Hello community, here is the log from the commit of package libseccomp for openSUSE:Factory checked in at 2016-05-24 09:33:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libseccomp (Old) and /work/SRC/openSUSE:Factory/.libseccomp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libseccomp" Changes: -------- --- /work/SRC/openSUSE:Factory/libseccomp/libseccomp.changes 2016-04-22 16:17:51.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libseccomp.new/libseccomp.changes 2016-05-24 09:33:32.000000000 +0200 @@ -1,0 +2,10 @@ +Sat May 7 23:11:02 UTC 2016 - [email protected] + +- Update to new upstream release 2.3.1 +* arch: fix the multiplexed ipc() syscalls +* s390: handle multiplexed syscalls correctly +- Remove 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch, + 0001-tests-replace-socket-syscall-references-in-15-basic-.patch + (fixed upstream) + +------------------------------------------------------------------- Old: ---- 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch 0001-tests-replace-socket-syscall-references-in-15-basic-.patch libseccomp-2.3.0.tar.gz libseccomp-2.3.0.tar.gz.SHA256SUM.asc New: ---- libseccomp-2.3.1.tar.gz libseccomp-2.3.1.tar.gz.SHA256SUM.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libseccomp.spec ++++++ --- /var/tmp/diff_new_pack.B5tgha/_old 2016-05-24 09:33:33.000000000 +0200 +++ /var/tmp/diff_new_pack.B5tgha/_new 2016-05-24 09:33:33.000000000 +0200 @@ -18,7 +18,7 @@ Name: libseccomp %define lname libseccomp2 -Version: 2.3.0 +Version: 2.3.1 Release: 0 Summary: An enhanced Seccomp (mode 2) helper library License: LGPL-2.1 @@ -30,8 +30,6 @@ Source2: https://github.com/seccomp/libseccomp/releases/download/v%version/%name-%version.tar.gz.SHA256SUM.asc Source99: baselibs.conf Patch1: no-static.diff -Patch2: 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch -Patch3: 0001-tests-replace-socket-syscall-references-in-15-basic-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake >= 1.11 
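Review bot: The spec keeps `Source2: ...%name-%version.tar.gz.SHA256SUM.asc` as context, but nothing in this hunk or in the Old/New file list verifies that detached signature against a pinned key; if the package does not also ship a `.keyring` for the OBS source validator (not visible in this commit), the `.asc` is fetched and never checked and the tarball bump trusts whatever the download host served. Please confirm a keyring is present, or add one with this update so the signature actually gates the new 2.3.1 tarball. The removal of `Patch2`/`Patch3` matches the `.changes` entry above, so that part is consistent.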
@@ -99,15 +97,15 @@
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -p1
+%patch -P 1 -p1
 %build
-if [ ! -e configure ]; then
+if [ ! -f configure ]; then
 perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [2.3.0])}' configure.ac
 fi
 autoreconf -fi
 %configure --includedir="%_includedir/%name" --disable-static
-make %{?_smp_mflags};
+make %{?_smp_mflags}
 %install
 %make_install
++++++ libseccomp-2.3.0.tar.gz -> libseccomp-2.3.1.tar.gz ++++++
++++ 1609 lines of diff (skipped) ++++
retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/CHANGELOG new/libseccomp-2.3.1/CHANGELOG
--- old/libseccomp-2.3.0/CHANGELOG 2016-02-26 21:27:18.000000000 +0100
+++ new/libseccomp-2.3.1/CHANGELOG 2016-04-20 22:07:54.000000000 +0200
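Review bot: The `%build` fallback still hard-codes `[2.3.0]` in the `perl -i -pe` substitution although the package is now 2.3.1, so any build that takes the `if [ ! -f configure ]` branch would stamp the wrong version into `configure.ac`; use the macro instead: `perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [%version])}' configure.ac`. Since the `configure.ac` hunk further down shows the release tarball already carrying `AC_INIT([libseccomp], [2.3.1])`, the `[0.0.0]` pattern presumably only matches on git snapshots, which is why the drift went unnoticed. The `-e` to `-f` change is fine, as `configure` is expected to be a regular file.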
@@ -2,7 +2,12 @@
 ===============================================================================
 https://github.com/seccomp/libseccomp
-* Version 2.3.0 - February 29, 2015
+* Version 2.3.1 - April 20, 2016
+- Fixed a problem with 32-bit x86 socket syscalls on some systems
+- Fixed problems with ipc syscalls on 32-bit x86
+- Fixed problems with socket and ipc syscalls on s390 and s390x
+
+* Version 2.3.0 - February 29, 2016
 - Added support for the s390 and s390x architectures
 - Added support for the ppc, ppc64, and ppc64le architectures
 - Update the internal syscall tables to match the Linux 4.5-rcX releases
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/configure.ac new/libseccomp-2.3.1/configure.ac
--- old/libseccomp-2.3.0/configure.ac 2016-02-29 15:12:58.000000000 +0100
+++ new/libseccomp-2.3.1/configure.ac 2016-04-20 22:08:22.000000000 +0200
@@ -19,7 +19,7 @@
 dnl ####
 dnl libseccomp defines
 dnl ####
-AC_INIT([libseccomp], [2.3.0])
+AC_INIT([libseccomp], [2.3.1])
 dnl ####
 dnl autoconf configuration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/include/seccomp.h new/libseccomp-2.3.1/include/seccomp.h
--- old/libseccomp-2.3.0/include/seccomp.h 2016-02-29 15:16:26.000000000 +0100
+++ new/libseccomp-2.3.1/include/seccomp.h 2016-04-20 22:11:11.000000000 +0200
@@ -37,7 +37,7 @@
 #define SCMP_VER_MAJOR 2
 #define SCMP_VER_MINOR 3
-#define SCMP_VER_MICRO 0
+#define SCMP_VER_MICRO 1
 struct scmp_version {
 unsigned int major;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390-syscalls.c new/libseccomp-2.3.1/src/arch-s390-syscalls.c
--- old/libseccomp-2.3.0/src/arch-s390-syscalls.c 2016-02-19 17:05:37.000000000 +0100
+++ new/libseccomp-2.3.1/src/arch-s390-syscalls.c 2016-04-20 19:49:04.000000000 +0200
@@ -453,6 +453,48 @@ const struct arch_syscall_def *table = s390_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (strcmp(name, "accept") == 0) + return __PNR_accept; + if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + for (iter = 0; table[iter].name != NULL; iter++) { if (strcmp(name, table[iter].name) == 0) return table[iter].num; 
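Review bot: The second test, `if (strcmp(name, "accept4") == 0)`, is the only one in the chain without `else`; harmless because every branch returns, but it reads like a dropped edit and should be `else if (strcmp(name, "accept4") == 0)` like its neighbours. This override list is pasted verbatim into the s390x and x86 resolvers in the same diff, so the three copies will drift independently; a single shared `static const` name-to-`__PNR_*` table walked by one helper would keep them in sync. Note also that the overrides run before the table scan, so `socket` now resolves to the negative pseudo number rather than the direct 359 entry — that is what forced the test change at the bottom of this diff, and callers comparing the result to `__NR_socket` will see the same difference.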
@@ -476,6 +518,48 @@ const struct arch_syscall_def *table = s390_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { if (num == table[iter].num) return table[iter].name; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390.c new/libseccomp-2.3.1/src/arch-s390.c --- old/libseccomp-2.3.0/src/arch-s390.c 2016-02-11 19:32:37.000000000 +0100 +++ new/libseccomp-2.3.1/src/arch-s390.c 2016-04-20 19:49:44.000000000 +0200 
@@ -5,11 +5,16 @@
 #include <stdlib.h>
 #include <errno.h>
+#include <string.h>
 #include <linux/audit.h>
 #include "arch.h"
 #include "arch-s390.h"
+/* s390 syscall numbers */
+#define __s390_NR_socketcall 102
+#define __s390_NR_ipc 117
+
 const struct arch_def arch_def_s390 = {
 .token = SCMP_ARCH_S390,
 .token_bpf = AUDIT_ARCH_S390,
@@ -17,6 +22,307 @@ .endian = ARCH_ENDIAN_BIG, .syscall_resolve_name = s390_syscall_resolve_name, .syscall_resolve_num = s390_syscall_resolve_num, - .syscall_rewrite = NULL, - .rule_add = NULL, + .syscall_rewrite = s390_syscall_rewrite, + .rule_add = s390_rule_add, }; + +/** + * Convert a multiplexed pseudo socket syscall into a direct syscall + * @param socketcall the multiplexed pseudo syscall number + * + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is + * no related syscall, or __NR_SCMP_ERROR otherwise. + * + */ +int _s390_sock_demux(int socketcall) +{ + switch (socketcall) { + case -101: + /* socket */ + return 359; + case -102: + /* bind */ + return 361; + case -103: + /* connect */ + return 362; + case -104: + /* listen */ + return 363; + case -105: + /* accept - not defined */ + return __NR_SCMP_UNDEF; + case -106: + /* getsockname */ + return 367; + case -107: + /* getpeername */ + return 368; + case -108: + /* socketpair */ + return 360; + case -109: + /* send - not defined */ + return __NR_SCMP_UNDEF; + case -110: + /* recv - not defined */ + return __NR_SCMP_UNDEF; + case -111: + /* sendto */ + return 369; + case -112: + /* recvfrom */ + return 371; + case -113: + /* shutdown */ + return 373; + case -114: + /* setsockopt */ + return 366; + case -115: + /* getsockopt */ + return 365; + case -116: + /* sendmsg */ + return 370; + case -117: + /* recvmsg */ + return 372; + case -118: + /* accept4 */ + return 364; + case -119: + /* recvmmsg */ + return 337; + case -120: + /* sendmmsg */ + return 345; + } + + return __NR_SCMP_ERROR; +} + +/** + * Convert a direct socket syscall into multiplexed pseudo socket syscall + * @param syscall the direct syscall + * + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. 
+ * + */ +int _s390_sock_mux(int syscall) +{ + switch (syscall) { + case 337: + /* recvmmsg */ + return -119; + case 345: + /* sendmmsg */ + return -120; + case 359: + /* socket */ + return -101; + case 360: + /* socketpair */ + return -108; + case 361: + /* bind */ + return -102; + case 362: + /* connect */ + return -103; + case 363: + /* listen */ + return -104; + case 364: + /* accept4 */ + return -118; + case 365: + /* getsockopt */ + return -115; + case 366: + /* setsockopt */ + return -114; + case 367: + /* getsockname */ + return -106; + case 368: + /* getpeername */ + return -107; + case 369: + /* sendto */ + return -111; + case 370: + /* sendmsg */ + return -116; + case 371: + /* recvfrom */ + return -112; + case 372: + /* recvmsg */ + return -117; + case 373: + /* shutdown */ + return -113; + } + + return __NR_SCMP_ERROR; +} + +/** + * Rewrite a syscall value to match the architecture + * @param syscall the syscall number + * + * Syscalls can vary across different architectures so this function rewrites + * the syscall into the correct value for the specified architecture. Returns + * zero on success, negative values on failure. + * + */ +int s390_syscall_rewrite(int *syscall) +{ + int sys = *syscall; + + if (sys <= -100 && sys >= -120) + *syscall = __s390_NR_socketcall; + else if (sys <= -200 && sys >= -224) + *syscall = __s390_NR_ipc; + else if (sys < 0) + return -EDOM; + + return 0; +} + +/** + * add a new rule to the s390 seccomp filter + * @param col the filter collection + * @param db the seccomp filter db + * @param strict the strict flag + * @param rule the filter rule + * + * This function adds a new syscall filter to the seccomp filter db, making any + * necessary adjustments for the s390 ABI. Returns zero on success, negative + * values on failure. 
+ * + */ +int s390_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, + struct db_api_rule_list *rule) +{ + int rc; + unsigned int iter; + size_t args_size; + int sys = rule->syscall; + int sys_a, sys_b; + struct db_api_rule_list *rule_a, *rule_b; + + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { + /* (-100 to -120) : multiplexed socket syscalls + (359 to 373) : direct socket syscalls, Linux 4.3+ */ + + /* strict check for the multiplexed socket syscalls */ + for (iter = 0; iter < rule->args_cnt; iter++) { + if ((rule->args[iter].valid != 0) && (strict)) + return -EINVAL; + } + + /* determine both the muxed and direct syscall numbers */ + if (sys > 0) { + sys_a = _s390_sock_mux(sys); + if (sys_a == __NR_SCMP_ERROR) + return __NR_SCMP_ERROR; + sys_b = sys; + } else { + sys_a = sys; + sys_b = _s390_sock_demux(sys); + if (sys_b == __NR_SCMP_ERROR) + return __NR_SCMP_ERROR; + } + + /* use rule_a for the multiplexed syscall and use rule_b for + * the direct wired syscall */ + + if (sys_a == __NR_SCMP_UNDEF) { + rule_a = NULL; + rule_b = rule; + } else if (sys_b == __NR_SCMP_UNDEF) { + rule_a = rule; + rule_b = NULL; + } else { + /* need two rules, dup the first and link together */ + rule_a = rule; + rule_b = malloc(sizeof(*rule_b)); + if (rule_b == NULL) + return -ENOMEM; + args_size = sizeof(*rule_b->args) * rule_a->args_cnt; + rule_b->args = malloc(args_size); + if (rule_b->args == NULL) { + free(rule_b); + return -ENOMEM; + } + rule_b->action = rule_a->action; + rule_b->syscall = rule_a->syscall; + rule_b->args_cnt = rule_a->args_cnt; + memcpy(rule_b->args, rule_a->args, args_size); + rule_b->prev = rule_a; + rule_b->next = NULL; + rule_a->next = rule_b; + } + + /* multiplexed socket syscalls */ + if (rule_a != NULL) { + rule_a->syscall = __s390_NR_socketcall; + rule_a->args[0].arg = 0; + rule_a->args[0].op = SCMP_CMP_EQ; + rule_a->args[0].mask = DATUM_MAX; + rule_a->args[0].datum = (-sys_a) % 100; + rule_a->args[0].valid = 1; 
+ } + + /* direct wired socket syscalls */ + if (rule_b != NULL) + rule_b->syscall = sys_b; + + /* add the rules as a single transaction */ + rc = db_col_transaction_start(col); + if (rc < 0) + return rc; + if (rule_a != NULL) { + rc = db_rule_add(db, rule_a); + if (rc < 0) + goto fail_transaction; + } + if (rule_b != NULL) { + rc = db_rule_add(db, rule_b); + if (rc < 0) + goto fail_transaction; + } + db_col_transaction_commit(col); + } else if (sys <= -200 && sys >= -224) { + /* multiplexed ipc syscalls */ + for (iter = 0; iter < ARG_COUNT_MAX; iter++) { + if ((rule->args[iter].valid != 0) && (strict)) + return -EINVAL; + } + rule->args[0].arg = 0; + rule->args[0].op = SCMP_CMP_EQ; + rule->args[0].mask = DATUM_MAX; + rule->args[0].datum = abs(sys) % 200; + rule->args[0].valid = 1; + rule->syscall = __s390_NR_ipc; + + rc = db_rule_add(db, rule); + if (rc < 0) + return rc; + } else if (sys >= 0) { + /* normal syscall processing */ + rc = db_rule_add(db, rule); + if (rc < 0) + return rc; + } else if (strict) + return -EDOM; + + return 0; + +fail_transaction: + db_col_transaction_abort(col); + return rc; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390.h new/libseccomp-2.3.1/src/arch-s390.h --- old/libseccomp-2.3.0/src/arch-s390.h 2016-02-11 19:32:39.000000000 +0100 +++ new/libseccomp-2.3.1/src/arch-s390.h 2016-04-20 19:49:04.000000000 +0200 @@ -3,12 +3,13 @@ * Author: Jan Willeke <[email protected]> */ -#ifndef _ARCH_s390_H -#define _ARCH_s390_H +#ifndef _ARCH_S390_H +#define _ARCH_S390_H #include <inttypes.h> #include "arch.h" +#include "db.h" #include "system.h" #define s390_arg_count_max 6 
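Review bot: `_s390_sock_demux` maps `recvmmsg` and `sendmmsg` to 337 and 345, the very values the x86 hunk below uses for the same two calls, while the rest of this table matches the 359–373 block; `s390_syscall_table` is outside this hunk, so please cross-check those two against it, because if they differ a `recvmmsg` rule lands on an unrelated syscall and the real direct `recvmmsg` stays unfiltered. Independently of the values, `s390_rule_add` only pairs direct numbers in `359..373` with their `socketcall` twin, so a rule supplied with the direct `recvmmsg`/`sendmmsg` number takes the `sys >= 0` path and the multiplexed route (sub-calls 19 and 20, as the `(-sys_a) % 100` formula gives) remains open — a bypass for a deny rule. Deriving the guard from the switch avoids hard-coding: `if ((sys <= -100 && sys >= -120) || _s390_sock_mux(sys) != __NR_SCMP_ERROR) {`. Two smaller points: `return __NR_SCMP_ERROR;` after a failed mux/demux hands a syscall sentinel back through an interface documented as returning negative errno values (`return -EINVAL;` is what callers expect), and the strict check here iterates `rule->args_cnt` while the ipc branch iterates `ARG_COUNT_MAX` — whichever bound is right for `rule->args`, the two should agree.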
@@ -18,6 +19,12 @@
 int s390_syscall_resolve_name(const char *name);
 const char *s390_syscall_resolve_num(int num);
+
 const char *s390_syscall_iterate_name(unsigned int spot);
+int s390_syscall_rewrite(int *syscall);
+
+int s390_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict,
+ struct db_api_rule_list *rule);
+
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390x-syscalls.c new/libseccomp-2.3.1/src/arch-s390x-syscalls.c
--- old/libseccomp-2.3.0/src/arch-s390x-syscalls.c 2016-02-19 17:05:37.000000000 +0100
+++ new/libseccomp-2.3.1/src/arch-s390x-syscalls.c 2016-04-20 19:49:04.000000000 +0200
@@ -453,6 +453,48 @@ const struct arch_syscall_def *table = s390x_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (strcmp(name, "accept") == 0) + return __PNR_accept; + if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + for (iter = 0; table[iter].name != NULL; iter++) { if (strcmp(name, table[iter].name) == 0) return table[iter].num; 
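Review bot: `if (strcmp(name, "accept4") == 0)` again breaks the `else if` chain it sits in, exactly as in the s390 copy of this list; change it to `else if (strcmp(name, "accept4") == 0)`. Beyond the cosmetic point, this is the third verbatim copy of the same twenty-entry override list in one diff, and nothing ties the copies together; a shared table, or at least a test that resolves every socket name on all three arches and compares the results, would catch the next omission. Because the override precedes the table scan, `s390x_syscall_resolve_name("socket")` now yields `__PNR_socket` instead of the direct number, which downstream callers may not expect.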
@@ -476,6 +518,48 @@ const struct arch_syscall_def *table = s390x_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { if (num == table[iter].num) return table[iter].name; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390x.c new/libseccomp-2.3.1/src/arch-s390x.c --- old/libseccomp-2.3.0/src/arch-s390x.c 2016-02-11 19:32:37.000000000 +0100 +++ new/libseccomp-2.3.1/src/arch-s390x.c 2016-04-20 19:49:44.000000000 +0200 
@@ -5,11 +5,16 @@
 #include <stdlib.h>
 #include <errno.h>
+#include <string.h>
 #include <linux/audit.h>
 #include "arch.h"
 #include "arch-s390x.h"
+/* s390x syscall numbers */
+#define __s390x_NR_socketcall 102
+#define __s390x_NR_ipc 117
+
 const struct arch_def arch_def_s390x = {
 .token = SCMP_ARCH_S390X,
 .token_bpf = AUDIT_ARCH_S390X,
@@ -17,6 +22,307 @@ .endian = ARCH_ENDIAN_BIG, .syscall_resolve_name = s390x_syscall_resolve_name, .syscall_resolve_num = s390x_syscall_resolve_num, - .syscall_rewrite = NULL, - .rule_add = NULL, + .syscall_rewrite = s390x_syscall_rewrite, + .rule_add = s390x_rule_add, }; + +/** + * Convert a multiplexed pseudo socket syscall into a direct syscall + * @param socketcall the multiplexed pseudo syscall number + * + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is + * no related syscall, or __NR_SCMP_ERROR otherwise. + * + */ +int _s390x_sock_demux(int socketcall) +{ + switch (socketcall) { + case -101: + /* socket */ + return 359; + case -102: + /* bind */ + return 361; + case -103: + /* connect */ + return 362; + case -104: + /* listen */ + return 363; + case -105: + /* accept - not defined */ + return __NR_SCMP_UNDEF; + case -106: + /* getsockname */ + return 367; + case -107: + /* getpeername */ + return 368; + case -108: + /* socketpair */ + return 360; + case -109: + /* send - not defined */ + return __NR_SCMP_UNDEF; + case -110: + /* recv - not defined */ + return __NR_SCMP_UNDEF; + case -111: + /* sendto */ + return 369; + case -112: + /* recvfrom */ + return 371; + case -113: + /* shutdown */ + return 373; + case -114: + /* setsockopt */ + return 366; + case -115: + /* getsockopt */ + return 365; + case -116: + /* sendmsg */ + return 370; + case -117: + /* recvmsg */ + return 372; + case -118: + /* accept4 */ + return 364; + case -119: + /* recvmmsg */ + return 337; + case -120: + /* sendmmsg */ + return 345; + } + + return __NR_SCMP_ERROR; +} + +/** + * Convert a direct socket syscall into multiplexed pseudo socket syscall + * @param syscall the direct syscall + * + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. 
+ * + */ +int _s390x_sock_mux(int syscall) +{ + switch (syscall) { + case 337: + /* recvmmsg */ + return -119; + case 345: + /* sendmmsg */ + return -120; + case 359: + /* socket */ + return -101; + case 360: + /* socketpair */ + return -108; + case 361: + /* bind */ + return -102; + case 362: + /* connect */ + return -103; + case 363: + /* listen */ + return -104; + case 364: + /* accept4 */ + return -118; + case 365: + /* getsockopt */ + return -115; + case 366: + /* setsockopt */ + return -114; + case 367: + /* getsockname */ + return -106; + case 368: + /* getpeername */ + return -107; + case 369: + /* sendto */ + return -111; + case 370: + /* sendmsg */ + return -116; + case 371: + /* recvfrom */ + return -112; + case 372: + /* recvmsg */ + return -117; + case 373: + /* shutdown */ + return -113; + } + + return __NR_SCMP_ERROR; +} + +/** + * Rewrite a syscall value to match the architecture + * @param syscall the syscall number + * + * Syscalls can vary across different architectures so this function rewrites + * the syscall into the correct value for the specified architecture. Returns + * zero on success, negative values on failure. + * + */ +int s390x_syscall_rewrite(int *syscall) +{ + int sys = *syscall; + + if (sys <= -100 && sys >= -120) + *syscall = __s390x_NR_socketcall; + else if (sys <= -200 && sys >= -224) + *syscall = __s390x_NR_ipc; + else if (sys < 0) + return -EDOM; + + return 0; +} + +/** + * add a new rule to the s390x seccomp filter + * @param col the filter collection + * @param db the seccomp filter db + * @param strict the strict flag + * @param rule the filter rule + * + * This function adds a new syscall filter to the seccomp filter db, making any + * necessary adjustments for the s390x ABI. Returns zero on success, negative + * values on failure. 
+ * + */ +int s390x_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, + struct db_api_rule_list *rule) +{ + int rc; + unsigned int iter; + size_t args_size; + int sys = rule->syscall; + int sys_a, sys_b; + struct db_api_rule_list *rule_a, *rule_b; + + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { + /* (-100 to -120) : multiplexed socket syscalls + (359 to 373) : direct socket syscalls, Linux 4.3+ */ + + /* strict check for the multiplexed socket syscalls */ + for (iter = 0; iter < rule->args_cnt; iter++) { + if ((rule->args[iter].valid != 0) && (strict)) + return -EINVAL; + } + + /* determine both the muxed and direct syscall numbers */ + if (sys > 0) { + sys_a = _s390x_sock_mux(sys); + if (sys_a == __NR_SCMP_ERROR) + return __NR_SCMP_ERROR; + sys_b = sys; + } else { + sys_a = sys; + sys_b = _s390x_sock_demux(sys); + if (sys_b == __NR_SCMP_ERROR) + return __NR_SCMP_ERROR; + } + + /* use rule_a for the multiplexed syscall and use rule_b for + * the direct wired syscall */ + + if (sys_a == __NR_SCMP_UNDEF) { + rule_a = NULL; + rule_b = rule; + } else if (sys_b == __NR_SCMP_UNDEF) { + rule_a = rule; + rule_b = NULL; + } else { + /* need two rules, dup the first and link together */ + rule_a = rule; + rule_b = malloc(sizeof(*rule_b)); + if (rule_b == NULL) + return -ENOMEM; + args_size = sizeof(*rule_b->args) * rule_a->args_cnt; + rule_b->args = malloc(args_size); + if (rule_b->args == NULL) { + free(rule_b); + return -ENOMEM; + } + rule_b->action = rule_a->action; + rule_b->syscall = rule_a->syscall; + rule_b->args_cnt = rule_a->args_cnt; + memcpy(rule_b->args, rule_a->args, args_size); + rule_b->prev = rule_a; + rule_b->next = NULL; + rule_a->next = rule_b; + } + + /* multiplexed socket syscalls */ + if (rule_a != NULL) { + rule_a->syscall = __s390x_NR_socketcall; + rule_a->args[0].arg = 0; + rule_a->args[0].op = SCMP_CMP_EQ; + rule_a->args[0].mask = DATUM_MAX; + rule_a->args[0].datum = (-sys_a) % 100; + rule_a->args[0].valid 
= 1; + } + + /* direct wired socket syscalls */ + if (rule_b != NULL) + rule_b->syscall = sys_b; + + /* add the rules as a single transaction */ + rc = db_col_transaction_start(col); + if (rc < 0) + return rc; + if (rule_a != NULL) { + rc = db_rule_add(db, rule_a); + if (rc < 0) + goto fail_transaction; + } + if (rule_b != NULL) { + rc = db_rule_add(db, rule_b); + if (rc < 0) + goto fail_transaction; + } + db_col_transaction_commit(col); + } else if (sys <= -200 && sys >= -224) { + /* multiplexed ipc syscalls */ + for (iter = 0; iter < ARG_COUNT_MAX; iter++) { + if ((rule->args[iter].valid != 0) && (strict)) + return -EINVAL; + } + rule->args[0].arg = 0; + rule->args[0].op = SCMP_CMP_EQ; + rule->args[0].mask = DATUM_MAX; + rule->args[0].datum = abs(sys) % 200; + rule->args[0].valid = 1; + rule->syscall = __s390x_NR_ipc; + + rc = db_rule_add(db, rule); + if (rc < 0) + return rc; + } else if (sys >= 0) { + /* normal syscall processing */ + rc = db_rule_add(db, rule); + if (rc < 0) + return rc; + } else if (strict) + return -EDOM; + + return 0; + +fail_transaction: + db_col_transaction_abort(col); + return rc; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-s390x.h new/libseccomp-2.3.1/src/arch-s390x.h --- old/libseccomp-2.3.0/src/arch-s390x.h 2016-02-11 19:32:39.000000000 +0100 +++ new/libseccomp-2.3.1/src/arch-s390x.h 2016-04-20 19:49:04.000000000 +0200 @@ -3,12 +3,13 @@ * Author: Jan Willeke <[email protected]> */ -#ifndef _ARCH_s390x_H -#define _ARCH_s390x_H +#ifndef _ARCH_S390X_H +#define _ARCH_S390X_H #include <inttypes.h> #include "arch.h" +#include "db.h" #include "system.h" #define s390x_arg_count_max 6 
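Review bot: `rule_a->args[0]` is compared with `SCMP_CMP_EQ` under the full `DATUM_MAX` mask, but on this 64-bit ABI the kernel consumes `socketcall`'s first argument as an `int`; unless the s390x syscall entry path guarantees the upper 32 bits of that register are clear (not visible here), a caller can set them so the kernel still sees e.g. the `socket` sub-call while the BPF comparison fails — harmless for an allow-list with a deny default, but a deny rule written this way would be bypassed. Restricting the comparison to the low 32 bits of the argument would close that regardless of what the ABI does, and is worth confirming before this ships on s390x. The `337`/`345` values for `recvmmsg`/`sendmmsg` in `_s390x_sock_demux` mirror the x86 numbers and should be verified against `s390x_syscall_table`, which is not in this diff. As in the s390 copy, direct numbers that `_s390x_sock_mux` knows but that fall outside `359..373` skip the pairing logic and get only the direct rule, leaving the multiplexed path unfiltered.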
@@ -21,6 +22,12 @@
 int s390x_syscall_resolve_name(const char *name);
 const char *s390x_syscall_resolve_num(int num);
+
 const char *s390x_syscall_iterate_name(unsigned int spot);
-const char *s390x_syscall_iterate_name(unsigned int spot);
+
+int s390x_syscall_rewrite(int *syscall);
+
+int s390x_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict,
+ struct db_api_rule_list *rule);
+
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-x86-syscalls.c new/libseccomp-2.3.1/src/arch-x86-syscalls.c
--- old/libseccomp-2.3.0/src/arch-x86-syscalls.c 2016-02-19 17:05:37.000000000 +0100
+++ new/libseccomp-2.3.1/src/arch-x86-syscalls.c 2016-04-10 23:33:50.000000000 +0200
@@ -469,6 +469,48 @@ const struct arch_syscall_def *table = x86_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (strcmp(name, "accept") == 0) + return __PNR_accept; + if (strcmp(name, "accept4") == 0) + return __PNR_accept4; + else if (strcmp(name, "bind") == 0) + return __PNR_bind; + else if (strcmp(name, "connect") == 0) + return __PNR_connect; + else if (strcmp(name, "getpeername") == 0) + return __PNR_getpeername; + else if (strcmp(name, "getsockname") == 0) + return __PNR_getsockname; + else if (strcmp(name, "getsockopt") == 0) + return __PNR_getsockopt; + else if (strcmp(name, "listen") == 0) + return __PNR_listen; + else if (strcmp(name, "recv") == 0) + return __PNR_recv; + else if (strcmp(name, "recvfrom") == 0) + return __PNR_recvfrom; + else if (strcmp(name, "recvmsg") == 0) + return __PNR_recvmsg; + else if (strcmp(name, "recvmmsg") == 0) + return __PNR_recvmmsg; + else if (strcmp(name, "send") == 0) + return __PNR_send; + else if (strcmp(name, "sendmsg") == 0) + return __PNR_sendmsg; + else if (strcmp(name, "sendmmsg") == 0) + return __PNR_sendmmsg; + else if (strcmp(name, "sendto") == 0) + return __PNR_sendto; + else if (strcmp(name, "setsockopt") == 0) + return __PNR_setsockopt; + else if (strcmp(name, "shutdown") == 0) + return __PNR_shutdown; + else if (strcmp(name, "socket") == 0) + return __PNR_socket; + else if (strcmp(name, "socketpair") == 0) + return __PNR_socketpair; + for (iter = 0; table[iter].name != NULL; iter++) { if (strcmp(name, table[iter].name) == 0) return table[iter].num; 
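Review bot: Same override list as the s390 and s390x resolvers in this diff, including the `if (strcmp(name, "accept4") == 0)` line that lacks the `else` of its siblings; make it `else if (strcmp(name, "accept4") == 0)` and consider hoisting the list into one shared table so the three arches cannot drift. With this in place `seccomp_syscall_resolve_name("socket")` on x86 returns `__PNR_socket` rather than the direct 359 from the table, a behaviour change for callers that fed the result straight into a numeric comparison — the test update at the bottom of this diff is the visible fallout. A sentence in the CHANGELOG entry spelling out that socket names now resolve to pseudo numbers on these arches would save downstream users the same surprise.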
@@ -492,6 +534,48 @@ const struct arch_syscall_def *table = x86_syscall_table; /* XXX - plenty of room for future improvement here */ + + if (num == __PNR_accept) + return "accept"; + else if (num == __PNR_accept4) + return "accept4"; + else if (num == __PNR_bind) + return "bind"; + else if (num == __PNR_connect) + return "connect"; + else if (num == __PNR_getpeername) + return "getpeername"; + else if (num == __PNR_getsockname) + return "getsockname"; + else if (num == __PNR_getsockopt) + return "getsockopt"; + else if (num == __PNR_listen) + return "listen"; + else if (num == __PNR_recv) + return "recv"; + else if (num == __PNR_recvfrom) + return "recvfrom"; + else if (num == __PNR_recvmsg) + return "recvmsg"; + else if (num == __PNR_recvmmsg) + return "recvmmsg"; + else if (num == __PNR_send) + return "send"; + else if (num == __PNR_sendmsg) + return "sendmsg"; + else if (num == __PNR_sendmmsg) + return "sendmmsg"; + else if (num == __PNR_sendto) + return "sendto"; + else if (num == __PNR_setsockopt) + return "setsockopt"; + else if (num == __PNR_shutdown) + return "shutdown"; + else if (num == __PNR_socket) + return "socket"; + else if (num == __PNR_socketpair) + return "socketpair"; + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { if (num == table[iter].num) return table[iter].name; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/src/arch-x86.c new/libseccomp-2.3.1/src/arch-x86.c --- old/libseccomp-2.3.0/src/arch-x86.c 2016-02-11 19:32:37.000000000 +0100 +++ new/libseccomp-2.3.1/src/arch-x86.c 2016-04-20 19:49:44.000000000 +0200 
@@ -104,6 +104,15 @@ case -117: /* recvmsg */ return 372; + case -118: + /* accept4 */ + return 364; + case -119: + /* recvmmsg */ + return 337; + case -120: + /* sendmmsg */ + return 345; } return __NR_SCMP_ERROR; @@ -120,6 +129,12 @@ int _x86_sock_mux(int syscall) { switch (syscall) { + case 337: + /* recvmmsg */ + return -119; + case 345: + /* sendmmsg */ + return -120; case 359: /* socket */ return -101; @@ -137,7 +152,7 @@ return -104; case 364: /* accept4 */ - return __NR_SCMP_UNDEF; + return -118; case 365: /* getsockopt */ return -115; @@ -183,9 +198,9 @@ { int sys = *syscall; - if (sys <= -100 && sys >= -117) + if (sys <= -100 && sys >= -120) *syscall = __x86_NR_socketcall; - else if (sys <= -200 && sys >= -211) + else if (sys <= -200 && sys >= -224) *syscall = __x86_NR_ipc; else if (sys < 0) return -EDOM; @@ -215,9 +230,9 @@ int sys_a, sys_b; struct db_api_rule_list *rule_a, *rule_b; - if ((sys <= -100 && sys >= -117) || (sys >= 359 && sys <= 373)) { - /* (-100 to -117) : multiplexed socket syscalls - (359 to 373) : direct socket syscalls, Linux 4.4+ */ + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { + /* (-100 to -120) : multiplexed socket syscalls + (359 to 373) : direct socket syscalls, Linux 4.3+ */ /* strict check for the multiplexed socket syscalls */ for (iter = 0; iter < rule->args_cnt; iter++) { 
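Review bot: `_x86_sock_mux()` now maps the direct `recvmmsg` (337) and `sendmmsg` (345) numbers to pseudo numbers, but the direct-number window in `x86_rule_add()` is still `sys >= 359 && sys <= 373`, so a rule added with the raw number 337 or 345 — presumably what `SCMP_SYS(recvmmsg)` expands to on a native 32-bit x86 build where `__NR_recvmmsg` is defined — skips this branch entirely and, as far as this hunk shows, never gets the `socketcall()` counterpart that a rule added by name would get. If that is not intended, the condition could read `(sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373) || sys == 337 || sys == 345`, with the comment beneath it updated to name the two pre-4.3 direct calls. The bounds -120 and -224 are now repeated in `x86_syscall_rewrite()` and `x86_rule_add()` (and the ipc bound once more in a later hunk), so a named constant per range would keep them from drifting the next time a pseudo number is added. The bodies of `_x86_sock_demux()`, `_x86_sock_mux()` and `x86_rule_add()` all extend beyond these hunks.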
@@ -297,7 +312,7 @@ goto fail_transaction; } db_col_transaction_commit(col); - } else if (sys <= -200 && sys >= -211) { + } else if (sys <= -200 && sys >= -224) { /* multiplexed ipc syscalls */ for (iter = 0; iter < ARG_COUNT_MAX; iter++) { if ((rule->args[iter].valid != 0) && (strict)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/15-basic-resolver.c new/libseccomp-2.3.1/tests/15-basic-resolver.c --- old/libseccomp-2.3.0/tests/15-basic-resolver.c 2016-02-11 19:36:42.000000000 +0100 +++ new/libseccomp-2.3.1/tests/15-basic-resolver.c 2016-04-19 17:27:43.000000000 +0200 @@ -31,7 +31,7 @@ if (seccomp_syscall_resolve_name("open") != __NR_open) goto fail; - if (seccomp_syscall_resolve_name("socket") != __NR_socket) + if (seccomp_syscall_resolve_name("read") != __NR_read) goto fail; if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR) goto fail; @@ -40,7 +40,7 @@ "open") != __NR_open) goto fail; if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, - "socket") != __NR_socket) + "read") != __NR_read) goto fail; if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, "INVALID") != __NR_SCMP_ERROR) 
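Review bot: The ipc() window in `x86_rule_add()` widens from -211 to -224 here, matching the `x86_syscall_rewrite()` change in the previous hunk, but nothing in this diff adds the corresponding -212..-224 cases to the ipc mux/demux helpers or the `__PNR_` definitions, so it is worth confirming those landed in the same release. What happens to a pseudo number that passes this range check but has no demux entry is outside the hunk; if it is not an error return, a stale bound would silently add a rule for a number no syscall ever has. A named constant for the lower bound, shared with `x86_syscall_rewrite()`, would keep the two checks in step. `x86_rule_add()` extends beyond this hunk on both sides.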
@@ -51,8 +51,8 @@ goto fail; free(name); - name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_socket); - if (name == NULL || strcmp(name, "socket") != 0) + name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_read); + if (name == NULL || strcmp(name, "read") != 0) goto fail; free(name); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/15-basic-resolver.py new/libseccomp-2.3.1/tests/15-basic-resolver.py --- old/libseccomp-2.3.0/tests/15-basic-resolver.py 2016-02-11 19:36:42.000000000 +0100 +++ new/libseccomp-2.3.1/tests/15-basic-resolver.py 2016-04-19 17:27:43.000000000 +0200 @@ -33,7 +33,7 @@ # this differs from the native test as we don't support the syscall # resolution functions by themselves f.add_rule(ALLOW, "open") - f.add_rule(ALLOW, "socket") + f.add_rule(ALLOW, "read") try: f.add_rule(ALLOW, "INVALID") except RuntimeError: 
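Review bot: Replacing `socket` with `read` in 15-basic-resolver.c leaves the resolver test without any multiplexed socket name, so the twenty new `__PNR_` mappings in arch-x86-syscalls.c are not exercised by it; the switch was presumably needed because on 32-bit x86 `seccomp_syscall_resolve_name("socket")` no longer equals `__NR_socket`, but a round trip that never compares against `__NR_socket` still holds on every arch: `name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, seccomp_syscall_resolve_name("socket"));` `if (name == NULL || strcmp(name, "socket") != 0) goto fail;` `free(name);`. Keeping that alongside the new `read` check costs three lines and restores coverage of the pseudo-number path. The enclosing `main()` starts before this hunk.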
@@ -43,9 +43,9 @@ sys_name = resolve_syscall(Arch(), sys_num) if (sys_name != "open"): raise RuntimeError("Test failure") - sys_num = resolve_syscall(Arch(), "socket") + sys_num = resolve_syscall(Arch(), "read") sys_name = resolve_syscall(Arch(), sys_num) - if (sys_name != "socket"): + if (sys_name != "read"): raise RuntimeError("Test failure") test() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/30-sim-socket_syscalls.tests new/libseccomp-2.3.1/tests/30-sim-socket_syscalls.tests --- old/libseccomp-2.3.0/tests/30-sim-socket_syscalls.tests 2016-02-11 19:36:42.000000000 +0100 +++ new/libseccomp-2.3.1/tests/30-sim-socket_syscalls.tests 2016-04-10 23:33:50.000000000 +0200 
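Review bot: The Python round trip in 15-basic-resolver.py never compares against a kernel number, so `resolve_syscall(Arch(), "socket")` followed by `resolve_syscall(Arch(), sys_num)` should still yield `"socket"` with the reverse mapping added in arch-x86-syscalls.c, unless the binding rejects negative numbers, which this diff does not show. Dropping it removes the only Python coverage of the pseudo-number path; keeping the `socket` round trip next to the new `read` one is three lines. The `test()` function starts before this hunk.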
@@ -18,7 +18,8 @@
 30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
 30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW
 30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL
-30-sim-socket_syscalls +x86 accept4 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL
 30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
 30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
 30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.c new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.c
--- old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.c 1970-01-01 01:00:00.000000000 +0100
+++ new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.c 2016-04-20 19:49:04.000000000 +0200
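Review bot: The new `accept4 0 1 2 … KILL` row in 30-sim-socket_syscalls.tests, like the `accept 0 1 2 … KILL` row above it, uses socketcall sub-call 0, which is not a defined sub-call at all, so it only shows that an invalid code is killed, not that the filter separates an allowed multiplexed call from a disallowed one. A row with a real sub-call the fixture does not allow — e.g. `30-sim-socket_syscalls +x86 accept4 2 1 2 N N N KILL`, 2 being bind if the codes follow the 5 = accept / 18 = accept4 numbering used here and bind is indeed absent from the fixture — would pin that down; the same pattern is repeated in the new 33-sim-socket_syscalls_be.tests. The `+x86` column is the test's arch selector, not a diff marker.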
@@ -0,0 +1,81 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+ /*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+ #include <errno.h>
+ #include <unistd.h>
+
+ #include <seccomp.h>
+
+ #include "util.h"
+
+ int main(int argc, char *argv[])
+ {
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.py new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.py
--- old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.py 1970-01-01 01:00:00.000000000 +0100
+++ new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.py 2016-04-20 19:49:04.000000000 +0200
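Review bot: In 33-sim-socket_syscalls_be.c the `if (rc) goto out;` after `util_filter_output()` jumps to the label on the very next statement, so it is a no-op; `rc = util_filter_output(&opts, ctx);` can simply fall through to `out:`. The five identical rule-add blocks could also be one loop over a small array such as `int calls[] = { SCMP_SYS(socket), SCMP_SYS(connect), SCMP_SYS(accept), SCMP_SYS(accept4), SCMP_SYS(shutdown) };`, which is how a reader expects a fixture with one action and no argument filters to look; that is a matter of style only. The new test exercises only s390/s390x socket handling, so the `recvmmsg`/`sendmmsg` mappings this release adds to the x86 mux are not covered by it.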
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+ #
+ # Seccomp Library test program
+ #
+ # Copyright (c) 2016 Red Hat <[email protected]>
+ # Author: Paul Moore <[email protected]>
+ #
+
+ #
+ # This library is free software; you can redistribute it and/or modify it
+ # under the terms of version 2.1 of the GNU Lesser General Public License as
+ # published by the Free Software Foundation.
+ #
+ # This library is distributed in the hope that it will be useful, but WITHOUT
+ # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ # FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ # for more details.
+ #
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this library; if not, see <http://www.gnu.org/licenses>.
+ #
+
+ import argparse
+ import sys
+
+ import util
+
+ from seccomp import *
+
+ def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "accept")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+ args = util.get_opt()
+ ctx = test(args)
+ util.filter_output(args, ctx)
+
+ # kate: syntax python;
+ # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.tests new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.tests
--- old/libseccomp-2.3.0/tests/33-sim-socket_syscalls_be.tests 1970-01-01 01:00:00.000000000 +0100
+++ new/libseccomp-2.3.1/tests/33-sim-socket_syscalls_be.tests 2016-04-20 19:49:04.000000000 +0200
@@ -0,0 +1,39 @@
+#
+ # libseccomp regression test automation data
+ #
+ # Copyright (c) 2016 Red Hat <[email protected]>
+ # Author: Paul Moore <[email protected]>
+ #
+
+ test type: bpf-sim
+
+ # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+ 33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL
+ 33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL
+ 33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL
+ 33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW
+ 33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL
+
+ test type: bpf-valgrind
+
+ # Testname
+ 33-sim-socket_syscalls_be
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude
install-sh --exclude ltmain.sh old/libseccomp-2.3.0/tests/Makefile.am new/libseccomp-2.3.1/tests/Makefile.am --- old/libseccomp-2.3.0/tests/Makefile.am 2016-02-22 23:44:01.000000000 +0100 +++ new/libseccomp-2.3.1/tests/Makefile.am 2016-04-20 19:49:04.000000000 +0200 @@ -60,7 +60,8 @@ 29-sim-pseudo_syscall \ 30-sim-socket_syscalls \ 31-basic-version_check \ - 32-live-tsync_allow + 32-live-tsync_allow \ + 33-sim-socket_syscalls_be EXTRA_DIST_TESTPYTHON = \ util.py \ @@ -95,7 +96,8 @@ 29-sim-pseudo_syscall.py \ 30-sim-socket_syscalls.py \ 31-basic-version_check.py \ - 32-live-tsync_allow.py + 32-live-tsync_allow.py \ + 33-sim-socket_syscalls_be.py EXTRA_DIST_TESTCFGS = \ 01-sim-allow.tests \ @@ -129,7 +131,8 @@ 29-sim-pseudo_syscall.tests \ 30-sim-socket_syscalls.tests \ 31-basic-version_check.tests \ - 32-live-tsync_allow.tests + 32-live-tsync_allow.tests \ + 33-sim-socket_syscalls_be.tests EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen ++++++ libseccomp-2.3.0.tar.gz.SHA256SUM.asc -> libseccomp-2.3.1.tar.gz.SHA256SUM.asc ++++++ --- /work/SRC/openSUSE:Factory/libseccomp/libseccomp-2.3.0.tar.gz.SHA256SUM.asc 2016-03-31 13:01:54.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libseccomp.new/libseccomp-2.3.1.tar.gz.SHA256SUM.asc 2016-05-24 09:33:32.000000000 +0200 
@@ -1,21 +1,21 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 -d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d libseccomp-2.3.0.tar.gz +ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b libseccomp-2.3.1.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iQIcBAEBCAAGBQJW1FzeAAoJEFXkWlroynyKK8QP/RsRk8DTEunGO2eWpUpMYSOO -oBog4vn3zjqhgWd9kJOPCf3IYaEE2fC/Z87hvGm/2NWP6wNMnZ1g1D+W38TI2mq2 -P0ztM1rFgWCK/6tZ3O+255OLvgFpC3D7Dqfr+4BniGPyBedYV7d/4fC0qed3rMHY -Y2wWRcjET5HlrWb4ef/uWWWN39YT1hRg1SSzShebKKOfGKTr6C458ggYIgBtBP/y -1nid2Ym/oQwDlKqQV1pGHwf4q0dPBog2GTnavMM+ge7L1FbvRKWFEGex9C36wcN/ -hzxUTG9q7+w5l4YaFpc32TTzmLLRdEb9Ykhu4qJ2Il7x/LKVaavWfJMjSt/X4/65 -Ika+tPAUbyA4aWB+c0cBpRMmFtXJHueZCbb2edMGTwPJzkJnNWh1YIK9SBcCXF+8 -SZ85LdyFbK98tFMuUj+oSJLlFtxnsUshrN7+qPRXLfkIQ7tKaIE+GuLT3oDqwHOL -q5H++4WJv63jFNLSkHoOJe9YSrUITqjKo6zDKMLkSsgbu8UNQrLLn4f8XZV0K352 -qHKP/PxaVaZvshrKZ4VR9/r8sihMtWpqYx/GpaQoJID9GI6z5L0b741FeJ4w0Enw -IXRh4NIBe77LuRRy5I35diGoaiTlhDhOPUg7LCYHht/GTHkGgZ9Y06fhzCWuUNDA -FS9ak169Uod6oSnX3X7Y -=kJQO +iQIcBAEBCAAGBQJXF+KwAAoJEFXkWlroynyKcUcP/18AlU1aohqM1V3KkUQgLv6P +Ka6ZPddIdS3BqcXxScPhNUQuSK2QuxcxZb+RBXGS9Cx/zYrlcXrv6M0Uzgc5q9jB +IS4fYHj8yB4odmjMWb1wohrwXHrt5+lmTsGmw7apKkuqeOjwFdKqaR10eWd7DaSq +tJAQ7evImCRM3rsIXk0hvtkDCon5K5LZieHjejJ59D2z9Nrghp2Urf8dXwT1uFPq +bFZ4AngMzs41K5052iWVZGAskcyi4tc8f11gd2Ao34rP6hmW0VaJCKszyvC0gOqV +jBtHMwf3OwjuU9xUKHEqEB1uoF1AxZnwS3mkXBeli414XXXI8rKLtJUylyjJ+3b0 +CT6puXmoscBJaDxe6oVm6yRZrHOp3TtQzTVV0uAABiQcDbbIlmjRMvOTYcjispH8 +73CRupEb3eTl5Kwx/yB/0Z+ml0FI9pnB8UtaiBGJIfqL/uIEPcio4UxR4YJR0NiN +Euc2pBVUHdK6bVIcc4ntLc9aaqxVvGj5Nvsy+ptfnUTWJ0MvzyX6mYsp5/iUNAL2 +lLux66+rUqr+GU2o+USNXIQ+CIb1mLZizYtgxYrEjE+fyVJWb9hoEHRIzuzdLI4d +ZMJcCxe2QdHzl1CNtGalC0q4XDXJf9swxW4WjGFODkrdt5tG2zyjJ0WkscgduWCZ +1BBGwp05jg84FtP5DzNE +=JDAl -----END PGP SIGNATURE-----
