script_core 0.2.6 → 0.2.7

data/ext/enterprise_script_service/libseccomp/src/system.h

@@ -22,9 +22,12 @@
 #ifndef _SYSTEM_H
 #define _SYSTEM_H
 
+#include <inttypes.h>
+#include <stdbool.h>
 #include <linux/filter.h>
+#include <linux/types.h>
 #include <sys/prctl.h>
-
+#include <sys/ioctl.h>
 #include "configure.h"
 
 /* NOTE: this was taken from the Linux Kernel sources */
@@ -40,7 +43,6 @@ struct db_filter_col;
 #else
 
 /* NOTE: the definitions below were taken from the Linux Kernel sources */
-#include <linux/types.h>
 
 /* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
 #define SECCOMP_MODE_DISABLED	0 /* seccomp is not in use. */
@@ -60,12 +62,11 @@ struct db_filter_col;
 #define SECCOMP_RET_KILL	SECCOMP_RET_KILL_THREAD /* default to killing the thread */
 #define SECCOMP_RET_TRAP	0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO	0x00050000U /* returns an errno */
+#define SECCOMP_RET_USER_NOTIF	0x7fc00000U /* notifies userspace */
 #define SECCOMP_RET_TRACE	0x7ff00000U /* pass to a tracer or disallow */
-#define SECCOMP_RET_LOG		0x7ffc0000U /* allow after logging */
 #define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
-#define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #define SECCOMP_RET_ACTION	0x7fff0000U
 #define SECCOMP_RET_DATA	0x0000ffffU
 
@@ -109,29 +110,78 @@ typedef struct sock_filter bpf_instr_raw;
 #ifndef SECCOMP_GET_ACTION_AVAIL
 #define SECCOMP_GET_ACTION_AVAIL	2
 #endif
+#ifndef SECCOMP_GET_NOTIF_SIZES
+#define SECCOMP_GET_NOTIF_SIZES		3
+#endif
 
 /* flags for the seccomp() syscall */
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FILTER_FLAG_TSYNC	(1UL << 0)
+#define SECCOMP_FILTER_FLAG_TSYNC		(1UL << 0)
 #endif
 #ifndef SECCOMP_FILTER_FLAG_LOG
-#define SECCOMP_FILTER_FLAG_LOG		(1UL << 1)
+#define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW		(1UL << 2)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER	(1UL << 3)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH		(1UL << 4)
 #endif
 
-/* SECCOMP_RET_ACTION_FULL was added in kernel v4.14.  It may not be
- * defined on older kernels
- */
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG			0x7ffc0000U /* allow after logging */
+#endif
+
+/* SECCOMP_RET_ACTION_FULL was added in kernel v4.14. */
 #ifndef SECCOMP_RET_ACTION_FULL
 #define SECCOMP_RET_ACTION_FULL		0xffff0000U
 #endif
 
-/* SECCOMP_RET_LOG was added in kernel v4.14.  It may not be defined on
- * older kernels.
- */
+/* SECCOMP_RET_LOG was added in kernel v4.14. */
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG			0x7fc00000U
 #endif
 
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF	 	0x7fc00000U
+
+struct seccomp_notif_sizes {
+	__u16 seccomp_notif;
+	__u16 seccomp_notif_resp;
+	__u16 seccomp_data;
+};
+
+struct seccomp_notif {
+	__u64 id;
+	__u32 pid;
+	__u32 flags;
+	struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+	__u64 id;
+	__s64 val;
+	__s32 error;
+	__u32 flags;
+};
+
+#define SECCOMP_IOC_MAGIC               '!'
+#define SECCOMP_IO(nr)                  _IO(SECCOMP_IOC_MAGIC, nr)
+#define SECCOMP_IOR(nr, type)           _IOR(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOW(nr, type)           _IOW(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOWR(nr, type)          _IOWR(SECCOMP_IOC_MAGIC, nr, type)
+
+/* flags for seccomp notification fd ioctl */
+#define SECCOMP_IOCTL_NOTIF_RECV        SECCOMP_IOWR(0, struct seccomp_notif)
+#define SECCOMP_IOCTL_NOTIF_SEND        SECCOMP_IOWR(1, \
+						     struct seccomp_notif_resp)
+#define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOR(2, __u64)
+#endif /* SECCOMP_RET_USER_NOTIF */
+
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);
 
@@ -141,6 +191,11 @@ void sys_set_seccomp_action(uint32_t action, bool enable);
 int sys_chk_seccomp_flag(int flag);
 void sys_set_seccomp_flag(int flag, bool enable);
 
-int sys_filter_load(const struct db_filter_col *col);
+int sys_filter_load(struct db_filter_col *col, bool rawrc);
 
+int sys_notify_alloc(struct seccomp_notif **req,
+		     struct seccomp_notif_resp **resp);
+int sys_notify_receive(int fd, struct seccomp_notif *req);
+int sys_notify_respond(int fd, struct seccomp_notif_resp *resp);
+int sys_notify_id_valid(int fd, uint64_t id);
 #endif

data/ext/enterprise_script_service/libseccomp/tests/.gitignore

@@ -23,7 +23,7 @@ util.pyc
 15-basic-resolver
 16-sim-arch_basic
 17-sim-arch_merge
-18-sim-basic_whitelist
+18-sim-basic_allowlist
 19-sim-missing_syscalls
 20-live-basic_die
 21-live-basic_allow
@@ -39,7 +39,7 @@ util.pyc
 31-basic-version_check
 32-live-tsync_allow
 33-sim-socket_syscalls_be
-34-sim-basic_blacklist
+34-sim-basic_denylist
 35-sim-negative_one
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
@@ -56,4 +56,11 @@ util.pyc
 48-sim-32b_args
 49-sim-64b_comparisons
 50-sim-hash_collision
+51-live-user_notification
 52-basic-load
+53-sim-binary_tree
+54-live-binary_tree
+55-basic-pfc_binary_tree
+56-basic-iterate_syscalls
+57-basic-rawsysrc
+58-live-tsync_notify

data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests

@@ -12,7 +12,7 @@ test type: bpf-sim
 06-sim-actions	all		write		1		0x856B008	N	N	N	N	ERRNO(1)
 06-sim-actions	all		close		4		N		N	N	N	N	TRAP
 06-sim-actions	all,-aarch64	open		0x856B008	4		N	N	N	N	TRACE(1234)
-06-sim-actions	all		stat		N		N		N	N	N	N	KILL_PROCESS
+06-sim-actions	all,-aarch64	stat		N		N		N	N	N	N	KILL_PROCESS
 06-sim-actions	all		rt_sigreturn	N		N		N	N	N	N	LOG
 06-sim-actions	x86		0-2		N		N		N	N	N	N	KILL
 06-sim-actions	x86		7-105		N		N		N	N	N	N	KILL

data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c

@@ -81,7 +81,7 @@ int main(int argc, char *argv[])
 		return -1;
 	else {
 		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
-		if (rc != -EPERM)
+		if (rc != -EACCES)
 			return -1;
 		rc = seccomp_rule_add(ctx, SCMP_ACT_KILL - 1, SCMP_SYS(read), 0);
 		if (rc != -EINVAL)
@@ -151,7 +151,7 @@ int main(int argc, char *argv[])
 		return -1;
 	else {
 		rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
-		if (rc != EBADF)
+		if (rc != -ECANCELED)
 			return -1;
 	}
 	seccomp_release(ctx);
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
 		return -1;
 	else {
 		rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
-		if (rc != -EBADF)
+		if (rc != -ECANCELED)
 			return -1;
 	}
 	seccomp_release(ctx);
@@ -178,10 +178,10 @@ int main(int argc, char *argv[])
 	if (ctx == NULL)
 		return -1;
 	rc = seccomp_attr_get(ctx, 1000, &attr);
-	if (rc != -EEXIST)
+	if (rc != -EINVAL)
 		return -1;
 	rc = seccomp_attr_set(ctx, 1000, 1);
-	if (rc != -EEXIST)
+	if (rc != -EINVAL)
 		return -1;
 
 	return 0;

data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c

@@ -32,7 +32,7 @@ int main(int argc, char *argv[])
 	uint32_t val = (uint32_t)(-1);
 	scmp_filter_ctx ctx = NULL;
 
-	rc = seccomp_api_set(3);
+	rc = seccomp_api_set(5);
 	if (rc != 0)
 		return EOPNOTSUPP;
 
@@ -108,6 +108,40 @@ int main(int argc, char *argv[])
 		goto out;
 	}
 
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_SSB, &val);
+	if (rc != 0)
+		goto out;
+	if (val != 1) {
+		rc = -1;
+		goto out;
+	}
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val);
+	if (rc != 0)
+		goto out;
+	if (val != 2) {
+		rc = -1;
+		goto out;
+	}
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val);
+	if (rc != 0)
+		goto out;
+	if (val != 1) {
+		rc = -1;
+		goto out;
+	}
+
 	rc = 0;
 out:
 	seccomp_release(ctx);

data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py

@@ -29,7 +29,7 @@ import util
 from seccomp import *
 
 def test():
-    set_api(3)
+    set_api(5)
 
     f = SyscallFilter(ALLOW)
     if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
@@ -52,6 +52,15 @@ def test():
     f.set_attr(Attr.CTL_LOG, 1)
     if f.get_attr(Attr.CTL_LOG) != 1:
         raise RuntimeError("Failed getting Attr.CTL_LOG")
+    f.set_attr(Attr.CTL_SSB, 1)
+    if f.get_attr(Attr.CTL_SSB) != 1:
+        raise RuntimeError("Failed getting Attr.CTL_SSB")
+    f.set_attr(Attr.CTL_OPTIMIZE, 2)
+    if f.get_attr(Attr.CTL_OPTIMIZE) != 2:
+        raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE")
+    f.set_attr(Attr.API_SYSRAWRC, 1)
+    if f.get_attr(Attr.API_SYSRAWRC) != 1:
+        raise RuntimeError("Failed getting Attr.API_SYSRAWRC")
 
 test()
 

data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c

@@ -45,6 +45,7 @@ unsigned int arch_list[] = {
 	SCMP_ARCH_S390X,
 	SCMP_ARCH_PARISC,
 	SCMP_ARCH_PARISC64,
+	SCMP_ARCH_RISCV64,
 	-1
 };
 

data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c

@@ -51,6 +51,12 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 
+	/* NOTE: we are using a different approach to test for the native arch
+	 *       to exercise slightly different code paths */
+	rc = seccomp_arch_exist(ctx, 0);
+	if (rc != -EEXIST)
+		goto out;
+
 	/* NOTE: more sanity/coverage tests (see above) */
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_NATIVE);
 	if (rc != 0)
@@ -84,6 +90,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
 	if (rc != 0)
 		goto out;
 
@@ -150,6 +159,9 @@ int main(int argc, char *argv[])
 	rc = seccomp_arch_remove(ctx, SCMP_ARCH_PPC64LE);
 	if (rc != 0)
 		goto out;
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_RISCV64);
+	if (rc != 0)
+		goto out;
 
 out:
 	seccomp_release(ctx);

data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py

@@ -44,6 +44,7 @@ def test(args):
     f.add_arch(Arch("mipsel64"))
     f.add_arch(Arch("mipsel64n32"))
     f.add_arch(Arch("ppc64le"))
+    f.add_arch(Arch("riscv64"))
     f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
     f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
     f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))

data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests

@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname		Arch	Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
+18-sim-basic_allowlist	all	read		0		0x856B008	10	N	N	N	ALLOW
+18-sim-basic_allowlist	all	read		1-10		0x856B008	10	N	N	N	KILL
+18-sim-basic_allowlist	all	write		1-2		0x856B008	10	N	N	N	ALLOW
+18-sim-basic_allowlist	all	write		3-10		0x856B008	10	N	N	N	KILL
+18-sim-basic_allowlist	all	close		N		N		N	N	N	N	ALLOW
+18-sim-basic_allowlist	all	rt_sigreturn	N		N		N	N	N	N	ALLOW
+18-sim-basic_allowlist	all	open		0x856B008	4		N	N	N	N	KILL
+18-sim-basic_allowlist	x86	0-2		N		N		N	N	N	N	KILL
+18-sim-basic_allowlist	x86	7-172		N		N		N	N	N	N	KILL
+18-sim-basic_allowlist	x86	174-350		N		N		N	N	N	N	KILL
+18-sim-basic_allowlist	x86_64	4-14		N		N		N	N	N	N	KILL
+18-sim-basic_allowlist	x86_64	16-350		N		N		N	N	N	N	KILL
+
+test type: bpf-sim-fuzz
+
+# Testname		StressCount
+18-sim-basic_allowlist	50
+
+test type: bpf-valgrind
+
+# Testname
+18-sim-basic_allowlist

data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c

@@ -69,6 +69,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le"));
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("riscv64"));
 	if (rc != 0)
 		goto out;
 

data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py

@@ -40,6 +40,7 @@ def test(args):
     f.add_arch(Arch("mipsel64"))
     f.add_arch(Arch("mipsel64n32"))
     f.add_arch(Arch("ppc64le"))
+    f.add_arch(Arch("riscv64"))
     f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
     f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
     f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))

data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c

@@ -51,6 +51,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
 	if (rc != 0)
 		goto out;
 

data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py

@@ -34,6 +34,7 @@ def test(args):
     f.add_arch(Arch("x86"))
     f.add_arch(Arch("x86_64"))
     f.add_arch(Arch("x32"))
+    f.add_arch(Arch("ppc64le"))
     f.add_rule(ALLOW, "socket")
     f.add_rule(ALLOW, "connect")
     f.add_rule(ALLOW, "accept")

data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests

@@ -7,23 +7,39 @@
 
 test type: bpf-sim
 
-# Testname		Arch	Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
-30-sim-socket_syscalls	+x86	socketcall	1		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	socketcall	3		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	socketcall	5		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	socketcall	13		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	359		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	362		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	364		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	373		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	accept		5		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	accept		0		1		2	N	N	N	KILL
-30-sim-socket_syscalls	+x86	accept4		18		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86	accept4		0		1		2	N	N	N	KILL
-30-sim-socket_syscalls	+x86_64	socket		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86_64	connect		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86_64	accept4		0		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86_64	shutdown	0		1		2	N	N	N	ALLOW
+# Testname		Arch		Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
+# socket
+30-sim-socket_syscalls	+x86,+ppc64le	socketcall	1		N		N	N	N	N	ALLOW
+# connect
+30-sim-socket_syscalls	+x86,+ppc64le	socketcall	3		N		N	N	N	N	ALLOW
+# accept
+30-sim-socket_syscalls	+x86,+ppc64le	socketcall	5		N		N	N	N	N	ALLOW
+# accept4
+30-sim-socket_syscalls	+ppc64le	socketcall	18		N		N	N	N	N	ALLOW
+# shutdown
+30-sim-socket_syscalls	+x86,+ppc64le	socketcall	13		N		N	N	N	N	ALLOW
+# socket
+30-sim-socket_syscalls	+x86		359		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+ppc64le	326		0		1		2	N	N	N	ALLOW
+# connect
+30-sim-socket_syscalls	+x86		362		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+ppc64le	328		0		1		2	N	N	N	ALLOW
+# accept
+30-sim-socket_syscalls	+ppc64le	330		0		1		2	N	N	N	ALLOW
+# accept4
+30-sim-socket_syscalls	+x86		364		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+ppc64le	344		0		1		2	N	N	N	ALLOW
+# shutdown
+30-sim-socket_syscalls	+x86		373		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+ppc64le	338		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86,+ppc64le	accept		5		N		N	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86,+ppc64le	accept		0		1		2	N	N	N	KILL
+30-sim-socket_syscalls	+x86,+ppc64le	accept4		18		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86,+ppc64le	accept4		0		1		2	N	N	N	KILL
+30-sim-socket_syscalls	+x86_64		socket		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86_64		connect		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86_64		accept4		0		1		2	N	N	N	ALLOW
+30-sim-socket_syscalls	+x86_64		shutdown	0		1		2	N	N	N	ALLOW
 
 test type: bpf-valgrind