Codebase list libseccomp / 5556a3e
Drop all patches, as they have been applied upstream. Felix Geyer 3 years ago
7 changed file(s) with 1 addition(s) and 1084 deletion(s). Raw diff Collapse all Expand all
+1
-0
debian/changelog less more
00 libseccomp (2.5.1-1) UNRELEASED; urgency=medium
11
22 * New upstream release.
3 * Drop all patches as they have been applied upstream.
34
45 -- Felix Geyer <fgeyer@debian.org> Sat, 21 Nov 2020 11:16:08 +0100
56
+0
-629
debian/patches/all_only_request_the_userspace_notification_fd_once.patch less more
0 From 8147801fbc73016491d9caaab0fc740dbdbc989d Mon Sep 17 00:00:00 2001
1 From: Paul Moore <paul@paul-moore.com>
2 Date: Sun, 26 Jul 2020 11:01:49 -0400
3 Subject: [PATCH] all: only request the userspace notification fd once
4
5 It turns out that requesting the seccomp userspace notifcation fd
6 more than once is a bad thing which causes the kernel to complain
7 (rightfully so for a variety of reasons). Unfortunately as we were
8 always requesting the notification fd whenever possible this results
9 in problems at filter load time.
10
11 Our solution is to move the notification fd out of the filter context
12 and into the global task context, using a newly created task_state
13 structure. This allows us to store, and retrieve the notification
14 outside the scope of an individual filter context. It also provides
15 some implementation improvements by giving us a convenient place to
16 stash all of the API level related support variables. We also extend
17 the seccomp_reset() API call to reset this internal global state when
18 passed a NULL filter context.
19
20 There is one potential case which we don't currently handle well:
21 threads. At the moment libseccomp is thread ignorant, and that works
22 well as the only global state up to this point was the currently
23 supported API level information which was common to all threads in a
24 process. Unfortunately, it appears that the notification fd need not
25 be common to all threads in a process, yet this patch treats it as if
26 it is common. I suspect this is a very unusual use case so I decided
27 to keep this patch simple and ignore this case, but in the future if
28 we need to support this properly we should be able to do so without
29 API changes by keeping an internal list of notification fds indexed
30 by gettid(2).
31
32 This fixes the GitHub issue below:
33 * https://github.com/seccomp/libseccomp/issues/273
34
35 Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
36 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
37 Signed-off-by: Paul Moore <paul@paul-moore.com>
38 (imported from commit ce314fe4111887c593e3c6b17c60d93bc6ab66b9)
39 ---
40 doc/man/man3/seccomp_init.3 | 10 +-
41 doc/man/man3/seccomp_notify_alloc.3 | 3 +-
42 src/api.c | 19 ++-
43 src/db.c | 1 -
44 src/db.h | 3 +-
45 src/system.c | 204 ++++++++++++++++++----------
46 src/system.h | 3 +
47 tests/11-basic-basic_errors.c | 9 +-
48 tests/51-live-user_notification.c | 21 +++
49 tests/51-live-user_notification.py | 4 +
50 10 files changed, 187 insertions(+), 90 deletions(-)
51
52 diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
53 index 3ab68fef..87520cd3 100644
54 --- a/doc/man/man3/seccomp_init.3
55 +++ b/doc/man/man3/seccomp_init.3
56 @@ -36,7 +36,15 @@ The
57 function releases the existing filter context state before reinitializing it
58 and can only be called after a call to
59 .BR seccomp_init ()
60 -has succeeded.
61 +has succeeded. If
62 +.BR seccomp_reset ()
63 +is called with a NULL filter, it resets the library's global task state;
64 +normally this is not needed, but it may be required to continue using the
65 +library after a
66 +.BR fork ()
67 +or
68 +.BR clone ()
69 +call to ensure the API level and user notification state is properly reset.
70 .P
71 When the caller is finished configuring the seccomp filter and has loaded it
72 into the kernel, the caller should call
73 diff --git a/doc/man/man3/seccomp_notify_alloc.3 b/doc/man/man3/seccomp_notify_alloc.3
74 index 50c89706..cb1c0480 100644
75 --- a/doc/man/man3/seccomp_notify_alloc.3
76 +++ b/doc/man/man3/seccomp_notify_alloc.3
77 @@ -59,7 +59,8 @@ returns the notification fd of a filter after it has been loaded.
78 .\" //////////////////////////////////////////////////////////////////////////
79 The
80 .BR seccomp_notify_fd ()
81 -returns the notification fd of the loaded filter.
82 +returns the notification fd of the loaded filter, -1 if a notification fd has
83 +not yet been created, and -EINVAL if the filter context is invalid.
84 .P
85 The
86 .BR seccomp_notify_id_valid ()
87 diff --git a/src/api.c b/src/api.c
88 index 00975ad5..5cec0883 100644
89 --- a/src/api.c
90 +++ b/src/api.c
91 @@ -301,10 +301,18 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
92 {
93 struct db_filter_col *col = (struct db_filter_col *)ctx;
94
95 - /* use a NULL filter collection here since we are resetting it */
96 - if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
97 + /* a NULL filter context indicates we are resetting the global state */
98 + if (ctx == NULL) {
99 + /* reset the global state and redetermine the api level */
100 + sys_reset_state();
101 + _seccomp_api_update();
102 + return _rc_filter(0);
103 + }
104 + /* ensure the default action is valid */
105 + if (db_col_action_valid(NULL, def_action) < 0)
106 return _rc_filter(-EINVAL);
107
108 + /* reset the filter */
109 return _rc_filter(db_col_reset(col, def_action));
110 }
111
112 @@ -675,16 +683,17 @@ API int seccomp_notify_id_valid(int fd, uint64_t id)
113 /* NOTE - function header comment in include/seccomp.h */
114 API int seccomp_notify_fd(const scmp_filter_ctx ctx)
115 {
116 - struct db_filter_col *col;
117 + /* NOTE: for historical reasons, and possibly future use, we require a
118 + * valid filter context even though we don't actual use it here; the
119 + * api update is also not strictly necessary, but keep it for now */
120
121 /* force a runtime api level detection */
122 _seccomp_api_update();
123
124 if (_ctx_valid(ctx))
125 return _rc_filter(-EINVAL);
126 - col = (struct db_filter_col *)ctx;
127
128 - return _rc_filter(col->notify_fd);
129 + return _rc_filter(sys_notify_fd());
130 }
131
132 /* NOTE - function header comment in include/seccomp.h */
133 diff --git a/src/db.c b/src/db.c
134 index 4a87ea36..836171ae 100644
135 --- a/src/db.c
136 +++ b/src/db.c
137 @@ -1057,7 +1057,6 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
138 if (col->filters)
139 free(col->filters);
140 col->filters = NULL;
141 - col->notify_fd = -1;
142
143 /* set the endianess to undefined */
144 col->endian = 0;
145 diff --git a/src/db.h b/src/db.h
146 index b96b1049..765c607e 100644
147 --- a/src/db.h
148 +++ b/src/db.h
149 @@ -160,8 +160,7 @@ struct db_filter_col {
150 /* transaction snapshots */
151 struct db_filter_snap *snapshots;
152
153 - /* notification fd that was returned from seccomp() */
154 - int notify_fd;
155 + /* userspace notification */
156 bool notify_used;
157 };
158
159 diff --git a/src/system.c b/src/system.c
160 index 6cdfc16a..3b43b2a9 100644
161 --- a/src/system.c
162 +++ b/src/system.c
163 @@ -40,16 +40,61 @@
164 * our next release we may have to enable the allowlist */
165 #define SYSCALL_ALLOWLIST_ENABLE 0
166
167 -static int _nr_seccomp = -1;
168 -static int _support_seccomp_syscall = -1;
169 -static int _support_seccomp_flag_tsync = -1;
170 -static int _support_seccomp_flag_log = -1;
171 -static int _support_seccomp_action_log = -1;
172 -static int _support_seccomp_kill_process = -1;
173 -static int _support_seccomp_flag_spec_allow = -1;
174 -static int _support_seccomp_flag_new_listener = -1;
175 -static int _support_seccomp_user_notif = -1;
176 -static int _support_seccomp_flag_tsync_esrch = -1;
177 +/* task global state */
178 +struct task_state {
179 + /* seccomp(2) syscall */
180 + int nr_seccomp;
181 +
182 + /* userspace notification fd */
183 + int notify_fd;
184 +
185 + /* runtime support flags */
186 + int sup_syscall;
187 + int sup_flag_tsync;
188 + int sup_flag_log;
189 + int sup_action_log;
190 + int sup_kill_process;
191 + int sup_flag_spec_allow;
192 + int sup_flag_new_listener;
193 + int sup_user_notif;
194 + int sup_flag_tsync_esrch;
195 +};
196 +static struct task_state state = {
197 + .nr_seccomp = -1,
198 +
199 + .notify_fd = -1,
200 +
201 + .sup_syscall = -1,
202 + .sup_flag_tsync = -1,
203 + .sup_flag_log = -1,
204 + .sup_action_log = -1,
205 + .sup_kill_process = -1,
206 + .sup_flag_spec_allow = -1,
207 + .sup_flag_new_listener = -1,
208 + .sup_user_notif = -1,
209 + .sup_flag_tsync_esrch = -1,
210 +};
211 +
212 +/**
213 + * Reset the task state
214 + *
215 + * This function fully resets the library's global "system task state".
216 + *
217 + */
218 +void sys_reset_state(void)
219 +{
220 + state.nr_seccomp = -1;
221 + state.notify_fd = -1;
222 + state.sup_syscall = -1;
223 + state.sup_flag_tsync = -1;
224 + state.sup_flag_log = -1;
225 + state.sup_action_log = -1;
226 + state.sup_kill_process = -1;
227 + state.sup_flag_spec_allow = -1;
228 + state.sup_flag_new_listener = -1;
229 + state.sup_user_notif = -1;
230 + state.sup_flag_tsync_esrch = -1;
231 +}
232
233 /**
234 * Check to see if the seccomp() syscall is supported
235 @@ -68,8 +113,8 @@ int sys_chk_seccomp_syscall(void)
236 /* NOTE: it is reasonably safe to assume that we should be able to call
237 * seccomp() when the caller first starts, but we can't rely on
238 * it later so we need to cache our findings for use later */
239 - if (_support_seccomp_syscall >= 0)
240 - return _support_seccomp_syscall;
241 + if (state.sup_syscall >= 0)
242 + return state.sup_syscall;
243
244 #if SYSCALL_ALLOWLIST_ENABLE
245 /* architecture allowlist */
246 @@ -100,11 +145,11 @@ int sys_chk_seccomp_syscall(void)
247 goto supported;
248
249 unsupported:
250 - _support_seccomp_syscall = 0;
251 + state.sup_syscall = 0;
252 return 0;
253 supported:
254 - _nr_seccomp = nr_seccomp;
255 - _support_seccomp_syscall = 1;
256 + state.nr_seccomp = nr_seccomp;
257 + state.sup_syscall = 1;
258 return 1;
259 }
260
261 @@ -118,7 +163,7 @@ int sys_chk_seccomp_syscall(void)
262 */
263 void sys_set_seccomp_syscall(bool enable)
264 {
265 - _support_seccomp_syscall = (enable ? 1 : 0);
266 + state.sup_syscall = (enable ? 1 : 0);
267 }
268
269 /**
270 @@ -132,16 +177,16 @@ void sys_set_seccomp_syscall(bool enable)
271 int sys_chk_seccomp_action(uint32_t action)
272 {
273 if (action == SCMP_ACT_KILL_PROCESS) {
274 - if (_support_seccomp_kill_process < 0) {
275 + if (state.sup_kill_process < 0) {
276 if (sys_chk_seccomp_syscall() == 1 &&
277 - syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
278 - &action) == 0)
279 - _support_seccomp_kill_process = 1;
280 + syscall(state.nr_seccomp,
281 + SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
282 + state.sup_kill_process = 1;
283 else
284 - _support_seccomp_kill_process = 0;
285 + state.sup_kill_process = 0;
286 }
287
288 - return _support_seccomp_kill_process;
289 + return state.sup_kill_process;
290 } else if (action == SCMP_ACT_KILL_THREAD) {
291 return 1;
292 } else if (action == SCMP_ACT_TRAP) {
293 @@ -152,30 +197,30 @@ int sys_chk_seccomp_action(uint32_t action)
294 } else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
295 return 1;
296 } else if (action == SCMP_ACT_LOG) {
297 - if (_support_seccomp_action_log < 0) {
298 + if (state.sup_action_log < 0) {
299 if (sys_chk_seccomp_syscall() == 1 &&
300 - syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
301 - &action) == 0)
302 - _support_seccomp_action_log = 1;
303 + syscall(state.nr_seccomp,
304 + SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
305 + state.sup_action_log = 1;
306 else
307 - _support_seccomp_action_log = 0;
308 + state.sup_action_log = 0;
309 }
310
311 - return _support_seccomp_action_log;
312 + return state.sup_action_log;
313 } else if (action == SCMP_ACT_ALLOW) {
314 return 1;
315 } else if (action == SCMP_ACT_NOTIFY) {
316 - if (_support_seccomp_user_notif < 0) {
317 + if (state.sup_user_notif < 0) {
318 struct seccomp_notif_sizes sizes;
319 if (sys_chk_seccomp_syscall() == 1 &&
320 - syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
321 - &sizes) == 0)
322 - _support_seccomp_user_notif = 1;
323 + syscall(state.nr_seccomp,
324 + SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0)
325 + state.sup_user_notif = 1;
326 else
327 - _support_seccomp_user_notif = 0;
328 + state.sup_user_notif = 0;
329 }
330
331 - return _support_seccomp_user_notif;
332 + return state.sup_user_notif;
333 }
334
335 return 0;
336 @@ -193,13 +238,13 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
337 {
338 switch (action) {
339 case SCMP_ACT_LOG:
340 - _support_seccomp_action_log = (enable ? 1 : 0);
341 + state.sup_action_log = (enable ? 1 : 0);
342 break;
343 case SCMP_ACT_KILL_PROCESS:
344 - _support_seccomp_kill_process = (enable ? 1 : 0);
345 + state.sup_kill_process = (enable ? 1 : 0);
346 break;
347 case SCMP_ACT_NOTIFY:
348 - _support_seccomp_user_notif = (enable ? 1 : 0);
349 + state.sup_user_notif = (enable ? 1 : 0);
350 break;
351 }
352 }
353 @@ -212,13 +257,14 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
354 * Return one if the flag is supported, zero otherwise.
355 *
356 */
357 -static int _sys_chk_seccomp_flag_kernel(int flag)
358 +static int _sys_chk_flag_kernel(int flag)
359 {
360 /* this is an invalid seccomp(2) call because the last argument
361 * is NULL, but depending on the errno value of EFAULT we can
362 * guess if the filter flag is supported or not */
363 if (sys_chk_seccomp_syscall() == 1 &&
364 - syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
365 + syscall(state.nr_seccomp,
366 + SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
367 errno == EFAULT)
368 return 1;
369
370 @@ -238,29 +284,25 @@ int sys_chk_seccomp_flag(int flag)
371 {
372 switch (flag) {
373 case SECCOMP_FILTER_FLAG_TSYNC:
374 - if (_support_seccomp_flag_tsync < 0)
375 - _support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
376 -
377 - return _support_seccomp_flag_tsync;
378 + if (state.sup_flag_tsync < 0)
379 + state.sup_flag_tsync = _sys_chk_flag_kernel(flag);
380 + return state.sup_flag_tsync;
381 case SECCOMP_FILTER_FLAG_LOG:
382 - if (_support_seccomp_flag_log < 0)
383 - _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
384 -
385 - return _support_seccomp_flag_log;
386 + if (state.sup_flag_log < 0)
387 + state.sup_flag_log = _sys_chk_flag_kernel(flag);
388 + return state.sup_flag_log;
389 case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
390 - if (_support_seccomp_flag_spec_allow < 0)
391 - _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
392 -
393 - return _support_seccomp_flag_spec_allow;
394 + if (state.sup_flag_spec_allow < 0)
395 + state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag);
396 + return state.sup_flag_spec_allow;
397 case SECCOMP_FILTER_FLAG_NEW_LISTENER:
398 - if (_support_seccomp_flag_new_listener < 0)
399 - _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
400 -
401 - return _support_seccomp_flag_new_listener;
402 + if (state.sup_flag_new_listener < 0)
403 + state.sup_flag_new_listener = _sys_chk_flag_kernel(flag);
404 + return state.sup_flag_new_listener;
405 case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
406 - if (_support_seccomp_flag_tsync_esrch < 0)
407 - _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
408 - return _support_seccomp_flag_tsync_esrch;
409 + if (state.sup_flag_tsync_esrch < 0)
410 + state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
411 + return state.sup_flag_tsync_esrch;
412 }
413
414 return -EOPNOTSUPP;
415 @@ -279,19 +321,19 @@ void sys_set_seccomp_flag(int flag, bool enable)
416 {
417 switch (flag) {
418 case SECCOMP_FILTER_FLAG_TSYNC:
419 - _support_seccomp_flag_tsync = (enable ? 1 : 0);
420 + state.sup_flag_tsync = (enable ? 1 : 0);
421 break;
422 case SECCOMP_FILTER_FLAG_LOG:
423 - _support_seccomp_flag_log = (enable ? 1 : 0);
424 + state.sup_flag_log = (enable ? 1 : 0);
425 break;
426 case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
427 - _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
428 + state.sup_flag_spec_allow = (enable ? 1 : 0);
429 break;
430 case SECCOMP_FILTER_FLAG_NEW_LISTENER:
431 - _support_seccomp_flag_new_listener = (enable ? 1 : 0);
432 + state.sup_flag_new_listener = (enable ? 1 : 0);
433 break;
434 case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
435 - _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
436 + state.sup_flag_tsync_esrch = (enable ? 1 : 0);
437 break;
438 }
439 }
440 @@ -324,7 +366,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
441 goto filter_load_out;
442 }
443
444 - tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
445 + tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
446
447 /* load the filter into the kernel */
448 if (sys_chk_seccomp_syscall() == 1) {
449 @@ -333,28 +375,29 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
450 if (col->attr.tsync_enable)
451 flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
452 SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
453 - if (_support_seccomp_user_notif > 0)
454 + if (state.sup_user_notif > 0)
455 flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
456 } else if (col->attr.tsync_enable)
457 flgs |= SECCOMP_FILTER_FLAG_TSYNC;
458 - else if (_support_seccomp_user_notif > 0)
459 + else if (state.sup_user_notif > 0 && state.notify_fd == -1)
460 flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
461 if (col->attr.log_enable)
462 flgs |= SECCOMP_FILTER_FLAG_LOG;
463 if (col->attr.spec_allow)
464 flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
465 - rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
466 + rc = syscall(state.nr_seccomp,
467 + SECCOMP_SET_MODE_FILTER, flgs, prgm);
468 if (tsync_notify && rc > 0) {
469 /* return 0 on NEW_LISTENER success, but save the fd */
470 - col->notify_fd = rc;
471 + state.notify_fd = rc;
472 rc = 0;
473 } else if (rc > 0 && col->attr.tsync_enable) {
474 /* always return -ESRCH if we fail to sync threads */
475 errno = ESRCH;
476 rc = -errno;
477 - } else if (rc > 0 && _support_seccomp_user_notif > 0) {
478 + } else if (rc > 0 && state.sup_user_notif > 0) {
479 /* return 0 on NEW_LISTENER success, but save the fd */
480 - col->notify_fd = rc;
481 + state.notify_fd = rc;
482 rc = 0;
483 }
484 } else
485 @@ -370,6 +413,19 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
486 return rc;
487 }
488
489 +/**
490 + * Return the userspace notification fd
491 + *
492 + * This function returns the userspace notification fd from
493 + * SECCOMP_FILTER_FLAG_NEW_LISTENER. If the notification fd has not yet been
494 + * set, or an error has occurred, -1 is returned.
495 + *
496 + */
497 +int sys_notify_fd(void)
498 +{
499 + return state.notify_fd;
500 +}
501 +
502 /**
503 * Allocate a pair of notification request/response structures
504 * @param req the request location
505 @@ -386,7 +442,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
506 int rc;
507 static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
508
509 - if (_support_seccomp_syscall <= 0)
510 + if (state.sup_syscall <= 0)
511 return -EOPNOTSUPP;
512
513 if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
514 @@ -427,7 +483,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
515 */
516 int sys_notify_receive(int fd, struct seccomp_notif *req)
517 {
518 - if (_support_seccomp_user_notif <= 0)
519 + if (state.sup_user_notif <= 0)
520 return -EOPNOTSUPP;
521
522 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
523 @@ -448,7 +504,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
524 */
525 int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
526 {
527 - if (_support_seccomp_user_notif <= 0)
528 + if (state.sup_user_notif <= 0)
529 return -EOPNOTSUPP;
530
531 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
532 @@ -467,7 +523,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
533 */
534 int sys_notify_id_valid(int fd, uint64_t id)
535 {
536 - if (_support_seccomp_user_notif <= 0)
537 + if (state.sup_user_notif <= 0)
538 return -EOPNOTSUPP;
539
540 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
541 diff --git a/src/system.h b/src/system.h
542 index 133f9b11..096f3cad 100644
543 --- a/src/system.h
544 +++ b/src/system.h
545 @@ -182,6 +182,8 @@ struct seccomp_notif_resp {
546 #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
547 #endif /* SECCOMP_RET_USER_NOTIF */
548
549 +void sys_reset_state(void);
550 +
551 int sys_chk_seccomp_syscall(void);
552 void sys_set_seccomp_syscall(bool enable);
553
554 @@ -193,6 +195,7 @@ void sys_set_seccomp_flag(int flag, bool enable);
555
556 int sys_filter_load(struct db_filter_col *col, bool rawrc);
557
558 +int sys_notify_fd(void);
559 int sys_notify_alloc(struct seccomp_notif **req,
560 struct seccomp_notif_resp **resp);
561 int sys_notify_receive(int fd, struct seccomp_notif *req);
562 diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
563 index d3b22566..da059df2 100644
564 --- a/tests/11-basic-basic_errors.c
565 +++ b/tests/11-basic-basic_errors.c
566 @@ -41,12 +41,9 @@ int main(int argc, char *argv[])
567 seccomp_release(ctx);
568 ctx = NULL;
569
570 - /* seccomp_reset error */
571 - rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1);
572 - if (rc != -EINVAL)
573 - return -1;
574 - rc = seccomp_reset(ctx, SCMP_ACT_KILL);
575 - if (rc != -EINVAL)
576 + /* ensure that seccomp_reset(NULL, ...) is accepted */
577 + rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
578 + if (rc != 0)
579 return -1;
580
581 /* seccomp_load error */
582 diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c
583 index 4340194c..4847d8b1 100644
584 --- a/tests/51-live-user_notification.c
585 +++ b/tests/51-live-user_notification.c
586 @@ -99,6 +99,27 @@ int main(int argc, char *argv[])
587 goto out;
588 }
589
590 + rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
591 + if (rc < 0)
592 + goto out;
593 +
594 + rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
595 + if (rc)
596 + goto out;
597 +
598 + rc = seccomp_load(ctx);
599 + if (rc < 0)
600 + goto out;
601 +
602 + rc = seccomp_notify_fd(ctx);
603 + if (rc < 0)
604 + goto out;
605 + if (rc != fd) {
606 + rc = -EFAULT;
607 + goto out;
608 + } else
609 + rc = 0;
610 +
611 out:
612 if (fd >= 0)
613 close(fd);
614 diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py
615 index 0d81f5e1..3449c44c 100755
616 --- a/tests/51-live-user_notification.py
617 +++ b/tests/51-live-user_notification.py
618 @@ -52,6 +52,10 @@ def test():
619 raise RuntimeError("Child process error")
620 if os.WEXITSTATUS(rc) != 0:
621 raise RuntimeError("Child process error")
622 + f.reset(ALLOW)
623 + f.add_rule(NOTIFY, "getppid")
624 + f.load()
625 + # no easy way to check the notification fd here
626 quit(160)
627
628 test()
+0
-165
debian/patches/arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch less more
0 From d1482eaf5a3643f73bc7f599876e7000c502b3d5 Mon Sep 17 00:00:00 2001
1 From: Paul Moore <paul@paul-moore.com>
2 Date: Sun, 16 Aug 2020 09:56:36 -0400
3 Subject: [PATCH] arch: ensure we don't "munge" pseudo syscall numbers
4
5 A number of arches/ABIs have either syscall offsets (the MIPS
6 family) or specific bits (x32) which are applied to their normal
7 syscall numbers. We generally handle that via "munging" in
8 libseccomp, and it works reasonably well. Unfortunately we were
9 applying this munging process to the negative pseudo syscall
10 numbers as well and this was causing problems.
11
12 This patch fixes the various offset/bit arches/ABIs by not applying
13 the munging to the negative pseudo syscall numbers.
14
15 This resolves GH issue #284:
16 * https://github.com/seccomp/libseccomp/issues/284
17
18 Reported-by: Harald van Dijk <harald@gigawatt.nl>
19 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
20 Signed-off-by: Paul Moore <paul@paul-moore.com>
21 (imported from commit 34cde704979defcbddb8eea64295acf0e477c250)
22 ---
23 src/arch-arm.c | 8 ++++++--
24 src/arch-mips.c | 8 ++++++--
25 src/arch-mips64.c | 8 ++++++--
26 src/arch-mips64n32.c | 8 ++++++--
27 src/arch-x32.c | 8 ++++++--
28 5 files changed, 30 insertions(+), 10 deletions(-)
29
30 diff --git a/src/arch-arm.c b/src/arch-arm.c
31 index 4dd4b631..9c9153ae 100644
32 --- a/src/arch-arm.c
33 +++ b/src/arch-arm.c
34 @@ -50,8 +50,9 @@ int arm_syscall_resolve_name_munge(const char *name)
35 {
36 int sys;
37
38 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
39 sys = arm_syscall_resolve_name(name);
40 - if (sys == __NR_SCMP_ERROR)
41 + if (sys == __NR_SCMP_ERROR || sys < 0)
42 return sys;
43
44 return (sys | __SCMP_NR_BASE);
45 @@ -68,7 +69,10 @@ int arm_syscall_resolve_name_munge(const char *name)
46 */
47 const char *arm_syscall_resolve_num_munge(int num)
48 {
49 - return arm_syscall_resolve_num(num & (~__SCMP_NR_BASE));
50 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
51 + if (num >= 0)
52 + num &= ~__SCMP_NR_BASE;
53 + return arm_syscall_resolve_num(num);
54 }
55
56 const struct arch_def arch_def_arm = {
57 diff --git a/src/arch-mips.c b/src/arch-mips.c
58 index f0e6a143..06741c7f 100644
59 --- a/src/arch-mips.c
60 +++ b/src/arch-mips.c
61 @@ -43,8 +43,9 @@ int mips_syscall_resolve_name_munge(const char *name)
62 {
63 int sys;
64
65 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
66 sys = mips_syscall_resolve_name(name);
67 - if (sys == __NR_SCMP_ERROR)
68 + if (sys == __NR_SCMP_ERROR || sys < 0)
69 return sys;
70
71 return sys + __SCMP_NR_BASE;
72 @@ -61,7 +62,10 @@ int mips_syscall_resolve_name_munge(const char *name)
73 */
74 const char *mips_syscall_resolve_num_munge(int num)
75 {
76 - return mips_syscall_resolve_num(num - __SCMP_NR_BASE);
77 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
78 + if (num >= __SCMP_NR_BASE)
79 + num -= __SCMP_NR_BASE;
80 + return mips_syscall_resolve_num(num);
81 }
82
83 const struct arch_def arch_def_mips = {
84 diff --git a/src/arch-mips64.c b/src/arch-mips64.c
85 index 9707d1c5..342d0d88 100644
86 --- a/src/arch-mips64.c
87 +++ b/src/arch-mips64.c
88 @@ -41,8 +41,9 @@ int mips64_syscall_resolve_name_munge(const char *name)
89 {
90 int sys;
91
92 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
93 sys = mips64_syscall_resolve_name(name);
94 - if (sys == __NR_SCMP_ERROR)
95 + if (sys == __NR_SCMP_ERROR || sys < 0)
96 return sys;
97
98 return sys + __SCMP_NR_BASE;
99 @@ -59,7 +60,10 @@ int mips64_syscall_resolve_name_munge(const char *name)
100 */
101 const char *mips64_syscall_resolve_num_munge(int num)
102 {
103 - return mips64_syscall_resolve_num(num - __SCMP_NR_BASE);
104 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
105 + if (num >= __SCMP_NR_BASE)
106 + num -= __SCMP_NR_BASE;
107 + return mips64_syscall_resolve_num(num);
108 }
109
110 const struct arch_def arch_def_mips64 = {
111 diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c
112 index f8088aee..098864be 100644
113 --- a/src/arch-mips64n32.c
114 +++ b/src/arch-mips64n32.c
115 @@ -43,8 +43,9 @@ int mips64n32_syscall_resolve_name_munge(const char *name)
116 {
117 int sys;
118
119 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
120 sys = mips64n32_syscall_resolve_name(name);
121 - if (sys == __NR_SCMP_ERROR)
122 + if (sys == __NR_SCMP_ERROR || sys < 0)
123 return sys;
124
125 return sys + __SCMP_NR_BASE;
126 @@ -61,7 +62,10 @@ int mips64n32_syscall_resolve_name_munge(const char *name)
127 */
128 const char *mips64n32_syscall_resolve_num_munge(int num)
129 {
130 - return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE);
131 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
132 + if (num >= __SCMP_NR_BASE)
133 + num -= __SCMP_NR_BASE;
134 + return mips64n32_syscall_resolve_num(num);
135 }
136
137 const struct arch_def arch_def_mips64n32 = {
138 diff --git a/src/arch-x32.c b/src/arch-x32.c
139 index 38909681..50c502ee 100644
140 --- a/src/arch-x32.c
141 +++ b/src/arch-x32.c
142 @@ -39,8 +39,9 @@ int x32_syscall_resolve_name_munge(const char *name)
143 {
144 int sys;
145
146 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
147 sys = x32_syscall_resolve_name(name);
148 - if (sys == __NR_SCMP_ERROR)
149 + if (sys == __NR_SCMP_ERROR || sys < 0)
150 return sys;
151
152 return (sys | X32_SYSCALL_BIT);
153 @@ -57,7 +58,10 @@ int x32_syscall_resolve_name_munge(const char *name)
154 */
155 const char *x32_syscall_resolve_num_munge(int num)
156 {
157 - return x32_syscall_resolve_num(num & (~X32_SYSCALL_BIT));
158 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
159 + if (num >= 0)
160 + num &= ~X32_SYSCALL_BIT;
161 + return x32_syscall_resolve_num(num);
162 }
163
164 const struct arch_def arch_def_x32 = {
+0
-55
debian/patches/build_undefine_mips_to_prevent_build_problems.patch less more
0 From 3e1a828777f097e55cd831cf7e7f617057c801c5 Mon Sep 17 00:00:00 2001
1 From: Paul Moore <paul@paul-moore.com>
2 Date: Sun, 2 Aug 2020 09:57:39 -0400
3 Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
4 targets
5
6 It turns out that the MIPS GCC compiler defines a "mips" cpp macro
7 which was resulting in build failures on MIPS so we need to
8 undefine the "mips" macro during build. As this should be safe
9 to do in all architectures, just add it to the compiler flags by
10 default.
11
12 This was reported in the following GH issue:
13 * https://github.com/seccomp/libseccomp/issues/274
14
15 Reported-by: Rongwei Zhang <pudh4418@gmail.com>
16 Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
17 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
18 Signed-off-by: Paul Moore <paul@paul-moore.com>
19 (imported from commit 5cd9059618a0810ee47c21e6b44c5a876b75e23d)
20 ---
21 configure.ac | 4 +++-
22 src/Makefile.am | 2 +-
23 2 files changed, 4 insertions(+), 2 deletions(-)
24
25 diff --git a/configure.ac b/configure.ac
26 index d47c25ca..7b91c7af 100644
27 --- a/configure.ac
28 +++ b/configure.ac
29 @@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
30
31 dnl ####
32 dnl build flags
33 +dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
34 +dnl for us which wreaks havoc on the build
35 dnl ####
36 AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
37 -AM_CFLAGS="-Wall"
38 +AM_CFLAGS="-Wall -Umips"
39 AM_LDFLAGS="-Wl,-z -Wl,relro"
40 AC_SUBST([AM_CPPFLAGS])
41 AC_SUBST([AM_CFLAGS])
42 diff --git a/src/Makefile.am b/src/Makefile.am
43 index 8d8b97ff..10154e14 100644
44 --- a/src/Makefile.am
45 +++ b/src/Makefile.am
46 @@ -61,7 +61,7 @@ lib_LTLIBRARIES = libseccomp.la
47 arch_syscall_dump_SOURCES = arch-syscall-dump.c ${SOURCES_ALL}
48
49 arch_syscall_check_SOURCES = arch-syscall-check.c ${SOURCES_ALL}
50 -arch_syscall_check_CFLAGS = ${CODE_COVERAGE_CFLAGS}
51 +arch_syscall_check_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS}
52 arch_syscall_check_LDFLAGS = ${CODE_COVERAGE_LDFLAGS}
53
54 libseccomp_la_SOURCES = ${SOURCES_ALL}
+0
-5
debian/patches/series less more
0 all_only_request_the_userspace_notification_fd_once.patch
1 system_change_our_notification_fd_handling.patch
2 build_undefine_mips_to_prevent_build_problems.patch
3 tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch
4 arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch
+0
-92
debian/patches/system_change_our_notification_fd_handling.patch less more
0 From 1db3b323d8b61eb83a186013422e57b75b18ace0 Mon Sep 17 00:00:00 2001
1 From: Paul Moore <paul@paul-moore.com>
2 Date: Tue, 4 Aug 2020 10:52:08 -0400
3 Subject: [PATCH] system: change our notification fd handling
4
5 This commit changes how we handle the notification fd by only
6 requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
7 in it. We also augment the seccomp_reset(NULL, ...) behavior so
8 that it closes the notification fd before resetting the global
9 state; applications that need to keep their notification fd open
10 across a call to seccomp_reset(NULL, ...) can simply dup() it.
11 Although one would have to wonder why the application would be
12 calling seccomp_reset(NULL, ...) in that case.
13
14 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
15 Signed-off-by: Paul Moore <paul@paul-moore.com>
16 (imported from commit 02812f99e8d1df2e671dac675b4af663d0266303)
17 ---
18 doc/man/man3/seccomp_init.3 | 6 ++++--
19 src/system.c | 18 +++++++++++++++---
20 2 files changed, 19 insertions(+), 5 deletions(-)
21
22 diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
23 index 87520cd3..7881c357 100644
24 --- a/doc/man/man3/seccomp_init.3
25 +++ b/doc/man/man3/seccomp_init.3
26 @@ -38,8 +38,10 @@ and can only be called after a call to
27 .BR seccomp_init ()
28 has succeeded. If
29 .BR seccomp_reset ()
30 -is called with a NULL filter, it resets the library's global task state;
31 -normally this is not needed, but it may be required to continue using the
32 +is called with a NULL filter, it resets the library's global task state,
33 +including any notification file descriptors retrieved by
34 +.BR seccomp_notify_fd(3) .
35 +Normally this is not needed, but it may be required to continue using the
36 library after a
37 .BR fork ()
38 or
39 diff --git a/src/system.c b/src/system.c
40 index 3b43b2a9..c646c65e 100644
41 --- a/src/system.c
42 +++ b/src/system.c
43 @@ -84,7 +84,11 @@ static struct task_state state = {
44 void sys_reset_state(void)
45 {
46 state.nr_seccomp = -1;
47 +
48 + if (state.notify_fd > 0)
49 + close(state.notify_fd);
50 state.notify_fd = -1;
51 +
52 state.sup_syscall = -1;
53 state.sup_flag_tsync = -1;
54 state.sup_flag_log = -1;
55 @@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
56 {
57 int rc;
58 bool tsync_notify;
59 + bool listener_req;
60 struct bpf_program *prgm = NULL;
61
62 rc = gen_bpf_generate(col, &prgm);
63 @@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
64 }
65
66 tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
67 + listener_req = state.sup_user_notif > 0 && \
68 + col->notify_used && state.notify_fd == -1;
69
70 /* load the filter into the kernel */
71 if (sys_chk_seccomp_syscall() == 1) {
72 @@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
73 if (col->attr.tsync_enable)
74 flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
75 SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
76 - if (state.sup_user_notif > 0)
77 + if (listener_req)
78 flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
79 - } else if (col->attr.tsync_enable)
80 + } else if (col->attr.tsync_enable) {
81 + if (listener_req) {
82 + /* NOTE: we _should_ catch this in db.c */
83 + rc = -EFAULT;
84 + goto filter_load_out;
85 + }
86 flgs |= SECCOMP_FILTER_FLAG_TSYNC;
87 - else if (state.sup_user_notif > 0 && state.notify_fd == -1)
88 + } else if (listener_req)
89 flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
90 if (col->attr.log_enable)
91 flgs |= SECCOMP_FILTER_FLAG_LOG;
+0
-138
debian/patches/tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch less more
0 From cc580a514f05a7fc1f412f66ed002dd8aee89618 Mon Sep 17 00:00:00 2001
1 From: Andreas Schwab <schwab@suse.de>
2 Date: Tue, 18 Aug 2020 15:59:54 +0200
3 Subject: [PATCH] tests: use openat and fstat instead of open and stat syscalls
4 in tests 04 and 06
5
6 Architectures like aarch64 and riscv64, and all future architectures that
7 use the generic syscall table, do not support the open and stat syscalls.
8 Use the openat and fstat syscalls instead.
9
10 Signed-off-by: Andreas Schwab <schwab@suse.de>
11 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
12 Signed-off-by: Paul Moore <paul@paul-moore.com>
13 (imported from commit a317fabc1fd915f19f7e7326bf7dcb77493f1210)
14 ---
15 tests/04-sim-multilevel_chains.c | 2 +-
16 tests/04-sim-multilevel_chains.py | 2 +-
17 tests/04-sim-multilevel_chains.tests | 8 +++++---
18 tests/06-sim-actions.c | 4 ++--
19 tests/06-sim-actions.py | 4 ++--
20 tests/06-sim-actions.tests | 16 +++++++++-------
21 6 files changed, 20 insertions(+), 16 deletions(-)
22
23 diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
24 index a660b40d..e3e4f9bd 100644
25 --- a/tests/04-sim-multilevel_chains.c
26 +++ b/tests/04-sim-multilevel_chains.c
27 @@ -41,7 +41,7 @@ int main(int argc, char *argv[])
28 if (ctx == NULL)
29 return ENOMEM;
30
31 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
32 + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
33 if (rc != 0)
34 goto out;
35
36 diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py
37 index bcf1ee46..a5127a2b 100755
38 --- a/tests/04-sim-multilevel_chains.py
39 +++ b/tests/04-sim-multilevel_chains.py
40 @@ -30,7 +30,7 @@
41
42 def test(args):
43 f = SyscallFilter(KILL)
44 - f.add_rule(ALLOW, "open")
45 + f.add_rule(ALLOW, "openat")
46 f.add_rule(ALLOW, "close")
47 f.add_rule(ALLOW, "read",
48 Arg(0, EQ, sys.stdin.fileno()),
49 diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
50 index 6613f9a0..b6f75761 100644
51 --- a/tests/04-sim-multilevel_chains.tests
52 +++ b/tests/04-sim-multilevel_chains.tests
53 @@ -8,7 +8,7 @@
54 test type: bpf-sim
55
56 # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
57 -04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW
58 +04-sim-multilevel_chains all openat 0 0x856B008 4 N N N ALLOW
59 04-sim-multilevel_chains all close 4 N N N N N ALLOW
60 04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
61 04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
62 @@ -27,9 +27,11 @@ test type: bpf-sim
63 04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
64 04-sim-multilevel_chains x86 0-2 N N N N N N KILL
65 04-sim-multilevel_chains x86 7-172 N N N N N N KILL
66 -04-sim-multilevel_chains x86 174-350 N N N N N N KILL
67 +04-sim-multilevel_chains x86 174-294 N N N N N N KILL
68 +04-sim-multilevel_chains x86 296-350 N N N N N N KILL
69 04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
70 -04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
71 +04-sim-multilevel_chains x86_64 16-256 N N N N N N KILL
72 +04-sim-multilevel_chains x86_64 258-350 N N N N N N KILL
73
74 test type: bpf-sim-fuzz
75
76 diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
77 index 10b366c9..da636c94 100644
78 --- a/tests/06-sim-actions.c
79 +++ b/tests/06-sim-actions.c
80 @@ -60,11 +60,11 @@ int main(int argc, char *argv[])
81 if (rc != 0)
82 goto out;
83
84 - rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
85 + rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0);
86 if (rc != 0)
87 goto out;
88
89 - rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(stat), 0);
90 + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
91 if (rc != 0)
92 goto out;
93
94 diff --git a/tests/06-sim-actions.py b/tests/06-sim-actions.py
95 index f14d6ed8..253061df 100755
96 --- a/tests/06-sim-actions.py
97 +++ b/tests/06-sim-actions.py
98 @@ -37,8 +37,8 @@ def test(args):
99 f.add_rule(LOG, "rt_sigreturn")
100 f.add_rule(ERRNO(errno.EPERM), "write")
101 f.add_rule(TRAP, "close")
102 - f.add_rule(TRACE(1234), "open")
103 - f.add_rule(KILL_PROCESS, "stat")
104 + f.add_rule(TRACE(1234), "openat")
105 + f.add_rule(KILL_PROCESS, "fstat")
106 return f
107
108 args = util.get_opt()
109 diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
110 index b830917e..1ef38b32 100644
111 --- a/tests/06-sim-actions.tests
112 +++ b/tests/06-sim-actions.tests
113 @@ -11,15 +11,17 @@ test type: bpf-sim
114 06-sim-actions all read 4 0x856B008 80 N N N ALLOW
115 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
116 06-sim-actions all close 4 N N N N N TRAP
117 -06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
118 -06-sim-actions all,-aarch64 stat N N N N N N KILL_PROCESS
119 +06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234)
120 +06-sim-actions all fstat N N N N N N KILL_PROCESS
121 06-sim-actions all rt_sigreturn N N N N N N LOG
122 06-sim-actions x86 0-2 N N N N N N KILL
123 -06-sim-actions x86 7-105 N N N N N N KILL
124 -06-sim-actions x86 107-172 N N N N N N KILL
125 -06-sim-actions x86 174-350 N N N N N N KILL
126 -06-sim-actions x86_64 5-14 N N N N N N KILL
127 -06-sim-actions x86_64 16-350 N N N N N N KILL
128 +06-sim-actions x86 7-107 N N N N N N KILL
129 +06-sim-actions x86 109-172 N N N N N N KILL
130 +06-sim-actions x86 174-294 N N N N N N KILL
131 +06-sim-actions x86 296-350 N N N N N N KILL
132 +06-sim-actions x86_64 6-14 N N N N N N KILL
133 +06-sim-actions x86_64 16-256 N N N N N N KILL
134 +06-sim-actions x86_64 258-350 N N N N N N KILL
135
136 test type: bpf-sim-fuzz
137