script_core 0.2.2 → 0.2.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +41 -45
- data/.travis.yml +2 -1
- data/Gemfile +3 -3
- data/README.md +7 -1
- data/bootstrap.sh +2 -2
- data/ext/enterprise_script_service/libseccomp/.travis.yml +24 -12
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +32 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +11 -0
- data/ext/enterprise_script_service/libseccomp/README.md +21 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +19 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +10 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +4 -3
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c +48 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py +38 -0
- data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +34 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +10 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/Makefile.am +0 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +4 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/build.yml +106 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/main.yml +24 -0
- data/ext/enterprise_script_service/mruby/.gitignore +3 -0
- data/ext/enterprise_script_service/mruby/.travis.yml +6 -9
- data/ext/enterprise_script_service/mruby/AUTHORS +1 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/LICENSE +1 -1
- data/ext/enterprise_script_service/mruby/README.md +6 -2
- data/ext/enterprise_script_service/mruby/appveyor.yml +9 -12
- data/ext/enterprise_script_service/mruby/appveyor_config.rb +9 -0
- data/ext/enterprise_script_service/mruby/build_config.rb +6 -6
- data/ext/enterprise_script_service/mruby/doc/guides/compile.md +6 -2
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/mrbconf.md +4 -8
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/doc/opcode.md +108 -95
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_ArduinoDue.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelEdison.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_IntelGalileo.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_RX630.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_chipKITMax32.rb +2 -2
- data/ext/enterprise_script_service/mruby/examples/targets/build_config_dreamcast_shelf.rb +108 -0
- data/ext/enterprise_script_service/mruby/include/mrbconf.h +10 -7
- data/ext/enterprise_script_service/mruby/include/mruby.h +24 -9
- data/ext/enterprise_script_service/mruby/include/mruby/array.h +4 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_nan.h +11 -2
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -10
- data/ext/enterprise_script_service/mruby/include/mruby/common.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/compile.h +11 -3
- data/ext/enterprise_script_service/mruby/include/mruby/dump.h +1 -17
- data/ext/enterprise_script_service/mruby/include/mruby/irep.h +10 -0
- data/ext/enterprise_script_service/mruby/include/mruby/istruct.h +4 -1
- data/ext/enterprise_script_service/mruby/include/mruby/khash.h +23 -5
- data/ext/enterprise_script_service/mruby/include/mruby/numeric.h +1 -0
- data/ext/enterprise_script_service/mruby/include/mruby/ops.h +3 -2
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/string.h +2 -1
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +32 -41
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +4 -4
- data/ext/enterprise_script_service/mruby/lib/mruby/build.rb +2 -30
- data/ext/enterprise_script_service/mruby/lib/mruby/build/command.rb +21 -46
- data/ext/enterprise_script_service/mruby/lib/mruby/gem.rb +9 -0
- data/ext/enterprise_script_service/mruby/lib/mruby/source.rb +3 -1
- data/ext/enterprise_script_service/mruby/mrbgems/default.gembox +7 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/mrblib/array.rb +0 -31
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/test/array.rb +0 -13
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-config/mrbgem.rake +5 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdb.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-debugger/tools/mrdb/mrdbconf.h +5 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +7 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +24 -21
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/mrbgem.rake +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-strip/tools/mruby-strip/mruby-strip.c +6 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-class-ext/src/class.c +6 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/codegen.c +76 -48
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/parse.y +107 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/core/y.tab.c +13153 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-compiler/mrbgem.rake +13 -15
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-error/src/exception.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +3 -214
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/test/eval.rb +21 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-hash-ext/src/hash-ext.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/include/mruby/ext/io.h +39 -7
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrbgem.rake +2 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/file_constants.rb +0 -16
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/mrblib/io.rb +7 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +77 -32
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +18 -36
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +324 -122
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/file.rb +18 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/io.rb +32 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/test/mruby_io_test.c +57 -49
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/src/metaprog.c +15 -17
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-metaprog/test/metaprog.rb +9 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-object-ext/src/object.c +3 -12
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-pack/src/pack.c +113 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +6 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-proc-ext/src/proc.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/src/rational.c +9 -9
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sleep/src/mrb_sleep.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/mrbgem.rake +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-socket/test/sockettest.c +3 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +62 -25
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/test/sprintf.rb +5 -23
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +4 -5
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-symbol-ext/src/symbol.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-test/mrbgem.rake +1 -0
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +11 -15
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/mrblib/hash.rb +3 -3
- data/ext/enterprise_script_service/mruby/src/array.c +25 -11
- data/ext/enterprise_script_service/mruby/src/backtrace.c +2 -2
- data/ext/enterprise_script_service/mruby/src/class.c +48 -32
- data/ext/enterprise_script_service/mruby/src/codedump.c +4 -0
- data/ext/enterprise_script_service/mruby/src/debug.c +8 -5
- data/ext/enterprise_script_service/mruby/src/dump.c +3 -65
- data/ext/enterprise_script_service/mruby/src/error.c +58 -7
- data/ext/enterprise_script_service/mruby/src/etc.c +13 -5
- data/ext/enterprise_script_service/mruby/src/fmt_fp.c +98 -21
- data/ext/enterprise_script_service/mruby/src/gc.c +15 -280
- data/ext/enterprise_script_service/mruby/src/hash.c +13 -21
- data/ext/enterprise_script_service/mruby/src/kernel.c +6 -9
- data/ext/enterprise_script_service/mruby/src/load.c +56 -30
- data/ext/enterprise_script_service/mruby/src/numeric.c +50 -70
- data/ext/enterprise_script_service/mruby/src/object.c +23 -5
- data/ext/enterprise_script_service/mruby/src/print.c +27 -3
- data/ext/enterprise_script_service/mruby/src/proc.c +26 -7
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/state.c +34 -11
- data/ext/enterprise_script_service/mruby/src/string.c +93 -56
- data/ext/enterprise_script_service/mruby/src/symbol.c +13 -12
- data/ext/enterprise_script_service/mruby/src/vm.c +48 -53
- data/ext/enterprise_script_service/mruby/tasks/gitlab.rake +19 -22
- data/ext/enterprise_script_service/mruby/tasks/mrbgems.rake +1 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/android.rake +46 -1
- data/ext/enterprise_script_service/mruby/tasks/toolchains/gcc.rake +3 -3
- data/ext/enterprise_script_service/mruby/tasks/toolchains/openwrt.rake +6 -6
- data/ext/enterprise_script_service/mruby/tasks/toolchains/visualcpp.rake +8 -8
- data/ext/enterprise_script_service/mruby/test/assert.rb +5 -4
- data/ext/enterprise_script_service/mruby/test/t/ensure.rb +8 -26
- data/ext/enterprise_script_service/mruby/test/t/exception.rb +2 -2
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +15 -24
- data/ext/enterprise_script_service/mruby/travis_config.rb +0 -14
- data/ext/enterprise_script_service/msgpack/.github/depends/boost.sh +56 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/coverage.yml +62 -0
- data/ext/enterprise_script_service/msgpack/.github/workflows/gha.yml +304 -0
- data/ext/enterprise_script_service/msgpack/CHANGELOG.md +11 -0
- data/ext/enterprise_script_service/msgpack/CMakeLists.txt +82 -39
- data/ext/enterprise_script_service/msgpack/Files.cmake +22 -12
- data/ext/enterprise_script_service/msgpack/QUICKSTART-C.md +26 -29
- data/ext/enterprise_script_service/msgpack/README.md +3 -2
- data/ext/enterprise_script_service/msgpack/appveyor.yml +6 -2
- data/ext/enterprise_script_service/msgpack/ci/build_cmake.sh +3 -1
- data/ext/enterprise_script_service/msgpack/cmake/CodeCoverage.cmake +55 -0
- data/ext/enterprise_script_service/msgpack/codecov.yml +36 -0
- data/ext/enterprise_script_service/msgpack/example/CMakeLists.txt +9 -5
- data/ext/enterprise_script_service/msgpack/example/boost/CMakeLists.txt +1 -1
- data/ext/enterprise_script_service/msgpack/example/c/CMakeLists.txt +17 -6
- data/ext/enterprise_script_service/msgpack/example/c/boundary.c +296 -0
- data/ext/enterprise_script_service/msgpack/example/c/jsonconv.c +419 -0
- data/ext/enterprise_script_service/msgpack/example/c/simple_c.c +1 -1
- data/ext/enterprise_script_service/msgpack/example/cpp03/CMakeLists.txt +3 -3
- data/ext/enterprise_script_service/msgpack/example/cpp11/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/example/x3/CMakeLists.txt +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/pack.h +24 -1
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/array_ref.hpp +5 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/boost/optional.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/cpp17/vector_byte.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/map.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/vector_unsigned_char.hpp +8 -8
- data/ext/enterprise_script_service/msgpack/include/msgpack/v1/adaptor/wstring.hpp +4 -4
- data/ext/enterprise_script_service/msgpack/include/msgpack/v3/unpack.hpp +6 -6
- data/ext/enterprise_script_service/msgpack/include/msgpack/version_master.h +2 -2
- data/ext/enterprise_script_service/msgpack/include/msgpack/zbuffer.h +4 -4
- data/ext/enterprise_script_service/msgpack/make_file_list.sh +38 -11
- data/ext/enterprise_script_service/msgpack/src/vrefbuffer.c +6 -0
- data/ext/enterprise_script_service/msgpack/test/CMakeLists.txt +86 -64
- data/ext/enterprise_script_service/msgpack/test/array_ref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_fusion.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_optional.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_string_ref.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/boost_string_view.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/boost_variant.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/buffer.cpp +4 -47
- data/ext/enterprise_script_service/msgpack/test/buffer_c.cpp +148 -0
- data/ext/enterprise_script_service/msgpack/test/carray.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/cases.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/convert.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/fixint.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fixint_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/fuzz_unpack_pack_fuzzer_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/iterator_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/json.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/limit.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/msgpack_basic.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_c.cpp +159 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_container.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp11.cpp +32 -27
- data/ext/enterprise_script_service/msgpack/test/msgpack_cpp17.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_stream.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_tuple.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/msgpack_vref.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/msgpack_x3_parse.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/object.cpp +4 -1
- data/ext/enterprise_script_service/msgpack/test/object_with_zone.cpp +12 -8
- data/ext/enterprise_script_service/msgpack/test/pack_unpack.cpp +30 -26
- data/ext/enterprise_script_service/msgpack/test/pack_unpack_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/raw.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/reference_wrapper_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/shared_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/size_equal_only.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/streaming.cpp +8 -4
- data/ext/enterprise_script_service/msgpack/test/streaming_c.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/unique_ptr_cpp11.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/user_class.cpp +16 -12
- data/ext/enterprise_script_service/msgpack/test/version.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/visitor.cpp +4 -0
- data/ext/enterprise_script_service/msgpack/test/zone.cpp +4 -0
- data/lib/script_core/engine.rb +24 -5
- data/lib/script_core/executable.rb +4 -3
- data/lib/script_core/result.rb +1 -5
- data/lib/script_core/service_channel.rb +1 -0
- data/lib/script_core/version.rb +1 -1
- data/lib/tasks/script_core.rake +3 -1
- data/script_core.gemspec +2 -2
- data/spec/dummy/app/lib/script_engine.rb +64 -5
- metadata +68 -30
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -626
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
- data/ext/enterprise_script_service/msgpack/.travis.yml +0 -258
|
@@ -26,14 +26,48 @@
|
|
|
26
26
|
#include "arch.h"
|
|
27
27
|
#include "arch-x32.h"
|
|
28
28
|
|
|
29
|
+
/**
|
|
30
|
+
* Resolve a syscall name to a number
|
|
31
|
+
* @param name the syscall name
|
|
32
|
+
*
|
|
33
|
+
* Resolve the given syscall name to the syscall number using the syscall table.
|
|
34
|
+
* Returns the syscall number on success, including negative pseudo syscall
|
|
35
|
+
* numbers; returns __NR_SCMP_ERROR on failure.
|
|
36
|
+
*
|
|
37
|
+
*/
|
|
38
|
+
int x32_syscall_resolve_name_munge(const char *name)
|
|
39
|
+
{
|
|
40
|
+
int sys;
|
|
41
|
+
|
|
42
|
+
sys = x32_syscall_resolve_name(name);
|
|
43
|
+
if (sys == __NR_SCMP_ERROR)
|
|
44
|
+
return sys;
|
|
45
|
+
|
|
46
|
+
return (sys | X32_SYSCALL_BIT);
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
/**
|
|
50
|
+
* Resolve a syscall number to a name
|
|
51
|
+
* @param num the syscall number
|
|
52
|
+
*
|
|
53
|
+
* Resolve the given syscall number to the syscall name using the syscall table.
|
|
54
|
+
* Returns a pointer to the syscall name string on success, including pseudo
|
|
55
|
+
* syscall names; returns NULL on failure.
|
|
56
|
+
*
|
|
57
|
+
*/
|
|
58
|
+
const char *x32_syscall_resolve_num_munge(int num)
|
|
59
|
+
{
|
|
60
|
+
return x32_syscall_resolve_num(num & (~X32_SYSCALL_BIT));
|
|
61
|
+
}
|
|
62
|
+
|
|
29
63
|
const struct arch_def arch_def_x32 = {
|
|
30
64
|
.token = SCMP_ARCH_X32,
|
|
31
65
|
/* NOTE: this seems odd but the kernel treats x32 like x86_64 here */
|
|
32
66
|
.token_bpf = AUDIT_ARCH_X86_64,
|
|
33
67
|
.size = ARCH_SIZE_32,
|
|
34
68
|
.endian = ARCH_ENDIAN_LITTLE,
|
|
35
|
-
.syscall_resolve_name =
|
|
36
|
-
.syscall_resolve_num =
|
|
69
|
+
.syscall_resolve_name = x32_syscall_resolve_name_munge,
|
|
70
|
+
.syscall_resolve_num = x32_syscall_resolve_num_munge,
|
|
37
71
|
.syscall_rewrite = NULL,
|
|
38
72
|
.rule_add = NULL,
|
|
39
73
|
};
|
|
@@ -22,18 +22,10 @@
|
|
|
22
22
|
#ifndef _ARCH_X32_H
|
|
23
23
|
#define _ARCH_X32_H
|
|
24
24
|
|
|
25
|
-
#include <inttypes.h>
|
|
26
|
-
|
|
27
25
|
#include "arch.h"
|
|
28
|
-
#include "system.h"
|
|
29
|
-
|
|
30
|
-
#define X32_SYSCALL_BIT 0x40000000
|
|
31
|
-
|
|
32
|
-
extern const struct arch_def arch_def_x32;
|
|
33
26
|
|
|
34
|
-
|
|
35
|
-
const char *x32_syscall_resolve_num(int num);
|
|
27
|
+
#define X32_SYSCALL_BIT 0x40000000
|
|
36
28
|
|
|
37
|
-
|
|
29
|
+
ARCH_DECL(x32)
|
|
38
30
|
|
|
39
31
|
#endif
|
|
@@ -24,6 +24,8 @@
|
|
|
24
24
|
#include <string.h>
|
|
25
25
|
#include <linux/audit.h>
|
|
26
26
|
|
|
27
|
+
#include "db.h"
|
|
28
|
+
#include "syscalls.h"
|
|
27
29
|
#include "arch.h"
|
|
28
30
|
#include "arch-x86.h"
|
|
29
31
|
|
|
@@ -31,16 +33,165 @@
|
|
|
31
33
|
#define __x86_NR_socketcall 102
|
|
32
34
|
#define __x86_NR_ipc 117
|
|
33
35
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
36
|
+
/**
|
|
37
|
+
* Resolve a syscall name to a number
|
|
38
|
+
* @param name the syscall name
|
|
39
|
+
*
|
|
40
|
+
* Resolve the given syscall name to the syscall number using the syscall table.
|
|
41
|
+
* Returns the syscall number on success, including negative pseudo syscall
|
|
42
|
+
* numbers; returns __NR_SCMP_ERROR on failure.
|
|
43
|
+
*
|
|
44
|
+
*/
|
|
45
|
+
int x86_syscall_resolve_name_munge(const char *name)
|
|
46
|
+
{
|
|
47
|
+
if (strcmp(name, "accept") == 0)
|
|
48
|
+
return __PNR_accept;
|
|
49
|
+
else if (strcmp(name, "accept4") == 0)
|
|
50
|
+
return __PNR_accept4;
|
|
51
|
+
else if (strcmp(name, "bind") == 0)
|
|
52
|
+
return __PNR_bind;
|
|
53
|
+
else if (strcmp(name, "connect") == 0)
|
|
54
|
+
return __PNR_connect;
|
|
55
|
+
else if (strcmp(name, "getpeername") == 0)
|
|
56
|
+
return __PNR_getpeername;
|
|
57
|
+
else if (strcmp(name, "getsockname") == 0)
|
|
58
|
+
return __PNR_getsockname;
|
|
59
|
+
else if (strcmp(name, "getsockopt") == 0)
|
|
60
|
+
return __PNR_getsockopt;
|
|
61
|
+
else if (strcmp(name, "listen") == 0)
|
|
62
|
+
return __PNR_listen;
|
|
63
|
+
else if (strcmp(name, "recv") == 0)
|
|
64
|
+
return __PNR_recv;
|
|
65
|
+
else if (strcmp(name, "recvfrom") == 0)
|
|
66
|
+
return __PNR_recvfrom;
|
|
67
|
+
else if (strcmp(name, "recvmsg") == 0)
|
|
68
|
+
return __PNR_recvmsg;
|
|
69
|
+
else if (strcmp(name, "recvmmsg") == 0)
|
|
70
|
+
return __PNR_recvmmsg;
|
|
71
|
+
else if (strcmp(name, "send") == 0)
|
|
72
|
+
return __PNR_send;
|
|
73
|
+
else if (strcmp(name, "sendmsg") == 0)
|
|
74
|
+
return __PNR_sendmsg;
|
|
75
|
+
else if (strcmp(name, "sendmmsg") == 0)
|
|
76
|
+
return __PNR_sendmmsg;
|
|
77
|
+
else if (strcmp(name, "sendto") == 0)
|
|
78
|
+
return __PNR_sendto;
|
|
79
|
+
else if (strcmp(name, "setsockopt") == 0)
|
|
80
|
+
return __PNR_setsockopt;
|
|
81
|
+
else if (strcmp(name, "shutdown") == 0)
|
|
82
|
+
return __PNR_shutdown;
|
|
83
|
+
else if (strcmp(name, "socket") == 0)
|
|
84
|
+
return __PNR_socket;
|
|
85
|
+
else if (strcmp(name, "socketpair") == 0)
|
|
86
|
+
return __PNR_socketpair;
|
|
87
|
+
|
|
88
|
+
if (strcmp(name, "semop") == 0)
|
|
89
|
+
return __PNR_semop;
|
|
90
|
+
else if (strcmp(name, "semget") == 0)
|
|
91
|
+
return __PNR_semget;
|
|
92
|
+
else if (strcmp(name, "semctl") == 0)
|
|
93
|
+
return __PNR_semctl;
|
|
94
|
+
else if (strcmp(name, "semtimedop") == 0)
|
|
95
|
+
return __PNR_semtimedop;
|
|
96
|
+
else if (strcmp(name, "msgsnd") == 0)
|
|
97
|
+
return __PNR_msgsnd;
|
|
98
|
+
else if (strcmp(name, "msgrcv") == 0)
|
|
99
|
+
return __PNR_msgrcv;
|
|
100
|
+
else if (strcmp(name, "msgget") == 0)
|
|
101
|
+
return __PNR_msgget;
|
|
102
|
+
else if (strcmp(name, "msgctl") == 0)
|
|
103
|
+
return __PNR_msgctl;
|
|
104
|
+
else if (strcmp(name, "shmat") == 0)
|
|
105
|
+
return __PNR_shmat;
|
|
106
|
+
else if (strcmp(name, "shmdt") == 0)
|
|
107
|
+
return __PNR_shmdt;
|
|
108
|
+
else if (strcmp(name, "shmget") == 0)
|
|
109
|
+
return __PNR_shmget;
|
|
110
|
+
else if (strcmp(name, "shmctl") == 0)
|
|
111
|
+
return __PNR_shmctl;
|
|
112
|
+
|
|
113
|
+
return x86_syscall_resolve_name(name);
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
/**
|
|
117
|
+
* Resolve a syscall number to a name
|
|
118
|
+
* @param num the syscall number
|
|
119
|
+
*
|
|
120
|
+
* Resolve the given syscall number to the syscall name using the syscall table.
|
|
121
|
+
* Returns a pointer to the syscall name string on success, including pseudo
|
|
122
|
+
* syscall names; returns NULL on failure.
|
|
123
|
+
*
|
|
124
|
+
*/
|
|
125
|
+
const char *x86_syscall_resolve_num_munge(int num)
|
|
126
|
+
{
|
|
127
|
+
if (num == __PNR_accept)
|
|
128
|
+
return "accept";
|
|
129
|
+
else if (num == __PNR_accept4)
|
|
130
|
+
return "accept4";
|
|
131
|
+
else if (num == __PNR_bind)
|
|
132
|
+
return "bind";
|
|
133
|
+
else if (num == __PNR_connect)
|
|
134
|
+
return "connect";
|
|
135
|
+
else if (num == __PNR_getpeername)
|
|
136
|
+
return "getpeername";
|
|
137
|
+
else if (num == __PNR_getsockname)
|
|
138
|
+
return "getsockname";
|
|
139
|
+
else if (num == __PNR_getsockopt)
|
|
140
|
+
return "getsockopt";
|
|
141
|
+
else if (num == __PNR_listen)
|
|
142
|
+
return "listen";
|
|
143
|
+
else if (num == __PNR_recv)
|
|
144
|
+
return "recv";
|
|
145
|
+
else if (num == __PNR_recvfrom)
|
|
146
|
+
return "recvfrom";
|
|
147
|
+
else if (num == __PNR_recvmsg)
|
|
148
|
+
return "recvmsg";
|
|
149
|
+
else if (num == __PNR_recvmmsg)
|
|
150
|
+
return "recvmmsg";
|
|
151
|
+
else if (num == __PNR_send)
|
|
152
|
+
return "send";
|
|
153
|
+
else if (num == __PNR_sendmsg)
|
|
154
|
+
return "sendmsg";
|
|
155
|
+
else if (num == __PNR_sendmmsg)
|
|
156
|
+
return "sendmmsg";
|
|
157
|
+
else if (num == __PNR_sendto)
|
|
158
|
+
return "sendto";
|
|
159
|
+
else if (num == __PNR_setsockopt)
|
|
160
|
+
return "setsockopt";
|
|
161
|
+
else if (num == __PNR_shutdown)
|
|
162
|
+
return "shutdown";
|
|
163
|
+
else if (num == __PNR_socket)
|
|
164
|
+
return "socket";
|
|
165
|
+
else if (num == __PNR_socketpair)
|
|
166
|
+
return "socketpair";
|
|
167
|
+
|
|
168
|
+
if (num == __PNR_semop)
|
|
169
|
+
return "semop";
|
|
170
|
+
else if (num == __PNR_semget)
|
|
171
|
+
return "semget";
|
|
172
|
+
else if (num == __PNR_semctl)
|
|
173
|
+
return "semctl";
|
|
174
|
+
else if (num == __PNR_semtimedop)
|
|
175
|
+
return "semtimedop";
|
|
176
|
+
else if (num == __PNR_msgsnd)
|
|
177
|
+
return "msgsnd";
|
|
178
|
+
else if (num == __PNR_msgrcv)
|
|
179
|
+
return "msgrcv";
|
|
180
|
+
else if (num == __PNR_msgget)
|
|
181
|
+
return "msgget";
|
|
182
|
+
else if (num == __PNR_msgctl)
|
|
183
|
+
return "msgctl";
|
|
184
|
+
else if (num == __PNR_shmat)
|
|
185
|
+
return "shmat";
|
|
186
|
+
else if (num == __PNR_shmdt)
|
|
187
|
+
return "shmdt";
|
|
188
|
+
else if (num == __PNR_shmget)
|
|
189
|
+
return "shmget";
|
|
190
|
+
else if (num == __PNR_shmctl)
|
|
191
|
+
return "shmctl";
|
|
192
|
+
|
|
193
|
+
return x86_syscall_resolve_num(num);
|
|
194
|
+
}
|
|
44
195
|
|
|
45
196
|
/**
|
|
46
197
|
* Convert a multiplexed pseudo syscall into a direct syscall
|
|
@@ -461,3 +612,14 @@ add_return:
|
|
|
461
612
|
free(rule_dup);
|
|
462
613
|
return rc;
|
|
463
614
|
}
|
|
615
|
+
|
|
616
|
+
const struct arch_def arch_def_x86 = {
|
|
617
|
+
.token = SCMP_ARCH_X86,
|
|
618
|
+
.token_bpf = AUDIT_ARCH_I386,
|
|
619
|
+
.size = ARCH_SIZE_32,
|
|
620
|
+
.endian = ARCH_ENDIAN_LITTLE,
|
|
621
|
+
.syscall_resolve_name = x86_syscall_resolve_name_munge,
|
|
622
|
+
.syscall_resolve_num = x86_syscall_resolve_num_munge,
|
|
623
|
+
.syscall_rewrite = x86_syscall_rewrite,
|
|
624
|
+
.rule_add = x86_rule_add,
|
|
625
|
+
};
|
|
@@ -22,21 +22,8 @@
|
|
|
22
22
|
#ifndef _ARCH_X86_H
|
|
23
23
|
#define _ARCH_X86_H
|
|
24
24
|
|
|
25
|
-
#include <stdbool.h>
|
|
26
|
-
|
|
27
25
|
#include "arch.h"
|
|
28
|
-
#include "db.h"
|
|
29
|
-
#include "system.h"
|
|
30
|
-
|
|
31
|
-
extern const struct arch_def arch_def_x86;
|
|
32
|
-
|
|
33
|
-
int x86_syscall_resolve_name(const char *name);
|
|
34
|
-
const char *x86_syscall_resolve_num(int num);
|
|
35
|
-
|
|
36
|
-
const struct arch_syscall_def *x86_syscall_iterate(unsigned int spot);
|
|
37
|
-
|
|
38
|
-
int x86_syscall_rewrite(int *syscall);
|
|
39
26
|
|
|
40
|
-
|
|
27
|
+
ARCH_DECL(x86)
|
|
41
28
|
|
|
42
29
|
#endif
|
|
@@ -22,16 +22,8 @@
|
|
|
22
22
|
#ifndef _ARCH_x86_64_H
|
|
23
23
|
#define _ARCH_x86_64_H
|
|
24
24
|
|
|
25
|
-
#include <inttypes.h>
|
|
26
|
-
|
|
27
25
|
#include "arch.h"
|
|
28
|
-
#include "system.h"
|
|
29
|
-
|
|
30
|
-
extern const struct arch_def arch_def_x86_64;
|
|
31
|
-
|
|
32
|
-
int x86_64_syscall_resolve_name(const char *name);
|
|
33
|
-
const char *x86_64_syscall_resolve_num(int num);
|
|
34
26
|
|
|
35
|
-
|
|
27
|
+
ARCH_DECL(x86_64)
|
|
36
28
|
|
|
37
29
|
#endif
|
|
@@ -39,8 +39,10 @@
|
|
|
39
39
|
#include "arch-mips64.h"
|
|
40
40
|
#include "arch-mips64n32.h"
|
|
41
41
|
#include "arch-parisc.h"
|
|
42
|
+
#include "arch-parisc64.h"
|
|
42
43
|
#include "arch-ppc.h"
|
|
43
44
|
#include "arch-ppc64.h"
|
|
45
|
+
#include "arch-riscv64.h"
|
|
44
46
|
#include "arch-s390.h"
|
|
45
47
|
#include "arch-s390x.h"
|
|
46
48
|
#include "db.h"
|
|
@@ -94,6 +96,8 @@ const struct arch_def *arch_def_native = &arch_def_ppc;
|
|
|
94
96
|
const struct arch_def *arch_def_native = &arch_def_s390x;
|
|
95
97
|
#elif __s390__
|
|
96
98
|
const struct arch_def *arch_def_native = &arch_def_s390;
|
|
99
|
+
#elif __riscv && __riscv_xlen == 64
|
|
100
|
+
const struct arch_def *arch_def_native = &arch_def_riscv64;
|
|
97
101
|
#else
|
|
98
102
|
#error the arch code needs to know about your machine type
|
|
99
103
|
#endif /* machine type guess */
|
|
@@ -156,6 +160,8 @@ const struct arch_def *arch_def_lookup(uint32_t token)
|
|
|
156
160
|
return &arch_def_s390;
|
|
157
161
|
case SCMP_ARCH_S390X:
|
|
158
162
|
return &arch_def_s390x;
|
|
163
|
+
case SCMP_ARCH_RISCV64:
|
|
164
|
+
return &arch_def_riscv64;
|
|
159
165
|
}
|
|
160
166
|
|
|
161
167
|
return NULL;
|
|
@@ -206,6 +212,8 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name)
|
|
|
206
212
|
return &arch_def_s390;
|
|
207
213
|
else if (strcmp(arch_name, "s390x") == 0)
|
|
208
214
|
return &arch_def_s390x;
|
|
215
|
+
else if (strcmp(arch_name, "riscv64") == 0)
|
|
216
|
+
return &arch_def_riscv64;
|
|
209
217
|
|
|
210
218
|
return NULL;
|
|
211
219
|
}
|
|
@@ -367,10 +375,10 @@ int arch_syscall_rewrite(const struct arch_def *arch, int *syscall)
|
|
|
367
375
|
if (sys >= -1) {
|
|
368
376
|
/* we shouldn't be here - no rewrite needed */
|
|
369
377
|
return 0;
|
|
370
|
-
} else if (sys
|
|
371
|
-
/* reserved values */
|
|
378
|
+
} else if (sys > -100) {
|
|
379
|
+
/* -2 to -99 are reserved values */
|
|
372
380
|
return -EINVAL;
|
|
373
|
-
} else if (sys
|
|
381
|
+
} else if (sys > -10000) {
|
|
374
382
|
/* rewritable syscalls */
|
|
375
383
|
if (arch->syscall_rewrite)
|
|
376
384
|
(*arch->syscall_rewrite)(syscall);
|
|
@@ -59,6 +59,13 @@ struct arch_def {
|
|
|
59
59
|
/* arch_def for the current architecture */
|
|
60
60
|
extern const struct arch_def *arch_def_native;
|
|
61
61
|
|
|
62
|
+
/* macro to declare the arch specific structures and functions */
|
|
63
|
+
#define ARCH_DECL(NAME) \
|
|
64
|
+
extern const struct arch_def arch_def_##NAME; \
|
|
65
|
+
int NAME##_syscall_resolve_name(const char *name); \
|
|
66
|
+
const char *NAME##_syscall_resolve_num(int num); \
|
|
67
|
+
const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot);
|
|
68
|
+
|
|
62
69
|
/* syscall name/num mapping */
|
|
63
70
|
struct arch_syscall_def {
|
|
64
71
|
const char *name;
|
|
@@ -841,6 +841,7 @@ static void _db_reset(struct db_filter *db)
|
|
|
841
841
|
}
|
|
842
842
|
db->syscalls = NULL;
|
|
843
843
|
}
|
|
844
|
+
db->syscall_cnt = 0;
|
|
844
845
|
|
|
845
846
|
/* free any rules */
|
|
846
847
|
if (db->rules != NULL) {
|
|
@@ -909,6 +910,9 @@ static void _db_snap_release(struct db_filter_snap *snap)
|
|
|
909
910
|
{
|
|
910
911
|
unsigned int iter;
|
|
911
912
|
|
|
913
|
+
if (snap == NULL)
|
|
914
|
+
return;
|
|
915
|
+
|
|
912
916
|
if (snap->filter_cnt > 0) {
|
|
913
917
|
for (iter = 0; iter < snap->filter_cnt; iter++) {
|
|
914
918
|
if (snap->filters[iter])
|
|
@@ -1053,6 +1057,7 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
|
|
|
1053
1057
|
if (col->filters)
|
|
1054
1058
|
free(col->filters);
|
|
1055
1059
|
col->filters = NULL;
|
|
1060
|
+
col->notify_fd = -1;
|
|
1056
1061
|
|
|
1057
1062
|
/* set the endianess to undefined */
|
|
1058
1063
|
col->endian = 0;
|
|
@@ -1064,9 +1069,16 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
|
|
|
1064
1069
|
col->attr.tsync_enable = 0;
|
|
1065
1070
|
col->attr.api_tskip = 0;
|
|
1066
1071
|
col->attr.log_enable = 0;
|
|
1072
|
+
col->attr.spec_allow = 0;
|
|
1073
|
+
col->attr.optimize = 1;
|
|
1074
|
+
col->attr.api_sysrawrc = 0;
|
|
1067
1075
|
|
|
1068
1076
|
/* set the state */
|
|
1069
1077
|
col->state = _DB_STA_VALID;
|
|
1078
|
+
if (def_action == SCMP_ACT_NOTIFY)
|
|
1079
|
+
col->notify_used = true;
|
|
1080
|
+
else
|
|
1081
|
+
col->notify_used = false;
|
|
1070
1082
|
|
|
1071
1083
|
/* reset the initial db */
|
|
1072
1084
|
db = _db_init(arch_def_native);
|
|
@@ -1128,6 +1140,7 @@ init_failure:
|
|
|
1128
1140
|
void db_col_release(struct db_filter_col *col)
|
|
1129
1141
|
{
|
|
1130
1142
|
unsigned int iter;
|
|
1143
|
+
struct db_filter_snap *snap;
|
|
1131
1144
|
|
|
1132
1145
|
if (col == NULL)
|
|
1133
1146
|
return;
|
|
@@ -1135,6 +1148,13 @@ void db_col_release(struct db_filter_col *col)
|
|
|
1135
1148
|
/* set the state, just in case */
|
|
1136
1149
|
col->state = _DB_STA_FREED;
|
|
1137
1150
|
|
|
1151
|
+
/* free any snapshots */
|
|
1152
|
+
while (col->snapshots != NULL) {
|
|
1153
|
+
snap = col->snapshots;
|
|
1154
|
+
col->snapshots = snap->next;
|
|
1155
|
+
_db_snap_release(snap);
|
|
1156
|
+
}
|
|
1157
|
+
|
|
1138
1158
|
/* free any filters */
|
|
1139
1159
|
for (iter = 0; iter < col->filter_cnt; iter++)
|
|
1140
1160
|
_db_release(col->filters[iter]);
|
|
@@ -1148,30 +1168,42 @@ void db_col_release(struct db_filter_col *col)
|
|
|
1148
1168
|
}
|
|
1149
1169
|
|
|
1150
1170
|
/**
|
|
1151
|
-
* Validate
|
|
1152
|
-
* @param
|
|
1171
|
+
* Validate a filter collection
|
|
1172
|
+
* @param col the seccomp filter collection
|
|
1173
|
+
*
|
|
1174
|
+
* This function validates a seccomp filter collection. Returns zero if the
|
|
1175
|
+
* collection is valid, negative values on failure.
|
|
1153
1176
|
*
|
|
1154
|
-
* Verify that the given action is a valid seccomp action; return zero if
|
|
1155
|
-
* valid, -EINVAL if invalid.
|
|
1156
1177
|
*/
|
|
1157
|
-
int
|
|
1178
|
+
int db_col_valid(struct db_filter_col *col)
|
|
1158
1179
|
{
|
|
1159
|
-
if (
|
|
1180
|
+
if (col != NULL && col->state == _DB_STA_VALID && col->filter_cnt > 0)
|
|
1160
1181
|
return 0;
|
|
1161
1182
|
return -EINVAL;
|
|
1162
1183
|
}
|
|
1163
1184
|
|
|
1164
1185
|
/**
|
|
1165
|
-
* Validate
|
|
1186
|
+
* Validate the seccomp action
|
|
1166
1187
|
* @param col the seccomp filter collection
|
|
1188
|
+
* @param action the seccomp action
|
|
1167
1189
|
*
|
|
1168
|
-
*
|
|
1169
|
-
*
|
|
1170
|
-
*
|
|
1190
|
+
* Verify that the given action is a valid seccomp action; return zero if
|
|
1191
|
+
* valid, -EINVAL if invalid.
|
|
1171
1192
|
*/
|
|
1172
|
-
int
|
|
1193
|
+
int db_col_action_valid(const struct db_filter_col *col, uint32_t action)
|
|
1173
1194
|
{
|
|
1174
|
-
if (col != NULL
|
|
1195
|
+
if (col != NULL) {
|
|
1196
|
+
/* NOTE: in some cases we don't have a filter collection yet,
|
|
1197
|
+
* but when we do we need to do the following checks */
|
|
1198
|
+
|
|
1199
|
+
/* kernel disallows TSYNC and NOTIFY in one filter unless we
|
|
1200
|
+
* have the TSYNC_ESRCH flag */
|
|
1201
|
+
if (sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH) < 1 &&
|
|
1202
|
+
col->attr.tsync_enable && action == SCMP_ACT_NOTIFY)
|
|
1203
|
+
return -EINVAL;
|
|
1204
|
+
}
|
|
1205
|
+
|
|
1206
|
+
if (sys_chk_seccomp_action(action) == 1)
|
|
1175
1207
|
return 0;
|
|
1176
1208
|
return -EINVAL;
|
|
1177
1209
|
}
|
|
@@ -1281,14 +1313,42 @@ int db_col_attr_get(const struct db_filter_col *col,
|
|
|
1281
1313
|
case SCMP_FLTATR_CTL_LOG:
|
|
1282
1314
|
*value = col->attr.log_enable;
|
|
1283
1315
|
break;
|
|
1316
|
+
case SCMP_FLTATR_CTL_SSB:
|
|
1317
|
+
*value = col->attr.spec_allow;
|
|
1318
|
+
break;
|
|
1319
|
+
case SCMP_FLTATR_CTL_OPTIMIZE:
|
|
1320
|
+
*value = col->attr.optimize;
|
|
1321
|
+
break;
|
|
1322
|
+
case SCMP_FLTATR_API_SYSRAWRC:
|
|
1323
|
+
*value = col->attr.api_sysrawrc;
|
|
1324
|
+
break;
|
|
1284
1325
|
default:
|
|
1285
|
-
rc = -
|
|
1326
|
+
rc = -EINVAL;
|
|
1286
1327
|
break;
|
|
1287
1328
|
}
|
|
1288
1329
|
|
|
1289
1330
|
return rc;
|
|
1290
1331
|
}
|
|
1291
1332
|
|
|
1333
|
+
/**
|
|
1334
|
+
* Get a filter attribute
|
|
1335
|
+
* @param col the seccomp filter collection
|
|
1336
|
+
* @param attr the filter attribute
|
|
1337
|
+
*
|
|
1338
|
+
* Returns the requested filter attribute value with zero on any error.
|
|
1339
|
+
* Special care must be given with this function as error conditions can be
|
|
1340
|
+
* hidden from the caller.
|
|
1341
|
+
*
|
|
1342
|
+
*/
|
|
1343
|
+
uint32_t db_col_attr_read(const struct db_filter_col *col,
|
|
1344
|
+
enum scmp_filter_attr attr)
|
|
1345
|
+
{
|
|
1346
|
+
uint32_t value = 0;
|
|
1347
|
+
|
|
1348
|
+
db_col_attr_get(col, attr, &value);
|
|
1349
|
+
return value;
|
|
1350
|
+
}
|
|
1351
|
+
|
|
1292
1352
|
/**
|
|
1293
1353
|
* Set a filter attribute
|
|
1294
1354
|
* @param col the seccomp filter collection
|
|
@@ -1310,7 +1370,7 @@ int db_col_attr_set(struct db_filter_col *col,
|
|
|
1310
1370
|
return -EACCES;
|
|
1311
1371
|
break;
|
|
1312
1372
|
case SCMP_FLTATR_ACT_BADARCH:
|
|
1313
|
-
if (
|
|
1373
|
+
if (db_col_action_valid(col, value) == 0)
|
|
1314
1374
|
col->attr.act_badarch = value;
|
|
1315
1375
|
else
|
|
1316
1376
|
return -EINVAL;
|
|
@@ -1323,6 +1383,11 @@ int db_col_attr_set(struct db_filter_col *col,
|
|
|
1323
1383
|
if (rc == 1) {
|
|
1324
1384
|
/* supported */
|
|
1325
1385
|
rc = 0;
|
|
1386
|
+
/* kernel disallows TSYNC and NOTIFY in one filter
|
|
1387
|
+
* unless we have TSYNC_ESRCH */
|
|
1388
|
+
if (sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC_ESRCH) < 1 &&
|
|
1389
|
+
value && col->notify_used)
|
|
1390
|
+
return -EINVAL;
|
|
1326
1391
|
col->attr.tsync_enable = (value ? 1 : 0);
|
|
1327
1392
|
} else if (rc == 0)
|
|
1328
1393
|
/* unsupported */
|
|
@@ -1342,8 +1407,33 @@ int db_col_attr_set(struct db_filter_col *col,
|
|
|
1342
1407
|
rc = -EOPNOTSUPP;
|
|
1343
1408
|
}
|
|
1344
1409
|
break;
|
|
1410
|
+
case SCMP_FLTATR_CTL_SSB:
|
|
1411
|
+
rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW);
|
|
1412
|
+
if (rc == 1) {
|
|
1413
|
+
/* supported */
|
|
1414
|
+
rc = 0;
|
|
1415
|
+
col->attr.spec_allow = (value ? 1 : 0);
|
|
1416
|
+
} else if (rc == 0) {
|
|
1417
|
+
/* unsupported */
|
|
1418
|
+
rc = -EOPNOTSUPP;
|
|
1419
|
+
}
|
|
1420
|
+
break;
|
|
1421
|
+
case SCMP_FLTATR_CTL_OPTIMIZE:
|
|
1422
|
+
switch (value) {
|
|
1423
|
+
case 1:
|
|
1424
|
+
case 2:
|
|
1425
|
+
col->attr.optimize = value;
|
|
1426
|
+
break;
|
|
1427
|
+
default:
|
|
1428
|
+
rc = -EOPNOTSUPP;
|
|
1429
|
+
break;
|
|
1430
|
+
}
|
|
1431
|
+
break;
|
|
1432
|
+
case SCMP_FLTATR_API_SYSRAWRC:
|
|
1433
|
+
col->attr.api_sysrawrc = (value ? 1 : 0);
|
|
1434
|
+
break;
|
|
1345
1435
|
default:
|
|
1346
|
-
rc = -
|
|
1436
|
+
rc = -EINVAL;
|
|
1347
1437
|
break;
|
|
1348
1438
|
}
|
|
1349
1439
|
|
|
@@ -2008,6 +2098,7 @@ add_reset:
|
|
|
2008
2098
|
s_new->next = db->syscalls;
|
|
2009
2099
|
db->syscalls = s_new;
|
|
2010
2100
|
}
|
|
2101
|
+
db->syscall_cnt++;
|
|
2011
2102
|
return 0;
|
|
2012
2103
|
} else if (s_iter->chains == NULL) {
|
|
2013
2104
|
if (rm_flag || !s_iter->valid) {
|
|
@@ -2146,6 +2237,44 @@ priority_failure:
|
|
|
2146
2237
|
return rc;
|
|
2147
2238
|
}
|
|
2148
2239
|
|
|
2240
|
+
/**
|
|
2241
|
+
* Add a new rule to a single filter
|
|
2242
|
+
* @param filter the filter
|
|
2243
|
+
* @param rule the filter rule
|
|
2244
|
+
*
|
|
2245
|
+
* This is a helper function for db_col_rule_add() and similar functions, it
|
|
2246
|
+
* isn't generally useful. Returns zero on success, negative values on error.
|
|
2247
|
+
*
|
|
2248
|
+
*/
|
|
2249
|
+
static int _db_col_rule_add(struct db_filter *filter,
|
|
2250
|
+
struct db_api_rule_list *rule)
|
|
2251
|
+
{
|
|
2252
|
+
int rc;
|
|
2253
|
+
struct db_api_rule_list *iter;
|
|
2254
|
+
|
|
2255
|
+
/* add the rule to the filter */
|
|
2256
|
+
rc = arch_filter_rule_add(filter, rule);
|
|
2257
|
+
if (rc != 0)
|
|
2258
|
+
return rc;
|
|
2259
|
+
|
|
2260
|
+
/* insert the chain to the end of the rule list */
|
|
2261
|
+
iter = rule;
|
|
2262
|
+
while (iter->next)
|
|
2263
|
+
iter = iter->next;
|
|
2264
|
+
if (filter->rules != NULL) {
|
|
2265
|
+
rule->prev = filter->rules->prev;
|
|
2266
|
+
iter->next = filter->rules;
|
|
2267
|
+
filter->rules->prev->next = rule;
|
|
2268
|
+
filter->rules->prev = iter;
|
|
2269
|
+
} else {
|
|
2270
|
+
rule->prev = iter;
|
|
2271
|
+
iter->next = rule;
|
|
2272
|
+
filter->rules = rule;
|
|
2273
|
+
}
|
|
2274
|
+
|
|
2275
|
+
return 0;
|
|
2276
|
+
}
|
|
2277
|
+
|
|
2149
2278
|
/**
|
|
2150
2279
|
* Add a new rule to the current filter
|
|
2151
2280
|
* @param col the filter collection
|
|
@@ -2174,7 +2303,7 @@ int db_col_rule_add(struct db_filter_col *col,
|
|
|
2174
2303
|
size_t chain_size;
|
|
2175
2304
|
struct db_api_arg *chain = NULL;
|
|
2176
2305
|
struct scmp_arg_cmp arg_data;
|
|
2177
|
-
struct db_api_rule_list *rule
|
|
2306
|
+
struct db_api_rule_list *rule;
|
|
2178
2307
|
struct db_filter *db;
|
|
2179
2308
|
|
|
2180
2309
|
/* collect the arguments for the filter rule */
|
|
@@ -2222,9 +2351,6 @@ int db_col_rule_add(struct db_filter_col *col,
|
|
|
2222
2351
|
|
|
2223
2352
|
/* add the rule to the different filters in the collection */
|
|
2224
2353
|
for (iter = 0; iter < col->filter_cnt; iter++) {
|
|
2225
|
-
|
|
2226
|
-
/* TODO: consolidate with db_col_transaction_start() */
|
|
2227
|
-
|
|
2228
2354
|
db = col->filters[iter];
|
|
2229
2355
|
|
|
2230
2356
|
/* create the rule */
|
|
@@ -2235,24 +2361,10 @@ int db_col_rule_add(struct db_filter_col *col,
|
|
|
2235
2361
|
}
|
|
2236
2362
|
|
|
2237
2363
|
/* add the rule */
|
|
2238
|
-
rc_tmp =
|
|
2239
|
-
if (rc_tmp
|
|
2240
|
-
/* insert the chain to the end of the rule list */
|
|
2241
|
-
rule_tmp = rule;
|
|
2242
|
-
while (rule_tmp->next)
|
|
2243
|
-
rule_tmp = rule_tmp->next;
|
|
2244
|
-
if (db->rules != NULL) {
|
|
2245
|
-
rule->prev = db->rules->prev;
|
|
2246
|
-
rule_tmp->next = db->rules;
|
|
2247
|
-
db->rules->prev->next = rule;
|
|
2248
|
-
db->rules->prev = rule_tmp;
|
|
2249
|
-
} else {
|
|
2250
|
-
rule->prev = rule_tmp;
|
|
2251
|
-
rule_tmp->next = rule;
|
|
2252
|
-
db->rules = rule;
|
|
2253
|
-
}
|
|
2254
|
-
} else
|
|
2364
|
+
rc_tmp = _db_col_rule_add(db, rule);
|
|
2365
|
+
if (rc_tmp != 0)
|
|
2255
2366
|
free(rule);
|
|
2367
|
+
|
|
2256
2368
|
add_arch_fail:
|
|
2257
2369
|
if (rc_tmp != 0 && rc == 0)
|
|
2258
2370
|
rc = rc_tmp;
|
|
@@ -2265,6 +2377,9 @@ add_arch_fail:
|
|
|
2265
2377
|
db_col_transaction_abort(col);
|
|
2266
2378
|
|
|
2267
2379
|
add_return:
|
|
2380
|
+
/* update the misc state */
|
|
2381
|
+
if (rc == 0 && action == SCMP_ACT_NOTIFY)
|
|
2382
|
+
col->notify_used = true;
|
|
2268
2383
|
if (chain != NULL)
|
|
2269
2384
|
free(chain);
|
|
2270
2385
|
return rc;
|
|
@@ -2284,7 +2399,21 @@ int db_col_transaction_start(struct db_filter_col *col)
|
|
|
2284
2399
|
unsigned int iter;
|
|
2285
2400
|
struct db_filter_snap *snap;
|
|
2286
2401
|
struct db_filter *filter_o, *filter_s;
|
|
2287
|
-
struct db_api_rule_list *rule_o, *rule_s = NULL
|
|
2402
|
+
struct db_api_rule_list *rule_o, *rule_s = NULL;
|
|
2403
|
+
|
|
2404
|
+
/* check to see if a shadow snapshot exists */
|
|
2405
|
+
if (col->snapshots && col->snapshots->shadow) {
|
|
2406
|
+
/* we have a shadow! this will be easy */
|
|
2407
|
+
|
|
2408
|
+
/* NOTE: we don't bother to do any verification of the shadow
|
|
2409
|
+
* because we start a new transaction every time we add
|
|
2410
|
+
* a new rule to the filter(s); if this ever changes we
|
|
2411
|
+
* will need to add a mechanism to verify that the shadow
|
|
2412
|
+
* transaction is current/correct */
|
|
2413
|
+
|
|
2414
|
+
col->snapshots->shadow = false;
|
|
2415
|
+
return 0;
|
|
2416
|
+
}
|
|
2288
2417
|
|
|
2289
2418
|
/* allocate the snapshot */
|
|
2290
2419
|
snap = zmalloc(sizeof(*snap));
|
|
@@ -2314,33 +2443,15 @@ int db_col_transaction_start(struct db_filter_col *col)
|
|
|
2314
2443
|
if (rule_o == NULL)
|
|
2315
2444
|
continue;
|
|
2316
2445
|
do {
|
|
2317
|
-
|
|
2318
|
-
/* TODO: consolidate with db_col_rule_add() */
|
|
2319
|
-
|
|
2320
2446
|
/* duplicate the rule */
|
|
2321
2447
|
rule_s = db_rule_dup(rule_o);
|
|
2322
2448
|
if (rule_s == NULL)
|
|
2323
2449
|
goto trans_start_failure;
|
|
2324
2450
|
|
|
2325
2451
|
/* add the rule */
|
|
2326
|
-
rc =
|
|
2452
|
+
rc = _db_col_rule_add(filter_s, rule_s);
|
|
2327
2453
|
if (rc != 0)
|
|
2328
2454
|
goto trans_start_failure;
|
|
2329
|
-
|
|
2330
|
-
/* insert the chain to the end of the rule list */
|
|
2331
|
-
rule_tmp = rule_s;
|
|
2332
|
-
while (rule_tmp->next)
|
|
2333
|
-
rule_tmp = rule_tmp->next;
|
|
2334
|
-
if (filter_s->rules != NULL) {
|
|
2335
|
-
rule_s->prev = filter_s->rules->prev;
|
|
2336
|
-
rule_tmp->next = filter_s->rules;
|
|
2337
|
-
filter_s->rules->prev->next = rule_s;
|
|
2338
|
-
filter_s->rules->prev = rule_tmp;
|
|
2339
|
-
} else {
|
|
2340
|
-
rule_s->prev = rule_tmp;
|
|
2341
|
-
rule_tmp->next = rule_s;
|
|
2342
|
-
filter_s->rules = rule_s;
|
|
2343
|
-
}
|
|
2344
2455
|
rule_s = NULL;
|
|
2345
2456
|
|
|
2346
2457
|
/* next rule */
|
|
@@ -2397,14 +2508,114 @@ void db_col_transaction_abort(struct db_filter_col *col)
|
|
|
2397
2508
|
* Commit the top most seccomp filter transaction
|
|
2398
2509
|
* @param col the filter collection
|
|
2399
2510
|
*
|
|
2400
|
-
* This function commits the most recent seccomp filter transaction
|
|
2511
|
+
* This function commits the most recent seccomp filter transaction and
|
|
2512
|
+
* attempts to create a shadow transaction that is a duplicate of the current
|
|
2513
|
+
* filter to speed up future transactions.
|
|
2401
2514
|
*
|
|
2402
2515
|
*/
|
|
2403
2516
|
void db_col_transaction_commit(struct db_filter_col *col)
|
|
2404
2517
|
{
|
|
2518
|
+
int rc;
|
|
2519
|
+
unsigned int iter;
|
|
2405
2520
|
struct db_filter_snap *snap;
|
|
2521
|
+
struct db_filter *filter_o, *filter_s;
|
|
2522
|
+
struct db_api_rule_list *rule_o, *rule_s;
|
|
2406
2523
|
|
|
2407
2524
|
snap = col->snapshots;
|
|
2525
|
+
if (snap == NULL)
|
|
2526
|
+
return;
|
|
2527
|
+
|
|
2528
|
+
/* check for a shadow set by a higher transaction commit */
|
|
2529
|
+
if (snap->shadow) {
|
|
2530
|
+
/* leave the shadow intact, but drop the next snapshot */
|
|
2531
|
+
if (snap->next) {
|
|
2532
|
+
snap->next = snap->next->next;
|
|
2533
|
+
_db_snap_release(snap->next);
|
|
2534
|
+
}
|
|
2535
|
+
return;
|
|
2536
|
+
}
|
|
2537
|
+
|
|
2538
|
+
/* adjust the number of filters if needed */
|
|
2539
|
+
if (col->filter_cnt > snap->filter_cnt) {
|
|
2540
|
+
unsigned int tmp_i;
|
|
2541
|
+
struct db_filter **tmp_f;
|
|
2542
|
+
|
|
2543
|
+
/* add filters */
|
|
2544
|
+
tmp_f = realloc(snap->filters,
|
|
2545
|
+
sizeof(struct db_filter *) * col->filter_cnt);
|
|
2546
|
+
if (tmp_f == NULL)
|
|
2547
|
+
goto shadow_err;
|
|
2548
|
+
snap->filters = tmp_f;
|
|
2549
|
+
do {
|
|
2550
|
+
tmp_i = snap->filter_cnt;
|
|
2551
|
+
snap->filters[tmp_i] =
|
|
2552
|
+
_db_init(col->filters[tmp_i]->arch);
|
|
2553
|
+
if (snap->filters[tmp_i] == NULL)
|
|
2554
|
+
goto shadow_err;
|
|
2555
|
+
snap->filter_cnt++;
|
|
2556
|
+
} while (snap->filter_cnt < col->filter_cnt);
|
|
2557
|
+
} else if (col->filter_cnt < snap->filter_cnt) {
|
|
2558
|
+
/* remove filters */
|
|
2559
|
+
|
|
2560
|
+
/* NOTE: while we release the filters we no longer need, we
|
|
2561
|
+
* don't bother to resize the filter array, we just
|
|
2562
|
+
* adjust the filter counter, this *should* be harmless
|
|
2563
|
+
* at the cost of a not reaping all the memory possible */
|
|
2564
|
+
|
|
2565
|
+
do {
|
|
2566
|
+
_db_release(snap->filters[snap->filter_cnt--]);
|
|
2567
|
+
} while (snap->filter_cnt > col->filter_cnt);
|
|
2568
|
+
}
|
|
2569
|
+
|
|
2570
|
+
/* loop through each filter and update the rules on the snapshot */
|
|
2571
|
+
for (iter = 0; iter < col->filter_cnt; iter++) {
|
|
2572
|
+
filter_o = col->filters[iter];
|
|
2573
|
+
filter_s = snap->filters[iter];
|
|
2574
|
+
|
|
2575
|
+
/* skip ahead to the new rule(s) */
|
|
2576
|
+
rule_o = filter_o->rules;
|
|
2577
|
+
rule_s = filter_s->rules;
|
|
2578
|
+
if (rule_o == NULL)
|
|
2579
|
+
/* nothing to shadow */
|
|
2580
|
+
continue;
|
|
2581
|
+
if (rule_s != NULL) {
|
|
2582
|
+
do {
|
|
2583
|
+
rule_o = rule_o->next;
|
|
2584
|
+
rule_s = rule_s->next;
|
|
2585
|
+
} while (rule_s != filter_s->rules);
|
|
2586
|
+
|
|
2587
|
+
/* did we actually add any rules? */
|
|
2588
|
+
if (rule_o == filter_o->rules)
|
|
2589
|
+
/* no, we are done in this case */
|
|
2590
|
+
continue;
|
|
2591
|
+
}
|
|
2592
|
+
|
|
2593
|
+
/* update the old snapshot to make it a shadow */
|
|
2594
|
+
do {
|
|
2595
|
+
/* duplicate the rule */
|
|
2596
|
+
rule_s = db_rule_dup(rule_o);
|
|
2597
|
+
if (rule_s == NULL)
|
|
2598
|
+
goto shadow_err;
|
|
2599
|
+
|
|
2600
|
+
/* add the rule */
|
|
2601
|
+
rc = _db_col_rule_add(filter_s, rule_s);
|
|
2602
|
+
if (rc != 0) {
|
|
2603
|
+
free(rule_s);
|
|
2604
|
+
goto shadow_err;
|
|
2605
|
+
}
|
|
2606
|
+
|
|
2607
|
+
/* next rule */
|
|
2608
|
+
rule_o = rule_o->next;
|
|
2609
|
+
} while (rule_o != filter_o->rules);
|
|
2610
|
+
}
|
|
2611
|
+
|
|
2612
|
+
/* success, mark the snapshot as a shadow and return */
|
|
2613
|
+
snap->shadow = true;
|
|
2614
|
+
return;
|
|
2615
|
+
|
|
2616
|
+
shadow_err:
|
|
2617
|
+
/* we failed making a shadow, cleanup and return */
|
|
2408
2618
|
col->snapshots = snap->next;
|
|
2409
2619
|
_db_snap_release(snap);
|
|
2620
|
+
return;
|
|
2410
2621
|
}
|