script_core 0.2.6 → 0.2.7

Files changed (191) hide show
  1. checksums.yaml +4 -4
  2. data/ext/enterprise_script_service/libseccomp/.travis.yml +21 -7
  3. data/ext/enterprise_script_service/libseccomp/CHANGELOG +22 -0
  4. data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
  5. data/ext/enterprise_script_service/libseccomp/CREDITS +8 -0
  6. data/ext/enterprise_script_service/libseccomp/README.md +3 -1
  7. data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
  8. data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
  9. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
  10. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
  11. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
  12. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
  13. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
  14. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
  15. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
  16. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
  17. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
  18. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
  19. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
  20. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
  21. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
  22. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
  23. data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
  24. data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +12 -0
  25. data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
  26. data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
  27. data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
  28. data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
  29. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
  30. data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
  31. data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
  32. data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
  33. data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
  34. data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
  35. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
  36. data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
  37. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
  38. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
  39. data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
  40. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
  41. data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
  42. data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
  43. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
  44. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
  45. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
  46. data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
  47. data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
  48. data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
  49. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
  50. data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
  51. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
  52. data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
  53. data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
  54. data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
  55. data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
  56. data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
  57. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
  58. data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
  59. data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
  60. data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
  61. data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
  62. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
  63. data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
  64. data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
  65. data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
  66. data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
  67. data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
  68. data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
  69. data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
  70. data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
  71. data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
  72. data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
  73. data/ext/enterprise_script_service/libseccomp/tests/.gitignore +9 -2
  74. data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
  75. data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
  76. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
  77. data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
  78. data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +1 -0
  79. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
  80. data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
  81. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
  82. data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
  83. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
  84. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
  85. data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
  86. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
  87. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
  88. data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
  89. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
  90. data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
  91. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
  92. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
  93. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
  94. data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
  95. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
  96. data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
  97. data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
  98. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
  99. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
  100. data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
  101. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
  102. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
  103. data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
  104. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
  105. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
  106. data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
  107. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
  108. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
  109. data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
  110. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
  111. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
  112. data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
  113. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
  114. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
  115. data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
  116. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
  117. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
  118. data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
  119. data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +31 -10
  120. data/ext/enterprise_script_service/libseccomp/tests/regression +6 -3
  121. data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
  122. data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
  123. data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
  124. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
  125. data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +2 -0
  126. data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
  127. data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
  128. data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
  129. data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
  130. data/ext/enterprise_script_service/mruby/README.md +1 -1
  131. data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
  132. data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
  133. data/ext/enterprise_script_service/mruby/include/mruby.h +13 -0
  134. data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -1
  135. data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
  136. data/ext/enterprise_script_service/mruby/include/mruby/value.h +25 -29
  137. data/ext/enterprise_script_service/mruby/include/mruby/version.h +3 -3
  138. data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
  139. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +2 -2
  140. data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +17 -10
  141. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
  142. data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
  143. data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +1 -1
  144. data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
  145. data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
  146. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +1 -2
  147. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +9 -26
  148. data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +1 -2
  149. data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
  150. data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +3 -4
  151. data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
  152. data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +1 -2
  153. data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
  154. data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
  155. data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +3 -3
  156. data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +1 -2
  157. data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
  158. data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +5 -10
  159. data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
  160. data/ext/enterprise_script_service/mruby/src/array.c +14 -11
  161. data/ext/enterprise_script_service/mruby/src/class.c +22 -21
  162. data/ext/enterprise_script_service/mruby/src/error.c +1 -2
  163. data/ext/enterprise_script_service/mruby/src/etc.c +0 -1
  164. data/ext/enterprise_script_service/mruby/src/gc.c +5 -5
  165. data/ext/enterprise_script_service/mruby/src/hash.c +8 -15
  166. data/ext/enterprise_script_service/mruby/src/kernel.c +4 -7
  167. data/ext/enterprise_script_service/mruby/src/numeric.c +28 -60
  168. data/ext/enterprise_script_service/mruby/src/object.c +11 -1
  169. data/ext/enterprise_script_service/mruby/src/proc.c +7 -8
  170. data/ext/enterprise_script_service/mruby/src/range.c +4 -12
  171. data/ext/enterprise_script_service/mruby/src/string.c +24 -21
  172. data/ext/enterprise_script_service/mruby/src/symbol.c +1 -2
  173. data/ext/enterprise_script_service/mruby/src/vm.c +28 -24
  174. data/ext/enterprise_script_service/mruby/test/t/kernel.rb +7 -0
  175. data/lib/script_core/version.rb +1 -1
  176. metadata +45 -21
  177. data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
  178. data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
  179. data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
  180. data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
  181. data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
  182. data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
  183. data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
  184. data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
  185. data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -642
  186. data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -642
  187. data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
  188. data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
  189. data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
  190. data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
  191. data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
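--- a/data/ext/enterprise_script_service/libseccomp/src/system.h
+++ b/data/ext/enterprise_script_service/libseccomp/src/system.h
@@ -22,9 +22,12 @@
 #ifndef _SYSTEM_H
 #define _SYSTEM_H
 
+#include <inttypes.h>
+#include <stdbool.h>
 #include <linux/filter.h>
+#include <linux/types.h>
 #include <sys/prctl.h>
-
+#include <sys/ioctl.h>
 #include "configure.h"
 
 /* NOTE: this was taken from the Linux Kernel sources */
@@ -40,7 +43,6 @@ struct db_filter_col;
 #else
 
 /* NOTE: the definitions below were taken from the Linux Kernel sources */
-#include <linux/types.h>
 
 /* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
 #define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
@@ -60,12 +62,11 @@ struct db_filter_col;
 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD /* default to killing the thread */
 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U /* notifies userspace */
 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
-#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
-#define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #define SECCOMP_RET_ACTION 0x7fff0000U
 #define SECCOMP_RET_DATA 0x0000ffffU
 
@@ -109,29 +110,78 @@ typedef struct sock_filter bpf_instr_raw;
 #ifndef SECCOMP_GET_ACTION_AVAIL
 #define SECCOMP_GET_ACTION_AVAIL 2
 #endif
+#ifndef SECCOMP_GET_NOTIF_SIZES
+#define SECCOMP_GET_NOTIF_SIZES 3
+#endif
 
 /* flags for the seccomp() syscall */
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
 #endif
 #ifndef SECCOMP_FILTER_FLAG_LOG
-#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
 #endif
 
-/* SECCOMP_RET_ACTION_FULL was added in kernel v4.14. It may not be
-* defined on older kernels
-*/
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
+#endif
+
+/* SECCOMP_RET_ACTION_FULL was added in kernel v4.14. */
 #ifndef SECCOMP_RET_ACTION_FULL
 #define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #endif
 
-/* SECCOMP_RET_LOG was added in kernel v4.14. It may not be defined on
-* older kernels.
-*/
+/* SECCOMP_RET_LOG was added in kernel v4.14. */
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG 0x7fc00000U
 #endif
 
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+
+struct seccomp_notif_sizes {
+__u16 seccomp_notif;
+__u16 seccomp_notif_resp;
+__u16 seccomp_data;
+};
+
+struct seccomp_notif {
+__u64 id;
+__u32 pid;
+__u32 flags;
+struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+__u64 id;
+__s64 val;
+__s32 error;
+__u32 flags;
+};
+
+#define SECCOMP_IOC_MAGIC '!'
+#define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
+#define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
+
+/* flags for seccomp notification fd ioctl */
+#define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
+#define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
+struct seccomp_notif_resp)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
+#endif /* SECCOMP_RET_USER_NOTIF */
+
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);
 
@@ -141,6 +191,11 @@ void sys_set_seccomp_action(uint32_t action, bool enable);
 int sys_chk_seccomp_flag(int flag);
 void sys_set_seccomp_flag(int flag, bool enable);
 
-int sys_filter_load(const struct db_filter_col *col);
+int sys_filter_load(struct db_filter_col *col, bool rawrc);
 
+int sys_notify_alloc(struct seccomp_notif **req,
+struct seccomp_notif_resp **resp);
+int sys_notify_receive(int fd, struct seccomp_notif *req);
+int sys_notify_respond(int fd, struct seccomp_notif_resp *resp);
+int sys_notify_id_valid(int fd, uint64_t id);
 #endif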
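Review bot: The second `#ifndef SECCOMP_RET_LOG` block in the `@@ -109,29 +110,78 @@` hunk, the one under the "added in kernel v4.14" comment that defines `SECCOMP_RET_LOG 0x7fc00000U`, can never take effect, because the guard a few lines above it has already defined `SECCOMP_RET_LOG` as `0x7ffc0000U` whenever the kernel headers lack it. The dead value is also the exact bit pattern this hunk gives `SECCOMP_RET_USER_NOTIF`, so if the guards were ever reordered a logged-allow action would silently become a user-notification action, which changes what a loaded filter does. Suggest deleting the second guard together with its comment and moving the version note onto the surviving one, i.e. `/* SECCOMP_RET_LOG was added in kernel v4.14. */` directly above `#ifndef SECCOMP_RET_LOG` / `#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */`.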
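--- a/data/ext/enterprise_script_service/libseccomp/tests/.gitignore
+++ b/data/ext/enterprise_script_service/libseccomp/tests/.gitignore
@@ -23,7 +23,7 @@ util.pyc
 15-basic-resolver
 16-sim-arch_basic
 17-sim-arch_merge
-18-sim-basic_whitelist
+18-sim-basic_allowlist
 19-sim-missing_syscalls
 20-live-basic_die
 21-live-basic_allow
@@ -39,7 +39,7 @@ util.pyc
 31-basic-version_check
 32-live-tsync_allow
 33-sim-socket_syscalls_be
-34-sim-basic_blacklist
+34-sim-basic_denylist
 35-sim-negative_one
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
@@ -56,4 +56,11 @@ util.pyc
 48-sim-32b_args
 49-sim-64b_comparisons
 50-sim-hash_collision
+51-live-user_notification
 52-basic-load
+53-sim-binary_tree
+54-live-binary_tree
+55-basic-pfc_binary_tree
+56-basic-iterate_syscalls
+57-basic-rawsysrc
+58-live-tsync_notify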
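--- a/data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests
+++ b/data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests
@@ -12,7 +12,7 @@ test type: bpf-sim
 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
 06-sim-actions all close 4 N N N N N TRAP
 06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
-06-sim-actions all stat N N N N N N KILL_PROCESS
+06-sim-actions all,-aarch64 stat N N N N N N KILL_PROCESS
 06-sim-actions all rt_sigreturn N N N N N N LOG
 06-sim-actions x86 0-2 N N N N N N KILL
 06-sim-actions x86 7-105 N N N N N N KILL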
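Review bot: The `stat` row now carries the same `-aarch64` exclusion as the `open` row above it, but neither row says why, so whoever adds the next architecture to this table has to rediscover the reason. Presumably aarch64 has no `stat` or `open` syscall number of its own (only the `*at` variants), so the simulator cannot resolve those names there; if that is the reason, a one-line comment above the two rows, `# aarch64 has no open/stat syscalls, only the *at variants`, would record it, and `#` comment lines are already used in these .tests files.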
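--- a/data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c
@@ -81,7 +81,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
-if (rc != -EPERM)
+if (rc != -EACCES)
 return -1;
 rc = seccomp_rule_add(ctx, SCMP_ACT_KILL - 1, SCMP_SYS(read), 0);
 if (rc != -EINVAL)
@@ -151,7 +151,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
-if (rc != EBADF)
+if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
-if (rc != -EBADF)
+if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
@@ -178,10 +178,10 @@ int main(int argc, char *argv[])
 if (ctx == NULL)
 return -1;
 rc = seccomp_attr_get(ctx, 1000, &attr);
-if (rc != -EEXIST)
+if (rc != -EINVAL)
 return -1;
 rc = seccomp_attr_set(ctx, 1000, 1);
-if (rc != -EEXIST)
+if (rc != -EINVAL)
 return -1;
 
 return 0;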
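Review bot: In the `@@ -151,7 +151,7 @@` and `@@ -167,7 +167,7 @@` hunks the expected result for exporting to a bad descriptor changes from the descriptor's own errno (`EBADF`, previously with an inconsistent sign between the two sites) to `-ECANCELED`, and nothing in the test says why the raw errno is no longer surfaced. Presumably this is tied to the new `SCMP_FLTATR_API_SYSRAWRC` attribute that 13-basic-attrs.c exercises in the same commit, with `-ECANCELED` being the library's generic failure code while that attribute is off; if so, a short comment at the first site, `/* raw errno values are only returned when SCMP_FLTATR_API_SYSRAWRC is set */`, would stop the next reader from "fixing" it back to `-EBADF`. The `-EPERM` → `-EACCES` and `-EEXIST` → `-EINVAL` changes in the other two hunks are equally unexplained and could share that comment. `main` starts and ends outside all four hunks.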
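--- a/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c
@@ -32,7 +32,7 @@ int main(int argc, char *argv[])
 uint32_t val = (uint32_t)(-1);
 scmp_filter_ctx ctx = NULL;
 
-rc = seccomp_api_set(3);
+rc = seccomp_api_set(5);
 if (rc != 0)
 return EOPNOTSUPP;
 
@@ -108,6 +108,40 @@ int main(int argc, char *argv[])
 goto out;
 }
 
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_SSB, &val);
+if (rc != 0)
+goto out;
+if (val != 1) {
+rc = -1;
+goto out;
+}
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val);
+if (rc != 0)
+goto out;
+if (val != 2) {
+rc = -1;
+goto out;
+}
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val);
+if (rc != 0)
+goto out;
+if (val != 1) {
+rc = -1;
+goto out;
+}
+
 rc = 0;
 out:
 seccomp_release(ctx);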
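Review bot: The `@@ -108,6 +108,40 @@` hunk adds three copies of the same eleven-line set / get / compare sequence, and the context just above it shows the earlier attribute checks already follow that shape; a small static helper placed above `main` would turn each attribute check into a three-line call and remove the `rc = -1` special-casing repeated at every mismatch. The helper keeps the existing `goto out` flow and the `-1` result on a mismatch, so `main`'s exit path and return values are unchanged; `main` starts and ends outside the hunk. The hunk also opens with two consecutive blank lines (one added after a context blank), which the rewritten version drops.
```c
/* set attr to value, read it back and report a mismatch as -1 */
static int attr_roundtrip(scmp_filter_ctx ctx, enum scmp_filter_attr attr,
			  uint32_t value)
{
	uint32_t val;
	int rc;

	rc = seccomp_attr_set(ctx, attr, value);
	if (rc != 0)
		return rc;
	rc = seccomp_attr_get(ctx, attr, &val);
	if (rc != 0)
		return rc;
	return (val == value) ? 0 : -1;
}

/* … unchanged: earlier attribute checks in main … */
	rc = attr_roundtrip(ctx, SCMP_FLTATR_CTL_SSB, 1);
	if (rc != 0)
		goto out;
	rc = attr_roundtrip(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
	if (rc != 0)
		goto out;
	rc = attr_roundtrip(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
	if (rc != 0)
		goto out;
/* … unchanged: rc = 0; out: seccomp_release(ctx); … */
```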
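--- a/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py
@@ -29,7 +29,7 @@ import util
 from seccomp import *
 
 def test():
-set_api(3)
+set_api(5)
 
 f = SyscallFilter(ALLOW)
 if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
@@ -52,6 +52,15 @@ def test():
 f.set_attr(Attr.CTL_LOG, 1)
 if f.get_attr(Attr.CTL_LOG) != 1:
 raise RuntimeError("Failed getting Attr.CTL_LOG")
+f.set_attr(Attr.CTL_SSB, 1)
+if f.get_attr(Attr.CTL_SSB) != 1:
+raise RuntimeError("Failed getting Attr.CTL_SSB")
+f.set_attr(Attr.CTL_OPTIMIZE, 2)
+if f.get_attr(Attr.CTL_OPTIMIZE) != 2:
+raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE")
+f.set_attr(Attr.API_SYSRAWRC, 1)
+if f.get_attr(Attr.API_SYSRAWRC) != 1:
+raise RuntimeError("Failed getting Attr.API_SYSRAWRC")
 
 test()
 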
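--- a/data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c
@@ -45,6 +45,7 @@ unsigned int arch_list[] = {
 SCMP_ARCH_S390X,
 SCMP_ARCH_PARISC,
 SCMP_ARCH_PARISC64,
+SCMP_ARCH_RISCV64,
 -1
 };
 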
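--- a/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c
@@ -51,6 +51,12 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 
+/* NOTE: we are using a different approach to test for the native arch
+* to exercise slightly different code paths */
+rc = seccomp_arch_exist(ctx, 0);
+if (rc != -EEXIST)
+goto out;
+
 /* NOTE: more sanity/coverage tests (see above) */
 rc = seccomp_arch_add(ctx, SCMP_ARCH_NATIVE);
 if (rc != 0)
@@ -84,6 +90,9 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+if (rc != 0)
+goto out;
+rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
 if (rc != 0)
 goto out;
 
@@ -150,6 +159,9 @@ int main(int argc, char *argv[])
 rc = seccomp_arch_remove(ctx, SCMP_ARCH_PPC64LE);
 if (rc != 0)
 goto out;
+rc = seccomp_arch_remove(ctx, SCMP_ARCH_RISCV64);
+if (rc != 0)
+goto out;
 
 out:
 seccomp_release(ctx);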
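Review bot: In the `@@ -51,6 +51,12 @@` hunk the new check `rc = seccomp_arch_exist(ctx, 0); if (rc != -EEXIST) goto out;` reads as though it expects the native architecture to be present, whereas `-EEXIST` is what `seccomp_arch_exist()` returns when the architecture is absent from the filter; presumably the test is confirming that the native arch removed just above the hunk is gone, with the `0` token standing in for `SCMP_ARCH_NATIVE`. The existing NOTE explains why a "different approach" is used but not the inverted-looking expectation, so suggest extending it with ` * (token 0 means the native arch; -EEXIST here means it is NOT in the filter)`. `main` starts and ends outside the hunk.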
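--- a/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py
@@ -44,6 +44,7 @@ def test(args):
 f.add_arch(Arch("mipsel64"))
 f.add_arch(Arch("mipsel64n32"))
 f.add_arch(Arch("ppc64le"))
+f.add_arch(Arch("riscv64"))
 f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))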
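--- /dev/null
+++ b/data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+18-sim-basic_allowlist all read 0 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all read 1-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all write 1-2 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all write 3-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all close N N N N N N ALLOW
+18-sim-basic_allowlist all rt_sigreturn N N N N N N ALLOW
+18-sim-basic_allowlist all open 0x856B008 4 N N N N KILL
+18-sim-basic_allowlist x86 0-2 N N N N N N KILL
+18-sim-basic_allowlist x86 7-172 N N N N N N KILL
+18-sim-basic_allowlist x86 174-350 N N N N N N KILL
+18-sim-basic_allowlist x86_64 4-14 N N N N N N KILL
+18-sim-basic_allowlist x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+18-sim-basic_allowlist 50
+
+test type: bpf-valgrind
+
+# Testname
+18-sim-basic_allowlist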
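--- a/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c
@@ -69,6 +69,9 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le"));
+if (rc != 0)
+goto out;
+rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("riscv64"));
 if (rc != 0)
 goto out;
 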
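--- a/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py
@@ -40,6 +40,7 @@ def test(args):
 f.add_arch(Arch("mipsel64"))
 f.add_arch(Arch("mipsel64n32"))
 f.add_arch(Arch("ppc64le"))
+f.add_arch(Arch("riscv64"))
 f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))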
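--- a/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c
@@ -51,6 +51,9 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+if (rc != 0)
+goto out;
+rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
 if (rc != 0)
 goto out;
 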
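--- a/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py
@@ -34,6 +34,7 @@ def test(args):
 f.add_arch(Arch("x86"))
 f.add_arch(Arch("x86_64"))
 f.add_arch(Arch("x32"))
+f.add_arch(Arch("ppc64le"))
 f.add_rule(ALLOW, "socket")
 f.add_rule(ALLOW, "connect")
 f.add_rule(ALLOW, "accept")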
@@ -7,23 +7,39 @@
7
7
 
8
8
  test type: bpf-sim
9
9
 
10
- # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
11
- 30-sim-socket_syscalls +x86 socketcall 1 N N N N N ALLOW
12
- 30-sim-socket_syscalls +x86 socketcall 3 N N N N N ALLOW
13
- 30-sim-socket_syscalls +x86 socketcall 5 N N N N N ALLOW
14
- 30-sim-socket_syscalls +x86 socketcall 13 N N N N N ALLOW
15
- 30-sim-socket_syscalls +x86 359 0 1 2 N N N ALLOW
16
- 30-sim-socket_syscalls +x86 362 0 1 2 N N N ALLOW
17
- 30-sim-socket_syscalls +x86 364 0 1 2 N N N ALLOW
18
- 30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
19
- 30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW
20
- 30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL
21
- 30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW
22
- 30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL
23
- 30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
24
- 30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
25
- 30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
26
- 30-sim-socket_syscalls +x86_64 shutdown 0 1 2 N N N ALLOW
10
+ # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
11
+ # socket
12
+ 30-sim-socket_syscalls +x86,+ppc64le socketcall 1 N N N N N ALLOW
13
+ # connect
14
+ 30-sim-socket_syscalls +x86,+ppc64le socketcall 3 N N N N N ALLOW
15
+ # accept
16
+ 30-sim-socket_syscalls +x86,+ppc64le socketcall 5 N N N N N ALLOW
17
+ # accept4
18
+ 30-sim-socket_syscalls +ppc64le socketcall 18 N N N N N ALLOW
19
+ # shutdown
20
+ 30-sim-socket_syscalls +x86,+ppc64le socketcall 13 N N N N N ALLOW
21
+ # socket
22
+ 30-sim-socket_syscalls +x86 359 0 1 2 N N N ALLOW
23
+ 30-sim-socket_syscalls +ppc64le 326 0 1 2 N N N ALLOW
24
+ # connect
25
+ 30-sim-socket_syscalls +x86 362 0 1 2 N N N ALLOW
26
+ 30-sim-socket_syscalls +ppc64le 328 0 1 2 N N N ALLOW
27
+ # accept
28
+ 30-sim-socket_syscalls +ppc64le 330 0 1 2 N N N ALLOW
29
+ # accept4
30
+ 30-sim-socket_syscalls +x86 364 0 1 2 N N N ALLOW
31
+ 30-sim-socket_syscalls +ppc64le 344 0 1 2 N N N ALLOW
32
+ # shutdown
33
+ 30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
34
+ 30-sim-socket_syscalls +ppc64le 338 0 1 2 N N N ALLOW
35
+ 30-sim-socket_syscalls +x86,+ppc64le accept 5 N N N N N ALLOW
36
+ 30-sim-socket_syscalls +x86,+ppc64le accept 0 1 2 N N N KILL
37
+ 30-sim-socket_syscalls +x86,+ppc64le accept4 18 1 2 N N N ALLOW
38
+ 30-sim-socket_syscalls +x86,+ppc64le accept4 0 1 2 N N N KILL
39
+ 30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
40
+ 30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
41
+ 30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
42
+ 30-sim-socket_syscalls +x86_64 shutdown 0 1 2 N N N ALLOW
27
43
 
28
44
  test type: bpf-valgrind
29
45