _indent(fds, indent);
426
+ fprintf(fds, "if ($syscall > %u)\n", lookahead_num);
427
+ indent++;
428
+ } else if ((syscall_cnt % (level / 2)) == 0) {
429
+ lookahead_num = p_iter->sys->num;
430
+ _indent(fds, indent - 1);
431
+ fprintf(fds, "else # ($syscall <= %u)\n",
432
+ p_iter->sys->num);
433
+ }
434
+
435
+ }
436
+
437
+ _gen_pfc_syscall(db->arch, p_iter->sys, fds, indent);
438
+ syscall_cnt++;
316
439
  p_iter = p_iter->next;
440
+
441
+ /* undo the indentations as the else statements complete */
442
+ for (i = 0; i < bintree_levels; i++) {
443
+ if (syscall_cnt % ((SYSCALLS_PER_NODE * 2) << i) == 0)
444
+ indent--;
445
+ }
317
446
  }
318
447
  _indent(fds, 1);
319
448
  fprintf(fds, "# default action\n");
@@ -328,7 +457,6 @@ arch_return:
328
457
  }
329
458
  return rc;
330
459
  }
331
-
332
460
  /**
333
461
  * Generate a pseudo filter code string representation
334
462
  * @param col the seccomp filter collection
@@ -336,23 +464,22 @@ arch_return:
336
464
  *
337
465
  * This function generates a pseudo filter code representation of the given
338
466
  * filter collection and writes it to the given fd. Returns zero on success,
339
- * negative values on failure.
467
+ * negative errno values on failure.
340
468
  *
341
469
  */
342
470
  int gen_pfc_generate(const struct db_filter_col *col, int fd)
343
471
  {
344
- int rc = 0;
345
472
  int newfd;
346
473
  unsigned int iter;
347
474
  FILE *fds;
348
475
 
349
476
  newfd = dup(fd);
350
477
  if (newfd < 0)
351
- return errno;
478
+ return -errno;
352
479
  fds = fdopen(newfd, "a");
353
480
  if (fds == NULL) {
354
481
  close(newfd);
355
- return errno;
482
+ return -errno;
356
483
  }
357
484
 
358
485
  /* generate the pfc */
@@ -361,7 +488,8 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
361
488
  fprintf(fds, "#\n");
362
489
 
363
490
  for (iter = 0; iter < col->filter_cnt; iter++)
364
- _gen_pfc_arch(col, col->filters[iter], fds);
491
+ _gen_pfc_arch(col, col->filters[iter], fds,
492
+ col->attr.optimize);
365
493
 
366
494
  fprintf(fds, "# invalid architecture action\n");
367
495
  _pfc_action(fds, col->attr.act_badarch);
@@ -372,5 +500,5 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
372
500
  fflush(fds);
373
501
  fclose(fds);
374
502
 
375
- return rc;
503
+ return 0;
376
504
  }
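Review bot: The result of `_gen_pfc_arch` is still discarded in the per-filter loop of gen_pfc_generate, and the function now ends with `return 0;`, so a `-ENOMEM` coming out of `_sys_sort` via `_gen_pfc_arch` is never reported even though the updated header comment promises "negative errno values on failure". Capture the return code, stop at the first failure and return it after the stream is flushed and closed; the rewritten lines are below and the function's other hunks stay as they are. Separately, `_sys_num_sort` and `_sys_priority_sort` are the same insertion loop differing only in the field compared, which could be one helper taking a comparison callback. The loop header `for (i = bintree_levels - 1; i > 0; i--)` skips correctly for `bintree_levels == 0` only because the unsigned wrap converts back to `-1` in the `int` `i`; an explicit `if (bintree_levels > 0)` guard would make that intent visible.
```c
int gen_pfc_generate(const struct db_filter_col *col, int fd)
{
	int rc = 0;
	/* … unchanged: newfd/fds setup and header output … */
	for (iter = 0; iter < col->filter_cnt; iter++) {
		rc = _gen_pfc_arch(col, col->filters[iter], fds,
				   col->attr.optimize);
		if (rc < 0)
			goto generate_return;
	}
	/* … unchanged: invalid architecture action output … */
generate_return:
	fflush(fds);
	fclose(fds);
	return rc;
}
```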
@@ -19,7 +19,8 @@
19
19
  # along with this library; if not, see <http://www.gnu.org/licenses>.
20
20
  #
21
21
 
22
- from libc.stdint cimport uint8_t, uint32_t, uint64_t
22
+ from libc.stdint cimport int8_t, int16_t, int32_t, int64_t
23
+ from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t
23
24
 
24
25
  cdef extern from "seccomp.h":
25
26
 
@@ -50,6 +51,7 @@ cdef extern from "seccomp.h":
50
51
  SCMP_ARCH_PPC64LE
51
52
  SCMP_ARCH_S390
52
53
  SCMP_ARCH_S390X
54
+ SCMP_ARCH_RISCV64
53
55
 
54
56
  cdef enum scmp_filter_attr:
55
57
  SCMP_FLTATR_ACT_DEFAULT
@@ -58,6 +60,9 @@ cdef extern from "seccomp.h":
58
60
  SCMP_FLTATR_CTL_TSYNC
59
61
  SCMP_FLTATR_API_TSKIP
60
62
  SCMP_FLTATR_CTL_LOG
63
+ SCMP_FLTATR_CTL_SSB
64
+ SCMP_FLTATR_CTL_OPTIMIZE
65
+ SCMP_FLTATR_API_SYSRAWRC
61
66
 
62
67
  cdef enum scmp_compare:
63
68
  SCMP_CMP_NE
@@ -74,6 +79,7 @@ cdef extern from "seccomp.h":
74
79
  SCMP_ACT_TRAP
75
80
  SCMP_ACT_LOG
76
81
  SCMP_ACT_ALLOW
82
+ SCMP_ACT_NOTIFY
77
83
  unsigned int SCMP_ACT_ERRNO(int errno)
78
84
  unsigned int SCMP_ACT_TRACE(int value)
79
85
 
@@ -85,6 +91,29 @@ cdef extern from "seccomp.h":
85
91
  scmp_datum_t datum_a
86
92
  scmp_datum_t datum_b
87
93
 
94
+ cdef struct seccomp_data:
95
+ int nr
96
+ uint32_t arch
97
+ uint64_t instruction_pointer
98
+ uint64_t args[6]
99
+
100
+ cdef struct seccomp_notif_sizes:
101
+ uint16_t seccomp_notif
102
+ uint16_t seccomp_notif_resp
103
+ uint16_t seccomp_data
104
+
105
+ cdef struct seccomp_notif:
106
+ uint64_t id
107
+ uint32_t pid
108
+ uint32_t flags
109
+ seccomp_data data
110
+
111
+ cdef struct seccomp_notif_resp:
112
+ uint64_t id
113
+ int64_t val
114
+ int32_t error
115
+ uint32_t flags
116
+
88
117
  scmp_version *seccomp_version()
89
118
 
90
119
  unsigned int seccomp_api_get()
@@ -129,6 +158,13 @@ cdef extern from "seccomp.h":
129
158
  unsigned int arg_cnt,
130
159
  scmp_arg_cmp *arg_array)
131
160
 
161
+ int seccomp_notify_alloc(seccomp_notif **req, seccomp_notif_resp **resp)
162
+ void seccomp_notify_free(seccomp_notif *req, seccomp_notif_resp *resp)
163
+ int seccomp_notify_receive(int fd, seccomp_notif *req)
164
+ int seccomp_notify_respond(int fd, seccomp_notif_resp *resp)
165
+ int seccomp_notify_id_valid(int fd, uint64_t id)
166
+ int seccomp_notify_fd(scmp_filter_ctx ctx)
167
+
132
168
  int seccomp_export_pfc(scmp_filter_ctx ctx, int fd)
133
169
  int seccomp_export_bpf(scmp_filter_ctx ctx, int fd)
134
170
 
@@ -36,6 +36,7 @@ Filter action values:
36
36
  LOG - allow the syscall to be executed after the action has been logged
37
37
  ALLOW - allow the syscall to execute
38
38
  TRAP - a SIGSYS signal will be thrown
39
+ NOTIFY - a notification event will be sent via the notification API
39
40
  ERRNO(x) - syscall will return (x)
40
41
  TRACE(x) - if the process is being traced, (x) will be returned to the
41
42
  tracing process via PTRACE_EVENT_SECCOMP and the
@@ -60,13 +61,18 @@ Example:
60
61
  # create a filter object with a default KILL action
61
62
  f = SyscallFilter(defaction=KILL)
62
63
 
64
+ # add some basic syscalls which python typically wants
65
+ f.add_rule(ALLOW, "rt_sigaction")
66
+ f.add_rule(ALLOW, "rt_sigreturn")
67
+ f.add_rule(ALLOW, "exit_group")
68
+ f.add_rule(ALLOW, "brk")
69
+
63
70
  # add syscall filter rules to allow certain syscalls
64
71
  f.add_rule(ALLOW, "open")
65
72
  f.add_rule(ALLOW, "close")
66
- f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin))
67
- f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout))
68
- f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr))
69
- f.add_rule(ALLOW, "rt_sigreturn")
73
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
74
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
75
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
70
76
 
71
77
  # load the filter into the kernel
72
78
  f.load()
@@ -75,7 +81,9 @@ __author__ = 'Paul Moore <paul@paul-moore.com>'
75
81
  __date__ = "3 February 2017"
76
82
 
77
83
  from cpython.version cimport PY_MAJOR_VERSION
78
- from libc.stdint cimport uint32_t
84
+ from libc.stdint cimport int8_t, int16_t, int32_t, int64_t
85
+ from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t
86
+ from libc.stdlib cimport free
79
87
  import errno
80
88
 
81
89
  cimport libseccomp
@@ -102,6 +110,7 @@ KILL = libseccomp.SCMP_ACT_KILL
102
110
  TRAP = libseccomp.SCMP_ACT_TRAP
103
111
  LOG = libseccomp.SCMP_ACT_LOG
104
112
  ALLOW = libseccomp.SCMP_ACT_ALLOW
113
+ NOTIFY = libseccomp.SCMP_ACT_NOTIFY
105
114
  def ERRNO(int errno):
106
115
  """The action ERRNO(x) means that the syscall will return (x).
107
116
  To conform to Linux syscall calling conventions, the syscall return
@@ -205,6 +214,7 @@ cdef class Arch:
205
214
  PARISC64 - 64-bit PA-RISC
206
215
  PPC64 - 64-bit PowerPC
207
216
  PPC - 32-bit PowerPC
217
+ RISCV64 - 64-bit RISC-V
208
218
  """
209
219
 
210
220
  cdef int _token
@@ -228,6 +238,7 @@ cdef class Arch:
228
238
  PPC64LE = libseccomp.SCMP_ARCH_PPC64LE
229
239
  S390 = libseccomp.SCMP_ARCH_S390
230
240
  S390X = libseccomp.SCMP_ARCH_S390X
241
+ RISCV64 = libseccomp.SCMP_ARCH_RISCV64
231
242
 
232
243
  def __cinit__(self, arch=libseccomp.SCMP_ARCH_NATIVE):
233
244
  """ Initialize the architecture object.
@@ -303,6 +314,15 @@ cdef class Attr:
303
314
  ACT_BADARCH - the filter's bad architecture action
304
315
  CTL_NNP - the filter's "no new privileges" flag
305
316
  CTL_NNP - the filter's thread sync flag
317
+ CTL_TSYNC - sync threads on filter load
318
+ CTL_TSKIP - allow rules with a -1 syscall number
319
+ CTL_LOG - log not-allowed actions
320
+ CTL_SSB - disable SSB mitigations
321
+ CTL_OPTIMIZE - the filter's optimization level:
322
+ 0: currently unused
323
+ 1: rules weighted by priority and complexity (DEFAULT)
324
+ 2: binary tree sorted by syscall number
325
+ API_SYSRAWRC - return the raw syscall codes
306
326
  """
307
327
  ACT_DEFAULT = libseccomp.SCMP_FLTATR_ACT_DEFAULT
308
328
  ACT_BADARCH = libseccomp.SCMP_FLTATR_ACT_BADARCH
@@ -310,6 +330,9 @@ cdef class Attr:
310
330
  CTL_TSYNC = libseccomp.SCMP_FLTATR_CTL_TSYNC
311
331
  API_TSKIP = libseccomp.SCMP_FLTATR_API_TSKIP
312
332
  CTL_LOG = libseccomp.SCMP_FLTATR_CTL_LOG
333
+ CTL_SSB = libseccomp.SCMP_FLTATR_CTL_SSB
334
+ CTL_OPTIMIZE = libseccomp.SCMP_FLTATR_CTL_OPTIMIZE
335
+ API_SYSRAWRC = libseccomp.SCMP_FLTATR_API_SYSRAWRC
313
336
 
314
337
  cdef class Arg:
315
338
  """ Python object representing a SyscallFilter syscall argument.
@@ -344,6 +367,218 @@ cdef class Arg:
344
367
  """
345
368
  return self._arg
346
369
 
370
+ cdef class Notification:
371
+ """ Python object representing a seccomp notification.
372
+ """
373
+ cdef uint64_t _id
374
+ cdef uint32_t _pid
375
+ cdef uint32_t _flags
376
+ cdef int _syscall
377
+ cdef uint32_t _syscall_arch
378
+ cdef uint64_t _syscall_ip
379
+ cdef uint64_t _syscall_args[6]
380
+
381
+ def __cinit__(self, id, pid, flags, syscall, arch, ip, args):
382
+ """ Initialize the notification.
383
+
384
+ Arguments:
385
+ id - the notification ID
386
+ pid - the process ID
387
+ flags - the notification flags
388
+ syscall - the syscall number
389
+ ip - the instruction pointer
390
+ args - list of the six syscall arguments
391
+
392
+ Description:
393
+ Create a seccomp Notification object.
394
+ """
395
+ self._id = id
396
+ self._pid = pid
397
+ self._flags = flags
398
+ self._syscall = syscall
399
+ self._syscall_arch = arch
400
+ self._syscall_ip = ip
401
+ self._syscall_args[0] = args[0]
402
+ self._syscall_args[1] = args[1]
403
+ self._syscall_args[2] = args[2]
404
+ self._syscall_args[3] = args[3]
405
+ self._syscall_args[4] = args[4]
406
+ self._syscall_args[5] = args[5]
407
+
408
+ @property
409
+ def id(self):
410
+ """ Get the seccomp notification ID.
411
+
412
+ Description:
413
+ Get the seccomp notification ID.
414
+ """
415
+ return self._id
416
+
417
+ @property
418
+ def pid(self):
419
+ """ Get the seccomp notification process ID.
420
+
421
+ Description:
422
+ Get the seccomp notification process ID.
423
+ """
424
+ return self._pid
425
+
426
+ @property
427
+ def flags(self):
428
+ """ Get the seccomp notification flags.
429
+
430
+ Description:
431
+ Get the seccomp notification flags.
432
+ """
433
+ return self._flags
434
+
435
+ @property
436
+ def syscall(self):
437
+ """ Get the seccomp notification syscall.
438
+
439
+ Description:
440
+ Get the seccomp notification syscall.
441
+ """
442
+ return self._syscall
443
+
444
+ @property
445
+ def syscall_arch(self):
446
+ """ Get the seccomp notification syscall architecture.
447
+
448
+ Description:
449
+ Get the seccomp notification syscall architecture.
450
+ """
451
+ return self._syscall_arch
452
+
453
+ @property
454
+ def syscall_ip(self):
455
+ """ Get the seccomp notification syscall instruction pointer.
456
+
457
+ Description:
458
+ Get the seccomp notification syscall instruction pointer.
459
+ """
460
+ return self._syscall_ip
461
+
462
+ @property
463
+ def syscall_args(self):
464
+ """ Get the seccomp notification syscall arguments.
465
+
466
+ Description:
467
+ Get the seccomp notification syscall arguments in a six element list.
468
+ """
469
+ return [self._syscall_args[0], self._syscall_args[1],
470
+ self._syscall_args[2], self._syscall_args[3],
471
+ self._syscall_args[4], self._syscall_args[5]]
472
+
473
+ cdef class NotificationResponse:
474
+ """ Python object representing a seccomp notification response.
475
+ """
476
+ cdef uint64_t _id
477
+ cdef int64_t _val
478
+ cdef int32_t _error
479
+ cdef uint32_t _flags
480
+
481
+ def __cinit__(self, notify, val = 0, error = 0, flags = 0):
482
+ """ Initialize the notification response.
483
+
484
+ Arguments:
485
+ notify - a Notification object
486
+ val - the notification response value
487
+ error - the notification response error
488
+ flags - the notification response flags
489
+
490
+ Description:
491
+ Create a seccomp NotificationResponse object.
492
+ """
493
+ self._id = notify.id
494
+ self._val = val
495
+ self._error = error
496
+ self._flags = flags
497
+
498
+ @property
499
+ def id(self):
500
+ """ Get the seccomp notification response ID.
501
+
502
+ Description:
503
+ Get the seccomp notification response ID.
504
+ """
505
+ return self._id
506
+
507
+ @id.setter
508
+ def id(self, value):
509
+ """ Set the seccomp notification response ID.
510
+
511
+ Arguments:
512
+ id - the notification response ID
513
+
514
+ Description:
515
+ Set the seccomp notification response ID.
516
+ """
517
+ self._id = value
518
+
519
+ @property
520
+ def val(self):
521
+ """ Get the seccomp notification response value.
522
+
523
+ Description:
524
+ Get the seccomp notification response value.
525
+ """
526
+ return self._val
527
+
528
+ @val.setter
529
+ def val(self, value):
530
+ """ Set the seccomp notification response value.
531
+
532
+ Arguments:
533
+ val - the notification response value
534
+
535
+ Description:
536
+ Set the seccomp notification response value.
537
+ """
538
+ self._val = value
539
+
540
+ @property
541
+ def error(self):
542
+ """ Get the seccomp notification response error.
543
+
544
+ Description:
545
+ Get the seccomp notification response error.
546
+ """
547
+ return self._error
548
+
549
+ @error.setter
550
+ def error(self, value):
551
+ """ Set the seccomp notification response error.
552
+
553
+ Arguments:
554
+ error - the notification response error
555
+
556
+ Description:
557
+ Set the seccomp notification response error.
558
+ """
559
+ self._error = value
560
+
561
+ @property
562
+ def flags(self):
563
+ """ Get the seccomp notification response flags.
564
+
565
+ Description:
566
+ Get the seccomp notification response flags.
567
+ """
568
+ return self._flags
569
+
570
+ @flags.setter
571
+ def flags(self, value):
572
+ """ Set the seccomp notification response flags.
573
+
574
+ Arguments:
575
+ flags - the notification response flags
576
+
577
+ Description:
578
+ Set the seccomp notification response flags.
579
+ """
580
+ self._flags = value
581
+
347
582
  cdef class SyscallFilter:
348
583
  """ Python object representing a seccomp syscall filter. """
349
584
  cdef int _defaction
@@ -712,6 +947,60 @@ cdef class SyscallFilter:
712
947
  if rc != 0:
713
948
  raise RuntimeError(str.format("Library error (errno = {0})", rc))
714
949
 
950
+ def receive_notify(self):
951
+ """ Receive seccomp notifications.
952
+
953
+ Description:
954
+ Receive a seccomp notification from the system, requires the use of
955
+ the NOTIFY action.
956
+ """
957
+ cdef libseccomp.seccomp_notif *req
958
+
959
+ fd = libseccomp.seccomp_notify_fd(self._ctx)
960
+ if fd < 0:
961
+ raise RuntimeError("Notifications not enabled/active")
962
+ rc = libseccomp.seccomp_notify_alloc(&req, NULL)
963
+ if rc < 0:
964
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
965
+ rc = libseccomp.seccomp_notify_receive(fd, req)
966
+ if rc < 0:
967
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
968
+ rc = libseccomp.seccomp_notify_id_valid(fd, req.id)
969
+ if rc < 0:
970
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
971
+ notify = Notification(req.id, req.pid, req.flags, req.data.nr,
972
+ req.data.arch, req.data.instruction_pointer,
973
+ [req.data.args[0], req.data.args[1],
974
+ req.data.args[2], req.data.args[3],
975
+ req.data.args[4], req.data.args[5]])
976
+ free(req)
977
+ return notify
978
+
979
+ def respond_notify(self, response):
980
+ """ Send a seccomp notification response.
981
+
982
+ Arguments:
983
+ response - the response to send to the system
984
+
985
+ Description:
986
+ Respond to a seccomp notification.
987
+ """
988
+ cdef libseccomp.seccomp_notif_resp *resp
989
+
990
+ fd = libseccomp.seccomp_notify_fd(self._ctx)
991
+ if fd < 0:
992
+ raise RuntimeError("Notifications not enabled/active")
993
+ rc = libseccomp.seccomp_notify_alloc(NULL, &resp)
994
+ if rc < 0:
995
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
996
+ resp.id = response.id
997
+ resp.val = response.val
998
+ resp.error = response.error
999
+ resp.flags = response.flags
1000
+ rc = libseccomp.seccomp_notify_respond(fd, resp)
1001
+ if rc < 0:
1002
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
1003
+
715
1004
  def export_pfc(self, file):
716
1005
  """ Export the filter in PFC format.
717
1006
 
@@ -733,6 +1022,7 @@ cdef class SyscallFilter:
733
1022
  Arguments:
734
1023
  file - the output file
735
1024
 
1025
+ Description:
736
1026
  Output the filter in Berkley Packet Filter (BPF) to the given
737
1027
  file. The output is identical to what is loaded into the
738
1028
  Linux Kernel.
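Review bot: `respond_notify` never releases the `seccomp_notif_resp` that `seccomp_notify_alloc` hands back, and `receive_notify` leaks its `req` on every error path (a failing `seccomp_notify_receive` or `seccomp_notify_id_valid` raises before `free(req)`) while also using libc `free` although the .pxd in this same commit declares `seccomp_notify_free` for exactly this purpose. In both methods keep the allocation outside and run the C calls inside a `try`/`finally` whose `finally` calls `libseccomp.seccomp_notify_free(req, NULL)` or `libseccomp.seccomp_notify_free(NULL, resp)`; the rewritten lines are below and the rest of the class is unchanged. Note also that `seccomp_notify_id_valid` is invoked immediately after the receive, which only shows the target was alive at that instant; a supervisor that inspects the target's state before answering would need to re-validate just before `respond_notify`, so exposing the check as its own method (for example `notify_id_valid(id)`) would be useful — this is inferred from the call order shown here. In the Attr docstring hunk the added line `CTL_TSKIP - allow rules with a -1 syscall number` names a constant the class does not define; the attribute below is `API_TSKIP`.
```cython
    def receive_notify(self):
        # … unchanged: docstring, fd lookup …
        rc = libseccomp.seccomp_notify_alloc(&req, NULL)
        if rc < 0:
            raise RuntimeError(str.format("Library error (errno = {0})", rc))
        try:
            rc = libseccomp.seccomp_notify_receive(fd, req)
            # … unchanged: rc checks, seccomp_notify_id_valid, Notification(...) …
        finally:
            libseccomp.seccomp_notify_free(req, NULL)
        return notify

    def respond_notify(self, response):
        # … unchanged: docstring, fd lookup …
        rc = libseccomp.seccomp_notify_alloc(NULL, &resp)
        if rc < 0:
            raise RuntimeError(str.format("Library error (errno = {0})", rc))
        try:
            # … unchanged: copy id/val/error/flags into resp …
            rc = libseccomp.seccomp_notify_respond(fd, resp)
            if rc < 0:
                raise RuntimeError(str.format("Library error (errno = {0})", rc))
        finally:
            libseccomp.seccomp_notify_free(NULL, resp)
```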