script_core 0.2.6 → 0.2.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0f7d0aed06a2aa8a5636be6e7113b9e4b651037d9489246ba995df1c375a190
-  data.tar.gz: 8725fa84598ca2370d7b79c747e1f29c41258d8c3f026137191a46d470f8c882
+  metadata.gz: 3cfa6713154bbd8ad099289142899dca5ba3f5dea5cc2c5a6d48f2119559b4b8
+  data.tar.gz: 6141a1d955d8ae69080c56f0d4b6966e9595d5f0992cc758ddc5ba6bdff9ab98
 SHA512:
-  metadata.gz: 39c01ca8ed18bf12a6c56c6d4b354d756212bb67ab33ad67855080eed4f2383cb07517e0ea42f1dde024b42be65dd86f19788356f2e0eda585010cc4afdbe8ba
-  data.tar.gz: 59c59baa3b3d6820c65df45b687d23bf0b4831b1f34539c6d0b70dd401fb60c3c686a3c2f9761417e05084e7f023e1e15a2b7eb6652680164ab74eca1740b8dc
+  metadata.gz: a250786dcf497f2e93f3734a154f32ed31fe367b6f6df50d12e5b683850003275a9852f2f3ae5eec037b313fc16c66af034528cf3f5abbc3cb55bc6b24fb6b20
+  data.tar.gz: 4ab307f3a464f1cfe5e0c0fe0a43ec56c70055e88a02a6ade5f0fb33b510ac56e8240fdc758104d1089a5b420e940476436695285f46f921e6f97cabc9f5ed7c

data/ext/enterprise_script_service/libseccomp/.travis.yml

@@ -4,13 +4,20 @@
 # https://wiki.ubuntu.com/Releases
 
 dist: bionic
-sudo: false
 
 notifications:
   email:
     on_success: always
     on_failure: always
 
+arch:
+  - amd64
+  - arm64
+  - ppc64le
+
+os:
+  - linux
+
 language: c
 compiler:
   - gcc
@@ -32,6 +39,7 @@ addons:
       - valgrind
       - clang
       - lcov
+      - gperf
 
 env:
   global:
@@ -44,7 +52,10 @@ before_install:
   # assume the distro has an old version of cython
   - pip install cython
   # see https://github.com/eddyxu/cpp-coveralls
-  - pip install cpp-coveralls
+  - |
+    if [ $TRAVIS_CPU_ARCH == "amd64" ]; then
+      pip install cpp-coveralls
+    fi
 
 # perform the build and fail immediately on error
 install:
@@ -58,12 +69,15 @@ script:
   - make check-build
   - LIBSECCOMP_TSTCFG_STRESSCNT=5 make check
   - LIBSECCOMP_TSTCFG_TYPE=live LIBSECCOMP_TSTCFG_MODE_LIST=c make -C tests check
-  # ubuntu 14.04 (trusty) clang has problems with the cython generated code
-  - make clean && ./configure && scan-build --status-bugs make
+  - |
+    if [ $TRAVIS_CPU_ARCH == "amd64" -o -x scan-build ]; then
+      make clean && ./configure && scan-build --status-bugs make
+    fi
 
 after_success:
   # limit the code coverage tests to the 'test-code-coverage' target
-  - make clean && ./configure --enable-code-coverage && make test-code-coverage
   # https://github.com/eddyxu/cpp-coveralls/blob/master/README.md
-  - coveralls --gcov-options '\-lp'
-    --exclude tests --exclude tools --exclude src/arch-syscall-check.c
+  - |
+    if [ $TRAVIS_CPU_ARCH == "amd64" ]; then
+      make clean && ./configure --enable-code-coverage && make test-code-coverage && coveralls --gcov-options '\-lp' --exclude tests --exclude tools --exclude src/arch-syscall-check.c
+    fi

data/ext/enterprise_script_service/libseccomp/CHANGELOG

@@ -2,6 +2,28 @@ libseccomp: Releases
 ===============================================================================
 https://github.com/seccomp/libseccomp
 
+* Version 2.5.0 - July 20, 2020
+- Add support for the seccomp user notifications, see the
+  seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3)
+  manpages for more information
+- Add support for new filter optimization approaches, including a balanced tree
+  optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more
+  information
+- Add support for the 64-bit RISC-V architecture
+- Performance improvements when adding new rules to a filter thanks to the use
+  of internal shadow transactions and improved syscall lookup tables
+- Properly document the libseccomp API return values and include them in the
+  stable API promise
+- Improvements to the s390 and s390x multiplexed syscall handling
+- Multiple fixes and improvements to the libseccomp manpages
+- Moved from manually maintained syscall tables to an automatically generated
+  syscall table in CSV format
+- Update the syscall tables to Linux v5.8.0-rc5
+- Python bindings and build now default to Python 3.x
+- Improvements to the tests have boosted code coverage to over 93%
+- Enable Travis CI testing on the aarch64 and ppc64le architectures
+- Add code inspection via lgtm.com
+
 * Version 2.4.3 - March 4, 2020
 - Add list of authorized release signatures to README.md
 - Fix multiplexing issue with s390/s390x shm* syscalls

data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md

@@ -8,7 +8,7 @@ to the rules described here, but by following the instructions below you
 should have a much easier time getting your work merged with the upstream
 project.
 
-## Test Your Code
+## Test Your Code Using Existing Tests
 
 There are three possible tests you can run to verify your code.  The first
 test is used to check the formatting and coding style of your changes, you
@@ -38,7 +38,7 @@ command:
 
 ... if there are any faults or errors they will be displayed.
 
-## Make Sure Your Code is Tested
+## Add New Tests for New Functionality
 
 The libseccomp code includes a fairly extensive test suite and any submissions
 which add functionality, or significantly change the existing code, should
@@ -50,29 +50,6 @@ base, and can be enabled via the "--enable-code-coverage" configure flag and
 the "check-code-coverage" make target.  Additional details on generating code
 coverage information can be found in the .travis.yml file.
 
-## Generate the Patch(es)
-
-Depending on how you decided to work with the libseccomp code base and what
-tools you are using there are different ways to generate your patch(es).
-However, regardless of what tools you use, you should always generate your
-patches using the "unified" diff/patch format and the patches should always
-apply to the libseccomp source tree using the following command from the top
-directory of the libseccomp sources:
-
-	# patch -p1 < changes.patch
-
-If you are not using git, stacked git (stgit), or some other tool which can
-generate patch files for you automatically, you may find the following command
-helpful in generating patches, where "libseccomp.orig/" is the unmodified
-source code directory and "libseccomp/" is the source code directory with your
-changes:
-
-	# diff -purN libseccomp.orig/ libseccomp/
-
-When in doubt please generate your patch and try applying it to an unmodified
-copy of the libseccomp sources; if it fails for you, it will fail for the rest
-of us.
-
 ## Explain Your Work
 
 At the top of every patch you should include a description of the problem you
@@ -120,7 +97,37 @@ your real name, saying:
 
 	Signed-off-by: Random J Developer <random@developer.example.org>
 
-## Email Your Patch(es)
+You can add this to your commit description in `git` with `git commit -s`
+
+## Post Your Patches Upstream
+
+The libseccomp project accepts both GitHub pull requests and patches sent via
+the mailing list.  GitHub pull requests are preferred.  This sections below
+explain how to contribute via either method. Please read each step and perform
+all steps that apply to your chosen contribution method.
+
+### Submitting via Email
+
+Depending on how you decided to work with the libseccomp code base and what
+tools you are using there are different ways to generate your patch(es).
+However, regardless of what tools you use, you should always generate your
+patches using the "unified" diff/patch format and the patches should always
+apply to the libseccomp source tree using the following command from the top
+directory of the libseccomp sources:
+
+	# patch -p1 < changes.patch
+
+If you are not using git, stacked git (stgit), or some other tool which can
+generate patch files for you automatically, you may find the following command
+helpful in generating patches, where "libseccomp.orig/" is the unmodified
+source code directory and "libseccomp/" is the source code directory with your
+changes:
+
+	# diff -purN libseccomp.orig/ libseccomp/
+
+When in doubt please generate your patch and try applying it to an unmodified
+copy of the libseccomp sources; if it fails for you, it will fail for the rest
+of us.
 
 Finally, you will need to email your patches to the mailing list so they can
 be reviewed and potentially merged into the main libseccomp repository.  When
@@ -132,3 +139,7 @@ a problem with your email client.  When in doubt try a test first by sending
 yourself an email with your patch and attempting to apply the emailed patch to
 the libseccomp repository; if it fails for you, it will fail for the rest of
 us trying to test your patch and include it in the main libseccomp repository.
+
+### Submitting via GitHub
+
+See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before.

data/ext/enterprise_script_service/libseccomp/CREDITS

@@ -2,11 +2,14 @@ libseccomp: Contributors
 ========================================================================
 https://github.com/seccomp/libseccomp
 
+Alex Murray <alex.murray@canonical.com>
+Andreas Schwab <schwab@suse.de>
 Andrew Jones <drjones@redhat.com>
 Andy Lutomirski <luto@amacapital.net>
 Ashley Lai <adlai@us.ibm.com>
 Bogdan Purcareata <bogdan.purcareata@freescale.com>
 Brian Cain <brian.cain@gmail.com>
+Christopher Waldon <christopher.waldon.dev@gmail.com>
 Chris Waldon <chris.waldon@ibm.com>
 Colin Walters <walters@verbum.org>
 Corey Bryant <coreyb@linux.vnet.ibm.com>
@@ -16,6 +19,7 @@ Eric Paris <eparis@redhat.com>
 Fabrice Fontaine <fontaine.fabrice@gmail.com>
 Felix Abecassis <fabecassis@nvidia.com>
 Felix Geyer <debfx@fobos.de>
+Giuseppe Scrivano <gscrivan@redhat.com>
 Heiko Carstens <heiko.carstens@de.ibm.com>
 Helge Deller <deller@gmx.de>
 Jake Edge <jake@lwn.net>
@@ -25,9 +29,11 @@ Jan Willeke <willeke@linux.vnet.ibm.com>
 Jay Guo <guojiannan@cn.ibm.com>
 Jiannan Guo <guojiannan1101@gmail.com>
 Joe MacDonald <joe@deserted.net>
+Jonah Petri <jonah@petri.us>
 Justin Cormack <justin.cormack@docker.com>
 Kees Cook <keescook@chromium.org>
 Kyle R. Conway <kyle.r.conway@gmail.com>
+Kenta Tada <Kenta.Tada@sony.com>
 Luca Bruno <lucab@debian.org>
 Marcin Juszkiewicz <mjuszkiewicz@redhat.com>
 Marcus Meissner <meissner@suse.de>
@@ -38,12 +44,14 @@ Mike Frysinger <vapier@gentoo.org>
 Mike Strosaker <strosake@linux.vnet.ibm.com>
 Miroslav Lichvar <mlichvar@redhat.com>
 Paul Moore <paul@paul-moore.com>
+Rolf Eike Beer <eb@emlix.com>
 Serge Hallyn <serge.hallyn@ubuntu.com>
 Stéphane Graber <stgraber@ubuntu.com>
 Stephen Coleman <omegacoleman@gmail.com>
 Thiago Marcos P. Santos <thiago.santos@intel.com>
 Tobias Klauser <tklauser@distanz.ch>
 Tom Hromatka <tom.hromatka@oracle.com>
+Tudor Brindus <me@tbrindus.ca>
 Tycho Andersen <tycho@tycho.ws>
 Tyler Hicks <tyhicks@canonical.com>
 valoq <valoq@mailbox.org>

data/ext/enterprise_script_service/libseccomp/README.md

@@ -1,10 +1,11 @@
-![Enhanced Seccomp Helper Library](https://github.com/seccomp/libseccomp-artwork/blob/master/logo/libseccomp-color_text.png)
+![Enhanced Seccomp Helper Library](https://github.com/seccomp/libseccomp-artwork/blob/main/logo/libseccomp-color_text.png)
 ===============================================================================
 https://github.com/seccomp/libseccomp
 
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/608/badge)](https://bestpractices.coreinfrastructure.org/projects/608)
 [![Build Status](https://img.shields.io/travis/seccomp/libseccomp/master.svg)](https://travis-ci.org/seccomp/libseccomp)
 [![Coverage Status](https://img.shields.io/coveralls/github/seccomp/libseccomp/master.svg)](https://coveralls.io/github/seccomp/libseccomp?branch=master)
+[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/seccomp/libseccomp.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/seccomp/libseccomp/context:cpp)
 
 The libseccomp library provides an easy to use, platform independent, interface
 to the Linux Kernel's syscall filtering mechanism.  The libseccomp API is
@@ -52,6 +53,7 @@ The libseccomp library currently supports the architectures listed below:
 * 64-bit PowerPC little endian (ppc64le)
 * 32-bit s390 (s390)
 * 64-bit s390x (s390x)
+* 64-bit RISC-V (riscv64)
 
 ## Documentation
 

data/ext/enterprise_script_service/libseccomp/configure.ac

@@ -19,7 +19,7 @@ dnl #
 dnl ####
 dnl libseccomp defines
 dnl ####
-AC_INIT([libseccomp], [2.4.3])
+AC_INIT([libseccomp], [2.5.0])
 
 dnl ####
 dnl autoconf configuration
@@ -66,7 +66,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 dnl ####
 dnl build flags
 dnl ####
-AM_CPPFLAGS="-I\${top_srcdir}/include"
+AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
 AM_CFLAGS="-Wall"
 AM_LDFLAGS="-Wl,-z -Wl,relro"
 AC_SUBST([AM_CPPFLAGS])
@@ -91,11 +91,11 @@ AC_SUBST([VERSION_MICRO])
 dnl ####
 dnl cython checks
 dnl ####
-AC_CHECK_PROG(have_cython, cython, "yes", "no")
-AS_IF([test "$have_cython" = yes], [
-	AS_ECHO("checking cython version... $(cython -V 2>&1 | cut -d' ' -f 3)")
-	CYTHON_VER_MAJ=$(cython -V 2>&1 | cut -d' ' -f 3 | cut -d'.' -f 1);
-	CYTHON_VER_MIN=$(cython -V 2>&1 | cut -d' ' -f 3 | cut -d'.' -f 2);
+AC_CHECK_PROGS(cython, cython3 cython, "no")
+AS_IF([test "$cython" != no], [
+	AS_ECHO("checking cython version... $($cython -V 2>&1 | cut -d' ' -f 3)")
+	CYTHON_VER_MAJ=$($cython -V 2>&1 | cut -d' ' -f 3 | cut -d'.' -f 1);
+	CYTHON_VER_MIN=$($cython -V 2>&1 | cut -d' ' -f 3 | cut -d'.' -f 2);
 ],[
 	CYTHON_VER_MAJ=0
 	CYTHON_VER_MIN=0
@@ -112,13 +112,18 @@ AS_IF([test "$enable_python" = yes], [
 	AS_IF([test "$CYTHON_VER_MAJ" -eq 0 -a "$CYTHON_VER_MIN" -lt 29], [
 		AC_MSG_ERROR([python bindings require cython 0.29 or higher])
 	])
-	AM_PATH_PYTHON
+	AM_PATH_PYTHON([3])
 ])
 AM_CONDITIONAL([ENABLE_PYTHON], [test "$enable_python" = yes])
 AC_DEFINE_UNQUOTED([ENABLE_PYTHON],
 	[$(test "$enable_python" = yes && echo 1 || echo 0)],
 	[Python bindings build flag.])
 
+AC_CHECK_TOOL(GPERF, gperf)
+if test -z "$GPERF"; then
+	AC_MSG_ERROR([please install gperf])
+fi
+
 dnl ####
 dnl coverity checks
 dnl ####

data/ext/enterprise_script_service/libseccomp/doc/Makefile.am

@@ -38,6 +38,12 @@ dist_man3_MANS = \
 	man/man3/seccomp_rule_add_array.3 \
 	man/man3/seccomp_rule_add_exact.3 \
 	man/man3/seccomp_rule_add_exact_array.3 \
+	man/man3/seccomp_notify_alloc.3 \
+	man/man3/seccomp_notify_fd.3 \
+	man/man3/seccomp_notify_free.3 \
+	man/man3/seccomp_notify_id_valid.3 \
+	man/man3/seccomp_notify_receive.3 \
+	man/man3/seccomp_notify_respond.3 \
 	man/man3/seccomp_syscall_priority.3 \
 	man/man3/seccomp_syscall_resolve_name.3 \
 	man/man3/seccomp_syscall_resolve_name_arch.3 \

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3

@@ -1,4 +1,4 @@
-.TH "seccomp_api_get" 3 "8 October 2017" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_api_get" 3 "13 June 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -49,7 +49,17 @@ the
 syscall to load the seccomp filter into the kernel.
 .TP
 .B 3
-The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are supported.
+The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are
+supported.
+.TP
+.B 4
+The SCMP_FLTATR_CTL_SSB filter attribute is supported.
+.TP
+.B 5
+The SCMP_ACT_NOTIFY action and the notify APIs are supported.
+.TP
+.B 5
+The simultaneous use of SCMP_FLTATR_CTL_TSYNC and the notify APIs are supported.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3

@@ -1,4 +1,4 @@
-.TH "seccomp_arch_add" 3 "7 May 2014" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_arch_add" 3 "15 June 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -14,6 +14,23 @@ seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native \
 .B #define SCMP_ARCH_NATIVE
 .B #define SCMP_ARCH_X86
 .B #define SCMP_ARCH_X86_64
+.B #define SCMP_ARCH_X32
+.B #define SCMP_ARCH_ARM
+.B #define SCMP_ARCH_AARCH64
+.B #define SCMP_ARCH_MIPS
+.B #define SCMP_ARCH_MIPS64
+.B #define SCMP_ARCH_MIPS64N32
+.B #define SCMP_ARCH_MIPSEL
+.B #define SCMP_ARCH_MIPSEL64
+.B #define SCMP_ARCH_MIPSEL64N32
+.B #define SCMP_ARCH_PPC
+.B #define SCMP_ARCH_PPC64
+.B #define SCMP_ARCH_PPC64LE
+.B #define SCMP_ARCH_S390
+.B #define SCMP_ARCH_S390X
+.B #define SCMP_ARCH_PARISC
+.B #define SCMP_ARCH_PARISC64
+.B #define SCMP_ARCH_RISCV64
 .sp
 .BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");"
 .BI "uint32_t seccomp_arch_native();"
@@ -69,13 +86,28 @@ new architecture will be added to all of the architectures in the filter.
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
 The
-.BR seccomp_arch_add ()
+.BR seccomp_arch_add (),
+.BR seccomp_arch_remove (),
 and
-.BR seccomp_arch_remove ()
-functions return zero on success, negative errno values on failure.  The
 .BR seccomp_arch_exist ()
-function returns zero if the architecture exists, \-EEXIST if it does not, and
-other negative errno values on failure.
+functions return zero on success or one of the following error codes on
+failure:
+.TP
+.B -EDOM
+Architecture specific failure.
+.TP
+.B -EEXIST
+In the case of
+.BR seccomp_arch_add ()
+the architecture already exists and in the case of
+.BR seccomp_arch_remove ()
+the architecture does not exist.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3

@@ -1,4 +1,4 @@
-.TH "seccomp_attr_set" 3 "21 August 2014" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_attr_set" 3 "06 June 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -94,10 +94,61 @@ the
 action. Defaults to off (
 .I value
 == 0).
+.TP
+.B SCMP_FLTATR_CTL_SSB
+A flag to disable Speculative Store Bypass mitigations for this filter.
+Defaults to off (
+.I value
+== 0).
+.TP
+.B SCMP_FLTATR_CTL_OPTIMIZE
+A flag to specify the optimization level of the seccomp filter.  By default
+libseccomp generates a set of sequential \'if\' statements for each rule in
+the filter.
+.BR seccomp_syscall_priority(3)
+can be used to prioritize the order for the default cause.  The binary tree
+optimization sorts by syscall numbers and generates consistent
+.BR O(log\ n)
+filter traversal for every rule in the filter.  The binary tree may be
+advantageous for large filters.  Note that
+.BR seccomp_syscall_priority(3)
+is ignored when SCMP_FLTATR_CTL_OPTIMIZE == 2.
+.RS
+.P
+The different optimization levels are described below:
+.TP
+.B 0
+Reserved value, not currently used.
+.TP
+.B 1
+Rules sorted by priority and complexity (DEFAULT).
+.TP
+.B 2
+Binary tree sorted by syscall number.
+.RE
+.TP
+.B SCMP_FLTATR_API_SYSRAWRC
+A flag to specify if libseccomp should pass system error codes back to the
+caller instead of the default -ECANCELED.  Defaults to off (
+.I value
+== 0).
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
-Returns zero on success, negative errno values on failure.
+Returns zero on success or one of the following error codes on
+failure:
+.TP
+.B -EACCES
+Setting the attribute with the given value is not allowed.
+.TP
+.B -EEXIST
+The attribute does not exist.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -EOPNOTSUPP
+The library doesn't support the particular operation.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////