script_core 0.2.6 → 0.2.7

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_export_bpf.3

@@ -1,4 +1,4 @@
-.TH "seccomp_export_bpf" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_export_bpf" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -45,7 +45,25 @@ ordering, are not guaranteed to be the same in both the BPF and PFC formats.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
-Returns zero on success, negative errno values on failure.
+Return zero on success or one of the following error codes on
+failure:
+.TP
+.B -ECANCELED
+There was a system failure beyond the control of the library.
+.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
+.P
+If the \fISCMP_FLTATR_API_SYSRAWRC\fP filter attribute is non-zero then
+additional error codes may be returned to the caller; these additional error
+codes are the negative \fIerrno\fP values returned by the system.  Unfortunately
+libseccomp can make no guarantees about these return values.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_init.3

@@ -1,4 +1,4 @@
-.TH "seccomp_init" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_init" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -98,7 +98,14 @@ The
 .BR seccomp_init ()
 function returns a filter context on success, NULL on failure.  The
 .BR seccomp_reset ()
-function returns zero on success, negative errno values on failure.
+function returns zero on success or one of the following error codes on
+failure:
+.TP
+.B -EINVAL
+Invalid input, either the context or action is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_load.3

@@ -1,4 +1,4 @@
-.TH "seccomp_load" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_load" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -23,10 +23,40 @@ Loads the seccomp filter provided by
 .I ctx
 into the kernel; if the function
 succeeds the new seccomp filter will be active when the function returns.
+.P
+As it is possible to have multiple stacked seccomp filters for a given task
+(defined as either a process or a thread), it is important to remember that
+each of the filters loaded for a given task are executed when a syscall is
+made and the "strictest" rule is the rule that is applied.  In the case of
+seccomp, "strictest" is defined as the action with the lowest value (e.g.
+.I SCMP_ACT_KILL
+is "stricter" than
+.I SCMP_ACT_ALLOW
+).
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
-Returns zero on success, negative errno values on failure.
+Returns zero on success or one of the following error codes on failure:
+.TP
+.B -ECANCELED
+There was a system failure beyond the control of the library.
+.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
+.TP
+.B -ESRCH
+Unable to load the filter due to thread issues.
+.P
+If the \fISCMP_FLTATR_API_SYSRAWRC\fP filter attribute is non-zero then
+additional error codes may be returned to the caller; these additional error
+codes are the negative \fIerrno\fP values returned by the system.  Unfortunately
+libseccomp can make no guarantees about these return values.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_merge.3

@@ -1,4 +1,4 @@
-.TH "seccomp_merge" 3 "28 September 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_merge" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -41,7 +41,21 @@ attribute values and no overlapping architectures.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
-Returns zero on success and negative values on failure.
+Returns zero on success or one of the following error codes on
+failure:
+.TP
+.B -EDOM
+Unable to merge the filters due to architecture issues, e.g. byte endian
+mismatches.
+.TP
+.B -EEXIST
+The architecture already exists in the filter.
+.TP
+.B -EINVAL
+One of the filters is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_alloc.3

@@ -0,0 +1,113 @@
+.TH "seccomp_notify_alloc" 3 "30 May 2020" "tycho@tycho.ws" "libseccomp Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_notify_alloc, seccomp_notify_free, seccomp_notify_receive,
+seccomp_notify_respond, seccomp_notify_id_valid, seccomp_notify_fd \- Manage seccomp notifications
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.BI "int seccomp_notify_alloc(struct seccomp_notif **" req ", struct seccomp_notif_resp **" resp ")"
+.BI "void seccomp_notify_free(struct seccomp_notif *" req ", struct seccomp_notif_resp *" resp ")"
+.BI "int seccomp_notify_receive(int " fd ", struct seccomp_notif *" req ")"
+.BI "int seccomp_notify_respond(int " fd ", struct seccomp_notif_resp *" resp ")"
+.BI "int seccomp_notify_id_valid(int " fd ", uint64_t " id ")"
+.BI "int seccomp_notify_fd(const scmp_filter_ctx " ctx ")"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_notify_alloc ()
+function dynamically allocates enough memory for a seccomp notification and
+response. Note that one should always use these functions and not depend on the
+structure sizes in headers, since the size can vary depending on the kernel
+version. This function takes care to ask the kernel how big each structure
+should be, and allocates the right amount of memory. The
+.BR seccomp_notify_free ()
+function frees memory allocated by
+.BR seccomp_notify_alloc ().
+.P
+The
+.BR seccomp_notify_receive ()
+function receives a notification from a seccomp notify fd (obtained from
+.BR seccomp_notify_fd ()).
+.P
+The
+.BR seccomp_notify_respond ()
+function sends a response to a particular notification. The id field should be
+the same as the id from the request, so that the kernel knows which request
+this response corresponds to.
+.P
+The
+.BR seccomp_notify_id_valid ()
+function checks to see if the syscall from a particular notification request is
+still valid, i.e. if the task is still alive. See NOTES below for details on
+race conditions.
+.P
+The
+.BR seccomp_notify_fd ()
+returns the notification fd of a filter after it has been loaded.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+The
+.BR seccomp_notify_fd ()
+returns the notification fd of the loaded filter.
+.P
+The
+.BR seccomp_notify_id_valid ()
+returns 0 if the id is valid, and -ENOENT if it is not.
+.P
+The
+.BR seccomp_notify_alloc (),
+.BR seccomp_notify_receive (),
+and
+.BR seccomp_notify_respond ()
+functions return zero on success,  or one of the following error codes on
+failure:
+.TP
+.B -ECANCELED
+There was a system failure beyond the control of the library, check the
+\fIerrno\fP value for more information.
+.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
+.TP
+.B -EOPNOTSUPP
+The library doesn't support the particular operation.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+Care should be taken to avoid two different time of check/time of use errors.
+First, after opening any resources relevant to the pid for a notification (e.g.
+/proc/pid/mem for reading tracee memory to make policy decisions), applications
+should call
+.BR seccomp_notify_id_valid ()
+to make sure that the resources the application has opened correspond to the
+right pid, i.e. that the pid didn't die and a different task take its place.
+.P
+Second, the classic time of check/time of use issue with seccomp memory should
+also be avoided: applications should copy any memory they wish to use to make
+decisions from the tracee into its own address space before applying any policy
+decisions, since a multi-threaded tracee may edit the memory at any time,
+including after it's used to make a policy decision.
+.P
+A complete example of how to avoid these two races is available in the Linux
+Kernel source tree at
+.BR /samples/seccomp/user-trap.c.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Tycho Andersen <tycho@tycho.ws>
+.\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_fd.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_free.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_id_valid.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_receive.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_notify_respond.3

@@ -0,0 +1 @@
+.so man3/seccomp_notify_alloc.3

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_rule_add.3

@@ -1,4 +1,4 @@
-.TH "seccomp_rule_add" 3 "17 February 2019" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_rule_add" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -87,6 +87,17 @@ do guarantee the same behavior regardless of the architecture.
 The newly added filter rule does not take effect until the entire filter is
 loaded into the kernel using
 .BR seccomp_load (3).
+When adding rules to a filter, it is important to consider the impact of
+previously loaded filters; see the
+.BR seccomp_load (3)
+documentation for more information.
+.P
+All of the filter rules supplied by the calling application are combined into
+a union, with additional logic to eliminate redundant syscall filters.  For
+example, if a rule is added which allows a given syscall with a specific set of
+argument values and later a rule is added which allows the same syscall
+regardless the argument values then the first, more specific rule, is
+effectively dropped from the filter by the second more generic rule.
 .P
 The
 .BR SCMP_CMP (),
@@ -120,6 +131,18 @@ macros and use the variants which are explicitly 32 or 64-bit.  This should
 help eliminate problems caused by an unwanted sign extension of negative datum
 values.
 .P
+If syscall argument comparisons are included in the filter rule, all of the
+comparisons must be true for the rule to match.
+.P
+When adding syscall argument comparisons to the filter it is important to
+remember that while it is possible to have multiple comparisons in a single
+rule, you can only compare each argument once in a single rule.  In other words,
+you can not have multiple comparisons of the 3rd syscall argument in a single
+rule.
+.P
+In a filter containing multiple architectures, it is an error to add a filter
+rule for a syscall that does not exist in all of the filter's architectures.
+.P
 While it is possible to specify the
 .I syscall
 value directly using the standard
@@ -127,7 +150,10 @@ value directly using the standard
 values, in order to ensure proper operation across multiple architectures it
 is highly recommended to use the
 .BR SCMP_SYS ()
-macro instead.  See the EXAMPLES section below.
+macro instead.  See the EXAMPLES section below.  It is also important to
+remember that regardless of the architectures present in the filter, the
+syscall numbers used in filter rules are interpreted in the context of the
+native architecture.
 .P
 Starting with Linux v4.8, there may be a need to create a rule with a syscall
 value of -1 to allow tracing programs to skip a syscall invocation; in order
@@ -259,12 +285,47 @@ SCMP_CMP(
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
 The
+.BR SCMP_SYS ()
+macro returns a value suitable for use as the
+.I syscall
+value in the
+.BR seccomp_rule_add* ()
+functions.  In a similar manner, the
+.BR SCMP_CMP ()
+and
+.BR SCMP_A* ()
+macros return values suitable for use as argument comparisons in the
+.BR seccomp_rule_add ()
+and
+.BR seccomp_rule_add_exact ()
+functions.
+.P
+The
 .BR seccomp_rule_add (),
 .BR seccomp_rule_add_array (),
 .BR seccomp_rule_add_exact (),
 and
 .BR seccomp_rule_add_exact_array ()
-functions return zero on success, negative errno values on failure.
+functions return zero on success or one of the following error codes on
+failure:
+.TP
+.B -EDOM
+Architecture specific failure.
+.TP
+.B -EEXIST
+The rule already exists.
+.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
+.TP
+.B -EOPNOTSUPP
+The library doesn't support the particular operation.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/doc/man/man3/seccomp_syscall_priority.3

@@ -1,4 +1,4 @@
-.TH "seccomp_syscall_priority" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -53,13 +53,28 @@ is the value returned by the call to
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
 The
-.BR seccomp_syscall_priority ()
-function returns zero on success, negative errno values on failure.  The
 .BR SCMP_SYS ()
 macro returns a value suitable for use as the
 .I syscall
 value in
 .BR seccomp_syscall_priority ().
+.P
+The
+.BR seccomp_syscall_priority ()
+function returns zero on success or one of the following error codes on
+failure:
+.TP
+.B -EDOM
+Architecture specific failure.
+.TP
+.B -EFAULT
+Internal libseccomp failure.
+.TP
+.B -EINVAL
+Invalid input, either the context or architecture token is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH EXAMPLES
 .\" //////////////////////////////////////////////////////////////////////////

data/ext/enterprise_script_service/libseccomp/include/seccomp-syscalls.h

@@ -273,6 +273,8 @@
 #define __PNR_timerfd_settime64			-10239
 #define __PNR_utimensat_time64			-10240
 #define __PNR_ppoll				-10241
+#define __PNR_renameat				-10242
+#define __PNR_riscv_flush_icache		-10243
 
 /*
  * libseccomp syscall definitions
@@ -1494,7 +1496,11 @@
 #define __SNR_rename			__PNR_rename
 #endif
 
+#ifdef __NR_renameat
 #define __SNR_renameat			__NR_renameat
+#else
+#define __SNR_renameat			__PNR_renameat
+#endif
 
 #define __SNR_renameat2			__NR_renameat2
 
@@ -1502,6 +1508,12 @@
 
 #define __SNR_restart_syscall		__NR_restart_syscall
 
+#ifdef __NR_riscv_flush_icache
+#define __SNR_riscv_flush_icache	__NR_riscv_flush_icache
+#else
+#define __SNR_riscv_flush_icache	__PNR_riscv_flush_icache
+#endif
+
 #ifdef __NR_rmdir
 #define __SNR_rmdir			__NR_rmdir
 #else

data/ext/enterprise_script_service/libseccomp/include/seccomp.h.in

@@ -27,6 +27,8 @@
 #include <inttypes.h>
 #include <asm/unistd.h>
 #include <linux/audit.h>
+#include <linux/types.h>
+#include <linux/seccomp.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -66,6 +68,15 @@ enum scmp_filter_attr {
 	SCMP_FLTATR_CTL_TSYNC = 4,	/**< sync threads on filter load */
 	SCMP_FLTATR_API_TSKIP = 5,	/**< allow rules with a -1 syscall */
 	SCMP_FLTATR_CTL_LOG = 6,	/**< log not-allowed actions */
+	SCMP_FLTATR_CTL_SSB = 7,	/**< disable SSB mitigation */
+	SCMP_FLTATR_CTL_OPTIMIZE = 8,	/**< filter optimization level:
+					 * 0 - currently unused
+					 * 1 - rules weighted by priority and
+					 *     complexity (DEFAULT)
+					 * 2 - binary tree sorted by syscall
+					 *     number
+					 */
+	SCMP_FLTATR_API_SYSRAWRC = 9,	/**< return the system return codes */
 	_SCMP_FLTATR_MAX,
 };
 
@@ -193,6 +204,18 @@ struct scmp_arg_cmp {
 #define SCMP_ARCH_PARISC	AUDIT_ARCH_PARISC
 #define SCMP_ARCH_PARISC64	AUDIT_ARCH_PARISC64
 
+/**
+ * The RISC-V architecture tokens
+ */
+/* RISC-V support for audit was merged in 5.0-rc1 */
+#ifndef AUDIT_ARCH_RISCV64
+#ifndef EM_RISCV
+#define EM_RISCV		243
+#endif /* EM_RISCV */
+#define AUDIT_ARCH_RISCV64	(EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_RISCV64 */
+#define SCMP_ARCH_RISCV64	AUDIT_ARCH_RISCV64
+
 /**
  * Convert a syscall name into the associated syscall number
  * @param x the syscall name
@@ -319,6 +342,10 @@ struct scmp_arg_cmp {
  * Throw a SIGSYS signal
  */
 #define SCMP_ACT_TRAP		0x00030000U
+/**
+ * Notifies userspace
+ */
+#define SCMP_ACT_NOTIFY	 	0x7fc00000U
 /**
  * Return the specified error code
  */
@@ -336,6 +363,25 @@ struct scmp_arg_cmp {
  */
 #define SCMP_ACT_ALLOW		0x7fff0000U
 
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF	0x7fc00000U
+
+struct seccomp_notif {
+	__u64 id;
+	__u32 pid;
+	__u32 flags;
+	struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+	__u64 id;
+	__s64 val;
+	__s32 error;
+	__u32 flags;
+};
+#endif
+
 /*
  * functions
  */
@@ -368,6 +414,9 @@ const struct scmp_version *seccomp_version(void);
  *  3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
  *      support for the SCMP_ACT_LOG action
  *      support for the SCMP_ACT_KILL_PROCESS action
+ *  4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute
+ *  5 : support for the SCMP_ACT_NOTIFY action and notify APIs
+ *  6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs
  *
  */
 unsigned int seccomp_api_get(void);
@@ -672,6 +721,73 @@ int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
 				 unsigned int arg_cnt,
 				 const struct scmp_arg_cmp *arg_array);
 
+/**
+ * Allocate a pair of notification request/response structures
+ * @param req the request location
+ * @param resp the response location
+ *
+ * This function allocates a pair of request/response structure by computing
+ * the correct sized based on the currently running kernel. It returns zero on
+ * success, and negative values on failure.
+ *
+ */
+int seccomp_notify_alloc(struct seccomp_notif **req,
+			 struct seccomp_notif_resp **resp);
+
+/**
+ * Free a pair of notification request/response structures.
+ * @param req the request location
+ * @param resp the response location
+ */
+void seccomp_notify_free(struct seccomp_notif *req,
+			 struct seccomp_notif_resp *resp);
+
+/**
+ * Receive a notification from a seccomp notification fd
+ * @param fd the notification fd
+ * @param req the request buffer to save into
+ *
+ * Blocks waiting for a notification on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_receive(int fd, struct seccomp_notif *req);
+
+/**
+ * Send a notification response to a seccomp notification fd
+ * @param fd the notification fd
+ * @param resp the response buffer to use
+ *
+ * Sends a notification response on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp);
+
+/**
+ * Check if a notification id is still valid
+ * @param fd the notification fd
+ * @param id the id to test
+ *
+ * Checks to see if a notification id is still valid. Returns 0 on success, and
+ * negative values on failure.
+ *
+ */
+int seccomp_notify_id_valid(int fd, uint64_t id);
+
+/**
+ * Return the notification fd from a filter that has already been loaded
+ * @param ctx the filter context
+ *
+ * This returns the listener fd that was generated when the seccomp policy was
+ * loaded. This is only valid after seccomp_load() with a filter that makes
+ * use of SCMP_ACT_NOTIFY.
+ *
+ */
+int seccomp_notify_fd(const scmp_filter_ctx ctx);
+
 /**
  * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
  * @param ctx the filter context