script_core 0.2.2 → 0.2.7
- checksums.yaml +4 -4
- data/.rubocop.yml +41 -45
- data/.travis.yml +2 -1
- data/Gemfile +3 -3
- data/README.md +7 -1
- data/bootstrap.sh +2 -2
- data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
- data/ext/enterprise_script_service/libseccomp/README.md +21 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
- data/ext/enterprise_script_service/mruby/.gitignore +3 -0
- data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
- data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/LICENSE +1 -1
- data/ext/enterprise_script_service/mruby/README.md +6 -2
- data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
- data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
- data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
- data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
- data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
- data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
- data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
- data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
- data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
- data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
- data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
- data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
- data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
- data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
- data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
- data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
- data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
- data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
- data/ext/enterprise_script_service/mruby/src/array.c +25 -11
- data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
- data/ext/enterprise_script_service/mruby/src/class.c +48 -32
- data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
- data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
- data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
- data/ext/enterprise_script_service/mruby/src/error.c +58 -7
- data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
- data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
- data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
- data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
- data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
- data/ext/enterprise_script_service/mruby/src/load.c +56 -30
- data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
- data/ext/enterprise_script_service/mruby/src/object.c +23 -5
- data/ext/enterprise_script_service/mruby/src/print.c +27 -3
- data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/state.c +34 -11
- data/ext/enterprise_script_service/mruby/src/string.c +93 -56
- data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
- data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
- data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
- data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
- data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
- data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
- data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
- data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
- data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
- data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
- data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
- data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
- data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
- data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
- data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
- data/ext/enterprise_script_service/msgpack/README.md +3 -2
- data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
- data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
- data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
- data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
- data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
- data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
- data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
- data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
- data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
- data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
- data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
- data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
- data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
- data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
- data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
- data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
- data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
- data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
- data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
- data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
- data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
- data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
- data/lib/script_core/engine.rb +24 -5
- data/lib/script_core/executable.rb +4 -3
- data/lib/script_core/result.rb +1 -5
- data/lib/script_core/service_channel.rb +1 -0
- data/lib/script_core/version.rb +1 -1
- data/lib/tasks/script_core.rake +3 -1
- data/script_core.gemspec +2 -2
- data/spec/dummy/app/lib/script_engine.rb +64 -5
- metadata +68 -30
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
- data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
@@ -0,0 +1,113 @@
|
|
1
|
+
.TH "seccomp_notify_alloc" 3 "30 May 2020" "tycho@tycho.ws" "libseccomp Documentation"
|
2
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
3
|
+
.SH NAME
|
4
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
5
|
+
seccomp_notify_alloc, seccomp_notify_free, seccomp_notify_receive,
|
6
|
+
seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd \- Manage seccomp notifications
|
7
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
8
|
+
.SH SYNOPSIS
|
9
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
10
|
+
.nf
|
11
|
+
.B #include <seccomp.h>
|
12
|
+
.sp
|
13
|
+
.BI "int seccomp_notify_alloc(struct seccomp_notif **" req ", struct seccomp_notif_resp **" resp ")"
|
14
|
+
.BI "void seccomp_notify_free(struct seccomp_notif *" req ", struct seccomp_notif_resp *" resp ")"
|
15
|
+
.BI "int seccomp_notify_receive(int " fd ", struct seccomp_notif *" req ")"
|
16
|
+
.BI "int seccomp_notify_respond(int " fd ", struct seccomp_notif_resp *" resp ")"
|
17
|
+
.BI "int seccomp_notify_id_valid(int " fd ", uint64_t " id ")"
|
18
|
+
.BI "int seccomp_notify_fd(const scmp_filter_ctx " ctx ")"
|
19
|
+
.sp
|
20
|
+
Link with \fI\-lseccomp\fP.
|
21
|
+
.fi
|
22
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
23
|
+
.SH DESCRIPTION
|
24
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
25
|
+
.P
|
26
|
+
The
|
27
|
+
.BR seccomp_notify_alloc ()
|
28
|
+
function dynamically allocates enough memory for a seccomp notification and
|
29
|
+
response. Note that one should always use these functions and not depend on the
|
30
|
+
structure sizes in headers, since the size can vary depending on the kernel
|
31
|
+
version. This function takes care to ask the kernel how big each structure
|
32
|
+
should be, and allocates the right amount of memory. The
|
33
|
+
.BR seccomp_notify_free ()
|
34
|
+
function frees memory allocated by
|
35
|
+
.BR seccomp_notify_alloc ().
|
36
|
+
.P
|
37
|
+
The
|
38
|
+
.BR seccomp_notify_receive ()
|
39
|
+
function receives a notification from a seccomp notify fd (obtained from
|
40
|
+
.BR seccomp_notify_fd ()).
|
41
|
+
.P
|
42
|
+
The
|
43
|
+
.BR seccomp_notify_respond ()
|
44
|
+
function sends a response to a particular notification. The id field should be
|
45
|
+
the same as the id from the request, so that the kernel knows which request
|
46
|
+
this response corresponds to.
|
47
|
+
.P
|
48
|
+
The
|
49
|
+
.BR seccomp_notify_id_valid ()
|
50
|
+
function checks to see if the syscall from a particular notification request is
|
51
|
+
still valid, i.e. if the task is still alive. See NOTES below for details on
|
52
|
+
race conditions.
|
53
|
+
.P
|
54
|
+
The
|
55
|
+
.BR seccomp_notify_fd ()
|
56
|
+
returns the notification fd of a filter after it has been loaded.
|
57
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
58
|
+
.SH RETURN VALUE
|
59
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
60
|
+
The
|
61
|
+
.BR seccomp_notify_fd ()
|
62
|
+
returns the notification fd of the loaded filter.
|
63
|
+
.P
|
64
|
+
The
|
65
|
+
.BR seccomp_notify_id_valid ()
|
66
|
+
returns 0 if the id is valid, and -ENOENT if it is not.
|
67
|
+
.P
|
68
|
+
The
|
69
|
+
.BR seccomp_notify_alloc (),
|
70
|
+
.BR seccomp_notify_receive (),
|
71
|
+
and
|
72
|
+
.BR seccomp_notify_respond ()
|
73
|
+
functions return zero on success, or one of the following error codes on
|
74
|
+
failure:
|
75
|
+
.TP
|
76
|
+
.B -ECANCELED
|
77
|
+
There was a system failure beyond the control of the library, check the
|
78
|
+
\fIerrno\fP value for more information.
|
79
|
+
.TP
|
80
|
+
.B -EFAULT
|
81
|
+
Internal libseccomp failure.
|
82
|
+
.TP
|
83
|
+
.B -ENOMEM
|
84
|
+
The library was unable to allocate enough memory.
|
85
|
+
.TP
|
86
|
+
.B -EOPNOTSUPP
|
87
|
+
The library doesn't support the particular operation.
|
88
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
89
|
+
.SH NOTES
|
90
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
91
|
+
.P
|
92
|
+
Care should be taken to avoid two different time of check/time of use errors.
|
93
|
+
First, after opening any resources relevant to the pid for a notification (e.g.
|
94
|
+
/proc/pid/mem for reading tracee memory to make policy decisions), applications
|
95
|
+
should call
|
96
|
+
.BR seccomp_notify_id_valid ()
|
97
|
+
to make sure that the resources the application has opened correspond to the
|
98
|
+
right pid, i.e. that the pid didn't die and a different task take its place.
|
99
|
+
.P
|
100
|
+
Second, the classic time of check/time of use issue with seccomp memory should
|
101
|
+
also be avoided: applications should copy any memory they wish to use to make
|
102
|
+
decisions from the tracee into its own address space before applying any policy
|
103
|
+
decisions, since a multi-threaded tracee may edit the memory at any time,
|
104
|
+
including after it's used to make a policy decision.
|
105
|
+
.P
|
106
|
+
A complete example of how to avoid these two races is available in the Linux
|
107
|
+
Kernel source tree at
|
108
|
+
.BR /samples/seccomp/user-trap.c.
|
109
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
110
|
+
.SH AUTHOR
|
111
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
112
|
+
Tycho Andersen <tycho@tycho.ws>
|
113
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
@@ -0,0 +1 @@
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
@@ -0,0 +1 @@
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
@@ -0,0 +1 @@
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
@@ -0,0 +1 @@
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
@@ -0,0 +1 @@
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
@@ -1,4 +1,4 @@
|
|
1
|
-
.TH "seccomp_rule_add" 3 "
|
1
|
+
.TH "seccomp_rule_add" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
|
2
2
|
.\" //////////////////////////////////////////////////////////////////////////
|
3
3
|
.SH NAME
|
4
4
|
.\" //////////////////////////////////////////////////////////////////////////
|
@@ -87,6 +87,17 @@ do guarantee the same behavior regardless of the architecture.
|
|
87
87
|
The newly added filter rule does not take effect until the entire filter is
|
88
88
|
loaded into the kernel using
|
89
89
|
.BR seccomp_load (3).
|
90
|
+
When adding rules to a filter, it is important to consider the impact of
|
91
|
+
previously loaded filters; see the
|
92
|
+
.BR seccomp_load (3)
|
93
|
+
documentation for more information.
|
94
|
+
.P
|
95
|
+
All of the filter rules supplied by the calling application are combined into
|
96
|
+
a union, with additional logic to eliminate redundant syscall filters. For
|
97
|
+
example, if a rule is added which allows a given syscall with a specific set of
|
98
|
+
argument values and later a rule is added which allows the same syscall
|
99
|
+
regardless the argument values then the first, more specific rule, is
|
100
|
+
effectively dropped from the filter by the second more generic rule.
|
90
101
|
.P
|
91
102
|
The
|
92
103
|
.BR SCMP_CMP (),
|
@@ -120,6 +131,18 @@ macros and use the variants which are explicitly 32 or 64-bit. This should
|
|
120
131
|
help eliminate problems caused by an unwanted sign extension of negative datum
|
121
132
|
values.
|
122
133
|
.P
|
134
|
+
If syscall argument comparisons are included in the filter rule, all of the
|
135
|
+
comparisons must be true for the rule to match.
|
136
|
+
.P
|
137
|
+
When adding syscall argument comparisons to the filter it is important to
|
138
|
+
remember that while it is possible to have multiple comparisons in a single
|
139
|
+
rule, you can only compare each argument once in a single rule. In other words,
|
140
|
+
you can not have multiple comparisons of the 3rd syscall argument in a single
|
141
|
+
rule.
|
142
|
+
.P
|
143
|
+
In a filter containing multiple architectures, it is an error to add a filter
|
144
|
+
rule for a syscall that does not exist in all of the filter's architectures.
|
145
|
+
.P
|
123
146
|
While it is possible to specify the
|
124
147
|
.I syscall
|
125
148
|
value directly using the standard
|
@@ -127,7 +150,10 @@ value directly using the standard
|
|
127
150
|
values, in order to ensure proper operation across multiple architectures it
|
128
151
|
is highly recommended to use the
|
129
152
|
.BR SCMP_SYS ()
|
130
|
-
macro instead. See the EXAMPLES section below.
|
153
|
+
macro instead. See the EXAMPLES section below. It is also important to
|
154
|
+
remember that regardless of the architectures present in the filter, the
|
155
|
+
syscall numbers used in filter rules are interpreted in the context of the
|
156
|
+
native architecture.
|
131
157
|
.P
|
132
158
|
Starting with Linux v4.8, there may be a need to create a rule with a syscall
|
133
159
|
value of -1 to allow tracing programs to skip a syscall invocation; in order
|
@@ -259,12 +285,47 @@ SCMP_CMP(
|
|
259
285
|
.SH RETURN VALUE
|
260
286
|
.\" //////////////////////////////////////////////////////////////////////////
|
261
287
|
The
|
288
|
+
.BR SCMP_SYS ()
|
289
|
+
macro returns a value suitable for use as the
|
290
|
+
.I syscall
|
291
|
+
value in the
|
292
|
+
.BR seccomp_rule_add* ()
|
293
|
+
functions. In a similar manner, the
|
294
|
+
.BR SCMP_CMP ()
|
295
|
+
and
|
296
|
+
.BR SCMP_A* ()
|
297
|
+
macros return values suitable for use as argument comparisons in the
|
298
|
+
.BR seccomp_rule_add ()
|
299
|
+
and
|
300
|
+
.BR seccomp_rule_add_exact ()
|
301
|
+
functions.
|
302
|
+
.P
|
303
|
+
The
|
262
304
|
.BR seccomp_rule_add (),
|
263
305
|
.BR seccomp_rule_add_array (),
|
264
306
|
.BR seccomp_rule_add_exact (),
|
265
307
|
and
|
266
308
|
.BR seccomp_rule_add_exact_array ()
|
267
|
-
functions return zero on success
|
309
|
+
functions return zero on success or one of the following error codes on
|
310
|
+
failure:
|
311
|
+
.TP
|
312
|
+
.B -EDOM
|
313
|
+
Architecture specific failure.
|
314
|
+
.TP
|
315
|
+
.B -EEXIST
|
316
|
+
The rule already exists.
|
317
|
+
.TP
|
318
|
+
.B -EFAULT
|
319
|
+
Internal libseccomp failure.
|
320
|
+
.TP
|
321
|
+
.B -EINVAL
|
322
|
+
Invalid input, either the context or architecture token is invalid.
|
323
|
+
.TP
|
324
|
+
.B -ENOMEM
|
325
|
+
The library was unable to allocate enough memory.
|
326
|
+
.TP
|
327
|
+
.B -EOPNOTSUPP
|
328
|
+
The library doesn't support the particular operation.
|
268
329
|
.\" //////////////////////////////////////////////////////////////////////////
|
269
330
|
.SH EXAMPLES
|
270
331
|
.\" //////////////////////////////////////////////////////////////////////////
|
@@ -1,4 +1,4 @@
|
|
1
|
-
.TH "seccomp_syscall_priority" 3 "
|
1
|
+
.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
|
2
2
|
.\" //////////////////////////////////////////////////////////////////////////
|
3
3
|
.SH NAME
|
4
4
|
.\" //////////////////////////////////////////////////////////////////////////
|
@@ -53,13 +53,28 @@ is the value returned by the call to
|
|
53
53
|
.SH RETURN VALUE
|
54
54
|
.\" //////////////////////////////////////////////////////////////////////////
|
55
55
|
The
|
56
|
-
.BR seccomp_syscall_priority ()
|
57
|
-
function returns zero on success, negative errno values on failure. The
|
58
56
|
.BR SCMP_SYS ()
|
59
57
|
macro returns a value suitable for use as the
|
60
58
|
.I syscall
|
61
59
|
value in
|
62
60
|
.BR seccomp_syscall_priority ().
|
61
|
+
.P
|
62
|
+
The
|
63
|
+
.BR seccomp_syscall_priority ()
|
64
|
+
function returns zero on success or one of the following error codes on
|
65
|
+
failure:
|
66
|
+
.TP
|
67
|
+
.B -EDOM
|
68
|
+
Architecture specific failure.
|
69
|
+
.TP
|
70
|
+
.B -EFAULT
|
71
|
+
Internal libseccomp failure.
|
72
|
+
.TP
|
73
|
+
.B -EINVAL
|
74
|
+
Invalid input, either the context or architecture token is invalid.
|
75
|
+
.TP
|
76
|
+
.B -ENOMEM
|
77
|
+
The library was unable to allocate enough memory.
|
63
78
|
.\" //////////////////////////////////////////////////////////////////////////
|
64
79
|
.SH EXAMPLES
|
65
80
|
.\" //////////////////////////////////////////////////////////////////////////
|
@@ -272,6 +272,9 @@
|
|
272
272
|
#define __PNR_timerfd_gettime64 -10238
|
273
273
|
#define __PNR_timerfd_settime64 -10239
|
274
274
|
#define __PNR_utimensat_time64 -10240
|
275
|
+
#define __PNR_ppoll -10241
|
276
|
+
#define __PNR_renameat -10242
|
277
|
+
#define __PNR_riscv_flush_icache -10243
|
275
278
|
|
276
279
|
/*
|
277
280
|
* libseccomp syscall definitions
|
@@ -1359,6 +1362,12 @@
|
|
1359
1362
|
#define __SNR_poll __PNR_poll
|
1360
1363
|
#endif
|
1361
1364
|
|
1365
|
+
#ifdef __NR_ppoll
|
1366
|
+
#define __SNR_ppoll __NR_ppoll
|
1367
|
+
#else
|
1368
|
+
#define __SNR_ppoll __PNR_ppoll
|
1369
|
+
#endif
|
1370
|
+
|
1362
1371
|
#ifdef __NR_ppoll_time64
|
1363
1372
|
#define __SNR_ppoll_time64 __NR_ppoll_time64
|
1364
1373
|
#else
|
@@ -1487,7 +1496,11 @@
|
|
1487
1496
|
#define __SNR_rename __PNR_rename
|
1488
1497
|
#endif
|
1489
1498
|
|
1499
|
+
#ifdef __NR_renameat
|
1490
1500
|
#define __SNR_renameat __NR_renameat
|
1501
|
+
#else
|
1502
|
+
#define __SNR_renameat __PNR_renameat
|
1503
|
+
#endif
|
1491
1504
|
|
1492
1505
|
#define __SNR_renameat2 __NR_renameat2
|
1493
1506
|
|
@@ -1495,6 +1508,12 @@
|
|
1495
1508
|
|
1496
1509
|
#define __SNR_restart_syscall __NR_restart_syscall
|
1497
1510
|
|
1511
|
+
#ifdef __NR_riscv_flush_icache
|
1512
|
+
#define __SNR_riscv_flush_icache __NR_riscv_flush_icache
|
1513
|
+
#else
|
1514
|
+
#define __SNR_riscv_flush_icache __PNR_riscv_flush_icache
|
1515
|
+
#endif
|
1516
|
+
|
1498
1517
|
#ifdef __NR_rmdir
|
1499
1518
|
#define __SNR_rmdir __NR_rmdir
|
1500
1519
|
#else
|
@@ -27,6 +27,8 @@
|
|
27
27
|
#include <inttypes.h>
|
28
28
|
#include <asm/unistd.h>
|
29
29
|
#include <linux/audit.h>
|
30
|
+
#include <linux/types.h>
|
31
|
+
#include <linux/seccomp.h>
|
30
32
|
|
31
33
|
#ifdef __cplusplus
|
32
34
|
extern "C" {
|
@@ -66,6 +68,15 @@ enum scmp_filter_attr {
|
|
66
68
|
SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
|
67
69
|
SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
|
68
70
|
SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
|
71
|
+
SCMP_FLTATR_CTL_SSB = 7, /**< disable SSB mitigation */
|
72
|
+
SCMP_FLTATR_CTL_OPTIMIZE = 8, /**< filter optimization level:
|
73
|
+
* 0 - currently unused
|
74
|
+
* 1 - rules weighted by priority and
|
75
|
+
* complexity (DEFAULT)
|
76
|
+
* 2 - binary tree sorted by syscall
|
77
|
+
* number
|
78
|
+
*/
|
79
|
+
SCMP_FLTATR_API_SYSRAWRC = 9, /**< return the system return codes */
|
69
80
|
_SCMP_FLTATR_MAX,
|
70
81
|
};
|
71
82
|
|
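Review bot: The one-line comment on `SCMP_FLTATR_CTL_SSB` ("disable SSB mitigation") does not say what is being traded away, and it is the only attribute in this enum that weakens a hardening instead of shaping the filter. Setting it presumably asks the kernel to load the filter without applying its Speculative Store Bypass mitigation (the SECCOMP_FILTER_FLAG_SPEC_ALLOW path), leaving the filtered task exposed to that class of side channel; worth confirming against the vendored implementation, which is not in this diff. I would expand the comment to `/**< disable the kernel's Speculative Store Bypass (SSB) mitigation for the filtered task; weakens side-channel hardening, leave unset unless the cost has been measured */`.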
@@ -193,6 +204,18 @@ struct scmp_arg_cmp {
|
|
193
204
|
#define SCMP_ARCH_PARISC AUDIT_ARCH_PARISC
|
194
205
|
#define SCMP_ARCH_PARISC64 AUDIT_ARCH_PARISC64
|
195
206
|
|
207
|
+
/**
|
208
|
+
* The RISC-V architecture tokens
|
209
|
+
*/
|
210
|
+
/* RISC-V support for audit was merged in 5.0-rc1 */
|
211
|
+
#ifndef AUDIT_ARCH_RISCV64
|
212
|
+
#ifndef EM_RISCV
|
213
|
+
#define EM_RISCV 243
|
214
|
+
#endif /* EM_RISCV */
|
215
|
+
#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
|
216
|
+
#endif /* AUDIT_ARCH_RISCV64 */
|
217
|
+
#define SCMP_ARCH_RISCV64 AUDIT_ARCH_RISCV64
|
218
|
+
|
196
219
|
/**
|
197
220
|
* Convert a syscall name into the associated syscall number
|
198
221
|
* @param x the syscall name
|
@@ -319,6 +342,10 @@ struct scmp_arg_cmp {
|
|
319
342
|
* Throw a SIGSYS signal
|
320
343
|
*/
|
321
344
|
#define SCMP_ACT_TRAP 0x00030000U
|
345
|
+
/**
|
346
|
+
* Notifies userspace
|
347
|
+
*/
|
348
|
+
#define SCMP_ACT_NOTIFY 0x7fc00000U
|
322
349
|
/**
|
323
350
|
* Return the specified error code
|
324
351
|
*/
|
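Review bot: `SCMP_ACT_NOTIFY` is defined as the bare literal `0x7fc00000U`, the same value the later hunk in this file repeats for the `SECCOMP_RET_USER_NOTIF` fallback; the two must stay in lock-step but nothing ties them together. If the `#ifndef SECCOMP_RET_USER_NOTIF` fallback block were moved above this definition, the action could be written `#define SCMP_ACT_NOTIFY SECCOMP_RET_USER_NOTIF`; failing that, a comment `/* must match SECCOMP_RET_USER_NOTIF (kernel v5.0+) */` at least records the coupling. The doc comment `Notifies userspace` could also say that a matching syscall is reported to the listener fd obtained from seccomp_notify_fd() rather than being decided in-kernel, which is what distinguishes it from SCMP_ACT_TRAP above.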
@@ -336,6 +363,25 @@ struct scmp_arg_cmp {
|
|
336
363
|
*/
|
337
364
|
#define SCMP_ACT_ALLOW 0x7fff0000U
|
338
365
|
|
366
|
+
/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
|
367
|
+
#ifndef SECCOMP_RET_USER_NOTIF
|
368
|
+
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
|
369
|
+
|
370
|
+
struct seccomp_notif {
|
371
|
+
__u64 id;
|
372
|
+
__u32 pid;
|
373
|
+
__u32 flags;
|
374
|
+
struct seccomp_data data;
|
375
|
+
};
|
376
|
+
|
377
|
+
struct seccomp_notif_resp {
|
378
|
+
__u64 id;
|
379
|
+
__s64 val;
|
380
|
+
__s32 error;
|
381
|
+
__u32 flags;
|
382
|
+
};
|
383
|
+
#endif
|
384
|
+
|
339
385
|
/*
|
340
386
|
* functions
|
341
387
|
*/
|
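Review bot: The fallback `struct seccomp_notif` / `struct seccomp_notif_resp` definitions under `#ifndef SECCOMP_RET_USER_NOTIF` carry no comment saying they exist only so the header compiles against pre-v5.0 UAPI headers, and a reader may take `sizeof` of them as authoritative. The function comment later in this file says the request/response sizes are computed from the running kernel, and the seccomp_notify_alloc(3) page in this change says never to rely on header structure sizes, so the fallback should say the same. I would put `/* Compile-time fallback for UAPI headers older than v5.0; the layouts mirror the kernel's, but sizes must still come from seccomp_notify_alloc(), never sizeof. */` above the `#ifndef`. The closing `#endif` could also carry `/* SECCOMP_RET_USER_NOTIF */`, matching the style used for the EM_RISCV guard earlier in the file.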
@@ -368,6 +414,9 @@ const struct scmp_version *seccomp_version(void);
|
|
368
414
|
* 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
|
369
415
|
* support for the SCMP_ACT_LOG action
|
370
416
|
* support for the SCMP_ACT_KILL_PROCESS action
|
417
|
+
* 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute
|
418
|
+
* 5 : support for the SCMP_ACT_NOTIFY action and notify APIs
|
419
|
+
* 6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs
|
371
420
|
*
|
372
421
|
*/
|
373
422
|
unsigned int seccomp_api_get(void);
|
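Review bot: Typo in the new API-level list: `attrbute` in `* 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute` should read `attribute`. Since callers consult seccomp_api_get() to decide what they may use, the list would also benefit from stating what the numbering implies but does not say: SCMP_ACT_NOTIFY and the notify functions require level 5 or above.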
@@ -672,6 +721,73 @@ int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
|
|
672
721
|
unsigned int arg_cnt,
|
673
722
|
const struct scmp_arg_cmp *arg_array);
|
674
723
|
|
724
|
+
/**
|
725
|
+
* Allocate a pair of notification request/response structures
|
726
|
+
* @param req the request location
|
727
|
+
* @param resp the response location
|
728
|
+
*
|
729
|
+
* This function allocates a pair of request/response structure by computing
|
730
|
+
* the correct sized based on the currently running kernel. It returns zero on
|
731
|
+
* success, and negative values on failure.
|
732
|
+
*
|
733
|
+
*/
|
734
|
+
int seccomp_notify_alloc(struct seccomp_notif **req,
|
735
|
+
struct seccomp_notif_resp **resp);
|
736
|
+
|
737
|
+
/**
|
738
|
+
* Free a pair of notification request/response structures.
|
739
|
+
* @param req the request location
|
740
|
+
* @param resp the response location
|
741
|
+
*/
|
742
|
+
void seccomp_notify_free(struct seccomp_notif *req,
|
743
|
+
struct seccomp_notif_resp *resp);
|
744
|
+
|
745
|
+
/**
|
746
|
+
* Receive a notification from a seccomp notification fd
|
747
|
+
* @param fd the notification fd
|
748
|
+
* @param req the request buffer to save into
|
749
|
+
*
|
750
|
+
* Blocks waiting for a notification on this fd. This function is thread safe
|
751
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
752
|
+
* negative values on error.
|
753
|
+
*
|
754
|
+
*/
|
755
|
+
int seccomp_notify_receive(int fd, struct seccomp_notif *req);
|
756
|
+
|
757
|
+
/**
|
758
|
+
* Send a notification response to a seccomp notification fd
|
759
|
+
* @param fd the notification fd
|
760
|
+
* @param resp the response buffer to use
|
761
|
+
*
|
762
|
+
* Sends a notification response on this fd. This function is thread safe
|
763
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
764
|
+
* negative values on error.
|
765
|
+
*
|
766
|
+
*/
|
767
|
+
int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp);
|
768
|
+
|
769
|
+
/**
|
770
|
+
* Check if a notification id is still valid
|
771
|
+
* @param fd the notification fd
|
772
|
+
* @param id the id to test
|
773
|
+
*
|
774
|
+
* Checks to see if a notification id is still valid. Returns 0 on success, and
|
775
|
+
* negative values on failure.
|
776
|
+
*
|
777
|
+
*/
|
778
|
+
int seccomp_notify_id_valid(int fd, uint64_t id);
|
779
|
+
|
780
|
+
/**
|
781
|
+
* Return the notification fd from a filter that has already been loaded
|
782
|
+
* @param ctx the filter context
|
783
|
+
*
|
784
|
+
* This returns the listener fd that was generated when the seccomp policy was
|
785
|
+
* loaded. This is only valid after seccomp_load() with a filter that makes
|
786
|
+
* use of SCMP_ACT_NOTIFY.
|
787
|
+
*
|
788
|
+
*/
|
789
|
+
int seccomp_notify_fd(const scmp_filter_ctx ctx);
|
790
|
+
|
675
791
|
/**
|
676
792
|
* Generate seccomp Pseudo Filter Code (PFC) and export it to a file
|
677
793
|
* @param ctx the filter context
|
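Review bot: The comment on `seccomp_notify_fd()` says what it returns on success but not on failure; since the result is an `int` that callers will pass straight to seccomp_notify_receive(), it should state the error convention, e.g. `* Returns the fd on success, a negative value if the filter has not been loaded or has no notification fd.` (confirm against the implementation, which is not in this diff). The `seccomp_notify_id_valid()` comment could also point to the time-of-check/time-of-use guidance in the accompanying seccomp_notify_alloc(3) page: call it after opening any resource keyed on the notification's pid and before acting on what was read. Minor wording in the `seccomp_notify_alloc()` comment: `a pair of request/response structure by computing the correct sized` should read `a pair of request/response structures by computing the correct size`.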