Signed-off-by: Paul Moore <[email protected]>
---
include/seccomp.h.in | 53 ++++++
src/Makefile | 1
src/arch-x32-syscalls.c | 415 +++++++++++++++++++++++++++++++++++++++++++++
src/arch-x32.c | 35 ++++
src/arch-x32.h | 35 ++++
src/arch.c | 14 ++
src/gen_bpf.c | 25 +++
src/gen_pfc.c | 2
src/python/libseccomp.pxd | 1
src/python/seccomp.pyx | 2
tools/bpf_sim.c | 2
tools/sys_resolver.c | 3
12 files changed, 587 insertions(+), 1 deletion(-)
create mode 100644 src/arch-x32-syscalls.c
create mode 100644 src/arch-x32.c
create mode 100644 src/arch-x32.h
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index b21205c..9c36534 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -108,6 +108,14 @@ struct scmp_arg_cmp {
#define SCMP_ARCH_X86_64 AUDIT_ARCH_X86_64
/**
+ * The x32 (32-bit x86_64) architecture token
+ *
+ * NOTE: this is different from the value used by the kernel because we need to
+ * be able to distinguish between x32 and x86_64
+ */
+#define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)
+
+/**
* Convert a syscall name into the associated syscall number
* @param x the syscall name
*/
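Review bot: The comment on `SCMP_ARCH_X32` says the value differs from the kernel's but not what that implies for callers: it is a library-only token that never appears in `seccomp_data.arch`, and `arch_def_x32.token_bpf` in the new src/arch-x32.c is what the generated BPF actually compares against. Extend the note with `* This token is only used by libseccomp to tell x32 and x86_64 apart; the kernel reports both as AUDIT_ARCH_X86_64, so it must never be compared against seccomp_data.arch.` The same ABI is described as "32-bit x86_64" here and as "64-bit x86 using the x32 ABI" in the seccomp.pyx hunk; settling on one phrasing would avoid confusion. The list of architecture tokens continues outside the hunk.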
@@ -967,6 +975,51 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
#define __NR_waitpid __PNR_waitpid
#endif /* __NR_waitpid */
+#define __PNR_create_module -10074
+#ifndef __NR_create_module
+#define __NR_create_module __PNR_create_module
+#endif /* __NR_create_module */
+
+#define __PNR_get_kernel_syms -10075
+#ifndef __NR_get_kernel_syms
+#define __NR_get_kernel_syms __PNR_get_kernel_syms
+#endif /* __NR_get_kernel_syms */
+
+#define __PNR_get_thread_area -10076
+#ifndef __NR_get_thread_area
+#define __NR_get_thread_area __PNR_get_thread_area
+#endif /* __NR_get_thread_area */
+
+#define __PNR_nfsservctl -10077
+#ifndef __NR_nfsservctl
+#define __NR_nfsservctl __PNR_nfsservctl
+#endif /* __NR_nfsservctl */
+
+#define __PNR_query_module -10078
+#ifndef __NR_query_module
+#define __NR_query_module __PNR_query_module
+#endif /* __NR_query_module */
+
+#define __PNR_set_thread_area -10079
+#ifndef __NR_set_thread_area
+#define __NR_set_thread_area __PNR_set_thread_area
+#endif /* __NR_set_thread_area */
+
+#define __PNR__sysctl -10080
+#ifndef __NR__sysctl
+#define __NR__sysctl __PNR__sysctl
+#endif /* __NR__sysctl */
+
+#define __PNR_uselib -10081
+#ifndef __NR_uselib
+#define __NR_uselib __PNR_uselib
+#endif /* __NR_uselib */
+
+#define __PNR_vserver -10082
+#ifndef __NR_vserver
+#define __NR_vserver __PNR_vserver
+#endif /* __NR_vserver */
+
#ifdef __cplusplus
}
#endif
diff --git a/src/Makefile b/src/Makefile
index 8f4063e..bc186b7 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -40,6 +40,7 @@ OBJS = \
api.o db.o arch.o \
arch-i386.o arch-i386-syscalls.o \
arch-x86_64.o arch-x86_64-syscalls.o \
+ arch-x32.o arch-x32-syscalls.o \
hash.o \
gen_pfc.o gen_bpf.o
diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c
new file mode 100644
index 0000000..0985f2a
--- /dev/null
+++ b/src/arch-x32-syscalls.c
@@ -0,0 +1,415 @@
+/**
+ * Enhanced Seccomp x32 Syscall Table
+ *
+ * Copyright (c) 2013 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <seccomp.h>
+
+#include "arch.h"
+#include "arch-x32.h"
+
+#define __X32_SYSCALL_BIT 0x40000000
+
+/* NOTE: based on Linux 3.7.3 */
+const struct arch_syscall_def x32_syscall_table[] = \
+{
+ { "accept", (__X32_SYSCALL_BIT + 43) },
+ { "accept4", (__X32_SYSCALL_BIT + 288) },
+ { "access", (__X32_SYSCALL_BIT + 21) },
+ { "acct", (__X32_SYSCALL_BIT + 163) },
+ { "add_key", (__X32_SYSCALL_BIT + 248) },
+ { "adjtimex", (__X32_SYSCALL_BIT + 159) },
+ { "afs_syscall", (__X32_SYSCALL_BIT + 183) },
+ { "alarm", (__X32_SYSCALL_BIT + 37) },
+ { "arch_prctl", (__X32_SYSCALL_BIT + 158) },
+ { "bdflush", __PNR_bdflush },
+ { "bind", (__X32_SYSCALL_BIT + 49) },
+ { "break", __PNR_break },
+ { "brk", (__X32_SYSCALL_BIT + 12) },
+ { "capget", (__X32_SYSCALL_BIT + 125) },
+ { "capset", (__X32_SYSCALL_BIT + 126) },
+ { "chdir", (__X32_SYSCALL_BIT + 80) },
+ { "chmod", (__X32_SYSCALL_BIT + 90) },
+ { "chown", (__X32_SYSCALL_BIT + 92) },
+ { "chown32", __PNR_chown32 },
+ { "chroot", (__X32_SYSCALL_BIT + 161) },
+ { "clock_adjtime", (__X32_SYSCALL_BIT + 305) },
+ { "clock_getres", (__X32_SYSCALL_BIT + 229) },
+ { "clock_gettime", (__X32_SYSCALL_BIT + 228) },
+ { "clock_nanosleep", (__X32_SYSCALL_BIT + 230) },
+ { "clock_settime", (__X32_SYSCALL_BIT + 227) },
+ { "clone", (__X32_SYSCALL_BIT + 56) },
+ { "close", (__X32_SYSCALL_BIT + 3) },
+ { "connect", (__X32_SYSCALL_BIT + 42) },
+ { "creat", (__X32_SYSCALL_BIT + 85) },
+ { "create_module", __PNR_create_module },
+ { "delete_module", (__X32_SYSCALL_BIT + 176) },
+ { "dup", (__X32_SYSCALL_BIT + 32) },
+ { "dup2", (__X32_SYSCALL_BIT + 33) },
+ { "dup3", (__X32_SYSCALL_BIT + 292) },
+ { "epoll_create", (__X32_SYSCALL_BIT + 213) },
+ { "epoll_create1", (__X32_SYSCALL_BIT + 291) },
+ { "epoll_ctl", (__X32_SYSCALL_BIT + 233) },
+ { "epoll_ctl_old", __PNR_epoll_ctl_old },
+ { "epoll_pwait", (__X32_SYSCALL_BIT + 281) },
+ { "epoll_wait", (__X32_SYSCALL_BIT + 232) },
+ { "epoll_wait_old", __PNR_epoll_wait_old },
+ { "eventfd", (__X32_SYSCALL_BIT + 284) },
+ { "eventfd2", (__X32_SYSCALL_BIT + 290) },
+ { "execve", (__X32_SYSCALL_BIT + 520) },
+ { "exit", (__X32_SYSCALL_BIT + 60) },
+ { "exit_group", (__X32_SYSCALL_BIT + 231) },
+ { "faccessat", (__X32_SYSCALL_BIT + 269) },
+ { "fadvise64", (__X32_SYSCALL_BIT + 221) },
+ { "fadvise64_64", __PNR_fadvise64_64 },
+ { "fallocate", (__X32_SYSCALL_BIT + 285) },
+ { "fanotify_init", (__X32_SYSCALL_BIT + 300) },
+ { "fanotify_mark", (__X32_SYSCALL_BIT + 301) },
+ { "fchdir", (__X32_SYSCALL_BIT + 81) },
+ { "fchmod", (__X32_SYSCALL_BIT + 91) },
+ { "fchmodat", (__X32_SYSCALL_BIT + 268) },
+ { "fchown", (__X32_SYSCALL_BIT + 93) },
+ { "fchown32", __PNR_fchown32 },
+ { "fchownat", (__X32_SYSCALL_BIT + 260) },
+ { "fcntl", (__X32_SYSCALL_BIT + 72) },
+ { "fcntl64", __PNR_fcntl64 },
+ { "fdatasync", (__X32_SYSCALL_BIT + 75) },
+ { "fgetxattr", (__X32_SYSCALL_BIT + 193) },
+ { "flistxattr", (__X32_SYSCALL_BIT + 196) },
+ { "flock", (__X32_SYSCALL_BIT + 73) },
+ { "fork", (__X32_SYSCALL_BIT + 57) },
+ { "fremovexattr", (__X32_SYSCALL_BIT + 199) },
+ { "fsetxattr", (__X32_SYSCALL_BIT + 190) },
+ { "fstat", (__X32_SYSCALL_BIT + 5) },
+ { "fstat64", __PNR_fstat64 },
+ { "fstatat64", __PNR_fstatat64 },
+ { "fstatfs64", __PNR_fstatfs64 },
+ { "fstatfs", (__X32_SYSCALL_BIT + 138) },
+ { "fsync", (__X32_SYSCALL_BIT + 74) },
+ { "ftime", __PNR_ftime },
+ { "ftruncate", (__X32_SYSCALL_BIT + 77) },
+ { "ftruncate64", __PNR_ftruncate64 },
+ { "futex", (__X32_SYSCALL_BIT + 202) },
+ { "futimesat", (__X32_SYSCALL_BIT + 261) },
+ { "get_kernel_syms", __PNR_get_kernel_syms },
+ { "get_mempolicy", (__X32_SYSCALL_BIT + 239) },
+ { "get_robust_list", (__X32_SYSCALL_BIT + 531) },
+ { "get_thread_area", __PNR_get_thread_area },
+ { "getcpu", (__X32_SYSCALL_BIT + 309) },
+ { "getcwd", (__X32_SYSCALL_BIT + 79) },
+ { "getdents", (__X32_SYSCALL_BIT + 78) },
+ { "getdents64", (__X32_SYSCALL_BIT + 217) },
+ { "getegid", (__X32_SYSCALL_BIT + 108) },
+ { "getegid32", __PNR_getegid32 },
+ { "geteuid", (__X32_SYSCALL_BIT + 107) },
+ { "geteuid32", __PNR_geteuid32 },
+ { "getgid", (__X32_SYSCALL_BIT + 104) },
+ { "getgid32", __PNR_getgid32 },
+ { "getgroups", (__X32_SYSCALL_BIT + 115) },
+ { "getgroups32", __PNR_getgroups32 },
+ { "getitimer", (__X32_SYSCALL_BIT + 36) },
+ { "getpeername", (__X32_SYSCALL_BIT + 52) },
+ { "getpgid", (__X32_SYSCALL_BIT + 121) },
+ { "getpgrp", (__X32_SYSCALL_BIT + 111) },
+ { "getpid", (__X32_SYSCALL_BIT + 39) },
+ { "getpmsg", (__X32_SYSCALL_BIT + 181) },
+ { "getppid", (__X32_SYSCALL_BIT + 110) },
+ { "getpriority", (__X32_SYSCALL_BIT + 140) },
+ { "getresgid", (__X32_SYSCALL_BIT + 120) },
+ { "getresgid32", __PNR_getresgid32 },
+ { "getresuid", (__X32_SYSCALL_BIT + 118) },
+ { "getresuid32", __PNR_getresuid32 },
+ { "getrlimit", (__X32_SYSCALL_BIT + 97) },
+ { "getrusage", (__X32_SYSCALL_BIT + 98) },
+ { "getsid", (__X32_SYSCALL_BIT + 124) },
+ { "getsockname", (__X32_SYSCALL_BIT + 51) },
+ { "getsockopt", (__X32_SYSCALL_BIT + 542) },
+ { "gettid", (__X32_SYSCALL_BIT + 186) },
+ { "gettimeofday", (__X32_SYSCALL_BIT + 96) },
+ { "getuid", (__X32_SYSCALL_BIT + 102) },
+ { "getuid32", __PNR_getuid32 },
+ { "getxattr", (__X32_SYSCALL_BIT + 191) },
+ { "gtty", __PNR_gtty },
+ { "idle", __PNR_idle },
+ { "init_module", (__X32_SYSCALL_BIT + 175) },
+ { "inotify_add_watch", (__X32_SYSCALL_BIT + 254) },
+ { "inotify_init", (__X32_SYSCALL_BIT + 253) },
+ { "inotify_init1", (__X32_SYSCALL_BIT + 294) },
+ { "inotify_rm_watch", (__X32_SYSCALL_BIT + 255) },
+ { "io_cancel", (__X32_SYSCALL_BIT + 210) },
+ { "io_destroy", (__X32_SYSCALL_BIT + 207) },
+ { "io_getevents", (__X32_SYSCALL_BIT + 208) },
+ { "io_setup", (__X32_SYSCALL_BIT + 206) },
+ { "io_submit", (__X32_SYSCALL_BIT + 209) },
+ { "ioctl", (__X32_SYSCALL_BIT + 514) },
+ { "ioperm", (__X32_SYSCALL_BIT + 173) },
+ { "iopl", (__X32_SYSCALL_BIT + 172) },
+ { "ioprio_get", (__X32_SYSCALL_BIT + 252) },
+ { "ioprio_set", (__X32_SYSCALL_BIT + 251) },
+ { "ipc", __PNR_ipc },
+ { "kcmp", (__X32_SYSCALL_BIT + 312) },
+ { "kexec_load", (__X32_SYSCALL_BIT + 528) },
+ { "keyctl", (__X32_SYSCALL_BIT + 250) },
+ { "kill", (__X32_SYSCALL_BIT + 62) },
+ { "lchown", (__X32_SYSCALL_BIT + 94) },
+ { "lchown32", __PNR_lchown32 },
+ { "lgetxattr", (__X32_SYSCALL_BIT + 192) },
+ { "link", (__X32_SYSCALL_BIT + 86) },
+ { "linkat", (__X32_SYSCALL_BIT + 265) },
+ { "listen", (__X32_SYSCALL_BIT + 50) },
+ { "listxattr", (__X32_SYSCALL_BIT + 194) },
+ { "llistxattr", (__X32_SYSCALL_BIT + 195) },
+ { "_llseek", __PNR__llseek },
+ { "lock", __PNR_lock },
+ { "lookup_dcookie", (__X32_SYSCALL_BIT + 212) },
+ { "lremovexattr", (__X32_SYSCALL_BIT + 198) },
+ { "lseek", (__X32_SYSCALL_BIT + 8) },
+ { "lsetxattr", (__X32_SYSCALL_BIT + 189) },
+ { "lstat", (__X32_SYSCALL_BIT + 6) },
+ { "lstat64", __PNR_lstat64 },
+ { "madvise", (__X32_SYSCALL_BIT + 28) },
+ { "mbind", (__X32_SYSCALL_BIT + 237) },
+ { "migrate_pages", (__X32_SYSCALL_BIT + 256) },
+ { "mincore", (__X32_SYSCALL_BIT + 27) },
+ { "mkdir", (__X32_SYSCALL_BIT + 83) },
+ { "mkdirat", (__X32_SYSCALL_BIT + 258) },
+ { "mknod", (__X32_SYSCALL_BIT + 133) },
+ { "mknodat", (__X32_SYSCALL_BIT + 259) },
+ { "mlock", (__X32_SYSCALL_BIT + 149) },
+ { "mlockall", (__X32_SYSCALL_BIT + 151) },
+ { "mmap", (__X32_SYSCALL_BIT + 9) },
+ { "mmap2", __PNR_mmap2 },
+ { "modify_ldt", (__X32_SYSCALL_BIT + 154) },
+ { "mount", (__X32_SYSCALL_BIT + 165) },
+ { "move_pages", (__X32_SYSCALL_BIT + 533) },
+ { "mprotect", (__X32_SYSCALL_BIT + 10) },
+ { "mpx", __PNR_mpx },
+ { "mq_getsetattr", (__X32_SYSCALL_BIT + 245) },
+ { "mq_notify", (__X32_SYSCALL_BIT + 527) },
+ { "mq_open", (__X32_SYSCALL_BIT + 240) },
+ { "mq_timedreceive", (__X32_SYSCALL_BIT + 243) },
+ { "mq_timedsend", (__X32_SYSCALL_BIT + 242) },
+ { "mq_unlink", (__X32_SYSCALL_BIT + 241) },
+ { "mremap", (__X32_SYSCALL_BIT + 25) },
+ { "msgctl", (__X32_SYSCALL_BIT + 71) },
+ { "msgget", (__X32_SYSCALL_BIT + 68) },
+ { "msgrcv", (__X32_SYSCALL_BIT + 70) },
+ { "msgsnd", (__X32_SYSCALL_BIT + 69) },
+ { "msync", (__X32_SYSCALL_BIT + 26) },
+ { "munlock", (__X32_SYSCALL_BIT + 150) },
+ { "munlockall", (__X32_SYSCALL_BIT + 152) },
+ { "munmap", (__X32_SYSCALL_BIT + 11) },
+ { "name_to_handle_at", (__X32_SYSCALL_BIT + 303) },
+ { "nanosleep", (__X32_SYSCALL_BIT + 35) },
+ { "_newselect", __PNR__newselect },
+ { "newfstatat", (__X32_SYSCALL_BIT + 262) },
+ { "nice", __PNR_nice },
+ { "nfsservctl", __PNR_nfsservctl },
+ { "oldfstat", __PNR_oldfstat },
+ { "oldlstat", __PNR_oldlstat },
+ { "oldolduname", __PNR_oldolduname },
+ { "oldstat", __PNR_oldstat },
+ { "olduname", __PNR_olduname },
+ { "open", (__X32_SYSCALL_BIT + 2) },
+ { "open_by_handle_at", (__X32_SYSCALL_BIT + 304) },
+ { "openat", (__X32_SYSCALL_BIT + 257) },
+ { "pause", (__X32_SYSCALL_BIT + 34) },
+ { "perf_event_open", (__X32_SYSCALL_BIT + 298) },
+ { "personality", (__X32_SYSCALL_BIT + 135) },
+ { "pipe", (__X32_SYSCALL_BIT + 22) },
+ { "pipe2", (__X32_SYSCALL_BIT + 293) },
+ { "pivot_root", (__X32_SYSCALL_BIT + 155) },
+ { "poll", (__X32_SYSCALL_BIT + 7) },
+ { "ppoll", (__X32_SYSCALL_BIT + 271) },
+ { "prctl", (__X32_SYSCALL_BIT + 157) },
+ { "pread64", (__X32_SYSCALL_BIT + 17) },
+ { "preadv", (__X32_SYSCALL_BIT + 534) },
+ { "prlimit64", (__X32_SYSCALL_BIT + 302) },
+ { "process_vm_readv", (__X32_SYSCALL_BIT + 539) },
+ { "process_vm_writev", (__X32_SYSCALL_BIT + 540) },
+ { "prof", __PNR_prof },
+ { "profil", __PNR_profil },
+ { "pselect6", (__X32_SYSCALL_BIT + 270) },
+ { "ptrace", (__X32_SYSCALL_BIT + 521) },
+ { "putpmsg", (__X32_SYSCALL_BIT + 182) },
+ { "pwrite64", (__X32_SYSCALL_BIT + 18) },
+ { "pwritev", (__X32_SYSCALL_BIT + 535) },
+ { "query_module", __PNR_query_module },
+ { "quotactl", (__X32_SYSCALL_BIT + 179) },
+ { "read", (__X32_SYSCALL_BIT + 0) },
+ { "readahead", (__X32_SYSCALL_BIT + 187) },
+ { "readdir", __PNR_readdir },
+ { "readlink", (__X32_SYSCALL_BIT + 89) },
+ { "readlinkat", (__X32_SYSCALL_BIT + 267) },
+ { "readv", (__X32_SYSCALL_BIT + 515) },
+ { "reboot", (__X32_SYSCALL_BIT + 169) },
+ { "recv", __PNR_recv },
+ { "recvfrom", (__X32_SYSCALL_BIT + 517) },
+ { "recvmmsg", (__X32_SYSCALL_BIT + 537) },
+ { "recvmsg", (__X32_SYSCALL_BIT + 519) },
+ { "remap_file_pages", (__X32_SYSCALL_BIT + 216) },
+ { "removexattr", (__X32_SYSCALL_BIT + 197) },
+ { "rename", (__X32_SYSCALL_BIT + 82) },
+ { "renameat", (__X32_SYSCALL_BIT + 264) },
+ { "request_key", (__X32_SYSCALL_BIT + 249) },
+ { "restart_syscall", (__X32_SYSCALL_BIT + 219) },
+ { "rmdir", (__X32_SYSCALL_BIT + 84) },
+ { "rt_sigaction", (__X32_SYSCALL_BIT + 512) },
+ { "rt_sigpending", (__X32_SYSCALL_BIT + 522) },
+ { "rt_sigprocmask", (__X32_SYSCALL_BIT + 14) },
+ { "rt_sigqueueinfo", (__X32_SYSCALL_BIT + 524) },
+ { "rt_sigreturn", (__X32_SYSCALL_BIT + 513) },
+ { "rt_sigsuspend", (__X32_SYSCALL_BIT + 130) },
+ { "rt_sigtimedwait", (__X32_SYSCALL_BIT + 523) },
+ { "rt_tgsigqueueinfo", (__X32_SYSCALL_BIT + 536) },
+ { "sched_get_priority_max", (__X32_SYSCALL_BIT + 146) },
+ { "sched_get_priority_min", (__X32_SYSCALL_BIT + 147) },
+ { "sched_getaffinity", (__X32_SYSCALL_BIT + 204) },
+ { "sched_getparam", (__X32_SYSCALL_BIT + 143) },
+ { "sched_getscheduler", (__X32_SYSCALL_BIT + 145) },
+ { "sched_rr_get_interval", (__X32_SYSCALL_BIT + 148) },
+ { "sched_setaffinity", (__X32_SYSCALL_BIT + 203) },
+ { "sched_setparam", (__X32_SYSCALL_BIT + 142) },
+ { "sched_setscheduler", (__X32_SYSCALL_BIT + 144) },
+ { "sched_yield", (__X32_SYSCALL_BIT + 24) },
+ { "security", (__X32_SYSCALL_BIT + 185) },
+ { "select", (__X32_SYSCALL_BIT + 23) },
+ { "semctl", (__X32_SYSCALL_BIT + 66) },
+ { "semget", (__X32_SYSCALL_BIT + 64) },
+ { "semop", (__X32_SYSCALL_BIT + 65) },
+ { "semtimedop", (__X32_SYSCALL_BIT + 220) },
+ { "send", __PNR_send },
+ { "sendfile", (__X32_SYSCALL_BIT + 40) },
+ { "sendfile64", __PNR_sendfile64 },
+ { "sendmmsg", (__X32_SYSCALL_BIT + 538) },
+ { "sendmsg", (__X32_SYSCALL_BIT + 518) },
+ { "sendto", (__X32_SYSCALL_BIT + 44) },
+ { "set_mempolicy", (__X32_SYSCALL_BIT + 238) },
+ { "set_robust_list", (__X32_SYSCALL_BIT + 530) },
+ { "set_thread_area", __PNR_set_thread_area },
+ { "set_tid_address", (__X32_SYSCALL_BIT + 218) },
+ { "setdomainname", (__X32_SYSCALL_BIT + 171) },
+ { "setfsgid", (__X32_SYSCALL_BIT + 123) },
+ { "setfsgid32", __PNR_setfsgid32 },
+ { "setfsuid", (__X32_SYSCALL_BIT + 122) },
+ { "setfsuid32", __PNR_setfsuid32 },
+ { "setgid", (__X32_SYSCALL_BIT + 106) },
+ { "setgid32", __PNR_setgid32 },
+ { "setgroups", (__X32_SYSCALL_BIT + 116) },
+ { "setgroups32", __PNR_setgroups32 },
+ { "sethostname", (__X32_SYSCALL_BIT + 170) },
+ { "setitimer", (__X32_SYSCALL_BIT + 38) },
+ { "setns", (__X32_SYSCALL_BIT + 308) },
+ { "setpgid", (__X32_SYSCALL_BIT + 109) },
+ { "setpriority", (__X32_SYSCALL_BIT + 141) },
+ { "setregid", (__X32_SYSCALL_BIT + 114) },
+ { "setregid32", __PNR_setregid32 },
+ { "setresgid", (__X32_SYSCALL_BIT + 119) },
+ { "setresgid32", __PNR_setresgid32 },
+ { "setresuid", (__X32_SYSCALL_BIT + 117) },
+ { "setresuid32", __PNR_setresuid32 },
+ { "setreuid", (__X32_SYSCALL_BIT + 113) },
+ { "setreuid32", __PNR_setreuid32 },
+ { "setrlimit", (__X32_SYSCALL_BIT + 160) },
+ { "setsid", (__X32_SYSCALL_BIT + 112) },
+ { "setsockopt", (__X32_SYSCALL_BIT + 541) },
+ { "settimeofday", (__X32_SYSCALL_BIT + 164) },
+ { "setuid", (__X32_SYSCALL_BIT + 105) },
+ { "setuid32", __PNR_setuid32 },
+ { "setxattr", (__X32_SYSCALL_BIT + 188) },
+ { "sgetmask", __PNR_sgetmask },
+ { "shmat", (__X32_SYSCALL_BIT + 30) },
+ { "shmctl", (__X32_SYSCALL_BIT + 31) },
+ { "shmdt", (__X32_SYSCALL_BIT + 67) },
+ { "shmget", (__X32_SYSCALL_BIT + 29) },
+ { "shutdown", (__X32_SYSCALL_BIT + 48) },
+ { "sigaction", __PNR_sigaction },
+ { "sigaltstack", (__X32_SYSCALL_BIT + 525) },
+ { "signal", __PNR_signal },
+ { "signalfd", (__X32_SYSCALL_BIT + 282) },
+ { "signalfd4", (__X32_SYSCALL_BIT + 289) },
+ { "sigpending", __PNR_sigpending },
+ { "sigprocmask", __PNR_sigprocmask },
+ { "sigreturn", __PNR_sigreturn },
+ { "sigsuspend", __PNR_sigsuspend },
+ { "socket", (__X32_SYSCALL_BIT + 41) },
+ { "socketcall", __PNR_socketcall },
+ { "socketpair", (__X32_SYSCALL_BIT + 53) },
+ { "splice", (__X32_SYSCALL_BIT + 275) },
+ { "ssetmask", __PNR_ssetmask },
+ { "stat", (__X32_SYSCALL_BIT + 4) },
+ { "stat64", __PNR_stat64 },
+ { "statfs", (__X32_SYSCALL_BIT + 137) },
+ { "statfs64", __PNR_statfs64 },
+ { "stime", __PNR_stime },
+ { "stty", __PNR_stty },
+ { "swapoff", (__X32_SYSCALL_BIT + 168) },
+ { "swapon", (__X32_SYSCALL_BIT + 167) },
+ { "symlink", (__X32_SYSCALL_BIT + 88) },
+ { "symlinkat", (__X32_SYSCALL_BIT + 266) },
+ { "sync", (__X32_SYSCALL_BIT + 162) },
+ { "sync_file_range", (__X32_SYSCALL_BIT + 277) },
+ { "syncfs", (__X32_SYSCALL_BIT + 306) },
+ { "_sysctl", __PNR__sysctl },
+ { "sysfs", (__X32_SYSCALL_BIT + 139) },
+ { "sysinfo", (__X32_SYSCALL_BIT + 99) },
+ { "syslog", (__X32_SYSCALL_BIT + 103) },
+ { "tee", (__X32_SYSCALL_BIT + 276) },
+ { "tgkill", (__X32_SYSCALL_BIT + 234) },
+ { "time", (__X32_SYSCALL_BIT + 201) },
+ { "timer_create", (__X32_SYSCALL_BIT + 526) },
+ { "timer_delete", (__X32_SYSCALL_BIT + 226) },
+ { "timer_getoverrun", (__X32_SYSCALL_BIT + 225) },
+ { "timer_gettime", (__X32_SYSCALL_BIT + 224) },
+ { "timer_settime", (__X32_SYSCALL_BIT + 223) },
+ { "timerfd_create", (__X32_SYSCALL_BIT + 283) },
+ { "timerfd_gettime", (__X32_SYSCALL_BIT + 287) },
+ { "timerfd_settime", (__X32_SYSCALL_BIT + 286) },
+ { "times", (__X32_SYSCALL_BIT + 100) },
+ { "tkill", (__X32_SYSCALL_BIT + 200) },
+ { "truncate", (__X32_SYSCALL_BIT + 76) },
+ { "truncate64", __PNR_truncate64 },
+ { "tuxcall", (__X32_SYSCALL_BIT + 184) },
+ { "ugetrlimit", __PNR_ugetrlimit },
+ { "ulimit", __PNR_ulimit },
+ { "umask", (__X32_SYSCALL_BIT + 95) },
+ { "umount", __PNR_umount },
+ { "umount2", (__X32_SYSCALL_BIT + 166) },
+ { "uname", (__X32_SYSCALL_BIT + 63) },
+ { "unlink", (__X32_SYSCALL_BIT + 87) },
+ { "unlinkat", (__X32_SYSCALL_BIT + 263) },
+ { "unshare", (__X32_SYSCALL_BIT + 272) },
+ { "uselib", __PNR_uselib },
+ { "ustat", (__X32_SYSCALL_BIT + 136) },
+ { "utime", (__X32_SYSCALL_BIT + 132) },
+ { "utimensat", (__X32_SYSCALL_BIT + 280) },
+ { "utimes", (__X32_SYSCALL_BIT + 235) },
+ { "vfork", (__X32_SYSCALL_BIT + 58) },
+ { "vhangup", (__X32_SYSCALL_BIT + 153) },
+ { "vm86", __PNR_vm86 },
+ { "vm86old", __PNR_vm86old },
+ { "vmsplice", (__X32_SYSCALL_BIT + 532) },
+ { "vserver", __PNR_vserver },
+ { "wait4", (__X32_SYSCALL_BIT + 61) },
+ { "waitid", (__X32_SYSCALL_BIT + 529) },
+ { "waitpid", __PNR_waitpid },
+ { "write", (__X32_SYSCALL_BIT + 1) },
+ { "writev", (__X32_SYSCALL_BIT + 516) },
+ { NULL, __NR_SCMP_ERROR },
+};
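Review bot: `#define __X32_SYSCALL_BIT 0x40000000` at the top of the new file is unconditional and reuses the name the kernel's own asm/unistd.h defines on x32 builds, so a translation unit that includes both will get a redefinition warning; wrap it in `#ifndef __X32_SYSCALL_BIT` / `#endif`. That constant is also the one piece of x32 knowledge every other consumer needs (the BPF generator and the simulator both see x32 as `AUDIT_ARCH_X86_64` and can only tell the ABIs apart by this bit in the syscall number), so exporting it from src/arch-x32.h next to `x32_arg_count_max` looks more useful than a file-local define. The `= \` continuation before the opening brace of the table is unnecessary; `const struct arch_syscall_def x32_syscall_table[] = {` is the conventional form.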
diff --git a/src/arch-x32.c b/src/arch-x32.c
new file mode 100644
index 0000000..8b5dd97
--- /dev/null
+++ b/src/arch-x32.c
@@ -0,0 +1,35 @@
+/**
+ * Enhanced Seccomp x32 Specific Code
+ *
+ * Copyright (c) 2013 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <linux/audit.h>
+
+#include "arch.h"
+#include "arch-x32.h"
+
+const struct arch_def arch_def_x32 = {
+ .token = SCMP_ARCH_X32,
+ /* NOTE: this seems odd but the kernel treats x32 like x86_64 here */
+ .token_bpf = AUDIT_ARCH_X86_64,
+ .size = ARCH_SIZE_32,
+ .endian = ARCH_ENDIAN_LITTLE,
+};
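Review bot: `<stdlib.h>` and `<errno.h>` are included but nothing in the visible file uses them; the file only defines `arch_def_x32`, so they look like carry-over from the x86_64 file and can be dropped (keep `<linux/audit.h>` for `AUDIT_ARCH_X86_64`). The `NOTE` on `.token_bpf` would help a reader more if it named the consequence rather than the oddity, e.g. `/* the kernel reports x32 tasks as AUDIT_ARCH_X86_64 in seccomp_data.arch; the x32 ABI is only recognisable by __X32_SYSCALL_BIT in the syscall number */`.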
diff --git a/src/arch-x32.h b/src/arch-x32.h
new file mode 100644
index 0000000..9f54e81
--- /dev/null
+++ b/src/arch-x32.h
@@ -0,0 +1,35 @@
+/**
+ * Enhanced Seccomp x32 Specific Code
+ *
+ * Copyright (c) 2013 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _ARCH_X32_H
+#define _ARCH_X32_H
+
+#include <inttypes.h>
+
+#include "arch.h"
+#include "system.h"
+
+#define x32_arg_count_max 6
+
+extern const struct arch_def arch_def_x32;
+extern const struct arch_syscall_def x32_syscall_table[];
+
+#endif
diff --git a/src/arch.c b/src/arch.c
index c515e34..00c190f 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -30,12 +30,17 @@
#include "arch.h"
#include "arch-i386.h"
#include "arch-x86_64.h"
+#include "arch-x32.h"
#include "system.h"
#if __i386__
const struct arch_def *arch_def_native = &arch_def_i386;
#elif __x86_64__
+#ifdef __ILP32__
+const struct arch_def *arch_def_native = &arch_def_x32;
+#else
const struct arch_def *arch_def_native = &arch_def_x86_64;
+#endif /* __ILP32__ */
#else
#error the arch code needs to know about your machine type
#endif /* machine type guess */
@@ -52,6 +57,7 @@ int arch_valid(uint32_t arch)
switch (arch) {
case SCMP_ARCH_X86:
case SCMP_ARCH_X86_64:
+ case SCMP_ARCH_X32:
return 0;
}
@@ -74,6 +80,9 @@ static const struct arch_syscall_def
*_arch_syscall_lookup(uint32_t token)
case SCMP_ARCH_X86_64:
return x86_64_syscall_table;
break;
+ case SCMP_ARCH_X32:
+ return x32_syscall_table;
+ break;
}
return NULL;
@@ -95,6 +104,9 @@ const struct arch_def *arch_def_lookup(uint32_t token)
case SCMP_ARCH_X86_64:
return &arch_def_x86_64;
break;
+ case SCMP_ARCH_X32:
+ return &arch_def_x32;
+ break;
}
return NULL;
@@ -115,6 +127,8 @@ int arch_arg_count_max(const struct arch_def *arch)
return i386_arg_count_max;
case SCMP_ARCH_X86_64:
return x86_64_arg_count_max;
+ case SCMP_ARCH_X32:
+ return x32_arg_count_max;
default:
return -EDOM;
}
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
index c82452f..df3de49 100644
--- a/src/gen_bpf.c
+++ b/src/gen_bpf.c
@@ -1388,10 +1388,12 @@ static int _gen_bpf_build_bpf(struct bpf_state *state,
uint64_t h_val;
unsigned int res_cnt;
unsigned int jmp_len;
+ int arch_x86_64 = -1, arch_x32 = -1;
struct bpf_instr instr;
struct bpf_instr *i_iter;
struct bpf_blk *b_badarch, *b_default;
struct bpf_blk *b_head = NULL, *b_tail = NULL, *b_iter, *b_new, *b_jmp;
+ struct db_filter *db_secondary = NULL;
if (col->filter_cnt == 0)
return -EINVAL;
@@ -1426,7 +1428,28 @@ static int _gen_bpf_build_bpf(struct bpf_state *state,
/* generate the per-architecture filters */
for (iter = 0; iter < col->filter_cnt; iter++) {
- b_new = _gen_bpf_arch(state, col->filters[iter], NULL);
+ if (col->filters[iter]->arch->token == SCMP_ARCH_X86_64)
+ arch_x86_64 = iter;
+ if (col->filters[iter]->arch->token == SCMP_ARCH_X32)
+ arch_x32 = iter;
+ }
+ for (iter = 0; iter < col->filter_cnt; iter++) {
+ /* figure out the secondary arch filter mess */
+ if (iter == arch_x86_64) {
+ if (arch_x32 > iter)
+ db_secondary = col->filters[arch_x32];
+ else if (arch_x32 >= 0)
+ continue;
+ } else if (iter == arch_x32) {
+ if (arch_x86_64 > iter)
+ db_secondary = col->filters[arch_x86_64];
+ else if (arch_x86_64 >= 0)
+ continue;
+ } else
+ db_secondary = NULL;
+
+ /* create the filter for the architecture(s) */
+ b_new = _gen_bpf_arch(state, col->filters[iter], db_secondary);
if (b_new == NULL)
return -ENOMEM;
b_new->prev = b_tail;
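Review bot: `db_secondary` is reset to NULL only on the final `else`, so an x86_64 or x32 iteration in which neither inner branch fires (its partner arch is absent) inherits whatever the previous iteration left in it. With the current pairing that value is always NULL, because every non-NULL assignment is followed by the partner's `continue`, but the invariant is easy to break when another paired arch is added; assign `db_secondary = NULL;` at the top of the loop body and drop the trailing `else`. The comment `/* figure out the secondary arch filter mess */` should say what the pairing is for, i.e. that both archs share `AUDIT_ARCH_X86_64` in `seccomp_data.arch` and therefore have to be emitted as a single arch block. Whether `_gen_bpf_arch` rejects syscall numbers carrying `__X32_SYSCALL_BIT` when `db_secondary` is NULL is not visible here; if it does not, a filter holding only an x86_64 entry would also admit the x32-numbered variant of each allowed syscall. `_gen_bpf_build_bpf` begins and ends outside the hunk.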
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index e19d053..37460a9 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -53,6 +53,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
return "x86";
case SCMP_ARCH_X86_64:
return "x86_64";
+ case SCMP_ARCH_X32:
+ return "x32";
default:
return "UNKNOWN";
}
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index 1af4a30..85be924 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
@@ -29,6 +29,7 @@ cdef extern from "seccomp.h":
SCMP_ARCH_NATIVE
SCMP_ARCH_X86
SCMP_ARCH_X86_64
+ SCMP_ARCH_X32
cdef enum scmp_filter_attr:
SCMP_FLTATR_ACT_DEFAULT
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 9ceee14..22d6e4e 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -124,11 +124,13 @@ cdef class Arch:
NATIVE - the native architecture
X86 - 32-bit x86
X86_64 - 64-bit x86
+ X32 - 64-bit x86 using the x32 ABI
"""
NATIVE = libseccomp.SCMP_ARCH_NATIVE
X86 = libseccomp.SCMP_ARCH_X86
X86_64 = libseccomp.SCMP_ARCH_X86_64
+ X32 = libseccomp.SCMP_ARCH_X32
cdef class Attr:
""" Python object representing the SyscallFilter attributes.
diff --git a/tools/bpf_sim.c b/tools/bpf_sim.c
index 6bd1f20..476a00e 100644
--- a/tools/bpf_sim.c
+++ b/tools/bpf_sim.c
@@ -233,6 +233,8 @@ int main(int argc, char *argv[])
sys_data.arch = AUDIT_ARCH_I386;
else if (strcmp(optarg, "x86_64") == 0)
sys_data.arch = AUDIT_ARCH_X86_64;
+ else if (strcmp(optarg, "x32") == 0)
+ sys_data.arch = AUDIT_ARCH_X86_64;
else if (strcmp(optarg, "ia64") == 0)
sys_data.arch = AUDIT_ARCH_IA64;
else if (strcmp(optarg, "ppc") == 0)
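Review bot: `x32` is mapped to the same `sys_data.arch` value as `x86_64`, which matches what the kernel reports but leaves the two options indistinguishable at a glance and invites someone to "fix" the apparent duplicate. A comment would prevent that: `/* the kernel reports x32 as AUDIT_ARCH_X86_64; an x32 simulation differs only in the syscall number carrying __X32_SYSCALL_BIT */`. `main` continues outside the hunk.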
diff --git a/tools/sys_resolver.c b/tools/sys_resolver.c
index 8a7f361..f3669a8 100644
--- a/tools/sys_resolver.c
+++ b/tools/sys_resolver.c
@@ -28,6 +28,7 @@
#include "../src/arch.h"
#include "../src/arch-i386.h"
#include "../src/arch-x86_64.h"
+#include "../src/arch-x32.h"
/**
* Print the usage information to stderr and exit
@@ -62,6 +63,8 @@ int main(int argc, char *argv[])
arch = &arch_def_i386;
else if (strcmp(optarg, "x86_64") == 0)
arch = &arch_def_x86_64;
+ else if (strcmp(optarg, "x32") == 0)
+ arch = &arch_def_x32;
else
exit_usage(argv[0]);
break;