script_core 0.2.2 → 0.2.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +41 -45
- data/.travis.yml +2 -1
- data/Gemfile +3 -3
- data/README.md +7 -1
- data/bootstrap.sh +2 -2
- data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
- data/ext/enterprise_script_service/libseccomp/README.md +21 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
- data/ext/enterprise_script_service/mruby/.gitignore +3 -0
- data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
- data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/LICENSE +1 -1
- data/ext/enterprise_script_service/mruby/README.md +6 -2
- data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
- data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
- data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
- data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
- data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
- data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
- data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
- data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
- data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
- data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
- data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
- data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
- data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
- data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
- data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
- data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
- data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
- data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
- data/ext/enterprise_script_service/mruby/src/array.c +25 -11
- data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
- data/ext/enterprise_script_service/mruby/src/class.c +48 -32
- data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
- data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
- data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
- data/ext/enterprise_script_service/mruby/src/error.c +58 -7
- data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
- data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
- data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
- data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
- data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
- data/ext/enterprise_script_service/mruby/src/load.c +56 -30
- data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
- data/ext/enterprise_script_service/mruby/src/object.c +23 -5
- data/ext/enterprise_script_service/mruby/src/print.c +27 -3
- data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/state.c +34 -11
- data/ext/enterprise_script_service/mruby/src/string.c +93 -56
- data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
- data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
- data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
- data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
- data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
- data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
- data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
- data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
- data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
- data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
- data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
- data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
- data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
- data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
- data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
- data/ext/enterprise_script_service/msgpack/README.md +3 -2
- data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
- data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
- data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
- data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
- data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
- data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
- data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
- data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
- data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
- data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
- data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
- data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
- data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
- data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
- data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
- data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
- data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
- data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
- data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
- data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
- data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
- data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
- data/lib/script_core/engine.rb +24 -5
- data/lib/script_core/executable.rb +4 -3
- data/lib/script_core/result.rb +1 -5
- data/lib/script_core/service_channel.rb +1 -0
- data/lib/script_core/version.rb +1 -1
- data/lib/tasks/script_core.rake +3 -1
- data/script_core.gemspec +2 -2
- data/spec/dummy/app/lib/script_engine.rb +64 -5
- metadata +68 -30
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
- data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
.TH "seccomp_notify_alloc" 3 "30 May 2020" "tycho@tycho.ws" "libseccomp Documentation"
|
|
2
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
3
|
+
.SH NAME
|
|
4
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
5
|
+
seccomp_notify_alloc, seccomp_notify_free, seccomp_notify_receive,
|
|
6
|
+
seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd \- Manage seccomp notifications
|
|
7
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
8
|
+
.SH SYNOPSIS
|
|
9
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
10
|
+
.nf
|
|
11
|
+
.B #include <seccomp.h>
|
|
12
|
+
.sp
|
|
13
|
+
.BI "int seccomp_notify_alloc(struct seccomp_notif **" req ", struct seccomp_notif_resp **" resp ")"
|
|
14
|
+
.BI "void seccomp_notify_free(struct seccomp_notif *" req ", struct seccomp_notif_resp *" resp ")"
|
|
15
|
+
.BI "int seccomp_notify_receive(int " fd ", struct seccomp_notif *" req ")"
|
|
16
|
+
.BI "int seccomp_notify_respond(int " fd ", struct seccomp_notif_resp *" resp ")"
|
|
17
|
+
.BI "int seccomp_notify_id_valid(int " fd ", uint64_t " id ")"
|
|
18
|
+
.BI "int seccomp_notify_fd(const scmp_filter_ctx " ctx ")"
|
|
19
|
+
.sp
|
|
20
|
+
Link with \fI\-lseccomp\fP.
|
|
21
|
+
.fi
|
|
22
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
23
|
+
.SH DESCRIPTION
|
|
24
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
25
|
+
.P
|
|
26
|
+
The
|
|
27
|
+
.BR seccomp_notify_alloc ()
|
|
28
|
+
function dynamically allocates enough memory for a seccomp notification and
|
|
29
|
+
response. Note that one should always use these functions and not depend on the
|
|
30
|
+
structure sizes in headers, since the size can vary depending on the kernel
|
|
31
|
+
version. This function takes care to ask the kernel how big each structure
|
|
32
|
+
should be, and allocates the right amount of memory. The
|
|
33
|
+
.BR seccomp_notify_free ()
|
|
34
|
+
function frees memory allocated by
|
|
35
|
+
.BR seccomp_notify_alloc ().
|
|
36
|
+
.P
|
|
37
|
+
The
|
|
38
|
+
.BR seccomp_notify_receive ()
|
|
39
|
+
function receives a notification from a seccomp notify fd (obtained from
|
|
40
|
+
.BR seccomp_notify_fd ()).
|
|
41
|
+
.P
|
|
42
|
+
The
|
|
43
|
+
.BR seccomp_notify_respond ()
|
|
44
|
+
function sends a response to a particular notification. The id field should be
|
|
45
|
+
the same as the id from the request, so that the kernel knows which request
|
|
46
|
+
this response corresponds to.
|
|
47
|
+
.P
|
|
48
|
+
The
|
|
49
|
+
.BR seccomp_notify_id_valid ()
|
|
50
|
+
function checks to see if the syscall from a particular notification request is
|
|
51
|
+
still valid, i.e. if the task is still alive. See NOTES below for details on
|
|
52
|
+
race conditions.
|
|
53
|
+
.P
|
|
54
|
+
The
|
|
55
|
+
.BR seccomp_notify_fd ()
|
|
56
|
+
returns the notification fd of a filter after it has been loaded.
|
|
57
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
58
|
+
.SH RETURN VALUE
|
|
59
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
60
|
+
The
|
|
61
|
+
.BR seccomp_notify_fd ()
|
|
62
|
+
returns the notification fd of the loaded filter.
|
|
63
|
+
.P
|
|
64
|
+
The
|
|
65
|
+
.BR seccomp_notify_id_valid ()
|
|
66
|
+
returns 0 if the id is valid, and -ENOENT if it is not.
|
|
67
|
+
.P
|
|
68
|
+
The
|
|
69
|
+
.BR seccomp_notify_alloc (),
|
|
70
|
+
.BR seccomp_notify_receive (),
|
|
71
|
+
and
|
|
72
|
+
.BR seccomp_notify_respond ()
|
|
73
|
+
functions return zero on success, or one of the following error codes on
|
|
74
|
+
failure:
|
|
75
|
+
.TP
|
|
76
|
+
.B -ECANCELED
|
|
77
|
+
There was a system failure beyond the control of the library, check the
|
|
78
|
+
\fIerrno\fP value for more information.
|
|
79
|
+
.TP
|
|
80
|
+
.B -EFAULT
|
|
81
|
+
Internal libseccomp failure.
|
|
82
|
+
.TP
|
|
83
|
+
.B -ENOMEM
|
|
84
|
+
The library was unable to allocate enough memory.
|
|
85
|
+
.TP
|
|
86
|
+
.B -EOPNOTSUPP
|
|
87
|
+
The library doesn't support the particular operation.
|
|
88
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
89
|
+
.SH NOTES
|
|
90
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
91
|
+
.P
|
|
92
|
+
Care should be taken to avoid two different time of check/time of use errors.
|
|
93
|
+
First, after opening any resources relevant to the pid for a notification (e.g.
|
|
94
|
+
/proc/pid/mem for reading tracee memory to make policy decisions), applications
|
|
95
|
+
should call
|
|
96
|
+
.BR seccomp_notify_id_valid ()
|
|
97
|
+
to make sure that the resources the application has opened correspond to the
|
|
98
|
+
right pid, i.e. that the pid didn't die and a different task take its place.
|
|
99
|
+
.P
|
|
100
|
+
Second, the classic time of check/time of use issue with seccomp memory should
|
|
101
|
+
also be avoided: applications should copy any memory they wish to use to make
|
|
102
|
+
decisions from the tracee into its own address space before applying any policy
|
|
103
|
+
decisions, since a multi-threaded tracee may edit the memory at any time,
|
|
104
|
+
including after it's used to make a policy decision.
|
|
105
|
+
.P
|
|
106
|
+
A complete example of how to avoid these two races is available in the Linux
|
|
107
|
+
Kernel source tree at
|
|
108
|
+
.BR /samples/seccomp/user-trap.c.
|
|
109
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
110
|
+
.SH AUTHOR
|
|
111
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
112
|
+
Tycho Andersen <tycho@tycho.ws>
|
|
113
|
+
.\" //////////////////////////////////////////////////////////////////////////
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
.so man3/seccomp_notify_alloc.3
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
.TH "seccomp_rule_add" 3 "
|
|
1
|
+
.TH "seccomp_rule_add" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
|
|
2
2
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
3
3
|
.SH NAME
|
|
4
4
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
@@ -87,6 +87,17 @@ do guarantee the same behavior regardless of the architecture.
|
|
|
87
87
|
The newly added filter rule does not take effect until the entire filter is
|
|
88
88
|
loaded into the kernel using
|
|
89
89
|
.BR seccomp_load (3).
|
|
90
|
+
When adding rules to a filter, it is important to consider the impact of
|
|
91
|
+
previously loaded filters; see the
|
|
92
|
+
.BR seccomp_load (3)
|
|
93
|
+
documentation for more information.
|
|
94
|
+
.P
|
|
95
|
+
All of the filter rules supplied by the calling application are combined into
|
|
96
|
+
a union, with additional logic to eliminate redundant syscall filters. For
|
|
97
|
+
example, if a rule is added which allows a given syscall with a specific set of
|
|
98
|
+
argument values and later a rule is added which allows the same syscall
|
|
99
|
+
regardless the argument values then the first, more specific rule, is
|
|
100
|
+
effectively dropped from the filter by the second more generic rule.
|
|
90
101
|
.P
|
|
91
102
|
The
|
|
92
103
|
.BR SCMP_CMP (),
|
|
@@ -120,6 +131,18 @@ macros and use the variants which are explicitly 32 or 64-bit. This should
|
|
|
120
131
|
help eliminate problems caused by an unwanted sign extension of negative datum
|
|
121
132
|
values.
|
|
122
133
|
.P
|
|
134
|
+
If syscall argument comparisons are included in the filter rule, all of the
|
|
135
|
+
comparisons must be true for the rule to match.
|
|
136
|
+
.P
|
|
137
|
+
When adding syscall argument comparisons to the filter it is important to
|
|
138
|
+
remember that while it is possible to have multiple comparisons in a single
|
|
139
|
+
rule, you can only compare each argument once in a single rule. In other words,
|
|
140
|
+
you can not have multiple comparisons of the 3rd syscall argument in a single
|
|
141
|
+
rule.
|
|
142
|
+
.P
|
|
143
|
+
In a filter containing multiple architectures, it is an error to add a filter
|
|
144
|
+
rule for a syscall that does not exist in all of the filter's architectures.
|
|
145
|
+
.P
|
|
123
146
|
While it is possible to specify the
|
|
124
147
|
.I syscall
|
|
125
148
|
value directly using the standard
|
|
@@ -127,7 +150,10 @@ value directly using the standard
|
|
|
127
150
|
values, in order to ensure proper operation across multiple architectures it
|
|
128
151
|
is highly recommended to use the
|
|
129
152
|
.BR SCMP_SYS ()
|
|
130
|
-
macro instead. See the EXAMPLES section below.
|
|
153
|
+
macro instead. See the EXAMPLES section below. It is also important to
|
|
154
|
+
remember that regardless of the architectures present in the filter, the
|
|
155
|
+
syscall numbers used in filter rules are interpreted in the context of the
|
|
156
|
+
native architecture.
|
|
131
157
|
.P
|
|
132
158
|
Starting with Linux v4.8, there may be a need to create a rule with a syscall
|
|
133
159
|
value of -1 to allow tracing programs to skip a syscall invocation; in order
|
|
@@ -259,12 +285,47 @@ SCMP_CMP(
|
|
|
259
285
|
.SH RETURN VALUE
|
|
260
286
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
261
287
|
The
|
|
288
|
+
.BR SCMP_SYS ()
|
|
289
|
+
macro returns a value suitable for use as the
|
|
290
|
+
.I syscall
|
|
291
|
+
value in the
|
|
292
|
+
.BR seccomp_rule_add* ()
|
|
293
|
+
functions. In a similar manner, the
|
|
294
|
+
.BR SCMP_CMP ()
|
|
295
|
+
and
|
|
296
|
+
.BR SCMP_A* ()
|
|
297
|
+
macros return values suitable for use as argument comparisons in the
|
|
298
|
+
.BR seccomp_rule_add ()
|
|
299
|
+
and
|
|
300
|
+
.BR seccomp_rule_add_exact ()
|
|
301
|
+
functions.
|
|
302
|
+
.P
|
|
303
|
+
The
|
|
262
304
|
.BR seccomp_rule_add (),
|
|
263
305
|
.BR seccomp_rule_add_array (),
|
|
264
306
|
.BR seccomp_rule_add_exact (),
|
|
265
307
|
and
|
|
266
308
|
.BR seccomp_rule_add_exact_array ()
|
|
267
|
-
functions return zero on success
|
|
309
|
+
functions return zero on success or one of the following error codes on
|
|
310
|
+
failure:
|
|
311
|
+
.TP
|
|
312
|
+
.B -EDOM
|
|
313
|
+
Architecture specific failure.
|
|
314
|
+
.TP
|
|
315
|
+
.B -EEXIST
|
|
316
|
+
The rule already exists.
|
|
317
|
+
.TP
|
|
318
|
+
.B -EFAULT
|
|
319
|
+
Internal libseccomp failure.
|
|
320
|
+
.TP
|
|
321
|
+
.B -EINVAL
|
|
322
|
+
Invalid input, either the context or architecture token is invalid.
|
|
323
|
+
.TP
|
|
324
|
+
.B -ENOMEM
|
|
325
|
+
The library was unable to allocate enough memory.
|
|
326
|
+
.TP
|
|
327
|
+
.B -EOPNOTSUPP
|
|
328
|
+
The library doesn't support the particular operation.
|
|
268
329
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
269
330
|
.SH EXAMPLES
|
|
270
331
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
.TH "seccomp_syscall_priority" 3 "
|
|
1
|
+
.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
|
|
2
2
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
3
3
|
.SH NAME
|
|
4
4
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
@@ -53,13 +53,28 @@ is the value returned by the call to
|
|
|
53
53
|
.SH RETURN VALUE
|
|
54
54
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
55
55
|
The
|
|
56
|
-
.BR seccomp_syscall_priority ()
|
|
57
|
-
function returns zero on success, negative errno values on failure. The
|
|
58
56
|
.BR SCMP_SYS ()
|
|
59
57
|
macro returns a value suitable for use as the
|
|
60
58
|
.I syscall
|
|
61
59
|
value in
|
|
62
60
|
.BR seccomp_syscall_priority ().
|
|
61
|
+
.P
|
|
62
|
+
The
|
|
63
|
+
.BR seccomp_syscall_priority ()
|
|
64
|
+
function returns zero on success or one of the following error codes on
|
|
65
|
+
failure:
|
|
66
|
+
.TP
|
|
67
|
+
.B -EDOM
|
|
68
|
+
Architecture specific failure.
|
|
69
|
+
.TP
|
|
70
|
+
.B -EFAULT
|
|
71
|
+
Internal libseccomp failure.
|
|
72
|
+
.TP
|
|
73
|
+
.B -EINVAL
|
|
74
|
+
Invalid input, either the context or architecture token is invalid.
|
|
75
|
+
.TP
|
|
76
|
+
.B -ENOMEM
|
|
77
|
+
The library was unable to allocate enough memory.
|
|
63
78
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
64
79
|
.SH EXAMPLES
|
|
65
80
|
.\" //////////////////////////////////////////////////////////////////////////
|
|
@@ -272,6 +272,9 @@
|
|
|
272
272
|
#define __PNR_timerfd_gettime64 -10238
|
|
273
273
|
#define __PNR_timerfd_settime64 -10239
|
|
274
274
|
#define __PNR_utimensat_time64 -10240
|
|
275
|
+
#define __PNR_ppoll -10241
|
|
276
|
+
#define __PNR_renameat -10242
|
|
277
|
+
#define __PNR_riscv_flush_icache -10243
|
|
275
278
|
|
|
276
279
|
/*
|
|
277
280
|
* libseccomp syscall definitions
|
|
@@ -1359,6 +1362,12 @@
|
|
|
1359
1362
|
#define __SNR_poll __PNR_poll
|
|
1360
1363
|
#endif
|
|
1361
1364
|
|
|
1365
|
+
#ifdef __NR_ppoll
|
|
1366
|
+
#define __SNR_ppoll __NR_ppoll
|
|
1367
|
+
#else
|
|
1368
|
+
#define __SNR_ppoll __PNR_ppoll
|
|
1369
|
+
#endif
|
|
1370
|
+
|
|
1362
1371
|
#ifdef __NR_ppoll_time64
|
|
1363
1372
|
#define __SNR_ppoll_time64 __NR_ppoll_time64
|
|
1364
1373
|
#else
|
|
@@ -1487,7 +1496,11 @@
|
|
|
1487
1496
|
#define __SNR_rename __PNR_rename
|
|
1488
1497
|
#endif
|
|
1489
1498
|
|
|
1499
|
+
#ifdef __NR_renameat
|
|
1490
1500
|
#define __SNR_renameat __NR_renameat
|
|
1501
|
+
#else
|
|
1502
|
+
#define __SNR_renameat __PNR_renameat
|
|
1503
|
+
#endif
|
|
1491
1504
|
|
|
1492
1505
|
#define __SNR_renameat2 __NR_renameat2
|
|
1493
1506
|
|
|
@@ -1495,6 +1508,12 @@
|
|
|
1495
1508
|
|
|
1496
1509
|
#define __SNR_restart_syscall __NR_restart_syscall
|
|
1497
1510
|
|
|
1511
|
+
#ifdef __NR_riscv_flush_icache
|
|
1512
|
+
#define __SNR_riscv_flush_icache __NR_riscv_flush_icache
|
|
1513
|
+
#else
|
|
1514
|
+
#define __SNR_riscv_flush_icache __PNR_riscv_flush_icache
|
|
1515
|
+
#endif
|
|
1516
|
+
|
|
1498
1517
|
#ifdef __NR_rmdir
|
|
1499
1518
|
#define __SNR_rmdir __NR_rmdir
|
|
1500
1519
|
#else
|
|
@@ -27,6 +27,8 @@
|
|
|
27
27
|
#include <inttypes.h>
|
|
28
28
|
#include <asm/unistd.h>
|
|
29
29
|
#include <linux/audit.h>
|
|
30
|
+
#include <linux/types.h>
|
|
31
|
+
#include <linux/seccomp.h>
|
|
30
32
|
|
|
31
33
|
#ifdef __cplusplus
|
|
32
34
|
extern "C" {
|
|
@@ -66,6 +68,15 @@ enum scmp_filter_attr {
|
|
|
66
68
|
SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
|
|
67
69
|
SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
|
|
68
70
|
SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
|
|
71
|
+
SCMP_FLTATR_CTL_SSB = 7, /**< disable SSB mitigation */
|
|
72
|
+
SCMP_FLTATR_CTL_OPTIMIZE = 8, /**< filter optimization level:
|
|
73
|
+
* 0 - currently unused
|
|
74
|
+
* 1 - rules weighted by priority and
|
|
75
|
+
* complexity (DEFAULT)
|
|
76
|
+
* 2 - binary tree sorted by syscall
|
|
77
|
+
* number
|
|
78
|
+
*/
|
|
79
|
+
SCMP_FLTATR_API_SYSRAWRC = 9, /**< return the system return codes */
|
|
69
80
|
_SCMP_FLTATR_MAX,
|
|
70
81
|
};
|
|
71
82
|
|
|
@@ -193,6 +204,18 @@ struct scmp_arg_cmp {
|
|
|
193
204
|
#define SCMP_ARCH_PARISC AUDIT_ARCH_PARISC
|
|
194
205
|
#define SCMP_ARCH_PARISC64 AUDIT_ARCH_PARISC64
|
|
195
206
|
|
|
207
|
+
/**
|
|
208
|
+
* The RISC-V architecture tokens
|
|
209
|
+
*/
|
|
210
|
+
/* RISC-V support for audit was merged in 5.0-rc1 */
|
|
211
|
+
#ifndef AUDIT_ARCH_RISCV64
|
|
212
|
+
#ifndef EM_RISCV
|
|
213
|
+
#define EM_RISCV 243
|
|
214
|
+
#endif /* EM_RISCV */
|
|
215
|
+
#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
|
|
216
|
+
#endif /* AUDIT_ARCH_RISCV64 */
|
|
217
|
+
#define SCMP_ARCH_RISCV64 AUDIT_ARCH_RISCV64
|
|
218
|
+
|
|
196
219
|
/**
|
|
197
220
|
* Convert a syscall name into the associated syscall number
|
|
198
221
|
* @param x the syscall name
|
|
@@ -319,6 +342,10 @@ struct scmp_arg_cmp {
|
|
|
319
342
|
* Throw a SIGSYS signal
|
|
320
343
|
*/
|
|
321
344
|
#define SCMP_ACT_TRAP 0x00030000U
|
|
345
|
+
/**
|
|
346
|
+
* Notifies userspace
|
|
347
|
+
*/
|
|
348
|
+
#define SCMP_ACT_NOTIFY 0x7fc00000U
|
|
322
349
|
/**
|
|
323
350
|
* Return the specified error code
|
|
324
351
|
*/
|
|
@@ -336,6 +363,25 @@ struct scmp_arg_cmp {
|
|
|
336
363
|
*/
|
|
337
364
|
#define SCMP_ACT_ALLOW 0x7fff0000U
|
|
338
365
|
|
|
366
|
+
/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
|
|
367
|
+
#ifndef SECCOMP_RET_USER_NOTIF
|
|
368
|
+
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
|
|
369
|
+
|
|
370
|
+
struct seccomp_notif {
|
|
371
|
+
__u64 id;
|
|
372
|
+
__u32 pid;
|
|
373
|
+
__u32 flags;
|
|
374
|
+
struct seccomp_data data;
|
|
375
|
+
};
|
|
376
|
+
|
|
377
|
+
struct seccomp_notif_resp {
|
|
378
|
+
__u64 id;
|
|
379
|
+
__s64 val;
|
|
380
|
+
__s32 error;
|
|
381
|
+
__u32 flags;
|
|
382
|
+
};
|
|
383
|
+
#endif
|
|
384
|
+
|
|
339
385
|
/*
|
|
340
386
|
* functions
|
|
341
387
|
*/
|
|
@@ -368,6 +414,9 @@ const struct scmp_version *seccomp_version(void);
|
|
|
368
414
|
* 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
|
|
369
415
|
* support for the SCMP_ACT_LOG action
|
|
370
416
|
* support for the SCMP_ACT_KILL_PROCESS action
|
|
417
|
+
* 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute
|
|
418
|
+
* 5 : support for the SCMP_ACT_NOTIFY action and notify APIs
|
|
419
|
+
* 6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs
|
|
371
420
|
*
|
|
372
421
|
*/
|
|
373
422
|
unsigned int seccomp_api_get(void);
|
|
@@ -672,6 +721,73 @@ int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
|
|
|
672
721
|
unsigned int arg_cnt,
|
|
673
722
|
const struct scmp_arg_cmp *arg_array);
|
|
674
723
|
|
|
724
|
+
/**
|
|
725
|
+
* Allocate a pair of notification request/response structures
|
|
726
|
+
* @param req the request location
|
|
727
|
+
* @param resp the response location
|
|
728
|
+
*
|
|
729
|
+
* This function allocates a pair of request/response structure by computing
|
|
730
|
+
* the correct sized based on the currently running kernel. It returns zero on
|
|
731
|
+
* success, and negative values on failure.
|
|
732
|
+
*
|
|
733
|
+
*/
|
|
734
|
+
int seccomp_notify_alloc(struct seccomp_notif **req,
|
|
735
|
+
struct seccomp_notif_resp **resp);
|
|
736
|
+
|
|
737
|
+
/**
|
|
738
|
+
* Free a pair of notification request/response structures.
|
|
739
|
+
* @param req the request location
|
|
740
|
+
* @param resp the response location
|
|
741
|
+
*/
|
|
742
|
+
void seccomp_notify_free(struct seccomp_notif *req,
|
|
743
|
+
struct seccomp_notif_resp *resp);
|
|
744
|
+
|
|
745
|
+
/**
|
|
746
|
+
* Receive a notification from a seccomp notification fd
|
|
747
|
+
* @param fd the notification fd
|
|
748
|
+
* @param req the request buffer to save into
|
|
749
|
+
*
|
|
750
|
+
* Blocks waiting for a notification on this fd. This function is thread safe
|
|
751
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
|
752
|
+
* negative values on error.
|
|
753
|
+
*
|
|
754
|
+
*/
|
|
755
|
+
int seccomp_notify_receive(int fd, struct seccomp_notif *req);
|
|
756
|
+
|
|
757
|
+
/**
|
|
758
|
+
* Send a notification response to a seccomp notification fd
|
|
759
|
+
* @param fd the notification fd
|
|
760
|
+
* @param resp the response buffer to use
|
|
761
|
+
*
|
|
762
|
+
* Sends a notification response on this fd. This function is thread safe
|
|
763
|
+
* (synchronization is performed in the kernel). Returns zero on success,
|
|
764
|
+
* negative values on error.
|
|
765
|
+
*
|
|
766
|
+
*/
|
|
767
|
+
int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp);
|
|
768
|
+
|
|
769
|
+
/**
|
|
770
|
+
* Check if a notification id is still valid
|
|
771
|
+
* @param fd the notification fd
|
|
772
|
+
* @param id the id to test
|
|
773
|
+
*
|
|
774
|
+
* Checks to see if a notification id is still valid. Returns 0 on success, and
|
|
775
|
+
* negative values on failure.
|
|
776
|
+
*
|
|
777
|
+
*/
|
|
778
|
+
int seccomp_notify_id_valid(int fd, uint64_t id);
|
|
779
|
+
|
|
780
|
+
/**
|
|
781
|
+
* Return the notification fd from a filter that has already been loaded
|
|
782
|
+
* @param ctx the filter context
|
|
783
|
+
*
|
|
784
|
+
* This returns the listener fd that was generated when the seccomp policy was
|
|
785
|
+
* loaded. This is only valid after seccomp_load() with a filter that makes
|
|
786
|
+
* use of SCMP_ACT_NOTIFY.
|
|
787
|
+
*
|
|
788
|
+
*/
|
|
789
|
+
int seccomp_notify_fd(const scmp_filter_ctx ctx);
|
|
790
|
+
|
|
675
791
|
/**
|
|
676
792
|
* Generate seccomp Pseudo Filter Code (PFC) and export it to a file
|
|
677
793
|
* @param ctx the filter context
|