script_core 0.2.6 → 0.2.7
- checksums.yaml +4 -4
- data/ext/enterprise_script_service/libseccomp/.travis.yml +21 -7
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +22 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +8 -0
- data/ext/enterprise_script_service/libseccomp/README.md +3 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +12 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +9 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +31 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +6 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +2 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/README.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/include/mruby.h +13 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -1
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +25 -29
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +17 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +9 -26
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +5 -10
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/src/array.c +14 -11
- data/ext/enterprise_script_service/mruby/src/class.c +22 -21
- data/ext/enterprise_script_service/mruby/src/error.c +1 -2
- data/ext/enterprise_script_service/mruby/src/etc.c +0 -1
- data/ext/enterprise_script_service/mruby/src/gc.c +5 -5
- data/ext/enterprise_script_service/mruby/src/hash.c +8 -15
- data/ext/enterprise_script_service/mruby/src/kernel.c +4 -7
- data/ext/enterprise_script_service/mruby/src/numeric.c +28 -60
- data/ext/enterprise_script_service/mruby/src/object.c +11 -1
- data/ext/enterprise_script_service/mruby/src/proc.c +7 -8
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/string.c +24 -21
- data/ext/enterprise_script_service/mruby/src/symbol.c +1 -2
- data/ext/enterprise_script_service/mruby/src/vm.c +28 -24
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +7 -0
- data/lib/script_core/version.rb +1 -1
- metadata +45 -21
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -642
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -642
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
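--- a/data/ext/enterprise_script_service/libseccomp/src/system.h
+++ b/data/ext/enterprise_script_service/libseccomp/src/system.h
@@ -22,9 +22,12 @@
 #ifndef _SYSTEM_H
 #define _SYSTEM_H
 
+#include <inttypes.h>
+#include <stdbool.h>
 #include <linux/filter.h>
+#include <linux/types.h>
 #include <sys/prctl.h>
-
+#include <sys/ioctl.h>
 #include "configure.h"
 
 /* NOTE: this was taken from the Linux Kernel sources */
@@ -40,7 +43,6 @@ struct db_filter_col;
 #else
 
 /* NOTE: the definitions below were taken from the Linux Kernel sources */
-#include <linux/types.h>
 
 /* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
 #define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
@@ -60,12 +62,11 @@ struct db_filter_col;
 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD /* default to killing the thread */
 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U /* notifies userspace */
 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
-#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
-#define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #define SECCOMP_RET_ACTION 0x7fff0000U
 #define SECCOMP_RET_DATA 0x0000ffffU
 
@@ -109,29 +110,78 @@ typedef struct sock_filter bpf_instr_raw;
 #ifndef SECCOMP_GET_ACTION_AVAIL
 #define SECCOMP_GET_ACTION_AVAIL 2
 #endif
+#ifndef SECCOMP_GET_NOTIF_SIZES
+#define SECCOMP_GET_NOTIF_SIZES 3
+#endif
 
 /* flags for the seccomp() syscall */
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FILTER_FLAG_TSYNC
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
 #endif
 #ifndef SECCOMP_FILTER_FLAG_LOG
-#define SECCOMP_FILTER_FLAG_LOG
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
 #endif
 
-
-
-
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
+#endif
+
+/* SECCOMP_RET_ACTION_FULL was added in kernel v4.14. */
 #ifndef SECCOMP_RET_ACTION_FULL
 #define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #endif
 
-/* SECCOMP_RET_LOG was added in kernel v4.14.
-* older kernels.
-*/
+/* SECCOMP_RET_LOG was added in kernel v4.14. */
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG 0x7fc00000U
 #endif
 
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+
+struct seccomp_notif_sizes {
+__u16 seccomp_notif;
+__u16 seccomp_notif_resp;
+__u16 seccomp_data;
+};
+
+struct seccomp_notif {
+__u64 id;
+__u32 pid;
+__u32 flags;
+struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+__u64 id;
+__s64 val;
+__s32 error;
+__u32 flags;
+};
+
+#define SECCOMP_IOC_MAGIC '!'
+#define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
+#define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
+
+/* flags for seccomp notification fd ioctl */
+#define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
+#define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
+struct seccomp_notif_resp)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
+#endif /* SECCOMP_RET_USER_NOTIF */
+
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);
 
@@ -141,6 +191,11 @@ void sys_set_seccomp_action(uint32_t action, bool enable);
 int sys_chk_seccomp_flag(int flag);
 void sys_set_seccomp_flag(int flag, bool enable);
 
-int sys_filter_load(
+int sys_filter_load(struct db_filter_col *col, bool rawrc);
 
+int sys_notify_alloc(struct seccomp_notif **req,
+struct seccomp_notif_resp **resp);
+int sys_notify_receive(int fd, struct seccomp_notif *req);
+int sys_notify_respond(int fd, struct seccomp_notif_resp *resp);
+int sys_notify_id_valid(int fd, uint64_t id);
 #endif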
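Review bot: The retained fallback `#ifndef SECCOMP_RET_LOG` / `#define SECCOMP_RET_LOG 0x7fc00000U` at new lines 144-146 is now unreachable, because the block added at new lines 134-136 already defines SECCOMP_RET_LOG as 0x7ffc0000U a few lines above it, and the two values disagree — 0x7fc00000U is the value this same hunk assigns to SECCOMP_RET_USER_NOTIF at new line 150. An unreachable definition carrying a different action value, in the header that supplies the seccomp action constants, is a hazard: a later reordering of the fallbacks would silently change the LOG action used on systems whose kernel headers lack it. Drop new lines 143-146 and move the `/* SECCOMP_RET_LOG was added in kernel v4.14. */` comment above the 0x7ffc0000U block. The new `sys_notify_*` prototypes at new lines 196-200 are also undocumented; a one-line comment on each stating its contract (return convention, and who owns the buffers `sys_notify_alloc` hands back) would make the header self-describing.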
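--- a/data/ext/enterprise_script_service/libseccomp/tests/.gitignore
+++ b/data/ext/enterprise_script_service/libseccomp/tests/.gitignore
@@ -23,7 +23,7 @@ util.pyc
 15-basic-resolver
 16-sim-arch_basic
 17-sim-arch_merge
-18-sim-
+18-sim-basic_allowlist
 19-sim-missing_syscalls
 20-live-basic_die
 21-live-basic_allow
@@ -39,7 +39,7 @@ util.pyc
 31-basic-version_check
 32-live-tsync_allow
 33-sim-socket_syscalls_be
-34-sim-
+34-sim-basic_denylist
 35-sim-negative_one
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
@@ -56,4 +56,11 @@ util.pyc
 48-sim-32b_args
 49-sim-64b_comparisons
 50-sim-hash_collision
+51-live-user_notification
 52-basic-load
+53-sim-binary_tree
+54-live-binary_tree
+55-basic-pfc_binary_tree
+56-basic-iterate_syscalls
+57-basic-rawsysrc
+58-live-tsync_notify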
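--- a/data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests
+++ b/data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests
@@ -12,7 +12,7 @@ test type: bpf-sim
 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
 06-sim-actions all close 4 N N N N N TRAP
 06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
-06-sim-actions all
+06-sim-actions all,-aarch64 stat N N N N N N KILL_PROCESS
 06-sim-actions all rt_sigreturn N N N N N N LOG
 06-sim-actions x86 0-2 N N N N N N KILL
 06-sim-actions x86 7-105 N N N N N N KILL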
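--- a/data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c
@@ -81,7 +81,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
-if (rc != -
+if (rc != -EACCES)
 return -1;
 rc = seccomp_rule_add(ctx, SCMP_ACT_KILL - 1, SCMP_SYS(read), 0);
 if (rc != -EINVAL)
@@ -151,7 +151,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
-if (rc !=
+if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
-if (rc != -
+if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
@@ -178,10 +178,10 @@ int main(int argc, char *argv[])
 if (ctx == NULL)
 return -1;
 rc = seccomp_attr_get(ctx, 1000, &attr);
-if (rc != -
+if (rc != -EINVAL)
 return -1;
 rc = seccomp_attr_set(ctx, 1000, 1);
-if (rc != -
+if (rc != -EINVAL)
 return -1;
 
 return 0;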
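Review bot: The expected error codes asserted at new lines 84, 154, 170, 181 and 184 carry no comment saying which failure each check exercises, and because the previous values are now history the rationale is only recoverable from the library source. A one-line comment per check would pin the contract, e.g. before line 84 `/* a rule whose action matches the filter's default action is rejected with -EACCES */` (presumably the case here; confirm against the ctx setup above the hunk) and before lines 154 and 170 `/* export to an fd that is not open fails with -ECANCELED */` (the fd `sysconf(_SC_OPEN_MAX) - 1` is presumably unopened). main() starts and ends outside these hunks.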
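--- a/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c
@@ -32,7 +32,7 @@ int main(int argc, char *argv[])
 uint32_t val = (uint32_t)(-1);
 scmp_filter_ctx ctx = NULL;
 
-rc = seccomp_api_set(
+rc = seccomp_api_set(5);
 if (rc != 0)
 return EOPNOTSUPP;
 
@@ -108,6 +108,40 @@ int main(int argc, char *argv[])
 goto out;
 }
 
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_SSB, &val);
+if (rc != 0)
+goto out;
+if (val != 1) {
+rc = -1;
+goto out;
+}
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val);
+if (rc != 0)
+goto out;
+if (val != 2) {
+rc = -1;
+goto out;
+}
+
+rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+if (rc != 0)
+goto out;
+rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val);
+if (rc != 0)
+goto out;
+if (val != 1) {
+rc = -1;
+goto out;
+}
+
 rc = 0;
 out:
 seccomp_release(ctx);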
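--- a/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py
@@ -29,7 +29,7 @@ import util
 from seccomp import *
 
 def test():
-set_api(
+set_api(5)
 
 f = SyscallFilter(ALLOW)
 if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
@@ -52,6 +52,15 @@ def test():
 f.set_attr(Attr.CTL_LOG, 1)
 if f.get_attr(Attr.CTL_LOG) != 1:
 raise RuntimeError("Failed getting Attr.CTL_LOG")
+f.set_attr(Attr.CTL_SSB, 1)
+if f.get_attr(Attr.CTL_SSB) != 1:
+raise RuntimeError("Failed getting Attr.CTL_SSB")
+f.set_attr(Attr.CTL_OPTIMIZE, 2)
+if f.get_attr(Attr.CTL_OPTIMIZE) != 2:
+raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE")
+f.set_attr(Attr.API_SYSRAWRC, 1)
+if f.get_attr(Attr.API_SYSRAWRC) != 1:
+raise RuntimeError("Failed getting Attr.API_SYSRAWRC")
 
 test()
 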
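--- a/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c
@@ -51,6 +51,12 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 
+/* NOTE: we are using a different approach to test for the native arch
+* to exercise slightly different code paths */
+rc = seccomp_arch_exist(ctx, 0);
+if (rc != -EEXIST)
+goto out;
+
 /* NOTE: more sanity/coverage tests (see above) */
 rc = seccomp_arch_add(ctx, SCMP_ARCH_NATIVE);
 if (rc != 0)
@@ -84,6 +90,9 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+if (rc != 0)
+goto out;
+rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
 if (rc != 0)
 goto out;
 
@@ -150,6 +159,9 @@ int main(int argc, char *argv[])
 rc = seccomp_arch_remove(ctx, SCMP_ARCH_PPC64LE);
 if (rc != 0)
 goto out;
+rc = seccomp_arch_remove(ctx, SCMP_ARCH_RISCV64);
+if (rc != 0)
+goto out;
 
 out:
 seccomp_release(ctx);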
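--- a/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py
@@ -44,6 +44,7 @@ def test(args):
 f.add_arch(Arch("mipsel64"))
 f.add_arch(Arch("mipsel64n32"))
 f.add_arch(Arch("ppc64le"))
+f.add_arch(Arch("riscv64"))
 f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))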
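--- /dev/null
+++ b/data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+18-sim-basic_allowlist all read 0 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all read 1-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all write 1-2 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all write 3-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all close N N N N N N ALLOW
+18-sim-basic_allowlist all rt_sigreturn N N N N N N ALLOW
+18-sim-basic_allowlist all open 0x856B008 4 N N N N KILL
+18-sim-basic_allowlist x86 0-2 N N N N N N KILL
+18-sim-basic_allowlist x86 7-172 N N N N N N KILL
+18-sim-basic_allowlist x86 174-350 N N N N N N KILL
+18-sim-basic_allowlist x86_64 4-14 N N N N N N KILL
+18-sim-basic_allowlist x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+18-sim-basic_allowlist 50
+
+test type: bpf-valgrind
+
+# Testname
+18-sim-basic_allowlist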
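--- a/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c
@@ -69,6 +69,9 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le"));
+if (rc != 0)
+goto out;
+rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("riscv64"));
 if (rc != 0)
 goto out;
 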
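--- a/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py
@@ -40,6 +40,7 @@ def test(args):
 f.add_arch(Arch("mipsel64"))
 f.add_arch(Arch("mipsel64n32"))
 f.add_arch(Arch("ppc64le"))
+f.add_arch(Arch("riscv64"))
 f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
 f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))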
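--- a/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests
+++ b/data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests
@@ -7,23 +7,39 @@
 
 test type: bpf-sim
 
-# Testname Arch
-
-30-sim-socket_syscalls +x86 socketcall
-
-30-sim-socket_syscalls +x86 socketcall
-
-30-sim-socket_syscalls +x86
-
-30-sim-socket_syscalls +
-
-30-sim-socket_syscalls +x86
-
-30-sim-socket_syscalls +x86
-30-sim-socket_syscalls +
-
-30-sim-socket_syscalls +
-30-sim-socket_syscalls +
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+# socket
+30-sim-socket_syscalls +x86,+ppc64le socketcall 1 N N N N N ALLOW
+# connect
+30-sim-socket_syscalls +x86,+ppc64le socketcall 3 N N N N N ALLOW
+# accept
+30-sim-socket_syscalls +x86,+ppc64le socketcall 5 N N N N N ALLOW
+# accept4
+30-sim-socket_syscalls +ppc64le socketcall 18 N N N N N ALLOW
+# shutdown
+30-sim-socket_syscalls +x86,+ppc64le socketcall 13 N N N N N ALLOW
+# socket
+30-sim-socket_syscalls +x86 359 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 326 0 1 2 N N N ALLOW
+# connect
+30-sim-socket_syscalls +x86 362 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 328 0 1 2 N N N ALLOW
+# accept
+30-sim-socket_syscalls +ppc64le 330 0 1 2 N N N ALLOW
+# accept4
+30-sim-socket_syscalls +x86 364 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 344 0 1 2 N N N ALLOW
+# shutdown
+30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 338 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86,+ppc64le accept 5 N N N N N ALLOW
+30-sim-socket_syscalls +x86,+ppc64le accept 0 1 2 N N N KILL
+30-sim-socket_syscalls +x86,+ppc64le accept4 18 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86,+ppc64le accept4 0 1 2 N N N KILL
+30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 shutdown 0 1 2 N N N ALLOW
 
 test type: bpf-valgrind
 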