script_core 0.2.2 → 0.2.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +41 -45
- data/.travis.yml +2 -1
- data/Gemfile +3 -3
- data/README.md +7 -1
- data/bootstrap.sh +2 -2
- data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
- data/ext/enterprise_script_service/libseccomp/README.md +21 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
- data/ext/enterprise_script_service/mruby/.gitignore +3 -0
- data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
- data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/LICENSE +1 -1
- data/ext/enterprise_script_service/mruby/README.md +6 -2
- data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
- data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
- data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
- data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
- data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
- data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
- data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
- data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
- data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
- data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
- data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
- data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
- data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
- data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
- data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
- data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
- data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
- data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
- data/ext/enterprise_script_service/mruby/src/array.c +25 -11
- data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
- data/ext/enterprise_script_service/mruby/src/class.c +48 -32
- data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
- data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
- data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
- data/ext/enterprise_script_service/mruby/src/error.c +58 -7
- data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
- data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
- data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
- data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
- data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
- data/ext/enterprise_script_service/mruby/src/load.c +56 -30
- data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
- data/ext/enterprise_script_service/mruby/src/object.c +23 -5
- data/ext/enterprise_script_service/mruby/src/print.c +27 -3
- data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/state.c +34 -11
- data/ext/enterprise_script_service/mruby/src/string.c +93 -56
- data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
- data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
- data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
- data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
- data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
- data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
- data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
- data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
- data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
- data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
- data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
- data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
- data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
- data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
- data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
- data/ext/enterprise_script_service/msgpack/README.md +3 -2
- data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
- data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
- data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
- data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
- data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
- data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
- data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
- data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
- data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
- data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
- data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
- data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
- data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
- data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
- data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
- data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
- data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
- data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
- data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
- data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
- data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
- data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
- data/lib/script_core/engine.rb +24 -5
- data/lib/script_core/executable.rb +4 -3
- data/lib/script_core/result.rb +1 -5
- data/lib/script_core/service_channel.rb +1 -0
- data/lib/script_core/version.rb +1 -1
- data/lib/tasks/script_core.rake +3 -1
- data/script_core.gemspec +2 -2
- data/spec/dummy/app/lib/script_engine.rb +64 -5
- metadata +68 -30
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
- data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
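--- /dev/null
+++ b/data/ext/enterprise_script_service/libseccomp/src/syscalls.h
@@ -0,0 +1,62 @@
+/**
+* Enhanced Seccomp x86_64 Syscall Table
+*
+* Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
+* Author: Paul Moore <paul@paul-moore.com>
+* gperf support: Giuseppe Scrivano <gscrivan@redhat.com>
+*/
+
+#ifndef _SYSCALLS_H
+#define _SYSCALLS_H
+
+#include <stddef.h>
+
+#include "arch-aarch64.h"
+#include "arch-arm.h"
+#include "arch.h"
+#include "arch-mips64.h"
+#include "arch-mips64n32.h"
+#include "arch-mips.h"
+#include "arch-parisc.h"
+#include "arch-ppc64.h"
+#include "arch-ppc.h"
+#include "arch-s390.h"
+#include "arch-s390x.h"
+#include "arch-x32.h"
+#include "arch-x86_64.h"
+#include "arch-x86.h"
+#include "arch-x86.h"
+#include "arch-riscv64.h"
+
+/* NOTE: changes to the arch_syscall_table layout may require changes to the
+* generate_syscalls_perf.sh and arch-syscall-validate scripts */
+struct arch_syscall_table {
+int name;
+int index;
+
+/* each arch listed here must be defined in syscalls.c */
+/* NOTE: see the warning above - BEWARE! */
+int x86;
+int x86_64;
+int x32;
+int arm;
+int aarch64;
+int mips;
+int mips64;
+int mips64n32;
+int parisc;
+int parisc64;
+int ppc;
+int ppc64;
+int riscv64;
+int s390;
+int s390x;
+};
+#define OFFSET_ARCH(NAME) offsetof(struct arch_syscall_table, NAME)
+
+/* defined in syscalls.perf.template */
+int syscall_resolve_name(const char *name, int offset);
+const char *syscall_resolve_num(int num, int offset);
+const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset);
+
+#endif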
@@ -0,0 +1,82 @@
|
|
|
1
|
+
%{
|
|
2
|
+
/**
|
|
3
|
+
* Copyright (c) 2012 Red Hat <pmoore@redhat.com>
|
|
4
|
+
* Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
|
|
5
|
+
* Authors: Paul Moore <paul@paul-moore.com>
|
|
6
|
+
* Giuseppe Scrivano <gscrivan@redhat.com>
|
|
7
|
+
*/
|
|
8
|
+
|
|
9
|
+
/*
|
|
10
|
+
* This library is free software; you can redistribute it and/or modify it
|
|
11
|
+
* under the terms of version 2.1 of the GNU Lesser General Public License as
|
|
12
|
+
* published by the Free Software Foundation.
|
|
13
|
+
*
|
|
14
|
+
* This library is distributed in the hope that it will be useful, but WITHOUT
|
|
15
|
+
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
16
|
+
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
|
17
|
+
* for more details.
|
|
18
|
+
*
|
|
19
|
+
* You should have received a copy of the GNU Lesser General Public License
|
|
20
|
+
* along with this library; if not, see <http://www.gnu.org/licenses>.
|
|
21
|
+
*/
|
|
22
|
+
|
|
23
|
+
#include <seccomp.h>
|
|
24
|
+
#include <string.h>
|
|
25
|
+
#include "syscalls.h"
|
|
26
|
+
|
|
27
|
+
%}
|
|
28
|
+
struct arch_syscall_table;
|
|
29
|
+
|
|
30
|
+
%%
|
|
31
|
+
@@SYSCALLS_TABLE@@
|
|
32
|
+
%%
|
|
33
|
+
|
|
34
|
+
static int syscall_get_offset_value(const struct arch_syscall_table *s,
|
|
35
|
+
int offset)
|
|
36
|
+
{
|
|
37
|
+
return *(int *)((char *)s + offset);
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
int syscall_resolve_name(const char *name, int offset)
|
|
41
|
+
{
|
|
42
|
+
const struct arch_syscall_table *s;
|
|
43
|
+
|
|
44
|
+
s = in_word_set(name, strlen(name));
|
|
45
|
+
if (s == NULL)
|
|
46
|
+
return __NR_SCMP_ERROR;
|
|
47
|
+
|
|
48
|
+
return syscall_get_offset_value(s, offset);
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
const char *syscall_resolve_num(int num, int offset)
|
|
52
|
+
{
|
|
53
|
+
unsigned int iter;
|
|
54
|
+
|
|
55
|
+
for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
|
|
56
|
+
if (syscall_get_offset_value(&wordlist[iter], offset) == num)
|
|
57
|
+
return (stringpool + wordlist[iter].name);
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
return NULL;
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset)
|
|
64
|
+
{
|
|
65
|
+
unsigned int iter;
|
|
66
|
+
/* this is thread-unsafe, only use for testing */
|
|
67
|
+
static struct arch_syscall_def arch_def;
|
|
68
|
+
|
|
69
|
+
arch_def.name = NULL;
|
|
70
|
+
arch_def.num = __NR_SCMP_ERROR;
|
|
71
|
+
|
|
72
|
+
for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
|
|
73
|
+
if (wordlist[iter].index == spot) {
|
|
74
|
+
arch_def.name = stringpool + wordlist[iter].name;
|
|
75
|
+
arch_def.num = syscall_get_offset_value(&wordlist[iter],
|
|
76
|
+
offset);
|
|
77
|
+
return &arch_def;
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
return &arch_def;
|
|
82
|
+
}
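Review bot: `syscall_get_offset_value` (template line 37) dereferences `*(int *)((char *)s + offset)` with no check that `offset` lands on one of the `int` members of `struct arch_syscall_table`, and because all three exported lookups route through it, any caller that passes something other than an `OFFSET_ARCH()` value reads outside the `wordlist` entry. The parameter is also declared `int` while `offsetof` yields `size_t`, so a negative offset is representable and would read before the entry. A cheap guard at the top of the helper covers both: `if (offset < 0 || (size_t)offset > sizeof(*s) - sizeof(int)) return __NR_SCMP_ERROR;`, which is the same sentinel `syscall_resolve_name` already returns for an unknown name. Separately, `wordlist[iter].index == spot` (line 73) compares the `int` member against an `unsigned int` parameter, which -Wsign-compare will flag; casting `spot` or declaring it `int` makes the intended comparison explicit.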
|
|
@@ -26,17 +26,19 @@
|
|
|
26
26
|
#define _GNU_SOURCE
|
|
27
27
|
#include <unistd.h>
|
|
28
28
|
|
|
29
|
+
#include "system.h"
|
|
30
|
+
|
|
29
31
|
#include <seccomp.h>
|
|
30
32
|
|
|
31
33
|
#include "arch.h"
|
|
32
34
|
#include "db.h"
|
|
33
35
|
#include "gen_bpf.h"
|
|
34
|
-
#include "
|
|
36
|
+
#include "helper.h"
|
|
35
37
|
|
|
36
|
-
/* NOTE: the seccomp syscall
|
|
38
|
+
/* NOTE: the seccomp syscall allowlist is currently disabled for testing
|
|
37
39
|
* purposes, but unless we can verify all of the supported ABIs before
|
|
38
|
-
* our next release we may have to enable the
|
|
39
|
-
#define
|
|
40
|
+
* our next release we may have to enable the allowlist */
|
|
41
|
+
#define SYSCALL_ALLOWLIST_ENABLE 0
|
|
40
42
|
|
|
41
43
|
static int _nr_seccomp = -1;
|
|
42
44
|
static int _support_seccomp_syscall = -1;
|
|
@@ -44,6 +46,10 @@ static int _support_seccomp_flag_tsync = -1;
|
|
|
44
46
|
static int _support_seccomp_flag_log = -1;
|
|
45
47
|
static int _support_seccomp_action_log = -1;
|
|
46
48
|
static int _support_seccomp_kill_process = -1;
|
|
49
|
+
static int _support_seccomp_flag_spec_allow = -1;
|
|
50
|
+
static int _support_seccomp_flag_new_listener = -1;
|
|
51
|
+
static int _support_seccomp_user_notif = -1;
|
|
52
|
+
static int _support_seccomp_flag_tsync_esrch = -1;
|
|
47
53
|
|
|
48
54
|
/**
|
|
49
55
|
* Check to see if the seccomp() syscall is supported
|
|
@@ -65,8 +71,8 @@ int sys_chk_seccomp_syscall(void)
|
|
|
65
71
|
if (_support_seccomp_syscall >= 0)
|
|
66
72
|
return _support_seccomp_syscall;
|
|
67
73
|
|
|
68
|
-
#if
|
|
69
|
-
/* architecture
|
|
74
|
+
#if SYSCALL_ALLOWLIST_ENABLE
|
|
75
|
+
/* architecture allowlist */
|
|
70
76
|
switch (arch_def_native->token) {
|
|
71
77
|
case SCMP_ARCH_X86_64:
|
|
72
78
|
case SCMP_ARCH_ARM:
|
|
@@ -75,6 +81,7 @@ int sys_chk_seccomp_syscall(void)
|
|
|
75
81
|
case SCMP_ARCH_PPC64LE:
|
|
76
82
|
case SCMP_ARCH_S390:
|
|
77
83
|
case SCMP_ARCH_S390X:
|
|
84
|
+
case SCMP_ARCH_RISCV64:
|
|
78
85
|
break;
|
|
79
86
|
default:
|
|
80
87
|
goto unsupported;
|
|
@@ -87,7 +94,7 @@ int sys_chk_seccomp_syscall(void)
|
|
|
87
94
|
|
|
88
95
|
/* this is an invalid call because the second argument is non-zero, but
|
|
89
96
|
* depending on the errno value of ENOSYS or EINVAL we can guess if the
|
|
90
|
-
* seccomp()
|
|
97
|
+
* seccomp() syscall is supported or not */
|
|
91
98
|
rc = syscall(nr_seccomp, SECCOMP_SET_MODE_STRICT, 1, NULL);
|
|
92
99
|
if (rc < 0 && errno == EINVAL)
|
|
93
100
|
goto supported;
|
|
@@ -157,6 +164,18 @@ int sys_chk_seccomp_action(uint32_t action)
|
|
|
157
164
|
return _support_seccomp_action_log;
|
|
158
165
|
} else if (action == SCMP_ACT_ALLOW) {
|
|
159
166
|
return 1;
|
|
167
|
+
} else if (action == SCMP_ACT_NOTIFY) {
|
|
168
|
+
if (_support_seccomp_user_notif < 0) {
|
|
169
|
+
struct seccomp_notif_sizes sizes;
|
|
170
|
+
if (sys_chk_seccomp_syscall() == 1 &&
|
|
171
|
+
syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
|
|
172
|
+
&sizes) == 0)
|
|
173
|
+
_support_seccomp_user_notif = 1;
|
|
174
|
+
else
|
|
175
|
+
_support_seccomp_user_notif = 0;
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
return _support_seccomp_user_notif;
|
|
160
179
|
}
|
|
161
180
|
|
|
162
181
|
return 0;
|
|
@@ -172,10 +191,17 @@ int sys_chk_seccomp_action(uint32_t action)
|
|
|
172
191
|
*/
|
|
173
192
|
void sys_set_seccomp_action(uint32_t action, bool enable)
|
|
174
193
|
{
|
|
175
|
-
|
|
194
|
+
switch (action) {
|
|
195
|
+
case SCMP_ACT_LOG:
|
|
176
196
|
_support_seccomp_action_log = (enable ? 1 : 0);
|
|
177
|
-
|
|
197
|
+
break;
|
|
198
|
+
case SCMP_ACT_KILL_PROCESS:
|
|
178
199
|
_support_seccomp_kill_process = (enable ? 1 : 0);
|
|
200
|
+
break;
|
|
201
|
+
case SCMP_ACT_NOTIFY:
|
|
202
|
+
_support_seccomp_user_notif = (enable ? 1 : 0);
|
|
203
|
+
break;
|
|
204
|
+
}
|
|
179
205
|
}
|
|
180
206
|
|
|
181
207
|
/**
|
|
@@ -221,6 +247,20 @@ int sys_chk_seccomp_flag(int flag)
|
|
|
221
247
|
_support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
|
|
222
248
|
|
|
223
249
|
return _support_seccomp_flag_log;
|
|
250
|
+
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
|
|
251
|
+
if (_support_seccomp_flag_spec_allow < 0)
|
|
252
|
+
_support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
|
|
253
|
+
|
|
254
|
+
return _support_seccomp_flag_spec_allow;
|
|
255
|
+
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
|
|
256
|
+
if (_support_seccomp_flag_new_listener < 0)
|
|
257
|
+
_support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
|
|
258
|
+
|
|
259
|
+
return _support_seccomp_flag_new_listener;
|
|
260
|
+
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
|
|
261
|
+
if (_support_seccomp_flag_tsync_esrch < 0)
|
|
262
|
+
_support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
|
|
263
|
+
return _support_seccomp_flag_tsync_esrch;
|
|
224
264
|
}
|
|
225
265
|
|
|
226
266
|
return -EOPNOTSUPP;
|
|
@@ -244,12 +284,22 @@ void sys_set_seccomp_flag(int flag, bool enable)
|
|
|
244
284
|
case SECCOMP_FILTER_FLAG_LOG:
|
|
245
285
|
_support_seccomp_flag_log = (enable ? 1 : 0);
|
|
246
286
|
break;
|
|
287
|
+
case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
|
|
288
|
+
_support_seccomp_flag_spec_allow = (enable ? 1 : 0);
|
|
289
|
+
break;
|
|
290
|
+
case SECCOMP_FILTER_FLAG_NEW_LISTENER:
|
|
291
|
+
_support_seccomp_flag_new_listener = (enable ? 1 : 0);
|
|
292
|
+
break;
|
|
293
|
+
case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
|
|
294
|
+
_support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
|
|
295
|
+
break;
|
|
247
296
|
}
|
|
248
297
|
}
|
|
249
298
|
|
|
250
299
|
/**
|
|
251
300
|
* Loads the filter into the kernel
|
|
252
301
|
* @param col the filter collection
|
|
302
|
+
* @param rawrc pass the raw return code if true
|
|
253
303
|
*
|
|
254
304
|
* This function loads the given seccomp filter context into the kernel. If
|
|
255
305
|
* the filter was loaded correctly, the kernel will be enforcing the filter
|
|
@@ -257,14 +307,15 @@ void sys_set_seccomp_flag(int flag, bool enable)
|
|
|
257
307
|
* error.
|
|
258
308
|
*
|
|
259
309
|
*/
|
|
260
|
-
int sys_filter_load(
|
|
310
|
+
int sys_filter_load(struct db_filter_col *col, bool rawrc)
|
|
261
311
|
{
|
|
262
312
|
int rc;
|
|
313
|
+
bool tsync_notify;
|
|
263
314
|
struct bpf_program *prgm = NULL;
|
|
264
315
|
|
|
265
|
-
|
|
266
|
-
if (
|
|
267
|
-
return
|
|
316
|
+
rc = gen_bpf_generate(col, &prgm);
|
|
317
|
+
if (rc < 0)
|
|
318
|
+
return rc;
|
|
268
319
|
|
|
269
320
|
/* attempt to set NO_NEW_PRIVS */
|
|
270
321
|
if (col->attr.nnp_enable) {
|
|
@@ -273,24 +324,153 @@ int sys_filter_load(const struct db_filter_col *col)
|
|
|
273
324
|
goto filter_load_out;
|
|
274
325
|
}
|
|
275
326
|
|
|
327
|
+
tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
|
|
328
|
+
|
|
276
329
|
/* load the filter into the kernel */
|
|
277
330
|
if (sys_chk_seccomp_syscall() == 1) {
|
|
278
331
|
int flgs = 0;
|
|
279
|
-
if (
|
|
332
|
+
if (tsync_notify) {
|
|
333
|
+
if (col->attr.tsync_enable)
|
|
334
|
+
flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
|
|
335
|
+
SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
|
|
336
|
+
if (_support_seccomp_user_notif > 0)
|
|
337
|
+
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
|
338
|
+
} else if (col->attr.tsync_enable)
|
|
280
339
|
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
|
|
340
|
+
else if (_support_seccomp_user_notif > 0)
|
|
341
|
+
flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
|
|
281
342
|
if (col->attr.log_enable)
|
|
282
343
|
flgs |= SECCOMP_FILTER_FLAG_LOG;
|
|
344
|
+
if (col->attr.spec_allow)
|
|
345
|
+
flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
|
|
283
346
|
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
|
|
284
|
-
if (rc > 0
|
|
347
|
+
if (tsync_notify && rc > 0) {
|
|
348
|
+
/* return 0 on NEW_LISTENER success, but save the fd */
|
|
349
|
+
col->notify_fd = rc;
|
|
350
|
+
rc = 0;
|
|
351
|
+
} else if (rc > 0 && col->attr.tsync_enable) {
|
|
285
352
|
/* always return -ESRCH if we fail to sync threads */
|
|
286
353
|
errno = ESRCH;
|
|
354
|
+
rc = -errno;
|
|
355
|
+
} else if (rc > 0 && _support_seccomp_user_notif > 0) {
|
|
356
|
+
/* return 0 on NEW_LISTENER success, but save the fd */
|
|
357
|
+
col->notify_fd = rc;
|
|
358
|
+
rc = 0;
|
|
359
|
+
}
|
|
287
360
|
} else
|
|
288
361
|
rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prgm);
|
|
289
362
|
|
|
290
363
|
filter_load_out:
|
|
291
364
|
/* cleanup and return */
|
|
292
365
|
gen_bpf_release(prgm);
|
|
366
|
+
if (rc == -ESRCH)
|
|
367
|
+
return -ESRCH;
|
|
293
368
|
if (rc < 0)
|
|
294
|
-
return -errno;
|
|
369
|
+
return (rawrc ? -errno : -ECANCELED);
|
|
370
|
+
return rc;
|
|
371
|
+
}
|
|
372
|
+
|
|
373
|
+
/**
|
|
374
|
+
* Allocate a pair of notification request/response structures
|
|
375
|
+
* @param req the request location
|
|
376
|
+
* @param resp the response location
|
|
377
|
+
*
|
|
378
|
+
* This function allocates a pair of request/response structure by computing
|
|
379
|
+
* the correct sized based on the currently running kernel. It returns zero on
|
|
380
|
+
* success, and negative values on failure.
|
|
381
|
+
*
|
|
382
|
+
*/
|
|
383
|
+
int sys_notify_alloc(struct seccomp_notif **req,
|
|
384
|
+
struct seccomp_notif_resp **resp)
|
|
385
|
+
{
|
|
386
|
+
int rc;
|
|
387
|
+
static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
|
|
388
|
+
|
|
389
|
+
if (_support_seccomp_syscall <= 0)
|
|
390
|
+
return -EOPNOTSUPP;
|
|
391
|
+
|
|
392
|
+
if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
|
|
393
|
+
rc = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
|
|
394
|
+
if (rc < 0)
|
|
395
|
+
return -ECANCELED;
|
|
396
|
+
}
|
|
397
|
+
if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
|
|
398
|
+
return -EFAULT;
|
|
399
|
+
|
|
400
|
+
if (req) {
|
|
401
|
+
*req = zmalloc(sizes.seccomp_notif);
|
|
402
|
+
if (!*req)
|
|
403
|
+
return -ENOMEM;
|
|
404
|
+
}
|
|
405
|
+
|
|
406
|
+
if (resp) {
|
|
407
|
+
*resp = zmalloc(sizes.seccomp_notif_resp);
|
|
408
|
+
if (!*resp) {
|
|
409
|
+
if (req)
|
|
410
|
+
free(*req);
|
|
411
|
+
return -ENOMEM;
|
|
412
|
+
}
|
|
413
|
+
}
|
|
414
|
+
|
|
415
|
+
return 0;
|
|
416
|
+
}
|
|
417
|
+
|
|
418
|
+
/**
|
|
419
|
+
* Receive a notification from a seccomp notification fd
|
|
420
|
+
* @param fd the notification fd
|
|
421
|
+
* @param req the request buffer to save into
|
|
422
|
+
*
|
|
423
|
+
* Blocks waiting for a notification on this fd. This function is thread safe
|
|
424
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
|
425
|
+
* negative values on error.
|
|
426
|
+
*
|
|
427
|
+
*/
|
|
428
|
+
int sys_notify_receive(int fd, struct seccomp_notif *req)
|
|
429
|
+
{
|
|
430
|
+
if (_support_seccomp_user_notif <= 0)
|
|
431
|
+
return -EOPNOTSUPP;
|
|
432
|
+
|
|
433
|
+
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
|
|
434
|
+
return -ECANCELED;
|
|
435
|
+
|
|
436
|
+
return 0;
|
|
437
|
+
}
|
|
438
|
+
|
|
439
|
+
/**
|
|
440
|
+
* Send a notification response to a seccomp notification fd
|
|
441
|
+
* @param fd the notification fd
|
|
442
|
+
* @param resp the response buffer to use
|
|
443
|
+
*
|
|
444
|
+
* Sends a notification response on this fd. This function is thread safe
|
|
445
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
|
446
|
+
* negative values on error.
|
|
447
|
+
*
|
|
448
|
+
*/
|
|
449
|
+
int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
|
|
450
|
+
{
|
|
451
|
+
if (_support_seccomp_user_notif <= 0)
|
|
452
|
+
return -EOPNOTSUPP;
|
|
453
|
+
|
|
454
|
+
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
|
|
455
|
+
return -ECANCELED;
|
|
456
|
+
return 0;
|
|
457
|
+
}
|
|
458
|
+
|
|
459
|
+
/**
|
|
460
|
+
* Check if a notification id is still valid
|
|
461
|
+
* @param fd the notification fd
|
|
462
|
+
* @param id the id to test
|
|
463
|
+
*
|
|
464
|
+
* Checks to see if a notification id is still valid. Returns 0 on success, and
|
|
465
|
+
* negative values on failure.
|
|
466
|
+
*
|
|
467
|
+
*/
|
|
468
|
+
int sys_notify_id_valid(int fd, uint64_t id)
|
|
469
|
+
{
|
|
470
|
+
if (_support_seccomp_user_notif <= 0)
|
|
471
|
+
return -EOPNOTSUPP;
|
|
472
|
+
|
|
473
|
+
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
|
|
474
|
+
return -ENOENT;
|
|
295
475
|
return 0;
|
|
296
476
|
}
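Review bot: `sys_notify_alloc` (new lines 389–393) gates on the raw cache `_support_seccomp_syscall <= 0` instead of calling `sys_chk_seccomp_syscall()`, so if nothing has probed the kernel yet the variable is still its initial -1 and the function reports -EOPNOTSUPP on a kernel that does support notifications; it also issues the probe through `__NR_seccomp` rather than the `_nr_seccomp` number that `sys_chk_seccomp_syscall()` resolves and that the rest of the file uses (the `SECCOMP_GET_NOTIF_SIZES` probe in `sys_chk_seccomp_action` and the load in `sys_filter_load`). Changing the guard to `if (sys_chk_seccomp_syscall() != 1) return -EOPNOTSUPP;` and the probe to `rc = syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);` keeps syscall detection in one place. Whether every public caller already forces the probe before reaching here cannot be seen from this hunk. On the `resp` allocation failure path, `free(*req)` leaves `*req` dangling for the caller; adding `*req = NULL;` after the free avoids a double free if the caller releases both buffers on error.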
|