Hello community,

here is the log from the commit of package libseccomp for openSUSE:Factory 
checked in at 2021-06-02 22:10:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libseccomp (Old)
 and      /work/SRC/openSUSE:Factory/.libseccomp.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libseccomp"

Wed Jun  2 22:10:26 2021 rev:30 rq:895486 version:2.5.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/libseccomp/libseccomp.changes    2020-09-14 
12:03:18.755624926 +0200
+++ /work/SRC/openSUSE:Factory/.libseccomp.new.1898/libseccomp.changes  
2021-06-02 22:10:31.552127555 +0200
@@ -1,0 +2,11 @@
+Sat Nov 21 16:59:46 UTC 2020 - Dirk Mueller <[email protected]>
+
+- update to 2.5.1:
+ * Fix a bug where seccomp_load() could only be called once
+ * Change the notification fd handling to only request a notification fd if
+ * the filter has a _NOTIFY action
+ * Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
+ * Clarify the maintainers' GPG keys
+- remove testsuite-riscv64-missing-syscalls.patch 
+
+-------------------------------------------------------------------
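Review bot: the entry splits one upstream item across two bullets. The line ` * the filter has a _NOTIFY action` continues the line before it (the upstream CHANGELOG indents it without a marker), so it should be indented continuation text and not start with `*`. The `remove testsuite-riscv64-missing-syscalls.patch` line also gives no reason for dropping the patch and ends in trailing whitespace; state whether the fix is included in 2.5.1.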

Old:
----
  libseccomp-2.5.0.tar.gz
  libseccomp-2.5.0.tar.gz.asc
  testsuite-riscv64-missing-syscalls.patch

New:
----
  libseccomp-2.5.1.tar.gz
  libseccomp-2.5.1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libseccomp.spec ++++++
--- /var/tmp/diff_new_pack.Qe2VTA/_old  2021-06-02 22:10:33.428127402 +0200
+++ /var/tmp/diff_new_pack.Qe2VTA/_new  2021-06-02 22:10:33.428127402 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libseccomp
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define lname   libseccomp2
 Name:           libseccomp
-Version:        2.5.0
+Version:        2.5.1
 Release:        0
 Summary:        A Seccomp (mode 2) helper library
 License:        LGPL-2.1-only
@@ -28,7 +28,6 @@
 Source2:        
https://github.com/seccomp/libseccomp/releases/download/v%version/libseccomp-%version.tar.gz.asc
 Source3:        %name.keyring
 Source99:       baselibs.conf
-Patch:          testsuite-riscv64-missing-syscalls.patch
 BuildRequires:  autoconf
 BuildRequires:  automake >= 1.11
 BuildRequires:  fdupes
@@ -49,16 +48,6 @@
 The libseccomp library provides an interface to the Linux Kernel's
 syscall filtering mechanism, seccomp. The libseccomp API abstracts
 away the underlying BPF-based syscall filter language and presents a
-more conventional function-call based filtering interface.
-
-%package -n python-%name
-Summary:        Python bindings for Seccomp (mode 2)
-Group:          Development/Languages/Python
-
-%description -n python-%name
-The libseccomp library provides an interface to the Linux Kernel's
-syscall filtering mechanism, seccomp. The libseccomp API abstracts
-away the underlying BPF-based syscall filter language and presents a
 more conventional function-call based filtering interface.
 
 %package devel
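Review bot: the removal of the `%package -n python-%name` block and its `%description` in this hunk is not recorded in the `.changes` entry, which lists only the version update and the dropped patch. Add a changelog line for it so it is clear whether the Python bindings subpackage is intentionally gone or built elsewhere.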

++++++ libseccomp-2.5.0.tar.gz -> libseccomp-2.5.1.tar.gz ++++++
++++ 4265 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/CHANGELOG new/libseccomp-2.5.1/CHANGELOG
--- old/libseccomp-2.5.0/CHANGELOG      2020-07-20 20:11:29.655957185 +0200
+++ new/libseccomp-2.5.1/CHANGELOG      2020-11-17 00:31:58.811574715 +0100
@@ -2,6 +2,13 @@
 ===============================================================================
 https://github.com/seccomp/libseccomp
 
+* Version 2.5.1 - November 20, 2020
+- Fix a bug where seccomp_load() could only be called once
+- Change the notification fd handling to only request a notification fd if
+  the filter has a _NOTIFY action
+- Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
+- Clarify the maintainers' GPG keys
+
 * Version 2.5.0 - July 20, 2020
 - Add support for the seccomp user notifications, see the
   seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/CREDITS new/libseccomp-2.5.1/CREDITS
--- old/libseccomp-2.5.0/CREDITS        2020-07-15 23:10:25.945498969 +0200
+++ new/libseccomp-2.5.1/CREDITS        2020-11-16 23:51:08.133273022 +0100
@@ -40,11 +40,14 @@
 Markos Chandras <[email protected]>
 Mathias Krause <[email protected]>
 Michael Forney <[email protected]>
+Michael Karcher <[email protected]>
 Mike Frysinger <[email protected]>
 Mike Strosaker <[email protected]>
 Miroslav Lichvar <[email protected]>
 Paul Moore <[email protected]>
+Rodrigo Campos <[email protected]>
 Rolf Eike Beer <[email protected]>
+Samanta Navarro <[email protected]>
 Serge Hallyn <[email protected]>
 St??phane Graber <[email protected]>
 Stephen Coleman <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/README.md new/libseccomp-2.5.1/README.md
--- old/libseccomp-2.5.0/README.md      2020-06-27 23:19:46.869035254 +0200
+++ new/libseccomp-2.5.1/README.md      2020-11-16 23:04:38.777027338 +0100
@@ -74,8 +74,8 @@
 
        # gpg --verify file.asc file
 
-At present, only the following keys are authorized to sign official libseccomp
-releases:
+At present, only the following keys, specified via the fingerprints below, are
+authorized to sign official libseccomp releases:
 
        Paul Moore <[email protected]>
        7100 AADF AE6E 6E94 0D2E  0AD6 55E4 5A5A E8CA 7C8A
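Review bot: with the reworded sentence the fingerprints are the authoritative identifiers of the release signers, so the packaged `Source3: %name.keyring` should be checked to contain exactly the two keys listed here and nothing else. A keyring carrying additional keys would let `libseccomp-%version.tar.gz.asc` verify against a signer that upstream does not authorize.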
@@ -83,6 +83,8 @@
        Tom Hromatka <[email protected]>
        47A6 8FCE 37C7 D702 4FD6  5E11 356C E62C 2B52 4099
 
+More information on GnuPG can be found at their website, https://gnupg.org.
+
 ## Building and Installing the Library
 
 If you are building the libseccomp library from an official release tarball,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/build-aux/ar-lib new/libseccomp-2.5.1/build-aux/ar-lib
--- old/libseccomp-2.5.0/build-aux/ar-lib       2020-07-20 20:16:16.547106232 
+0200
+++ new/libseccomp-2.5.1/build-aux/ar-lib       2020-11-17 00:47:44.758797059 
+0100
@@ -2,9 +2,9 @@
 # Wrapper for Microsoft lib.exe
 
 me=ar-lib
-scriptversion=2019-07-04.01; # UTC
+scriptversion=2012-03-01.08; # UTC
 
-# Copyright (C) 2010-2020 Free Software Foundation, Inc.
+# Copyright (C) 2010-2018 Free Software Foundation, Inc.
 # Written by Peter Rosin <[email protected]>.
 #
 # This program is free software; you can redistribute it and/or modify
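Review bot: `scriptversion` goes backwards in this hunk, from 2019-07-04.01 to 2012-03-01.08, and the copyright range shrinks from 2020 to 2018, which indicates the 2.5.1 tarball was generated with older autotools than 2.5.0. It does not affect the library, but the downgrade of the generated helpers is not mentioned in the release notes; regenerating the build-aux files at package build time would keep the shipped copies from mattering.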
@@ -53,7 +53,7 @@
          MINGW*)
            file_conv=mingw
            ;;
-         CYGWIN* | MSYS*)
+         CYGWIN*)
            file_conv=cygwin
            ;;
          *)
@@ -65,7 +65,7 @@
        mingw)
          file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
          ;;
-       cygwin | msys)
+       cygwin)
          file=`cygpath -m "$file" || echo "$file"`
          ;;
        wine)
@@ -224,11 +224,10 @@
       esac
     done
   else
-    $AR -NOLOGO -LIST "$archive" | tr -d '\r' | sed -e 's/\\/\\\\/g' \
-      | while read member
-        do
-          $AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $?
-        done
+    $AR -NOLOGO -LIST "$archive" | sed -e 's/\\/\\\\/g' | while read member
+    do
+      $AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $?
+    done
   fi
 
 elif test -n "$quick$replace"; then
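Review bot: the new pipeline drops `tr -d '\r'` between `-LIST` and the `while read member` loop, so when the archiver emits CRLF line endings each member name keeps a trailing carriage return and is passed that way to `-EXTRACT:"$member"`. This comes with the older ar-lib script and only touches the Microsoft lib.exe wrapper path, which libseccomp does not use, but it is a behaviour regression relative to 2.5.0 and should be treated as a side effect of the toolchain downgrade, not an intended change.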
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/build-aux/compile new/libseccomp-2.5.1/build-aux/compile
--- old/libseccomp-2.5.0/build-aux/compile      2020-07-20 20:16:16.547106232 
+0200
+++ new/libseccomp-2.5.1/build-aux/compile      2020-11-17 00:47:44.759797067 
+0100
@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 # Written by Tom Tromey <[email protected]>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -53,7 +53,7 @@
          MINGW*)
            file_conv=mingw
            ;;
-         CYGWIN* | MSYS*)
+         CYGWIN*)
            file_conv=cygwin
            ;;
          *)
@@ -67,7 +67,7 @@
        mingw/*)
          file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
          ;;
-       cygwin/* | msys/*)
+       cygwin/*)
          file=`cygpath -m "$file" || echo "$file"`
          ;;
        wine/*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/build-aux/missing new/libseccomp-2.5.1/build-aux/missing
--- old/libseccomp-2.5.0/build-aux/missing      2020-07-20 20:16:16.550439580 
+0200
+++ new/libseccomp-2.5.1/build-aux/missing      2020-11-17 00:47:44.763797102 
+0100
@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <[email protected]>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/configure.ac new/libseccomp-2.5.1/configure.ac
--- old/libseccomp-2.5.0/configure.ac   2020-07-20 20:13:58.853216246 +0200
+++ new/libseccomp-2.5.1/configure.ac   2020-11-17 00:33:43.291482888 +0100
@@ -19,7 +19,7 @@
 dnl ####
 dnl libseccomp defines
 dnl ####
-AC_INIT([libseccomp], [2.5.0])
+AC_INIT([libseccomp], [2.5.1])
 
 dnl ####
 dnl autoconf configuration
@@ -65,9 +65,11 @@
 
 dnl ####
 dnl build flags
+dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
+dnl       for us which wreaks havoc on the build
 dnl ####
 AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
-AM_CFLAGS="-Wall"
+AM_CFLAGS="-Wall -Umips"
 AM_LDFLAGS="-Wl,-z -Wl,relro"
 AC_SUBST([AM_CPPFLAGS])
 AC_SUBST([AM_CFLAGS])
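Review bot: `-Umips` is added to `AM_CFLAGS` unconditionally, so every architecture now builds with it, and the NOTE comment says only that the predefined macro "wreaks havoc" without naming the identifier it collides with. Either restrict the flag to MIPS hosts or extend the comment to say which source symbol is affected, so a later cleanup does not remove it by mistake.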
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/doc/man/man3/seccomp_api_get.3 
new/libseccomp-2.5.1/doc/man/man3/seccomp_api_get.3
--- old/libseccomp-2.5.0/doc/man/man3/seccomp_api_get.3 2020-06-30 
03:47:49.223363531 +0200
+++ new/libseccomp-2.5.1/doc/man/man3/seccomp_api_get.3 2020-11-16 
23:04:38.777027338 +0100
@@ -1,4 +1,4 @@
-.TH "seccomp_api_get" 3 "13 June 2020" "[email protected]" "libseccomp 
Documentation"
+.TH "seccomp_api_get" 3 "6 November 2020" "[email protected]" "libseccomp 
Documentation"
 .\" //////////////////////////////////////////////////////////////////////////
 .SH NAME
 .\" //////////////////////////////////////////////////////////////////////////
@@ -58,7 +58,7 @@
 .B 5
 The SCMP_ACT_NOTIFY action and the notify APIs are supported.
 .TP
-.B 5
+.B 6
 The simultaneous use of SCMP_FLTATR_CTL_TSYNC and the notify APIs are 
supported.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/doc/man/man3/seccomp_export_bpf.3 
new/libseccomp-2.5.1/doc/man/man3/seccomp_export_bpf.3
--- old/libseccomp-2.5.0/doc/man/man3/seccomp_export_bpf.3      2020-06-27 
23:13:34.390347801 +0200
+++ new/libseccomp-2.5.1/doc/man/man3/seccomp_export_bpf.3      2020-11-16 
23:04:38.778027347 +0100
@@ -24,7 +24,7 @@
 .BR seccomp_export_bpf ()
 and
 .BR seccomp_export_pfc ()
-functions generate and output the current seccomp filter in either BPF (Berkley
+functions generate and output the current seccomp filter in either BPF 
(Berkeley
 Packet Filter) or PFC (Pseudo Filter Code).  The output of
 .BR seccomp_export_bpf ()
 is suitable for loading into the kernel, while the output of
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/doc/man/man3/seccomp_init.3 
new/libseccomp-2.5.1/doc/man/man3/seccomp_init.3
--- old/libseccomp-2.5.0/doc/man/man3/seccomp_init.3    2020-06-27 
23:13:34.390347801 +0200
+++ new/libseccomp-2.5.1/doc/man/man3/seccomp_init.3    2020-11-16 
23:04:38.778027347 +0100
@@ -36,7 +36,17 @@
 function releases the existing filter context state before reinitializing it
 and can only be called after a call to
 .BR seccomp_init ()
-has succeeded.
+has succeeded.  If
+.BR seccomp_reset ()
+is called with a NULL filter, it resets the library's global task state,
+including any notification file descriptors retrieved by
+.BR seccomp_notify_fd(3) .
+Normally this is not needed, but it may be required to continue using the
+library after a
+.BR fork ()
+or
+.BR clone ()
+call to ensure the API level and user notification state is properly reset.
 .P
 When the caller is finished configuring the seccomp filter and has loaded it
 into the kernel, the caller should call
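Review bot: the added paragraph says `seccomp_reset()` with a NULL filter "resets" notification file descriptors but does not say whether the descriptor is closed or only forgotten by the library. After `fork()` or `clone()` that difference decides whether the child still holds an open notification fd, so the text should state it explicitly. The cross-reference is also written `.BR seccomp_notify_fd(3) .` while the rest of the page uses the `.BR name ()` form.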
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/doc/man/man3/seccomp_notify_alloc.3 
new/libseccomp-2.5.1/doc/man/man3/seccomp_notify_alloc.3
--- old/libseccomp-2.5.0/doc/man/man3/seccomp_notify_alloc.3    2020-06-27 
23:13:34.393681153 +0200
+++ new/libseccomp-2.5.1/doc/man/man3/seccomp_notify_alloc.3    2020-11-16 
23:04:38.778027347 +0100
@@ -59,7 +59,8 @@
 .\" //////////////////////////////////////////////////////////////////////////
 The
 .BR seccomp_notify_fd ()
-returns the notification fd of the loaded filter.
+returns the notification fd of the loaded filter, -1 if a notification fd has
+not yet been created, and -EINVAL if the filter context is invalid.
 .P
 The
 .BR seccomp_notify_id_valid ()
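Review bot: the documented return values mix a bare `-1` with a negative errno (`-EINVAL`) in the same function. On Linux `-1` is numerically `-EPERM`, so a caller that treats every negative return as an errno will report "operation not permitted" when the fd simply has not been created yet. The man page should say that `-1` here is not an errno value, or the "not yet created" case should get a distinct documented code.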
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/doc/man/man3/seccomp_rule_add.3 
new/libseccomp-2.5.1/doc/man/man3/seccomp_rule_add.3
--- old/libseccomp-2.5.0/doc/man/man3/seccomp_rule_add.3        2020-07-15 
03:38:33.533233115 +0200
+++ new/libseccomp-2.5.1/doc/man/man3/seccomp_rule_add.3        2020-11-16 
23:04:38.778027347 +0100
@@ -209,6 +209,22 @@
 .B SCMP_ACT_ALLOW
 The seccomp filter will have no effect on the thread calling the syscall if it
 matches the filter rule.
+.TP
+.B SCMP_ACT_NOTIFY
+A monitoring process will be notified when a process running the seccomp
+filter calls a syscall that matches the filter rule.  The process that invokes
+the syscall waits in the kernel until the monitoring process has responded via
+.B seccomp_notify_respond(3)
+\&.
+
+When a filter utilizing
+.B SCMP_ACT_NOTIFY
+is loaded into the kernel, the kernel generates a notification fd that must be
+used to communicate between the monitoring process and the process(es) being
+filtered.  See
+.B seccomp_notif_fd(3)
+for more information.
+
 .P
 Valid comparison
 .I op
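Review bot: the cross-reference at the end of the new `SCMP_ACT_NOTIFY` text reads `seccomp_notif_fd(3)`, but the function documented elsewhere in this release is `seccomp_notify_fd(3)`, so the reference points at a page that does not exist. The `\&.` placed on its own line after `.B seccomp_notify_respond(3)` also renders with a space before the period; using `.BR seccomp_notify_respond (3).` avoids that.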
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/include/seccomp.h new/libseccomp-2.5.1/include/seccomp.h
--- old/libseccomp-2.5.0/include/seccomp.h      2020-07-20 20:16:24.970474721 
+0200
+++ new/libseccomp-2.5.1/include/seccomp.h      2020-11-17 00:47:49.885841627 
+0100
@@ -40,7 +40,7 @@
 
 #define SCMP_VER_MAJOR         2
 #define SCMP_VER_MINOR         5
-#define SCMP_VER_MICRO         0
+#define SCMP_VER_MICRO         1
 
 struct scmp_version {
        unsigned int major;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/m4/libtool.m4 new/libseccomp-2.5.1/m4/libtool.m4
--- old/libseccomp-2.5.0/m4/libtool.m4  2020-07-20 20:16:12.500422677 +0200
+++ new/libseccomp-2.5.1/m4/libtool.m4  2020-11-17 00:47:42.473777197 +0100
@@ -1,6 +1,6 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
-#   Copyright (C) 1996-2001, 2003-2018 Free Software Foundation, Inc.
+#   Copyright (C) 1996-2001, 2003-2015 Free Software Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@@ -219,8 +219,8 @@
 ofile=libtool
 can_build_shared=yes
 
-# All known linkers require a '.a' archive for static linking (except MSVC and
-# ICC, which need '.lib').
+# All known linkers require a '.a' archive for static linking (except MSVC,
+# which needs '.lib').
 libext=a
 
 with_gnu_ld=$lt_cv_prog_gnu_ld
@@ -728,6 +728,7 @@
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.
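Review bot: the added header line `# Libtool was configured on host ...` writes the build machine's hostname into the generated libtool script. That makes the generated file differ from one build host to the next, which works against reproducible builds, and it records an internal hostname in build output. The 2.5.0 copy of this macro did not emit the line, so this is another effect of the libtool downgrade worth raising with upstream.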
@@ -1041,8 +1042,8 @@
 _LT_EOF
       echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
       $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR $AR_FLAGS libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR $AR_FLAGS libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
       echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
       $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
       cat > conftest.c << _LT_EOF
@@ -1492,22 +1493,9 @@
 m4_defun([_LT_PROG_AR],
 [AC_CHECK_TOOLS(AR, [ar], false)
 : ${AR=ar}
+: ${AR_FLAGS=cru}
 _LT_DECL([], [AR], [1], [The archiver])
-
-# Use ARFLAGS variable as AR's operation code to sync the variable naming with
-# Automake.  If both AR_FLAGS and ARFLAGS are specified, AR_FLAGS should have
-# higher priority because thats what people were doing historically (setting
-# ARFLAGS for automake and AR_FLAGS for libtool).  FIXME: Make the AR_FLAGS
-# variable obsoleted/removed.
-
-test ${AR_FLAGS+y} || AR_FLAGS=${ARFLAGS-cr}
-lt_ar_flags=$AR_FLAGS
-_LT_DECL([], [lt_ar_flags], [0], [Flags to create an archive (by configure)])
-
-# Make AR_FLAGS overridable by 'make ARFLAGS='.  Don't try to run-time override
-# by AR_FLAGS because that was never working and AR_FLAGS is about to die.
-_LT_DECL([], [AR_FLAGS], [\@S|@{ARFLAGS-"\@S|@lt_ar_flags"}],
-         [Flags to create an archive])
+_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
 
 AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
   [lt_cv_ar_at_file=no
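Review bot: replacing the `ARFLAGS`-aware logic with a fixed `: ${AR_FLAGS=cru}` removes the `make ARFLAGS=` override that the deleted comment block describes, and it brings back the `u` modifier. With an `ar` that defaults to deterministic archives the `u` modifier is ignored with a warning on every static archive step. Nothing breaks, but the build log gets noisier and the default moves away from the `cr` that 2.5.0 used.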
@@ -2219,35 +2207,26 @@
 striplib=
 old_striplib=
 AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -z "$STRIP"; then
-  AC_MSG_RESULT([no])
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  AC_MSG_RESULT([yes])
 else
-  if $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
-    old_striplib="$STRIP --strip-debug"
-    striplib="$STRIP --strip-unneeded"
-    AC_MSG_RESULT([yes])
-  else
-    case $host_os in
-    darwin*)
-      # FIXME - insert some real tests, host_os isn't really good enough
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+  darwin*)
+    if test -n "$STRIP"; then
       striplib="$STRIP -x"
       old_striplib="$STRIP -S"
       AC_MSG_RESULT([yes])
-      ;;
-    freebsd*)
-      if $STRIP -V 2>&1 | $GREP "elftoolchain" >/dev/null; then
-        old_striplib="$STRIP --strip-debug"
-        striplib="$STRIP --strip-unneeded"
-        AC_MSG_RESULT([yes])
-      else
-        AC_MSG_RESULT([no])
-      fi
-      ;;
-    *)
+    else
       AC_MSG_RESULT([no])
-      ;;
-    esac
-  fi
+    fi
+    ;;
+  *)
+    AC_MSG_RESULT([no])
+    ;;
+  esac
 fi
 _LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
 _LT_DECL([], [striplib], [1])
@@ -2586,8 +2565,8 @@
     dynamic_linker='Win32 ld.exe'
     ;;
 
-  *,cl* | *,icl*)
-    # Native MSVC or ICC
+  *,cl*)
+    # Native MSVC
     libname_spec='$name'
     soname_spec='$libname`echo $release | $SED -e 
's/[[.]]/-/g'`$versuffix$shared_ext'
     library_names_spec='$libname.dll.lib'
@@ -2643,7 +2622,7 @@
     ;;
 
   *)
-    # Assume MSVC and ICC wrapper
+    # Assume MSVC wrapper
     library_names_spec='$libname`echo $release | $SED -e 
's/[[.]]/-/g'`$versuffix$shared_ext $libname.lib'
     dynamic_linker='Win32 ld.exe'
     ;;
@@ -2888,6 +2867,9 @@
   # before this can be enabled.
   hardcode_into_libs=yes
 
+  # Add ABI-specific directories to the system library path.
+  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
   # Ideally, we could use ldconfig to report *all* directores which are
   # searched for libraries, however this is still not possible.  Aside from not
   # being certain /sbin/ldconfig is available, command
@@ -2896,7 +2878,7 @@
   # appending ld.so.conf contents (and includes) to the search path.
   if test -f /etc/ld.so.conf; then
     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 
2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < 
/etc/ld.so.conf | $SED -e 's/#.*//;/^[  ]*hwcap[        ]/d;s/[:,      ]/ 
/g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -4031,7 +4013,7 @@
   if test "$lt_cv_nm_interface" = "MS dumpbin"; then
     # Fake it for dumpbin and say T for any non-static function,
     # D for any global variable and I for any imported variable.
-    # Also find C++ and __fastcall symbols from MSVC++ or ICC,
+    # Also find C++ and __fastcall symbols from MSVC++,
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
@@ -4940,7 +4922,7 @@
     if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
       _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | 
awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == 
"W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } 
else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
     else
-      _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e 
'\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 
2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "L") || (\$ 2 == "W") 
|| (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 
== "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print 
\$ 1 } } }'\'' | sort -u > $export_symbols'
+      _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e 
'\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 
2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") 
|| (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 
== "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | 
sort -u > $export_symbols'
     fi
     ;;
   pw32*)
@@ -4948,7 +4930,7 @@
     ;;
   cygwin* | mingw* | cegcc*)
     case $cc_basename in
-    cl* | icl*)
+    cl*)
       _LT_TAGVAR(exclude_expsyms, 
$1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
       ;;
     *)
@@ -5005,15 +4987,15 @@
 
   case $host_os in
   cygwin* | mingw* | pw32* | cegcc*)
-    # FIXME: the MSVC++ and ICC port hasn't been tested in a loooong time
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
     # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++ or Intel C++ Compiler.
+    # Microsoft Visual C++.
     if test yes != "$GCC"; then
       with_gnu_ld=no
     fi
     ;;
   interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++ or ICC)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
     with_gnu_ld=yes
     ;;
   openbsd* | bitrig*)
@@ -5177,7 +5159,6 @@
        emximp -o $lib $output_objdir/$libname.def'
       _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o 
$output_objdir/${libname}_dll.a $output_objdir/$libname.def'
       _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(file_list_spec, $1)='@'
       ;;
 
     interix[[3-9]]*)
@@ -5395,7 +5376,7 @@
        if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
          _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | 
awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == 
"W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } 
else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
        else
-         _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e 
'\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 
2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "L") || (\$ 2 == "W") 
|| (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 
== "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print 
\$ 1 } } }'\'' | sort -u > $export_symbols'
+         _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e 
'\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 
2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") 
|| (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 
== "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | 
sort -u > $export_symbols'
        fi
        aix_use_runtimelinking=no
 
@@ -5578,12 +5559,12 @@
 
     cygwin* | mingw* | pw32* | cegcc*)
       # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++ or Intel C++ Compiler.
+      # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
       case $cc_basename in
-      cl* | icl*)
-       # Native MSVC or ICC
+      cl*)
+       # Native MSVC
        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
        _LT_TAGVAR(always_export_symbols, $1)=yes
@@ -5624,7 +5605,7 @@
           fi'
        ;;
       *)
-       # Assume MSVC and ICC wrapper
+       # Assume MSVC wrapper
        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
        # Tell ltmain to make .lib files, not .a files.
@@ -5883,7 +5864,6 @@
        emximp -o $lib $output_objdir/$libname.def'
       _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o 
$output_objdir/${libname}_dll.a $output_objdir/$libname.def'
       _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(file_list_spec, $1)='@'
       ;;
 
     osf3*)
@@ -6654,8 +6634,8 @@
 
       cygwin* | mingw* | pw32* | cegcc*)
        case $GXX,$cc_basename in
-       ,cl* | no,cl* | ,icl* | no,icl*)
-         # Native MSVC or ICC
+       ,cl* | no,cl*)
+         # Native MSVC
          # hardcode_libdir_flag_spec is actually meaningless, as there is
          # no search path for DLLs.
          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
@@ -6753,7 +6733,6 @@
          emximp -o $lib $output_objdir/$libname.def'
        _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o 
$output_objdir/${libname}_dll.a $output_objdir/$libname.def'
        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-       _LT_TAGVAR(file_list_spec, $1)='@'
        ;;
 
       dgux*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/m4/ltoptions.m4 new/libseccomp-2.5.1/m4/ltoptions.m4
--- old/libseccomp-2.5.0/m4/ltoptions.m4        2020-07-20 20:16:12.510422719 
+0200
+++ new/libseccomp-2.5.1/m4/ltoptions.m4        2020-11-17 00:47:42.482777275 
+0100
@@ -1,6 +1,6 @@
 # Helper functions for option handling.                    -*- Autoconf -*-
 #
-#   Copyright (C) 2004-2005, 2007-2009, 2011-2018 Free Software
+#   Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software
 #   Foundation, Inc.
 #   Written by Gary V. Vaughan, 2004
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/m4/ltsugar.m4 new/libseccomp-2.5.1/m4/ltsugar.m4
--- old/libseccomp-2.5.0/m4/ltsugar.m4  2020-07-20 20:16:12.520422761 +0200
+++ new/libseccomp-2.5.1/m4/ltsugar.m4  2020-11-17 00:47:42.494777380 +0100
@@ -1,6 +1,6 @@
 # ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
 #
-# Copyright (C) 2004-2005, 2007-2008, 2011-2018 Free Software
+# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
 # Foundation, Inc.
 # Written by Gary V. Vaughan, 2004
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/m4/ltversion.m4 new/libseccomp-2.5.1/m4/ltversion.m4
--- old/libseccomp-2.5.0/m4/ltversion.m4        2020-07-20 20:16:12.530422802 
+0200
+++ new/libseccomp-2.5.1/m4/ltversion.m4        2020-11-17 00:47:42.506777484 
+0100
@@ -1,6 +1,6 @@
 # ltversion.m4 -- version numbers                      -*- Autoconf -*-
 #
-#   Copyright (C) 2004, 2011-2018 Free Software Foundation, Inc.
+#   Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc.
 #   Written by Scott James Remnant, 2004
 #
 # This file is free software; the Free Software Foundation gives
@@ -9,15 +9,15 @@
 
 # @configure_input@
 
-# serial 4221 ltversion.m4
+# serial 4179 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.4.6.42-b88ce-dirty])
-m4_define([LT_PACKAGE_REVISION], [2.4.6.42])
+m4_define([LT_PACKAGE_VERSION], [2.4.6])
+m4_define([LT_PACKAGE_REVISION], [2.4.6])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.4.6.42-b88ce-dirty'
-macro_revision='2.4.6.42'
+[macro_version='2.4.6'
+macro_revision='2.4.6'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
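Review bot: the bundled libtool macros move backwards in this hunk (serial 4221 to 4179, LT_PACKAGE_VERSION 2.4.6.42-b88ce-dirty to 2.4.6), so the 2.5.1 tarball was evidently generated with a different libtool than 2.5.0, and the previous one came from a "-dirty" development build. None of this is a source change in libseccomp itself. Regenerating the autotools files at package build time (autoreconf) instead of trusting the shipped m4/ copies would keep such toolchain differences out of the built package and make the update easier to audit.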
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/m4/lt~obsolete.m4 new/libseccomp-2.5.1/m4/lt~obsolete.m4
--- old/libseccomp-2.5.0/m4/lt~obsolete.m4      2020-07-20 20:16:12.543756191 
+0200
+++ new/libseccomp-2.5.1/m4/lt~obsolete.m4      2020-11-17 00:47:42.519777597 
+0100
@@ -1,6 +1,6 @@
 # lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
 #
-#   Copyright (C) 2004-2005, 2007, 2009, 2011-2018 Free Software
+#   Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
 #   Foundation, Inc.
 #   Written by Scott James Remnant, 2004.
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/Makefile.am new/libseccomp-2.5.1/src/Makefile.am
--- old/libseccomp-2.5.0/src/Makefile.am        2020-06-27 23:13:34.393681153 
+0200
+++ new/libseccomp-2.5.1/src/Makefile.am        2020-11-16 23:04:38.779027356 
+0100
@@ -61,7 +61,7 @@
 arch_syscall_dump_SOURCES = arch-syscall-dump.c ${SOURCES_ALL}
 
 arch_syscall_check_SOURCES = arch-syscall-check.c ${SOURCES_ALL}
-arch_syscall_check_CFLAGS = ${CODE_COVERAGE_CFLAGS}
+arch_syscall_check_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS}
 arch_syscall_check_LDFLAGS = ${CODE_COVERAGE_LDFLAGS}
 
 libseccomp_la_SOURCES = ${SOURCES_ALL}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/api.c new/libseccomp-2.5.1/src/api.c
--- old/libseccomp-2.5.0/src/api.c      2020-06-30 03:47:49.223363531 +0200
+++ new/libseccomp-2.5.1/src/api.c      2020-11-16 23:04:38.779027356 +0100
@@ -301,10 +301,18 @@
 {
        struct db_filter_col *col = (struct db_filter_col *)ctx;
 
-       /* use a NULL filter collection here since we are resetting it */
-       if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
+       /* a NULL filter context indicates we are resetting the global state */
+       if (ctx == NULL) {
+               /* reset the global state and redetermine the api level */
+               sys_reset_state();
+               _seccomp_api_update();
+               return _rc_filter(0);
+       }
+       /* ensure the default action is valid */
+       if (db_col_action_valid(NULL, def_action) < 0)
                return _rc_filter(-EINVAL);
 
+       /* reset the filter */
        return _rc_filter(db_col_reset(col, def_action));
 }
 
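Review bot: in the new ctx == NULL branch, def_action is never looked at, so seccomp_reset(NULL, <any value>) now returns 0 where the old code returned -EINVAL, and it has the side effect of calling sys_reset_state(). That is an API behaviour change for callers that relied on the error, and it should be spelled out in the function header comment and the man page. Either document that def_action is ignored in this case or still reject an invalid action before resetting.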
@@ -675,16 +683,17 @@
 /* NOTE - function header comment in include/seccomp.h */
 API int seccomp_notify_fd(const scmp_filter_ctx ctx)
 {
-       struct db_filter_col *col;
+       /* NOTE: for historical reasons, and possibly future use, we require a
+        * valid filter context even though we don't actual use it here; the
+        * api update is also not strictly necessary, but keep it for now */
 
        /* force a runtime api level detection */
        _seccomp_api_update();
 
        if (_ctx_valid(ctx))
                return _rc_filter(-EINVAL);
-       col = (struct db_filter_col *)ctx;
 
-       return _rc_filter(col->notify_fd);
+       return _rc_filter(sys_notify_fd());
 }
 
 /* NOTE - function header comment in include/seccomp.h */
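Review bot: after this change the ctx argument is only validated and the returned descriptor comes from sys_notify_fd(), so every valid filter context reports the same fd regardless of which one was loaded with a notify action. The NOTE comment hints at this, but callers need it stated in the public documentation. Also, "we don't actual use it" should read "actually".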
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/arch-arm.c new/libseccomp-2.5.1/src/arch-arm.c
--- old/libseccomp-2.5.0/src/arch-arm.c 2020-07-14 03:25:38.112974892 +0200
+++ new/libseccomp-2.5.1/src/arch-arm.c 2020-11-16 23:04:38.779027356 +0100
@@ -50,8 +50,9 @@
 {
        int sys;
 
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
        sys = arm_syscall_resolve_name(name);
-       if (sys == __NR_SCMP_ERROR)
+       if (sys == __NR_SCMP_ERROR || sys < 0)
                return sys;
 
        return (sys | __SCMP_NR_BASE);
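Review bot: the added NOTE sits above the arm_syscall_resolve_name() call, but it explains the return check two lines below; move it next to the if. With sys < 0 in the condition, the sys == __NR_SCMP_ERROR comparison looks redundant if that constant is negative (its definition is not visible in this diff), so either drop it or say in the comment why both are kept. The same applies to the matching hunks in arch-mips*.c and arch-x32.c.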
@@ -68,7 +69,10 @@
  */
 const char *arm_syscall_resolve_num_munge(int num)
 {
-       return arm_syscall_resolve_num(num & (~__SCMP_NR_BASE));
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
+       if (num >= 0)
+               num &= ~__SCMP_NR_BASE;
+       return arm_syscall_resolve_num(num);
 }
 
 const struct arch_def arch_def_arm = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/arch-mips.c new/libseccomp-2.5.1/src/arch-mips.c
--- old/libseccomp-2.5.0/src/arch-mips.c        2020-06-27 23:13:34.393681153 
+0200
+++ new/libseccomp-2.5.1/src/arch-mips.c        2020-11-16 23:04:38.779027356 
+0100
@@ -43,8 +43,9 @@
 {
        int sys;
 
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
        sys = mips_syscall_resolve_name(name);
-       if (sys == __NR_SCMP_ERROR)
+       if (sys == __NR_SCMP_ERROR || sys < 0)
                return sys;
 
        return sys + __SCMP_NR_BASE;
@@ -61,7 +62,10 @@
  */
 const char *mips_syscall_resolve_num_munge(int num)
 {
-       return mips_syscall_resolve_num(num - __SCMP_NR_BASE);
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
+       if (num >= __SCMP_NR_BASE)
+               num -= __SCMP_NR_BASE;
+       return mips_syscall_resolve_num(num);
 }
 
 const struct arch_def arch_def_mips = {
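Review bot: the guard here is num >= __SCMP_NR_BASE, while the arm and x32 versions use num >= 0. As written, a non-negative num below __SCMP_NR_BASE is now passed to mips_syscall_resolve_num() unchanged instead of being shifted negative as before. If that is intended, the comment should say so, since "pseudo-syscall numbers" only explains the negative case. Same pattern in arch-mips64.c and arch-mips64n32.c.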
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/arch-mips64.c new/libseccomp-2.5.1/src/arch-mips64.c
--- old/libseccomp-2.5.0/src/arch-mips64.c      2020-06-27 23:13:34.397014505 
+0200
+++ new/libseccomp-2.5.1/src/arch-mips64.c      2020-11-16 23:04:38.779027356 
+0100
@@ -41,8 +41,9 @@
 {
        int sys;
 
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
        sys = mips64_syscall_resolve_name(name);
-       if (sys == __NR_SCMP_ERROR)
+       if (sys == __NR_SCMP_ERROR || sys < 0)
                return sys;
 
        return sys + __SCMP_NR_BASE;
@@ -59,7 +60,10 @@
  */
 const char *mips64_syscall_resolve_num_munge(int num)
 {
-       return mips64_syscall_resolve_num(num - __SCMP_NR_BASE);
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
+       if (num >= __SCMP_NR_BASE)
+               num -= __SCMP_NR_BASE;
+       return mips64_syscall_resolve_num(num);
 }
 
 const struct arch_def arch_def_mips64 = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/arch-mips64n32.c 
new/libseccomp-2.5.1/src/arch-mips64n32.c
--- old/libseccomp-2.5.0/src/arch-mips64n32.c   2020-06-27 23:13:34.397014505 
+0200
+++ new/libseccomp-2.5.1/src/arch-mips64n32.c   2020-11-16 23:04:38.779027356 
+0100
@@ -43,8 +43,9 @@
 {
        int sys;
 
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
        sys = mips64n32_syscall_resolve_name(name);
-       if (sys == __NR_SCMP_ERROR)
+       if (sys == __NR_SCMP_ERROR || sys < 0)
                return sys;
 
        return sys + __SCMP_NR_BASE;
@@ -61,7 +62,10 @@
  */
 const char *mips64n32_syscall_resolve_num_munge(int num)
 {
-       return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE);
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
+       if (num >= __SCMP_NR_BASE)
+               num -= __SCMP_NR_BASE;
+       return mips64n32_syscall_resolve_num(num);
 }
 
 const struct arch_def arch_def_mips64n32 = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/arch-x32.c new/libseccomp-2.5.1/src/arch-x32.c
--- old/libseccomp-2.5.0/src/arch-x32.c 2020-07-14 03:25:38.112974892 +0200
+++ new/libseccomp-2.5.1/src/arch-x32.c 2020-11-16 23:04:38.781027373 +0100
@@ -39,8 +39,9 @@
 {
        int sys;
 
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
        sys = x32_syscall_resolve_name(name);
-       if (sys == __NR_SCMP_ERROR)
+       if (sys == __NR_SCMP_ERROR || sys < 0)
                return sys;
 
        return (sys | X32_SYSCALL_BIT);
@@ -57,7 +58,10 @@
  */
 const char *x32_syscall_resolve_num_munge(int num)
 {
-       return x32_syscall_resolve_num(num & (~X32_SYSCALL_BIT));
+       /* NOTE: we don't want to modify the pseudo-syscall numbers */
+       if (num >= 0)
+               num &= ~X32_SYSCALL_BIT;
+       return x32_syscall_resolve_num(num);
 }
 
 const struct arch_def arch_def_x32 = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/db.c new/libseccomp-2.5.1/src/db.c
--- old/libseccomp-2.5.0/src/db.c       2020-06-30 03:47:49.226696886 +0200
+++ new/libseccomp-2.5.1/src/db.c       2020-11-16 23:04:59.764209764 +0100
@@ -1057,7 +1057,6 @@
        if (col->filters)
                free(col->filters);
        col->filters = NULL;
-       col->notify_fd = -1;
 
        /* set the endianess to undefined */
        col->endian = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/db.h new/libseccomp-2.5.1/src/db.h
--- old/libseccomp-2.5.0/src/db.h       2020-06-27 23:13:34.400347855 +0200
+++ new/libseccomp-2.5.1/src/db.h       2020-11-16 23:04:38.781027373 +0100
@@ -160,8 +160,7 @@
        /* transaction snapshots */
        struct db_filter_snap *snapshots;
 
-       /* notification fd that was returned from seccomp() */
-       int notify_fd;
+       /* userspace notification */
        bool notify_used;
 };
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/python/seccomp.pyx 
new/libseccomp-2.5.1/src/python/seccomp.pyx
--- old/libseccomp-2.5.0/src/python/seccomp.pyx 2020-06-27 23:13:34.403681207 
+0200
+++ new/libseccomp-2.5.1/src/python/seccomp.pyx 2020-11-16 23:04:38.782027382 
+0100
@@ -1023,7 +1023,7 @@
         file - the output file
 
         Description:
-        Output the filter in Berkley Packet Filter (BPF) to the given
+        Output the filter in Berkeley Packet Filter (BPF) to the given
         file.  The output is identical to what is loaded into the
         Linux Kernel.
         """
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/system.c new/libseccomp-2.5.1/src/system.c
--- old/libseccomp-2.5.0/src/system.c   2020-06-30 03:47:49.226696886 +0200
+++ new/libseccomp-2.5.1/src/system.c   2020-11-16 23:04:38.782027382 +0100
@@ -40,16 +40,65 @@
  *       our next release we may have to enable the allowlist */
 #define SYSCALL_ALLOWLIST_ENABLE       0
 
-static int _nr_seccomp = -1;
-static int _support_seccomp_syscall = -1;
-static int _support_seccomp_flag_tsync = -1;
-static int _support_seccomp_flag_log = -1;
-static int _support_seccomp_action_log = -1;
-static int _support_seccomp_kill_process = -1;
-static int _support_seccomp_flag_spec_allow = -1;
-static int _support_seccomp_flag_new_listener = -1;
-static int _support_seccomp_user_notif = -1;
-static int _support_seccomp_flag_tsync_esrch = -1;
+/* task global state */
+struct task_state {
+       /* seccomp(2) syscall */
+       int nr_seccomp;
+
+       /* userspace notification fd */
+       int notify_fd;
+
+       /* runtime support flags */
+       int sup_syscall;
+       int sup_flag_tsync;
+       int sup_flag_log;
+       int sup_action_log;
+       int sup_kill_process;
+       int sup_flag_spec_allow;
+       int sup_flag_new_listener;
+       int sup_user_notif;
+       int sup_flag_tsync_esrch;
+};
+static struct task_state state = {
+       .nr_seccomp = -1,
+
+       .notify_fd = -1,
+
+       .sup_syscall = -1,
+       .sup_flag_tsync = -1,
+       .sup_flag_log = -1,
+       .sup_action_log = -1,
+       .sup_kill_process = -1,
+       .sup_flag_spec_allow = -1,
+       .sup_flag_new_listener = -1,
+       .sup_user_notif = -1,
+       .sup_flag_tsync_esrch = -1,
+};
+
+/**
+ * Reset the task state
+ *
+ * This function fully resets the library's global "system task state".
+ *
+ */
+void sys_reset_state(void)
+{
+       state.nr_seccomp = -1;
+
+       if (state.notify_fd > 0)
+               close(state.notify_fd);
+       state.notify_fd = -1;
+
+       state.sup_syscall = -1;
+       state.sup_flag_tsync = -1;
+       state.sup_flag_log = -1;
+       state.sup_action_log = -1;
+       state.sup_kill_process = -1;
+       state.sup_flag_spec_allow = -1;
+       state.sup_flag_new_listener = -1;
+       state.sup_user_notif = -1;
+       state.sup_flag_tsync_esrch = -1;
+}
 
 /**
  * Check to see if the seccomp() syscall is supported
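Review bot: sys_reset_state() closes state.notify_fd, but the same integer is handed out to callers through seccomp_notify_fd(), so anyone still holding it after a reset has a stale descriptor number that a later open() may reuse. The header comment should say that the notification fd is invalidated by a reset. Two smaller points: the close guard tests notify_fd > 0 while the sentinel is -1 (>= 0 would match it), and state is a plain static with nothing visible here that serialises concurrent callers.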
@@ -68,8 +117,8 @@
        /* NOTE: it is reasonably safe to assume that we should be able to call
         *       seccomp() when the caller first starts, but we can't rely on
         *       it later so we need to cache our findings for use later */
-       if (_support_seccomp_syscall >= 0)
-               return _support_seccomp_syscall;
+       if (state.sup_syscall >= 0)
+               return state.sup_syscall;
 
 #if SYSCALL_ALLOWLIST_ENABLE
        /* architecture allowlist */
@@ -100,11 +149,11 @@
                goto supported;
 
 unsupported:
-       _support_seccomp_syscall = 0;
+       state.sup_syscall = 0;
        return 0;
 supported:
-       _nr_seccomp = nr_seccomp;
-       _support_seccomp_syscall = 1;
+       state.nr_seccomp = nr_seccomp;
+       state.sup_syscall = 1;
        return 1;
 }
 
@@ -118,7 +167,7 @@
  */
 void sys_set_seccomp_syscall(bool enable)
 {
-       _support_seccomp_syscall = (enable ? 1 : 0);
+       state.sup_syscall = (enable ? 1 : 0);
 }
 
 /**
@@ -132,16 +181,16 @@
 int sys_chk_seccomp_action(uint32_t action)
 {
        if (action == SCMP_ACT_KILL_PROCESS) {
-               if (_support_seccomp_kill_process < 0) {
+               if (state.sup_kill_process < 0) {
                        if (sys_chk_seccomp_syscall() == 1 &&
-                           syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
-                                   &action) == 0)
-                               _support_seccomp_kill_process = 1;
+                           syscall(state.nr_seccomp,
+                                   SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+                               state.sup_kill_process = 1;
                        else
-                               _support_seccomp_kill_process = 0;
+                               state.sup_kill_process = 0;
                }
 
-               return _support_seccomp_kill_process;
+               return state.sup_kill_process;
        } else if (action == SCMP_ACT_KILL_THREAD) {
                return 1;
        } else if (action == SCMP_ACT_TRAP) {
@@ -152,30 +201,30 @@
        } else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
                return 1;
        } else if (action == SCMP_ACT_LOG) {
-               if (_support_seccomp_action_log < 0) {
+               if (state.sup_action_log < 0) {
                        if (sys_chk_seccomp_syscall() == 1 &&
-                           syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
-                                   &action) == 0)
-                               _support_seccomp_action_log = 1;
+                           syscall(state.nr_seccomp,
+                                   SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+                               state.sup_action_log = 1;
                        else
-                               _support_seccomp_action_log = 0;
+                               state.sup_action_log = 0;
                }
 
-               return _support_seccomp_action_log;
+               return state.sup_action_log;
        } else if (action == SCMP_ACT_ALLOW) {
                return 1;
        } else if (action == SCMP_ACT_NOTIFY) {
-               if (_support_seccomp_user_notif < 0) {
+               if (state.sup_user_notif < 0) {
                        struct seccomp_notif_sizes sizes;
                        if (sys_chk_seccomp_syscall() == 1 &&
-                           syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
-                                   &sizes) == 0)
-                               _support_seccomp_user_notif = 1;
+                           syscall(state.nr_seccomp,
+                                   SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0)
+                               state.sup_user_notif = 1;
                        else
-                               _support_seccomp_user_notif = 0;
+                               state.sup_user_notif = 0;
                }
 
-               return _support_seccomp_user_notif;
+               return state.sup_user_notif;
        }
 
        return 0;
@@ -193,13 +242,13 @@
 {
        switch (action) {
        case SCMP_ACT_LOG:
-               _support_seccomp_action_log = (enable ? 1 : 0);
+               state.sup_action_log = (enable ? 1 : 0);
                break;
        case SCMP_ACT_KILL_PROCESS:
-               _support_seccomp_kill_process = (enable ? 1 : 0);
+               state.sup_kill_process = (enable ? 1 : 0);
                break;
        case SCMP_ACT_NOTIFY:
-               _support_seccomp_user_notif = (enable ? 1 : 0);
+               state.sup_user_notif = (enable ? 1 : 0);
                break;
        }
 }
@@ -212,13 +261,14 @@
  * Return one if the flag is supported, zero otherwise.
  *
  */
-static int _sys_chk_seccomp_flag_kernel(int flag)
+static int _sys_chk_flag_kernel(int flag)
 {
        /* this is an invalid seccomp(2) call because the last argument
         * is NULL, but depending on the errno value of EFAULT we can
         * guess if the filter flag is supported or not */
        if (sys_chk_seccomp_syscall() == 1 &&
-           syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
+           syscall(state.nr_seccomp,
+                   SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
            errno == EFAULT)
                return 1;
 
@@ -238,29 +288,25 @@
 {
        switch (flag) {
        case SECCOMP_FILTER_FLAG_TSYNC:
-               if (_support_seccomp_flag_tsync < 0)
-                       _support_seccomp_flag_tsync = 
_sys_chk_seccomp_flag_kernel(flag);
-
-               return _support_seccomp_flag_tsync;
+               if (state.sup_flag_tsync < 0)
+                       state.sup_flag_tsync = _sys_chk_flag_kernel(flag);
+               return state.sup_flag_tsync;
        case SECCOMP_FILTER_FLAG_LOG:
-               if (_support_seccomp_flag_log < 0)
-                       _support_seccomp_flag_log = 
_sys_chk_seccomp_flag_kernel(flag);
-
-               return _support_seccomp_flag_log;
+               if (state.sup_flag_log < 0)
+                       state.sup_flag_log = _sys_chk_flag_kernel(flag);
+               return state.sup_flag_log;
        case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
-               if (_support_seccomp_flag_spec_allow < 0)
-                       _support_seccomp_flag_spec_allow = 
_sys_chk_seccomp_flag_kernel(flag);
-
-               return _support_seccomp_flag_spec_allow;
+               if (state.sup_flag_spec_allow < 0)
+                       state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag);
+               return state.sup_flag_spec_allow;
        case SECCOMP_FILTER_FLAG_NEW_LISTENER:
-               if (_support_seccomp_flag_new_listener < 0)
-                       _support_seccomp_flag_new_listener = 
_sys_chk_seccomp_flag_kernel(flag);
-
-               return _support_seccomp_flag_new_listener;
+               if (state.sup_flag_new_listener < 0)
+                       state.sup_flag_new_listener = 
_sys_chk_flag_kernel(flag);
+               return state.sup_flag_new_listener;
        case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
-               if (_support_seccomp_flag_tsync_esrch < 0)
-                       _support_seccomp_flag_tsync_esrch = 
_sys_chk_seccomp_flag_kernel(flag);
-               return _support_seccomp_flag_tsync_esrch;
+               if (state.sup_flag_tsync_esrch < 0)
+                       state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
+               return state.sup_flag_tsync_esrch;
        }
 
        return -EOPNOTSUPP;
@@ -279,19 +325,19 @@
 {
        switch (flag) {
        case SECCOMP_FILTER_FLAG_TSYNC:
-               _support_seccomp_flag_tsync = (enable ? 1 : 0);
+               state.sup_flag_tsync = (enable ? 1 : 0);
                break;
        case SECCOMP_FILTER_FLAG_LOG:
-               _support_seccomp_flag_log = (enable ? 1 : 0);
+               state.sup_flag_log = (enable ? 1 : 0);
                break;
        case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
-               _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
+               state.sup_flag_spec_allow = (enable ? 1 : 0);
                break;
        case SECCOMP_FILTER_FLAG_NEW_LISTENER:
-               _support_seccomp_flag_new_listener = (enable ? 1 : 0);
+               state.sup_flag_new_listener = (enable ? 1 : 0);
                break;
        case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
-               _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
+               state.sup_flag_tsync_esrch = (enable ? 1 : 0);
                break;
        }
 }
@@ -311,6 +357,7 @@
 {
        int rc;
        bool tsync_notify;
+       bool listener_req;
        struct bpf_program *prgm = NULL;
 
        rc = gen_bpf_generate(col, &prgm);
@@ -324,7 +371,9 @@
                        goto filter_load_out;
        }
 
-       tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
+       tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
+       listener_req = state.sup_user_notif > 0 && \
+                      col->notify_used && state.notify_fd == -1;
 
        /* load the filter into the kernel */
        if (sys_chk_seccomp_syscall() == 1) {
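Review bot: both new flags depend on state.notify_fd == -1, which is what lets a second seccomp_load() skip requesting another listener, but there is no comment saying so, and the name tsync_notify no longer describes what it tests. Add a line explaining that a listener is requested only when the filter uses a notify action and no fd has been obtained yet. The trailing backslash after && is unnecessary outside a macro.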
@@ -333,28 +382,34 @@
                        if (col->attr.tsync_enable)
                                flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
                                        SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
-                       if (_support_seccomp_user_notif > 0)
+                       if (listener_req)
                                flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
-               } else if (col->attr.tsync_enable)
+               } else if (col->attr.tsync_enable) {
+                       if (listener_req) {
+                               /* NOTE: we _should_ catch this in db.c */
+                               rc = -EFAULT;
+                               goto filter_load_out;
+                       }
                        flgs |= SECCOMP_FILTER_FLAG_TSYNC;
-               else if (_support_seccomp_user_notif > 0)
+               } else if (listener_req)
                        flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
                if (col->attr.log_enable)
                        flgs |= SECCOMP_FILTER_FLAG_LOG;
                if (col->attr.spec_allow)
                        flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
-               rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
+               rc = syscall(state.nr_seccomp,
+                            SECCOMP_SET_MODE_FILTER, flgs, prgm);
                if (tsync_notify && rc > 0) {
                        /* return 0 on NEW_LISTENER success, but save the fd */
-                       col->notify_fd = rc;
+                       state.notify_fd = rc;
                        rc = 0;
                } else if (rc > 0 && col->attr.tsync_enable) {
                        /* always return -ESRCH if we fail to sync threads */
                        errno = ESRCH;
                        rc = -errno;
-               } else if (rc > 0 && _support_seccomp_user_notif > 0) {
+               } else if (rc > 0 && state.sup_user_notif > 0) {
                        /* return 0 on NEW_LISTENER success, but save the fd */
-                       col->notify_fd = rc;
+                       state.notify_fd = rc;
                        rc = 0;
                }
        } else
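Review bot: the code that interprets rc > 0 as a notification fd still keys on tsync_notify and on state.sup_user_notif > 0 rather than on listener_req, so whether a positive return is stored in state.notify_fd is not tied to whether SECCOMP_FILTER_FLAG_NEW_LISTENER was actually set in flgs. Testing listener_req && rc > 0 in one place would make that explicit. Returning -EFAULT for the tsync plus listener combination is also an odd choice for an invalid configuration; -EINVAL would read better if this path can ever be reached.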
@@ -371,6 +426,19 @@
 }
 
 /**
+ * Return the userspace notification fd
+ *
+ * This function returns the userspace notification fd from
+ * SECCOMP_FILTER_FLAG_NEW_LISTENER.  If the notification fd has not yet been
+ * set, or an error has occurred, -1 is returned.
+ *
+ */
+int sys_notify_fd(void)
+{
+       return state.notify_fd;
+}
+
+/**
  * Allocate a pair of notification request/response structures
  * @param req the request location
  * @param resp the response location
@@ -386,7 +454,7 @@
        int rc;
        static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
 
-       if (_support_seccomp_syscall <= 0)
+       if (state.sup_syscall <= 0)
                return -EOPNOTSUPP;
 
        if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
@@ -427,7 +495,7 @@
  */
 int sys_notify_receive(int fd, struct seccomp_notif *req)
 {
-       if (_support_seccomp_user_notif <= 0)
+       if (state.sup_user_notif <= 0)
                return -EOPNOTSUPP;
 
        if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
@@ -448,7 +516,7 @@
  */
 int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
 {
-       if (_support_seccomp_user_notif <= 0)
+       if (state.sup_user_notif <= 0)
                return -EOPNOTSUPP;
 
        if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
@@ -467,7 +535,7 @@
  */
 int sys_notify_id_valid(int fd, uint64_t id)
 {
-       if (_support_seccomp_user_notif <= 0)
+       if (state.sup_user_notif <= 0)
                return -EOPNOTSUPP;
 
        if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/src/system.h new/libseccomp-2.5.1/src/system.h
--- old/libseccomp-2.5.0/src/system.h   2020-06-30 03:47:49.226696886 +0200
+++ new/libseccomp-2.5.1/src/system.h   2020-11-16 23:04:59.764209764 +0100
@@ -182,6 +182,8 @@
 #define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOR(2, __u64)
 #endif /* SECCOMP_RET_USER_NOTIF */
 
+void sys_reset_state(void);
+
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);
 
@@ -193,6 +195,7 @@
 
 int sys_filter_load(struct db_filter_col *col, bool rawrc);
 
+int sys_notify_fd(void);
 int sys_notify_alloc(struct seccomp_notif **req,
                     struct seccomp_notif_resp **resp);
 int sys_notify_receive(int fd, struct seccomp_notif *req);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.c 
new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.c
--- old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.c       2020-06-17 
01:25:28.000000000 +0200
+++ new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.c       2020-11-16 
23:04:38.783027390 +0100
@@ -41,7 +41,7 @@
        if (ctx == NULL)
                return ENOMEM;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
        if (rc != 0)
                goto out;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.py 
new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.py
--- old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.py      2018-12-04 
00:53:10.000000000 +0100
+++ new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.py      2020-11-16 
23:04:38.783027390 +0100
@@ -30,7 +30,7 @@
 
 def test(args):
     f = SyscallFilter(KILL)
-    f.add_rule(ALLOW, "open")
+    f.add_rule(ALLOW, "openat")
     f.add_rule(ALLOW, "close")
     f.add_rule(ALLOW, "read",
                Arg(0, EQ, sys.stdin.fileno()),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.tests 
new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.tests
--- old/libseccomp-2.5.0/tests/04-sim-multilevel_chains.tests   2018-12-04 
00:53:10.000000000 +0100
+++ new/libseccomp-2.5.1/tests/04-sim-multilevel_chains.tests   2020-11-16 
23:04:38.783027390 +0100
@@ -8,7 +8,7 @@
 test type: bpf-sim
 
 # Testname                     Arch            Syscall         Arg0            
Arg1            Arg2                    Arg3    Arg4    Arg5    Result
-04-sim-multilevel_chains       all,-aarch64    open            0x856B008       
4               N                       N       N       N       ALLOW
+04-sim-multilevel_chains       all             openat          0               
0x856B008       4                       N       N       N       ALLOW
 04-sim-multilevel_chains       all             close           4               
N               N                       N       N       N       ALLOW
 04-sim-multilevel_chains       x86             read            0               
0x856B008       0x7FFFFFFE              N       N       N       ALLOW
 04-sim-multilevel_chains       x86_64          read            0               
0x856B008       0x7FFFFFFFFFFFFFFE      N       N       N       ALLOW
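Review bot: in the new openat row the old open arguments are shifted right by one and Arg0 becomes 0, which in the dirfd position reads as file descriptor 0. The rule is added with zero argument comparators (`SCMP_SYS(openat), 0` in the .c test), so the ALLOW result does not depend on it, but a short comment above the row, or a more realistic dirfd value, would stop a reader from assuming the filter checks that argument.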
@@ -27,9 +27,11 @@
 04-sim-multilevel_chains       all             rt_sigreturn    N               
N               N                       N       N       N       ALLOW
 04-sim-multilevel_chains       x86             0-2             N               
N               N                       N       N       N       KILL
 04-sim-multilevel_chains       x86             7-172           N               
N               N                       N       N       N       KILL
-04-sim-multilevel_chains       x86             174-350         N               
N               N                       N       N       N       KILL
+04-sim-multilevel_chains       x86             174-294         N               
N               N                       N       N       N       KILL
+04-sim-multilevel_chains       x86             296-350         N               
N               N                       N       N       N       KILL
 04-sim-multilevel_chains       x86_64          4-14            N               
N               N                       N       N       N       KILL
-04-sim-multilevel_chains       x86_64          16-350          N               
N               N                       N       N       N       KILL
+04-sim-multilevel_chains       x86_64          16-256          N               
N               N                       N       N       N       KILL
+04-sim-multilevel_chains       x86_64          258-350         N               
N               N                       N       N       N       KILL
 
 test type: bpf-sim-fuzz
 
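Review bot: the KILL ranges gain gaps for the new openat numbers (295 on x86, 257 on x86_64), but the old gaps that covered open are left as they were: the x86 rows still jump from `0-2` to `7-172`, and the x86_64 rows still start at `4-14`. open is syscall 5 on x86 and 2 on x86_64, and it is no longer in the filter, so nothing asserts that it now hits the KILL default. Add single-syscall rows for x86 `5` and x86_64 `2` with result KILL.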
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/06-sim-actions.c 
new/libseccomp-2.5.1/tests/06-sim-actions.c
--- old/libseccomp-2.5.0/tests/06-sim-actions.c 2020-06-17 01:25:28.000000000 
+0200
+++ new/libseccomp-2.5.1/tests/06-sim-actions.c 2020-11-16 23:04:38.783027390 
+0100
@@ -60,11 +60,11 @@
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
+       rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0);
        if (rc != 0)
                goto out;
 
-       rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(stat), 0);
+       rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
        if (rc != 0)
                goto out;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/06-sim-actions.py 
new/libseccomp-2.5.1/tests/06-sim-actions.py
--- old/libseccomp-2.5.0/tests/06-sim-actions.py        2018-12-04 
00:53:10.000000000 +0100
+++ new/libseccomp-2.5.1/tests/06-sim-actions.py        2020-11-16 
23:04:38.783027390 +0100
@@ -37,8 +37,8 @@
     f.add_rule(LOG, "rt_sigreturn")
     f.add_rule(ERRNO(errno.EPERM), "write")
     f.add_rule(TRAP, "close")
-    f.add_rule(TRACE(1234), "open")
-    f.add_rule(KILL_PROCESS, "stat")
+    f.add_rule(TRACE(1234), "openat")
+    f.add_rule(KILL_PROCESS, "fstat")
     return f
 
 args = util.get_opt()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/06-sim-actions.tests 
new/libseccomp-2.5.1/tests/06-sim-actions.tests
--- old/libseccomp-2.5.0/tests/06-sim-actions.tests     2020-07-14 
03:25:38.116308244 +0200
+++ new/libseccomp-2.5.1/tests/06-sim-actions.tests     2020-11-16 
23:04:38.783027390 +0100
@@ -11,15 +11,17 @@
 06-sim-actions all             read            4               0x856B008       
80      N       N       N       ALLOW
 06-sim-actions all             write           1               0x856B008       
N       N       N       N       ERRNO(1)
 06-sim-actions all             close           4               N               
N       N       N       N       TRAP
-06-sim-actions all,-aarch64    open            0x856B008       4               
N       N       N       N       TRACE(1234)
-06-sim-actions all,-aarch64    stat            N               N               
N       N       N       N       KILL_PROCESS
+06-sim-actions all             openat          0               0x856B008       
4       N       N       N       TRACE(1234)
+06-sim-actions all             fstat           N               N               
N       N       N       N       KILL_PROCESS
 06-sim-actions all             rt_sigreturn    N               N               
N       N       N       N       LOG
 06-sim-actions x86             0-2             N               N               
N       N       N       N       KILL
-06-sim-actions x86             7-105           N               N               
N       N       N       N       KILL
-06-sim-actions x86             107-172         N               N               
N       N       N       N       KILL
-06-sim-actions x86             174-350         N               N               
N       N       N       N       KILL
-06-sim-actions x86_64          5-14            N               N               
N       N       N       N       KILL
-06-sim-actions x86_64          16-350          N               N               
N       N       N       N       KILL
+06-sim-actions x86             7-107           N               N               
N       N       N       N       KILL
+06-sim-actions x86             109-172         N               N               
N       N       N       N       KILL
+06-sim-actions x86             174-294         N               N               
N       N       N       N       KILL
+06-sim-actions x86             296-350         N               N               
N       N       N       N       KILL
+06-sim-actions x86_64          6-14            N               N               
N       N       N       N       KILL
+06-sim-actions x86_64          16-256          N               N               
N       N       N       N       KILL
+06-sim-actions x86_64          258-350         N               N               
N       N       N       N       KILL
 
 test type: bpf-sim-fuzz
 
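Review bot: on x86_64 the first KILL range moves from `5-14` to `6-14` to make room for fstat (5), which leaves 0-5 unchecked even though open (2) and stat (4) were removed from the filter. On x86 the stat gap is closed correctly by `7-107`, but open (5) still sits in the untested 3-6 gap. Add KILL rows for x86_64 `2` and `4` and for x86 `5`, so the test shows that the replaced syscalls fall through to the default action.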
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/11-basic-basic_errors.c 
new/libseccomp-2.5.1/tests/11-basic-basic_errors.c
--- old/libseccomp-2.5.0/tests/11-basic-basic_errors.c  2020-06-27 
23:13:34.407014558 +0200
+++ new/libseccomp-2.5.1/tests/11-basic-basic_errors.c  2020-11-16 
23:04:38.783027390 +0100
@@ -41,12 +41,9 @@
        seccomp_release(ctx);
        ctx = NULL;
 
-       /* seccomp_reset error */
-       rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1);
-       if (rc != -EINVAL)
-               return -1;
-       rc = seccomp_reset(ctx, SCMP_ACT_KILL);
-       if (rc != -EINVAL)
+       /* ensure that seccomp_reset(NULL, ...) is accepted */
+       rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
+       if (rc != 0)
                return -1;
 
        /* seccomp_load error */
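Review bot: the removed block was the only place that passed an invalid default action (`SCMP_ACT_KILL + 1`) to seccomp_reset(), and the replacement only checks that a NULL context with a valid action returns 0. Keep a negative case: call seccomp_reset() with a live context and an invalid action before the `seccomp_release(ctx)` above and expect -EINVAL. It is also worth checking the NULL-context path with an invalid action, so the test pins down whether the action is still validated when ctx is NULL.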
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/51-live-user_notification.c 
new/libseccomp-2.5.1/tests/51-live-user_notification.c
--- old/libseccomp-2.5.0/tests/51-live-user_notification.c      2020-06-27 
23:13:34.413681261 +0200
+++ new/libseccomp-2.5.1/tests/51-live-user_notification.c      2020-11-16 
23:04:38.786027416 +0100
@@ -21,6 +21,7 @@
 
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <asm/unistd.h>
 #include <unistd.h>
 #include <seccomp.h>
 #include <signal.h>
@@ -30,15 +31,15 @@
 
 #include "util.h"
 
-#define MAGIC 0x1122334455667788UL
-
 int main(int argc, char *argv[])
 {
        int rc, fd = -1, status;
        struct seccomp_notif *req = NULL;
        struct seccomp_notif_resp *resp = NULL;
        scmp_filter_ctx ctx = NULL;
-       pid_t pid = 0;
+       pid_t pid = 0, magic;
+
+       magic = getpid();
 
        ctx = seccomp_init(SCMP_ACT_ALLOW);
        if (ctx == NULL)
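Review bot: `magic = getpid();` replaces the MAGIC constant without a comment, so it is not obvious that the expected value is now the parent's pid, which the forked child can never obtain from a real getpid call. Add a one-line comment saying so and stating why the 64-bit constant was dropped, because the later `syscall(__NR_getpid) != magic` comparison only proves the notification path if that reasoning holds.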
@@ -59,7 +60,7 @@
 
        pid = fork();
        if (pid == 0)
-               exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+               exit(syscall(__NR_getpid) != magic);
 
        rc = seccomp_notify_alloc(&req, &resp);
        if (rc)
@@ -68,7 +69,7 @@
        rc = seccomp_notify_receive(fd, req);
        if (rc)
                goto out;
-       if (req->data.nr != SCMP_SYS(getpid)) {
+       if (req->data.nr != __NR_getpid) {
                rc = -EFAULT;
                goto out;
        }
@@ -77,7 +78,7 @@
                goto out;
 
        resp->id = req->id;
-       resp->val = MAGIC;
+       resp->val = magic;
        resp->error = 0;
        resp->flags = 0;
        rc = seccomp_notify_respond(fd, resp);
@@ -98,6 +99,27 @@
                goto out;
        }
 
+       rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
+       if (rc < 0)
+               goto out;
+
+       rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
+       if (rc)
+               goto out;
+
+       rc  = seccomp_load(ctx);
+       if (rc < 0)
+               goto out;
+
+       rc = seccomp_notify_fd(ctx);
+       if (rc < 0)
+               goto out;
+       if (rc != fd) {
+               rc = -EFAULT;
+               goto out;
+       } else
+               rc = 0;
+
 out:
        if (fd >= 0)
                close(fd);
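Review bot: the new block only compares the number returned by seccomp_notify_fd() with the earlier `fd`. It never triggers getppid or receives a notification after the second seccomp_load(), so it does not show that the reloaded filter actually delivers on that descriptor. Consider forking a child that calls getppid and running it through seccomp_notify_receive() and seccomp_notify_respond() as in the first half. Minor style points in the same block: `seccomp_rule_add(..., 0, NULL)` passes a trailing NULL that the other calls in this patch do not, `rc  = seccomp_load(ctx);` has a double space, and the `if (rc != fd) { ... } else` pair is braced on one branch only.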
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/51-live-user_notification.py 
new/libseccomp-2.5.1/tests/51-live-user_notification.py
--- old/libseccomp-2.5.0/tests/51-live-user_notification.py     2020-06-27 
23:13:34.413681261 +0200
+++ new/libseccomp-2.5.1/tests/51-live-user_notification.py     2020-11-16 
23:04:38.786027416 +0100
@@ -52,6 +52,10 @@
             raise RuntimeError("Child process error")
         if os.WEXITSTATUS(rc) != 0:
             raise RuntimeError("Child process error")
+        f.reset(ALLOW)
+        f.add_rule(NOTIFY, "getppid")
+        f.load()
+        # no easy way to check the notification fd here
         quit(160)
 
 test()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libseccomp-2.5.0/tests/58-live-tsync_notify.c 
new/libseccomp-2.5.1/tests/58-live-tsync_notify.c
--- old/libseccomp-2.5.0/tests/58-live-tsync_notify.c   2020-06-30 
03:47:49.226696886 +0200
+++ new/libseccomp-2.5.1/tests/58-live-tsync_notify.c   2020-11-16 
23:04:38.787027425 +0100
@@ -21,6 +21,7 @@
 
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <asm/unistd.h>
 #include <unistd.h>
 #include <seccomp.h>
 #include <signal.h>
@@ -30,15 +31,15 @@
 
 #include "util.h"
 
-#define MAGIC 0x1122334455667788UL
-
 int main(int argc, char *argv[])
 {
        int rc, fd = -1, status;
        struct seccomp_notif *req = NULL;
        struct seccomp_notif_resp *resp = NULL;
        scmp_filter_ctx ctx = NULL;
-       pid_t pid = 0;
+       pid_t pid = 0, magic;
+
+       magic = getpid();
 
        ctx = seccomp_init(SCMP_ACT_ALLOW);
        if (ctx == NULL)
@@ -63,7 +64,7 @@
 
        pid = fork();
        if (pid == 0)
-               exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+               exit(syscall(__NR_getpid) != magic);
 
        rc = seccomp_notify_alloc(&req, &resp);
        if (rc)
@@ -72,7 +73,7 @@
        rc = seccomp_notify_receive(fd, req);
        if (rc)
                goto out;
-       if (req->data.nr != SCMP_SYS(getpid)) {
+       if (req->data.nr != __NR_getpid) {
                rc = -EFAULT;
                goto out;
        }
@@ -81,7 +82,7 @@
                goto out;
 
        resp->id = req->id;
-       resp->val = MAGIC;
+       resp->val = magic;
        resp->error = 0;
        resp->flags = 0;
        rc = seccomp_notify_respond(fd, resp);
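Review bot: this file receives the same MAGIC to `magic = getpid()` conversion as 51-live-user_notification.c, but not the seccomp_reset() / second seccomp_load() / seccomp_notify_fd() check that was added there, so the reload path is not exercised for the tsync variant. Either add the equivalent block after the child is reaped or note why it does not apply here. Since the converted lines are identical in both tests, a shared helper in util.h would keep them from drifting apart.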

++++++ libseccomp.keyring ++++++
--- /var/tmp/diff_new_pack.Qe2VTA/_old  2021-06-02 22:10:33.680127381 +0200
+++ /var/tmp/diff_new_pack.Qe2VTA/_new  2021-06-02 22:10:33.680127381 +0200
@@ -668,6 +668,53 @@
 NGzZbc+QvC6gkaaoyXON79wn0PyGc6mfoOdcCVloDfcAI+tnaA+MeiZVYNewGZul
 kaBkI7Jcg1LgRN2bWXdl16XOz/625n2UAnK9VtYfJqAZJ21Nnjo4v3FC4BjN2PFu
 Vd0cDYA+yBRwyq9SNfT8gRDK/kJPilR6bMNPUsTraiR3Y7Ssczq4C9Kxvp9FWMen
-Zdi7eA==
-=qH7J
+Zdi7eJkCDQRdwuAJARAA0MaeI38Zmyd7f2binLFeCcRvJobhlwZMzAdJNrhlCwqW
+OMoe3bDeDwVOz7h4FDJMSZyZW4NMVUdp7sdtCDc66GJ/Mc0Xvo0pik1tH07zR/jc
+cq+JPioKplWQnH8r8F7i+yDnxuZbnP6ElyVetrvixz/PdXVXCZVTdBH/YuUs/YkZ
+JDFJJ8KE6zivatZ2TTgPl6CzIQiHcliD8eoxZj8X2aYBCcOmCHsjkkSD2LR+LcLg
+4+dG80Lk030N6YfRXXF1S2MD9wWsr3xWrBocienGqlVvRqTA2vzj77XjZrdlm6mk
+YHF/QlljiqJ4RapGlgF49JWBZDOuQ080lCqTbaIdjEVQO6shmds5R6HDVkqZUPFS
+ZZcunIfTveVBF5UiCRcQIv+zQTbhvwnpB0McUGYXbJVHuyyLLo5SkvBctG6WLEwz
+2/4Pq1LiB1gjoRAvgdKjmFRH/sHHPY00I2X+jT98yFeHTvjHPRlU/ndys9MtdYNT
+jdG/Nqstjjb0crNTZqlwtrwp18ygkOlEx0WLfhHVdJ5aOfRvpaJQp0/LdbFu3s7g
+cgOM1jCOoS8pNDS2/McDyvQU+99kRoc22u2uxGgK0wbDwN61rzmwtZEFkmsPrpXu
+a5p0y+UOCcN6g4YDPW9gYN4S2D+f1FNCDau5Kx+Ndyop9AtvU9WjZi3zE35kuRMA
+EQEAAbQmVG9tIEhyb21hdGthIDx0b20uaHJvbWF0a2FAb3JhY2xlLmNvbT6JAk4E
+EwEIADgWIQRHpo/ON8fXAk/WXhE1bOYsK1JAmQUCXcLgCQIbAwULCQgHAgYVCgkI
+CwIEFgIDAQIeAQIXgAAKCRA1bOYsK1JAmTS9D/9yhcq1l1uaLj7gM1njDFGa0Jss
+99U+9IlUkvD7T1m/EtkMUHc4KXVT678U/sH6ucyW3c91+bj73Tl1Hsr9GwEEamEF
+V/7ZM9dM7uvpvgYMdB+iOV5PRexA72oNRAw7PwQ0i4fVW7E5ZUmjaS4RY0kY9HVZ
+hNQ4GlA1+Reup6WDIEiLKbAIxCNTGdTw2EH4aMsRDIs9JXdeMr+hxO4QT3pHEFtp
+gFs5aWZoMPTVSHKkoct85yTRhqUFGyxLRm67/8ETDVoxljycnxOXSw75H0I63bE0
+Vr+fknef8938KdBvHVKtYlnnoLuphXtCkSwec95XHPkCUpVnrcsqGFjoatSc59EB
+42pGadjW+K7aff2/U3Ybw+XDo6bBApi+ajK4tZp/4+BetwBuMi0GmK8MI1sw3M/o
+0PMDbspe3F0BQ+lGG8sAtbQvQxNFaaVdpzoq7Uzj8/PnrVzMerIONEkyeHW2J/4C
+S4YsnEmlAKhpEh6QtuBW3L5FcCs+TAVGLixIDR90cjSlYJ2+SVmaHxO3oTlQnPlQ
+JszMqG4xPu9RUV5T3Zqg/4puL2A7Ks29ecF+/VbF6iNG4o/sVWGkexqEG031UNGu
+n+rJVnsej5ijp2U43yy+7BLtSYQLXqpSPSNDZTSQRf8t9k+pUKTvtwiRoWPtq0og
+qZyN9TTLrAJHLn58arkCDQRdwuAJARAAvUXjs2H+p68ky5/JRoOjNJKTF9z+7/Bp
+TldYWfIUw5VBE6aPscUdxbzY1hAzcrmsAqbzc/D7tziqsSgyIr8lXSTRHN9+YJbD
+GOwZgHry7wLcn429Kzszl6i34XbJ9dPDa+gIvpZDLPMZStocRiN6qQx8yJjmJoVg
++CdfNYMZY+Rmo/HzslfCWb32OgGXHotrc5Zh6Y/Ukoeyufba1GbWlA5Y1HlQBD+C
+n1NbCxGMtwVM0vnm+EMNbZXrovvPRPyeMz64MMLi4OTlPknE4oH2xBf9OTDFAMko
+ionioafCBbE+NfhVzpaLQZdMM+iW6OB8TbWOT7a6b+gTqwZWH4X4WXgDZOPsuTpy
+6kY44E739afQh5rILOrMf5ZDcl6c6MSkfPUc8R8Z64FAE0mvNCSvaP9LT2ZDd9xy
+iZZEp3T0BDOLi607CMbzbAUjjyCgtPbIjG2wXiNLfNdT9aTIfM7050ZdhUkI4rpi
+6FYa/scWdsFoj8c7VUJDC7rll5M3MUFH7sOZxEAh/lnamCjZleq8NpFOo9dKtJL7
+7KVjzE27CP7wWNysoj9RfHU6F4sLpTU9VNOTRidtGG8xB52BCmrQavWSCy8et3PH
+i2elaaZABNGZZoLDr5/syHL/NT+MfZgy77qkzs0Y/0bgwGOqiR7iAqbFdxeQNN8/
+Z3v2fbtJsEsAEQEAAYkCNgQYAQgAIBYhBEemj843x9cCT9ZeETVs5iwrUkCZBQJd
+wuAJAhsMAAoJEDVs5iwrUkCZIkAP/AptO20H9hSCk3cERAiTu6b6bnN8xNV7Eri8
+ruNKqbFl9uC5fe0u3KTiu6zdo0melA6F6TYF1Yjs5mucogvhjulFFsa/MRPwg13r
+msMR1LdF65/lEJ1rIq7K2Yn41T5F6Lu9UDPpGkPal8uJYjqUWiY3/Ae4s94pYDFA
+ApzHMDlZ/o27MC0KTXrbCpPr6y8EJSCz5FnChsSLtSK6NxO1qCD6Ixx7U+wqO5kk
+c2jSNNFVO4zMGcFxUC/yG3hrCpWgMsYdQc0S5y3TzfIcYmLRKtiBuulKtxJooLcD
+r4dOnf0Iv4AR+glsXWoUZOx8AE8qzb2433bszZ4RfpTwN/YiqyOfiBmrCui6fR5J
+VCQ9EPSSu8mnP3FI+S6bWPzwRQu3iShyS8qIZr5V2IEUngFxJu7hqVOZP41GQzOG
+daOSW6IjVUKKg1rOog2CW/NnEYyipbwtndpRSsbQTkd8SWVFLCKaEK7LcZ9SwOQ3
+AaLD73fSEsiGbN/FMiTU89OxlHnRKXhN2IS5HrHOp9oi/Q9mI8/0uADbpMZfWGQ1
+vhBUvC7U3IbytdTh1rm71sVhVe7cSxZpAWEMJNpKwotjFYLkWRo/G6Hao7ctR/GT
+HwOTWMACnskJrJkx6jZkdVrP3HUAle/t6vUbq5VLWNQFcceC7Z0tehl/jlQsm1s2
+ytbqi636
+=l1C4
 -----END PGP PUBLIC KEY BLOCK-----
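Review bot: the keyring hunk drops the old armor tail (`Zdi7eA==` and `=qH7J`) and appends new key material inside the same armored block, but nothing in the change says whose key was added or where it was obtained. Record the added key's fingerprint and the upstream location it was taken from in the .changes entry, so the keyring used to verify the release tarball signature can be audited.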
