script_core 0.2.2 → 0.2.7

Files changed (376)
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +41 -45
  3. data/.travis.yml +2 -1
  4. data/Gemfile +3 -3
  5. data/README.md +7 -1
  6. data/bootstrap.sh +2 -2
  7. data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
  8. data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
  9. data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
  10. data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
  11. data/ext/enterprise_script_service/libseccomp/README.md +21 -1
  12. data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
  13. data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
  14. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
  15. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
  16. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
  17. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
  18. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
  19. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
  20. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
  21. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
  22. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
  23. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
  24. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
  25. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
  26. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
  27. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
  28. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
  29. data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
  30. data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
  31. data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
  32. data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
  33. data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
  34. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
  35. data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
  36. data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
  37. data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
  38. data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
  39. data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
  40. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
  41. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
  42. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
  43. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
  44. data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
  45. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
  46. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
  47. data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
  48. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
  49. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
  50. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
  51. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
  52. data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
  53. data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
  54. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
  55. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
  56. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
  57. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
  58. data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
  59. data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
  60. data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
  61. data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
  62. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
  63. data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
  64. data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
  65. data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
  66. data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
  67. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
  68. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
  69. data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
  70. data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
  71. data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
  72. data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
  73. data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
  74. data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
  75. data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
  76. data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
  77. data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
  78. data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
  79. data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
  80. data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
  81. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
  82. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
  83. data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
  84. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
  85. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
  86. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
  87. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
  88. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
  89. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
  90. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
  91. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
  92. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
  93. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
  94. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
  95. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
  96. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
  97. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
  98. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
  99. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
  100. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
  101. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
  102. data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
  103. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
  104. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
  105. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
  106. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
  107. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
  108. data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
  109. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
  110. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
  111. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
  112. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
  113. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
  114. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
  115. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
  116. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
  117. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
  118. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
  119. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
  120. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
  121. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
  122. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
  123. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
  124. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
  125. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
  126. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
  127. data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
  128. data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
  129. data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
  130. data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
  131. data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
  132. data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
  133. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
  134. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
  135. data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
  136. data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
  137. data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
  138. data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
  139. data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
  140. data/ext/enterprise_script_service/mruby/.gitignore +3 -0
  141. data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
  142. data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
  143. data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
  144. data/ext/enterprise_script_service/mruby/LICENSE +1 -1
  145. data/ext/enterprise_script_service/mruby/README.md +6 -2
  146. data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
  147. data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
  148. data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
  149. data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
  150. data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
  151. data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
  152. data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
  153. data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
  154. data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
  155. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
  156. data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
  157. data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
  158. data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
  159. data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
  160. data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
  161. data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
  162. data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
  163. data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
  164. data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
  165. data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
  166. data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
  167. data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
  168. data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
  169. data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
  170. data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
  171. data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
  172. data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
  173. data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
  174. data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
  175. data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
  176. data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
  177. data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
  178. data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
  179. data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
  180. data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
  181. data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
  182. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
  183. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
  184. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
  185. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
  186. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
  187. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
  188. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
  189. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
  190. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
  191. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
  192. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
  193. data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
  194. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
  195. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
  196. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
  197. data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
  198. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
  199. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
  200. data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
  201. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
  202. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
  203. data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
  204. data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
  205. data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
  206. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
  207. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
  208. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
  209. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
  210. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
  211. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
  212. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
  213. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
  214. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
  215. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
  216. data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
  217. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
  218. data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
  219. data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
  220. data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
  221. data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
  222. data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
  223. data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
  224. data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
  225. data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
  226. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
  227. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
  228. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
  229. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
  230. data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
  231. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
  232. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
  233. data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
  234. data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
  235. data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
  236. data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
  237. data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
  238. data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
  239. data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
  240. data/ext/enterprise_script_service/mruby/src/array.c +25 -11
  241. data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
  242. data/ext/enterprise_script_service/mruby/src/class.c +48 -32
  243. data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
  244. data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
  245. data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
  246. data/ext/enterprise_script_service/mruby/src/error.c +58 -7
  247. data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
  248. data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
  249. data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
  250. data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
  251. data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
  252. data/ext/enterprise_script_service/mruby/src/load.c +56 -30
  253. data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
  254. data/ext/enterprise_script_service/mruby/src/object.c +23 -5
  255. data/ext/enterprise_script_service/mruby/src/print.c +27 -3
  256. data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
  257. data/ext/enterprise_script_service/mruby/src/range.c +4 -12
  258. data/ext/enterprise_script_service/mruby/src/state.c +34 -11
  259. data/ext/enterprise_script_service/mruby/src/string.c +93 -56
  260. data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
  261. data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
  262. data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
  263. data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
  264. data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
  265. data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
  266. data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
  267. data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
  268. data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
  269. data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
  270. data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
  271. data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
  272. data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
  273. data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
  274. data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
  275. data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
  276. data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
  277. data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
  278. data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
  279. data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
  280. data/ext/enterprise_script_service/msgpack/README.md +3 -2
  281. data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
  282. data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
  283. data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
  284. data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
  285. data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
  286. data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
  287. data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
  288. data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
  289. data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
  290. data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
  291. data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
  292. data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
  293. data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
  294. data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
  295. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
  296. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
  297. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
  298. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
  299. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
  300. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
  301. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
  302. data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
  303. data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
  304. data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
  305. data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
  306. data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
  307. data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
  308. data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
  309. data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
  310. data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
  311. data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
  312. data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
  313. data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
  314. data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
  315. data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
  316. data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
  317. data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
  318. data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
  319. data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
  320. data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
  321. data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
  322. data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
  323. data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
  324. data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
  325. data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
  326. data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
  327. data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
  328. data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
  329. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
  330. data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
  331. data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
  332. data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
  333. data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
  334. data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
  335. data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
  336. data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
  337. data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
  338. data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
  339. data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
  340. data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
  341. data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
  342. data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
  343. data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
  344. data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
  345. data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
  346. data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
  347. data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
  348. data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
  349. data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
  350. data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
  351. data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
  352. data/lib/script_core/engine.rb +24 -5
  353. data/lib/script_core/executable.rb +4 -3
  354. data/lib/script_core/result.rb +1 -5
  355. data/lib/script_core/service_channel.rb +1 -0
  356. data/lib/script_core/version.rb +1 -1
  357. data/lib/tasks/script_core.rake +3 -1
  358. data/script_core.gemspec +2 -2
  359. data/spec/dummy/app/lib/script_engine.rb +64 -5
  360. metadata +68 -30
  361. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
  362. data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
  363. data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
  364. data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
  365. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
  366. data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
  367. data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
  368. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
  369. data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
  370. data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
  371. data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
  372. data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
  373. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
  374. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
  375. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
  376. data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
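--- a/data/ext/enterprise_script_service/libseccomp/src/.gitignore
+++ b/data/ext/enterprise_script_service/libseccomp/src/.gitignore
@@ -1,3 +1,5 @@
  libseccomp.a
  arch-syscall-check
  arch-syscall-dump
+ syscalls.perf
+ syscalls.perf.c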
@@ -31,21 +31,26 @@ SOURCES_ALL = \
31
31
  hash.h hash.c \
32
32
  db.h db.c \
33
33
  arch.c arch.h \
34
- arch-x86.h arch-x86.c arch-x86-syscalls.c \
35
- arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \
36
- arch-x32.h arch-x32.c arch-x32-syscalls.c \
37
- arch-arm.h arch-arm.c arch-arm-syscalls.c \
38
- arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \
39
- arch-mips.h arch-mips.c arch-mips-syscalls.c \
40
- arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \
41
- arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \
42
- arch-parisc.h arch-parisc.c arch-parisc64.c arch-parisc-syscalls.c \
43
- arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \
44
- arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \
45
- arch-s390.h arch-s390.c arch-s390-syscalls.c \
46
- arch-s390x.h arch-s390x.c arch-s390x-syscalls.c
47
-
48
- EXTRA_DIST = arch-syscall-validate
34
+ arch-x86.h arch-x86.c \
35
+ arch-x86_64.h arch-x86_64.c \
36
+ arch-x32.h arch-x32.c \
37
+ arch-arm.h arch-arm.c \
38
+ arch-aarch64.h arch-aarch64.c \
39
+ arch-mips.h arch-mips.c \
40
+ arch-mips64.h arch-mips64.c \
41
+ arch-mips64n32.h arch-mips64n32.c \
42
+ arch-parisc.h arch-parisc.c \
43
+ arch-parisc64.h arch-parisc64.c \
44
+ arch-ppc.h arch-ppc.c \
45
+ arch-ppc64.h arch-ppc64.c \
46
+ arch-riscv64.h arch-riscv64.c \
47
+ arch-s390.h arch-s390.c \
48
+ arch-s390x.h arch-s390x.c \
49
+ syscalls.h syscalls.c syscalls.perf.c
50
+
51
+ EXTRA_DIST = \
52
+ arch-syscall-validate arch-gperf-generate \
53
+ syscalls.csv syscalls.perf.template
49
54
 
50
55
  TESTS = arch-syscall-check
51
56
 
@@ -60,12 +65,21 @@ arch_syscall_check_CFLAGS = ${CODE_COVERAGE_CFLAGS}
60
65
  arch_syscall_check_LDFLAGS = ${CODE_COVERAGE_LDFLAGS}
61
66
 
62
67
  libseccomp_la_SOURCES = ${SOURCES_ALL}
63
- libseccomp_la_CPPFLAGS = ${AM_CPPFLAGS} ${CODE_COVERAGE_CPPFLAGS} \
64
- -I${top_builddir}/include
68
+ libseccomp_la_CPPFLAGS = ${AM_CPPFLAGS} ${CODE_COVERAGE_CPPFLAGS}
65
69
  libseccomp_la_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS} ${CFLAGS} \
66
70
  -fPIC -DPIC -fvisibility=hidden
67
71
  libseccomp_la_LDFLAGS = ${AM_LDFLAGS} ${CODE_COVERAGE_LDFLAGS} ${LDFLAGS} \
68
72
  -version-number ${VERSION_MAJOR}:${VERSION_MINOR}:${VERSION_MICRO}
69
73
 
74
+ EXTRA_DIST += syscalls.perf.c syscalls.perf
75
+ CLEANFILES = syscalls.perf.c syscalls.perf
76
+
77
+ syscalls.perf: syscalls.csv syscalls.perf.template
78
+ ${AM_V_GEN} ${srcdir}/arch-gperf-generate \
79
+ ${srcdir}/syscalls.csv ${srcdir}/syscalls.perf.template
80
+
81
+ syscalls.perf.c: syscalls.perf
82
+ ${GPERF} -m 100 --null-strings --pic -tCEG -T -S1 $< > $@
83
+
70
84
  check-build:
71
85
  ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS}
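Review bot: The new `syscalls.perf.c` rule redirects gperf straight into its target (`${GPERF} ... $< > $@`), so when gperf exits non-zero the shell has already created a truncated `syscalls.perf.c`, and because make does not remove a target on recipe failure unless `.DELETE_ON_ERROR` is declared, the next build treats the broken table as up to date. Given that this file is presumably the generated syscall-name lookup the library resolves names through, a silently truncated table is a worse outcome than a build break. Write to a temporary and rename only on success, `${GPERF} -m 100 --null-strings --pic -tCEG -T -S1 $< > $@.tmp && mv $@.tmp $@`, or add a `.DELETE_ON_ERROR:` line to this Makefile. The same concern applies to the `syscalls.perf` rule if `arch-gperf-generate` writes its output in place, which cannot be seen from here.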
@@ -27,6 +27,7 @@
27
27
  #include <stdlib.h>
28
28
  #include <string.h>
29
29
  #include <stdbool.h>
30
+ #include <sys/ioctl.h>
30
31
 
31
32
  #include <seccomp.h>
32
33
 
@@ -34,6 +35,7 @@
34
35
  #include "db.h"
35
36
  #include "gen_pfc.h"
36
37
  #include "gen_bpf.h"
38
+ #include "helper.h"
37
39
  #include "system.h"
38
40
 
39
41
  #define API __attribute__((visibility("default")))
@@ -46,6 +48,72 @@ const struct scmp_version library_version = {
46
48
 
47
49
  unsigned int seccomp_api_level = 0;
48
50
 
51
+ /**
52
+ * Filter the error codes we send back to callers
53
+ * @param err the error code
54
+ *
55
+ * We consider error codes part of our API so we want to make sure we don't
56
+ * accidentally send an undocumented error code to our callers. This function
57
+ * helps with that.
58
+ *
59
+ */
60
+ static int _rc_filter(int err)
61
+ {
62
+ /* pass through success values */
63
+ if (err >= 0)
64
+ return err;
65
+
66
+ /* filter the error codes */
67
+ switch (err) {
68
+ case -EACCES:
69
+ /* NOTE: operation is not permitted by libseccomp */
70
+ case -ECANCELED:
71
+ /* NOTE: kernel level error that is beyond the control of
72
+ * libseccomp */
73
+ case -EDOM:
74
+ /* NOTE: failure due to arch/ABI */
75
+ case -EEXIST:
76
+ /* NOTE: operation failed due to existing rule or filter */
77
+ case -EINVAL:
78
+ /* NOTE: invalid input to the libseccomp API */
79
+ case -ENOENT:
80
+ /* NOTE: no matching entry found */
81
+ case -ENOMEM:
82
+ /* NOTE: unable to allocate enough memory to perform the
83
+ * requested operation */
84
+ case -EOPNOTSUPP:
85
+ /* NOTE: operation is not supported */
86
+ case -ESRCH:
87
+ /* NOTE: operation failed due to multi-threading */
88
+ return err;
89
+ default:
90
+ /* NOTE: this is the default "internal libseccomp error"
91
+ * error code, it is our catch-all */
92
+ return -EFAULT;
93
+ }
94
+ }
95
+
96
+ /**
97
+ * Filter the system error codes we send back to callers
98
+ * @param col the filter collection
99
+ * @param err the error code
100
+ *
101
+ * This is similar to _rc_filter(), but it first checks the filter attribute
102
+ * to determine if we should be filtering the return codes.
103
+ *
104
+ */
105
+ static int _rc_filter_sys(struct db_filter_col *col, int err)
106
+ {
107
+ /* pass through success values */
108
+ if (err >= 0)
109
+ return err;
110
+
111
+ /* pass the return code if the SCMP_FLTATR_API_SYSRAWRC is true */
112
+ if (db_col_attr_read(col, SCMP_FLTATR_API_SYSRAWRC))
113
+ return err;
114
+ return -ECANCELED;
115
+ }
116
+
49
117
  /**
50
118
  * Validate a filter context
51
119
  * @param ctx the filter context
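Review bot: The `default:` branch of `_rc_filter()` rewrites every errno not in its allowlist to -EFAULT, and -EPERM is absent from that list (apparently on purpose, since the rule-add paths in this version switch to -EACCES), so any internal path that still yields -EPERM, or a kernel code such as -EBUSY, surfaces to callers as EFAULT and is indistinguishable from a genuine internal fault. That is a defensible API contract, but neither header comment says so; suggest adding to the `_rc_filter()` comment `* Any code not listed below (including -EPERM, which older releases returned) is collapsed to -EFAULT; keep this list in sync with the documented return values.` The `_rc_filter_sys()` comment should likewise state that when SCMP_FLTATR_API_SYSRAWRC is unset the system errno is discarded and -ECANCELED is returned instead, since that is the behavior a caller debugging a failed export will be surprised by.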
@@ -97,17 +165,29 @@ static unsigned int _seccomp_api_update(void)
97
165
 
98
166
  /* NOTE: level 1 is the base level, start checking at 2 */
99
167
 
100
- /* level 2 */
101
168
  if (sys_chk_seccomp_syscall() &&
102
169
  sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC) == 1)
103
170
  level = 2;
104
171
 
105
- /* level 3 */
106
172
  if (level == 2 &&
107
173
  sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG) == 1 &&
108
- sys_chk_seccomp_action(SCMP_ACT_LOG) == 1)
174
+ sys_chk_seccomp_action(SCMP_ACT_LOG) == 1 &&
175
+ sys_chk_seccomp_action(SCMP_ACT_KILL_PROCESS) == 1)
109
176
  level = 3;
110
177
 
178
+ if (level == 3 &&
179
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 1)
180
+ level = 4;
181
+
182
+ if (level == 4 &&
183
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER) == 1 &&
184
+ sys_chk_seccomp_action(SCMP_ACT_NOTIFY) == 1)
185
+ level = 5;
186
+
187
+ if (level == 5 &&
188
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH) == 1)
189
+ level = 6;
190
+
111
191
  /* update the stored api level and return */
112
192
  seccomp_api_level = level;
113
193
  return seccomp_api_level;
@@ -136,6 +216,10 @@ API int seccomp_api_set(unsigned int level)
136
216
  sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
137
217
  sys_set_seccomp_action(SCMP_ACT_LOG, false);
138
218
  sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, false);
219
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, false);
220
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, false);
221
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, false);
222
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, false);
139
223
  break;
140
224
  case 2:
141
225
  sys_set_seccomp_syscall(true);
@@ -143,6 +227,10 @@ API int seccomp_api_set(unsigned int level)
143
227
  sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
144
228
  sys_set_seccomp_action(SCMP_ACT_LOG, false);
145
229
  sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, false);
230
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, false);
231
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, false);
232
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, false);
233
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, false);
146
234
  break;
147
235
  case 3:
148
236
  sys_set_seccomp_syscall(true);
@@ -150,19 +238,59 @@ API int seccomp_api_set(unsigned int level)
150
238
  sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
151
239
  sys_set_seccomp_action(SCMP_ACT_LOG, true);
152
240
  sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
241
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, false);
242
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, false);
243
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, false);
244
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, false);
245
+ break;
246
+ case 4:
247
+ sys_set_seccomp_syscall(true);
248
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
249
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
250
+ sys_set_seccomp_action(SCMP_ACT_LOG, true);
251
+ sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
252
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, true);
253
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, false);
254
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, false);
255
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, false);
256
+ break;
257
+ case 5:
258
+ sys_set_seccomp_syscall(true);
259
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
260
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
261
+ sys_set_seccomp_action(SCMP_ACT_LOG, true);
262
+ sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
263
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, true);
264
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, true);
265
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, true);
266
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, false);
267
+ break;
268
+ case 6:
269
+ sys_set_seccomp_syscall(true);
270
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
271
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
272
+ sys_set_seccomp_action(SCMP_ACT_LOG, true);
273
+ sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
274
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, true);
275
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER, true);
276
+ sys_set_seccomp_action(SCMP_ACT_NOTIFY, true);
277
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH, true);
153
278
  break;
154
279
  default:
155
- return -EINVAL;
280
+ return _rc_filter(-EINVAL);
156
281
  }
157
282
 
158
283
  seccomp_api_level = level;
159
- return 0;
284
+ return _rc_filter(0);
160
285
  }
161
286
 
162
287
  /* NOTE - function header comment in include/seccomp.h */
163
288
  API scmp_filter_ctx seccomp_init(uint32_t def_action)
164
289
  {
165
- if (db_action_valid(def_action) < 0)
290
+ /* force a runtime api level detection */
291
+ _seccomp_api_update();
292
+
293
+ if (db_col_action_valid(NULL, def_action) < 0)
166
294
  return NULL;
167
295
 
168
296
  return db_col_init(def_action);
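Review bot: `seccomp_init()` now calls `_seccomp_api_update()` unconditionally, and the visible tail of that function stores freshly probed values into `seccomp_api_level`, so unless the part of `_seccomp_api_update()` above its hunk returns early when a level is already set, a level pinned by `seccomp_api_set()` is silently replaced on the next `seccomp_init()`; the "force a runtime api level detection" wording suggests the re-probe is intended, which makes the interaction with `seccomp_api_set()` worth stating either way. Suggest making the comment precise: `/* re-detect the api level; NOTE: this overrides any level pinned via seccomp_api_set() */`, or, if the early return exists above, `/* detect the api level if it has not been set yet */`. Both `seccomp_api_set()` (starts above) and `seccomp_init()` (closing brace below) extend outside this hunk.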
@@ -173,10 +301,11 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
173
301
  {
174
302
  struct db_filter_col *col = (struct db_filter_col *)ctx;
175
303
 
176
- if (ctx == NULL || db_action_valid(def_action) < 0)
177
- return -EINVAL;
304
+ /* use a NULL filter collection here since we are resetting it */
305
+ if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
306
+ return _rc_filter(-EINVAL);
178
307
 
179
- return db_col_reset(col, def_action);
308
+ return _rc_filter(db_col_reset(col, def_action));
180
309
  }
181
310
 
182
311
  /* NOTE - function header comment in include/seccomp.h */
@@ -186,22 +315,21 @@ API void seccomp_release(scmp_filter_ctx ctx)
186
315
  }
187
316
 
188
317
  /* NOTE - function header comment in include/seccomp.h */
189
- API int seccomp_merge(scmp_filter_ctx ctx_dst,
190
- scmp_filter_ctx ctx_src)
318
+ API int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src)
191
319
  {
192
320
  struct db_filter_col *col_dst = (struct db_filter_col *)ctx_dst;
193
321
  struct db_filter_col *col_src = (struct db_filter_col *)ctx_src;
194
322
 
195
323
  if (db_col_valid(col_dst) || db_col_valid(col_src))
196
- return -EINVAL;
324
+ return _rc_filter(-EINVAL);
197
325
 
198
326
  /* NOTE: only the default action, NNP, and TSYNC settings must match */
199
327
  if ((col_dst->attr.act_default != col_src->attr.act_default) ||
200
328
  (col_dst->attr.nnp_enable != col_src->attr.nnp_enable) ||
201
329
  (col_dst->attr.tsync_enable != col_src->attr.tsync_enable))
202
- return -EINVAL;
330
+ return _rc_filter(-EINVAL);
203
331
 
204
- return db_col_merge(col_dst, col_src);
332
+ return _rc_filter(db_col_merge(col_dst, col_src));
205
333
  }
206
334
 
207
335
  /* NOTE - function header comment in include/seccomp.h */
@@ -226,8 +354,7 @@ API uint32_t seccomp_arch_native(void)
226
354
  }
227
355
 
228
356
  /* NOTE - function header comment in include/seccomp.h */
229
- API int seccomp_arch_exist(const scmp_filter_ctx ctx,
230
- uint32_t arch_token)
357
+ API int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token)
231
358
  {
232
359
  struct db_filter_col *col = (struct db_filter_col *)ctx;
233
360
 
@@ -235,9 +362,9 @@ API int seccomp_arch_exist(const scmp_filter_ctx ctx,
235
362
  arch_token = arch_def_native->token;
236
363
 
237
364
  if (arch_valid(arch_token))
238
- return -EINVAL;
365
+ return _rc_filter(-EINVAL);
239
366
 
240
- return (db_col_arch_exist(col, arch_token) ? 0 : -EEXIST);
367
+ return _rc_filter((db_col_arch_exist(col, arch_token) ? 0 : -EEXIST));
241
368
  }
242
369
 
243
370
  /* NOTE - function header comment in include/seccomp.h */
@@ -251,11 +378,11 @@ API int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token)
251
378
 
252
379
  arch = arch_def_lookup(arch_token);
253
380
  if (arch == NULL)
254
- return -EINVAL;
381
+ return _rc_filter(-EINVAL);
255
382
  if (db_col_arch_exist(col, arch_token))
256
- return -EEXIST;
383
+ return _rc_filter(-EEXIST);
257
384
 
258
- return db_col_db_new(col, arch);
385
+ return _rc_filter(db_col_db_new(col, arch));
259
386
  }
260
387
 
261
388
  /* NOTE - function header comment in include/seccomp.h */
@@ -267,23 +394,25 @@ API int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token)
267
394
  arch_token = arch_def_native->token;
268
395
 
269
396
  if (arch_valid(arch_token))
270
- return -EINVAL;
397
+ return _rc_filter(-EINVAL);
271
398
  if (db_col_arch_exist(col, arch_token) != -EEXIST)
272
- return -EEXIST;
399
+ return _rc_filter(-EEXIST);
273
400
 
274
- return db_col_db_remove(col, arch_token);
401
+ return _rc_filter(db_col_db_remove(col, arch_token));
275
402
  }
276
403
 
277
404
  /* NOTE - function header comment in include/seccomp.h */
278
405
  API int seccomp_load(const scmp_filter_ctx ctx)
279
406
  {
280
407
  struct db_filter_col *col;
408
+ bool rawrc;
281
409
 
282
410
  if (_ctx_valid(ctx))
283
- return -EINVAL;
411
+ return _rc_filter(-EINVAL);
284
412
  col = (struct db_filter_col *)ctx;
285
413
 
286
- return sys_filter_load(col);
414
+ rawrc = db_col_attr_read(col, SCMP_FLTATR_API_SYSRAWRC);
415
+ return _rc_filter(sys_filter_load(col, rawrc));
287
416
  }
288
417
 
289
418
  /* NOTE - function header comment in include/seccomp.h */
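Review bot: In `seccomp_load()` the raw-return-code preference is read into `rawrc` and passed to `sys_filter_load()`, but the result is then still routed through `_rc_filter()`, whose allowlist collapses anything outside EACCES/ECANCELED/EDOM/EEXIST/EINVAL/ENOENT/ENOMEM/EOPNOTSUPP/ESRCH to -EFAULT; a kernel code such as -EBUSY (documented by seccomp(2) for listener/TSYNC conflicts) or -ENOSYS would therefore never reach a caller who explicitly enabled SCMP_FLTATR_API_SYSRAWRC, unlike `seccomp_export_pfc()`/`seccomp_export_bpf()`, which pass system errors through `_rc_filter_sys()`. Whether `sys_filter_load()` already translates these itself cannot be seen from here, but if it returns the raw errno the wrapper should honor the attribute, e.g. `rc = sys_filter_load(col, rawrc); return rawrc ? rc : _rc_filter(rc);`. The `seccomp_load(3)` man page should then list which errno values a caller may see when the attribute is set.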
@@ -291,9 +420,10 @@ API int seccomp_attr_get(const scmp_filter_ctx ctx,
291
420
  enum scmp_filter_attr attr, uint32_t *value)
292
421
  {
293
422
  if (_ctx_valid(ctx))
294
- return -EINVAL;
423
+ return _rc_filter(-EINVAL);
295
424
 
296
- return db_col_attr_get((const struct db_filter_col *)ctx, attr, value);
425
+ return _rc_filter(db_col_attr_get((const struct db_filter_col *)ctx,
426
+ attr, value));
297
427
  }
298
428
 
299
429
  /* NOTE - function header comment in include/seccomp.h */
@@ -301,9 +431,10 @@ API int seccomp_attr_set(scmp_filter_ctx ctx,
301
431
  enum scmp_filter_attr attr, uint32_t value)
302
432
  {
303
433
  if (_ctx_valid(ctx))
304
- return -EINVAL;
434
+ return _rc_filter(-EINVAL);
305
435
 
306
- return db_col_attr_set((struct db_filter_col *)ctx, attr, value);
436
+ return _rc_filter(db_col_attr_set((struct db_filter_col *)ctx,
437
+ attr, value));
307
438
  }
308
439
 
309
440
  /* NOTE - function header comment in include/seccomp.h */
@@ -391,9 +522,9 @@ API int seccomp_syscall_priority(scmp_filter_ctx ctx,
391
522
  struct db_filter_col *col = (struct db_filter_col *)ctx;
392
523
 
393
524
  if (db_col_valid(col) || _syscall_valid(col, syscall))
394
- return -EINVAL;
525
+ return _rc_filter(-EINVAL);
395
526
 
396
- return db_col_syscall_priority(col, syscall, priority);
527
+ return _rc_filter(db_col_syscall_priority(col, syscall, priority));
397
528
  }
398
529
 
399
530
  /* NOTE - function header comment in include/seccomp.h */
@@ -406,20 +537,21 @@ API int seccomp_rule_add_array(scmp_filter_ctx ctx,
406
537
  struct db_filter_col *col = (struct db_filter_col *)ctx;
407
538
 
408
539
  if (arg_cnt > ARG_COUNT_MAX)
409
- return -EINVAL;
540
+ return _rc_filter(-EINVAL);
410
541
  if (arg_cnt > 0 && arg_array == NULL)
411
- return -EINVAL;
542
+ return _rc_filter(-EINVAL);
412
543
 
413
544
  if (db_col_valid(col) || _syscall_valid(col, syscall))
414
- return -EINVAL;
545
+ return _rc_filter(-EINVAL);
415
546
 
416
- rc = db_action_valid(action);
547
+ rc = db_col_action_valid(col, action);
417
548
  if (rc < 0)
418
- return rc;
549
+ return _rc_filter(rc);
419
550
  if (action == col->attr.act_default)
420
- return -EPERM;
551
+ return _rc_filter(-EACCES);
421
552
 
422
- return db_col_rule_add(col, 0, action, syscall, arg_cnt, arg_array);
553
+ return _rc_filter(db_col_rule_add(col, 0, action,
554
+ syscall, arg_cnt, arg_array));
423
555
  }
424
556
 
425
557
  /* NOTE - function header comment in include/seccomp.h */
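Review bot: `seccomp_rule_add_array()` now returns -EACCES instead of -EPERM when the requested action equals the filter's default action, and because `_rc_filter()` has no -EPERM case any residual -EPERM would come back as -EFAULT, so a caller that tests for EPERM on this path — including whatever code in enterprise_script_service builds the sandbox filter, which is not visible here — will misclassify the error after this vendored bump. The same substitution is made in `seccomp_rule_add_exact_array()`. Worth grepping the gem's own C/C++ for `EPERM` before shipping and noting the change in the gem's changelog, since the bundled libseccomp CHANGELOG only describes it from upstream's perspective. `seccomp_rule_add_array()` begins above this hunk.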
@@ -434,7 +566,7 @@ API int seccomp_rule_add(scmp_filter_ctx ctx,
434
566
 
435
567
  /* arg_cnt is unsigned, so no need to check the lower bound */
436
568
  if (arg_cnt > ARG_COUNT_MAX)
437
- return -EINVAL;
569
+ return _rc_filter(-EINVAL);
438
570
 
439
571
  va_start(arg_list, arg_cnt);
440
572
  for (iter = 0; iter < arg_cnt; ++iter)
@@ -442,7 +574,7 @@ API int seccomp_rule_add(scmp_filter_ctx ctx,
442
574
  rc = seccomp_rule_add_array(ctx, action, syscall, arg_cnt, arg_array);
443
575
  va_end(arg_list);
444
576
 
445
- return rc;
577
+ return _rc_filter(rc);
446
578
  }
447
579
 
448
580
  /* NOTE - function header comment in include/seccomp.h */
@@ -455,23 +587,24 @@ API int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
455
587
  struct db_filter_col *col = (struct db_filter_col *)ctx;
456
588
 
457
589
  if (arg_cnt > ARG_COUNT_MAX)
458
- return -EINVAL;
590
+ return _rc_filter(-EINVAL);
459
591
  if (arg_cnt > 0 && arg_array == NULL)
460
- return -EINVAL;
592
+ return _rc_filter(-EINVAL);
461
593
 
462
594
  if (db_col_valid(col) || _syscall_valid(col, syscall))
463
- return -EINVAL;
595
+ return _rc_filter(-EINVAL);
464
596
 
465
- rc = db_action_valid(action);
597
+ rc = db_col_action_valid(col, action);
466
598
  if (rc < 0)
467
- return rc;
599
+ return _rc_filter(rc);
468
600
  if (action == col->attr.act_default)
469
- return -EPERM;
601
+ return _rc_filter(-EACCES);
470
602
 
471
603
  if (col->filter_cnt > 1)
472
- return -EOPNOTSUPP;
604
+ return _rc_filter(-EOPNOTSUPP);
473
605
 
474
- return db_col_rule_add(col, 1, action, syscall, arg_cnt, arg_array);
606
+ return _rc_filter(db_col_rule_add(col, 1, action,
607
+ syscall, arg_cnt, arg_array));
475
608
  }
476
609
 
477
610
  /* NOTE - function header comment in include/seccomp.h */
@@ -486,7 +619,7 @@ API int seccomp_rule_add_exact(scmp_filter_ctx ctx,
486
619
 
487
620
  /* arg_cnt is unsigned, so no need to check the lower bound */
488
621
  if (arg_cnt > ARG_COUNT_MAX)
489
- return -EINVAL;
622
+ return _rc_filter(-EINVAL);
490
623
 
491
624
  va_start(arg_list, arg_cnt);
492
625
  for (iter = 0; iter < arg_cnt; ++iter)
@@ -495,34 +628,97 @@ API int seccomp_rule_add_exact(scmp_filter_ctx ctx,
495
628
  action, syscall, arg_cnt, arg_array);
496
629
  va_end(arg_list);
497
630
 
498
- return rc;
631
+ return _rc_filter(rc);
632
+ }
633
+
634
+ /* NOTE - function header comment in include/seccomp.h */
635
+ API int seccomp_notify_alloc(struct seccomp_notif **req,
636
+ struct seccomp_notif_resp **resp)
637
+ {
638
+ /* force a runtime api level detection */
639
+ _seccomp_api_update();
640
+
641
+ return _rc_filter(sys_notify_alloc(req, resp));
642
+ }
643
+
644
+ /* NOTE - function header comment in include/seccomp.h */
645
+ API void seccomp_notify_free(struct seccomp_notif *req,
646
+ struct seccomp_notif_resp *resp)
647
+ {
648
+ if (req)
649
+ free(req);
650
+ if (resp)
651
+ free(resp);
652
+ }
653
+
654
+ /* NOTE - function header comment in include/seccomp.h */
655
+ API int seccomp_notify_receive(int fd, struct seccomp_notif *req)
656
+ {
657
+ return _rc_filter(sys_notify_receive(fd, req));
658
+ }
659
+
660
+ /* NOTE - function header comment in include/seccomp.h */
661
+ API int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp)
662
+ {
663
+ return _rc_filter(sys_notify_respond(fd, resp));
664
+ }
665
+
666
+ /* NOTE - function header comment in include/seccomp.h */
667
+ API int seccomp_notify_id_valid(int fd, uint64_t id)
668
+ {
669
+ /* force a runtime api level detection */
670
+ _seccomp_api_update();
671
+
672
+ return _rc_filter(sys_notify_id_valid(fd, id));
673
+ }
674
+
675
+ /* NOTE - function header comment in include/seccomp.h */
676
+ API int seccomp_notify_fd(const scmp_filter_ctx ctx)
677
+ {
678
+ struct db_filter_col *col;
679
+
680
+ /* force a runtime api level detection */
681
+ _seccomp_api_update();
682
+
683
+ if (_ctx_valid(ctx))
684
+ return _rc_filter(-EINVAL);
685
+ col = (struct db_filter_col *)ctx;
686
+
687
+ return _rc_filter(col->notify_fd);
499
688
  }
500
689
 
501
690
  /* NOTE - function header comment in include/seccomp.h */
502
691
  API int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd)
503
692
  {
693
+ int rc;
694
+ struct db_filter_col *col;
695
+
504
696
  if (_ctx_valid(ctx))
505
- return -EINVAL;
697
+ return _rc_filter(-EINVAL);
698
+ col = (struct db_filter_col *)ctx;
506
699
 
507
- return gen_pfc_generate((struct db_filter_col *)ctx, fd);
700
+ rc = gen_pfc_generate(col, fd);
701
+ return _rc_filter_sys(col, rc);
508
702
  }
509
703
 
510
704
  /* NOTE - function header comment in include/seccomp.h */
511
705
  API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
512
706
  {
513
707
  int rc;
708
+ struct db_filter_col *col;
514
709
  struct bpf_program *program;
515
710
 
516
711
  if (_ctx_valid(ctx))
517
- return -EINVAL;
712
+ return _rc_filter(-EINVAL);
713
+ col = (struct db_filter_col *)ctx;
518
714
 
519
- program = gen_bpf_generate((struct db_filter_col *)ctx);
520
- if (program == NULL)
521
- return -ENOMEM;
715
+ rc = gen_bpf_generate(col, &program);
716
+ if (rc < 0)
717
+ return _rc_filter(rc);
522
718
  rc = write(fd, program->blks, BPF_PGM_SIZE(program));
523
719
  gen_bpf_release(program);
524
720
  if (rc < 0)
525
- return -errno;
721
+ return _rc_filter_sys(col, -errno);
526
722
 
527
723
  return 0;
528
724
  }
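Review bot: In `seccomp_export_bpf()` the new error path reads `errno` only after `gen_bpf_release(program)` has run, so if that helper frees memory or makes any other libc call that can alter errno, the value handed to `_rc_filter_sys()` is stale; capture it immediately after `write()`. The same `write()` is also treated as success when it returns fewer bytes than `BPF_PGM_SIZE(program)` (only `rc < 0` is checked), which leaves a truncated filter on disk while the caller is told the export worked. Separately, `seccomp_notify_fd()` passes `col->notify_fd` through `_rc_filter()`; if an unset descriptor is stored as a negative sentinel such as -1, it will be rewritten to -EFAULT and "no listener attached" becomes indistinguishable from an internal error — the initial value of `notify_fd` is not visible here, so this is worth confirming against `db_col_init()`.
```c
	rc = write(fd, program->blks, BPF_PGM_SIZE(program));
	if (rc < 0)
		rc = -errno;	/* capture before release() can disturb errno */
	else if ((size_t)rc != BPF_PGM_SIZE(program))
		rc = -EIO;	/* short write: the exported program is truncated */
	gen_bpf_release(program);
	if (rc < 0)
		return _rc_filter_sys(col, rc);

	return 0;
```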