script_core 0.2.6 → 0.2.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/ext/enterprise_script_service/libseccomp/.travis.yml +21 -7
- data/ext/enterprise_script_service/libseccomp/CHANGELOG +22 -0
- data/ext/enterprise_script_service/libseccomp/CONTRIBUTING.md +37 -26
- data/ext/enterprise_script_service/libseccomp/CREDITS +8 -0
- data/ext/enterprise_script_service/libseccomp/README.md +3 -1
- data/ext/enterprise_script_service/libseccomp/configure.ac +13 -8
- data/ext/enterprise_script_service/libseccomp/doc/Makefile.am +6 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_api_get.3 +12 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_arch_add.3 +38 -6
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_attr_set.3 +53 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3 +20 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3 +9 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3 +32 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3 +16 -2
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3 +113 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3 +1 -0
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3 +64 -3
- data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3 +18 -3
- data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h +12 -0
- data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in +116 -0
- data/ext/enterprise_script_service/libseccomp/src/.gitignore +2 -0
- data/ext/enterprise_script_service/libseccomp/src/Makefile.am +31 -17
- data/ext/enterprise_script_service/libseccomp/src/api.c +254 -58
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.c +47 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-arm.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-gperf-generate +40 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64.h +3 -11
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.c +41 -4
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc.h +1 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.c +3 -3
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc64.h +29 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.c +606 -8
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.c +31 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-riscv64.h +22 -0
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.c +171 -12
- data/ext/enterprise_script_service/libseccomp/src/arch-s390.h +1 -17
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.c +166 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x.h +1 -20
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-dump.c +8 -1
- data/ext/enterprise_script_service/libseccomp/src/arch-syscall-validate +359 -143
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.c +36 -2
- data/ext/enterprise_script_service/libseccomp/src/arch-x32.h +2 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.c +172 -10
- data/ext/enterprise_script_service/libseccomp/src/arch-x86.h +1 -14
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64.h +1 -9
- data/ext/enterprise_script_service/libseccomp/src/arch.c +11 -3
- data/ext/enterprise_script_service/libseccomp/src/arch.h +7 -0
- data/ext/enterprise_script_service/libseccomp/src/db.c +268 -57
- data/ext/enterprise_script_service/libseccomp/src/db.h +16 -2
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.c +503 -148
- data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h +2 -1
- data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c +165 -37
- data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd +37 -1
- data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx +295 -5
- data/ext/enterprise_script_service/libseccomp/src/syscalls.c +56 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.csv +470 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.h +62 -0
- data/ext/enterprise_script_service/libseccomp/src/syscalls.perf.template +82 -0
- data/ext/enterprise_script_service/libseccomp/src/system.c +196 -16
- data/ext/enterprise_script_service/libseccomp/src/system.h +68 -13
- data/ext/enterprise_script_service/libseccomp/tests/.gitignore +9 -2
- data/ext/enterprise_script_service/libseccomp/tests/06-sim-actions.tests +1 -1
- data/ext/enterprise_script_service/libseccomp/tests/11-basic-basic_errors.c +5 -5
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.c +35 -1
- data/ext/enterprise_script_service/libseccomp/tests/13-basic-attrs.py +10 -1
- data/ext/enterprise_script_service/libseccomp/tests/15-basic-resolver.c +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.c +12 -0
- data/ext/enterprise_script_service/libseccomp/tests/16-sim-arch_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.c → 18-sim-basic_allowlist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{18-sim-basic_whitelist.py → 18-sim-basic_allowlist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_allowlist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/23-sim-arch_all_le_basic.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/30-sim-socket_syscalls.tests +33 -17
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} +0 -0
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests +32 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py +1 -0
- data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests +25 -25
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c +24 -3
- data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py +16 -1
- data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c +112 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py +60 -0
- data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c +156 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c +128 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py +95 -0
- data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c +134 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.sh +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.c +90 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.py +65 -0
- data/ext/enterprise_script_service/libseccomp/tests/56-basic-iterate_syscalls.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.c +64 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.py +46 -0
- data/ext/enterprise_script_service/libseccomp/tests/57-basic-rawsysrc.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.c +116 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.py +61 -0
- data/ext/enterprise_script_service/libseccomp/tests/58-live-tsync_notify.tests +11 -0
- data/ext/enterprise_script_service/libseccomp/tests/Makefile.am +31 -10
- data/ext/enterprise_script_service/libseccomp/tests/regression +6 -3
- data/ext/enterprise_script_service/libseccomp/tests/util.c +3 -3
- data/ext/enterprise_script_service/libseccomp/tools/check-syntax +1 -1
- data/ext/enterprise_script_service/libseccomp/tools/scmp_arch_detect.c +3 -0
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_disasm.c +4 -2
- data/ext/enterprise_script_service/libseccomp/tools/scmp_bpf_sim.c +2 -0
- data/ext/enterprise_script_service/libseccomp/tools/util.c +14 -12
- data/ext/enterprise_script_service/libseccomp/tools/util.h +7 -0
- data/ext/enterprise_script_service/mruby/.github/workflows/codeql-analysis.yml +51 -0
- data/ext/enterprise_script_service/mruby/Doxyfile +1 -1
- data/ext/enterprise_script_service/mruby/README.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/guides/debugger.md +1 -1
- data/ext/enterprise_script_service/mruby/doc/limitations.md +10 -10
- data/ext/enterprise_script_service/mruby/include/mruby.h +13 -0
- data/ext/enterprise_script_service/mruby/include/mruby/boxing_word.h +0 -1
- data/ext/enterprise_script_service/mruby/include/mruby/proc.h +13 -8
- data/ext/enterprise_script_service/mruby/include/mruby/value.h +25 -29
- data/ext/enterprise_script_service/mruby/include/mruby/version.h +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-array-ext/src/array.c +5 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c +2 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-bin-mrbc/tools/mrbc/mrbc.c +17 -10
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/mrblib/complex.rb +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-complex/src/complex.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-eval/src/eval.c +1 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-fiber/src/fiber.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-inline-struct/test/inline.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/file_test.c +9 -26
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-io/src/io.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-kernel-ext/src/kernel.c +6 -8
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-method/src/method.c +3 -4
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-objectspace/src/mruby_objectspace.c +0 -1
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-print/src/print.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-range-ext/src/range.c +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-rational/mrblib/rational.rb +1 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-sprintf/src/sprintf.c +3 -3
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-string-ext/src/string.c +1 -2
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-struct/src/struct.c +5 -11
- data/ext/enterprise_script_service/mruby/mrbgems/mruby-time/src/time.c +5 -10
- data/ext/enterprise_script_service/mruby/mrblib/00class.rb +10 -0
- data/ext/enterprise_script_service/mruby/src/array.c +14 -11
- data/ext/enterprise_script_service/mruby/src/class.c +22 -21
- data/ext/enterprise_script_service/mruby/src/error.c +1 -2
- data/ext/enterprise_script_service/mruby/src/etc.c +0 -1
- data/ext/enterprise_script_service/mruby/src/gc.c +5 -5
- data/ext/enterprise_script_service/mruby/src/hash.c +8 -15
- data/ext/enterprise_script_service/mruby/src/kernel.c +4 -7
- data/ext/enterprise_script_service/mruby/src/numeric.c +28 -60
- data/ext/enterprise_script_service/mruby/src/object.c +11 -1
- data/ext/enterprise_script_service/mruby/src/proc.c +7 -8
- data/ext/enterprise_script_service/mruby/src/range.c +4 -12
- data/ext/enterprise_script_service/mruby/src/string.c +24 -21
- data/ext/enterprise_script_service/mruby/src/symbol.c +1 -2
- data/ext/enterprise_script_service/mruby/src/vm.c +28 -24
- data/ext/enterprise_script_service/mruby/test/t/kernel.rb +7 -0
- data/lib/script_core/version.rb +1 -1
- metadata +45 -21
- data/ext/enterprise_script_service/libseccomp/src/arch-aarch64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-arm-syscalls.c +0 -570
- data/ext/enterprise_script_service/libseccomp/src/arch-mips-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-mips64n32-syscalls.c +0 -562
- data/ext/enterprise_script_service/libseccomp/src/arch-parisc-syscalls.c +0 -542
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-ppc64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/src/arch-s390-syscalls.c +0 -642
- data/ext/enterprise_script_service/libseccomp/src/arch-s390x-syscalls.c +0 -642
- data/ext/enterprise_script_service/libseccomp/src/arch-x32-syscalls.c +0 -558
- data/ext/enterprise_script_service/libseccomp/src/arch-x86-syscalls.c +0 -692
- data/ext/enterprise_script_service/libseccomp/src/arch-x86_64-syscalls.c +0 -559
- data/ext/enterprise_script_service/libseccomp/tests/18-sim-basic_whitelist.tests +0 -32
- data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_blacklist.tests +0 -32
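--- a/data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+table = [
+    {"syscall": "read", "error": 0, "arg_cnt": 0 },
+    {"syscall": "write", "error": 1, "arg_cnt": 0 },
+    {"syscall": "open", "error": 2, "arg_cnt": 0 },
+    {"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 },
+    {"syscall": "stat", "error": 4, "arg_cnt": 0 },
+    {"syscall": "fstat", "error": 5, "arg_cnt": 0 },
+    {"syscall": "lstat", "error": 6, "arg_cnt": 0 },
+    {"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 },
+    {"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 },
+    {"syscall": "mmap", "error": 9, "arg_cnt": 0 },
+    {"syscall": "mprotect", "error": 10, "arg_cnt": 0 },
+    {"syscall": "munmap", "error": 11, "arg_cnt": 0 },
+    {"syscall": "brk", "error": 12, "arg_cnt": 0 },
+    {"syscall": "rt_sigaction", "error": 13, "arg_cnt": 0 },
+    {"syscall": "rt_sigprocmask", "error": 14, "arg_cnt": 0 },
+    {"syscall": "rt_sigreturn", "error": 15, "arg_cnt": 0 },
+    {"syscall": "ioctl", "error": 16, "arg_cnt": 0 },
+    {"syscall": "pread64", "error": 17, "arg_cnt": 1, "arg1": 105 },
+    {"syscall": "pwrite64", "error": 18, "arg_cnt": 0 },
+    {"syscall": "readv", "error": 19, "arg_cnt": 0 },
+    {"syscall": "writev", "error": 20, "arg_cnt": 0 },
+    {"syscall": "access", "error": 21, "arg_cnt": 0 },
+    {"syscall": "pipe", "error": 22, "arg_cnt": 0 },
+    {"syscall": "select", "error": 23, "arg_cnt": 2, "arg1": 106, "arg2": 107 },
+    {"syscall": "sched_yield", "error": 24, "arg_cnt": 0 },
+    {"syscall": "mremap", "error": 25, "arg_cnt": 2, "arg1": 108, "arg2": 109 },
+    {"syscall": "msync", "error": 26, "arg_cnt": 0 },
+    {"syscall": "mincore", "error": 27, "arg_cnt": 0 },
+    {"syscall": "madvise", "error": 28, "arg_cnt": 0 },
+    {"syscall": "dup", "error": 32, "arg_cnt": 1, "arg1": 112 },
+    {"syscall": "dup2", "error": 33, "arg_cnt": 0 },
+    {"syscall": "pause", "error": 34, "arg_cnt": 0 },
+    {"syscall": "nanosleep", "error": 35, "arg_cnt": 0 },
+    {"syscall": "getitimer", "error": 36, "arg_cnt": 0 },
+    {"syscall": "alarm", "error": 37, "arg_cnt": 0 },
+]
+
+def test(args):
+    f = SyscallFilter(ALLOW)
+
+    f.remove_arch(Arch())
+    f.add_arch(Arch("aarch64"))
+    f.add_arch(Arch("ppc64le"))
+    f.add_arch(Arch("x86_64"))
+
+    for entry in table:
+        if entry["arg_cnt"] == 2:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+                       Arg(0, EQ, entry["arg1"]),
+                       Arg(1, EQ, entry["arg2"]))
+        elif entry["arg_cnt"] == 1:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+                       Arg(0, EQ, entry["arg1"]))
+        else:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"])
+
+    return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;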
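Review bot: `argparse` and `sys` (lines 24-25) are imported but never referenced in this file, and the `args` parameter of `test()` (line 69) is unused, since the filter is built only from the module-level `table`. Dropping the two unused imports keeps the script's dependencies to `util` and `seccomp`; if `args` is kept for symmetry with the other test scripts, a one-line comment such as `# args is unused; kept for a uniform test() signature` would make that intent explicit.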
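--- a/data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests
+++ b/data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests
@@ -0,0 +1,65 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019-2020 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 read N N N N N N ERRNO(0)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 write N N N N N N ERRNO(1)
+53-sim-binary_tree +x86_64,+ppc64le open N N N N N N ERRNO(2)
+53-sim-binary_tree +aarch64 open N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 1234 N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 101 N N N N ERRNO(3)
+53-sim-binary_tree +x86_64,+ppc64le stat N N N N N N ERRNO(4)
+53-sim-binary_tree +aarch64 stat N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 fstat N N N N N N ERRNO(5)
+53-sim-binary_tree +x86_64,+ppc64le lstat N N N N N N ERRNO(6)
+53-sim-binary_tree +aarch64 lstat N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le poll 102 N N N N N ERRNO(7)
+53-sim-binary_tree +aarch64 poll 102 N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 lseek 103 104 N N N N ERRNO(8)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mmap N N N N N N ERRNO(9)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mprotect N N N N N N ERRNO(10)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 munmap N N N N N N ERRNO(11)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 brk N N N N N N ERRNO(12)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigaction N N N N N N ERRNO(13)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigprocmask N N N N N N ERRNO(14)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigreturn N N N N N N ERRNO(15)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 ioctl N N N N N N ERRNO(16)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pread64 105 N N N N N ERRNO(17)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pwrite64 N N N N N N ERRNO(18)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 readv N N N N N N ERRNO(19)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 writev N N N N N N ERRNO(20)
+53-sim-binary_tree +x86_64,+ppc64le access N N N N N N ERRNO(21)
+53-sim-binary_tree +aarch64 access N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le pipe N N N N N N ERRNO(22)
+53-sim-binary_tree +aarch64 pipe N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 select N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le select 106 107 N N N N ERRNO(23)
+53-sim-binary_tree +aarch64 select 106 107 N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 sched_yield N N N N N N ERRNO(24)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap 108 109 N N N N ERRNO(25)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 msync N N N N N N ERRNO(26)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mincore N N N N N N ERRNO(27)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 madvise N N N N N N ERRNO(28)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 112 N N N N N ERRNO(32)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 5678 N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le dup2 N N N N N N ERRNO(33)
+53-sim-binary_tree +aarch64 dup2 N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le pause N N N N N N ERRNO(34)
+53-sim-binary_tree +aarch64 pause N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 nanosleep N N N N N N ERRNO(35)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 getitimer N N N N N N ERRNO(36)
+53-sim-binary_tree +x86_64,+ppc64le alarm N N N N N N ERRNO(37)
+53-sim-binary_tree +aarch64 alarm N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+53-sim-binary_tree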
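--- a/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c
+++ b/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c
@@ -0,0 +1,128 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+/* arbitrary list of syscalls to force seccomp to generate a binary tree */
+static const int denylist[] = {
+	SCMP_SYS(times),
+	SCMP_SYS(ptrace),
+	SCMP_SYS(getuid),
+	SCMP_SYS(syslog),
+	SCMP_SYS(getgid),
+	SCMP_SYS(setuid),
+	SCMP_SYS(setgid),
+	SCMP_SYS(geteuid),
+	SCMP_SYS(getegid),
+	SCMP_SYS(setpgid),
+	SCMP_SYS(getppid),
+	SCMP_SYS(getpgrp),
+	SCMP_SYS(setsid),
+	SCMP_SYS(setreuid),
+	SCMP_SYS(setregid),
+	SCMP_SYS(getgroups),
+	SCMP_SYS(setgroups),
+	SCMP_SYS(setresuid),
+	SCMP_SYS(getresuid),
+	SCMP_SYS(setresgid),
+	SCMP_SYS(getresgid),
+	SCMP_SYS(getpgid),
+	SCMP_SYS(setfsuid),
+	SCMP_SYS(setfsgid),
+};
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	int fd;
+	int i;
+	scmp_filter_ctx ctx = NULL;
+	const char buf[] = "testing";
+	ssize_t buf_len = strlen(buf);
+
+	rc = util_action_parse(argv[1]);
+	if (rc != SCMP_ACT_ALLOW) {
+		rc = 1;
+		goto out;
+	}
+
+	rc = util_trap_install();
+	if (rc != 0)
+		goto out;
+
+	fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+	if (fd < 0) {
+		rc = errno;
+		goto out;
+	}
+
+	ctx = seccomp_init(SCMP_ACT_TRAP);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+			      SCMP_A0(SCMP_CMP_EQ, fd));
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+	if (rc != 0)
+		goto out;
+
+	for (i = 0; i < (sizeof(denylist) / sizeof(denylist[0])); i++) {
+		rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, denylist[i], 0);
+		if (rc != 0)
+			goto out;
+	}
+
+	rc = seccomp_load(ctx);
+	if (rc != 0)
+		goto out;
+
+	if (write(fd, buf, buf_len) < buf_len) {
+		rc = errno;
+		goto out;
+	}
+	if (close(fd) < 0) {
+		rc = errno;
+		goto out;
+	}
+
+	rc = 160;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}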
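Review bot: The `return ENOMEM;` after the `seccomp_init()` check (line 88) is the only error exit in `main()` that bypasses the `out:` label, so it leaves the `/dev/null` descriptor opened on line 80 unclosed and breaks the goto-cleanup pattern every other failure path follows; `rc = ENOMEM; goto out;` keeps it consistent, and with `ctx` still `NULL` the `seccomp_release(ctx)` at the label appears to be a no-op. The other error paths (lines 92-112) also leave `fd` open, which only matters because the process exits immediately; a `close(fd)` before `seccomp_release()` under `out:` guarded by `fd >= 0` would tidy that. Separately, the loop on line 104 compares the `int` index `i` with a `size_t` bound, which `-Wextra` flags as a sign-compare warning; declaring `size_t i;` avoids it.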
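--- a/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py
+++ b/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+denylist = [
+    "times",
+    "ptrace",
+    "getuid",
+    "syslog",
+    "getgid",
+    "setuid",
+    "setgid",
+    "geteuid",
+    "getegid",
+    "setpgid",
+    "getppid",
+    "getpgrp",
+    "setsid",
+    "setreuid",
+    "setregid",
+    "getgroups",
+    "setgroups",
+    "setresuid",
+    "getresuid",
+    "setresgid",
+    "getresgid",
+    "getpgid",
+    "setfsuid",
+    "setfsgid",
+]
+
+def test():
+    action = util.parse_action(sys.argv[1])
+    if not action == ALLOW:
+        quit(1)
+    util.install_trap()
+    f = SyscallFilter(TRAP)
+    f.set_attr(Attr.CTL_TSYNC, 1)
+    # NOTE: additional syscalls required for python
+    f.add_rule(ALLOW, "stat")
+    f.add_rule(ALLOW, "fstat")
+    f.add_rule(ALLOW, "open")
+    f.add_rule(ALLOW, "openat")
+    f.add_rule(ALLOW, "mmap")
+    f.add_rule(ALLOW, "munmap")
+    f.add_rule(ALLOW, "read")
+    f.add_rule(ALLOW, "write")
+    f.add_rule(ALLOW, "close")
+    f.add_rule(ALLOW, "rt_sigaction")
+    f.add_rule(ALLOW, "rt_sigreturn")
+    f.add_rule(ALLOW, "sigreturn")
+    f.add_rule(ALLOW, "sigaltstack")
+    f.add_rule(ALLOW, "brk")
+    f.add_rule(ALLOW, "exit_group")
+
+    for syscall in denylist:
+        f.add_rule(KILL, syscall)
+
+    f.load()
+    try:
+        util.write_file("/dev/null")
+    except OSError as ex:
+        quit(ex.errno)
+    quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;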
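Review bot: `quit()` (lines 61, 89 and 90) is a convenience name injected by the `site` module and is absent when the interpreter runs with `-S`, while `sys` is already imported on line 25; `sys.exit(1)`, `sys.exit(ex.errno)` and `sys.exit(160)` produce the same exit statuses without that dependency. The test on line 60 also reads more directly as `if action != ALLOW:`. The `argparse` import on line 24 is unused in this file.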
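--- a/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests
+++ b/data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname API Result
+54-live-binary_tree 1 ALLOW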
@@ -0,0 +1,134 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Seccomp Library test program
|
|
3
|
+
*
|
|
4
|
+
* Copyright (c) 2018-2020 Oracle and/or its affiliates.
|
|
5
|
+
* Author: Tom Hromatka <tom.hromatka@oracle.com>
|
|
6
|
+
*/
|
|
7
|
+
|
|
8
|
+
/*
|
|
9
|
+
* This library is free software; you can redistribute it and/or modify it
|
|
10
|
+
* under the terms of version 2.1 of the GNU Lesser General Public License as
|
|
11
|
+
* published by the Free Software Foundation.
|
|
12
|
+
*
|
|
13
|
+
* This library is distributed in the hope that it will be useful, but WITHOUT
|
|
14
|
+
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
15
|
+
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
|
16
|
+
* for more details.
|
|
17
|
+
*
|
|
18
|
+
* You should have received a copy of the GNU Lesser General Public License
|
|
19
|
+
* along with this library; if not, see <http://www.gnu.org/licenses>.
|
|
20
|
+
*/
|
|
21
|
+
|
|
22
|
+
#include <errno.h>
|
|
23
|
+
#include <fcntl.h>
|
|
24
|
+
#include <unistd.h>
|
|
25
|
+
#include <sys/types.h>
|
|
26
|
+
#include <sys/stat.h>
|
|
27
|
+
|
|
28
|
+
#include <seccomp.h>
|
|
29
|
+
|
|
30
|
+
#include "util.h"
|
|
31
|
+
|
|
32
|
+
#define ARG_COUNT_MAX 2
|
|
33
|
+
|
|
34
|
+
struct syscall_errno {
|
|
35
|
+
int syscall;
|
|
36
|
+
int error;
|
|
37
|
+
int arg_cnt;
|
|
38
|
+
/* To make the test more interesting, arguments are added to several
|
|
39
|
+
* syscalls. To keep the test simple, the arguments always use
|
|
40
|
+
* SCMP_CMP_EQ.
|
|
41
|
+
*/
|
|
42
|
+
int args[ARG_COUNT_MAX];
|
|
43
|
+
};
|
|
44
|
+
|
|
45
|
+
struct syscall_errno table[] = {
|
|
46
|
+
{ SCMP_SYS(read), 0, 2, { 100, 101 } },
|
|
47
|
+
{ SCMP_SYS(write), 1, 1, { 102, 0 } },
|
|
48
|
+
{ SCMP_SYS(open), 2, 0, { 0, 0 } },
|
|
49
|
+
{ SCMP_SYS(close), 3, 0, { 0, 0 } },
|
|
50
|
+
{ SCMP_SYS(stat), 4, 0, { 0, 0 } },
|
|
51
|
+
{ SCMP_SYS(fstat), 5, 1, { 103, 0 } },
|
|
52
|
+
{ SCMP_SYS(lstat), 6, 0, { 0, 0 } },
|
|
53
|
+
{ SCMP_SYS(poll), 7, 0, { 0, 0 } },
|
|
54
|
+
{ SCMP_SYS(lseek), 8, 1, { 104, 0 } },
|
|
55
|
+
{ SCMP_SYS(mmap), 9, 0, { 0, 0 } },
|
|
56
|
+
{ SCMP_SYS(mprotect), 10, 1, { 105, 0 } },
|
|
57
|
+
{ SCMP_SYS(munmap), 11, 0, { 0, 0 } },
|
|
58
|
+
{ SCMP_SYS(brk), 12, 0, { 0, 0 } },
|
|
59
|
+
{ SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } },
|
|
60
|
+
{ SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } },
|
|
61
|
+
{ SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } },
|
|
62
|
+
{ SCMP_SYS(ioctl), 16, 0, { 0, 0 } },
|
|
63
|
+
{ SCMP_SYS(pread64), 17, 1, { 106, 0 } },
|
|
64
|
+
{ SCMP_SYS(pwrite64), 18, 2, { 107, 108 } },
|
|
65
|
+
};
|
|
66
|
+
|
|
67
|
+
const int table_size = sizeof(table) / sizeof(table[0]);
|
|
68
|
+
|
|
69
|
+
int main(int argc, char *argv[])
|
|
70
|
+
{
|
|
71
|
+
int rc, fd, i;
|
|
72
|
+
scmp_filter_ctx ctx = NULL;
|
|
73
|
+
|
|
74
|
+
/* stdout */
|
|
75
|
+
fd = 1;
|
|
76
|
+
|
|
77
|
+
ctx = seccomp_init(SCMP_ACT_ALLOW);
|
|
78
|
+
if (ctx == NULL) {
|
|
79
|
+
rc = ENOMEM;
|
|
80
|
+
goto out;
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
|
|
84
|
+
if (rc < 0)
|
|
85
|
+
goto out;
|
|
86
|
+
rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
|
|
87
|
+
if (rc < 0)
|
|
88
|
+
goto out;
|
|
89
|
+
rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
|
|
90
|
+
if (rc < 0)
|
|
91
|
+
goto out;
|
|
92
|
+
rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
|
93
|
+
if (rc < 0)
|
|
94
|
+
goto out;
|
|
95
|
+
|
|
96
|
+
for (i = 0; i < table_size; i++) {
|
|
97
|
+
switch (table[i].arg_cnt) {
|
|
98
|
+
case 2:
|
|
99
|
+
rc = seccomp_rule_add(ctx,
|
|
100
|
+
SCMP_ACT_ERRNO(table[i].error),
|
|
101
|
+
table[i].syscall, 2,
|
|
102
|
+
SCMP_A0(SCMP_CMP_EQ,
|
|
103
|
+
table[i].args[0]),
|
|
104
|
+
SCMP_A1(SCMP_CMP_EQ,
|
|
105
|
+
table[i].args[1]));
|
|
106
|
+
break;
|
|
107
|
+
case 1:
|
|
108
|
+
rc = seccomp_rule_add(ctx,
|
|
109
|
+
SCMP_ACT_ERRNO(table[i].error),
|
|
110
|
+
table[i].syscall, 1,
|
|
111
|
+
SCMP_A0(SCMP_CMP_EQ,
|
|
112
|
+
table[i].args[0]));
|
|
113
|
+
break;
|
|
114
|
+
case 0:
|
|
115
|
+
default:
|
|
116
|
+
rc = seccomp_rule_add(ctx,
|
|
117
|
+
SCMP_ACT_ERRNO(table[i].error),
|
|
118
|
+
table[i].syscall, 0);
|
|
119
|
+
break;
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
if (rc < 0)
|
|
123
|
+
goto out;
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
rc = seccomp_export_pfc(ctx, fd);
|
|
127
|
+
if (rc < 0)
|
|
128
|
+
goto out;
|
|
129
|
+
|
|
130
|
+
out:
|
|
131
|
+
seccomp_release(ctx);
|
|
132
|
+
close(fd);
|
|
133
|
+
return (rc < 0 ? -rc : rc);
|
|
134
|
+
}
|
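Review bot: The first `table` entry, `{ SCMP_SYS(read), 0, 2, { 100, 101 } }`, is fed to `SCMP_ACT_ERRNO(table[i].error)` in the loop, so it installs `SCMP_ACT_ERRNO(0)`; as far as I know the kernel then returns 0 without executing the syscall, which is a short-circuit rather than an allow, and the table gives no hint that the zero is deliberate. A one-line comment on that entry would save the next reader from treating "error 0" as a pass-through, e.g. `/* ERRNO(0): syscall is skipped and returns 0, not allowed */`. Separately, `table` and `table_size` are file-scope and non-static although only `main` uses them, and `argc`/`argv` are never read; `static const struct syscall_errno table[]`, `static const size_t table_size`, and `int main(void)` would match the rest of the file's intent without changing behaviour.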