No code chanages here, just an effort to improve naming consistency
a bit.
Signed-off-by: Paul Moore <[email protected]>
---
src/Makefile | 2
src/arch-i386-syscalls.c | 421 ----------------------------------------------
src/arch-i386.c | 114 ------------
src/arch-i386.h | 41 ----
src/arch-x86-syscalls.c | 421 ++++++++++++++++++++++++++++++++++++++++++++++
src/arch-x86.c | 113 ++++++++++++
src/arch-x86.h | 40 ++++
src/arch.c | 15 +-
tools/sys_resolver.c | 4
9 files changed, 584 insertions(+), 587 deletions(-)
delete mode 100644 src/arch-i386-syscalls.c
delete mode 100644 src/arch-i386.c
delete mode 100644 src/arch-i386.h
create mode 100644 src/arch-x86-syscalls.c
create mode 100644 src/arch-x86.c
create mode 100644 src/arch-x86.h
diff --git a/src/Makefile b/src/Makefile
index e7c2304..ae50f86 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -38,7 +38,7 @@ LIB_SHARED = libseccomp.so.$(VERSION_RELEASE)
OBJS = \
api.o db.o arch.o \
- arch-i386.o arch-i386-syscalls.o \
+ arch-x86.o arch-x86-syscalls.o \
arch-x86_64.o arch-x86_64-syscalls.o \
arch-x32.o arch-x32-syscalls.o \
arch-arm.o arch-arm-syscalls.o \
diff --git a/src/arch-i386-syscalls.c b/src/arch-i386-syscalls.c
deleted file mode 100644
index 803b0e7..0000000
--- a/src/arch-i386-syscalls.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/**
- * Enhanced Seccomp i386 Syscall Table
- *
- * Copyright (c) 2012 Red Hat <[email protected]>
- * Author: Paul Moore <[email protected]>
- */
-
-/*
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of version 2.1 of the GNU Lesser General Public License as
- * published by the Free Software Foundation.
- *
- * This library is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
- * for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this library; if not, see <http://www.gnu.org/licenses>.
- */
-
-#include <seccomp.h>
-
-#include "arch.h"
-#include "arch-i386.h"
-
-/* NOTE: based on Linux 3.4.7 */
-const struct arch_syscall_def i386_syscall_table[] = \
-{
- { "accept", __PNR_accept },
- { "accept4", __PNR_accept4 },
- { "access", 33 },
- { "acct", 51 },
- { "add_key", 286 },
- { "adjtimex", 124 },
- { "afs_syscall", 137 },
- { "alarm", 27 },
- { "arm_fadvise64_64", __PNR_arm_fadvise64_64 },
- { "arm_sync_file_range", __PNR_arm_sync_file_range },
- { "arch_prctl", __PNR_arch_prctl },
- { "bdflush", 134 },
- { "bind", __PNR_bind },
- { "break", 17 },
- { "brk", 45 },
- { "capget", 184 },
- { "capset", 185 },
- { "chdir", 12 },
- { "chmod", 15 },
- { "chown", 182 },
- { "chown32", 212 },
- { "chroot", 61 },
- { "clock_adjtime", 343 },
- { "clock_getres", 266 },
- { "clock_gettime", 265 },
- { "clock_nanosleep", 267 },
- { "clock_settime", 264 },
- { "clone", 120 },
- { "close", 6 },
- { "connect", __PNR_connect },
- { "creat", 8 },
- { "create_module", 127 },
- { "delete_module", 129 },
- { "dup", 41 },
- { "dup2", 63 },
- { "dup3", 330 },
- { "epoll_create", 254 },
- { "epoll_create1", 329 },
- { "epoll_ctl", 255 },
- { "epoll_ctl_old", __PNR_epoll_ctl_old },
- { "epoll_pwait", 319 },
- { "epoll_wait", 256 },
- { "epoll_wait_old", __PNR_epoll_wait_old },
- { "eventfd", 323 },
- { "eventfd2", 328 },
- { "execve", 11 },
- { "exit", 1 },
- { "exit_group", 252 },
- { "faccessat", 307 },
- { "fadvise64", 250 },
- { "fadvise64_64", 272 },
- { "fallocate", 324 },
- { "fanotify_init", 338 },
- { "fanotify_mark", 339 },
- { "fchdir", 133 },
- { "fchmod", 94 },
- { "fchmodat", 306 },
- { "fchown", 95 },
- { "fchown32", 207 },
- { "fchownat", 298 },
- { "fcntl", 55 },
- { "fcntl64", 221 },
- { "fdatasync", 148 },
- { "fgetxattr", 231 },
- { "finit_module", __PNR_finit_module },
- { "flistxattr", 234 },
- { "flock", 143 },
- { "fork", 2 },
- { "fremovexattr", 237 },
- { "fsetxattr", 228 },
- { "fstat", 108 },
- { "fstat64", 197 },
- { "fstatat64", 300 },
- { "fstatfs", 100 },
- { "fstatfs64", 269 },
- { "fsync", 118 },
- { "ftime", 35 },
- { "ftruncate", 93 },
- { "ftruncate64", 194 },
- { "futex", 240 },
- { "futimesat", 299 },
- { "get_kernel_syms", 130 },
- { "get_mempolicy", 275 },
- { "get_robust_list", 312 },
- { "get_thread_area", 244 },
- { "getcpu", 318 },
- { "getcwd", 183 },
- { "getdents", 141 },
- { "getdents64", 220 },
- { "getegid", 50 },
- { "getegid32", 202 },
- { "geteuid", 49 },
- { "geteuid32", 201 },
- { "getgid", 47 },
- { "getgid32", 200 },
- { "getgroups", 80 },
- { "getgroups32", 205 },
- { "getitimer", 105 },
- { "getpeername", __PNR_getpeername },
- { "getpgid", 132 },
- { "getpgrp", 65 },
- { "getpid", 20 },
- { "getpmsg", 188 },
- { "getppid", 64 },
- { "getpriority", 96 },
- { "getresgid", 171 },
- { "getresgid32", 211 },
- { "getresuid", 165 },
- { "getresuid32", 209 },
- { "getrlimit", 76 },
- { "getrusage", 77 },
- { "getsid", 147 },
- { "getsockname", __PNR_getsockname },
- { "getsockopt", __PNR_getsockopt },
- { "gettid", 224 },
- { "gettimeofday", 78 },
- { "getuid", 24 },
- { "getuid32", 199 },
- { "getxattr", 229 },
- { "gtty", 32 },
- { "idle", 112 },
- { "init_module", 128 },
- { "inotify_add_watch", 292 },
- { "inotify_init", 291 },
- { "inotify_init1", 332 },
- { "inotify_rm_watch", 293 },
- { "io_cancel", 249 },
- { "io_destroy", 246 },
- { "io_getevents", 247 },
- { "io_setup", 245 },
- { "io_submit", 248 },
- { "ioctl", 54 },
- { "ioperm", 101 },
- { "iopl", 110 },
- { "ioprio_get", 290 },
- { "ioprio_set", 289 },
- { "ipc", 117 },
- { "kcmp", 349 },
- { "kexec_load", 283 },
- { "keyctl", 288 },
- { "kill", 37 },
- { "lchown", 16 },
- { "lchown32", 198 },
- { "lgetxattr", 230 },
- { "link", 9 },
- { "linkat", 303 },
- { "listen", __PNR_listen },
- { "listxattr", 232 },
- { "llistxattr", 233 },
- { "_llseek", 140 },
- { "lock", 53 },
- { "lookup_dcookie", 253 },
- { "lremovexattr", 236 },
- { "lseek", 19 },
- { "lsetxattr", 227 },
- { "lstat", 107 },
- { "lstat64", 196 },
- { "madvise", 219 },
- { "mbind", 274 },
- { "migrate_pages", 294 },
- { "mincore", 218 },
- { "mkdir", 39 },
- { "mkdirat", 296 },
- { "mknod", 14 },
- { "mknodat", 297 },
- { "mlock", 150 },
- { "mlockall", 152 },
- { "mmap", 90 },
- { "mmap2", 192 },
- { "modify_ldt", 123 },
- { "mount", 21 },
- { "move_pages", 317 },
- { "mprotect", 125 },
- { "mpx", 56 },
- { "mq_getsetattr", 282 },
- { "mq_notify", 281 },
- { "mq_open", 277 },
- { "mq_timedreceive", 280 },
- { "mq_timedsend", 279 },
- { "mq_unlink", 278 },
- { "mremap", 163 },
- { "msgctl", __PNR_msgctl },
- { "msgget", __PNR_msgget },
- { "msgrcv", __PNR_msgrcv },
- { "msgsnd", __PNR_msgsnd },
- { "msync", 144 },
- { "munlock", 151 },
- { "munlockall", 153 },
- { "munmap", 91 },
- { "name_to_handle_at", 341 },
- { "nanosleep", 162 },
- { "_newselect", 142 },
- { "newfstatat", __PNR_newfstatat },
- { "nfsservctl", 169 },
- { "nice", 34 },
- { "oldfstat", 28 },
- { "oldlstat", 84 },
- { "oldolduname", 59 },
- { "oldstat", 18 },
- { "olduname", 109 },
- { "open", 5 },
- { "open_by_handle_at", 342 },
- { "openat", 295 },
- { "pause", 29 },
- { "pciconfig_iobase", __PNR_pciconfig_iobase },
- { "pciconfig_read", __PNR_pciconfig_read },
- { "pciconfig_write", __PNR_pciconfig_write },
- { "perf_event_open", 336 },
- { "personality", 136 },
- { "pipe", 42 },
- { "pipe2", 331 },
- { "pivot_root", 217 },
- { "poll", 168 },
- { "ppoll", 309 },
- { "prctl", 172 },
- { "pread64", 180 },
- { "preadv", 333 },
- { "prlimit64", 340 },
- { "process_vm_readv", 347 },
- { "process_vm_writev", 348 },
- { "prof", 44 },
- { "profil", 98 },
- { "pselect6", 308 },
- { "ptrace", 26 },
- { "putpmsg", 189 },
- { "pwrite64", 181 },
- { "pwritev", 334 },
- { "query_module", 167 },
- { "quotactl", 131 },
- { "read", 3 },
- { "readahead", 225 },
- { "readdir", 89 },
- { "readlink", 85 },
- { "readlinkat", 305 },
- { "readv", 145 },
- { "reboot", 88 },
- { "recv", __PNR_recv },
- { "recvfrom", __PNR_recvfrom },
- { "recvmmsg", 337 },
- { "recvmsg", __PNR_recvmsg },
- { "remap_file_pages", 257 },
- { "removexattr", 235 },
- { "rename", 38 },
- { "renameat", 302 },
- { "request_key", 287 },
- { "restart_syscall", 0 },
- { "rmdir", 40 },
- { "rt_sigaction", 174 },
- { "rt_sigpending", 176 },
- { "rt_sigprocmask", 175 },
- { "rt_sigqueueinfo", 178 },
- { "rt_sigreturn", 173 },
- { "rt_sigsuspend", 179 },
- { "rt_sigtimedwait", 177 },
- { "rt_tgsigqueueinfo", 335 },
- { "sched_get_priority_max", 159 },
- { "sched_get_priority_min", 160 },
- { "sched_getaffinity", 242 },
- { "sched_getparam", 155 },
- { "sched_getscheduler", 157 },
- { "sched_rr_get_interval", 161 },
- { "sched_setaffinity", 241 },
- { "sched_setparam", 154 },
- { "sched_setscheduler", 156 },
- { "sched_yield", 158 },
- { "security", __PNR_security },
- { "select", 82 },
- { "semctl", __PNR_semctl },
- { "semget", __PNR_semget },
- { "semop", __PNR_semop },
- { "semtimedop", __PNR_semtimedop },
- { "send", __PNR_send },
- { "sendfile", 187 },
- { "sendfile64", 239 },
- { "sendmmsg", 345 },
- { "sendmsg", __PNR_sendmsg },
- { "sendto", __PNR_sendto },
- { "set_mempolicy", 276 },
- { "set_robust_list", 311 },
- { "set_thread_area", 243 },
- { "set_tid_address", 258 },
- { "setdomainname", 121 },
- { "setfsgid", 139 },
- { "setfsgid32", 216 },
- { "setfsuid", 138 },
- { "setfsuid32", 215 },
- { "setgid", 46 },
- { "setgid32", 214 },
- { "setgroups", 81 },
- { "setgroups32", 206 },
- { "sethostname", 74 },
- { "setitimer", 104 },
- { "setns", 346 },
- { "setpgid", 57 },
- { "setpriority", 97 },
- { "setregid", 71 },
- { "setregid32", 204 },
- { "setresgid", 170 },
- { "setresgid32", 210 },
- { "setresuid", 164 },
- { "setresuid32", 208 },
- { "setreuid", 70 },
- { "setreuid32", 203 },
- { "setrlimit", 75 },
- { "setsid", 66 },
- { "setsockopt", __PNR_setsockopt },
- { "settimeofday", 79 },
- { "setuid", 23 },
- { "setuid32", 213 },
- { "setxattr", 226 },
- { "sgetmask", 68 },
- { "shmat", __PNR_shmat },
- { "shmctl", __PNR_shmctl },
- { "shmdt", __PNR_shmdt },
- { "shmget", __PNR_shmget },
- { "shutdown", __PNR_shutdown },
- { "sigaction", 67 },
- { "sigaltstack", 186 },
- { "signal", 48 },
- { "signalfd", 321 },
- { "signalfd4", 327 },
- { "sigpending", 73 },
- { "sigprocmask", 126 },
- { "sigreturn", 119 },
- { "sigsuspend", 72 },
- { "socket", __PNR_socket },
- { "socketcall", 102 },
- { "socketpair", __PNR_socketpair },
- { "splice", 313 },
- { "ssetmask", 69 },
- { "stat", 106 },
- { "stat64", 195 },
- { "statfs", 99 },
- { "statfs64", 268 },
- { "stime", 25 },
- { "stty", 31 },
- { "swapoff", 115 },
- { "swapon", 87 },
- { "symlink", 83 },
- { "symlinkat", 304 },
- { "sync", 36 },
- { "sync_file_range", 314 },
- { "sync_file_range2", __PNR_sync_file_range2 },
- { "syncfs", 344 },
- { "syscall", __PNR_syscall },
- { "_sysctl", 149 },
- { "sysfs", 135 },
- { "sysinfo", 116 },
- { "syslog", 103 },
- { "tee", 315 },
- { "tgkill", 270 },
- { "time", 13 },
- { "timer_create", 259 },
- { "timer_delete", 263 },
- { "timer_getoverrun", 262 },
- { "timer_gettime", 261 },
- { "timer_settime", 260 },
- { "timerfd_create", 322 },
- { "timerfd_gettime", 326 },
- { "timerfd_settime", 325 },
- { "times", 43 },
- { "tkill", 238 },
- { "truncate", 92 },
- { "truncate64", 193 },
- { "tuxcall", __PNR_tuxcall },
- { "ugetrlimit", 191 },
- { "ulimit", 58 },
- { "umask", 60 },
- { "umount", 22 },
- { "umount2", 52 },
- { "uname", 122 },
- { "unlink", 10 },
- { "unlinkat", 301 },
- { "unshare", 310 },
- { "uselib", 86 },
- { "ustat", 62 },
- { "utime", 30 },
- { "utimensat", 320 },
- { "utimes", 271 },
- { "vfork", 190 },
- { "vhangup", 111 },
- { "vm86", 166 },
- { "vm86old", 113 },
- { "vmsplice", 316 },
- { "vserver", 273 },
- { "wait4", 114 },
- { "waitid", 284 },
- { "waitpid", 7 },
- { "write", 4 },
- { "writev", 146 },
- { NULL, __NR_SCMP_ERROR },
-};
diff --git a/src/arch-i386.c b/src/arch-i386.c
deleted file mode 100644
index 3738da7..0000000
--- a/src/arch-i386.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/**
- * Enhanced Seccomp i386 Specific Code
- *
- * Copyright (c) 2012 Red Hat <[email protected]>
- * Author: Paul Moore <[email protected]>
- */
-
-/*
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of version 2.1 of the GNU Lesser General Public License as
- * published by the Free Software Foundation.
- *
- * This library is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
- * for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this library; if not, see <http://www.gnu.org/licenses>.
- */
-
-#include <stdlib.h>
-#include <errno.h>
-#include <linux/audit.h>
-
-#include "arch.h"
-#include "arch-i386.h"
-
-/* i386 syscall numbers */
-#define __i386_NR_socketcall 102
-#define __i386_NR_ipc 117
-
-const struct arch_def arch_def_i386 = {
- .token = SCMP_ARCH_X86,
- .token_bpf = AUDIT_ARCH_I386,
- .size = ARCH_SIZE_32,
- .endian = ARCH_ENDIAN_LITTLE,
-};
-
-/**
- * Rewrite a syscall value to match the architecture
- * @param arch the architecture definition
- * @param strict strict flag
- * @param syscall the syscall number
- *
- * Syscalls can vary across different architectures so this function rewrites
- * the syscall into the correct value for the specified architecture. If
- * @strict is true then the function will fail if the syscall can not be
- * preservered, however, if @strict is false the function will do a "best
- * effort" rewrite and not fail. Returns zero on success, negative values on
- * failure.
- *
- */
-int i386_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
- int *syscall)
-{
- if ((*syscall) <= -100 && (*syscall) >= -117)
- *syscall = __i386_NR_socketcall;
- else if ((*syscall) <= -200 && (*syscall) >= -211)
- *syscall = __i386_NR_ipc;
- else if (((*syscall) < 0) && (strict))
- return -EDOM;
-
- return 0;
-}
-
-/**
- * Rewrite a filter rule to match the architecture specifics
- * @param arch the architecture definition
- * @param strict strict flag
- * @param syscall the syscall number
- * @param chain the argument filter chain
- *
- * Syscalls can vary across different architectures so this function handles
- * the necessary seccomp rule rewrites to ensure the right thing is done
- * regardless of the rule or architecture. If @strict is true then the
- * function will fail if the entire filter can not be preservered, however,
- * if @strict is false the function will do a "best effort" rewrite and not
- * fail. Returns zero on success, negative values on failure.
- *
- */
-int i386_filter_rewrite(const struct arch_def *arch,
- unsigned int strict,
- int *syscall, struct db_api_arg *chain)
-{
- unsigned int iter;
-
- if ((*syscall) <= -100 && (*syscall) >= -117) {
- for (iter = 0; iter < i386_arg_count_max; iter++) {
- if ((chain[iter].valid != 0) && (strict))
- return -EINVAL;
- }
- chain[0].arg = 0;
- chain[0].op = SCMP_CMP_EQ;
- chain[0].mask = DATUM_MAX;
- chain[0].datum = abs(*syscall) % 100;
- chain[0].valid = 1;
- *syscall = __i386_NR_socketcall;
- } else if ((*syscall) <= -200 && (*syscall) >= -211) {
- for (iter = 0; iter < i386_arg_count_max; iter++) {
- if ((chain[iter].valid != 0) && (strict))
- return -EINVAL;
- }
- chain[0].arg = 0;
- chain[0].op = SCMP_CMP_EQ;
- chain[0].mask = DATUM_MAX;
- chain[0].datum = abs(*syscall) % 200;
- chain[0].valid = 1;
- *syscall = __i386_NR_ipc;
- } else if (((*syscall) < 0) && (strict))
- return -EDOM;
-
- return 0;
-}
diff --git a/src/arch-i386.h b/src/arch-i386.h
deleted file mode 100644
index 809b769..0000000
--- a/src/arch-i386.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Enhanced Seccomp i386 Specific Code
- *
- * Copyright (c) 2012 Red Hat <[email protected]>
- * Author: Paul Moore <[email protected]>
- */
-
-/*
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of version 2.1 of the GNU Lesser General Public License as
- * published by the Free Software Foundation.
- *
- * This library is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
- * for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this library; if not, see <http://www.gnu.org/licenses>.
- */
-
-#ifndef _ARCH_i386_H
-#define _ARCH_i386_H
-
-#include "arch.h"
-#include "db.h"
-#include "system.h"
-
-#define i386_arg_count_max 6
-
-extern const struct arch_def arch_def_i386;
-extern const struct arch_syscall_def i386_syscall_table[];
-
-int i386_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
- int *syscall);
-
-int i386_filter_rewrite(const struct arch_def *arch,
- unsigned int strict,
- int *syscall, struct db_api_arg *chain);
-
-#endif
diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c
new file mode 100644
index 0000000..b44f2a2
--- /dev/null
+++ b/src/arch-x86-syscalls.c
@@ -0,0 +1,421 @@
+/**
+ * Enhanced Seccomp x86 Syscall Table
+ *
+ * Copyright (c) 2012 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <seccomp.h>
+
+#include "arch.h"
+#include "arch-x86.h"
+
+/* NOTE: based on Linux 3.4.7 */
+const struct arch_syscall_def x86_syscall_table[] = \
+{
+ { "accept", __PNR_accept },
+ { "accept4", __PNR_accept4 },
+ { "access", 33 },
+ { "acct", 51 },
+ { "add_key", 286 },
+ { "adjtimex", 124 },
+ { "afs_syscall", 137 },
+ { "alarm", 27 },
+ { "arm_fadvise64_64", __PNR_arm_fadvise64_64 },
+ { "arm_sync_file_range", __PNR_arm_sync_file_range },
+ { "arch_prctl", __PNR_arch_prctl },
+ { "bdflush", 134 },
+ { "bind", __PNR_bind },
+ { "break", 17 },
+ { "brk", 45 },
+ { "capget", 184 },
+ { "capset", 185 },
+ { "chdir", 12 },
+ { "chmod", 15 },
+ { "chown", 182 },
+ { "chown32", 212 },
+ { "chroot", 61 },
+ { "clock_adjtime", 343 },
+ { "clock_getres", 266 },
+ { "clock_gettime", 265 },
+ { "clock_nanosleep", 267 },
+ { "clock_settime", 264 },
+ { "clone", 120 },
+ { "close", 6 },
+ { "connect", __PNR_connect },
+ { "creat", 8 },
+ { "create_module", 127 },
+ { "delete_module", 129 },
+ { "dup", 41 },
+ { "dup2", 63 },
+ { "dup3", 330 },
+ { "epoll_create", 254 },
+ { "epoll_create1", 329 },
+ { "epoll_ctl", 255 },
+ { "epoll_ctl_old", __PNR_epoll_ctl_old },
+ { "epoll_pwait", 319 },
+ { "epoll_wait", 256 },
+ { "epoll_wait_old", __PNR_epoll_wait_old },
+ { "eventfd", 323 },
+ { "eventfd2", 328 },
+ { "execve", 11 },
+ { "exit", 1 },
+ { "exit_group", 252 },
+ { "faccessat", 307 },
+ { "fadvise64", 250 },
+ { "fadvise64_64", 272 },
+ { "fallocate", 324 },
+ { "fanotify_init", 338 },
+ { "fanotify_mark", 339 },
+ { "fchdir", 133 },
+ { "fchmod", 94 },
+ { "fchmodat", 306 },
+ { "fchown", 95 },
+ { "fchown32", 207 },
+ { "fchownat", 298 },
+ { "fcntl", 55 },
+ { "fcntl64", 221 },
+ { "fdatasync", 148 },
+ { "fgetxattr", 231 },
+ { "finit_module", __PNR_finit_module },
+ { "flistxattr", 234 },
+ { "flock", 143 },
+ { "fork", 2 },
+ { "fremovexattr", 237 },
+ { "fsetxattr", 228 },
+ { "fstat", 108 },
+ { "fstat64", 197 },
+ { "fstatat64", 300 },
+ { "fstatfs", 100 },
+ { "fstatfs64", 269 },
+ { "fsync", 118 },
+ { "ftime", 35 },
+ { "ftruncate", 93 },
+ { "ftruncate64", 194 },
+ { "futex", 240 },
+ { "futimesat", 299 },
+ { "get_kernel_syms", 130 },
+ { "get_mempolicy", 275 },
+ { "get_robust_list", 312 },
+ { "get_thread_area", 244 },
+ { "getcpu", 318 },
+ { "getcwd", 183 },
+ { "getdents", 141 },
+ { "getdents64", 220 },
+ { "getegid", 50 },
+ { "getegid32", 202 },
+ { "geteuid", 49 },
+ { "geteuid32", 201 },
+ { "getgid", 47 },
+ { "getgid32", 200 },
+ { "getgroups", 80 },
+ { "getgroups32", 205 },
+ { "getitimer", 105 },
+ { "getpeername", __PNR_getpeername },
+ { "getpgid", 132 },
+ { "getpgrp", 65 },
+ { "getpid", 20 },
+ { "getpmsg", 188 },
+ { "getppid", 64 },
+ { "getpriority", 96 },
+ { "getresgid", 171 },
+ { "getresgid32", 211 },
+ { "getresuid", 165 },
+ { "getresuid32", 209 },
+ { "getrlimit", 76 },
+ { "getrusage", 77 },
+ { "getsid", 147 },
+ { "getsockname", __PNR_getsockname },
+ { "getsockopt", __PNR_getsockopt },
+ { "gettid", 224 },
+ { "gettimeofday", 78 },
+ { "getuid", 24 },
+ { "getuid32", 199 },
+ { "getxattr", 229 },
+ { "gtty", 32 },
+ { "idle", 112 },
+ { "init_module", 128 },
+ { "inotify_add_watch", 292 },
+ { "inotify_init", 291 },
+ { "inotify_init1", 332 },
+ { "inotify_rm_watch", 293 },
+ { "io_cancel", 249 },
+ { "io_destroy", 246 },
+ { "io_getevents", 247 },
+ { "io_setup", 245 },
+ { "io_submit", 248 },
+ { "ioctl", 54 },
+ { "ioperm", 101 },
+ { "iopl", 110 },
+ { "ioprio_get", 290 },
+ { "ioprio_set", 289 },
+ { "ipc", 117 },
+ { "kcmp", 349 },
+ { "kexec_load", 283 },
+ { "keyctl", 288 },
+ { "kill", 37 },
+ { "lchown", 16 },
+ { "lchown32", 198 },
+ { "lgetxattr", 230 },
+ { "link", 9 },
+ { "linkat", 303 },
+ { "listen", __PNR_listen },
+ { "listxattr", 232 },
+ { "llistxattr", 233 },
+ { "_llseek", 140 },
+ { "lock", 53 },
+ { "lookup_dcookie", 253 },
+ { "lremovexattr", 236 },
+ { "lseek", 19 },
+ { "lsetxattr", 227 },
+ { "lstat", 107 },
+ { "lstat64", 196 },
+ { "madvise", 219 },
+ { "mbind", 274 },
+ { "migrate_pages", 294 },
+ { "mincore", 218 },
+ { "mkdir", 39 },
+ { "mkdirat", 296 },
+ { "mknod", 14 },
+ { "mknodat", 297 },
+ { "mlock", 150 },
+ { "mlockall", 152 },
+ { "mmap", 90 },
+ { "mmap2", 192 },
+ { "modify_ldt", 123 },
+ { "mount", 21 },
+ { "move_pages", 317 },
+ { "mprotect", 125 },
+ { "mpx", 56 },
+ { "mq_getsetattr", 282 },
+ { "mq_notify", 281 },
+ { "mq_open", 277 },
+ { "mq_timedreceive", 280 },
+ { "mq_timedsend", 279 },
+ { "mq_unlink", 278 },
+ { "mremap", 163 },
+ { "msgctl", __PNR_msgctl },
+ { "msgget", __PNR_msgget },
+ { "msgrcv", __PNR_msgrcv },
+ { "msgsnd", __PNR_msgsnd },
+ { "msync", 144 },
+ { "munlock", 151 },
+ { "munlockall", 153 },
+ { "munmap", 91 },
+ { "name_to_handle_at", 341 },
+ { "nanosleep", 162 },
+ { "_newselect", 142 },
+ { "newfstatat", __PNR_newfstatat },
+ { "nfsservctl", 169 },
+ { "nice", 34 },
+ { "oldfstat", 28 },
+ { "oldlstat", 84 },
+ { "oldolduname", 59 },
+ { "oldstat", 18 },
+ { "olduname", 109 },
+ { "open", 5 },
+ { "open_by_handle_at", 342 },
+ { "openat", 295 },
+ { "pause", 29 },
+ { "pciconfig_iobase", __PNR_pciconfig_iobase },
+ { "pciconfig_read", __PNR_pciconfig_read },
+ { "pciconfig_write", __PNR_pciconfig_write },
+ { "perf_event_open", 336 },
+ { "personality", 136 },
+ { "pipe", 42 },
+ { "pipe2", 331 },
+ { "pivot_root", 217 },
+ { "poll", 168 },
+ { "ppoll", 309 },
+ { "prctl", 172 },
+ { "pread64", 180 },
+ { "preadv", 333 },
+ { "prlimit64", 340 },
+ { "process_vm_readv", 347 },
+ { "process_vm_writev", 348 },
+ { "prof", 44 },
+ { "profil", 98 },
+ { "pselect6", 308 },
+ { "ptrace", 26 },
+ { "putpmsg", 189 },
+ { "pwrite64", 181 },
+ { "pwritev", 334 },
+ { "query_module", 167 },
+ { "quotactl", 131 },
+ { "read", 3 },
+ { "readahead", 225 },
+ { "readdir", 89 },
+ { "readlink", 85 },
+ { "readlinkat", 305 },
+ { "readv", 145 },
+ { "reboot", 88 },
+ { "recv", __PNR_recv },
+ { "recvfrom", __PNR_recvfrom },
+ { "recvmmsg", 337 },
+ { "recvmsg", __PNR_recvmsg },
+ { "remap_file_pages", 257 },
+ { "removexattr", 235 },
+ { "rename", 38 },
+ { "renameat", 302 },
+ { "request_key", 287 },
+ { "restart_syscall", 0 },
+ { "rmdir", 40 },
+ { "rt_sigaction", 174 },
+ { "rt_sigpending", 176 },
+ { "rt_sigprocmask", 175 },
+ { "rt_sigqueueinfo", 178 },
+ { "rt_sigreturn", 173 },
+ { "rt_sigsuspend", 179 },
+ { "rt_sigtimedwait", 177 },
+ { "rt_tgsigqueueinfo", 335 },
+ { "sched_get_priority_max", 159 },
+ { "sched_get_priority_min", 160 },
+ { "sched_getaffinity", 242 },
+ { "sched_getparam", 155 },
+ { "sched_getscheduler", 157 },
+ { "sched_rr_get_interval", 161 },
+ { "sched_setaffinity", 241 },
+ { "sched_setparam", 154 },
+ { "sched_setscheduler", 156 },
+ { "sched_yield", 158 },
+ { "security", __PNR_security },
+ { "select", 82 },
+ { "semctl", __PNR_semctl },
+ { "semget", __PNR_semget },
+ { "semop", __PNR_semop },
+ { "semtimedop", __PNR_semtimedop },
+ { "send", __PNR_send },
+ { "sendfile", 187 },
+ { "sendfile64", 239 },
+ { "sendmmsg", 345 },
+ { "sendmsg", __PNR_sendmsg },
+ { "sendto", __PNR_sendto },
+ { "set_mempolicy", 276 },
+ { "set_robust_list", 311 },
+ { "set_thread_area", 243 },
+ { "set_tid_address", 258 },
+ { "setdomainname", 121 },
+ { "setfsgid", 139 },
+ { "setfsgid32", 216 },
+ { "setfsuid", 138 },
+ { "setfsuid32", 215 },
+ { "setgid", 46 },
+ { "setgid32", 214 },
+ { "setgroups", 81 },
+ { "setgroups32", 206 },
+ { "sethostname", 74 },
+ { "setitimer", 104 },
+ { "setns", 346 },
+ { "setpgid", 57 },
+ { "setpriority", 97 },
+ { "setregid", 71 },
+ { "setregid32", 204 },
+ { "setresgid", 170 },
+ { "setresgid32", 210 },
+ { "setresuid", 164 },
+ { "setresuid32", 208 },
+ { "setreuid", 70 },
+ { "setreuid32", 203 },
+ { "setrlimit", 75 },
+ { "setsid", 66 },
+ { "setsockopt", __PNR_setsockopt },
+ { "settimeofday", 79 },
+ { "setuid", 23 },
+ { "setuid32", 213 },
+ { "setxattr", 226 },
+ { "sgetmask", 68 },
+ { "shmat", __PNR_shmat },
+ { "shmctl", __PNR_shmctl },
+ { "shmdt", __PNR_shmdt },
+ { "shmget", __PNR_shmget },
+ { "shutdown", __PNR_shutdown },
+ { "sigaction", 67 },
+ { "sigaltstack", 186 },
+ { "signal", 48 },
+ { "signalfd", 321 },
+ { "signalfd4", 327 },
+ { "sigpending", 73 },
+ { "sigprocmask", 126 },
+ { "sigreturn", 119 },
+ { "sigsuspend", 72 },
+ { "socket", __PNR_socket },
+ { "socketcall", 102 },
+ { "socketpair", __PNR_socketpair },
+ { "splice", 313 },
+ { "ssetmask", 69 },
+ { "stat", 106 },
+ { "stat64", 195 },
+ { "statfs", 99 },
+ { "statfs64", 268 },
+ { "stime", 25 },
+ { "stty", 31 },
+ { "swapoff", 115 },
+ { "swapon", 87 },
+ { "symlink", 83 },
+ { "symlinkat", 304 },
+ { "sync", 36 },
+ { "sync_file_range", 314 },
+ { "sync_file_range2", __PNR_sync_file_range2 },
+ { "syncfs", 344 },
+ { "syscall", __PNR_syscall },
+ { "_sysctl", 149 },
+ { "sysfs", 135 },
+ { "sysinfo", 116 },
+ { "syslog", 103 },
+ { "tee", 315 },
+ { "tgkill", 270 },
+ { "time", 13 },
+ { "timer_create", 259 },
+ { "timer_delete", 263 },
+ { "timer_getoverrun", 262 },
+ { "timer_gettime", 261 },
+ { "timer_settime", 260 },
+ { "timerfd_create", 322 },
+ { "timerfd_gettime", 326 },
+ { "timerfd_settime", 325 },
+ { "times", 43 },
+ { "tkill", 238 },
+ { "truncate", 92 },
+ { "truncate64", 193 },
+ { "tuxcall", __PNR_tuxcall },
+ { "ugetrlimit", 191 },
+ { "ulimit", 58 },
+ { "umask", 60 },
+ { "umount", 22 },
+ { "umount2", 52 },
+ { "uname", 122 },
+ { "unlink", 10 },
+ { "unlinkat", 301 },
+ { "unshare", 310 },
+ { "uselib", 86 },
+ { "ustat", 62 },
+ { "utime", 30 },
+ { "utimensat", 320 },
+ { "utimes", 271 },
+ { "vfork", 190 },
+ { "vhangup", 111 },
+ { "vm86", 166 },
+ { "vm86old", 113 },
+ { "vmsplice", 316 },
+ { "vserver", 273 },
+ { "wait4", 114 },
+ { "waitid", 284 },
+ { "waitpid", 7 },
+ { "write", 4 },
+ { "writev", 146 },
+ { NULL, __NR_SCMP_ERROR },
+};
diff --git a/src/arch-x86.c b/src/arch-x86.c
new file mode 100644
index 0000000..42c0bb1
--- /dev/null
+++ b/src/arch-x86.c
@@ -0,0 +1,113 @@
+/**
+ * Enhanced Seccomp x86 Specific Code
+ *
+ * Copyright (c) 2012 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <linux/audit.h>
+
+#include "arch.h"
+#include "arch-x86.h"
+
+/* x86 syscall numbers */
+#define __x86_NR_socketcall 102
+#define __x86_NR_ipc 117
+
+const struct arch_def arch_def_x86 = {
+ .token = SCMP_ARCH_X86,
+ .token_bpf = AUDIT_ARCH_I386,
+ .size = ARCH_SIZE_32,
+ .endian = ARCH_ENDIAN_LITTLE,
+};
+
+/**
+ * Rewrite a syscall value to match the architecture
+ * @param arch the architecture definition
+ * @param strict strict flag
+ * @param syscall the syscall number
+ *
+ * Syscalls can vary across different architectures so this function rewrites
+ * the syscall into the correct value for the specified architecture. If
+ * @strict is true then the function will fail if the syscall can not be
+ * preservered, however, if @strict is false the function will do a "best
+ * effort" rewrite and not fail. Returns zero on success, negative values on
+ * failure.
+ *
+ */
+int x86_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
+ int *syscall)
+{
+ if ((*syscall) <= -100 && (*syscall) >= -117)
+ *syscall = __x86_NR_socketcall;
+ else if ((*syscall) <= -200 && (*syscall) >= -211)
+ *syscall = __x86_NR_ipc;
+ else if (((*syscall) < 0) && (strict))
+ return -EDOM;
+
+ return 0;
+}
+
+/**
+ * Rewrite a filter rule to match the architecture specifics
+ * @param arch the architecture definition
+ * @param strict strict flag
+ * @param syscall the syscall number
+ * @param chain the argument filter chain
+ *
+ * Syscalls can vary across different architectures so this function handles
+ * the necessary seccomp rule rewrites to ensure the right thing is done
+ * regardless of the rule or architecture. If @strict is true then the
+ * function will fail if the entire filter can not be preservered, however,
+ * if @strict is false the function will do a "best effort" rewrite and not
+ * fail. Returns zero on success, negative values on failure.
+ *
+ */
+int x86_filter_rewrite(const struct arch_def *arch, unsigned int strict,
+ int *syscall, struct db_api_arg *chain)
+{
+ unsigned int iter;
+
+ if ((*syscall) <= -100 && (*syscall) >= -117) {
+ for (iter = 0; iter < x86_arg_count_max; iter++) {
+ if ((chain[iter].valid != 0) && (strict))
+ return -EINVAL;
+ }
+ chain[0].arg = 0;
+ chain[0].op = SCMP_CMP_EQ;
+ chain[0].mask = DATUM_MAX;
+ chain[0].datum = abs(*syscall) % 100;
+ chain[0].valid = 1;
+ *syscall = __x86_NR_socketcall;
+ } else if ((*syscall) <= -200 && (*syscall) >= -211) {
+ for (iter = 0; iter < x86_arg_count_max; iter++) {
+ if ((chain[iter].valid != 0) && (strict))
+ return -EINVAL;
+ }
+ chain[0].arg = 0;
+ chain[0].op = SCMP_CMP_EQ;
+ chain[0].mask = DATUM_MAX;
+ chain[0].datum = abs(*syscall) % 200;
+ chain[0].valid = 1;
+ *syscall = __x86_NR_ipc;
+ } else if (((*syscall) < 0) && (strict))
+ return -EDOM;
+
+ return 0;
+}
diff --git a/src/arch-x86.h b/src/arch-x86.h
new file mode 100644
index 0000000..924a82f
--- /dev/null
+++ b/src/arch-x86.h
@@ -0,0 +1,40 @@
+/**
+ * Enhanced Seccomp x86 Specific Code
+ *
+ * Copyright (c) 2012 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _ARCH_X86_H
+#define _ARCH_X86_H
+
+#include "arch.h"
+#include "db.h"
+#include "system.h"
+
+#define x86_arg_count_max 6
+
+extern const struct arch_def arch_def_x86;
+extern const struct arch_syscall_def x86_syscall_table[];
+
+int x86_syscall_rewrite(const struct arch_def *arch, unsigned int strict,
+ int *syscall);
+
+int x86_filter_rewrite(const struct arch_def *arch, unsigned int strict,
+ int *syscall, struct db_api_arg *chain);
+
+#endif
diff --git a/src/arch.c b/src/arch.c
index 701b017..2002b6f 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -29,14 +29,14 @@
#include <seccomp.h>
#include "arch.h"
-#include "arch-i386.h"
+#include "arch-x86.h"
#include "arch-x86_64.h"
#include "arch-x32.h"
#include "arch-arm.h"
#include "system.h"
#if __i386__
-const struct arch_def *arch_def_native = &arch_def_i386;
+const struct arch_def *arch_def_native = &arch_def_x86;
#elif __x86_64__
#ifdef __ILP32__
const struct arch_def *arch_def_native = &arch_def_x32;
@@ -80,7 +80,7 @@ static const struct arch_syscall_def
*_arch_syscall_lookup(uint32_t token)
{
switch (token) {
case SCMP_ARCH_X86:
- return i386_syscall_table;
+ return x86_syscall_table;
case SCMP_ARCH_X86_64:
return x86_64_syscall_table;
case SCMP_ARCH_X32:
@@ -103,7 +103,7 @@ const struct arch_def *arch_def_lookup(uint32_t token)
{
switch (token) {
case SCMP_ARCH_X86:
- return &arch_def_i386;
+ return &arch_def_x86;
case SCMP_ARCH_X86_64:
return &arch_def_x86_64;
case SCMP_ARCH_X32:
@@ -127,7 +127,7 @@ int arch_arg_count_max(const struct arch_def *arch)
{
switch (arch->token) {
case SCMP_ARCH_X86:
- return i386_arg_count_max;
+ return x86_arg_count_max;
case SCMP_ARCH_X86_64:
return x86_64_arg_count_max;
case SCMP_ARCH_X32:
@@ -294,7 +294,7 @@ int arch_syscall_rewrite(const struct arch_def *arch,
unsigned int strict,
/* rewritable syscalls */
switch (arch->token) {
case SCMP_ARCH_X86:
- return i386_syscall_rewrite(arch, strict, syscall);
+ return x86_syscall_rewrite(arch, strict, syscall);
}
/* NOTE: we fall through to the default handling (strict?) if
* we don't support any rewriting for the architecture */
@@ -337,8 +337,7 @@ int arch_filter_rewrite(const struct arch_def *arch,
/* rewritable syscalls */
switch (arch->token) {
case SCMP_ARCH_X86:
- return i386_filter_rewrite(arch,
- strict, syscall, chain);
+ return x86_filter_rewrite(arch, strict, syscall, chain);
}
/* NOTE: we fall through to the default handling (strict?) if
* we don't support any rewriting for the architecture */
diff --git a/tools/sys_resolver.c b/tools/sys_resolver.c
index 5828737..af8cc46 100644
--- a/tools/sys_resolver.c
+++ b/tools/sys_resolver.c
@@ -26,7 +26,7 @@
#include <unistd.h>
#include "../src/arch.h"
-#include "../src/arch-i386.h"
+#include "../src/arch-x86.h"
#include "../src/arch-x86_64.h"
#include "../src/arch-x32.h"
#include "../src/arch-arm.h"
@@ -61,7 +61,7 @@ int main(int argc, char *argv[])
switch (opt) {
case 'a':
if (strcmp(optarg, "x86") == 0)
- arch = &arch_def_i386;
+ arch = &arch_def_x86;
else if (strcmp(optarg, "x86_64") == 0)
arch = &arch_def_x86_64;
else if (strcmp(optarg, "x32") == 0)
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
