script_core 0.2.2 → 0.2.7

Files changed (376)
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +41 -45
  3. data/.travis.yml +2 -1
  4. data/Gemfile +3 -3
  5. data/README.md +7 -1
  6. data/bootstrap.sh +2 -2
  7. data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
  8. data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
  9. data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
  10. data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
  11. data/ext/enterprise_script_service/libseccomp/README.md +21 -1
  12. data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
  13. data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
  14. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
  15. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
  16. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
  17. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
  18. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
  19. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
  20. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
  21. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
  22. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
  23. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
  24. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
  25. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
  26. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
  27. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
  28. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
  29. data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
  30. data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
  31. data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
  32. data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
  33. data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
  34. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
  35. data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
  36. data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
  37. data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
  38. data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
  39. data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
  40. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
  41. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
  42. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
  43. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
  44. data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
  45. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
  46. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
  47. data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
  48. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
  49. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
  50. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
  51. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
  52. data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
  53. data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
  54. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
  55. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
  56. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
  57. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
  58. data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
  59. data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
  60. data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
  61. data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
  62. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
  63. data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
  64. data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
  65. data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
  66. data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
  67. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
  68. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
  69. data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
  70. data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
  71. data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
  72. data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
  73. data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
  74. data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
  75. data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
  76. data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
  77. data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
  78. data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
  79. data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
  80. data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
  81. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
  82. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
  83. data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
  84. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
  85. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
  86. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
  87. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
  88. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
  89. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
  90. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
  91. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
  92. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
  93. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
  94. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
  95. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
  96. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
  97. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
  98. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
  99. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
  100. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
  101. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
  102. data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
  103. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
  104. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
  105. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
  106. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
  107. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
  108. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
  109. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
  110. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
  111. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
  112. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
  113. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
  114. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
  115. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
  116. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
  117. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
  118. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
  119. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
  120. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
  121. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
  122. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
  123. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
  124. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
  125. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
  126. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
  127. data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
  128. data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
  129. data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
  130. data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
  131. data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
  132. data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
  133. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
  134. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
  135. data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
  136. data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
  137. data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
  138. data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
  139. data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
  140. data/ext/enterprise_script_service/mruby/.gitignore +3 -0
  141. data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
  142. data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
  143. data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
  144. data/ext/enterprise_script_service/mruby/LICENSE +1 -1
  145. data/ext/enterprise_script_service/mruby/README.md +6 -2
  146. data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
  147. data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
  148. data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
  149. data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
  150. data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
  151. data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
  152. data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
  153. data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
  154. data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
  155. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
  156. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
  157. data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
  158. data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
  159. data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
  160. data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
  161. data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
  162. data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
  163. data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
  164. data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
  165. data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
  166. data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
  167. data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
  168. data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
  169. data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
  170. data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
  171. data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
  172. data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
  173. data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
  174. data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
  175. data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
  176. data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
  177. data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
  178. data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
  179. data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
  180. data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
  181. data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
  182. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
  183. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
  184. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
  185. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
  186. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
  187. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
  188. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
  189. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
  190. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
  191. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
  192. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
  193. data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
  194. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
  195. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
  196. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
  197. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
  198. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
  199. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
  200. data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
  201. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
  202. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
  203. data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
  204. data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
  205. data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
  206. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
  207. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
  208. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
  209. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
  210. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
  211. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
  212. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
  213. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
  214. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
  215. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
  216. data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
  217. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
  218. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
  219. data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
  220. data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
  221. data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
  222. data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
  223. data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
  224. data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
  225. data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
  226. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
  227. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
  228. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
  229. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
  230. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
  231. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
  232. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
  233. data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
  234. data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
  235. data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
  236. data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
  237. data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
  238. data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
  239. data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
  240. data/ext/enterprise_script_service/mruby/src/array.c +25 -11
  241. data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
  242. data/ext/enterprise_script_service/mruby/src/class.c +48 -32
  243. data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
  244. data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
  245. data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
  246. data/ext/enterprise_script_service/mruby/src/error.c +58 -7
  247. data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
  248. data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
  249. data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
  250. data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
  251. data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
  252. data/ext/enterprise_script_service/mruby/src/load.c +56 -30
  253. data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
  254. data/ext/enterprise_script_service/mruby/src/object.c +23 -5
  255. data/ext/enterprise_script_service/mruby/src/print.c +27 -3
  256. data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
  257. data/ext/enterprise_script_service/mruby/src/range.c +4 -12
  258. data/ext/enterprise_script_service/mruby/src/state.c +34 -11
  259. data/ext/enterprise_script_service/mruby/src/string.c +93 -56
  260. data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
  261. data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
  262. data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
  263. data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
  264. data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
  265. data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
  266. data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
  267. data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
  268. data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
  269. data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
  270. data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
  271. data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
  272. data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
  273. data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
  274. data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
  275. data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
  276. data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
  277. data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
  278. data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
  279. data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
  280. data/ext/enterprise_script_service/msgpack/README.md +3 -2
  281. data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
  282. data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
  283. data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
  284. data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
  285. data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
  286. data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
  287. data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
  288. data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
  289. data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
  290. data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
  291. data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
  292. data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
  293. data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
  294. data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
  295. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
  296. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
  297. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
  298. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
  299. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
  300. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
  301. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
  302. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
  303. data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
  304. data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
  305. data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
  306. data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
  307. data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
  308. data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
  309. data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
  310. data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
  311. data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
  312. data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
  313. data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
  314. data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
  315. data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
  316. data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
  317. data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
  318. data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
  319. data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
  320. data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
  321. data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
  322. data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
  323. data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
  324. data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
  325. data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
  326. data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
  327. data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
  328. data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
  329. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
  330. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
  331. data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
  332. data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
  333. data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
  334. data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
  335. data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
  336. data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
  337. data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
  338. data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
  339. data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
  340. data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
  341. data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
  342. data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
  343. data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
  344. data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
  345. data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
  346. data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
  347. data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
  348. data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
  349. data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
  350. data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
  351. data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
  352. data/lib/script_core/engine.rb +24 -5
  353. data/lib/script_core/executable.rb +4 -3
  354. data/lib/script_core/result.rb +1 -5
  355. data/lib/script_core/service_channel.rb +1 -0
  356. data/lib/script_core/version.rb +1 -1
  357. data/lib/tasks/script_core.rake +3 -1
  358. data/script_core.gemspec +2 -2
  359. data/spec/dummy/app/lib/script_engine.rb +64 -5
  360. metadata +68 -30
  361. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
  362. data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
  363. data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
  364. data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
  365. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
  366. data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
  367. data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
  368. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
  369. data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
  370. data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
  371. data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
  372. data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
  373. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
  374. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
  375. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
  376. data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
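--- a/data/ext/enterprise_script_service/libseccomp/src/syscalls.h
+++ b/data/ext/enterprise_script_service/libseccomp/src/syscalls.h
@@ -0,0 +1,62 @@
+/**
+* Enhanced Seccomp x86_64 Syscall Table
+*
+* Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
+* Author: Paul Moore <paul@paul-moore.com>
+* gperf support: Giuseppe Scrivano <gscrivan@redhat.com>
+*/
+
+#ifndef _SYSCALLS_H
+#define _SYSCALLS_H
+
+#include <stddef.h>
+
+#include "arch-aarch64.h"
+#include "arch-arm.h"
+#include "arch.h"
+#include "arch-mips64.h"
+#include "arch-mips64n32.h"
+#include "arch-mips.h"
+#include "arch-parisc.h"
+#include "arch-ppc64.h"
+#include "arch-ppc.h"
+#include "arch-s390.h"
+#include "arch-s390x.h"
+#include "arch-x32.h"
+#include "arch-x86_64.h"
+#include "arch-x86.h"
+#include "arch-x86.h"
+#include "arch-riscv64.h"
+
+/* NOTE: changes to the arch_syscall_table layout may require changes to the
+* generate_syscalls_perf.sh and arch-syscall-validate scripts */
+struct arch_syscall_table {
+int name;
+int index;
+
+/* each arch listed here must be defined in syscalls.c */
+/* NOTE: see the warning above - BEWARE! */
+int x86;
+int x86_64;
+int x32;
+int arm;
+int aarch64;
+int mips;
+int mips64;
+int mips64n32;
+int parisc;
+int parisc64;
+int ppc;
+int ppc64;
+int riscv64;
+int s390;
+int s390x;
+};
+#define OFFSET_ARCH(NAME) offsetof(struct arch_syscall_table, NAME)
+
+/* defined in syscalls.perf.template */
+int syscall_resolve_name(const char *name, int offset);
+const char *syscall_resolve_num(int num, int offset);
+const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset);
+
+#endif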
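Review bot: `#include "arch-x86.h"` appears twice in the include list (new-file lines 27 and 28); the second copy looks like a leftover, and `arch-parisc64.h` — which this same release adds per the diffstat and whose `parisc64` field is in the struct below — is the one arch header not listed, so check whether that was the intended line. The guard macro `_SYSCALLS_H` is a reserved identifier (leading underscore followed by an uppercase letter); `SYSCALLS_H` or `LIBSECCOMP_SYSCALLS_H` avoids the collision. The three prototypes at the bottom take an `int offset` with nothing tying it to `OFFSET_ARCH()`, and the template implementation reads `*(int *)((char *)s + offset)` with that value; a one-line comment such as `/* offset must be an OFFSET_ARCH(<arch>) value for this struct; any other offset reads outside the table entry */` would make the contract visible to callers. The file comment still says "x86_64 Syscall Table" although this header is now architecture-independent.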
@@ -0,0 +1,82 @@
1
+ %{
2
+ /**
3
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
4
+ * Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
5
+ * Authors: Paul Moore <paul@paul-moore.com>
6
+ * Giuseppe Scrivano <gscrivan@redhat.com>
7
+ */
8
+
9
+ /*
10
+ * This library is free software; you can redistribute it and/or modify it
11
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
12
+ * published by the Free Software Foundation.
13
+ *
14
+ * This library is distributed in the hope that it will be useful, but WITHOUT
15
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
16
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
17
+ * for more details.
18
+ *
19
+ * You should have received a copy of the GNU Lesser General Public License
20
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
21
+ */
22
+
23
+ #include <seccomp.h>
24
+ #include <string.h>
25
+ #include "syscalls.h"
26
+
27
+ %}
28
+ struct arch_syscall_table;
29
+
30
+ %%
31
+ @@SYSCALLS_TABLE@@
32
+ %%
33
+
34
+ static int syscall_get_offset_value(const struct arch_syscall_table *s,
35
+ int offset)
36
+ {
37
+ return *(int *)((char *)s + offset);
38
+ }
39
+
40
+ int syscall_resolve_name(const char *name, int offset)
41
+ {
42
+ const struct arch_syscall_table *s;
43
+
44
+ s = in_word_set(name, strlen(name));
45
+ if (s == NULL)
46
+ return __NR_SCMP_ERROR;
47
+
48
+ return syscall_get_offset_value(s, offset);
49
+ }
50
+
51
+ const char *syscall_resolve_num(int num, int offset)
52
+ {
53
+ unsigned int iter;
54
+
55
+ for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
56
+ if (syscall_get_offset_value(&wordlist[iter], offset) == num)
57
+ return (stringpool + wordlist[iter].name);
58
+ }
59
+
60
+ return NULL;
61
+ }
62
+
63
+ const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset)
64
+ {
65
+ unsigned int iter;
66
+ /* this is thread-unsafe, only use for testing */
67
+ static struct arch_syscall_def arch_def;
68
+
69
+ arch_def.name = NULL;
70
+ arch_def.num = __NR_SCMP_ERROR;
71
+
72
+ for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
73
+ if (wordlist[iter].index == spot) {
74
+ arch_def.name = stringpool + wordlist[iter].name;
75
+ arch_def.num = syscall_get_offset_value(&wordlist[iter],
76
+ offset);
77
+ return &arch_def;
78
+ }
79
+ }
80
+
81
+ return &arch_def;
82
+ }
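Review bot: `syscall_get_offset_value` dereferences `(char *)s + offset` with no check that `offset` is a non-negative, in-bounds, int-aligned byte offset into `struct arch_syscall_table`, and the three exported functions pass their `offset` argument straight through, so a caller supplying anything other than an `OFFSET_ARCH()` value reads outside the table entry. A guard at the top of each exported function, `if (offset < 0 || (size_t)offset + sizeof(int) > sizeof(struct arch_syscall_table)) return __NR_SCMP_ERROR;` (returning `NULL` from `syscall_resolve_num` and the cleared `&arch_def` from `syscall_iterate`), confines the unchecked cast to validated input; presumably all current callers go through `OFFSET_ARCH`, so this is defence in depth rather than a live fault. Separately, `wordlist[iter].index == spot` compares the `int` member with the `unsigned int` parameter, which `-Wsign-compare` flags, and an explicit cast on one side would state the intended comparison. `syscall_resolve_name` also hands `name` to `strlen()` without a NULL check, so the non-NULL precondition belongs on its prototype in `syscalls.h`.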
@@ -26,17 +26,19 @@
26
26
  #define _GNU_SOURCE
27
27
  #include <unistd.h>
28
28
 
29
+ #include "system.h"
30
+
29
31
  #include <seccomp.h>
30
32
 
31
33
  #include "arch.h"
32
34
  #include "db.h"
33
35
  #include "gen_bpf.h"
34
- #include "system.h"
36
+ #include "helper.h"
35
37
 
36
- /* NOTE: the seccomp syscall whitelist is currently disabled for testing
38
+ /* NOTE: the seccomp syscall allowlist is currently disabled for testing
37
39
  * purposes, but unless we can verify all of the supported ABIs before
38
- * our next release we may have to enable the whitelist */
39
- #define SYSCALL_WHITELIST_ENABLE 0
40
+ * our next release we may have to enable the allowlist */
41
+ #define SYSCALL_ALLOWLIST_ENABLE 0
40
42
 
41
43
  static int _nr_seccomp = -1;
42
44
  static int _support_seccomp_syscall = -1;
@@ -44,6 +46,10 @@ static int _support_seccomp_flag_tsync = -1;
44
46
  static int _support_seccomp_flag_log = -1;
45
47
  static int _support_seccomp_action_log = -1;
46
48
  static int _support_seccomp_kill_process = -1;
49
+ static int _support_seccomp_flag_spec_allow = -1;
50
+ static int _support_seccomp_flag_new_listener = -1;
51
+ static int _support_seccomp_user_notif = -1;
52
+ static int _support_seccomp_flag_tsync_esrch = -1;
47
53
 
48
54
  /**
49
55
  * Check to see if the seccomp() syscall is supported
@@ -65,8 +71,8 @@ int sys_chk_seccomp_syscall(void)
65
71
  if (_support_seccomp_syscall >= 0)
66
72
  return _support_seccomp_syscall;
67
73
 
68
- #if SYSCALL_WHITELIST_ENABLE
69
- /* architecture whitelist */
74
+ #if SYSCALL_ALLOWLIST_ENABLE
75
+ /* architecture allowlist */
70
76
  switch (arch_def_native->token) {
71
77
  case SCMP_ARCH_X86_64:
72
78
  case SCMP_ARCH_ARM:
@@ -75,6 +81,7 @@ int sys_chk_seccomp_syscall(void)
75
81
  case SCMP_ARCH_PPC64LE:
76
82
  case SCMP_ARCH_S390:
77
83
  case SCMP_ARCH_S390X:
84
+ case SCMP_ARCH_RISCV64:
78
85
  break;
79
86
  default:
80
87
  goto unsupported;
@@ -87,7 +94,7 @@ int sys_chk_seccomp_syscall(void)
87
94
 
88
95
  /* this is an invalid call because the second argument is non-zero, but
89
96
  * depending on the errno value of ENOSYS or EINVAL we can guess if the
90
- * seccomp() syscal is supported or not */
97
+ * seccomp() syscall is supported or not */
91
98
  rc = syscall(nr_seccomp, SECCOMP_SET_MODE_STRICT, 1, NULL);
92
99
  if (rc < 0 && errno == EINVAL)
93
100
  goto supported;
@@ -157,6 +164,18 @@ int sys_chk_seccomp_action(uint32_t action)
157
164
  return _support_seccomp_action_log;
158
165
  } else if (action == SCMP_ACT_ALLOW) {
159
166
  return 1;
167
+ } else if (action == SCMP_ACT_NOTIFY) {
168
+ if (_support_seccomp_user_notif < 0) {
169
+ struct seccomp_notif_sizes sizes;
170
+ if (sys_chk_seccomp_syscall() == 1 &&
171
+ syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
172
+ &sizes) == 0)
173
+ _support_seccomp_user_notif = 1;
174
+ else
175
+ _support_seccomp_user_notif = 0;
176
+ }
177
+
178
+ return _support_seccomp_user_notif;
160
179
  }
161
180
 
162
181
  return 0;
@@ -172,10 +191,17 @@ int sys_chk_seccomp_action(uint32_t action)
172
191
  */
173
192
  void sys_set_seccomp_action(uint32_t action, bool enable)
174
193
  {
175
- if (action == SCMP_ACT_LOG)
194
+ switch (action) {
195
+ case SCMP_ACT_LOG:
176
196
  _support_seccomp_action_log = (enable ? 1 : 0);
177
- else if (action == SCMP_ACT_KILL_PROCESS)
197
+ break;
198
+ case SCMP_ACT_KILL_PROCESS:
178
199
  _support_seccomp_kill_process = (enable ? 1 : 0);
200
+ break;
201
+ case SCMP_ACT_NOTIFY:
202
+ _support_seccomp_user_notif = (enable ? 1 : 0);
203
+ break;
204
+ }
179
205
  }
180
206
 
181
207
  /**
@@ -221,6 +247,20 @@ int sys_chk_seccomp_flag(int flag)
221
247
  _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
222
248
 
223
249
  return _support_seccomp_flag_log;
250
+ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
251
+ if (_support_seccomp_flag_spec_allow < 0)
252
+ _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
253
+
254
+ return _support_seccomp_flag_spec_allow;
255
+ case SECCOMP_FILTER_FLAG_NEW_LISTENER:
256
+ if (_support_seccomp_flag_new_listener < 0)
257
+ _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
258
+
259
+ return _support_seccomp_flag_new_listener;
260
+ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
261
+ if (_support_seccomp_flag_tsync_esrch < 0)
262
+ _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
263
+ return _support_seccomp_flag_tsync_esrch;
224
264
  }
225
265
 
226
266
  return -EOPNOTSUPP;
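Review bot: The new `SECCOMP_FILTER_FLAG_TSYNC_ESRCH` case is laid out differently from its siblings: the `SPEC_ALLOW` and `NEW_LISTENER` cases (and the existing `LOG` case above) separate the lazy probe from the `return` with a blank line, while the `TSYNC_ESRCH` case runs `return _support_seccomp_flag_tsync_esrch;` directly after the assignment. Adding the blank line keeps the three new cases uniform with the rest of the switch. The switch and sys_chk_seccomp_flag's header begin before this hunk.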
@@ -244,12 +284,22 @@ void sys_set_seccomp_flag(int flag, bool enable)
244
284
  case SECCOMP_FILTER_FLAG_LOG:
245
285
  _support_seccomp_flag_log = (enable ? 1 : 0);
246
286
  break;
287
+ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
288
+ _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
289
+ break;
290
+ case SECCOMP_FILTER_FLAG_NEW_LISTENER:
291
+ _support_seccomp_flag_new_listener = (enable ? 1 : 0);
292
+ break;
293
+ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
294
+ _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
295
+ break;
247
296
  }
248
297
  }
249
298
 
250
299
  /**
251
300
  * Loads the filter into the kernel
252
301
  * @param col the filter collection
302
+ * @param rawrc pass the raw return code if true
253
303
  *
254
304
  * This function loads the given seccomp filter context into the kernel. If
255
305
  * the filter was loaded correctly, the kernel will be enforcing the filter
@@ -257,14 +307,15 @@ void sys_set_seccomp_flag(int flag, bool enable)
257
307
  * error.
258
308
  *
259
309
  */
260
- int sys_filter_load(const struct db_filter_col *col)
310
+ int sys_filter_load(struct db_filter_col *col, bool rawrc)
261
311
  {
262
312
  int rc;
313
+ bool tsync_notify;
263
314
  struct bpf_program *prgm = NULL;
264
315
 
265
- prgm = gen_bpf_generate(col);
266
- if (prgm == NULL)
267
- return -ENOMEM;
316
+ rc = gen_bpf_generate(col, &prgm);
317
+ if (rc < 0)
318
+ return rc;
268
319
 
269
320
  /* attempt to set NO_NEW_PRIVS */
270
321
  if (col->attr.nnp_enable) {
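Review bot: The new `@param rawrc pass the raw return code if true` line does not say what the alternative is; from the tail of the function in the next hunk a false `rawrc` collapses every failure to `-ECANCELED`, so `@param rawrc return the raw -errno on failure instead of -ECANCELED` would describe the actual contract. The block comment should also record that `col` is no longer `const` because a successful NEW_LISTENER load stores the notification fd in `col->notify_fd`, which is the only way callers learn the fd. sys_filter_load's body continues past this hunk.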
@@ -273,24 +324,153 @@ int sys_filter_load(const struct db_filter_col *col)
273
324
  goto filter_load_out;
274
325
  }
275
326
 
327
+ tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
328
+
276
329
  /* load the filter into the kernel */
277
330
  if (sys_chk_seccomp_syscall() == 1) {
278
331
  int flgs = 0;
279
- if (col->attr.tsync_enable)
332
+ if (tsync_notify) {
333
+ if (col->attr.tsync_enable)
334
+ flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
335
+ SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
336
+ if (_support_seccomp_user_notif > 0)
337
+ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
338
+ } else if (col->attr.tsync_enable)
280
339
  flgs |= SECCOMP_FILTER_FLAG_TSYNC;
340
+ else if (_support_seccomp_user_notif > 0)
341
+ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
281
342
  if (col->attr.log_enable)
282
343
  flgs |= SECCOMP_FILTER_FLAG_LOG;
344
+ if (col->attr.spec_allow)
345
+ flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
283
346
  rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
284
- if (rc > 0 && col->attr.tsync_enable)
347
+ if (tsync_notify && rc > 0) {
348
+ /* return 0 on NEW_LISTENER success, but save the fd */
349
+ col->notify_fd = rc;
350
+ rc = 0;
351
+ } else if (rc > 0 && col->attr.tsync_enable) {
285
352
  /* always return -ESRCH if we fail to sync threads */
286
353
  errno = ESRCH;
354
+ rc = -errno;
355
+ } else if (rc > 0 && _support_seccomp_user_notif > 0) {
356
+ /* return 0 on NEW_LISTENER success, but save the fd */
357
+ col->notify_fd = rc;
358
+ rc = 0;
359
+ }
287
360
  } else
288
361
  rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prgm);
289
362
 
290
363
  filter_load_out:
291
364
  /* cleanup and return */
292
365
  gen_bpf_release(prgm);
366
+ if (rc == -ESRCH)
367
+ return -ESRCH;
293
368
  if (rc < 0)
294
- return -errno;
369
+ return (rawrc ? -errno : -ECANCELED);
370
+ return rc;
371
+ }
372
+
373
+ /**
374
+ * Allocate a pair of notification request/response structures
375
+ * @param req the request location
376
+ * @param resp the response location
377
+ *
378
+ * This function allocates a pair of request/response structure by computing
379
+ * the correct sized based on the currently running kernel. It returns zero on
380
+ * success, and negative values on failure.
381
+ *
382
+ */
383
+ int sys_notify_alloc(struct seccomp_notif **req,
384
+ struct seccomp_notif_resp **resp)
385
+ {
386
+ int rc;
387
+ static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
388
+
389
+ if (_support_seccomp_syscall <= 0)
390
+ return -EOPNOTSUPP;
391
+
392
+ if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
393
+ rc = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
394
+ if (rc < 0)
395
+ return -ECANCELED;
396
+ }
397
+ if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
398
+ return -EFAULT;
399
+
400
+ if (req) {
401
+ *req = zmalloc(sizes.seccomp_notif);
402
+ if (!*req)
403
+ return -ENOMEM;
404
+ }
405
+
406
+ if (resp) {
407
+ *resp = zmalloc(sizes.seccomp_notif_resp);
408
+ if (!*resp) {
409
+ if (req)
410
+ free(*req);
411
+ return -ENOMEM;
412
+ }
413
+ }
414
+
415
+ return 0;
416
+ }
417
+
418
+ /**
419
+ * Receive a notification from a seccomp notification fd
420
+ * @param fd the notification fd
421
+ * @param req the request buffer to save into
422
+ *
423
+ * Blocks waiting for a notification on this fd. This function is thread safe
424
+ * (synchronization is performed in the kernel). Returns zero on success,
425
+ * negative values on error.
426
+ *
427
+ */
428
+ int sys_notify_receive(int fd, struct seccomp_notif *req)
429
+ {
430
+ if (_support_seccomp_user_notif <= 0)
431
+ return -EOPNOTSUPP;
432
+
433
+ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
434
+ return -ECANCELED;
435
+
436
+ return 0;
437
+ }
438
+
439
+ /**
440
+ * Send a notification response to a seccomp notification fd
441
+ * @param fd the notification fd
442
+ * @param resp the response buffer to use
443
+ *
444
+ * Sends a notification response on this fd. This function is thread safe
445
+ * (synchronization is performed in the kernel). Returns zero on success,
446
+ * negative values on error.
447
+ *
448
+ */
449
+ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
450
+ {
451
+ if (_support_seccomp_user_notif <= 0)
452
+ return -EOPNOTSUPP;
453
+
454
+ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
455
+ return -ECANCELED;
456
+ return 0;
457
+ }
458
+
459
+ /**
460
+ * Check if a notification id is still valid
461
+ * @param fd the notification fd
462
+ * @param id the id to test
463
+ *
464
+ * Checks to see if a notification id is still valid. Returns 0 on success, and
465
+ * negative values on failure.
466
+ *
467
+ */
468
+ int sys_notify_id_valid(int fd, uint64_t id)
469
+ {
470
+ if (_support_seccomp_user_notif <= 0)
471
+ return -EOPNOTSUPP;
472
+
473
+ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
474
+ return -ENOENT;
295
475
  return 0;
296
476
  }
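Review bot: `return (rawrc ? -errno : -ECANCELED);` reads errno after `gen_bpf_release(prgm)` has already run at `filter_load_out:`, so the errno left by the failed `syscall()`/`prctl()` (or the NO_NEW_PRIVS prctl above this hunk) can be overwritten by the release path before it is reported; the `-ESRCH` case is protected by the explicit `rc == -ESRCH` early return, but the new `rawrc` branch is not. Capturing it first at the label, `saved_errno = errno;` immediately before `gen_bpf_release(prgm);` and then `return (rawrc ? -saved_errno : -ECANCELED);`, reports the real cause. In `sys_notify_alloc`, `_support_seccomp_syscall` is read directly and the size probe uses `__NR_seccomp`, whereas the `SCMP_ACT_NOTIFY` branch of sys_chk_seccomp_action (earlier hunk) calls `sys_chk_seccomp_syscall()` and uses `_nr_seccomp`; if nothing has probed yet the cached value is still -1 and the allocation fails with `-EOPNOTSUPP` on a supporting kernel, so `if (sys_chk_seccomp_syscall() <= 0)` with `_nr_seccomp` would make it self-contained and consistent. On the `*resp` allocation failure, `free(*req)` leaves `*req` dangling for the caller; `*req = NULL;` after the free avoids a later double free. sys_filter_load's header is outside this hunk.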