Codebase list libseccomp / 93d69fb
Revert mips and powerpc multiplexed syscall handling. Fixes test suite failures. (Closes: #994285) Felix Geyer 2 years ago
6 changed file(s) with 6776 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+7
-0
debian/changelog less more
0 libseccomp (2.5.2-2) UNRELEASED; urgency=medium
1
2 * Revert mips and powerpc multiplexed syscall handling.
3 - Fixes test suite failures. (Closes: #994285)
4
5 -- Felix Geyer <fgeyer@debian.org> Thu, 30 Sep 2021 19:43:25 +0200
6
07 libseccomp (2.5.2-1) unstable; urgency=medium
18
29 * New upstream release.
+4520
-0
debian/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch less more
0 REVERTS
1
2 From f454456e261930d94b3a1a444b6bac75c11c3cb0 Mon Sep 17 00:00:00 2001
3 From: Paul Moore <paul@paul-moore.com>
4 Date: Wed, 4 Aug 2021 11:51:12 -0400
5 Subject: [PATCH] arch: consolidate all of the multiplexed syscall handling
6
7 Not only does this reduce the amount of duplicated code
8 significantly, it removes a lot of the "magic" numbers in the
9 code, and it happened to catch some bugs too.
10
11 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
12 Signed-off-by: Paul Moore <paul@paul-moore.com>
13
14 (imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc)
15
16 diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c
17 --- a/src/arch-aarch64.c
18 +++ b/src/arch-aarch64.c
19 @@ -31,8 +31,8 @@ const struct arch_def arch_def_aarch64 = {
20 .token_bpf = AUDIT_ARCH_AARCH64,
21 .size = ARCH_SIZE_64,
22 .endian = ARCH_ENDIAN_LITTLE,
23 - .syscall_resolve_name_raw = aarch64_syscall_resolve_name,
24 - .syscall_resolve_num_raw = aarch64_syscall_resolve_num,
25 + .syscall_resolve_name = aarch64_syscall_resolve_name,
26 + .syscall_resolve_num = aarch64_syscall_resolve_num,
27 .syscall_rewrite = NULL,
28 .rule_add = NULL,
29 };
30 diff --git a/src/arch-arm.c b/src/arch-arm.c
31 --- a/src/arch-arm.c
32 +++ b/src/arch-arm.c
33 @@ -39,7 +39,6 @@
34
35 /**
36 * Resolve a syscall name to a number
37 - * @param arch the architecture definition
38 * @param name the syscall name
39 *
40 * Resolve the given syscall name to the syscall number using the syscall table.
41 @@ -47,13 +46,12 @@
42 * numbers; returns __NR_SCMP_ERROR on failure.
43 *
44 */
45 -int arm_syscall_resolve_name_munge(const struct arch_def *arch,
46 - const char *name)
47 +int arm_syscall_resolve_name_munge(const char *name)
48 {
49 int sys;
50
51 /* NOTE: we don't want to modify the pseudo-syscall numbers */
52 - sys = arch->syscall_resolve_name_raw(name);
53 + sys = arm_syscall_resolve_name(name);
54 if (sys == __NR_SCMP_ERROR || sys < 0)
55 return sys;
56
57 @@ -62,7 +60,6 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch,
58
59 /**
60 * Resolve a syscall number to a name
61 - * @param arch the architecture definition
62 * @param num the syscall number
63 *
64 * Resolve the given syscall number to the syscall name using the syscall table.
65 @@ -70,12 +67,12 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch,
66 * syscall names; returns NULL on failure.
67 *
68 */
69 -const char *arm_syscall_resolve_num_munge(const struct arch_def *arch, int num)
70 +const char *arm_syscall_resolve_num_munge(int num)
71 {
72 /* NOTE: we don't want to modify the pseudo-syscall numbers */
73 if (num >= 0)
74 num &= ~__SCMP_NR_BASE;
75 - return arch->syscall_resolve_num_raw(num);
76 + return arm_syscall_resolve_num(num);
77 }
78
79 const struct arch_def arch_def_arm = {
80 @@ -84,9 +81,7 @@ const struct arch_def arch_def_arm = {
81 .size = ARCH_SIZE_32,
82 .endian = ARCH_ENDIAN_LITTLE,
83 .syscall_resolve_name = arm_syscall_resolve_name_munge,
84 - .syscall_resolve_name_raw = arm_syscall_resolve_name,
85 .syscall_resolve_num = arm_syscall_resolve_num_munge,
86 - .syscall_resolve_num_raw = arm_syscall_resolve_num,
87 .syscall_rewrite = NULL,
88 .rule_add = NULL,
89 };
90 diff --git a/src/arch-mips.c b/src/arch-mips.c
91 --- a/src/arch-mips.c
92 +++ b/src/arch-mips.c
93 @@ -30,23 +30,535 @@
94 #include "arch.h"
95 #include "arch-mips.h"
96
97 +/* O32 ABI */
98 +#define __SCMP_NR_BASE 4000
99 +
100 /* mips syscall numbers */
101 #define __mips_NR_socketcall 102
102 #define __mips_NR_ipc 117
103
104 +/**
105 + * Resolve a syscall name to a number
106 + * @param name the syscall name
107 + *
108 + * Resolve the given syscall name to the syscall number using the syscall table.
109 + * Returns the syscall number on success, including negative pseudo syscall
110 + * numbers; returns __NR_SCMP_ERROR on failure.
111 + *
112 + */
113 +int mips_syscall_resolve_name_munge(const char *name)
114 +{
115 +
116 +#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
117 + if (!strcmp(name, #NAME)) return __PNR_##NAME;
118 +
119 + _ABI_SYSCALL_RES_NAME_CHK(socket)
120 + _ABI_SYSCALL_RES_NAME_CHK(bind)
121 + _ABI_SYSCALL_RES_NAME_CHK(connect)
122 + _ABI_SYSCALL_RES_NAME_CHK(listen)
123 + _ABI_SYSCALL_RES_NAME_CHK(accept)
124 + _ABI_SYSCALL_RES_NAME_CHK(getsockname)
125 + _ABI_SYSCALL_RES_NAME_CHK(getpeername)
126 + _ABI_SYSCALL_RES_NAME_CHK(socketpair)
127 + _ABI_SYSCALL_RES_NAME_CHK(send)
128 + _ABI_SYSCALL_RES_NAME_CHK(recv)
129 + _ABI_SYSCALL_RES_NAME_CHK(sendto)
130 + _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
131 + _ABI_SYSCALL_RES_NAME_CHK(shutdown)
132 + _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
133 + _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
134 + _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
135 + _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
136 + _ABI_SYSCALL_RES_NAME_CHK(accept4)
137 + _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
138 + _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
139 + _ABI_SYSCALL_RES_NAME_CHK(semop)
140 + _ABI_SYSCALL_RES_NAME_CHK(semget)
141 + _ABI_SYSCALL_RES_NAME_CHK(semctl)
142 + _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
143 + _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
144 + _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
145 + _ABI_SYSCALL_RES_NAME_CHK(msgget)
146 + _ABI_SYSCALL_RES_NAME_CHK(msgctl)
147 + _ABI_SYSCALL_RES_NAME_CHK(shmat)
148 + _ABI_SYSCALL_RES_NAME_CHK(shmdt)
149 + _ABI_SYSCALL_RES_NAME_CHK(shmget)
150 + _ABI_SYSCALL_RES_NAME_CHK(shmctl)
151 +
152 + return mips_syscall_resolve_name(name);
153 +}
154 +
155 +/**
156 + * Resolve a syscall number to a name
157 + * @param num the syscall number
158 + *
159 + * Resolve the given syscall number to the syscall name using the syscall table.
160 + * Returns a pointer to the syscall name string on success, including pseudo
161 + * syscall names; returns NULL on failure.
162 + *
163 + */
164 +const char *mips_syscall_resolve_num_munge(int num)
165 +{
166 +
167 +#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
168 + if (num == __PNR_##NAME) return #NAME;
169 +
170 + _ABI_SYSCALL_RES_NUM_CHK(socket)
171 + _ABI_SYSCALL_RES_NUM_CHK(bind)
172 + _ABI_SYSCALL_RES_NUM_CHK(connect)
173 + _ABI_SYSCALL_RES_NUM_CHK(listen)
174 + _ABI_SYSCALL_RES_NUM_CHK(accept)
175 + _ABI_SYSCALL_RES_NUM_CHK(getsockname)
176 + _ABI_SYSCALL_RES_NUM_CHK(getpeername)
177 + _ABI_SYSCALL_RES_NUM_CHK(socketpair)
178 + _ABI_SYSCALL_RES_NUM_CHK(send)
179 + _ABI_SYSCALL_RES_NUM_CHK(recv)
180 + _ABI_SYSCALL_RES_NUM_CHK(sendto)
181 + _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
182 + _ABI_SYSCALL_RES_NUM_CHK(shutdown)
183 + _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
184 + _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
185 + _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
186 + _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
187 + _ABI_SYSCALL_RES_NUM_CHK(accept4)
188 + _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
189 + _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
190 + _ABI_SYSCALL_RES_NUM_CHK(semop)
191 + _ABI_SYSCALL_RES_NUM_CHK(semget)
192 + _ABI_SYSCALL_RES_NUM_CHK(semctl)
193 + _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
194 + _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
195 + _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
196 + _ABI_SYSCALL_RES_NUM_CHK(msgget)
197 + _ABI_SYSCALL_RES_NUM_CHK(msgctl)
198 + _ABI_SYSCALL_RES_NUM_CHK(shmat)
199 + _ABI_SYSCALL_RES_NUM_CHK(shmdt)
200 + _ABI_SYSCALL_RES_NUM_CHK(shmget)
201 + _ABI_SYSCALL_RES_NUM_CHK(shmctl)
202 +
203 + return mips_syscall_resolve_num(num);
204 +}
205 +
206 +/**
207 + * Check if a syscall is a socket syscall
208 + * @param sys the syscall number
209 + *
210 + * Returns true if the syscall is a socket related syscall, false otherwise.
211 + *
212 + */
213 +static bool _mips_syscall_socket_test(int sys)
214 +{
215 + const char *name;
216 +
217 + /* multiplexed pseduo-syscalls */
218 + if (sys <= -100 && sys >= -120)
219 + return true;
220 +
221 + name = mips_syscall_resolve_num(sys);
222 + if (!name)
223 + return false;
224 +
225 +#define _ABI_SYSCALL_SOCK_CHK(NAME) \
226 + if (!strcmp(name, #NAME)) return true;
227 +
228 + _ABI_SYSCALL_SOCK_CHK(socket)
229 + _ABI_SYSCALL_SOCK_CHK(bind)
230 + _ABI_SYSCALL_SOCK_CHK(connect)
231 + _ABI_SYSCALL_SOCK_CHK(listen)
232 + _ABI_SYSCALL_SOCK_CHK(accept)
233 + _ABI_SYSCALL_SOCK_CHK(getsockname)
234 + _ABI_SYSCALL_SOCK_CHK(getpeername)
235 + _ABI_SYSCALL_SOCK_CHK(socketpair)
236 + _ABI_SYSCALL_SOCK_CHK(send)
237 + _ABI_SYSCALL_SOCK_CHK(recv)
238 + _ABI_SYSCALL_SOCK_CHK(sendto)
239 + _ABI_SYSCALL_SOCK_CHK(recvfrom)
240 + _ABI_SYSCALL_SOCK_CHK(shutdown)
241 + _ABI_SYSCALL_SOCK_CHK(setsockopt)
242 + _ABI_SYSCALL_SOCK_CHK(getsockopt)
243 + _ABI_SYSCALL_SOCK_CHK(sendmsg)
244 + _ABI_SYSCALL_SOCK_CHK(recvmsg)
245 + _ABI_SYSCALL_SOCK_CHK(accept4)
246 + _ABI_SYSCALL_SOCK_CHK(recvmmsg)
247 + _ABI_SYSCALL_SOCK_CHK(sendmmsg)
248 +
249 + return false;
250 +}
251 +
252 +/**
253 + * Check if a syscall is an ipc syscall
254 + * @param sys the syscall number
255 + *
256 + * Returns true if the syscall is an ipc related syscall, false otherwise.
257 + *
258 + */
259 +static bool _mips_syscall_ipc_test(int sys)
260 +{
261 + const char *name;
262 +
263 + /* multiplexed pseduo-syscalls */
264 + if (sys <= -200 && sys >= -224)
265 + return true;
266 +
267 + name = mips_syscall_resolve_num(sys);
268 + if (!name)
269 + return false;
270 +
271 +#define _ABI_SYSCALL_IPC_CHK(NAME) \
272 + if (!strcmp(name, #NAME)) return true;
273 +
274 + _ABI_SYSCALL_IPC_CHK(semop)
275 + _ABI_SYSCALL_IPC_CHK(semget)
276 + _ABI_SYSCALL_IPC_CHK(semctl)
277 + _ABI_SYSCALL_IPC_CHK(semtimedop)
278 + _ABI_SYSCALL_IPC_CHK(msgsnd)
279 + _ABI_SYSCALL_IPC_CHK(msgrcv)
280 + _ABI_SYSCALL_IPC_CHK(msgget)
281 + _ABI_SYSCALL_IPC_CHK(msgctl)
282 + _ABI_SYSCALL_IPC_CHK(shmat)
283 + _ABI_SYSCALL_IPC_CHK(shmdt)
284 + _ABI_SYSCALL_IPC_CHK(shmget)
285 + _ABI_SYSCALL_IPC_CHK(shmctl)
286 +
287 + return false;
288 +}
289 +
290 +/**
291 + * Convert a multiplexed pseudo syscall into a direct syscall
292 + * @param syscall the multiplexed pseudo syscall number
293 + *
294 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
295 + * no related syscall, or __NR_SCMP_ERROR otherwise.
296 + *
297 + */
298 +static int _mips_syscall_demux(int syscall)
299 +{
300 + int sys = __NR_SCMP_UNDEF;
301 +
302 +#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
303 +case __PNR_##NAME: \
304 + sys = mips_syscall_resolve_name(#NAME); break;
305 +
306 + switch (syscall) {
307 + _ABI_SYSCALL_DEMUX_CHK(socket)
308 + _ABI_SYSCALL_DEMUX_CHK(bind)
309 + _ABI_SYSCALL_DEMUX_CHK(connect)
310 + _ABI_SYSCALL_DEMUX_CHK(listen)
311 + _ABI_SYSCALL_DEMUX_CHK(accept)
312 + _ABI_SYSCALL_DEMUX_CHK(getsockname)
313 + _ABI_SYSCALL_DEMUX_CHK(getpeername)
314 + _ABI_SYSCALL_DEMUX_CHK(socketpair)
315 + _ABI_SYSCALL_DEMUX_CHK(send)
316 + _ABI_SYSCALL_DEMUX_CHK(recv)
317 + _ABI_SYSCALL_DEMUX_CHK(sendto)
318 + _ABI_SYSCALL_DEMUX_CHK(recvfrom)
319 + _ABI_SYSCALL_DEMUX_CHK(shutdown)
320 + _ABI_SYSCALL_DEMUX_CHK(setsockopt)
321 + _ABI_SYSCALL_DEMUX_CHK(getsockopt)
322 + _ABI_SYSCALL_DEMUX_CHK(sendmsg)
323 + _ABI_SYSCALL_DEMUX_CHK(recvmsg)
324 + _ABI_SYSCALL_DEMUX_CHK(accept4)
325 + _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
326 + _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
327 + _ABI_SYSCALL_DEMUX_CHK(semop)
328 + _ABI_SYSCALL_DEMUX_CHK(semget)
329 + _ABI_SYSCALL_DEMUX_CHK(semctl)
330 + _ABI_SYSCALL_DEMUX_CHK(semtimedop)
331 + _ABI_SYSCALL_DEMUX_CHK(msgsnd)
332 + _ABI_SYSCALL_DEMUX_CHK(msgrcv)
333 + _ABI_SYSCALL_DEMUX_CHK(msgget)
334 + _ABI_SYSCALL_DEMUX_CHK(msgctl)
335 + _ABI_SYSCALL_DEMUX_CHK(shmat)
336 + _ABI_SYSCALL_DEMUX_CHK(shmdt)
337 + _ABI_SYSCALL_DEMUX_CHK(shmget)
338 + _ABI_SYSCALL_DEMUX_CHK(shmctl)
339 + }
340 +
341 + /* this looks odd because the arch resolver returns _ERROR if it can't
342 + * resolve the syscall, but we want to use _UNDEF for that, so we set
343 + * 'sys' to a sentinel value of _UNDEF and if it is error here we know
344 + * the resolve failed to find a match */
345 + if (sys == __NR_SCMP_UNDEF)
346 + sys = __NR_SCMP_ERROR;
347 + else if (sys == __NR_SCMP_ERROR)
348 + sys = __NR_SCMP_UNDEF;
349 +
350 + return sys;
351 +}
352 +
353 +/**
354 + * Convert a direct syscall into multiplexed pseudo socket syscall
355 + * @param syscall the direct syscall
356 + *
357 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
358 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
359 + *
360 + */
361 +static int _mips_syscall_mux(int syscall)
362 +{
363 + const char *sys;
364 +
365 + sys = mips_syscall_resolve_num(syscall);
366 + if (!sys)
367 + return __NR_SCMP_ERROR;
368 +
369 +#define _ABI_SYSCALL_MUX_CHK(NAME) \
370 + if (!strcmp(sys, #NAME)) return __PNR_##NAME;
371 +
372 + _ABI_SYSCALL_MUX_CHK(socket)
373 + _ABI_SYSCALL_MUX_CHK(bind)
374 + _ABI_SYSCALL_MUX_CHK(connect)
375 + _ABI_SYSCALL_MUX_CHK(listen)
376 + _ABI_SYSCALL_MUX_CHK(accept)
377 + _ABI_SYSCALL_MUX_CHK(getsockname)
378 + _ABI_SYSCALL_MUX_CHK(getpeername)
379 + _ABI_SYSCALL_MUX_CHK(socketpair)
380 + _ABI_SYSCALL_MUX_CHK(send)
381 + _ABI_SYSCALL_MUX_CHK(recv)
382 + _ABI_SYSCALL_MUX_CHK(sendto)
383 + _ABI_SYSCALL_MUX_CHK(recvfrom)
384 + _ABI_SYSCALL_MUX_CHK(shutdown)
385 + _ABI_SYSCALL_MUX_CHK(setsockopt)
386 + _ABI_SYSCALL_MUX_CHK(getsockopt)
387 + _ABI_SYSCALL_MUX_CHK(sendmsg)
388 + _ABI_SYSCALL_MUX_CHK(recvmsg)
389 + _ABI_SYSCALL_MUX_CHK(accept4)
390 + _ABI_SYSCALL_MUX_CHK(recvmmsg)
391 + _ABI_SYSCALL_MUX_CHK(sendmmsg)
392 + _ABI_SYSCALL_MUX_CHK(semop)
393 + _ABI_SYSCALL_MUX_CHK(semget)
394 + _ABI_SYSCALL_MUX_CHK(semctl)
395 + _ABI_SYSCALL_MUX_CHK(semtimedop)
396 + _ABI_SYSCALL_MUX_CHK(msgsnd)
397 + _ABI_SYSCALL_MUX_CHK(msgrcv)
398 + _ABI_SYSCALL_MUX_CHK(msgget)
399 + _ABI_SYSCALL_MUX_CHK(msgctl)
400 + _ABI_SYSCALL_MUX_CHK(shmat)
401 + _ABI_SYSCALL_MUX_CHK(shmdt)
402 + _ABI_SYSCALL_MUX_CHK(shmget)
403 + _ABI_SYSCALL_MUX_CHK(shmctl)
404 +
405 + return __NR_SCMP_ERROR;
406 +}
407 +
408 +/**
409 + * Rewrite a syscall value to match the architecture
410 + * @param syscall the syscall number
411 + *
412 + * Syscalls can vary across different architectures so this function rewrites
413 + * the syscall into the correct value for the specified architecture. Returns
414 + * zero on success, negative values on failure.
415 + *
416 + */
417 +int mips_syscall_rewrite(int *syscall)
418 +{
419 + int sys = *syscall;
420 +
421 + if (sys <= -100 && sys >= -120)
422 + *syscall = __mips_NR_socketcall;
423 + else if (sys <= -200 && sys >= -224)
424 + *syscall = __mips_NR_ipc;
425 + else if (sys < 0)
426 + return -EDOM;
427 +
428 + return 0;
429 +}
430 +
431 +/**
432 + * add a new rule to the mips seccomp filter
433 + * @param db the seccomp filter db
434 + * @param rule the filter rule
435 + *
436 + * This function adds a new syscall filter to the seccomp filter db, making any
437 + * necessary adjustments for the mips ABI. Returns zero on success, negative
438 + * values on failure.
439 + *
440 + * It is important to note that in the case of failure the db may be corrupted,
441 + * the caller must use the transaction mechanism if the db integrity is
442 + * important.
443 + *
444 + */
445 +int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
446 +{
447 + int rc = 0;
448 + unsigned int iter;
449 + int sys = rule->syscall;
450 + int sys_a, sys_b;
451 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
452 +
453 + if (_mips_syscall_socket_test(sys)) {
454 + /* socket syscalls */
455 +
456 + /* strict check for the multiplexed socket syscalls */
457 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
458 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
459 + rc = -EINVAL;
460 + goto add_return;
461 + }
462 + }
463 +
464 + /* determine both the muxed and direct syscall numbers */
465 + if (sys > 0) {
466 + sys_a = _mips_syscall_mux(sys);
467 + if (sys_a == __NR_SCMP_ERROR) {
468 + rc = __NR_SCMP_ERROR;
469 + goto add_return;
470 + }
471 + sys_b = sys;
472 + } else {
473 + sys_a = sys;
474 + sys_b = _mips_syscall_demux(sys);
475 + if (sys_b == __NR_SCMP_ERROR) {
476 + rc = __NR_SCMP_ERROR;
477 + goto add_return;
478 + }
479 + }
480 +
481 + /* use rule_a for the multiplexed syscall and use rule_b for
482 + * the direct wired syscall */
483 +
484 + if (sys_a == __NR_SCMP_UNDEF) {
485 + rule_a = NULL;
486 + rule_b = rule;
487 + } else if (sys_b == __NR_SCMP_UNDEF) {
488 + rule_a = rule;
489 + rule_b = NULL;
490 + } else {
491 + /* need two rules, dup the first and link together */
492 + rule_a = rule;
493 + rule_dup = db_rule_dup(rule_a);
494 + rule_b = rule_dup;
495 + if (rule_b == NULL)
496 + goto add_return;
497 + rule_b->prev = rule_a;
498 + rule_b->next = NULL;
499 + rule_a->next = rule_b;
500 + }
501 +
502 + /* multiplexed socket syscalls */
503 + if (rule_a != NULL) {
504 + rule_a->syscall = __mips_NR_socketcall;
505 + rule_a->args[0].arg = 0;
506 + rule_a->args[0].op = SCMP_CMP_EQ;
507 + rule_a->args[0].mask = DATUM_MAX;
508 + rule_a->args[0].datum = (-sys_a) % 100;
509 + rule_a->args[0].valid = 1;
510 + }
511 +
512 + /* direct wired socket syscalls */
513 + if (rule_b != NULL)
514 + rule_b->syscall = sys_b;
515 +
516 + /* we should be protected by a transaction checkpoint */
517 + if (rule_a != NULL) {
518 + rc = db_rule_add(db, rule_a);
519 + if (rc < 0)
520 + goto add_return;
521 + }
522 + if (rule_b != NULL) {
523 + rc = db_rule_add(db, rule_b);
524 + if (rc < 0)
525 + goto add_return;
526 + }
527 + } else if (_mips_syscall_ipc_test(sys)) {
528 + /* ipc syscalls */
529 +
530 + /* strict check for the multiplexed socket syscalls */
531 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
532 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
533 + rc = -EINVAL;
534 + goto add_return;
535 + }
536 + }
537 +
538 + /* determine both the muxed and direct syscall numbers */
539 + if (sys > 0) {
540 + sys_a = _mips_syscall_mux(sys);
541 + if (sys_a == __NR_SCMP_ERROR) {
542 + rc = __NR_SCMP_ERROR;
543 + goto add_return;
544 + }
545 + sys_b = sys;
546 + } else {
547 + sys_a = sys;
548 + sys_b = _mips_syscall_demux(sys);
549 + if (sys_b == __NR_SCMP_ERROR) {
550 + rc = __NR_SCMP_ERROR;
551 + goto add_return;
552 + }
553 + }
554 +
555 + /* use rule_a for the multiplexed syscall and use rule_b for
556 + * the direct wired syscall */
557 +
558 + if (sys_a == __NR_SCMP_UNDEF) {
559 + rule_a = NULL;
560 + rule_b = rule;
561 + } else if (sys_b == __NR_SCMP_UNDEF) {
562 + rule_a = rule;
563 + rule_b = NULL;
564 + } else {
565 + /* need two rules, dup the first and link together */
566 + rule_a = rule;
567 + rule_dup = db_rule_dup(rule_a);
568 + rule_b = rule_dup;
569 + if (rule_b == NULL)
570 + goto add_return;
571 + rule_b->prev = rule_a;
572 + rule_b->next = NULL;
573 + rule_a->next = rule_b;
574 + }
575 +
576 + /* multiplexed socket syscalls */
577 + if (rule_a != NULL) {
578 + rule_a->syscall = __mips_NR_ipc;
579 + rule_a->args[0].arg = 0;
580 + rule_a->args[0].op = SCMP_CMP_EQ;
581 + rule_a->args[0].mask = DATUM_MAX;
582 + rule_a->args[0].datum = (-sys_a) % 200;
583 + rule_a->args[0].valid = 1;
584 + }
585 +
586 + /* direct wired socket syscalls */
587 + if (rule_b != NULL)
588 + rule_b->syscall = sys_b;
589 +
590 + /* we should be protected by a transaction checkpoint */
591 + if (rule_a != NULL) {
592 + rc = db_rule_add(db, rule_a);
593 + if (rc < 0)
594 + goto add_return;
595 + }
596 + if (rule_b != NULL) {
597 + rc = db_rule_add(db, rule_b);
598 + if (rc < 0)
599 + goto add_return;
600 + }
601 + } else if (sys >= 0) {
602 + /* normal syscall processing */
603 + rc = db_rule_add(db, rule);
604 + if (rc < 0)
605 + goto add_return;
606 + } else if (rule->strict) {
607 + rc = -EDOM;
608 + goto add_return;
609 + }
610 +
611 +add_return:
612 + if (rule_dup != NULL)
613 + free(rule_dup);
614 + return rc;
615 +}
616 +
617 const struct arch_def arch_def_mips = {
618 .token = SCMP_ARCH_MIPS,
619 .token_bpf = AUDIT_ARCH_MIPS,
620 .size = ARCH_SIZE_32,
621 .endian = ARCH_ENDIAN_BIG,
622 - .sys_socketcall = __mips_NR_socketcall,
623 - .sys_ipc = __mips_NR_ipc,
624 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
625 - .syscall_resolve_name_raw = mips_syscall_resolve_name,
626 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
627 - .syscall_resolve_num_raw = mips_syscall_resolve_num,
628 - .syscall_rewrite = abi_syscall_rewrite,
629 - .rule_add = abi_rule_add,
630 + .syscall_resolve_name = mips_syscall_resolve_name_munge,
631 + .syscall_resolve_num = mips_syscall_resolve_num_munge,
632 + .syscall_rewrite = mips_syscall_rewrite,
633 + .rule_add = mips_rule_add,
634 };
635
636 const struct arch_def arch_def_mipsel = {
637 @@ -54,12 +566,8 @@ const struct arch_def arch_def_mipsel = {
638 .token_bpf = AUDIT_ARCH_MIPSEL,
639 .size = ARCH_SIZE_32,
640 .endian = ARCH_ENDIAN_LITTLE,
641 - .sys_socketcall = __mips_NR_socketcall,
642 - .sys_ipc = __mips_NR_ipc,
643 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
644 - .syscall_resolve_name_raw = mips_syscall_resolve_name,
645 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
646 - .syscall_resolve_num_raw = mips_syscall_resolve_num,
647 - .syscall_rewrite = abi_syscall_rewrite,
648 - .rule_add = abi_rule_add,
649 + .syscall_resolve_name = mips_syscall_resolve_name_munge,
650 + .syscall_resolve_num = mips_syscall_resolve_num_munge,
651 + .syscall_rewrite = mips_syscall_rewrite,
652 + .rule_add = mips_rule_add,
653 };
654 diff --git a/src/arch-mips64.c b/src/arch-mips64.c
655 --- a/src/arch-mips64.c
656 +++ b/src/arch-mips64.c
657 @@ -30,7 +30,6 @@
658
659 /**
660 * Resolve a syscall name to a number
661 - * @param arch the architecture definition
662 * @param name the syscall name
663 *
664 * Resolve the given syscall name to the syscall number using the syscall table.
665 @@ -38,13 +37,12 @@
666 * numbers; returns __NR_SCMP_ERROR on failure.
667 *
668 */
669 -int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
670 - const char *name)
671 +int mips64_syscall_resolve_name_munge(const char *name)
672 {
673 int sys;
674
675 /* NOTE: we don't want to modify the pseudo-syscall numbers */
676 - sys = arch->syscall_resolve_name_raw(name);
677 + sys = mips64_syscall_resolve_name(name);
678 if (sys == __NR_SCMP_ERROR || sys < 0)
679 return sys;
680
681 @@ -53,7 +51,6 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
682
683 /**
684 * Resolve a syscall number to a name
685 - * @param arch the architecture definition
686 * @param num the syscall number
687 *
688 * Resolve the given syscall number to the syscall name using the syscall table.
689 @@ -61,13 +58,12 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
690 * syscall names; returns NULL on failure.
691 *
692 */
693 -const char *mips64_syscall_resolve_num_munge(const struct arch_def *arch,
694 - int num)
695 +const char *mips64_syscall_resolve_num_munge(int num)
696 {
697 /* NOTE: we don't want to modify the pseudo-syscall numbers */
698 if (num >= __SCMP_NR_BASE)
699 num -= __SCMP_NR_BASE;
700 - return arch->syscall_resolve_num_raw(num);
701 + return mips64_syscall_resolve_num(num);
702 }
703
704 const struct arch_def arch_def_mips64 = {
705 @@ -76,9 +72,7 @@ const struct arch_def arch_def_mips64 = {
706 .size = ARCH_SIZE_64,
707 .endian = ARCH_ENDIAN_BIG,
708 .syscall_resolve_name = mips64_syscall_resolve_name_munge,
709 - .syscall_resolve_name_raw = mips64_syscall_resolve_name,
710 .syscall_resolve_num = mips64_syscall_resolve_num_munge,
711 - .syscall_resolve_num_raw = mips64_syscall_resolve_num,
712 .syscall_rewrite = NULL,
713 .rule_add = NULL,
714 };
715 @@ -89,9 +83,7 @@ const struct arch_def arch_def_mipsel64 = {
716 .size = ARCH_SIZE_64,
717 .endian = ARCH_ENDIAN_LITTLE,
718 .syscall_resolve_name = mips64_syscall_resolve_name_munge,
719 - .syscall_resolve_name_raw = mips64_syscall_resolve_name,
720 .syscall_resolve_num = mips64_syscall_resolve_num_munge,
721 - .syscall_resolve_num_raw = mips64_syscall_resolve_num,
722 .syscall_rewrite = NULL,
723 .rule_add = NULL,
724 };
725 diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c
726 --- a/src/arch-mips64n32.c
727 +++ b/src/arch-mips64n32.c
728 @@ -32,7 +32,6 @@
729
730 /**
731 * Resolve a syscall name to a number
732 - * @param arch the architecture definition
733 * @param name the syscall name
734 *
735 * Resolve the given syscall name to the syscall number using the syscall table.
736 @@ -40,8 +39,7 @@
737 * numbers; returns __NR_SCMP_ERROR on failure.
738 *
739 */
740 -int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
741 - const char *name)
742 +int mips64n32_syscall_resolve_name_munge(const char *name)
743 {
744 int sys;
745
746 @@ -55,7 +53,6 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
747
748 /**
749 * Resolve a syscall number to a name
750 - * @param arch the architecture definition
751 * @param num the syscall number
752 *
753 * Resolve the given syscall number to the syscall name using the syscall table.
754 @@ -63,8 +60,7 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
755 * syscall names; returns NULL on failure.
756 *
757 */
758 -const char *mips64n32_syscall_resolve_num_munge(const struct arch_def *arch,
759 - int num)
760 +const char *mips64n32_syscall_resolve_num_munge(int num)
761 {
762 /* NOTE: we don't want to modify the pseudo-syscall numbers */
763 if (num >= __SCMP_NR_BASE)
764 @@ -78,9 +74,7 @@ const struct arch_def arch_def_mips64n32 = {
765 .size = ARCH_SIZE_32,
766 .endian = ARCH_ENDIAN_BIG,
767 .syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
768 - .syscall_resolve_name_raw = mips64n32_syscall_resolve_name,
769 .syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
770 - .syscall_resolve_num_raw = mips64n32_syscall_resolve_num,
771 .syscall_rewrite = NULL,
772 .rule_add = NULL,
773 };
774 @@ -91,9 +85,7 @@ const struct arch_def arch_def_mipsel64n32 = {
775 .size = ARCH_SIZE_32,
776 .endian = ARCH_ENDIAN_LITTLE,
777 .syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
778 - .syscall_resolve_name_raw = mips64n32_syscall_resolve_name,
779 .syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
780 - .syscall_resolve_num_raw = mips64n32_syscall_resolve_num,
781 .syscall_rewrite = NULL,
782 .rule_add = NULL,
783 };
784 diff --git a/src/arch-parisc.c b/src/arch-parisc.c
785 --- a/src/arch-parisc.c
786 +++ b/src/arch-parisc.c
787 @@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc = {
788 .token_bpf = AUDIT_ARCH_PARISC,
789 .size = ARCH_SIZE_32,
790 .endian = ARCH_ENDIAN_BIG,
791 - .syscall_resolve_name_raw = parisc_syscall_resolve_name,
792 - .syscall_resolve_num_raw = parisc_syscall_resolve_num,
793 + .syscall_resolve_name = parisc_syscall_resolve_name,
794 + .syscall_resolve_num = parisc_syscall_resolve_num,
795 .syscall_rewrite = NULL,
796 .rule_add = NULL,
797 };
798 diff --git a/src/arch-parisc64.c b/src/arch-parisc64.c
799 --- a/src/arch-parisc64.c
800 +++ b/src/arch-parisc64.c
801 @@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc64 = {
802 .token_bpf = AUDIT_ARCH_PARISC64,
803 .size = ARCH_SIZE_64,
804 .endian = ARCH_ENDIAN_BIG,
805 - .syscall_resolve_name_raw = parisc64_syscall_resolve_name,
806 - .syscall_resolve_num_raw = parisc64_syscall_resolve_num,
807 + .syscall_resolve_name = parisc64_syscall_resolve_name,
808 + .syscall_resolve_num = parisc64_syscall_resolve_num,
809 .syscall_rewrite = NULL,
810 .rule_add = NULL,
811 };
812 diff --git a/src/arch-ppc.c b/src/arch-ppc.c
813 --- a/src/arch-ppc.c
814 +++ b/src/arch-ppc.c
815 @@ -34,17 +34,526 @@
816 #define __ppc_NR_socketcall 102
817 #define __ppc_NR_ipc 117
818
819 +/**
820 + * Resolve a syscall name to a number
821 + * @param name the syscall name
822 + *
823 + * Resolve the given syscall name to the syscall number using the syscall table.
824 + * Returns the syscall number on success, including negative pseudo syscall
825 + * numbers; returns __NR_SCMP_ERROR on failure.
826 + *
827 + */
828 +int ppc_syscall_resolve_name_munge(const char *name)
829 +{
830 +
831 +#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
832 + if (!strcmp(name, #NAME)) return __PNR_##NAME;
833 +
834 + _ABI_SYSCALL_RES_NAME_CHK(socket)
835 + _ABI_SYSCALL_RES_NAME_CHK(bind)
836 + _ABI_SYSCALL_RES_NAME_CHK(connect)
837 + _ABI_SYSCALL_RES_NAME_CHK(listen)
838 + _ABI_SYSCALL_RES_NAME_CHK(accept)
839 + _ABI_SYSCALL_RES_NAME_CHK(getsockname)
840 + _ABI_SYSCALL_RES_NAME_CHK(getpeername)
841 + _ABI_SYSCALL_RES_NAME_CHK(socketpair)
842 + _ABI_SYSCALL_RES_NAME_CHK(send)
843 + _ABI_SYSCALL_RES_NAME_CHK(recv)
844 + _ABI_SYSCALL_RES_NAME_CHK(sendto)
845 + _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
846 + _ABI_SYSCALL_RES_NAME_CHK(shutdown)
847 + _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
848 + _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
849 + _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
850 + _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
851 + _ABI_SYSCALL_RES_NAME_CHK(accept4)
852 + _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
853 + _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
854 + _ABI_SYSCALL_RES_NAME_CHK(semop)
855 + _ABI_SYSCALL_RES_NAME_CHK(semget)
856 + _ABI_SYSCALL_RES_NAME_CHK(semctl)
857 + _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
858 + _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
859 + _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
860 + _ABI_SYSCALL_RES_NAME_CHK(msgget)
861 + _ABI_SYSCALL_RES_NAME_CHK(msgctl)
862 + _ABI_SYSCALL_RES_NAME_CHK(shmat)
863 + _ABI_SYSCALL_RES_NAME_CHK(shmdt)
864 + _ABI_SYSCALL_RES_NAME_CHK(shmget)
865 + _ABI_SYSCALL_RES_NAME_CHK(shmctl)
866 +
867 + return ppc_syscall_resolve_name(name);
868 +}
869 +
870 +/**
871 + * Resolve a syscall number to a name
872 + * @param num the syscall number
873 + *
874 + * Resolve the given syscall number to the syscall name using the syscall table.
875 + * Returns a pointer to the syscall name string on success, including pseudo
876 + * syscall names; returns NULL on failure.
877 + *
878 + */
879 +const char *ppc_syscall_resolve_num_munge(int num)
880 +{
881 +
882 +#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
883 + if (num == __PNR_##NAME) return #NAME;
884 +
885 + _ABI_SYSCALL_RES_NUM_CHK(socket)
886 + _ABI_SYSCALL_RES_NUM_CHK(bind)
887 + _ABI_SYSCALL_RES_NUM_CHK(connect)
888 + _ABI_SYSCALL_RES_NUM_CHK(listen)
889 + _ABI_SYSCALL_RES_NUM_CHK(accept)
890 + _ABI_SYSCALL_RES_NUM_CHK(getsockname)
891 + _ABI_SYSCALL_RES_NUM_CHK(getpeername)
892 + _ABI_SYSCALL_RES_NUM_CHK(socketpair)
893 + _ABI_SYSCALL_RES_NUM_CHK(send)
894 + _ABI_SYSCALL_RES_NUM_CHK(recv)
895 + _ABI_SYSCALL_RES_NUM_CHK(sendto)
896 + _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
897 + _ABI_SYSCALL_RES_NUM_CHK(shutdown)
898 + _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
899 + _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
900 + _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
901 + _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
902 + _ABI_SYSCALL_RES_NUM_CHK(accept4)
903 + _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
904 + _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
905 + _ABI_SYSCALL_RES_NUM_CHK(semop)
906 + _ABI_SYSCALL_RES_NUM_CHK(semget)
907 + _ABI_SYSCALL_RES_NUM_CHK(semctl)
908 + _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
909 + _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
910 + _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
911 + _ABI_SYSCALL_RES_NUM_CHK(msgget)
912 + _ABI_SYSCALL_RES_NUM_CHK(msgctl)
913 + _ABI_SYSCALL_RES_NUM_CHK(shmat)
914 + _ABI_SYSCALL_RES_NUM_CHK(shmdt)
915 + _ABI_SYSCALL_RES_NUM_CHK(shmget)
916 + _ABI_SYSCALL_RES_NUM_CHK(shmctl)
917 +
918 + return ppc_syscall_resolve_num(num);
919 +}
920 +
921 +/**
922 + * Check if a syscall is a socket syscall
923 + * @param sys the syscall number
924 + *
925 + * Returns true if the syscall is a socket related syscall, false otherwise.
926 + *
927 + */
928 +static bool _ppc_syscall_socket_test(int sys)
929 +{
930 + const char *name;
931 +
932 + /* multiplexed pseduo-syscalls */
933 + if (sys <= -100 && sys >= -120)
934 + return true;
935 +
936 + name = ppc_syscall_resolve_num(sys);
937 + if (!name)
938 + return false;
939 +
940 +#define _ABI_SYSCALL_SOCK_CHK(NAME) \
941 + if (!strcmp(name, #NAME)) return true;
942 +
943 + _ABI_SYSCALL_SOCK_CHK(socket)
944 + _ABI_SYSCALL_SOCK_CHK(bind)
945 + _ABI_SYSCALL_SOCK_CHK(connect)
946 + _ABI_SYSCALL_SOCK_CHK(listen)
947 + _ABI_SYSCALL_SOCK_CHK(accept)
948 + _ABI_SYSCALL_SOCK_CHK(getsockname)
949 + _ABI_SYSCALL_SOCK_CHK(getpeername)
950 + _ABI_SYSCALL_SOCK_CHK(socketpair)
951 + _ABI_SYSCALL_SOCK_CHK(send)
952 + _ABI_SYSCALL_SOCK_CHK(recv)
953 + _ABI_SYSCALL_SOCK_CHK(sendto)
954 + _ABI_SYSCALL_SOCK_CHK(recvfrom)
955 + _ABI_SYSCALL_SOCK_CHK(shutdown)
956 + _ABI_SYSCALL_SOCK_CHK(setsockopt)
957 + _ABI_SYSCALL_SOCK_CHK(getsockopt)
958 + _ABI_SYSCALL_SOCK_CHK(sendmsg)
959 + _ABI_SYSCALL_SOCK_CHK(recvmsg)
960 + _ABI_SYSCALL_SOCK_CHK(accept4)
961 + _ABI_SYSCALL_SOCK_CHK(recvmmsg)
962 + _ABI_SYSCALL_SOCK_CHK(sendmmsg)
963 +
964 + return false;
965 +}
966 +
967 +/**
968 + * Check if a syscall is an ipc syscall
969 + * @param sys the syscall number
970 + *
971 + * Returns true if the syscall is an ipc related syscall, false otherwise.
972 + *
973 + */
974 +static bool _ppc_syscall_ipc_test(int sys)
975 +{
976 + const char *name;
977 +
978 + /* multiplexed pseduo-syscalls */
979 + if (sys <= -200 && sys >= -224)
980 + return true;
981 +
982 + name = ppc_syscall_resolve_num(sys);
983 + if (!name)
984 + return false;
985 +
986 +#define _ABI_SYSCALL_IPC_CHK(NAME) \
987 + if (!strcmp(name, #NAME)) return true;
988 +
989 + _ABI_SYSCALL_IPC_CHK(semop)
990 + _ABI_SYSCALL_IPC_CHK(semget)
991 + _ABI_SYSCALL_IPC_CHK(semctl)
992 + _ABI_SYSCALL_IPC_CHK(semtimedop)
993 + _ABI_SYSCALL_IPC_CHK(msgsnd)
994 + _ABI_SYSCALL_IPC_CHK(msgrcv)
995 + _ABI_SYSCALL_IPC_CHK(msgget)
996 + _ABI_SYSCALL_IPC_CHK(msgctl)
997 + _ABI_SYSCALL_IPC_CHK(shmat)
998 + _ABI_SYSCALL_IPC_CHK(shmdt)
999 + _ABI_SYSCALL_IPC_CHK(shmget)
1000 + _ABI_SYSCALL_IPC_CHK(shmctl)
1001 +
1002 + return false;
1003 +}
1004 +
1005 +/**
1006 + * Convert a multiplexed pseudo syscall into a direct syscall
1007 + * @param syscall the multiplexed pseudo syscall number
1008 + *
1009 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
1010 + * no related syscall, or __NR_SCMP_ERROR otherwise.
1011 + *
1012 + */
1013 +static int _ppc_syscall_demux(int syscall)
1014 +{
1015 + int sys = __NR_SCMP_UNDEF;
1016 +
1017 +#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
1018 +case __PNR_##NAME: \
1019 + sys = ppc_syscall_resolve_name(#NAME); break;
1020 +
1021 + switch (syscall) {
1022 + _ABI_SYSCALL_DEMUX_CHK(socket)
1023 + _ABI_SYSCALL_DEMUX_CHK(bind)
1024 + _ABI_SYSCALL_DEMUX_CHK(connect)
1025 + _ABI_SYSCALL_DEMUX_CHK(listen)
1026 + _ABI_SYSCALL_DEMUX_CHK(accept)
1027 + _ABI_SYSCALL_DEMUX_CHK(getsockname)
1028 + _ABI_SYSCALL_DEMUX_CHK(getpeername)
1029 + _ABI_SYSCALL_DEMUX_CHK(socketpair)
1030 + _ABI_SYSCALL_DEMUX_CHK(send)
1031 + _ABI_SYSCALL_DEMUX_CHK(recv)
1032 + _ABI_SYSCALL_DEMUX_CHK(sendto)
1033 + _ABI_SYSCALL_DEMUX_CHK(recvfrom)
1034 + _ABI_SYSCALL_DEMUX_CHK(shutdown)
1035 + _ABI_SYSCALL_DEMUX_CHK(setsockopt)
1036 + _ABI_SYSCALL_DEMUX_CHK(getsockopt)
1037 + _ABI_SYSCALL_DEMUX_CHK(sendmsg)
1038 + _ABI_SYSCALL_DEMUX_CHK(recvmsg)
1039 + _ABI_SYSCALL_DEMUX_CHK(accept4)
1040 + _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
1041 + _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
1042 + _ABI_SYSCALL_DEMUX_CHK(semop)
1043 + _ABI_SYSCALL_DEMUX_CHK(semget)
1044 + _ABI_SYSCALL_DEMUX_CHK(semctl)
1045 + _ABI_SYSCALL_DEMUX_CHK(semtimedop)
1046 + _ABI_SYSCALL_DEMUX_CHK(msgsnd)
1047 + _ABI_SYSCALL_DEMUX_CHK(msgrcv)
1048 + _ABI_SYSCALL_DEMUX_CHK(msgget)
1049 + _ABI_SYSCALL_DEMUX_CHK(msgctl)
1050 + _ABI_SYSCALL_DEMUX_CHK(shmat)
1051 + _ABI_SYSCALL_DEMUX_CHK(shmdt)
1052 + _ABI_SYSCALL_DEMUX_CHK(shmget)
1053 + _ABI_SYSCALL_DEMUX_CHK(shmctl)
1054 + }
1055 +
1056 + /* this looks odd because the arch resolver returns _ERROR if it can't
1057 + * resolve the syscall, but we want to use _UNDEF for that, so we set
1058 + * 'sys' to a sentinel value of _UNDEF and if it is error here we know
1059 + * the resolve failed to find a match */
1060 + if (sys == __NR_SCMP_UNDEF)
1061 + sys = __NR_SCMP_ERROR;
1062 + else if (sys == __NR_SCMP_ERROR)
1063 + sys = __NR_SCMP_UNDEF;
1064 +
1065 + return sys;
1066 +}
1067 +
1068 +/**
1069 + * Convert a direct syscall into multiplexed pseudo socket syscall
1070 + * @param syscall the direct syscall
1071 + *
1072 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
1073 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
1074 + *
1075 + */
1076 +static int _ppc_syscall_mux(int syscall)
1077 +{
1078 + const char *sys;
1079 +
1080 + sys = ppc_syscall_resolve_num(syscall);
1081 + if (!sys)
1082 + return __NR_SCMP_ERROR;
1083 +
1084 +#define _ABI_SYSCALL_MUX_CHK(NAME) \
1085 + if (!strcmp(sys, #NAME)) return __PNR_##NAME;
1086 +
1087 + _ABI_SYSCALL_MUX_CHK(socket)
1088 + _ABI_SYSCALL_MUX_CHK(bind)
1089 + _ABI_SYSCALL_MUX_CHK(connect)
1090 + _ABI_SYSCALL_MUX_CHK(listen)
1091 + _ABI_SYSCALL_MUX_CHK(accept)
1092 + _ABI_SYSCALL_MUX_CHK(getsockname)
1093 + _ABI_SYSCALL_MUX_CHK(getpeername)
1094 + _ABI_SYSCALL_MUX_CHK(socketpair)
1095 + _ABI_SYSCALL_MUX_CHK(send)
1096 + _ABI_SYSCALL_MUX_CHK(recv)
1097 + _ABI_SYSCALL_MUX_CHK(sendto)
1098 + _ABI_SYSCALL_MUX_CHK(recvfrom)
1099 + _ABI_SYSCALL_MUX_CHK(shutdown)
1100 + _ABI_SYSCALL_MUX_CHK(setsockopt)
1101 + _ABI_SYSCALL_MUX_CHK(getsockopt)
1102 + _ABI_SYSCALL_MUX_CHK(sendmsg)
1103 + _ABI_SYSCALL_MUX_CHK(recvmsg)
1104 + _ABI_SYSCALL_MUX_CHK(accept4)
1105 + _ABI_SYSCALL_MUX_CHK(recvmmsg)
1106 + _ABI_SYSCALL_MUX_CHK(sendmmsg)
1107 + _ABI_SYSCALL_MUX_CHK(semop)
1108 + _ABI_SYSCALL_MUX_CHK(semget)
1109 + _ABI_SYSCALL_MUX_CHK(semctl)
1110 + _ABI_SYSCALL_MUX_CHK(semtimedop)
1111 + _ABI_SYSCALL_MUX_CHK(msgsnd)
1112 + _ABI_SYSCALL_MUX_CHK(msgrcv)
1113 + _ABI_SYSCALL_MUX_CHK(msgget)
1114 + _ABI_SYSCALL_MUX_CHK(msgctl)
1115 + _ABI_SYSCALL_MUX_CHK(shmat)
1116 + _ABI_SYSCALL_MUX_CHK(shmdt)
1117 + _ABI_SYSCALL_MUX_CHK(shmget)
1118 + _ABI_SYSCALL_MUX_CHK(shmctl)
1119 +
1120 + return __NR_SCMP_ERROR;
1121 +}
1122 +
1123 +/**
1124 + * Rewrite a syscall value to match the architecture
1125 + * @param syscall the syscall number
1126 + *
1127 + * Syscalls can vary across different architectures so this function rewrites
1128 + * the syscall into the correct value for the specified architecture. Returns
1129 + * zero on success, negative values on failure.
1130 + *
1131 + */
1132 +int ppc_syscall_rewrite(int *syscall)
1133 +{
1134 + int sys = *syscall;
1135 +
1136 + if (sys <= -100 && sys >= -120)
1137 + *syscall = __ppc_NR_socketcall;
1138 + else if (sys <= -200 && sys >= -224)
1139 + *syscall = __ppc_NR_ipc;
1140 + else if (sys < 0)
1141 + return -EDOM;
1142 +
1143 + return 0;
1144 +}
1145 +
1146 +/**
1147 + * add a new rule to the ppc seccomp filter
1148 + * @param db the seccomp filter db
1149 + * @param rule the filter rule
1150 + *
1151 + * This function adds a new syscall filter to the seccomp filter db, making any
1152 + * necessary adjustments for the ppc ABI. Returns zero on success, negative
1153 + * values on failure.
1154 + *
1155 + * It is important to note that in the case of failure the db may be corrupted,
1156 + * the caller must use the transaction mechanism if the db integrity is
1157 + * important.
1158 + *
1159 + */
1160 +int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
1161 +{
1162 + int rc = 0;
1163 + unsigned int iter;
1164 + int sys = rule->syscall;
1165 + int sys_a, sys_b;
1166 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
1167 +
1168 + if (_ppc_syscall_socket_test(sys)) {
1169 + /* socket syscalls */
1170 +
1171 + /* strict check for the multiplexed socket syscalls */
1172 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
1173 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
1174 + rc = -EINVAL;
1175 + goto add_return;
1176 + }
1177 + }
1178 +
1179 + /* determine both the muxed and direct syscall numbers */
1180 + if (sys > 0) {
1181 + sys_a = _ppc_syscall_mux(sys);
1182 + if (sys_a == __NR_SCMP_ERROR) {
1183 + rc = __NR_SCMP_ERROR;
1184 + goto add_return;
1185 + }
1186 + sys_b = sys;
1187 + } else {
1188 + sys_a = sys;
1189 + sys_b = _ppc_syscall_demux(sys);
1190 + if (sys_b == __NR_SCMP_ERROR) {
1191 + rc = __NR_SCMP_ERROR;
1192 + goto add_return;
1193 + }
1194 + }
1195 +
1196 + /* use rule_a for the multiplexed syscall and use rule_b for
1197 + * the direct wired syscall */
1198 +
1199 + if (sys_a == __NR_SCMP_UNDEF) {
1200 + rule_a = NULL;
1201 + rule_b = rule;
1202 + } else if (sys_b == __NR_SCMP_UNDEF) {
1203 + rule_a = rule;
1204 + rule_b = NULL;
1205 + } else {
1206 + /* need two rules, dup the first and link together */
1207 + rule_a = rule;
1208 + rule_dup = db_rule_dup(rule_a);
1209 + rule_b = rule_dup;
1210 + if (rule_b == NULL)
1211 + goto add_return;
1212 + rule_b->prev = rule_a;
1213 + rule_b->next = NULL;
1214 + rule_a->next = rule_b;
1215 + }
1216 +
1217 + /* multiplexed socket syscalls */
1218 + if (rule_a != NULL) {
1219 + rule_a->syscall = __ppc_NR_socketcall;
1220 + rule_a->args[0].arg = 0;
1221 + rule_a->args[0].op = SCMP_CMP_EQ;
1222 + rule_a->args[0].mask = DATUM_MAX;
1223 + rule_a->args[0].datum = (-sys_a) % 100;
1224 + rule_a->args[0].valid = 1;
1225 + }
1226 +
1227 + /* direct wired socket syscalls */
1228 + if (rule_b != NULL)
1229 + rule_b->syscall = sys_b;
1230 +
1231 + /* we should be protected by a transaction checkpoint */
1232 + if (rule_a != NULL) {
1233 + rc = db_rule_add(db, rule_a);
1234 + if (rc < 0)
1235 + goto add_return;
1236 + }
1237 + if (rule_b != NULL) {
1238 + rc = db_rule_add(db, rule_b);
1239 + if (rc < 0)
1240 + goto add_return;
1241 + }
1242 + } else if (_ppc_syscall_ipc_test(sys)) {
1243 + /* ipc syscalls */
1244 +
1245 + /* strict check for the multiplexed socket syscalls */
1246 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
1247 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
1248 + rc = -EINVAL;
1249 + goto add_return;
1250 + }
1251 + }
1252 +
1253 + /* determine both the muxed and direct syscall numbers */
1254 + if (sys > 0) {
1255 + sys_a = _ppc_syscall_mux(sys);
1256 + if (sys_a == __NR_SCMP_ERROR) {
1257 + rc = __NR_SCMP_ERROR;
1258 + goto add_return;
1259 + }
1260 + sys_b = sys;
1261 + } else {
1262 + sys_a = sys;
1263 + sys_b = _ppc_syscall_demux(sys);
1264 + if (sys_b == __NR_SCMP_ERROR) {
1265 + rc = __NR_SCMP_ERROR;
1266 + goto add_return;
1267 + }
1268 + }
1269 +
1270 + /* use rule_a for the multiplexed syscall and use rule_b for
1271 + * the direct wired syscall */
1272 +
1273 + if (sys_a == __NR_SCMP_UNDEF) {
1274 + rule_a = NULL;
1275 + rule_b = rule;
1276 + } else if (sys_b == __NR_SCMP_UNDEF) {
1277 + rule_a = rule;
1278 + rule_b = NULL;
1279 + } else {
1280 + /* need two rules, dup the first and link together */
1281 + rule_a = rule;
1282 + rule_dup = db_rule_dup(rule_a);
1283 + rule_b = rule_dup;
1284 + if (rule_b == NULL)
1285 + goto add_return;
1286 + rule_b->prev = rule_a;
1287 + rule_b->next = NULL;
1288 + rule_a->next = rule_b;
1289 + }
1290 +
1291 + /* multiplexed socket syscalls */
1292 + if (rule_a != NULL) {
1293 + rule_a->syscall = __ppc_NR_ipc;
1294 + rule_a->args[0].arg = 0;
1295 + rule_a->args[0].op = SCMP_CMP_EQ;
1296 + rule_a->args[0].mask = DATUM_MAX;
1297 + rule_a->args[0].datum = (-sys_a) % 200;
1298 + rule_a->args[0].valid = 1;
1299 + }
1300 +
1301 + /* direct wired socket syscalls */
1302 + if (rule_b != NULL)
1303 + rule_b->syscall = sys_b;
1304 +
1305 + /* we should be protected by a transaction checkpoint */
1306 + if (rule_a != NULL) {
1307 + rc = db_rule_add(db, rule_a);
1308 + if (rc < 0)
1309 + goto add_return;
1310 + }
1311 + if (rule_b != NULL) {
1312 + rc = db_rule_add(db, rule_b);
1313 + if (rc < 0)
1314 + goto add_return;
1315 + }
1316 + } else if (sys >= 0) {
1317 + /* normal syscall processing */
1318 + rc = db_rule_add(db, rule);
1319 + if (rc < 0)
1320 + goto add_return;
1321 + } else if (rule->strict) {
1322 + rc = -EDOM;
1323 + goto add_return;
1324 + }
1325 +
1326 +add_return:
1327 + if (rule_dup != NULL)
1328 + free(rule_dup);
1329 + return rc;
1330 +}
1331 +
1332 const struct arch_def arch_def_ppc = {
1333 .token = SCMP_ARCH_PPC,
1334 .token_bpf = AUDIT_ARCH_PPC,
1335 .size = ARCH_SIZE_32,
1336 .endian = ARCH_ENDIAN_BIG,
1337 - .sys_socketcall = __ppc_NR_socketcall,
1338 - .sys_ipc = __ppc_NR_ipc,
1339 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
1340 - .syscall_resolve_name_raw = ppc_syscall_resolve_name,
1341 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
1342 - .syscall_resolve_num_raw = ppc_syscall_resolve_num,
1343 - .syscall_rewrite = abi_syscall_rewrite,
1344 - .rule_add = abi_rule_add,
1345 + .syscall_resolve_name = ppc_syscall_resolve_name_munge,
1346 + .syscall_resolve_num = ppc_syscall_resolve_num_munge,
1347 + .syscall_rewrite = ppc_syscall_rewrite,
1348 + .rule_add = ppc_rule_add,
1349 };
1350 diff --git a/src/arch-ppc64.c b/src/arch-ppc64.c
1351 --- a/src/arch-ppc64.c
1352 +++ b/src/arch-ppc64.c
1353 @@ -26,7 +26,6 @@
1354 #include <linux/audit.h>
1355
1356 #include "db.h"
1357 -#include "syscalls.h"
1358 #include "arch.h"
1359 #include "arch-ppc64.h"
1360
1361 @@ -34,19 +33,605 @@
1362 #define __ppc64_NR_socketcall 102
1363 #define __ppc64_NR_ipc 117
1364
1365 +/**
1366 + * Resolve a syscall name to a number
1367 + * @param name the syscall name
1368 + *
1369 + * Resolve the given syscall name to the syscall number using the syscall table.
1370 + * Returns the syscall number on success, including negative pseudo syscall
1371 + * numbers; returns __NR_SCMP_ERROR on failure.
1372 + *
1373 + */
1374 +int ppc64_syscall_resolve_name_munge(const char *name)
1375 +{
1376 + if (strcmp(name, "accept") == 0)
1377 + return __PNR_accept;
1378 + if (strcmp(name, "accept4") == 0)
1379 + return __PNR_accept4;
1380 + else if (strcmp(name, "bind") == 0)
1381 + return __PNR_bind;
1382 + else if (strcmp(name, "connect") == 0)
1383 + return __PNR_connect;
1384 + else if (strcmp(name, "getpeername") == 0)
1385 + return __PNR_getpeername;
1386 + else if (strcmp(name, "getsockname") == 0)
1387 + return __PNR_getsockname;
1388 + else if (strcmp(name, "getsockopt") == 0)
1389 + return __PNR_getsockopt;
1390 + else if (strcmp(name, "listen") == 0)
1391 + return __PNR_listen;
1392 + else if (strcmp(name, "msgctl") == 0)
1393 + return __PNR_msgctl;
1394 + else if (strcmp(name, "msgget") == 0)
1395 + return __PNR_msgget;
1396 + else if (strcmp(name, "msgrcv") == 0)
1397 + return __PNR_msgrcv;
1398 + else if (strcmp(name, "msgsnd") == 0)
1399 + return __PNR_msgsnd;
1400 + else if (strcmp(name, "recv") == 0)
1401 + return __PNR_recv;
1402 + else if (strcmp(name, "recvfrom") == 0)
1403 + return __PNR_recvfrom;
1404 + else if (strcmp(name, "recvmsg") == 0)
1405 + return __PNR_recvmsg;
1406 + else if (strcmp(name, "recvmmsg") == 0)
1407 + return __PNR_recvmmsg;
1408 + else if (strcmp(name, "semctl") == 0)
1409 + return __PNR_semctl;
1410 + else if (strcmp(name, "semget") == 0)
1411 + return __PNR_semget;
1412 + else if (strcmp(name, "semtimedop") == 0)
1413 + return __PNR_semtimedop;
1414 + else if (strcmp(name, "send") == 0)
1415 + return __PNR_send;
1416 + else if (strcmp(name, "sendmsg") == 0)
1417 + return __PNR_sendmsg;
1418 + else if (strcmp(name, "sendmmsg") == 0)
1419 + return __PNR_sendmmsg;
1420 + else if (strcmp(name, "sendto") == 0)
1421 + return __PNR_sendto;
1422 + else if (strcmp(name, "setsockopt") == 0)
1423 + return __PNR_setsockopt;
1424 + else if (strcmp(name, "shmat") == 0)
1425 + return __PNR_shmat;
1426 + else if (strcmp(name, "shmdt") == 0)
1427 + return __PNR_shmdt;
1428 + else if (strcmp(name, "shmget") == 0)
1429 + return __PNR_shmget;
1430 + else if (strcmp(name, "shmctl") == 0)
1431 + return __PNR_shmctl;
1432 + else if (strcmp(name, "shutdown") == 0)
1433 + return __PNR_shutdown;
1434 + else if (strcmp(name, "socket") == 0)
1435 + return __PNR_socket;
1436 + else if (strcmp(name, "socketpair") == 0)
1437 + return __PNR_socketpair;
1438 +
1439 + return ppc64_syscall_resolve_name(name);
1440 +}
1441 +
1442 +/**
1443 + * Resolve a syscall number to a name
1444 + * @param num the syscall number
1445 + *
1446 + * Resolve the given syscall number to the syscall name using the syscall table.
1447 + * Returns a pointer to the syscall name string on success, including pseudo
1448 + * syscall names; returns NULL on failure.
1449 + *
1450 + */
1451 +const char *ppc64_syscall_resolve_num_munge(int num)
1452 +{
1453 + if (num == __PNR_accept)
1454 + return "accept";
1455 + else if (num == __PNR_accept4)
1456 + return "accept4";
1457 + else if (num == __PNR_bind)
1458 + return "bind";
1459 + else if (num == __PNR_connect)
1460 + return "connect";
1461 + else if (num == __PNR_getpeername)
1462 + return "getpeername";
1463 + else if (num == __PNR_getsockname)
1464 + return "getsockname";
1465 + else if (num == __PNR_getsockopt)
1466 + return "getsockopt";
1467 + else if (num == __PNR_listen)
1468 + return "listen";
1469 + else if (num == __PNR_msgctl)
1470 + return "msgctl";
1471 + else if (num == __PNR_msgget)
1472 + return "msgget";
1473 + else if (num == __PNR_msgrcv)
1474 + return "msgrcv";
1475 + else if (num == __PNR_msgsnd)
1476 + return "msgsnd";
1477 + else if (num == __PNR_recv)
1478 + return "recv";
1479 + else if (num == __PNR_recvfrom)
1480 + return "recvfrom";
1481 + else if (num == __PNR_recvmsg)
1482 + return "recvmsg";
1483 + else if (num == __PNR_recvmmsg)
1484 + return "recvmmsg";
1485 + else if (num == __PNR_semctl)
1486 + return "semctl";
1487 + else if (num == __PNR_semget)
1488 + return "semget";
1489 + else if (num == __PNR_semtimedop)
1490 + return "semtimedop";
1491 + else if (num == __PNR_send)
1492 + return "send";
1493 + else if (num == __PNR_sendmsg)
1494 + return "sendmsg";
1495 + else if (num == __PNR_sendmmsg)
1496 + return "sendmmsg";
1497 + else if (num == __PNR_sendto)
1498 + return "sendto";
1499 + else if (num == __PNR_setsockopt)
1500 + return "setsockopt";
1501 + else if (num == __PNR_shmat)
1502 + return "shmat";
1503 + else if (num == __PNR_shmdt)
1504 + return "shmdt";
1505 + else if (num == __PNR_shmget)
1506 + return "shmget";
1507 + else if (num == __PNR_shmctl)
1508 + return "shmctl";
1509 + else if (num == __PNR_shutdown)
1510 + return "shutdown";
1511 + else if (num == __PNR_socket)
1512 + return "socket";
1513 + else if (num == __PNR_socketpair)
1514 + return "socketpair";
1515 +
1516 + return ppc64_syscall_resolve_num(num);
1517 +}
1518 +
1519 +/**
1520 + * Convert a multiplexed pseudo socket syscall into a direct syscall
1521 + * @param syscall the multiplexed pseudo syscall number
1522 + *
1523 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
1524 + * no related syscall, or __NR_SCMP_ERROR otherwise.
1525 + *
1526 + */
1527 +static int _ppc64_syscall_demux(int syscall)
1528 +{
1529 + switch (syscall) {
1530 + case -101:
1531 + /* socket */
1532 + return 326;
1533 + case -102:
1534 + /* bind */
1535 + return 327;
1536 + case -103:
1537 + /* connect */
1538 + return 328;
1539 + case -104:
1540 + /* listen */
1541 + return 329;
1542 + case -105:
1543 + /* accept */
1544 + return 330;
1545 + case -106:
1546 + /* getsockname */
1547 + return 331;
1548 + case -107:
1549 + /* getpeername */
1550 + return 332;
1551 + case -108:
1552 + /* socketpair */
1553 + return 333;
1554 + case -109:
1555 + /* send */
1556 + return 334;
1557 + case -110:
1558 + /* recv */
1559 + return 336;
1560 + case -111:
1561 + /* sendto */
1562 + return 335;
1563 + case -112:
1564 + /* recvfrom */
1565 + return 337;
1566 + case -113:
1567 + /* shutdown */
1568 + return 338;
1569 + case -114:
1570 + /* setsockopt */
1571 + return 339;
1572 + case -115:
1573 + /* getsockopt */
1574 + return 340;
1575 + case -116:
1576 + /* sendmsg */
1577 + return 341;
1578 + case -117:
1579 + /* recvmsg */
1580 + return 342;
1581 + case -118:
1582 + /* accept4 */
1583 + return 344;
1584 + case -119:
1585 + /* recvmmsg */
1586 + return 343;
1587 + case -120:
1588 + /* sendmmsg */
1589 + return 349;
1590 + case -201:
1591 + /* semop - not defined */
1592 + return __NR_SCMP_UNDEF;
1593 + case -202:
1594 + /* semget */
1595 + return 393;
1596 + case -203:
1597 + /* semctl */
1598 + return 394;
1599 + case -204:
1600 + /* semtimedop */
1601 + return 392;
1602 + case -211:
1603 + /* msgsnd */
1604 + return 400;
1605 + case -212:
1606 + /* msgrcv */
1607 + return 401;
1608 + case -213:
1609 + /* msgget */
1610 + return 399;
1611 + case -214:
1612 + /* msgctl */
1613 + return 402;
1614 + case -221:
1615 + /* shmat */
1616 + return 397;
1617 + case -222:
1618 + /* shmdt */
1619 + return 398;
1620 + case -223:
1621 + /* shmget */
1622 + return 395;
1623 + case -224:
1624 + /* shmctl */
1625 + return 396;
1626 + }
1627 +
1628 + return __NR_SCMP_ERROR;
1629 +}
1630 +
1631 +/**
1632 + * Convert a direct socket syscall into multiplexed pseudo socket syscall
1633 + * @param syscall the direct syscall
1634 + *
1635 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
1636 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
1637 + *
1638 + */
1639 +static int _ppc64_syscall_mux(int syscall)
1640 +{
1641 + switch (syscall) {
1642 + case 326:
1643 + /* socket */
1644 + return -101;
1645 + case 327:
1646 + /* bind */
1647 + return -102;
1648 + case 328:
1649 + /* connect */
1650 + return -103;
1651 + case 329:
1652 + /* listen */
1653 + return -104;
1654 + case 330:
1655 + /* accept */
1656 + return -105;
1657 + case 331:
1658 + /* getsockname */
1659 + return -106;
1660 + case 332:
1661 + /* getpeername */
1662 + return -107;
1663 + case 333:
1664 + /* socketpair */
1665 + return -108;
1666 + case 334:
1667 + /* send */
1668 + return -109;
1669 + case 335:
1670 + /* sendto */
1671 + return -111;
1672 + case 336:
1673 + /* recv */
1674 + return -110;
1675 + case 337:
1676 + /* recvfrom */
1677 + return -112;
1678 + case 338:
1679 + /* shutdown */
1680 + return -113;
1681 + case 339:
1682 + /* setsockopt */
1683 + return -114;
1684 + case 340:
1685 + /* getsockopt */
1686 + return -115;
1687 + case 341:
1688 + /* sendmsg */
1689 + return -116;
1690 + case 342:
1691 + /* recvmsg */
1692 + return -117;
1693 + case 343:
1694 + /* recvmmsg */
1695 + return -119;
1696 + case 344:
1697 + /* accept4 */
1698 + return -118;
1699 + case 349:
1700 + /* sendmmsg */
1701 + return -120;
1702 + case 392:
1703 + /* semtimedop */
1704 + return -204;
1705 + case 393:
1706 + /* semget */
1707 + return -202;
1708 + case 394:
1709 + /* semctl */
1710 + return -203;
1711 + case 395:
1712 + /* shmget */
1713 + return -223;
1714 + case 396:
1715 + /* shmctl */
1716 + return -224;
1717 + case 397:
1718 + /* shmat */
1719 + return -221;
1720 + case 398:
1721 + /* shmdt */
1722 + return -222;
1723 + case 399:
1724 + /* msgget */
1725 + return -213;
1726 + case 400:
1727 + /* msgsnd */
1728 + return -211;
1729 + case 401:
1730 + /* msgrcv */
1731 + return -212;
1732 + case 402:
1733 + /* msgctl */
1734 + return -214;
1735 + }
1736 +
1737 + return __NR_SCMP_ERROR;
1738 +}
1739 +
1740 +/**
1741 + * Rewrite a syscall value to match the architecture
1742 + * @param syscall the syscall number
1743 + *
1744 + * Syscalls can vary across different architectures so this function rewrites
1745 + * the syscall into the correct value for the specified architecture. Returns
1746 + * zero on success, negative values on failure.
1747 + *
1748 + */
1749 +int ppc64_syscall_rewrite(int *syscall)
1750 +{
1751 + int sys = *syscall;
1752 +
1753 + if (sys <= -100 && sys >= -120)
1754 + *syscall = __ppc64_NR_socketcall;
1755 + else if (sys <= -200 && sys >= -224)
1756 + *syscall = __ppc64_NR_ipc;
1757 + else if (sys < 0)
1758 + return -EDOM;
1759 +
1760 + return 0;
1761 +}
1762 +
1763 +/**
1764 + * add a new rule to the ppc64 seccomp filter
1765 + * @param db the seccomp filter db
1766 + * @param rule the filter rule
1767 + *
1768 + * This function adds a new syscall filter to the seccomp filter db, making any
1769 + * necessary adjustments for the ppc64 ABI. Returns zero on success, negative
1770 + * values on failure.
1771 + *
1772 + * It is important to note that in the case of failure the db may be corrupted,
1773 + * the caller must use the transaction mechanism if the db integrity is
1774 + * important.
1775 + *
1776 + */
1777 +int ppc64_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
1778 +{
1779 + int rc = 0;
1780 + unsigned int iter;
1781 + int sys = rule->syscall;
1782 + int sys_a, sys_b;
1783 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
1784 +
1785 + if ((sys <= -100 && sys >= -120) || (sys >= 326 && sys <= 344) ||
1786 + (sys == 349)) {
1787 + /* (-100 to -120) : multiplexed socket syscalls
1788 + (326 to 344) : direct socket syscalls, Linux 4.3+
1789 + (349) : sendmmsg */
1790 +
1791 + /* strict check for the multiplexed socket syscalls */
1792 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
1793 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
1794 + rc = -EINVAL;
1795 + goto add_return;
1796 + }
1797 + }
1798 +
1799 + /* determine both the muxed and direct syscall numbers */
1800 + if (sys > 0) {
1801 + sys_a = _ppc64_syscall_mux(sys);
1802 + if (sys_a == __NR_SCMP_ERROR) {
1803 + rc = __NR_SCMP_ERROR;
1804 + goto add_return;
1805 + }
1806 + sys_b = sys;
1807 + } else {
1808 + sys_a = sys;
1809 + sys_b = _ppc64_syscall_demux(sys);
1810 + if (sys_b == __NR_SCMP_ERROR) {
1811 + rc = __NR_SCMP_ERROR;
1812 + goto add_return;
1813 + }
1814 + }
1815 +
1816 + /* use rule_a for the multiplexed syscall and use rule_b for
1817 + * the direct wired syscall */
1818 +
1819 + if (sys_a == __NR_SCMP_UNDEF) {
1820 + rule_a = NULL;
1821 + rule_b = rule;
1822 + } else if (sys_b == __NR_SCMP_UNDEF) {
1823 + rule_a = rule;
1824 + rule_b = NULL;
1825 + } else {
1826 + /* need two rules, dup the first and link together */
1827 + rule_a = rule;
1828 + rule_dup = db_rule_dup(rule_a);
1829 + rule_b = rule_dup;
1830 + if (rule_b == NULL) {
1831 + rc = -ENOMEM;
1832 + goto add_return;
1833 + }
1834 + rule_b->prev = rule_a;
1835 + rule_b->next = NULL;
1836 + rule_a->next = rule_b;
1837 + }
1838 +
1839 + /* multiplexed socket syscalls */
1840 + if (rule_a != NULL) {
1841 + rule_a->syscall = __ppc64_NR_socketcall;
1842 + rule_a->args[0].arg = 0;
1843 + rule_a->args[0].op = SCMP_CMP_EQ;
1844 + rule_a->args[0].mask = DATUM_MAX;
1845 + rule_a->args[0].datum = (-sys_a) % 100;
1846 + rule_a->args[0].valid = 1;
1847 + }
1848 +
1849 + /* direct wired socket syscalls */
1850 + if (rule_b != NULL)
1851 + rule_b->syscall = sys_b;
1852 +
1853 + /* we should be protected by a transaction checkpoint */
1854 + if (rule_a != NULL) {
1855 + rc = db_rule_add(db, rule_a);
1856 + if (rc < 0)
1857 + goto add_return;
1858 + }
1859 + if (rule_b != NULL) {
1860 + rc = db_rule_add(db, rule_b);
1861 + if (rc < 0)
1862 + goto add_return;
1863 + }
1864 + } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) {
1865 + /* (-200 to -224) : multiplexed ipc syscalls
1866 + (392 to 402) : direct ipc syscalls */
1867 +
1868 + /* strict check for the multiplexed socket syscalls */
1869 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
1870 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
1871 + rc = -EINVAL;
1872 + goto add_return;
1873 + }
1874 + }
1875 +
1876 + /* determine both the muxed and direct syscall numbers */
1877 + if (sys > 0) {
1878 + sys_a = _ppc64_syscall_mux(sys);
1879 + if (sys_a == __NR_SCMP_ERROR) {
1880 + rc = __NR_SCMP_ERROR;
1881 + goto add_return;
1882 + }
1883 + sys_b = sys;
1884 + } else {
1885 + sys_a = sys;
1886 + sys_b = _ppc64_syscall_demux(sys);
1887 + if (sys_b == __NR_SCMP_ERROR) {
1888 + rc = __NR_SCMP_ERROR;
1889 + goto add_return;
1890 + }
1891 + }
1892 +
1893 + /* use rule_a for the multiplexed syscall and use rule_b for
1894 + * the direct wired syscall */
1895 +
1896 + if (sys_a == __NR_SCMP_UNDEF) {
1897 + rule_a = NULL;
1898 + rule_b = rule;
1899 + } else if (sys_b == __NR_SCMP_UNDEF) {
1900 + rule_a = rule;
1901 + rule_b = NULL;
1902 + } else {
1903 + /* need two rules, dup the first and link together */
1904 + rule_a = rule;
1905 + rule_dup = db_rule_dup(rule_a);
1906 + rule_b = rule_dup;
1907 + if (rule_b == NULL)
1908 + goto add_return;
1909 + rule_b->prev = rule_a;
1910 + rule_b->next = NULL;
1911 + rule_a->next = rule_b;
1912 + }
1913 +
1914 + /* multiplexed socket syscalls */
1915 + if (rule_a != NULL) {
1916 + rule_a->syscall = __ppc64_NR_ipc;
1917 + rule_a->args[0].arg = 0;
1918 + rule_a->args[0].op = SCMP_CMP_EQ;
1919 + rule_a->args[0].mask = DATUM_MAX;
1920 + rule_a->args[0].datum = (-sys_a) % 200;
1921 + rule_a->args[0].valid = 1;
1922 + }
1923 +
1924 + /* direct wired socket syscalls */
1925 + if (rule_b != NULL)
1926 + rule_b->syscall = sys_b;
1927 +
1928 + /* we should be protected by a transaction checkpoint */
1929 + if (rule_a != NULL) {
1930 + rc = db_rule_add(db, rule_a);
1931 + if (rc < 0)
1932 + goto add_return;
1933 + }
1934 + if (rule_b != NULL) {
1935 + rc = db_rule_add(db, rule_b);
1936 + if (rc < 0)
1937 + goto add_return;
1938 + }
1939 + } else if (sys >= 0) {
1940 + /* normal syscall processing */
1941 + rc = db_rule_add(db, rule);
1942 + if (rc < 0)
1943 + goto add_return;
1944 + } else if (rule->strict) {
1945 + rc = -EDOM;
1946 + goto add_return;
1947 + }
1948 +
1949 +add_return:
1950 + if (rule_dup != NULL)
1951 + free(rule_dup);
1952 + return rc;
1953 +}
1954 +
1955 const struct arch_def arch_def_ppc64 = {
1956 .token = SCMP_ARCH_PPC64,
1957 .token_bpf = AUDIT_ARCH_PPC64,
1958 .size = ARCH_SIZE_64,
1959 .endian = ARCH_ENDIAN_BIG,
1960 - .sys_socketcall = __ppc64_NR_socketcall,
1961 - .sys_ipc = __ppc64_NR_ipc,
1962 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
1963 - .syscall_resolve_name_raw = ppc64_syscall_resolve_name,
1964 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
1965 - .syscall_resolve_num_raw = ppc64_syscall_resolve_num,
1966 - .syscall_rewrite = abi_syscall_rewrite,
1967 - .rule_add = abi_rule_add,
1968 + .syscall_resolve_name = ppc64_syscall_resolve_name_munge,
1969 + .syscall_resolve_num = ppc64_syscall_resolve_num_munge,
1970 + .syscall_rewrite = ppc64_syscall_rewrite,
1971 + .rule_add = ppc64_rule_add,
1972 };
1973
1974 const struct arch_def arch_def_ppc64le = {
1975 @@ -54,12 +639,8 @@ const struct arch_def arch_def_ppc64le = {
1976 .token_bpf = AUDIT_ARCH_PPC64LE,
1977 .size = ARCH_SIZE_64,
1978 .endian = ARCH_ENDIAN_LITTLE,
1979 - .sys_socketcall = __ppc64_NR_socketcall,
1980 - .sys_ipc = __ppc64_NR_ipc,
1981 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
1982 - .syscall_resolve_name_raw = ppc64_syscall_resolve_name,
1983 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
1984 - .syscall_resolve_num_raw = ppc64_syscall_resolve_num,
1985 - .syscall_rewrite = abi_syscall_rewrite,
1986 - .rule_add = abi_rule_add,
1987 + .syscall_resolve_name = ppc64_syscall_resolve_name_munge,
1988 + .syscall_resolve_num = ppc64_syscall_resolve_num_munge,
1989 + .syscall_rewrite = ppc64_syscall_rewrite,
1990 + .rule_add = ppc64_rule_add,
1991 };
1992 diff --git a/src/arch-riscv64.c b/src/arch-riscv64.c
1993 --- a/src/arch-riscv64.c
1994 +++ b/src/arch-riscv64.c
1995 @@ -24,8 +24,8 @@ const struct arch_def arch_def_riscv64 = {
1996 .token_bpf = AUDIT_ARCH_RISCV64,
1997 .size = ARCH_SIZE_64,
1998 .endian = ARCH_ENDIAN_LITTLE,
1999 - .syscall_resolve_name_raw = riscv64_syscall_resolve_name,
2000 - .syscall_resolve_num_raw = riscv64_syscall_resolve_num,
2001 + .syscall_resolve_name = riscv64_syscall_resolve_name,
2002 + .syscall_resolve_num = riscv64_syscall_resolve_num,
2003 .syscall_rewrite = NULL,
2004 .rule_add = NULL,
2005 };
2006 diff --git a/src/arch-s390.c b/src/arch-s390.c
2007 --- a/src/arch-s390.c
2008 +++ b/src/arch-s390.c
2009 @@ -17,17 +17,593 @@
2010 #define __s390_NR_socketcall 102
2011 #define __s390_NR_ipc 117
2012
2013 +/**
2014 + * Resolve a syscall name to a number
2015 + * @param name the syscall name
2016 + *
2017 + * Resolve the given syscall name to the syscall number using the syscall table.
2018 + * Returns the syscall number on success, including negative pseudo syscall
2019 + * numbers; returns __NR_SCMP_ERROR on failure.
2020 + *
2021 + */
2022 +int s390_syscall_resolve_name_munge(const char *name)
2023 +{
2024 + if (strcmp(name, "accept") == 0)
2025 + return __PNR_accept;
2026 + if (strcmp(name, "accept4") == 0)
2027 + return __PNR_accept4;
2028 + else if (strcmp(name, "bind") == 0)
2029 + return __PNR_bind;
2030 + else if (strcmp(name, "connect") == 0)
2031 + return __PNR_connect;
2032 + else if (strcmp(name, "getpeername") == 0)
2033 + return __PNR_getpeername;
2034 + else if (strcmp(name, "getsockname") == 0)
2035 + return __PNR_getsockname;
2036 + else if (strcmp(name, "getsockopt") == 0)
2037 + return __PNR_getsockopt;
2038 + else if (strcmp(name, "listen") == 0)
2039 + return __PNR_listen;
2040 + else if (strcmp(name, "msgctl") == 0)
2041 + return __PNR_msgctl;
2042 + else if (strcmp(name, "msgget") == 0)
2043 + return __PNR_msgget;
2044 + else if (strcmp(name, "msgrcv") == 0)
2045 + return __PNR_msgrcv;
2046 + else if (strcmp(name, "msgsnd") == 0)
2047 + return __PNR_msgsnd;
2048 + else if (strcmp(name, "recv") == 0)
2049 + return __PNR_recv;
2050 + else if (strcmp(name, "recvfrom") == 0)
2051 + return __PNR_recvfrom;
2052 + else if (strcmp(name, "recvmsg") == 0)
2053 + return __PNR_recvmsg;
2054 + else if (strcmp(name, "semctl") == 0)
2055 + return __PNR_semctl;
2056 + else if (strcmp(name, "semget") == 0)
2057 + return __PNR_semget;
2058 + else if (strcmp(name, "semtimedop") == 0)
2059 + return __PNR_semtimedop;
2060 + else if (strcmp(name, "recvmmsg") == 0)
2061 + return __PNR_recvmmsg;
2062 + else if (strcmp(name, "send") == 0)
2063 + return __PNR_send;
2064 + else if (strcmp(name, "sendmsg") == 0)
2065 + return __PNR_sendmsg;
2066 + else if (strcmp(name, "sendmmsg") == 0)
2067 + return __PNR_sendmmsg;
2068 + else if (strcmp(name, "sendto") == 0)
2069 + return __PNR_sendto;
2070 + else if (strcmp(name, "setsockopt") == 0)
2071 + return __PNR_setsockopt;
2072 + else if (strcmp(name, "shmat") == 0)
2073 + return __PNR_shmat;
2074 + else if (strcmp(name, "shmdt") == 0)
2075 + return __PNR_shmdt;
2076 + else if (strcmp(name, "shmget") == 0)
2077 + return __PNR_shmget;
2078 + else if (strcmp(name, "shmctl") == 0)
2079 + return __PNR_shmctl;
2080 + else if (strcmp(name, "shutdown") == 0)
2081 + return __PNR_shutdown;
2082 + else if (strcmp(name, "socket") == 0)
2083 + return __PNR_socket;
2084 + else if (strcmp(name, "socketpair") == 0)
2085 + return __PNR_socketpair;
2086 +
2087 + return s390_syscall_resolve_name(name);
2088 +}
2089 +
2090 +/**
2091 + * Resolve a syscall number to a name
2092 + * @param num the syscall number
2093 + *
2094 + * Resolve the given syscall number to the syscall name using the syscall table.
2095 + * Returns a pointer to the syscall name string on success, including pseudo
2096 + * syscall names; returns NULL on failure.
2097 + *
2098 + */
2099 +const char *s390_syscall_resolve_num_munge(int num)
2100 +{
2101 + if (num == __PNR_accept)
2102 + return "accept";
2103 + else if (num == __PNR_accept4)
2104 + return "accept4";
2105 + else if (num == __PNR_bind)
2106 + return "bind";
2107 + else if (num == __PNR_connect)
2108 + return "connect";
2109 + else if (num == __PNR_getpeername)
2110 + return "getpeername";
2111 + else if (num == __PNR_getsockname)
2112 + return "getsockname";
2113 + else if (num == __PNR_getsockopt)
2114 + return "getsockopt";
2115 + else if (num == __PNR_listen)
2116 + return "listen";
2117 + else if (num == __PNR_msgctl)
2118 + return "msgctl";
2119 + else if (num == __PNR_msgget)
2120 + return "msgget";
2121 + else if (num == __PNR_msgrcv)
2122 + return "msgrcv";
2123 + else if (num == __PNR_msgsnd)
2124 + return "msgsnd";
2125 + else if (num == __PNR_recv)
2126 + return "recv";
2127 + else if (num == __PNR_recvfrom)
2128 + return "recvfrom";
2129 + else if (num == __PNR_recvmsg)
2130 + return "recvmsg";
2131 + else if (num == __PNR_recvmmsg)
2132 + return "recvmmsg";
2133 + else if (num == __PNR_semctl)
2134 + return "semctl";
2135 + else if (num == __PNR_semget)
2136 + return "semget";
2137 + else if (num == __PNR_semtimedop)
2138 + return "semtimedop";
2139 + else if (num == __PNR_send)
2140 + return "send";
2141 + else if (num == __PNR_sendmsg)
2142 + return "sendmsg";
2143 + else if (num == __PNR_sendmmsg)
2144 + return "sendmmsg";
2145 + else if (num == __PNR_sendto)
2146 + return "sendto";
2147 + else if (num == __PNR_setsockopt)
2148 + return "setsockopt";
2149 + else if (num == __PNR_shmat)
2150 + return "shmat";
2151 + else if (num == __PNR_shmdt)
2152 + return "shmdt";
2153 + else if (num == __PNR_shmget)
2154 + return "shmget";
2155 + else if (num == __PNR_shmctl)
2156 + return "shmctl";
2157 + else if (num == __PNR_shutdown)
2158 + return "shutdown";
2159 + else if (num == __PNR_socket)
2160 + return "socket";
2161 + else if (num == __PNR_socketpair)
2162 + return "socketpair";
2163 +
2164 + return s390_syscall_resolve_num(num);
2165 +}
2166 +
2167 +/**
2168 + * Convert a multiplexed pseudo syscall into a direct syscall
2169 + * @param syscall the multiplexed pseudo syscall number
2170 + *
2171 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
2172 + * no related syscall, or __NR_SCMP_ERROR otherwise.
2173 + *
2174 + */
2175 +static int _s390_syscall_demux(int syscall)
2176 +{
2177 + switch (syscall) {
2178 + case -101:
2179 + /* socket */
2180 + return 359;
2181 + case -102:
2182 + /* bind */
2183 + return 361;
2184 + case -103:
2185 + /* connect */
2186 + return 362;
2187 + case -104:
2188 + /* listen */
2189 + return 363;
2190 + case -105:
2191 + /* accept - not defined */
2192 + return __NR_SCMP_UNDEF;
2193 + case -106:
2194 + /* getsockname */
2195 + return 367;
2196 + case -107:
2197 + /* getpeername */
2198 + return 368;
2199 + case -108:
2200 + /* socketpair */
2201 + return 360;
2202 + case -109:
2203 + /* send - not defined */
2204 + return __NR_SCMP_UNDEF;
2205 + case -110:
2206 + /* recv - not defined */
2207 + return __NR_SCMP_UNDEF;
2208 + case -111:
2209 + /* sendto */
2210 + return 369;
2211 + case -112:
2212 + /* recvfrom */
2213 + return 371;
2214 + case -113:
2215 + /* shutdown */
2216 + return 373;
2217 + case -114:
2218 + /* setsockopt */
2219 + return 366;
2220 + case -115:
2221 + /* getsockopt */
2222 + return 365;
2223 + case -116:
2224 + /* sendmsg */
2225 + return 370;
2226 + case -117:
2227 + /* recvmsg */
2228 + return 372;
2229 + case -118:
2230 + /* accept4 */
2231 + return 364;
2232 + case -119:
2233 + /* recvmmsg */
2234 + return 337;
2235 + case -120:
2236 + /* sendmmsg */
2237 + return 345;
2238 + case -201:
2239 + /* semop - not defined */
2240 + return __NR_SCMP_UNDEF;
2241 + case -202:
2242 + /* semget */
2243 + return 393;
2244 + case -203:
2245 + /* semctl */
2246 + return 394;
2247 + case -204:
2248 + /* semtimedop */
2249 + return 392;
2250 + case -211:
2251 + /* msgsnd */
2252 + return 400;
2253 + case -212:
2254 + /* msgrcv */
2255 + return 401;
2256 + case -213:
2257 + /* msgget */
2258 + return 399;
2259 + case -214:
2260 + /* msgctl */
2261 + return 402;
2262 + case -221:
2263 + /* shmat */
2264 + return 397;
2265 + case -222:
2266 + /* shmdt */
2267 + return 398;
2268 + case -223:
2269 + /* shmget */
2270 + return 395;
2271 + case -224:
2272 + /* shmctl */
2273 + return 396;
2274 +
2275 + }
2276 +
2277 + return __NR_SCMP_ERROR;
2278 +}
2279 +
2280 +/**
2281 + * Convert a direct socket syscall into multiplexed pseudo socket syscall
2282 + * @param syscall the direct syscall
2283 + *
2284 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
2285 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
2286 + *
2287 + */
2288 +static int _s390_syscall_mux(int syscall)
2289 +{
2290 + switch (syscall) {
2291 + case 337:
2292 + /* recvmmsg */
2293 + return -119;
2294 + case 345:
2295 + /* sendmmsg */
2296 + return -120;
2297 + case 359:
2298 + /* socket */
2299 + return -101;
2300 + case 360:
2301 + /* socketpair */
2302 + return -108;
2303 + case 361:
2304 + /* bind */
2305 + return -102;
2306 + case 362:
2307 + /* connect */
2308 + return -103;
2309 + case 363:
2310 + /* listen */
2311 + return -104;
2312 + case 364:
2313 + /* accept4 */
2314 + return -118;
2315 + case 365:
2316 + /* getsockopt */
2317 + return -115;
2318 + case 366:
2319 + /* setsockopt */
2320 + return -114;
2321 + case 367:
2322 + /* getsockname */
2323 + return -106;
2324 + case 368:
2325 + /* getpeername */
2326 + return -107;
2327 + case 369:
2328 + /* sendto */
2329 + return -111;
2330 + case 370:
2331 + /* sendmsg */
2332 + return -116;
2333 + case 371:
2334 + /* recvfrom */
2335 + return -112;
2336 + case 372:
2337 + /* recvmsg */
2338 + return -117;
2339 + case 373:
2340 + /* shutdown */
2341 + return -113;
2342 + case 393:
2343 + /* semget */
2344 + return -202;
2345 + case 394:
2346 + /* semctl */
2347 + return -203;
2348 + case 400:
2349 + /* msgsnd */
2350 + return -211;
2351 + case 401:
2352 + /* msgrcv */
2353 + return -212;
2354 + case 399:
2355 + /* msgget */
2356 + return -213;
2357 + case 402:
2358 + /* msgctl */
2359 + return -214;
2360 + case 397:
2361 + /* shmat */
2362 + return -221;
2363 + case 398:
2364 + /* shmdt */
2365 + return -222;
2366 + case 395:
2367 + /* shmget */
2368 + return -223;
2369 + case 396:
2370 + /* shmctl */
2371 + return -224;
2372 + case 392:
2373 + /* semtimedop */
2374 + return -204;
2375 + }
2376 +
2377 + return __NR_SCMP_ERROR;
2378 +}
2379 +
2380 +/**
2381 + * Rewrite a syscall value to match the architecture
2382 + * @param syscall the syscall number
2383 + *
2384 + * Syscalls can vary across different architectures so this function rewrites
2385 + * the syscall into the correct value for the specified architecture. Returns
2386 + * zero on success, negative values on failure.
2387 + *
2388 + */
2389 +int s390_syscall_rewrite(int *syscall)
2390 +{
2391 + int sys = *syscall;
2392 +
2393 + if (sys <= -100 && sys >= -120)
2394 + *syscall = __s390_NR_socketcall;
2395 + else if (sys <= -200 && sys >= -224)
2396 + *syscall = __s390_NR_ipc;
2397 + else if (sys < 0)
2398 + return -EDOM;
2399 +
2400 + return 0;
2401 +}
2402 +
2403 +/**
2404 + * add a new rule to the s390 seccomp filter
2405 + * @param db the seccomp filter db
2406 + * @param rule the filter rule
2407 + *
2408 + * This function adds a new syscall filter to the seccomp filter db, making any
2409 + * necessary adjustments for the s390 ABI. Returns zero on success, negative
2410 + * values on failure.
2411 + *
2412 + * It is important to note that in the case of failure the db may be corrupted,
2413 + * the caller must use the transaction mechanism if the db integrity is
2414 + * important.
2415 + *
2416 + */
2417 +int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
2418 +{
2419 + int rc = 0;
2420 + unsigned int iter;
2421 + int sys = rule->syscall;
2422 + int sys_a, sys_b;
2423 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
2424 +
2425 + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
2426 + /* (-100 to -120) : multiplexed socket syscalls
2427 + (359 to 373) : direct socket syscalls, Linux 4.3+ */
2428 +
2429 + /* strict check for the multiplexed socket syscalls */
2430 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
2431 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
2432 + rc = -EINVAL;
2433 + goto add_return;
2434 + }
2435 + }
2436 +
2437 + /* determine both the muxed and direct syscall numbers */
2438 + if (sys > 0) {
2439 + sys_a = _s390_syscall_mux(sys);
2440 + if (sys_a == __NR_SCMP_ERROR) {
2441 + rc = __NR_SCMP_ERROR;
2442 + goto add_return;
2443 + }
2444 + sys_b = sys;
2445 + } else {
2446 + sys_a = sys;
2447 + sys_b = _s390_syscall_demux(sys);
2448 + if (sys_b == __NR_SCMP_ERROR) {
2449 + rc = __NR_SCMP_ERROR;
2450 + goto add_return;
2451 + }
2452 + }
2453 +
2454 + /* use rule_a for the multiplexed syscall and use rule_b for
2455 + * the direct wired syscall */
2456 +
2457 + if (sys_a == __NR_SCMP_UNDEF) {
2458 + rule_a = NULL;
2459 + rule_b = rule;
2460 + } else if (sys_b == __NR_SCMP_UNDEF) {
2461 + rule_a = rule;
2462 + rule_b = NULL;
2463 + } else {
2464 + /* need two rules, dup the first and link together */
2465 + rule_a = rule;
2466 + rule_dup = db_rule_dup(rule_a);
2467 + rule_b = rule_dup;
2468 + if (rule_b == NULL) {
2469 + rc = -ENOMEM;
2470 + goto add_return;
2471 + }
2472 + rule_b->prev = rule_a;
2473 + rule_b->next = NULL;
2474 + rule_a->next = rule_b;
2475 + }
2476 +
2477 + /* multiplexed socket syscalls */
2478 + if (rule_a != NULL) {
2479 + rule_a->syscall = __s390_NR_socketcall;
2480 + rule_a->args[0].arg = 0;
2481 + rule_a->args[0].op = SCMP_CMP_EQ;
2482 + rule_a->args[0].mask = DATUM_MAX;
2483 + rule_a->args[0].datum = (-sys_a) % 100;
2484 + rule_a->args[0].valid = 1;
2485 + }
2486 +
2487 + /* direct wired socket syscalls */
2488 + if (rule_b != NULL)
2489 + rule_b->syscall = sys_b;
2490 +
2491 + /* we should be protected by a transaction checkpoint */
2492 + if (rule_a != NULL) {
2493 + rc = db_rule_add(db, rule_a);
2494 + if (rc < 0)
2495 + goto add_return;
2496 + }
2497 + if (rule_b != NULL) {
2498 + rc = db_rule_add(db, rule_b);
2499 + if (rc < 0)
2500 + goto add_return;
2501 + }
2502 + } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) {
2503 + /* (-200 to -224) : multiplexed ipc syscalls
2504 + (393 to 402) : direct ipc syscalls */
2505 +
2506 + /* strict check for the multiplexed socket syscalls */
2507 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
2508 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
2509 + rc = -EINVAL;
2510 + goto add_return;
2511 + }
2512 + }
2513 +
2514 + /* determine both the muxed and direct syscall numbers */
2515 + if (sys > 0) {
2516 + sys_a = _s390_syscall_mux(sys);
2517 + if (sys_a == __NR_SCMP_ERROR) {
2518 + rc = __NR_SCMP_ERROR;
2519 + goto add_return;
2520 + }
2521 + sys_b = sys;
2522 + } else {
2523 + sys_a = sys;
2524 + sys_b = _s390_syscall_demux(sys);
2525 + if (sys_b == __NR_SCMP_ERROR) {
2526 + rc = __NR_SCMP_ERROR;
2527 + goto add_return;
2528 + }
2529 + }
2530 +
2531 + /* use rule_a for the multiplexed syscall and use rule_b for
2532 + * the direct wired syscall */
2533 +
2534 + if (sys_a == __NR_SCMP_UNDEF) {
2535 + rule_a = NULL;
2536 + rule_b = rule;
2537 + } else if (sys_b == __NR_SCMP_UNDEF) {
2538 + rule_a = rule;
2539 + rule_b = NULL;
2540 + } else {
2541 + /* need two rules, dup the first and link together */
2542 + rule_a = rule;
2543 + rule_dup = db_rule_dup(rule_a);
2544 + rule_b = rule_dup;
2545 + if (rule_b == NULL)
2546 + goto add_return;
2547 + rule_b->prev = rule_a;
2548 + rule_b->next = NULL;
2549 + rule_a->next = rule_b;
2550 + }
2551 +
2552 + /* multiplexed socket syscalls */
2553 + if (rule_a != NULL) {
2554 + rule_a->syscall = __s390_NR_ipc;
2555 + rule_a->args[0].arg = 0;
2556 + rule_a->args[0].op = SCMP_CMP_EQ;
2557 + rule_a->args[0].mask = DATUM_MAX;
2558 + rule_a->args[0].datum = (-sys_a) % 200;
2559 + rule_a->args[0].valid = 1;
2560 + }
2561 +
2562 + /* direct wired socket syscalls */
2563 + if (rule_b != NULL)
2564 + rule_b->syscall = sys_b;
2565 +
2566 + /* we should be protected by a transaction checkpoint */
2567 + if (rule_a != NULL) {
2568 + rc = db_rule_add(db, rule_a);
2569 + if (rc < 0)
2570 + goto add_return;
2571 + }
2572 + if (rule_b != NULL) {
2573 + rc = db_rule_add(db, rule_b);
2574 + if (rc < 0)
2575 + goto add_return;
2576 + }
2577 + } else if (sys >= 0) {
2578 + /* normal syscall processing */
2579 + rc = db_rule_add(db, rule);
2580 + if (rc < 0)
2581 + goto add_return;
2582 + } else if (rule->strict) {
2583 + rc = -EDOM;
2584 + goto add_return;
2585 + }
2586 +
2587 +add_return:
2588 + if (rule_dup != NULL)
2589 + free(rule_dup);
2590 + return rc;
2591 +}
2592 +
2593 const struct arch_def arch_def_s390 = {
2594 .token = SCMP_ARCH_S390,
2595 .token_bpf = AUDIT_ARCH_S390,
2596 .size = ARCH_SIZE_32,
2597 .endian = ARCH_ENDIAN_BIG,
2598 - .sys_socketcall = __s390_NR_socketcall,
2599 - .sys_ipc = __s390_NR_ipc,
2600 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
2601 - .syscall_resolve_name_raw = s390_syscall_resolve_name,
2602 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
2603 - .syscall_resolve_num_raw = s390_syscall_resolve_num,
2604 - .syscall_rewrite = abi_syscall_rewrite,
2605 - .rule_add = abi_rule_add,
2606 + .syscall_resolve_name = s390_syscall_resolve_name_munge,
2607 + .syscall_resolve_num = s390_syscall_resolve_num_munge,
2608 + .syscall_rewrite = s390_syscall_rewrite,
2609 + .rule_add = s390_rule_add,
2610 };
2611 diff --git a/src/arch-s390x.c b/src/arch-s390x.c
2612 --- a/src/arch-s390x.c
2613 +++ b/src/arch-s390x.c
2614 @@ -17,17 +17,592 @@
2615 #define __s390x_NR_socketcall 102
2616 #define __s390x_NR_ipc 117
2617
2618 +/**
2619 + * Resolve a syscall name to a number
2620 + * @param name the syscall name
2621 + *
2622 + * Resolve the given syscall name to the syscall number using the syscall table.
2623 + * Returns the syscall number on success, including negative pseudo syscall
2624 + * numbers; returns __NR_SCMP_ERROR on failure.
2625 + *
2626 + */
2627 +int s390x_syscall_resolve_name_munge(const char *name)
2628 +{
2629 + if (strcmp(name, "accept") == 0)
2630 + return __PNR_accept;
2631 + if (strcmp(name, "accept4") == 0)
2632 + return __PNR_accept4;
2633 + else if (strcmp(name, "bind") == 0)
2634 + return __PNR_bind;
2635 + else if (strcmp(name, "connect") == 0)
2636 + return __PNR_connect;
2637 + else if (strcmp(name, "getpeername") == 0)
2638 + return __PNR_getpeername;
2639 + else if (strcmp(name, "getsockname") == 0)
2640 + return __PNR_getsockname;
2641 + else if (strcmp(name, "getsockopt") == 0)
2642 + return __PNR_getsockopt;
2643 + else if (strcmp(name, "listen") == 0)
2644 + return __PNR_listen;
2645 + else if (strcmp(name, "msgctl") == 0)
2646 + return __PNR_msgctl;
2647 + else if (strcmp(name, "msgget") == 0)
2648 + return __PNR_msgget;
2649 + else if (strcmp(name, "msgrcv") == 0)
2650 + return __PNR_msgrcv;
2651 + else if (strcmp(name, "msgsnd") == 0)
2652 + return __PNR_msgsnd;
2653 + else if (strcmp(name, "recv") == 0)
2654 + return __PNR_recv;
2655 + else if (strcmp(name, "recvfrom") == 0)
2656 + return __PNR_recvfrom;
2657 + else if (strcmp(name, "recvmsg") == 0)
2658 + return __PNR_recvmsg;
2659 + else if (strcmp(name, "recvmmsg") == 0)
2660 + return __PNR_recvmmsg;
2661 + else if (strcmp(name, "semctl") == 0)
2662 + return __PNR_semctl;
2663 + else if (strcmp(name, "semget") == 0)
2664 + return __PNR_semget;
2665 + else if (strcmp(name, "semtimedop") == 0)
2666 + return __PNR_semtimedop;
2667 + else if (strcmp(name, "send") == 0)
2668 + return __PNR_send;
2669 + else if (strcmp(name, "sendmsg") == 0)
2670 + return __PNR_sendmsg;
2671 + else if (strcmp(name, "sendmmsg") == 0)
2672 + return __PNR_sendmmsg;
2673 + else if (strcmp(name, "sendto") == 0)
2674 + return __PNR_sendto;
2675 + else if (strcmp(name, "setsockopt") == 0)
2676 + return __PNR_setsockopt;
2677 + else if (strcmp(name, "shmat") == 0)
2678 + return __PNR_shmat;
2679 + else if (strcmp(name, "shmdt") == 0)
2680 + return __PNR_shmdt;
2681 + else if (strcmp(name, "shmget") == 0)
2682 + return __PNR_shmget;
2683 + else if (strcmp(name, "shmctl") == 0)
2684 + return __PNR_shmctl;
2685 + else if (strcmp(name, "shutdown") == 0)
2686 + return __PNR_shutdown;
2687 + else if (strcmp(name, "socket") == 0)
2688 + return __PNR_socket;
2689 + else if (strcmp(name, "socketpair") == 0)
2690 + return __PNR_socketpair;
2691 +
2692 + return s390x_syscall_resolve_name(name);
2693 +}
2694 +
2695 +/**
2696 + * Resolve a syscall number to a name
2697 + * @param num the syscall number
2698 + *
2699 + * Resolve the given syscall number to the syscall name using the syscall table.
2700 + * Returns a pointer to the syscall name string on success, including pseudo
2701 + * syscall names; returns NULL on failure.
2702 + *
2703 + */
2704 +const char *s390x_syscall_resolve_num_munge(int num)
2705 +{
2706 + if (num == __PNR_accept)
2707 + return "accept";
2708 + else if (num == __PNR_accept4)
2709 + return "accept4";
2710 + else if (num == __PNR_bind)
2711 + return "bind";
2712 + else if (num == __PNR_connect)
2713 + return "connect";
2714 + else if (num == __PNR_getpeername)
2715 + return "getpeername";
2716 + else if (num == __PNR_getsockname)
2717 + return "getsockname";
2718 + else if (num == __PNR_getsockopt)
2719 + return "getsockopt";
2720 + else if (num == __PNR_listen)
2721 + return "listen";
2722 + else if (num == __PNR_msgctl)
2723 + return "msgctl";
2724 + else if (num == __PNR_msgget)
2725 + return "msgget";
2726 + else if (num == __PNR_msgrcv)
2727 + return "msgrcv";
2728 + else if (num == __PNR_msgsnd)
2729 + return "msgsnd";
2730 + else if (num == __PNR_recv)
2731 + return "recv";
2732 + else if (num == __PNR_recvfrom)
2733 + return "recvfrom";
2734 + else if (num == __PNR_recvmsg)
2735 + return "recvmsg";
2736 + else if (num == __PNR_recvmmsg)
2737 + return "recvmmsg";
2738 + else if (num == __PNR_semctl)
2739 + return "semctl";
2740 + else if (num == __PNR_semget)
2741 + return "semget";
2742 + else if (num == __PNR_semtimedop)
2743 + return "semtimedop";
2744 + else if (num == __PNR_send)
2745 + return "send";
2746 + else if (num == __PNR_sendmsg)
2747 + return "sendmsg";
2748 + else if (num == __PNR_sendmmsg)
2749 + return "sendmmsg";
2750 + else if (num == __PNR_sendto)
2751 + return "sendto";
2752 + else if (num == __PNR_setsockopt)
2753 + return "setsockopt";
2754 + else if (num == __PNR_shmat)
2755 + return "shmat";
2756 + else if (num == __PNR_shmdt)
2757 + return "shmdt";
2758 + else if (num == __PNR_shmget)
2759 + return "shmget";
2760 + else if (num == __PNR_shmctl)
2761 + return "shmctl";
2762 + else if (num == __PNR_shutdown)
2763 + return "shutdown";
2764 + else if (num == __PNR_socket)
2765 + return "socket";
2766 + else if (num == __PNR_socketpair)
2767 + return "socketpair";
2768 +
2769 + return s390x_syscall_resolve_num(num);
2770 +}
2771 +
2772 +/**
2773 + * Convert a multiplexed pseudo socket syscall into a direct syscall
2774 + * @param syscall the multiplexed pseudo syscall number
2775 + *
2776 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
2777 + * no related syscall, or __NR_SCMP_ERROR otherwise.
2778 + *
2779 + */
2780 +static int _s390x_syscall_demux(int syscall)
2781 +{
2782 + switch (syscall) {
2783 + case -101:
2784 + /* socket */
2785 + return 359;
2786 + case -102:
2787 + /* bind */
2788 + return 361;
2789 + case -103:
2790 + /* connect */
2791 + return 362;
2792 + case -104:
2793 + /* listen */
2794 + return 363;
2795 + case -105:
2796 + /* accept - not defined */
2797 + return __NR_SCMP_UNDEF;
2798 + case -106:
2799 + /* getsockname */
2800 + return 367;
2801 + case -107:
2802 + /* getpeername */
2803 + return 368;
2804 + case -108:
2805 + /* socketpair */
2806 + return 360;
2807 + case -109:
2808 + /* send - not defined */
2809 + return __NR_SCMP_UNDEF;
2810 + case -110:
2811 + /* recv - not defined */
2812 + return __NR_SCMP_UNDEF;
2813 + case -111:
2814 + /* sendto */
2815 + return 369;
2816 + case -112:
2817 + /* recvfrom */
2818 + return 371;
2819 + case -113:
2820 + /* shutdown */
2821 + return 373;
2822 + case -114:
2823 + /* setsockopt */
2824 + return 366;
2825 + case -115:
2826 + /* getsockopt */
2827 + return 365;
2828 + case -116:
2829 + /* sendmsg */
2830 + return 370;
2831 + case -117:
2832 + /* recvmsg */
2833 + return 372;
2834 + case -118:
2835 + /* accept4 */
2836 + return 364;
2837 + case -119:
2838 + /* recvmmsg */
2839 + return 337;
2840 + case -120:
2841 + /* sendmmsg */
2842 + return 345;
2843 + case -201:
2844 + /* semop - not defined */
2845 + return __NR_SCMP_UNDEF;
2846 + case -202:
2847 + /* semget */
2848 + return 393;
2849 + case -203:
2850 + /* semctl */
2851 + return 394;
2852 + case -204:
2853 + /* semtimedop */
2854 + return 392;
2855 + case -211:
2856 + /* msgsnd */
2857 + return 400;
2858 + case -212:
2859 + /* msgrcv */
2860 + return 401;
2861 + case -213:
2862 + /* msgget */
2863 + return 399;
2864 + case -214:
2865 + /* msgctl */
2866 + return 402;
2867 + case -221:
2868 + /* shmat */
2869 + return 397;
2870 + case -222:
2871 + /* shmdt */
2872 + return 398;
2873 + case -223:
2874 + /* shmget */
2875 + return 395;
2876 + case -224:
2877 + /* shmctl */
2878 + return 396;
2879 + }
2880 +
2881 + return __NR_SCMP_ERROR;
2882 +}
2883 +
2884 +/**
2885 + * Convert a direct socket syscall into multiplexed pseudo socket syscall
2886 + * @param syscall the direct syscall
2887 + *
2888 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
2889 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
2890 + *
2891 + */
2892 +static int _s390x_syscall_mux(int syscall)
2893 +{
2894 + switch (syscall) {
2895 + case 337:
2896 + /* recvmmsg */
2897 + return -119;
2898 + case 345:
2899 + /* sendmmsg */
2900 + return -120;
2901 + case 359:
2902 + /* socket */
2903 + return -101;
2904 + case 360:
2905 + /* socketpair */
2906 + return -108;
2907 + case 361:
2908 + /* bind */
2909 + return -102;
2910 + case 362:
2911 + /* connect */
2912 + return -103;
2913 + case 363:
2914 + /* listen */
2915 + return -104;
2916 + case 364:
2917 + /* accept4 */
2918 + return -118;
2919 + case 365:
2920 + /* getsockopt */
2921 + return -115;
2922 + case 366:
2923 + /* setsockopt */
2924 + return -114;
2925 + case 367:
2926 + /* getsockname */
2927 + return -106;
2928 + case 368:
2929 + /* getpeername */
2930 + return -107;
2931 + case 369:
2932 + /* sendto */
2933 + return -111;
2934 + case 370:
2935 + /* sendmsg */
2936 + return -116;
2937 + case 371:
2938 + /* recvfrom */
2939 + return -112;
2940 + case 372:
2941 + /* recvmsg */
2942 + return -117;
2943 + case 373:
2944 + /* shutdown */
2945 + return -113;
2946 + case 392:
2947 + /* semtimedop */
2948 + return -204;
2949 + case 393:
2950 + /* semget */
2951 + return -202;
2952 + case 394:
2953 + /* semctl */
2954 + return -203;
2955 + case 400:
2956 + /* msgsnd */
2957 + return -211;
2958 + case 401:
2959 + /* msgrcv */
2960 + return -212;
2961 + case 399:
2962 + /* msgget */
2963 + return -213;
2964 + case 402:
2965 + /* msgctl */
2966 + return -214;
2967 + case 397:
2968 + /* shmat */
2969 + return -221;
2970 + case 398:
2971 + /* shmdt */
2972 + return -222;
2973 + case 395:
2974 + /* shmget */
2975 + return -223;
2976 + case 396:
2977 + /* shmctl */
2978 + return -224;
2979 + }
2980 +
2981 + return __NR_SCMP_ERROR;
2982 +}
2983 +
2984 +/**
2985 + * Rewrite a syscall value to match the architecture
2986 + * @param syscall the syscall number
2987 + *
2988 + * Syscalls can vary across different architectures so this function rewrites
2989 + * the syscall into the correct value for the specified architecture. Returns
2990 + * zero on success, negative values on failure.
2991 + *
2992 + */
2993 +int s390x_syscall_rewrite(int *syscall)
2994 +{
2995 + int sys = *syscall;
2996 +
2997 + if (sys <= -100 && sys >= -120)
2998 + *syscall = __s390x_NR_socketcall;
2999 + else if (sys <= -200 && sys >= -224)
3000 + *syscall = __s390x_NR_ipc;
3001 + else if (sys < 0)
3002 + return -EDOM;
3003 +
3004 + return 0;
3005 +}
3006 +
3007 +/**
3008 + * add a new rule to the s390x seccomp filter
3009 + * @param db the seccomp filter db
3010 + * @param rule the filter rule
3011 + *
3012 + * This function adds a new syscall filter to the seccomp filter db, making any
3013 + * necessary adjustments for the s390x ABI. Returns zero on success, negative
3014 + * values on failure.
3015 + *
3016 + * It is important to note that in the case of failure the db may be corrupted,
3017 + * the caller must use the transaction mechanism if the db integrity is
3018 + * important.
3019 + *
3020 + */
3021 +int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
3022 +{
3023 + int rc = 0;
3024 + unsigned int iter;
3025 + int sys = rule->syscall;
3026 + int sys_a, sys_b;
3027 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
3028 +
3029 + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
3030 + /* (-100 to -120) : multiplexed socket syscalls
3031 + (359 to 373) : direct socket syscalls, Linux 4.3+ */
3032 +
3033 + /* strict check for the multiplexed socket syscalls */
3034 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
3035 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
3036 + rc = -EINVAL;
3037 + goto add_return;
3038 + }
3039 + }
3040 +
3041 + /* determine both the muxed and direct syscall numbers */
3042 + if (sys > 0) {
3043 + sys_a = _s390x_syscall_mux(sys);
3044 + if (sys_a == __NR_SCMP_ERROR) {
3045 + rc = __NR_SCMP_ERROR;
3046 + goto add_return;
3047 + }
3048 + sys_b = sys;
3049 + } else {
3050 + sys_a = sys;
3051 + sys_b = _s390x_syscall_demux(sys);
3052 + if (sys_b == __NR_SCMP_ERROR) {
3053 + rc = __NR_SCMP_ERROR;
3054 + goto add_return;
3055 + }
3056 + }
3057 +
3058 + /* use rule_a for the multiplexed syscall and use rule_b for
3059 + * the direct wired syscall */
3060 +
3061 + if (sys_a == __NR_SCMP_UNDEF) {
3062 + rule_a = NULL;
3063 + rule_b = rule;
3064 + } else if (sys_b == __NR_SCMP_UNDEF) {
3065 + rule_a = rule;
3066 + rule_b = NULL;
3067 + } else {
3068 + /* need two rules, dup the first and link together */
3069 + rule_a = rule;
3070 + rule_dup = db_rule_dup(rule_a);
3071 + rule_b = rule_dup;
3072 + if (rule_b == NULL) {
3073 + rc = -ENOMEM;
3074 + goto add_return;
3075 + }
3076 + rule_b->prev = rule_a;
3077 + rule_b->next = NULL;
3078 + rule_a->next = rule_b;
3079 + }
3080 +
3081 + /* multiplexed socket syscalls */
3082 + if (rule_a != NULL) {
3083 + rule_a->syscall = __s390x_NR_socketcall;
3084 + rule_a->args[0].arg = 0;
3085 + rule_a->args[0].op = SCMP_CMP_EQ;
3086 + rule_a->args[0].mask = DATUM_MAX;
3087 + rule_a->args[0].datum = (-sys_a) % 100;
3088 + rule_a->args[0].valid = 1;
3089 + }
3090 +
3091 + /* direct wired socket syscalls */
3092 + if (rule_b != NULL)
3093 + rule_b->syscall = sys_b;
3094 +
3095 + /* we should be protected by a transaction checkpoint */
3096 + if (rule_a != NULL) {
3097 + rc = db_rule_add(db, rule_a);
3098 + if (rc < 0)
3099 + goto add_return;
3100 + }
3101 + if (rule_b != NULL) {
3102 + rc = db_rule_add(db, rule_b);
3103 + if (rc < 0)
3104 + goto add_return;
3105 + }
3106 + } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) {
3107 + /* (-200 to -224) : multiplexed ipc syscalls
3108 + (392 to 402) : direct ipc syscalls */
3109 +
3110 + /* strict check for the multiplexed socket syscalls */
3111 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
3112 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
3113 + rc = -EINVAL;
3114 + goto add_return;
3115 + }
3116 + }
3117 +
3118 + /* determine both the muxed and direct syscall numbers */
3119 + if (sys > 0) {
3120 + sys_a = _s390x_syscall_mux(sys);
3121 + if (sys_a == __NR_SCMP_ERROR) {
3122 + rc = __NR_SCMP_ERROR;
3123 + goto add_return;
3124 + }
3125 + sys_b = sys;
3126 + } else {
3127 + sys_a = sys;
3128 + sys_b = _s390x_syscall_demux(sys);
3129 + if (sys_b == __NR_SCMP_ERROR) {
3130 + rc = __NR_SCMP_ERROR;
3131 + goto add_return;
3132 + }
3133 + }
3134 +
3135 + /* use rule_a for the multiplexed syscall and use rule_b for
3136 + * the direct wired syscall */
3137 +
3138 + if (sys_a == __NR_SCMP_UNDEF) {
3139 + rule_a = NULL;
3140 + rule_b = rule;
3141 + } else if (sys_b == __NR_SCMP_UNDEF) {
3142 + rule_a = rule;
3143 + rule_b = NULL;
3144 + } else {
3145 + /* need two rules, dup the first and link together */
3146 + rule_a = rule;
3147 + rule_dup = db_rule_dup(rule_a);
3148 + rule_b = rule_dup;
3149 + if (rule_b == NULL)
3150 + goto add_return;
3151 + rule_b->prev = rule_a;
3152 + rule_b->next = NULL;
3153 + rule_a->next = rule_b;
3154 + }
3155 +
3156 + /* multiplexed socket syscalls */
3157 + if (rule_a != NULL) {
3158 + rule_a->syscall = __s390x_NR_ipc;
3159 + rule_a->args[0].arg = 0;
3160 + rule_a->args[0].op = SCMP_CMP_EQ;
3161 + rule_a->args[0].mask = DATUM_MAX;
3162 + rule_a->args[0].datum = (-sys_a) % 200;
3163 + rule_a->args[0].valid = 1;
3164 + }
3165 +
3166 + /* direct wired socket syscalls */
3167 + if (rule_b != NULL)
3168 + rule_b->syscall = sys_b;
3169 +
3170 + /* we should be protected by a transaction checkpoint */
3171 + if (rule_a != NULL) {
3172 + rc = db_rule_add(db, rule_a);
3173 + if (rc < 0)
3174 + goto add_return;
3175 + }
3176 + if (rule_b != NULL) {
3177 + rc = db_rule_add(db, rule_b);
3178 + if (rc < 0)
3179 + goto add_return;
3180 + }
3181 + } else if (sys >= 0) {
3182 + /* normal syscall processing */
3183 + rc = db_rule_add(db, rule);
3184 + if (rc < 0)
3185 + goto add_return;
3186 + } else if (rule->strict) {
3187 + rc = -EDOM;
3188 + goto add_return;
3189 + }
3190 +
3191 +add_return:
3192 + if (rule_dup != NULL)
3193 + free(rule_dup);
3194 + return rc;
3195 +}
3196 +
3197 const struct arch_def arch_def_s390x = {
3198 .token = SCMP_ARCH_S390X,
3199 .token_bpf = AUDIT_ARCH_S390X,
3200 .size = ARCH_SIZE_64,
3201 .endian = ARCH_ENDIAN_BIG,
3202 - .sys_socketcall = __s390x_NR_socketcall,
3203 - .sys_ipc = __s390x_NR_ipc,
3204 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
3205 - .syscall_resolve_name_raw = s390x_syscall_resolve_name,
3206 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
3207 - .syscall_resolve_num_raw = s390x_syscall_resolve_num,
3208 - .syscall_rewrite = abi_syscall_rewrite,
3209 - .rule_add = abi_rule_add,
3210 + .syscall_resolve_name = s390x_syscall_resolve_name_munge,
3211 + .syscall_resolve_num = s390x_syscall_resolve_num_munge,
3212 + .syscall_rewrite = s390x_syscall_rewrite,
3213 + .rule_add = s390x_rule_add,
3214 };
3215 diff --git a/src/arch-x32.c b/src/arch-x32.c
3216 --- a/src/arch-x32.c
3217 +++ b/src/arch-x32.c
3218 @@ -28,7 +28,6 @@
3219
3220 /**
3221 * Resolve a syscall name to a number
3222 - * @param arch the architecture definition
3223 * @param name the syscall name
3224 *
3225 * Resolve the given syscall name to the syscall number using the syscall table.
3226 @@ -36,13 +35,12 @@
3227 * numbers; returns __NR_SCMP_ERROR on failure.
3228 *
3229 */
3230 -int x32_syscall_resolve_name_munge(const struct arch_def *arch,
3231 - const char *name)
3232 +int x32_syscall_resolve_name_munge(const char *name)
3233 {
3234 int sys;
3235
3236 /* NOTE: we don't want to modify the pseudo-syscall numbers */
3237 - sys = arch->syscall_resolve_name_raw(name);
3238 + sys = x32_syscall_resolve_name(name);
3239 if (sys == __NR_SCMP_ERROR || sys < 0)
3240 return sys;
3241
3242 @@ -51,7 +49,6 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch,
3243
3244 /**
3245 * Resolve a syscall number to a name
3246 - * @param arch the architecture definition
3247 * @param num the syscall number
3248 *
3249 * Resolve the given syscall number to the syscall name using the syscall table.
3250 @@ -59,13 +56,12 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch,
3251 * syscall names; returns NULL on failure.
3252 *
3253 */
3254 -const char *x32_syscall_resolve_num_munge(const struct arch_def *arch,
3255 - int num)
3256 +const char *x32_syscall_resolve_num_munge(int num)
3257 {
3258 /* NOTE: we don't want to modify the pseudo-syscall numbers */
3259 if (num >= 0)
3260 num &= ~X32_SYSCALL_BIT;
3261 - return arch->syscall_resolve_num_raw(num);
3262 + return x32_syscall_resolve_num(num);
3263 }
3264
3265 const struct arch_def arch_def_x32 = {
3266 @@ -75,9 +71,7 @@ const struct arch_def arch_def_x32 = {
3267 .size = ARCH_SIZE_32,
3268 .endian = ARCH_ENDIAN_LITTLE,
3269 .syscall_resolve_name = x32_syscall_resolve_name_munge,
3270 - .syscall_resolve_name_raw = x32_syscall_resolve_name,
3271 .syscall_resolve_num = x32_syscall_resolve_num_munge,
3272 - .syscall_resolve_num_raw = x32_syscall_resolve_num,
3273 .syscall_rewrite = NULL,
3274 .rule_add = NULL,
3275 };
3276 diff --git a/src/arch-x86.c b/src/arch-x86.c
3277 --- a/src/arch-x86.c
3278 +++ b/src/arch-x86.c
3279 @@ -33,17 +33,593 @@
3280 #define __x86_NR_socketcall 102
3281 #define __x86_NR_ipc 117
3282
3283 +/**
3284 + * Resolve a syscall name to a number
3285 + * @param name the syscall name
3286 + *
3287 + * Resolve the given syscall name to the syscall number using the syscall table.
3288 + * Returns the syscall number on success, including negative pseudo syscall
3289 + * numbers; returns __NR_SCMP_ERROR on failure.
3290 + *
3291 + */
3292 +int x86_syscall_resolve_name_munge(const char *name)
3293 +{
3294 + if (strcmp(name, "accept") == 0)
3295 + return __PNR_accept;
3296 + else if (strcmp(name, "accept4") == 0)
3297 + return __PNR_accept4;
3298 + else if (strcmp(name, "bind") == 0)
3299 + return __PNR_bind;
3300 + else if (strcmp(name, "connect") == 0)
3301 + return __PNR_connect;
3302 + else if (strcmp(name, "getpeername") == 0)
3303 + return __PNR_getpeername;
3304 + else if (strcmp(name, "getsockname") == 0)
3305 + return __PNR_getsockname;
3306 + else if (strcmp(name, "getsockopt") == 0)
3307 + return __PNR_getsockopt;
3308 + else if (strcmp(name, "listen") == 0)
3309 + return __PNR_listen;
3310 + else if (strcmp(name, "recv") == 0)
3311 + return __PNR_recv;
3312 + else if (strcmp(name, "recvfrom") == 0)
3313 + return __PNR_recvfrom;
3314 + else if (strcmp(name, "recvmsg") == 0)
3315 + return __PNR_recvmsg;
3316 + else if (strcmp(name, "recvmmsg") == 0)
3317 + return __PNR_recvmmsg;
3318 + else if (strcmp(name, "send") == 0)
3319 + return __PNR_send;
3320 + else if (strcmp(name, "sendmsg") == 0)
3321 + return __PNR_sendmsg;
3322 + else if (strcmp(name, "sendmmsg") == 0)
3323 + return __PNR_sendmmsg;
3324 + else if (strcmp(name, "sendto") == 0)
3325 + return __PNR_sendto;
3326 + else if (strcmp(name, "setsockopt") == 0)
3327 + return __PNR_setsockopt;
3328 + else if (strcmp(name, "shutdown") == 0)
3329 + return __PNR_shutdown;
3330 + else if (strcmp(name, "socket") == 0)
3331 + return __PNR_socket;
3332 + else if (strcmp(name, "socketpair") == 0)
3333 + return __PNR_socketpair;
3334 +
3335 + if (strcmp(name, "semop") == 0)
3336 + return __PNR_semop;
3337 + else if (strcmp(name, "semget") == 0)
3338 + return __PNR_semget;
3339 + else if (strcmp(name, "semctl") == 0)
3340 + return __PNR_semctl;
3341 + else if (strcmp(name, "semtimedop") == 0)
3342 + return __PNR_semtimedop;
3343 + else if (strcmp(name, "msgsnd") == 0)
3344 + return __PNR_msgsnd;
3345 + else if (strcmp(name, "msgrcv") == 0)
3346 + return __PNR_msgrcv;
3347 + else if (strcmp(name, "msgget") == 0)
3348 + return __PNR_msgget;
3349 + else if (strcmp(name, "msgctl") == 0)
3350 + return __PNR_msgctl;
3351 + else if (strcmp(name, "shmat") == 0)
3352 + return __PNR_shmat;
3353 + else if (strcmp(name, "shmdt") == 0)
3354 + return __PNR_shmdt;
3355 + else if (strcmp(name, "shmget") == 0)
3356 + return __PNR_shmget;
3357 + else if (strcmp(name, "shmctl") == 0)
3358 + return __PNR_shmctl;
3359 +
3360 + return x86_syscall_resolve_name(name);
3361 +}
3362 +
3363 +/**
3364 + * Resolve a syscall number to a name
3365 + * @param num the syscall number
3366 + *
3367 + * Resolve the given syscall number to the syscall name using the syscall table.
3368 + * Returns a pointer to the syscall name string on success, including pseudo
3369 + * syscall names; returns NULL on failure.
3370 + *
3371 + */
3372 +const char *x86_syscall_resolve_num_munge(int num)
3373 +{
3374 + if (num == __PNR_accept)
3375 + return "accept";
3376 + else if (num == __PNR_accept4)
3377 + return "accept4";
3378 + else if (num == __PNR_bind)
3379 + return "bind";
3380 + else if (num == __PNR_connect)
3381 + return "connect";
3382 + else if (num == __PNR_getpeername)
3383 + return "getpeername";
3384 + else if (num == __PNR_getsockname)
3385 + return "getsockname";
3386 + else if (num == __PNR_getsockopt)
3387 + return "getsockopt";
3388 + else if (num == __PNR_listen)
3389 + return "listen";
3390 + else if (num == __PNR_recv)
3391 + return "recv";
3392 + else if (num == __PNR_recvfrom)
3393 + return "recvfrom";
3394 + else if (num == __PNR_recvmsg)
3395 + return "recvmsg";
3396 + else if (num == __PNR_recvmmsg)
3397 + return "recvmmsg";
3398 + else if (num == __PNR_send)
3399 + return "send";
3400 + else if (num == __PNR_sendmsg)
3401 + return "sendmsg";
3402 + else if (num == __PNR_sendmmsg)
3403 + return "sendmmsg";
3404 + else if (num == __PNR_sendto)
3405 + return "sendto";
3406 + else if (num == __PNR_setsockopt)
3407 + return "setsockopt";
3408 + else if (num == __PNR_shutdown)
3409 + return "shutdown";
3410 + else if (num == __PNR_socket)
3411 + return "socket";
3412 + else if (num == __PNR_socketpair)
3413 + return "socketpair";
3414 +
3415 + if (num == __PNR_semop)
3416 + return "semop";
3417 + else if (num == __PNR_semget)
3418 + return "semget";
3419 + else if (num == __PNR_semctl)
3420 + return "semctl";
3421 + else if (num == __PNR_semtimedop)
3422 + return "semtimedop";
3423 + else if (num == __PNR_msgsnd)
3424 + return "msgsnd";
3425 + else if (num == __PNR_msgrcv)
3426 + return "msgrcv";
3427 + else if (num == __PNR_msgget)
3428 + return "msgget";
3429 + else if (num == __PNR_msgctl)
3430 + return "msgctl";
3431 + else if (num == __PNR_shmat)
3432 + return "shmat";
3433 + else if (num == __PNR_shmdt)
3434 + return "shmdt";
3435 + else if (num == __PNR_shmget)
3436 + return "shmget";
3437 + else if (num == __PNR_shmctl)
3438 + return "shmctl";
3439 +
3440 + return x86_syscall_resolve_num(num);
3441 +}
3442 +
3443 +/**
3444 + * Convert a multiplexed pseudo syscall into a direct syscall
3445 + * @param syscall the multiplexed pseudo syscall number
3446 + *
3447 + * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
3448 + * no related syscall, or __NR_SCMP_ERROR otherwise.
3449 + *
3450 + */
3451 +static int _x86_syscall_demux(int syscall)
3452 +{
3453 + switch (syscall) {
3454 + case -101:
3455 + /* socket */
3456 + return 359;
3457 + case -102:
3458 + /* bind */
3459 + return 361;
3460 + case -103:
3461 + /* connect */
3462 + return 362;
3463 + case -104:
3464 + /* listen */
3465 + return 363;
3466 + case -105:
3467 + /* accept - not defined */
3468 + return __NR_SCMP_UNDEF;
3469 + case -106:
3470 + /* getsockname */
3471 + return 367;
3472 + case -107:
3473 + /* getpeername */
3474 + return 368;
3475 + case -108:
3476 + /* socketpair */
3477 + return 360;
3478 + case -109:
3479 + /* send - not defined */
3480 + return __NR_SCMP_UNDEF;
3481 + case -110:
3482 + /* recv - not defined */
3483 + return __NR_SCMP_UNDEF;
3484 + case -111:
3485 + /* sendto */
3486 + return 369;
3487 + case -112:
3488 + /* recvfrom */
3489 + return 371;
3490 + case -113:
3491 + /* shutdown */
3492 + return 373;
3493 + case -114:
3494 + /* setsockopt */
3495 + return 366;
3496 + case -115:
3497 + /* getsockopt */
3498 + return 365;
3499 + case -116:
3500 + /* sendmsg */
3501 + return 370;
3502 + case -117:
3503 + /* recvmsg */
3504 + return 372;
3505 + case -118:
3506 + /* accept4 */
3507 + return 364;
3508 + case -119:
3509 + /* recvmmsg */
3510 + return 337;
3511 + case -120:
3512 + /* sendmmsg */
3513 + return 345;
3514 + case -201:
3515 + /* semop - not defined */
3516 + return __NR_SCMP_UNDEF;
3517 + case -202:
3518 + /* semget */
3519 + return 393;
3520 + case -203:
3521 + /* semctl */
3522 + return 394;
3523 + case -204:
3524 + /* semtimedop - not defined */
3525 + return __NR_SCMP_UNDEF;
3526 + case -211:
3527 + /* msgsnd */
3528 + return 400;
3529 + case -212:
3530 + /* msgrcv */
3531 + return 401;
3532 + case -213:
3533 + /* msgget */
3534 + return 399;
3535 + case -214:
3536 + /* msgctl */
3537 + return 402;
3538 + case -221:
3539 + /* shmat */
3540 + return 397;
3541 + case -222:
3542 + /* shmdt */
3543 + return 398;
3544 + case -223:
3545 + /* shmget */
3546 + return 395;
3547 + case -224:
3548 + /* shmctl */
3549 + return 396;
3550 + }
3551 +
3552 + return __NR_SCMP_ERROR;
3553 +}
3554 +
3555 +/**
3556 + * Convert a direct syscall into multiplexed pseudo socket syscall
3557 + * @param syscall the direct syscall
3558 + *
3559 + * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
3560 + * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
3561 + *
3562 + */
3563 +static int _x86_syscall_mux(int syscall)
3564 +{
3565 + switch (syscall) {
3566 + case 337:
3567 + /* recvmmsg */
3568 + return -119;
3569 + case 345:
3570 + /* sendmmsg */
3571 + return -120;
3572 + case 359:
3573 + /* socket */
3574 + return -101;
3575 + case 360:
3576 + /* socketpair */
3577 + return -108;
3578 + case 361:
3579 + /* bind */
3580 + return -102;
3581 + case 362:
3582 + /* connect */
3583 + return -103;
3584 + case 363:
3585 + /* listen */
3586 + return -104;
3587 + case 364:
3588 + /* accept4 */
3589 + return -118;
3590 + case 365:
3591 + /* getsockopt */
3592 + return -115;
3593 + case 366:
3594 + /* setsockopt */
3595 + return -114;
3596 + case 367:
3597 + /* getsockname */
3598 + return -106;
3599 + case 368:
3600 + /* getpeername */
3601 + return -107;
3602 + case 369:
3603 + /* sendto */
3604 + return -111;
3605 + case 370:
3606 + /* sendmsg */
3607 + return -116;
3608 + case 371:
3609 + /* recvfrom */
3610 + return -112;
3611 + case 372:
3612 + /* recvmsg */
3613 + return -117;
3614 + case 373:
3615 + /* shutdown */
3616 + return -113;
3617 + case 393:
3618 + /* semget */
3619 + return -202;
3620 + case 394:
3621 + /* semctl */
3622 + return -203;
3623 + case 400:
3624 + /* msgsnd */
3625 + return -211;
3626 + case 401:
3627 + /* msgrcv */
3628 + return -212;
3629 + case 399:
3630 + /* msgget */
3631 + return -213;
3632 + case 402:
3633 + /* msgctl */
3634 + return -214;
3635 + case 397:
3636 + /* shmat */
3637 + return -221;
3638 + case 398:
3639 + /* shmdt */
3640 + return -222;
3641 + case 395:
3642 + /* shmget */
3643 + return -223;
3644 + case 396:
3645 + /* shmctl */
3646 + return -224;
3647 + }
3648 +
3649 + return __NR_SCMP_ERROR;
3650 +}
3651 +
3652 +/**
3653 + * Rewrite a syscall value to match the architecture
3654 + * @param syscall the syscall number
3655 + *
3656 + * Syscalls can vary across different architectures so this function rewrites
3657 + * the syscall into the correct value for the specified architecture. Returns
3658 + * zero on success, negative values on failure.
3659 + *
3660 + */
3661 +int x86_syscall_rewrite(int *syscall)
3662 +{
3663 + int sys = *syscall;
3664 +
3665 + if (sys <= -100 && sys >= -120)
3666 + *syscall = __x86_NR_socketcall;
3667 + else if (sys <= -200 && sys >= -224)
3668 + *syscall = __x86_NR_ipc;
3669 + else if (sys < 0)
3670 + return -EDOM;
3671 +
3672 + return 0;
3673 +}
3674 +
3675 +/**
3676 + * add a new rule to the x86 seccomp filter
3677 + * @param db the seccomp filter db
3678 + * @param rule the filter rule
3679 + *
3680 + * This function adds a new syscall filter to the seccomp filter db, making any
3681 + * necessary adjustments for the x86 ABI. Returns zero on success, negative
3682 + * values on failure.
3683 + *
3684 + * It is important to note that in the case of failure the db may be corrupted,
3685 + * the caller must use the transaction mechanism if the db integrity is
3686 + * important.
3687 + *
3688 + */
3689 +int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
3690 +{
3691 + int rc = 0;
3692 + unsigned int iter;
3693 + int sys = rule->syscall;
3694 + int sys_a, sys_b;
3695 + struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
3696 +
3697 + if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
3698 + /* (-100 to -120) : multiplexed socket syscalls
3699 + (359 to 373) : direct socket syscalls, Linux 4.3+ */
3700 +
3701 + /* strict check for the multiplexed socket syscalls */
3702 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
3703 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
3704 + rc = -EINVAL;
3705 + goto add_return;
3706 + }
3707 + }
3708 +
3709 + /* determine both the muxed and direct syscall numbers */
3710 + if (sys > 0) {
3711 + sys_a = _x86_syscall_mux(sys);
3712 + if (sys_a == __NR_SCMP_ERROR) {
3713 + rc = __NR_SCMP_ERROR;
3714 + goto add_return;
3715 + }
3716 + sys_b = sys;
3717 + } else {
3718 + sys_a = sys;
3719 + sys_b = _x86_syscall_demux(sys);
3720 + if (sys_b == __NR_SCMP_ERROR) {
3721 + rc = __NR_SCMP_ERROR;
3722 + goto add_return;
3723 + }
3724 + }
3725 +
3726 + /* use rule_a for the multiplexed syscall and use rule_b for
3727 + * the direct wired syscall */
3728 +
3729 + if (sys_a == __NR_SCMP_UNDEF) {
3730 + rule_a = NULL;
3731 + rule_b = rule;
3732 + } else if (sys_b == __NR_SCMP_UNDEF) {
3733 + rule_a = rule;
3734 + rule_b = NULL;
3735 + } else {
3736 + /* need two rules, dup the first and link together */
3737 + rule_a = rule;
3738 + rule_dup = db_rule_dup(rule_a);
3739 + rule_b = rule_dup;
3740 + if (rule_b == NULL)
3741 + goto add_return;
3742 + rule_b->prev = rule_a;
3743 + rule_b->next = NULL;
3744 + rule_a->next = rule_b;
3745 + }
3746 +
3747 + /* multiplexed socket syscalls */
3748 + if (rule_a != NULL) {
3749 + rule_a->syscall = __x86_NR_socketcall;
3750 + rule_a->args[0].arg = 0;
3751 + rule_a->args[0].op = SCMP_CMP_EQ;
3752 + rule_a->args[0].mask = DATUM_MAX;
3753 + rule_a->args[0].datum = (-sys_a) % 100;
3754 + rule_a->args[0].valid = 1;
3755 + }
3756 +
3757 + /* direct wired socket syscalls */
3758 + if (rule_b != NULL)
3759 + rule_b->syscall = sys_b;
3760 +
3761 + /* we should be protected by a transaction checkpoint */
3762 + if (rule_a != NULL) {
3763 + rc = db_rule_add(db, rule_a);
3764 + if (rc < 0)
3765 + goto add_return;
3766 + }
3767 + if (rule_b != NULL) {
3768 + rc = db_rule_add(db, rule_b);
3769 + if (rc < 0)
3770 + goto add_return;
3771 + }
3772 + } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) {
3773 + /* (-200 to -224) : multiplexed ipc syscalls
3774 + (393 to 402) : direct ipc syscalls */
3775 +
3776 + /* strict check for the multiplexed socket syscalls */
3777 + for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
3778 + if ((rule->args[iter].valid != 0) && (rule->strict)) {
3779 + rc = -EINVAL;
3780 + goto add_return;
3781 + }
3782 + }
3783 +
3784 + /* determine both the muxed and direct syscall numbers */
3785 + if (sys > 0) {
3786 + sys_a = _x86_syscall_mux(sys);
3787 + if (sys_a == __NR_SCMP_ERROR) {
3788 + rc = __NR_SCMP_ERROR;
3789 + goto add_return;
3790 + }
3791 + sys_b = sys;
3792 + } else {
3793 + sys_a = sys;
3794 + sys_b = _x86_syscall_demux(sys);
3795 + if (sys_b == __NR_SCMP_ERROR) {
3796 + rc = __NR_SCMP_ERROR;
3797 + goto add_return;
3798 + }
3799 + }
3800 +
3801 + /* use rule_a for the multiplexed syscall and use rule_b for
3802 + * the direct wired syscall */
3803 +
3804 + if (sys_a == __NR_SCMP_UNDEF) {
3805 + rule_a = NULL;
3806 + rule_b = rule;
3807 + } else if (sys_b == __NR_SCMP_UNDEF) {
3808 + rule_a = rule;
3809 + rule_b = NULL;
3810 + } else {
3811 + /* need two rules, dup the first and link together */
3812 + rule_a = rule;
3813 + rule_dup = db_rule_dup(rule_a);
3814 + rule_b = rule_dup;
3815 + if (rule_b == NULL)
3816 + goto add_return;
3817 + rule_b->prev = rule_a;
3818 + rule_b->next = NULL;
3819 + rule_a->next = rule_b;
3820 + }
3821 +
3822 + /* multiplexed socket syscalls */
3823 + if (rule_a != NULL) {
3824 + rule_a->syscall = __x86_NR_ipc;
3825 + rule_a->args[0].arg = 0;
3826 + rule_a->args[0].op = SCMP_CMP_EQ;
3827 + rule_a->args[0].mask = DATUM_MAX;
3828 + rule_a->args[0].datum = (-sys_a) % 200;
3829 + rule_a->args[0].valid = 1;
3830 + }
3831 +
3832 + /* direct wired socket syscalls */
3833 + if (rule_b != NULL)
3834 + rule_b->syscall = sys_b;
3835 +
3836 + /* we should be protected by a transaction checkpoint */
3837 + if (rule_a != NULL) {
3838 + rc = db_rule_add(db, rule_a);
3839 + if (rc < 0)
3840 + goto add_return;
3841 + }
3842 + if (rule_b != NULL) {
3843 + rc = db_rule_add(db, rule_b);
3844 + if (rc < 0)
3845 + goto add_return;
3846 + }
3847 + } else if (sys >= 0) {
3848 + /* normal syscall processing */
3849 + rc = db_rule_add(db, rule);
3850 + if (rc < 0)
3851 + goto add_return;
3852 + } else if (rule->strict) {
3853 + rc = -EDOM;
3854 + goto add_return;
3855 + }
3856 +
3857 +add_return:
3858 + if (rule_dup != NULL)
3859 + free(rule_dup);
3860 + return rc;
3861 +}
3862 +
3863 const struct arch_def arch_def_x86 = {
3864 .token = SCMP_ARCH_X86,
3865 .token_bpf = AUDIT_ARCH_I386,
3866 .size = ARCH_SIZE_32,
3867 .endian = ARCH_ENDIAN_LITTLE,
3868 - .sys_socketcall = __x86_NR_socketcall,
3869 - .sys_ipc = __x86_NR_ipc,
3870 - .syscall_resolve_name = abi_syscall_resolve_name_munge,
3871 - .syscall_resolve_name_raw = x86_syscall_resolve_name,
3872 - .syscall_resolve_num = abi_syscall_resolve_num_munge,
3873 - .syscall_resolve_num_raw = x86_syscall_resolve_num,
3874 - .syscall_rewrite = abi_syscall_rewrite,
3875 - .rule_add = abi_rule_add,
3876 + .syscall_resolve_name = x86_syscall_resolve_name_munge,
3877 + .syscall_resolve_num = x86_syscall_resolve_num_munge,
3878 + .syscall_rewrite = x86_syscall_rewrite,
3879 + .rule_add = x86_rule_add,
3880 };
3881 diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c
3882 --- a/src/arch-x86_64.c
3883 +++ b/src/arch-x86_64.c
3884 @@ -31,8 +31,8 @@ const struct arch_def arch_def_x86_64 = {
3885 .token_bpf = AUDIT_ARCH_X86_64,
3886 .size = ARCH_SIZE_64,
3887 .endian = ARCH_ENDIAN_LITTLE,
3888 - .syscall_resolve_name_raw = x86_64_syscall_resolve_name,
3889 - .syscall_resolve_num_raw = x86_64_syscall_resolve_num,
3890 + .syscall_resolve_name = x86_64_syscall_resolve_name,
3891 + .syscall_resolve_num = x86_64_syscall_resolve_num,
3892 .syscall_rewrite = NULL,
3893 .rule_add = NULL,
3894 };
3895 diff --git a/src/arch.c b/src/arch.c
3896 --- a/src/arch.c
3897 +++ b/src/arch.c
3898 @@ -300,9 +300,7 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg)
3899 int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
3900 {
3901 if (arch->syscall_resolve_name)
3902 - return (*arch->syscall_resolve_name)(arch, name);
3903 - if (arch->syscall_resolve_name_raw)
3904 - return (*arch->syscall_resolve_name_raw)(name);
3905 + return (*arch->syscall_resolve_name)(name);
3906
3907 return __NR_SCMP_ERROR;
3908 }
3909 @@ -320,9 +318,7 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
3910 const char *arch_syscall_resolve_num(const struct arch_def *arch, int num)
3911 {
3912 if (arch->syscall_resolve_num)
3913 - return (*arch->syscall_resolve_num)(arch, num);
3914 - if (arch->syscall_resolve_num_raw)
3915 - return (*arch->syscall_resolve_num_raw)(num);
3916 + return (*arch->syscall_resolve_num)(num);
3917
3918 return NULL;
3919 }
3920 @@ -385,7 +381,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, int *syscall)
3921 } else if (sys > -10000) {
3922 /* rewritable syscalls */
3923 if (arch->syscall_rewrite)
3924 - (*arch->syscall_rewrite)(arch, syscall);
3925 + (*arch->syscall_rewrite)(syscall);
3926 }
3927
3928 /* syscalls not defined on this architecture */
3929 diff --git a/src/arch.h b/src/arch.h
3930 --- a/src/arch.h
3931 +++ b/src/arch.h
3932 @@ -49,18 +49,10 @@ struct arch_def {
3933 ARCH_ENDIAN_BIG,
3934 } endian;
3935
3936 - /* arch specific constants */
3937 - int sys_socketcall;
3938 - int sys_ipc;
3939 -
3940 /* arch specific functions */
3941 - int (*syscall_resolve_name)(const struct arch_def *arch,
3942 - const char *name);
3943 - int (*syscall_resolve_name_raw)(const char *name);
3944 - const char *(*syscall_resolve_num)(const struct arch_def *arch,
3945 - int num);
3946 - const char *(*syscall_resolve_num_raw)(int num);
3947 - int (*syscall_rewrite)(const struct arch_def *arch, int *syscall);
3948 + int (*syscall_resolve_name)(const char *name);
3949 + const char *(*syscall_resolve_num)(int num);
3950 + int (*syscall_rewrite)(int *syscall);
3951 int (*rule_add)(struct db_filter *db, struct db_api_rule_list *rule);
3952 };
3953
3954 diff --git a/src/syscalls.c b/src/syscalls.c
3955 --- a/src/syscalls.c
3956 +++ b/src/syscalls.c
3957 @@ -1,5 +1,5 @@
3958 /**
3959 - * Enhanced Seccomp Syscall Table Functions
3960 + * Enhanced Seccomp x86_64 Syscall Table
3961 *
3962 * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
3963 * Author: Paul Moore <paul@paul-moore.com>
3964 @@ -19,13 +19,9 @@
3965 * You should have received a copy of the GNU Lesser General Public License
3966 * along with this library; if not, see <http://www.gnu.org/licenses>.
3967 */
3968 -
3969 -#include <stdlib.h>
3970 -#include <errno.h>
3971 -#include <string.h>
3972 #include <seccomp.h>
3973 +#include <string.h>
3974
3975 -#include "db.h"
3976 #include "arch.h"
3977 #include "syscalls.h"
3978
3979 @@ -58,524 +54,3 @@ ARCH_DEF(s390x)
3980 ARCH_DEF(x32)
3981 ARCH_DEF(x86)
3982 ARCH_DEF(riscv64)
3983 -
3984 -/**
3985 - * Resolve a syscall name to a number
3986 - * @param arch the arch definition
3987 - * @param name the syscall name
3988 - *
3989 - * Resolve the given syscall name to the syscall number using the syscall table.
3990 - * Returns the syscall number on success, including negative pseudo syscall
3991 - * numbers; returns __NR_SCMP_ERROR on failure.
3992 - *
3993 - */
3994 -int abi_syscall_resolve_name_munge(const struct arch_def *arch,
3995 - const char *name)
3996 -{
3997 -
3998 -#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
3999 - if (!strcmp(name, #NAME)) return __PNR_##NAME;
4000 -
4001 - _ABI_SYSCALL_RES_NAME_CHK(socket)
4002 - _ABI_SYSCALL_RES_NAME_CHK(bind)
4003 - _ABI_SYSCALL_RES_NAME_CHK(connect)
4004 - _ABI_SYSCALL_RES_NAME_CHK(listen)
4005 - _ABI_SYSCALL_RES_NAME_CHK(accept)
4006 - _ABI_SYSCALL_RES_NAME_CHK(getsockname)
4007 - _ABI_SYSCALL_RES_NAME_CHK(getpeername)
4008 - _ABI_SYSCALL_RES_NAME_CHK(socketpair)
4009 - _ABI_SYSCALL_RES_NAME_CHK(send)
4010 - _ABI_SYSCALL_RES_NAME_CHK(recv)
4011 - _ABI_SYSCALL_RES_NAME_CHK(sendto)
4012 - _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
4013 - _ABI_SYSCALL_RES_NAME_CHK(shutdown)
4014 - _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
4015 - _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
4016 - _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
4017 - _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
4018 - _ABI_SYSCALL_RES_NAME_CHK(accept4)
4019 - _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
4020 - _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
4021 - _ABI_SYSCALL_RES_NAME_CHK(semop)
4022 - _ABI_SYSCALL_RES_NAME_CHK(semget)
4023 - _ABI_SYSCALL_RES_NAME_CHK(semctl)
4024 - _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
4025 - _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
4026 - _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
4027 - _ABI_SYSCALL_RES_NAME_CHK(msgget)
4028 - _ABI_SYSCALL_RES_NAME_CHK(msgctl)
4029 - _ABI_SYSCALL_RES_NAME_CHK(shmat)
4030 - _ABI_SYSCALL_RES_NAME_CHK(shmdt)
4031 - _ABI_SYSCALL_RES_NAME_CHK(shmget)
4032 - _ABI_SYSCALL_RES_NAME_CHK(shmctl)
4033 -
4034 - return arch->syscall_resolve_name_raw(name);
4035 -}
4036 -
4037 -/**
4038 - * Resolve a syscall number to a name
4039 - * @param arch the arch definition
4040 - * @param num the syscall number
4041 - *
4042 - * Resolve the given syscall number to the syscall name using the syscall table.
4043 - * Returns a pointer to the syscall name string on success, including pseudo
4044 - * syscall names; returns NULL on failure.
4045 - *
4046 - */
4047 -const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num)
4048 -{
4049 -
4050 -#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
4051 - if (num == __PNR_##NAME) return #NAME;
4052 -
4053 - _ABI_SYSCALL_RES_NUM_CHK(socket)
4054 - _ABI_SYSCALL_RES_NUM_CHK(bind)
4055 - _ABI_SYSCALL_RES_NUM_CHK(connect)
4056 - _ABI_SYSCALL_RES_NUM_CHK(listen)
4057 - _ABI_SYSCALL_RES_NUM_CHK(accept)
4058 - _ABI_SYSCALL_RES_NUM_CHK(getsockname)
4059 - _ABI_SYSCALL_RES_NUM_CHK(getpeername)
4060 - _ABI_SYSCALL_RES_NUM_CHK(socketpair)
4061 - _ABI_SYSCALL_RES_NUM_CHK(send)
4062 - _ABI_SYSCALL_RES_NUM_CHK(recv)
4063 - _ABI_SYSCALL_RES_NUM_CHK(sendto)
4064 - _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
4065 - _ABI_SYSCALL_RES_NUM_CHK(shutdown)
4066 - _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
4067 - _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
4068 - _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
4069 - _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
4070 - _ABI_SYSCALL_RES_NUM_CHK(accept4)
4071 - _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
4072 - _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
4073 - _ABI_SYSCALL_RES_NUM_CHK(semop)
4074 - _ABI_SYSCALL_RES_NUM_CHK(semget)
4075 - _ABI_SYSCALL_RES_NUM_CHK(semctl)
4076 - _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
4077 - _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
4078 - _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
4079 - _ABI_SYSCALL_RES_NUM_CHK(msgget)
4080 - _ABI_SYSCALL_RES_NUM_CHK(msgctl)
4081 - _ABI_SYSCALL_RES_NUM_CHK(shmat)
4082 - _ABI_SYSCALL_RES_NUM_CHK(shmdt)
4083 - _ABI_SYSCALL_RES_NUM_CHK(shmget)
4084 - _ABI_SYSCALL_RES_NUM_CHK(shmctl)
4085 -
4086 - return arch->syscall_resolve_num_raw(num);
4087 -}
4088 -
4089 -/**
4090 - * Check if a syscall is a socket syscall
4091 - * @param arch the arch definition
4092 - * @param sys the syscall number
4093 - *
4094 - * Returns true if the syscall is a socket related syscall, false otherwise.
4095 - *
4096 - */
4097 -static bool _abi_syscall_socket_test(const struct arch_def *arch, int sys)
4098 -{
4099 - const char *name;
4100 -
4101 - /* multiplexed pseduo-syscalls */
4102 - if (sys <= -100 && sys >= -120)
4103 - return true;
4104 -
4105 - name = arch->syscall_resolve_num_raw(sys);
4106 - if (!name)
4107 - return false;
4108 -
4109 -#define _ABI_SYSCALL_SOCK_CHK(NAME) \
4110 - if (!strcmp(name, #NAME)) return true;
4111 -
4112 - _ABI_SYSCALL_SOCK_CHK(socket)
4113 - _ABI_SYSCALL_SOCK_CHK(bind)
4114 - _ABI_SYSCALL_SOCK_CHK(connect)
4115 - _ABI_SYSCALL_SOCK_CHK(listen)
4116 - _ABI_SYSCALL_SOCK_CHK(accept)
4117 - _ABI_SYSCALL_SOCK_CHK(getsockname)
4118 - _ABI_SYSCALL_SOCK_CHK(getpeername)
4119 - _ABI_SYSCALL_SOCK_CHK(socketpair)
4120 - _ABI_SYSCALL_SOCK_CHK(send)
4121 - _ABI_SYSCALL_SOCK_CHK(recv)
4122 - _ABI_SYSCALL_SOCK_CHK(sendto)
4123 - _ABI_SYSCALL_SOCK_CHK(recvfrom)
4124 - _ABI_SYSCALL_SOCK_CHK(shutdown)
4125 - _ABI_SYSCALL_SOCK_CHK(setsockopt)
4126 - _ABI_SYSCALL_SOCK_CHK(getsockopt)
4127 - _ABI_SYSCALL_SOCK_CHK(sendmsg)
4128 - _ABI_SYSCALL_SOCK_CHK(recvmsg)
4129 - _ABI_SYSCALL_SOCK_CHK(accept4)
4130 - _ABI_SYSCALL_SOCK_CHK(recvmmsg)
4131 - _ABI_SYSCALL_SOCK_CHK(sendmmsg)
4132 -
4133 - return false;
4134 -}
4135 -
4136 -/**
4137 - * Check if a syscall is an ipc syscall
4138 - * @param arch the arch definition
4139 - * @param sys the syscall number
4140 - *
4141 - * Returns true if the syscall is an ipc related syscall, false otherwise.
4142 - *
4143 - */
4144 -static bool _abi_syscall_ipc_test(const struct arch_def *arch, int sys)
4145 -{
4146 - const char *name;
4147 -
4148 - /* multiplexed pseduo-syscalls */
4149 - if (sys <= -200 && sys >= -224)
4150 - return true;
4151 -
4152 - name = arch->syscall_resolve_num_raw(sys);
4153 - if (!name)
4154 - return false;
4155 -
4156 -#define _ABI_SYSCALL_IPC_CHK(NAME) \
4157 - if (!strcmp(name, #NAME)) return true;
4158 -
4159 - _ABI_SYSCALL_IPC_CHK(semop)
4160 - _ABI_SYSCALL_IPC_CHK(semget)
4161 - _ABI_SYSCALL_IPC_CHK(semctl)
4162 - _ABI_SYSCALL_IPC_CHK(semtimedop)
4163 - _ABI_SYSCALL_IPC_CHK(msgsnd)
4164 - _ABI_SYSCALL_IPC_CHK(msgrcv)
4165 - _ABI_SYSCALL_IPC_CHK(msgget)
4166 - _ABI_SYSCALL_IPC_CHK(msgctl)
4167 - _ABI_SYSCALL_IPC_CHK(shmat)
4168 - _ABI_SYSCALL_IPC_CHK(shmdt)
4169 - _ABI_SYSCALL_IPC_CHK(shmget)
4170 - _ABI_SYSCALL_IPC_CHK(shmctl)
4171 -
4172 - return false;
4173 -}
4174 -
4175 -/**
4176 - * Convert a multiplexed pseudo syscall into a direct syscall
4177 - * @param arch the arch definition
4178 - * @param syscall the multiplexed pseudo syscall number
4179 - *
4180 - * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
4181 - * no related syscall, or __NR_SCMP_ERROR otherwise.
4182 - *
4183 - */
4184 -static int _abi_syscall_demux(const struct arch_def *arch, int syscall)
4185 -{
4186 - int sys = __NR_SCMP_UNDEF;
4187 -
4188 -#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
4189 -case __PNR_##NAME: \
4190 - sys = arch->syscall_resolve_name_raw(#NAME); break;
4191 -
4192 - switch (syscall) {
4193 - _ABI_SYSCALL_DEMUX_CHK(socket)
4194 - _ABI_SYSCALL_DEMUX_CHK(bind)
4195 - _ABI_SYSCALL_DEMUX_CHK(connect)
4196 - _ABI_SYSCALL_DEMUX_CHK(listen)
4197 - _ABI_SYSCALL_DEMUX_CHK(accept)
4198 - _ABI_SYSCALL_DEMUX_CHK(getsockname)
4199 - _ABI_SYSCALL_DEMUX_CHK(getpeername)
4200 - _ABI_SYSCALL_DEMUX_CHK(socketpair)
4201 - _ABI_SYSCALL_DEMUX_CHK(send)
4202 - _ABI_SYSCALL_DEMUX_CHK(recv)
4203 - _ABI_SYSCALL_DEMUX_CHK(sendto)
4204 - _ABI_SYSCALL_DEMUX_CHK(recvfrom)
4205 - _ABI_SYSCALL_DEMUX_CHK(shutdown)
4206 - _ABI_SYSCALL_DEMUX_CHK(setsockopt)
4207 - _ABI_SYSCALL_DEMUX_CHK(getsockopt)
4208 - _ABI_SYSCALL_DEMUX_CHK(sendmsg)
4209 - _ABI_SYSCALL_DEMUX_CHK(recvmsg)
4210 - _ABI_SYSCALL_DEMUX_CHK(accept4)
4211 - _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
4212 - _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
4213 - _ABI_SYSCALL_DEMUX_CHK(semop)
4214 - _ABI_SYSCALL_DEMUX_CHK(semget)
4215 - _ABI_SYSCALL_DEMUX_CHK(semctl)
4216 - _ABI_SYSCALL_DEMUX_CHK(semtimedop)
4217 - _ABI_SYSCALL_DEMUX_CHK(msgsnd)
4218 - _ABI_SYSCALL_DEMUX_CHK(msgrcv)
4219 - _ABI_SYSCALL_DEMUX_CHK(msgget)
4220 - _ABI_SYSCALL_DEMUX_CHK(msgctl)
4221 - _ABI_SYSCALL_DEMUX_CHK(shmat)
4222 - _ABI_SYSCALL_DEMUX_CHK(shmdt)
4223 - _ABI_SYSCALL_DEMUX_CHK(shmget)
4224 - _ABI_SYSCALL_DEMUX_CHK(shmctl)
4225 - }
4226 -
4227 - /* this looks odd because the arch resolver returns _ERROR if it can't
4228 - * resolve the syscall, but we want to use _UNDEF for that, so we set
4229 - * 'sys' to a sentinel value of _UNDEF and if it is error here we know
4230 - * the resolve failed to find a match */
4231 - if (sys == __NR_SCMP_UNDEF)
4232 - sys = __NR_SCMP_ERROR;
4233 - else if (sys == __NR_SCMP_ERROR)
4234 - sys = __NR_SCMP_UNDEF;
4235 -
4236 - return sys;
4237 -}
4238 -
4239 -/**
4240 - * Convert a direct syscall into multiplexed pseudo socket syscall
4241 - * @param arch the arch definition
4242 - * @param syscall the direct syscall
4243 - *
4244 - * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
4245 - * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
4246 - *
4247 - */
4248 -static int _abi_syscall_mux(const struct arch_def *arch, int syscall)
4249 -{
4250 - const char *sys;
4251 -
4252 - sys = arch->syscall_resolve_num_raw(syscall);
4253 - if (!sys)
4254 - return __NR_SCMP_ERROR;
4255 -
4256 -#define _ABI_SYSCALL_MUX_CHK(NAME) \
4257 - if (!strcmp(sys, #NAME)) return __PNR_##NAME;
4258 -
4259 - _ABI_SYSCALL_MUX_CHK(socket)
4260 - _ABI_SYSCALL_MUX_CHK(bind)
4261 - _ABI_SYSCALL_MUX_CHK(connect)
4262 - _ABI_SYSCALL_MUX_CHK(listen)
4263 - _ABI_SYSCALL_MUX_CHK(accept)
4264 - _ABI_SYSCALL_MUX_CHK(getsockname)
4265 - _ABI_SYSCALL_MUX_CHK(getpeername)
4266 - _ABI_SYSCALL_MUX_CHK(socketpair)
4267 - _ABI_SYSCALL_MUX_CHK(send)
4268 - _ABI_SYSCALL_MUX_CHK(recv)
4269 - _ABI_SYSCALL_MUX_CHK(sendto)
4270 - _ABI_SYSCALL_MUX_CHK(recvfrom)
4271 - _ABI_SYSCALL_MUX_CHK(shutdown)
4272 - _ABI_SYSCALL_MUX_CHK(setsockopt)
4273 - _ABI_SYSCALL_MUX_CHK(getsockopt)
4274 - _ABI_SYSCALL_MUX_CHK(sendmsg)
4275 - _ABI_SYSCALL_MUX_CHK(recvmsg)
4276 - _ABI_SYSCALL_MUX_CHK(accept4)
4277 - _ABI_SYSCALL_MUX_CHK(recvmmsg)
4278 - _ABI_SYSCALL_MUX_CHK(sendmmsg)
4279 - _ABI_SYSCALL_MUX_CHK(semop)
4280 - _ABI_SYSCALL_MUX_CHK(semget)
4281 - _ABI_SYSCALL_MUX_CHK(semctl)
4282 - _ABI_SYSCALL_MUX_CHK(semtimedop)
4283 - _ABI_SYSCALL_MUX_CHK(msgsnd)
4284 - _ABI_SYSCALL_MUX_CHK(msgrcv)
4285 - _ABI_SYSCALL_MUX_CHK(msgget)
4286 - _ABI_SYSCALL_MUX_CHK(msgctl)
4287 - _ABI_SYSCALL_MUX_CHK(shmat)
4288 - _ABI_SYSCALL_MUX_CHK(shmdt)
4289 - _ABI_SYSCALL_MUX_CHK(shmget)
4290 - _ABI_SYSCALL_MUX_CHK(shmctl)
4291 -
4292 - return __NR_SCMP_ERROR;
4293 -}
4294 -
4295 -/**
4296 - * Rewrite a syscall value to match the architecture
4297 - * @param arch the arch definition
4298 - * @param syscall the syscall number
4299 - *
4300 - * Syscalls can vary across different architectures so this function rewrites
4301 - * the syscall into the correct value for the specified architecture. Returns
4302 - * zero on success, negative values on failure.
4303 - *
4304 - */
4305 -int abi_syscall_rewrite(const struct arch_def *arch, int *syscall)
4306 -{
4307 - int sys = *syscall;
4308 -
4309 - if (sys <= -100 && sys >= -120)
4310 - *syscall = arch->sys_socketcall;
4311 - else if (sys <= -200 && sys >= -224)
4312 - *syscall = arch->sys_ipc;
4313 - else if (sys < 0)
4314 - return -EDOM;
4315 -
4316 - return 0;
4317 -}
4318 -
4319 -/**
4320 - * add a new rule to the abi seccomp filter
4321 - * @param db the seccomp filter db
4322 - * @param rule the filter rule
4323 - *
4324 - * This function adds a new syscall filter to the seccomp filter db, making any
4325 - * necessary adjustments for the abi ABI. Returns zero on success, negative
4326 - * values on failure.
4327 - *
4328 - * It is important to note that in the case of failure the db may be corrupted,
4329 - * the caller must use the transaction mechanism if the db integrity is
4330 - * important.
4331 - *
4332 - */
4333 -int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
4334 -{
4335 - int rc = 0;
4336 - unsigned int iter;
4337 - int sys = rule->syscall;
4338 - int sys_a, sys_b;
4339 - struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
4340 -
4341 - if (_abi_syscall_socket_test(db->arch, sys)) {
4342 - /* socket syscalls */
4343 -
4344 - /* strict check for the multiplexed socket syscalls */
4345 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
4346 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
4347 - rc = -EINVAL;
4348 - goto add_return;
4349 - }
4350 - }
4351 -
4352 - /* determine both the muxed and direct syscall numbers */
4353 - if (sys > 0) {
4354 - sys_a = _abi_syscall_mux(db->arch, sys);
4355 - if (sys_a == __NR_SCMP_ERROR) {
4356 - rc = __NR_SCMP_ERROR;
4357 - goto add_return;
4358 - }
4359 - sys_b = sys;
4360 - } else {
4361 - sys_a = sys;
4362 - sys_b = _abi_syscall_demux(db->arch, sys);
4363 - if (sys_b == __NR_SCMP_ERROR) {
4364 - rc = __NR_SCMP_ERROR;
4365 - goto add_return;
4366 - }
4367 - }
4368 -
4369 - /* use rule_a for the multiplexed syscall and use rule_b for
4370 - * the direct wired syscall */
4371 -
4372 - if (sys_a == __NR_SCMP_UNDEF) {
4373 - rule_a = NULL;
4374 - rule_b = rule;
4375 - } else if (sys_b == __NR_SCMP_UNDEF) {
4376 - rule_a = rule;
4377 - rule_b = NULL;
4378 - } else {
4379 - /* need two rules, dup the first and link together */
4380 - rule_a = rule;
4381 - rule_dup = db_rule_dup(rule_a);
4382 - rule_b = rule_dup;
4383 - if (rule_b == NULL)
4384 - goto add_return;
4385 - rule_b->prev = rule_a;
4386 - rule_b->next = NULL;
4387 - rule_a->next = rule_b;
4388 - }
4389 -
4390 - /* multiplexed socket syscalls */
4391 - if (rule_a != NULL) {
4392 - rule_a->syscall = db->arch->sys_socketcall;
4393 - rule_a->args[0].arg = 0;
4394 - rule_a->args[0].op = SCMP_CMP_EQ;
4395 - rule_a->args[0].mask = DATUM_MAX;
4396 - rule_a->args[0].datum = (-sys_a) % 100;
4397 - rule_a->args[0].valid = 1;
4398 - }
4399 -
4400 - /* direct wired socket syscalls */
4401 - if (rule_b != NULL)
4402 - rule_b->syscall = sys_b;
4403 -
4404 - /* we should be protected by a transaction checkpoint */
4405 - if (rule_a != NULL) {
4406 - rc = db_rule_add(db, rule_a);
4407 - if (rc < 0)
4408 - goto add_return;
4409 - }
4410 - if (rule_b != NULL) {
4411 - rc = db_rule_add(db, rule_b);
4412 - if (rc < 0)
4413 - goto add_return;
4414 - }
4415 - } else if (_abi_syscall_ipc_test(db->arch, sys)) {
4416 - /* ipc syscalls */
4417 -
4418 - /* strict check for the multiplexed socket syscalls */
4419 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
4420 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
4421 - rc = -EINVAL;
4422 - goto add_return;
4423 - }
4424 - }
4425 -
4426 - /* determine both the muxed and direct syscall numbers */
4427 - if (sys > 0) {
4428 - sys_a = _abi_syscall_mux(db->arch, sys);
4429 - if (sys_a == __NR_SCMP_ERROR) {
4430 - rc = __NR_SCMP_ERROR;
4431 - goto add_return;
4432 - }
4433 - sys_b = sys;
4434 - } else {
4435 - sys_a = sys;
4436 - sys_b = _abi_syscall_demux(db->arch, sys);
4437 - if (sys_b == __NR_SCMP_ERROR) {
4438 - rc = __NR_SCMP_ERROR;
4439 - goto add_return;
4440 - }
4441 - }
4442 -
4443 - /* use rule_a for the multiplexed syscall and use rule_b for
4444 - * the direct wired syscall */
4445 -
4446 - if (sys_a == __NR_SCMP_UNDEF) {
4447 - rule_a = NULL;
4448 - rule_b = rule;
4449 - } else if (sys_b == __NR_SCMP_UNDEF) {
4450 - rule_a = rule;
4451 - rule_b = NULL;
4452 - } else {
4453 - /* need two rules, dup the first and link together */
4454 - rule_a = rule;
4455 - rule_dup = db_rule_dup(rule_a);
4456 - rule_b = rule_dup;
4457 - if (rule_b == NULL)
4458 - goto add_return;
4459 - rule_b->prev = rule_a;
4460 - rule_b->next = NULL;
4461 - rule_a->next = rule_b;
4462 - }
4463 -
4464 - /* multiplexed socket syscalls */
4465 - if (rule_a != NULL) {
4466 - rule_a->syscall = db->arch->sys_ipc;
4467 - rule_a->args[0].arg = 0;
4468 - rule_a->args[0].op = SCMP_CMP_EQ;
4469 - rule_a->args[0].mask = DATUM_MAX;
4470 - rule_a->args[0].datum = (-sys_a) % 200;
4471 - rule_a->args[0].valid = 1;
4472 - }
4473 -
4474 - /* direct wired socket syscalls */
4475 - if (rule_b != NULL)
4476 - rule_b->syscall = sys_b;
4477 -
4478 - /* we should be protected by a transaction checkpoint */
4479 - if (rule_a != NULL) {
4480 - rc = db_rule_add(db, rule_a);
4481 - if (rc < 0)
4482 - goto add_return;
4483 - }
4484 - if (rule_b != NULL) {
4485 - rc = db_rule_add(db, rule_b);
4486 - if (rc < 0)
4487 - goto add_return;
4488 - }
4489 - } else if (sys >= 0) {
4490 - /* normal syscall processing */
4491 - rc = db_rule_add(db, rule);
4492 - if (rc < 0)
4493 - goto add_return;
4494 - } else if (rule->strict) {
4495 - rc = -EDOM;
4496 - goto add_return;
4497 - }
4498 -
4499 -add_return:
4500 - if (rule_dup != NULL)
4501 - free(rule_dup);
4502 - return rc;
4503 -}
4504 diff --git a/src/syscalls.h b/src/syscalls.h
4505 --- a/src/syscalls.h
4506 +++ b/src/syscalls.h
4507 @@ -59,12 +59,4 @@ int syscall_resolve_name(const char *name, int offset);
4508 const char *syscall_resolve_num(int num, int offset);
4509 const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset);
4510
4511 -/* helper functions for multiplexed syscalls, e.g. socketcall(2) and ipc(2) */
4512 -int abi_syscall_resolve_name_munge(const struct arch_def *arch,
4513 - const char *name);
4514 -const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num);
4515 -int abi_syscall_rewrite(const struct arch_def *arch, int *syscall);
4516 -int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule);
4517 -
4518 -
4519 #endif
+572
-0
debian/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch less more
0 REVERTS
1
2 From e976080ac5547a46f4654abc710e89bed992bb63 Mon Sep 17 00:00:00 2001
3 From: Paul Moore <paul@paul-moore.com>
4 Date: Tue, 3 Aug 2021 23:09:04 -0400
5 Subject: [PATCH] mips: add multiplexed syscall support to MIPS
6
7 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
8 Signed-off-by: Paul Moore <paul@paul-moore.com>
9
10 (imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae)
11 ---
12 src/arch-mips.c | 508 ++++++++++++++++++++++++++++++++++++++++++++++--
13 1 file changed, 495 insertions(+), 13 deletions(-)
14
15 diff --git a/src/arch-mips.c b/src/arch-mips.c
16 --- a/src/arch-mips.c
17 +++ b/src/arch-mips.c
18 @@ -22,21 +22,14 @@
19
20 #include <stdlib.h>
21 #include <errno.h>
22 -#include <string.h>
23 #include <linux/audit.h>
24
25 -#include "db.h"
26 -#include "syscalls.h"
27 #include "arch.h"
28 #include "arch-mips.h"
29
30 /* O32 ABI */
31 #define __SCMP_NR_BASE 4000
32
33 -/* mips syscall numbers */
34 -#define __mips_NR_socketcall 102
35 -#define __mips_NR_ipc 117
36 -
37 /**
38 * Resolve a syscall name to a number
39 * @param name the syscall name
40 @@ -48,44 +41,14 @@
41 */
42 int mips_syscall_resolve_name_munge(const char *name)
43 {
44 + int sys;
45
46 -#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
47 - if (!strcmp(name, #NAME)) return __PNR_##NAME;
48 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
49 + sys = mips_syscall_resolve_name(name);
50 + if (sys == __NR_SCMP_ERROR || sys < 0)
51 + return sys;
52
53 - _ABI_SYSCALL_RES_NAME_CHK(socket)
54 - _ABI_SYSCALL_RES_NAME_CHK(bind)
55 - _ABI_SYSCALL_RES_NAME_CHK(connect)
56 - _ABI_SYSCALL_RES_NAME_CHK(listen)
57 - _ABI_SYSCALL_RES_NAME_CHK(accept)
58 - _ABI_SYSCALL_RES_NAME_CHK(getsockname)
59 - _ABI_SYSCALL_RES_NAME_CHK(getpeername)
60 - _ABI_SYSCALL_RES_NAME_CHK(socketpair)
61 - _ABI_SYSCALL_RES_NAME_CHK(send)
62 - _ABI_SYSCALL_RES_NAME_CHK(recv)
63 - _ABI_SYSCALL_RES_NAME_CHK(sendto)
64 - _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
65 - _ABI_SYSCALL_RES_NAME_CHK(shutdown)
66 - _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
67 - _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
68 - _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
69 - _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
70 - _ABI_SYSCALL_RES_NAME_CHK(accept4)
71 - _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
72 - _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
73 - _ABI_SYSCALL_RES_NAME_CHK(semop)
74 - _ABI_SYSCALL_RES_NAME_CHK(semget)
75 - _ABI_SYSCALL_RES_NAME_CHK(semctl)
76 - _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
77 - _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
78 - _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
79 - _ABI_SYSCALL_RES_NAME_CHK(msgget)
80 - _ABI_SYSCALL_RES_NAME_CHK(msgctl)
81 - _ABI_SYSCALL_RES_NAME_CHK(shmat)
82 - _ABI_SYSCALL_RES_NAME_CHK(shmdt)
83 - _ABI_SYSCALL_RES_NAME_CHK(shmget)
84 - _ABI_SYSCALL_RES_NAME_CHK(shmctl)
85 -
86 - return mips_syscall_resolve_name(name);
87 + return sys + __SCMP_NR_BASE;
88 }
89
90 /**
91 @@ -99,457 +62,12 @@ int mips_syscall_resolve_name_munge(const char *name)
92 */
93 const char *mips_syscall_resolve_num_munge(int num)
94 {
95 -
96 -#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
97 - if (num == __PNR_##NAME) return #NAME;
98 -
99 - _ABI_SYSCALL_RES_NUM_CHK(socket)
100 - _ABI_SYSCALL_RES_NUM_CHK(bind)
101 - _ABI_SYSCALL_RES_NUM_CHK(connect)
102 - _ABI_SYSCALL_RES_NUM_CHK(listen)
103 - _ABI_SYSCALL_RES_NUM_CHK(accept)
104 - _ABI_SYSCALL_RES_NUM_CHK(getsockname)
105 - _ABI_SYSCALL_RES_NUM_CHK(getpeername)
106 - _ABI_SYSCALL_RES_NUM_CHK(socketpair)
107 - _ABI_SYSCALL_RES_NUM_CHK(send)
108 - _ABI_SYSCALL_RES_NUM_CHK(recv)
109 - _ABI_SYSCALL_RES_NUM_CHK(sendto)
110 - _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
111 - _ABI_SYSCALL_RES_NUM_CHK(shutdown)
112 - _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
113 - _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
114 - _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
115 - _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
116 - _ABI_SYSCALL_RES_NUM_CHK(accept4)
117 - _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
118 - _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
119 - _ABI_SYSCALL_RES_NUM_CHK(semop)
120 - _ABI_SYSCALL_RES_NUM_CHK(semget)
121 - _ABI_SYSCALL_RES_NUM_CHK(semctl)
122 - _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
123 - _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
124 - _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
125 - _ABI_SYSCALL_RES_NUM_CHK(msgget)
126 - _ABI_SYSCALL_RES_NUM_CHK(msgctl)
127 - _ABI_SYSCALL_RES_NUM_CHK(shmat)
128 - _ABI_SYSCALL_RES_NUM_CHK(shmdt)
129 - _ABI_SYSCALL_RES_NUM_CHK(shmget)
130 - _ABI_SYSCALL_RES_NUM_CHK(shmctl)
131 -
132 + /* NOTE: we don't want to modify the pseudo-syscall numbers */
133 + if (num >= __SCMP_NR_BASE)
134 + num -= __SCMP_NR_BASE;
135 return mips_syscall_resolve_num(num);
136 }
137
138 -/**
139 - * Check if a syscall is a socket syscall
140 - * @param sys the syscall number
141 - *
142 - * Returns true if the syscall is a socket related syscall, false otherwise.
143 - *
144 - */
145 -static bool _mips_syscall_socket_test(int sys)
146 -{
147 - const char *name;
148 -
149 - /* multiplexed pseduo-syscalls */
150 - if (sys <= -100 && sys >= -120)
151 - return true;
152 -
153 - name = mips_syscall_resolve_num(sys);
154 - if (!name)
155 - return false;
156 -
157 -#define _ABI_SYSCALL_SOCK_CHK(NAME) \
158 - if (!strcmp(name, #NAME)) return true;
159 -
160 - _ABI_SYSCALL_SOCK_CHK(socket)
161 - _ABI_SYSCALL_SOCK_CHK(bind)
162 - _ABI_SYSCALL_SOCK_CHK(connect)
163 - _ABI_SYSCALL_SOCK_CHK(listen)
164 - _ABI_SYSCALL_SOCK_CHK(accept)
165 - _ABI_SYSCALL_SOCK_CHK(getsockname)
166 - _ABI_SYSCALL_SOCK_CHK(getpeername)
167 - _ABI_SYSCALL_SOCK_CHK(socketpair)
168 - _ABI_SYSCALL_SOCK_CHK(send)
169 - _ABI_SYSCALL_SOCK_CHK(recv)
170 - _ABI_SYSCALL_SOCK_CHK(sendto)
171 - _ABI_SYSCALL_SOCK_CHK(recvfrom)
172 - _ABI_SYSCALL_SOCK_CHK(shutdown)
173 - _ABI_SYSCALL_SOCK_CHK(setsockopt)
174 - _ABI_SYSCALL_SOCK_CHK(getsockopt)
175 - _ABI_SYSCALL_SOCK_CHK(sendmsg)
176 - _ABI_SYSCALL_SOCK_CHK(recvmsg)
177 - _ABI_SYSCALL_SOCK_CHK(accept4)
178 - _ABI_SYSCALL_SOCK_CHK(recvmmsg)
179 - _ABI_SYSCALL_SOCK_CHK(sendmmsg)
180 -
181 - return false;
182 -}
183 -
184 -/**
185 - * Check if a syscall is an ipc syscall
186 - * @param sys the syscall number
187 - *
188 - * Returns true if the syscall is an ipc related syscall, false otherwise.
189 - *
190 - */
191 -static bool _mips_syscall_ipc_test(int sys)
192 -{
193 - const char *name;
194 -
195 - /* multiplexed pseduo-syscalls */
196 - if (sys <= -200 && sys >= -224)
197 - return true;
198 -
199 - name = mips_syscall_resolve_num(sys);
200 - if (!name)
201 - return false;
202 -
203 -#define _ABI_SYSCALL_IPC_CHK(NAME) \
204 - if (!strcmp(name, #NAME)) return true;
205 -
206 - _ABI_SYSCALL_IPC_CHK(semop)
207 - _ABI_SYSCALL_IPC_CHK(semget)
208 - _ABI_SYSCALL_IPC_CHK(semctl)
209 - _ABI_SYSCALL_IPC_CHK(semtimedop)
210 - _ABI_SYSCALL_IPC_CHK(msgsnd)
211 - _ABI_SYSCALL_IPC_CHK(msgrcv)
212 - _ABI_SYSCALL_IPC_CHK(msgget)
213 - _ABI_SYSCALL_IPC_CHK(msgctl)
214 - _ABI_SYSCALL_IPC_CHK(shmat)
215 - _ABI_SYSCALL_IPC_CHK(shmdt)
216 - _ABI_SYSCALL_IPC_CHK(shmget)
217 - _ABI_SYSCALL_IPC_CHK(shmctl)
218 -
219 - return false;
220 -}
221 -
222 -/**
223 - * Convert a multiplexed pseudo syscall into a direct syscall
224 - * @param syscall the multiplexed pseudo syscall number
225 - *
226 - * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
227 - * no related syscall, or __NR_SCMP_ERROR otherwise.
228 - *
229 - */
230 -static int _mips_syscall_demux(int syscall)
231 -{
232 - int sys = __NR_SCMP_UNDEF;
233 -
234 -#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
235 -case __PNR_##NAME: \
236 - sys = mips_syscall_resolve_name(#NAME); break;
237 -
238 - switch (syscall) {
239 - _ABI_SYSCALL_DEMUX_CHK(socket)
240 - _ABI_SYSCALL_DEMUX_CHK(bind)
241 - _ABI_SYSCALL_DEMUX_CHK(connect)
242 - _ABI_SYSCALL_DEMUX_CHK(listen)
243 - _ABI_SYSCALL_DEMUX_CHK(accept)
244 - _ABI_SYSCALL_DEMUX_CHK(getsockname)
245 - _ABI_SYSCALL_DEMUX_CHK(getpeername)
246 - _ABI_SYSCALL_DEMUX_CHK(socketpair)
247 - _ABI_SYSCALL_DEMUX_CHK(send)
248 - _ABI_SYSCALL_DEMUX_CHK(recv)
249 - _ABI_SYSCALL_DEMUX_CHK(sendto)
250 - _ABI_SYSCALL_DEMUX_CHK(recvfrom)
251 - _ABI_SYSCALL_DEMUX_CHK(shutdown)
252 - _ABI_SYSCALL_DEMUX_CHK(setsockopt)
253 - _ABI_SYSCALL_DEMUX_CHK(getsockopt)
254 - _ABI_SYSCALL_DEMUX_CHK(sendmsg)
255 - _ABI_SYSCALL_DEMUX_CHK(recvmsg)
256 - _ABI_SYSCALL_DEMUX_CHK(accept4)
257 - _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
258 - _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
259 - _ABI_SYSCALL_DEMUX_CHK(semop)
260 - _ABI_SYSCALL_DEMUX_CHK(semget)
261 - _ABI_SYSCALL_DEMUX_CHK(semctl)
262 - _ABI_SYSCALL_DEMUX_CHK(semtimedop)
263 - _ABI_SYSCALL_DEMUX_CHK(msgsnd)
264 - _ABI_SYSCALL_DEMUX_CHK(msgrcv)
265 - _ABI_SYSCALL_DEMUX_CHK(msgget)
266 - _ABI_SYSCALL_DEMUX_CHK(msgctl)
267 - _ABI_SYSCALL_DEMUX_CHK(shmat)
268 - _ABI_SYSCALL_DEMUX_CHK(shmdt)
269 - _ABI_SYSCALL_DEMUX_CHK(shmget)
270 - _ABI_SYSCALL_DEMUX_CHK(shmctl)
271 - }
272 -
273 - /* this looks odd because the arch resolver returns _ERROR if it can't
274 - * resolve the syscall, but we want to use _UNDEF for that, so we set
275 - * 'sys' to a sentinel value of _UNDEF and if it is error here we know
276 - * the resolve failed to find a match */
277 - if (sys == __NR_SCMP_UNDEF)
278 - sys = __NR_SCMP_ERROR;
279 - else if (sys == __NR_SCMP_ERROR)
280 - sys = __NR_SCMP_UNDEF;
281 -
282 - return sys;
283 -}
284 -
285 -/**
286 - * Convert a direct syscall into multiplexed pseudo socket syscall
287 - * @param syscall the direct syscall
288 - *
289 - * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
290 - * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
291 - *
292 - */
293 -static int _mips_syscall_mux(int syscall)
294 -{
295 - const char *sys;
296 -
297 - sys = mips_syscall_resolve_num(syscall);
298 - if (!sys)
299 - return __NR_SCMP_ERROR;
300 -
301 -#define _ABI_SYSCALL_MUX_CHK(NAME) \
302 - if (!strcmp(sys, #NAME)) return __PNR_##NAME;
303 -
304 - _ABI_SYSCALL_MUX_CHK(socket)
305 - _ABI_SYSCALL_MUX_CHK(bind)
306 - _ABI_SYSCALL_MUX_CHK(connect)
307 - _ABI_SYSCALL_MUX_CHK(listen)
308 - _ABI_SYSCALL_MUX_CHK(accept)
309 - _ABI_SYSCALL_MUX_CHK(getsockname)
310 - _ABI_SYSCALL_MUX_CHK(getpeername)
311 - _ABI_SYSCALL_MUX_CHK(socketpair)
312 - _ABI_SYSCALL_MUX_CHK(send)
313 - _ABI_SYSCALL_MUX_CHK(recv)
314 - _ABI_SYSCALL_MUX_CHK(sendto)
315 - _ABI_SYSCALL_MUX_CHK(recvfrom)
316 - _ABI_SYSCALL_MUX_CHK(shutdown)
317 - _ABI_SYSCALL_MUX_CHK(setsockopt)
318 - _ABI_SYSCALL_MUX_CHK(getsockopt)
319 - _ABI_SYSCALL_MUX_CHK(sendmsg)
320 - _ABI_SYSCALL_MUX_CHK(recvmsg)
321 - _ABI_SYSCALL_MUX_CHK(accept4)
322 - _ABI_SYSCALL_MUX_CHK(recvmmsg)
323 - _ABI_SYSCALL_MUX_CHK(sendmmsg)
324 - _ABI_SYSCALL_MUX_CHK(semop)
325 - _ABI_SYSCALL_MUX_CHK(semget)
326 - _ABI_SYSCALL_MUX_CHK(semctl)
327 - _ABI_SYSCALL_MUX_CHK(semtimedop)
328 - _ABI_SYSCALL_MUX_CHK(msgsnd)
329 - _ABI_SYSCALL_MUX_CHK(msgrcv)
330 - _ABI_SYSCALL_MUX_CHK(msgget)
331 - _ABI_SYSCALL_MUX_CHK(msgctl)
332 - _ABI_SYSCALL_MUX_CHK(shmat)
333 - _ABI_SYSCALL_MUX_CHK(shmdt)
334 - _ABI_SYSCALL_MUX_CHK(shmget)
335 - _ABI_SYSCALL_MUX_CHK(shmctl)
336 -
337 - return __NR_SCMP_ERROR;
338 -}
339 -
340 -/**
341 - * Rewrite a syscall value to match the architecture
342 - * @param syscall the syscall number
343 - *
344 - * Syscalls can vary across different architectures so this function rewrites
345 - * the syscall into the correct value for the specified architecture. Returns
346 - * zero on success, negative values on failure.
347 - *
348 - */
349 -int mips_syscall_rewrite(int *syscall)
350 -{
351 - int sys = *syscall;
352 -
353 - if (sys <= -100 && sys >= -120)
354 - *syscall = __mips_NR_socketcall;
355 - else if (sys <= -200 && sys >= -224)
356 - *syscall = __mips_NR_ipc;
357 - else if (sys < 0)
358 - return -EDOM;
359 -
360 - return 0;
361 -}
362 -
363 -/**
364 - * add a new rule to the mips seccomp filter
365 - * @param db the seccomp filter db
366 - * @param rule the filter rule
367 - *
368 - * This function adds a new syscall filter to the seccomp filter db, making any
369 - * necessary adjustments for the mips ABI. Returns zero on success, negative
370 - * values on failure.
371 - *
372 - * It is important to note that in the case of failure the db may be corrupted,
373 - * the caller must use the transaction mechanism if the db integrity is
374 - * important.
375 - *
376 - */
377 -int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
378 -{
379 - int rc = 0;
380 - unsigned int iter;
381 - int sys = rule->syscall;
382 - int sys_a, sys_b;
383 - struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
384 -
385 - if (_mips_syscall_socket_test(sys)) {
386 - /* socket syscalls */
387 -
388 - /* strict check for the multiplexed socket syscalls */
389 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
390 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
391 - rc = -EINVAL;
392 - goto add_return;
393 - }
394 - }
395 -
396 - /* determine both the muxed and direct syscall numbers */
397 - if (sys > 0) {
398 - sys_a = _mips_syscall_mux(sys);
399 - if (sys_a == __NR_SCMP_ERROR) {
400 - rc = __NR_SCMP_ERROR;
401 - goto add_return;
402 - }
403 - sys_b = sys;
404 - } else {
405 - sys_a = sys;
406 - sys_b = _mips_syscall_demux(sys);
407 - if (sys_b == __NR_SCMP_ERROR) {
408 - rc = __NR_SCMP_ERROR;
409 - goto add_return;
410 - }
411 - }
412 -
413 - /* use rule_a for the multiplexed syscall and use rule_b for
414 - * the direct wired syscall */
415 -
416 - if (sys_a == __NR_SCMP_UNDEF) {
417 - rule_a = NULL;
418 - rule_b = rule;
419 - } else if (sys_b == __NR_SCMP_UNDEF) {
420 - rule_a = rule;
421 - rule_b = NULL;
422 - } else {
423 - /* need two rules, dup the first and link together */
424 - rule_a = rule;
425 - rule_dup = db_rule_dup(rule_a);
426 - rule_b = rule_dup;
427 - if (rule_b == NULL)
428 - goto add_return;
429 - rule_b->prev = rule_a;
430 - rule_b->next = NULL;
431 - rule_a->next = rule_b;
432 - }
433 -
434 - /* multiplexed socket syscalls */
435 - if (rule_a != NULL) {
436 - rule_a->syscall = __mips_NR_socketcall;
437 - rule_a->args[0].arg = 0;
438 - rule_a->args[0].op = SCMP_CMP_EQ;
439 - rule_a->args[0].mask = DATUM_MAX;
440 - rule_a->args[0].datum = (-sys_a) % 100;
441 - rule_a->args[0].valid = 1;
442 - }
443 -
444 - /* direct wired socket syscalls */
445 - if (rule_b != NULL)
446 - rule_b->syscall = sys_b;
447 -
448 - /* we should be protected by a transaction checkpoint */
449 - if (rule_a != NULL) {
450 - rc = db_rule_add(db, rule_a);
451 - if (rc < 0)
452 - goto add_return;
453 - }
454 - if (rule_b != NULL) {
455 - rc = db_rule_add(db, rule_b);
456 - if (rc < 0)
457 - goto add_return;
458 - }
459 - } else if (_mips_syscall_ipc_test(sys)) {
460 - /* ipc syscalls */
461 -
462 - /* strict check for the multiplexed socket syscalls */
463 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
464 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
465 - rc = -EINVAL;
466 - goto add_return;
467 - }
468 - }
469 -
470 - /* determine both the muxed and direct syscall numbers */
471 - if (sys > 0) {
472 - sys_a = _mips_syscall_mux(sys);
473 - if (sys_a == __NR_SCMP_ERROR) {
474 - rc = __NR_SCMP_ERROR;
475 - goto add_return;
476 - }
477 - sys_b = sys;
478 - } else {
479 - sys_a = sys;
480 - sys_b = _mips_syscall_demux(sys);
481 - if (sys_b == __NR_SCMP_ERROR) {
482 - rc = __NR_SCMP_ERROR;
483 - goto add_return;
484 - }
485 - }
486 -
487 - /* use rule_a for the multiplexed syscall and use rule_b for
488 - * the direct wired syscall */
489 -
490 - if (sys_a == __NR_SCMP_UNDEF) {
491 - rule_a = NULL;
492 - rule_b = rule;
493 - } else if (sys_b == __NR_SCMP_UNDEF) {
494 - rule_a = rule;
495 - rule_b = NULL;
496 - } else {
497 - /* need two rules, dup the first and link together */
498 - rule_a = rule;
499 - rule_dup = db_rule_dup(rule_a);
500 - rule_b = rule_dup;
501 - if (rule_b == NULL)
502 - goto add_return;
503 - rule_b->prev = rule_a;
504 - rule_b->next = NULL;
505 - rule_a->next = rule_b;
506 - }
507 -
508 - /* multiplexed socket syscalls */
509 - if (rule_a != NULL) {
510 - rule_a->syscall = __mips_NR_ipc;
511 - rule_a->args[0].arg = 0;
512 - rule_a->args[0].op = SCMP_CMP_EQ;
513 - rule_a->args[0].mask = DATUM_MAX;
514 - rule_a->args[0].datum = (-sys_a) % 200;
515 - rule_a->args[0].valid = 1;
516 - }
517 -
518 - /* direct wired socket syscalls */
519 - if (rule_b != NULL)
520 - rule_b->syscall = sys_b;
521 -
522 - /* we should be protected by a transaction checkpoint */
523 - if (rule_a != NULL) {
524 - rc = db_rule_add(db, rule_a);
525 - if (rc < 0)
526 - goto add_return;
527 - }
528 - if (rule_b != NULL) {
529 - rc = db_rule_add(db, rule_b);
530 - if (rc < 0)
531 - goto add_return;
532 - }
533 - } else if (sys >= 0) {
534 - /* normal syscall processing */
535 - rc = db_rule_add(db, rule);
536 - if (rc < 0)
537 - goto add_return;
538 - } else if (rule->strict) {
539 - rc = -EDOM;
540 - goto add_return;
541 - }
542 -
543 -add_return:
544 - if (rule_dup != NULL)
545 - free(rule_dup);
546 - return rc;
547 -}
548 -
549 const struct arch_def arch_def_mips = {
550 .token = SCMP_ARCH_MIPS,
551 .token_bpf = AUDIT_ARCH_MIPS,
552 @@ -557,8 +75,8 @@ const struct arch_def arch_def_mips = {
553 .endian = ARCH_ENDIAN_BIG,
554 .syscall_resolve_name = mips_syscall_resolve_name_munge,
555 .syscall_resolve_num = mips_syscall_resolve_num_munge,
556 - .syscall_rewrite = mips_syscall_rewrite,
557 - .rule_add = mips_rule_add,
558 + .syscall_rewrite = NULL,
559 + .rule_add = NULL,
560 };
561
562 const struct arch_def arch_def_mipsel = {
563 @@ -568,6 +86,6 @@ const struct arch_def arch_def_mipsel = {
564 .endian = ARCH_ENDIAN_LITTLE,
565 .syscall_resolve_name = mips_syscall_resolve_name_munge,
566 .syscall_resolve_num = mips_syscall_resolve_num_munge,
567 - .syscall_rewrite = mips_syscall_rewrite,
568 - .rule_add = mips_rule_add,
569 + .syscall_rewrite = NULL,
570 + .rule_add = NULL,
571 };
+563
-0
debian/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch less more
0 REVERTS
1
2 From f93a872fbc404df3dd3739dd399ad67f139fb1fa Mon Sep 17 00:00:00 2001
3 From: Paul Moore <paul@paul-moore.com>
4 Date: Tue, 3 Aug 2021 23:21:55 -0400
5 Subject: [PATCH] ppc: add multiplexed syscall support to PPC
6
7 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
8 Signed-off-by: Paul Moore <paul@paul-moore.com>
9
10 (imported from commit 255801bccf89343c684b2b94e85d9e0df484c133)
11 ---
12 src/arch-ppc.c | 530 ++++++++++++++++++++++++++++++++++++++++++++++++-
13 1 file changed, 526 insertions(+), 4 deletions(-)
14
15 diff --git a/src/arch-ppc.c b/src/arch-ppc.c
16 --- a/src/arch-ppc.c
17 +++ b/src/arch-ppc.c
18 @@ -20,540 +20,18 @@
19 * along with this library; if not, see <http://www.gnu.org/licenses>.
20 */
21
22 -#include <stdlib.h>
23 -#include <errno.h>
24 -#include <string.h>
25 #include <linux/audit.h>
26
27 -#include "db.h"
28 -#include "syscalls.h"
29 #include "arch.h"
30 #include "arch-ppc.h"
31
32 -/* ppc syscall numbers */
33 -#define __ppc_NR_socketcall 102
34 -#define __ppc_NR_ipc 117
35 -
36 -/**
37 - * Resolve a syscall name to a number
38 - * @param name the syscall name
39 - *
40 - * Resolve the given syscall name to the syscall number using the syscall table.
41 - * Returns the syscall number on success, including negative pseudo syscall
42 - * numbers; returns __NR_SCMP_ERROR on failure.
43 - *
44 - */
45 -int ppc_syscall_resolve_name_munge(const char *name)
46 -{
47 -
48 -#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
49 - if (!strcmp(name, #NAME)) return __PNR_##NAME;
50 -
51 - _ABI_SYSCALL_RES_NAME_CHK(socket)
52 - _ABI_SYSCALL_RES_NAME_CHK(bind)
53 - _ABI_SYSCALL_RES_NAME_CHK(connect)
54 - _ABI_SYSCALL_RES_NAME_CHK(listen)
55 - _ABI_SYSCALL_RES_NAME_CHK(accept)
56 - _ABI_SYSCALL_RES_NAME_CHK(getsockname)
57 - _ABI_SYSCALL_RES_NAME_CHK(getpeername)
58 - _ABI_SYSCALL_RES_NAME_CHK(socketpair)
59 - _ABI_SYSCALL_RES_NAME_CHK(send)
60 - _ABI_SYSCALL_RES_NAME_CHK(recv)
61 - _ABI_SYSCALL_RES_NAME_CHK(sendto)
62 - _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
63 - _ABI_SYSCALL_RES_NAME_CHK(shutdown)
64 - _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
65 - _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
66 - _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
67 - _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
68 - _ABI_SYSCALL_RES_NAME_CHK(accept4)
69 - _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
70 - _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
71 - _ABI_SYSCALL_RES_NAME_CHK(semop)
72 - _ABI_SYSCALL_RES_NAME_CHK(semget)
73 - _ABI_SYSCALL_RES_NAME_CHK(semctl)
74 - _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
75 - _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
76 - _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
77 - _ABI_SYSCALL_RES_NAME_CHK(msgget)
78 - _ABI_SYSCALL_RES_NAME_CHK(msgctl)
79 - _ABI_SYSCALL_RES_NAME_CHK(shmat)
80 - _ABI_SYSCALL_RES_NAME_CHK(shmdt)
81 - _ABI_SYSCALL_RES_NAME_CHK(shmget)
82 - _ABI_SYSCALL_RES_NAME_CHK(shmctl)
83 -
84 - return ppc_syscall_resolve_name(name);
85 -}
86 -
87 -/**
88 - * Resolve a syscall number to a name
89 - * @param num the syscall number
90 - *
91 - * Resolve the given syscall number to the syscall name using the syscall table.
92 - * Returns a pointer to the syscall name string on success, including pseudo
93 - * syscall names; returns NULL on failure.
94 - *
95 - */
96 -const char *ppc_syscall_resolve_num_munge(int num)
97 -{
98 -
99 -#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
100 - if (num == __PNR_##NAME) return #NAME;
101 -
102 - _ABI_SYSCALL_RES_NUM_CHK(socket)
103 - _ABI_SYSCALL_RES_NUM_CHK(bind)
104 - _ABI_SYSCALL_RES_NUM_CHK(connect)
105 - _ABI_SYSCALL_RES_NUM_CHK(listen)
106 - _ABI_SYSCALL_RES_NUM_CHK(accept)
107 - _ABI_SYSCALL_RES_NUM_CHK(getsockname)
108 - _ABI_SYSCALL_RES_NUM_CHK(getpeername)
109 - _ABI_SYSCALL_RES_NUM_CHK(socketpair)
110 - _ABI_SYSCALL_RES_NUM_CHK(send)
111 - _ABI_SYSCALL_RES_NUM_CHK(recv)
112 - _ABI_SYSCALL_RES_NUM_CHK(sendto)
113 - _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
114 - _ABI_SYSCALL_RES_NUM_CHK(shutdown)
115 - _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
116 - _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
117 - _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
118 - _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
119 - _ABI_SYSCALL_RES_NUM_CHK(accept4)
120 - _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
121 - _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
122 - _ABI_SYSCALL_RES_NUM_CHK(semop)
123 - _ABI_SYSCALL_RES_NUM_CHK(semget)
124 - _ABI_SYSCALL_RES_NUM_CHK(semctl)
125 - _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
126 - _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
127 - _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
128 - _ABI_SYSCALL_RES_NUM_CHK(msgget)
129 - _ABI_SYSCALL_RES_NUM_CHK(msgctl)
130 - _ABI_SYSCALL_RES_NUM_CHK(shmat)
131 - _ABI_SYSCALL_RES_NUM_CHK(shmdt)
132 - _ABI_SYSCALL_RES_NUM_CHK(shmget)
133 - _ABI_SYSCALL_RES_NUM_CHK(shmctl)
134 -
135 - return ppc_syscall_resolve_num(num);
136 -}
137 -
138 -/**
139 - * Check if a syscall is a socket syscall
140 - * @param sys the syscall number
141 - *
142 - * Returns true if the syscall is a socket related syscall, false otherwise.
143 - *
144 - */
145 -static bool _ppc_syscall_socket_test(int sys)
146 -{
147 - const char *name;
148 -
149 - /* multiplexed pseduo-syscalls */
150 - if (sys <= -100 && sys >= -120)
151 - return true;
152 -
153 - name = ppc_syscall_resolve_num(sys);
154 - if (!name)
155 - return false;
156 -
157 -#define _ABI_SYSCALL_SOCK_CHK(NAME) \
158 - if (!strcmp(name, #NAME)) return true;
159 -
160 - _ABI_SYSCALL_SOCK_CHK(socket)
161 - _ABI_SYSCALL_SOCK_CHK(bind)
162 - _ABI_SYSCALL_SOCK_CHK(connect)
163 - _ABI_SYSCALL_SOCK_CHK(listen)
164 - _ABI_SYSCALL_SOCK_CHK(accept)
165 - _ABI_SYSCALL_SOCK_CHK(getsockname)
166 - _ABI_SYSCALL_SOCK_CHK(getpeername)
167 - _ABI_SYSCALL_SOCK_CHK(socketpair)
168 - _ABI_SYSCALL_SOCK_CHK(send)
169 - _ABI_SYSCALL_SOCK_CHK(recv)
170 - _ABI_SYSCALL_SOCK_CHK(sendto)
171 - _ABI_SYSCALL_SOCK_CHK(recvfrom)
172 - _ABI_SYSCALL_SOCK_CHK(shutdown)
173 - _ABI_SYSCALL_SOCK_CHK(setsockopt)
174 - _ABI_SYSCALL_SOCK_CHK(getsockopt)
175 - _ABI_SYSCALL_SOCK_CHK(sendmsg)
176 - _ABI_SYSCALL_SOCK_CHK(recvmsg)
177 - _ABI_SYSCALL_SOCK_CHK(accept4)
178 - _ABI_SYSCALL_SOCK_CHK(recvmmsg)
179 - _ABI_SYSCALL_SOCK_CHK(sendmmsg)
180 -
181 - return false;
182 -}
183 -
184 -/**
185 - * Check if a syscall is an ipc syscall
186 - * @param sys the syscall number
187 - *
188 - * Returns true if the syscall is an ipc related syscall, false otherwise.
189 - *
190 - */
191 -static bool _ppc_syscall_ipc_test(int sys)
192 -{
193 - const char *name;
194 -
195 - /* multiplexed pseduo-syscalls */
196 - if (sys <= -200 && sys >= -224)
197 - return true;
198 -
199 - name = ppc_syscall_resolve_num(sys);
200 - if (!name)
201 - return false;
202 -
203 -#define _ABI_SYSCALL_IPC_CHK(NAME) \
204 - if (!strcmp(name, #NAME)) return true;
205 -
206 - _ABI_SYSCALL_IPC_CHK(semop)
207 - _ABI_SYSCALL_IPC_CHK(semget)
208 - _ABI_SYSCALL_IPC_CHK(semctl)
209 - _ABI_SYSCALL_IPC_CHK(semtimedop)
210 - _ABI_SYSCALL_IPC_CHK(msgsnd)
211 - _ABI_SYSCALL_IPC_CHK(msgrcv)
212 - _ABI_SYSCALL_IPC_CHK(msgget)
213 - _ABI_SYSCALL_IPC_CHK(msgctl)
214 - _ABI_SYSCALL_IPC_CHK(shmat)
215 - _ABI_SYSCALL_IPC_CHK(shmdt)
216 - _ABI_SYSCALL_IPC_CHK(shmget)
217 - _ABI_SYSCALL_IPC_CHK(shmctl)
218 -
219 - return false;
220 -}
221 -
222 -/**
223 - * Convert a multiplexed pseudo syscall into a direct syscall
224 - * @param syscall the multiplexed pseudo syscall number
225 - *
226 - * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
227 - * no related syscall, or __NR_SCMP_ERROR otherwise.
228 - *
229 - */
230 -static int _ppc_syscall_demux(int syscall)
231 -{
232 - int sys = __NR_SCMP_UNDEF;
233 -
234 -#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
235 -case __PNR_##NAME: \
236 - sys = ppc_syscall_resolve_name(#NAME); break;
237 -
238 - switch (syscall) {
239 - _ABI_SYSCALL_DEMUX_CHK(socket)
240 - _ABI_SYSCALL_DEMUX_CHK(bind)
241 - _ABI_SYSCALL_DEMUX_CHK(connect)
242 - _ABI_SYSCALL_DEMUX_CHK(listen)
243 - _ABI_SYSCALL_DEMUX_CHK(accept)
244 - _ABI_SYSCALL_DEMUX_CHK(getsockname)
245 - _ABI_SYSCALL_DEMUX_CHK(getpeername)
246 - _ABI_SYSCALL_DEMUX_CHK(socketpair)
247 - _ABI_SYSCALL_DEMUX_CHK(send)
248 - _ABI_SYSCALL_DEMUX_CHK(recv)
249 - _ABI_SYSCALL_DEMUX_CHK(sendto)
250 - _ABI_SYSCALL_DEMUX_CHK(recvfrom)
251 - _ABI_SYSCALL_DEMUX_CHK(shutdown)
252 - _ABI_SYSCALL_DEMUX_CHK(setsockopt)
253 - _ABI_SYSCALL_DEMUX_CHK(getsockopt)
254 - _ABI_SYSCALL_DEMUX_CHK(sendmsg)
255 - _ABI_SYSCALL_DEMUX_CHK(recvmsg)
256 - _ABI_SYSCALL_DEMUX_CHK(accept4)
257 - _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
258 - _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
259 - _ABI_SYSCALL_DEMUX_CHK(semop)
260 - _ABI_SYSCALL_DEMUX_CHK(semget)
261 - _ABI_SYSCALL_DEMUX_CHK(semctl)
262 - _ABI_SYSCALL_DEMUX_CHK(semtimedop)
263 - _ABI_SYSCALL_DEMUX_CHK(msgsnd)
264 - _ABI_SYSCALL_DEMUX_CHK(msgrcv)
265 - _ABI_SYSCALL_DEMUX_CHK(msgget)
266 - _ABI_SYSCALL_DEMUX_CHK(msgctl)
267 - _ABI_SYSCALL_DEMUX_CHK(shmat)
268 - _ABI_SYSCALL_DEMUX_CHK(shmdt)
269 - _ABI_SYSCALL_DEMUX_CHK(shmget)
270 - _ABI_SYSCALL_DEMUX_CHK(shmctl)
271 - }
272 -
273 - /* this looks odd because the arch resolver returns _ERROR if it can't
274 - * resolve the syscall, but we want to use _UNDEF for that, so we set
275 - * 'sys' to a sentinel value of _UNDEF and if it is error here we know
276 - * the resolve failed to find a match */
277 - if (sys == __NR_SCMP_UNDEF)
278 - sys = __NR_SCMP_ERROR;
279 - else if (sys == __NR_SCMP_ERROR)
280 - sys = __NR_SCMP_UNDEF;
281 -
282 - return sys;
283 -}
284 -
285 -/**
286 - * Convert a direct syscall into multiplexed pseudo socket syscall
287 - * @param syscall the direct syscall
288 - *
289 - * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
290 - * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
291 - *
292 - */
293 -static int _ppc_syscall_mux(int syscall)
294 -{
295 - const char *sys;
296 -
297 - sys = ppc_syscall_resolve_num(syscall);
298 - if (!sys)
299 - return __NR_SCMP_ERROR;
300 -
301 -#define _ABI_SYSCALL_MUX_CHK(NAME) \
302 - if (!strcmp(sys, #NAME)) return __PNR_##NAME;
303 -
304 - _ABI_SYSCALL_MUX_CHK(socket)
305 - _ABI_SYSCALL_MUX_CHK(bind)
306 - _ABI_SYSCALL_MUX_CHK(connect)
307 - _ABI_SYSCALL_MUX_CHK(listen)
308 - _ABI_SYSCALL_MUX_CHK(accept)
309 - _ABI_SYSCALL_MUX_CHK(getsockname)
310 - _ABI_SYSCALL_MUX_CHK(getpeername)
311 - _ABI_SYSCALL_MUX_CHK(socketpair)
312 - _ABI_SYSCALL_MUX_CHK(send)
313 - _ABI_SYSCALL_MUX_CHK(recv)
314 - _ABI_SYSCALL_MUX_CHK(sendto)
315 - _ABI_SYSCALL_MUX_CHK(recvfrom)
316 - _ABI_SYSCALL_MUX_CHK(shutdown)
317 - _ABI_SYSCALL_MUX_CHK(setsockopt)
318 - _ABI_SYSCALL_MUX_CHK(getsockopt)
319 - _ABI_SYSCALL_MUX_CHK(sendmsg)
320 - _ABI_SYSCALL_MUX_CHK(recvmsg)
321 - _ABI_SYSCALL_MUX_CHK(accept4)
322 - _ABI_SYSCALL_MUX_CHK(recvmmsg)
323 - _ABI_SYSCALL_MUX_CHK(sendmmsg)
324 - _ABI_SYSCALL_MUX_CHK(semop)
325 - _ABI_SYSCALL_MUX_CHK(semget)
326 - _ABI_SYSCALL_MUX_CHK(semctl)
327 - _ABI_SYSCALL_MUX_CHK(semtimedop)
328 - _ABI_SYSCALL_MUX_CHK(msgsnd)
329 - _ABI_SYSCALL_MUX_CHK(msgrcv)
330 - _ABI_SYSCALL_MUX_CHK(msgget)
331 - _ABI_SYSCALL_MUX_CHK(msgctl)
332 - _ABI_SYSCALL_MUX_CHK(shmat)
333 - _ABI_SYSCALL_MUX_CHK(shmdt)
334 - _ABI_SYSCALL_MUX_CHK(shmget)
335 - _ABI_SYSCALL_MUX_CHK(shmctl)
336 -
337 - return __NR_SCMP_ERROR;
338 -}
339 -
340 -/**
341 - * Rewrite a syscall value to match the architecture
342 - * @param syscall the syscall number
343 - *
344 - * Syscalls can vary across different architectures so this function rewrites
345 - * the syscall into the correct value for the specified architecture. Returns
346 - * zero on success, negative values on failure.
347 - *
348 - */
349 -int ppc_syscall_rewrite(int *syscall)
350 -{
351 - int sys = *syscall;
352 -
353 - if (sys <= -100 && sys >= -120)
354 - *syscall = __ppc_NR_socketcall;
355 - else if (sys <= -200 && sys >= -224)
356 - *syscall = __ppc_NR_ipc;
357 - else if (sys < 0)
358 - return -EDOM;
359 -
360 - return 0;
361 -}
362 -
363 -/**
364 - * add a new rule to the ppc seccomp filter
365 - * @param db the seccomp filter db
366 - * @param rule the filter rule
367 - *
368 - * This function adds a new syscall filter to the seccomp filter db, making any
369 - * necessary adjustments for the ppc ABI. Returns zero on success, negative
370 - * values on failure.
371 - *
372 - * It is important to note that in the case of failure the db may be corrupted,
373 - * the caller must use the transaction mechanism if the db integrity is
374 - * important.
375 - *
376 - */
377 -int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
378 -{
379 - int rc = 0;
380 - unsigned int iter;
381 - int sys = rule->syscall;
382 - int sys_a, sys_b;
383 - struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
384 -
385 - if (_ppc_syscall_socket_test(sys)) {
386 - /* socket syscalls */
387 -
388 - /* strict check for the multiplexed socket syscalls */
389 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
390 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
391 - rc = -EINVAL;
392 - goto add_return;
393 - }
394 - }
395 -
396 - /* determine both the muxed and direct syscall numbers */
397 - if (sys > 0) {
398 - sys_a = _ppc_syscall_mux(sys);
399 - if (sys_a == __NR_SCMP_ERROR) {
400 - rc = __NR_SCMP_ERROR;
401 - goto add_return;
402 - }
403 - sys_b = sys;
404 - } else {
405 - sys_a = sys;
406 - sys_b = _ppc_syscall_demux(sys);
407 - if (sys_b == __NR_SCMP_ERROR) {
408 - rc = __NR_SCMP_ERROR;
409 - goto add_return;
410 - }
411 - }
412 -
413 - /* use rule_a for the multiplexed syscall and use rule_b for
414 - * the direct wired syscall */
415 -
416 - if (sys_a == __NR_SCMP_UNDEF) {
417 - rule_a = NULL;
418 - rule_b = rule;
419 - } else if (sys_b == __NR_SCMP_UNDEF) {
420 - rule_a = rule;
421 - rule_b = NULL;
422 - } else {
423 - /* need two rules, dup the first and link together */
424 - rule_a = rule;
425 - rule_dup = db_rule_dup(rule_a);
426 - rule_b = rule_dup;
427 - if (rule_b == NULL)
428 - goto add_return;
429 - rule_b->prev = rule_a;
430 - rule_b->next = NULL;
431 - rule_a->next = rule_b;
432 - }
433 -
434 - /* multiplexed socket syscalls */
435 - if (rule_a != NULL) {
436 - rule_a->syscall = __ppc_NR_socketcall;
437 - rule_a->args[0].arg = 0;
438 - rule_a->args[0].op = SCMP_CMP_EQ;
439 - rule_a->args[0].mask = DATUM_MAX;
440 - rule_a->args[0].datum = (-sys_a) % 100;
441 - rule_a->args[0].valid = 1;
442 - }
443 -
444 - /* direct wired socket syscalls */
445 - if (rule_b != NULL)
446 - rule_b->syscall = sys_b;
447 -
448 - /* we should be protected by a transaction checkpoint */
449 - if (rule_a != NULL) {
450 - rc = db_rule_add(db, rule_a);
451 - if (rc < 0)
452 - goto add_return;
453 - }
454 - if (rule_b != NULL) {
455 - rc = db_rule_add(db, rule_b);
456 - if (rc < 0)
457 - goto add_return;
458 - }
459 - } else if (_ppc_syscall_ipc_test(sys)) {
460 - /* ipc syscalls */
461 -
462 - /* strict check for the multiplexed socket syscalls */
463 - for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
464 - if ((rule->args[iter].valid != 0) && (rule->strict)) {
465 - rc = -EINVAL;
466 - goto add_return;
467 - }
468 - }
469 -
470 - /* determine both the muxed and direct syscall numbers */
471 - if (sys > 0) {
472 - sys_a = _ppc_syscall_mux(sys);
473 - if (sys_a == __NR_SCMP_ERROR) {
474 - rc = __NR_SCMP_ERROR;
475 - goto add_return;
476 - }
477 - sys_b = sys;
478 - } else {
479 - sys_a = sys;
480 - sys_b = _ppc_syscall_demux(sys);
481 - if (sys_b == __NR_SCMP_ERROR) {
482 - rc = __NR_SCMP_ERROR;
483 - goto add_return;
484 - }
485 - }
486 -
487 - /* use rule_a for the multiplexed syscall and use rule_b for
488 - * the direct wired syscall */
489 -
490 - if (sys_a == __NR_SCMP_UNDEF) {
491 - rule_a = NULL;
492 - rule_b = rule;
493 - } else if (sys_b == __NR_SCMP_UNDEF) {
494 - rule_a = rule;
495 - rule_b = NULL;
496 - } else {
497 - /* need two rules, dup the first and link together */
498 - rule_a = rule;
499 - rule_dup = db_rule_dup(rule_a);
500 - rule_b = rule_dup;
501 - if (rule_b == NULL)
502 - goto add_return;
503 - rule_b->prev = rule_a;
504 - rule_b->next = NULL;
505 - rule_a->next = rule_b;
506 - }
507 -
508 - /* multiplexed socket syscalls */
509 - if (rule_a != NULL) {
510 - rule_a->syscall = __ppc_NR_ipc;
511 - rule_a->args[0].arg = 0;
512 - rule_a->args[0].op = SCMP_CMP_EQ;
513 - rule_a->args[0].mask = DATUM_MAX;
514 - rule_a->args[0].datum = (-sys_a) % 200;
515 - rule_a->args[0].valid = 1;
516 - }
517 -
518 - /* direct wired socket syscalls */
519 - if (rule_b != NULL)
520 - rule_b->syscall = sys_b;
521 -
522 - /* we should be protected by a transaction checkpoint */
523 - if (rule_a != NULL) {
524 - rc = db_rule_add(db, rule_a);
525 - if (rc < 0)
526 - goto add_return;
527 - }
528 - if (rule_b != NULL) {
529 - rc = db_rule_add(db, rule_b);
530 - if (rc < 0)
531 - goto add_return;
532 - }
533 - } else if (sys >= 0) {
534 - /* normal syscall processing */
535 - rc = db_rule_add(db, rule);
536 - if (rc < 0)
537 - goto add_return;
538 - } else if (rule->strict) {
539 - rc = -EDOM;
540 - goto add_return;
541 - }
542 -
543 -add_return:
544 - if (rule_dup != NULL)
545 - free(rule_dup);
546 - return rc;
547 -}
548 -
549 const struct arch_def arch_def_ppc = {
550 .token = SCMP_ARCH_PPC,
551 .token_bpf = AUDIT_ARCH_PPC,
552 .size = ARCH_SIZE_32,
553 .endian = ARCH_ENDIAN_BIG,
554 - .syscall_resolve_name = ppc_syscall_resolve_name_munge,
555 - .syscall_resolve_num = ppc_syscall_resolve_num_munge,
556 - .syscall_rewrite = ppc_syscall_rewrite,
557 - .rule_add = ppc_rule_add,
558 + .syscall_resolve_name = ppc_syscall_resolve_name,
559 + .syscall_resolve_num = ppc_syscall_resolve_num,
560 + .syscall_rewrite = NULL,
561 + .rule_add = NULL,
562 };
+1110
-0
debian/patches/revert_various_additions_to_improve_code_coverage.patch less more
0 REVERTS
1
2 From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001
3 From: Paul Moore <paul@paul-moore.com>
4 Date: Tue, 3 Aug 2021 14:12:50 -0400
5 Subject: [PATCH] tests: various additions to improve code coverage
6
7 Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
8 Signed-off-by: Paul Moore <paul@paul-moore.com>
9
10 (imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)
11 ---
12 tests/11-basic-basic_errors.c | 52 +++
13 tests/15-basic-resolver.c | 40 ++
14 tests/30-sim-socket_syscalls.c | 62 ++-
15 tests/33-sim-socket_syscalls_be.c | 3 +
16 tests/33-sim-socket_syscalls_be.py | 1 +
17 tests/33-sim-socket_syscalls_be.tests | 42 +-
18 tests/36-sim-ipc_syscalls.c | 3 +
19 tests/36-sim-ipc_syscalls.py | 1 +
20 tests/36-sim-ipc_syscalls.tests | 50 +--
21 tests/37-sim-ipc_syscalls_be.c | 3 +
22 tests/37-sim-ipc_syscalls_be.py | 1 +
23 tests/37-sim-ipc_syscalls_be.tests | 26 +-
24 tests/38-basic-pfc_coverage.c | 27 ++
25 tests/38-basic-pfc_coverage.pfc | 534 ++++++++++++++++++++++++++
26 tests/52-basic-load.c | 23 ++
27 15 files changed, 804 insertions(+), 64 deletions(-)
28
29 diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
30 --- a/tests/11-basic-basic_errors.c
31 +++ b/tests/11-basic-basic_errors.c
32 @@ -29,8 +29,6 @@ int main(int argc, char *argv[])
33 int rc;
34 scmp_filter_ctx ctx;
35 uint32_t attr;
36 - struct seccomp_notif *req = NULL;
37 - struct seccomp_notif_resp *resp = NULL;
38
39 /* seccomp_init errors */
40 ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
41 @@ -125,9 +123,6 @@ int main(int argc, char *argv[])
42 return -1;
43 rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1,
44 SCMP_A0(SCMP_CMP_EQ, 2));
45 - if (rc != -EINVAL)
46 - return -1;
47 - rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0);
48 if (rc != -EINVAL)
49 return -1;
50 seccomp_release(ctx);
51 @@ -185,53 +180,6 @@ int main(int argc, char *argv[])
52 rc = seccomp_attr_set(ctx, 1000, 1);
53 if (rc != -EINVAL)
54 return -1;
55 - seccomp_release(ctx);
56 - ctx = NULL;
57 -
58 - /* seccomp_merge() errors */
59 - ctx = seccomp_init(SCMP_ACT_ALLOW);
60 - if (ctx == NULL)
61 - return -1;
62 - rc = seccomp_merge(ctx, NULL);
63 - if (rc == 0)
64 - return -1;
65 - seccomp_release(ctx);
66 - ctx = NULL;
67 -
68 - /* seccomp notify errors */
69 - ctx = seccomp_init(SCMP_ACT_ALLOW);
70 - if (ctx == NULL)
71 - return -1;
72 - rc = seccomp_notify_alloc(NULL, NULL);
73 - if (rc != 0)
74 - return -1;
75 - rc = seccomp_notify_alloc(&req, NULL);
76 - if (rc != 0)
77 - return -1;
78 - rc = seccomp_notify_alloc(NULL, &resp);
79 - if (rc != 0)
80 - return -1;
81 - seccomp_notify_free(NULL, NULL);
82 - seccomp_notify_free(req, resp);
83 - req = NULL;
84 - resp = NULL;
85 - rc = seccomp_notify_receive(-1, NULL);
86 - if (rc == 0)
87 - return -1;
88 - rc = seccomp_notify_respond(-1, NULL);
89 - if (rc == 0)
90 - return -1;
91 - rc = seccomp_notify_id_valid(-1, 0);
92 - if (rc == 0)
93 - return -1;
94 - rc = seccomp_notify_fd(NULL);
95 - if (rc == 0)
96 - return -1;
97 - rc = seccomp_notify_fd(ctx);
98 - if (rc == 0)
99 - return -1;
100 - seccomp_release(ctx);
101 - ctx = NULL;
102
103 return 0;
104 }
105 diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
106 --- a/tests/15-basic-resolver.c
107 +++ b/tests/15-basic-resolver.c
108 @@ -68,7 +68,6 @@ int main(int argc, char *argv[])
109 goto fail;
110
111 while ((arch = arch_list[iter++]) != -1) {
112 - int sys;
113 int nr_open;
114 int nr_read;
115 int nr_socket;
116 @@ -120,45 +119,6 @@ int main(int argc, char *argv[])
117 goto fail;
118 free(name);
119 name = NULL;
120 -
121 - /* socket pseudo-syscalls */
122 - if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) {
123 - for (sys = -101; sys >= -120; sys--) {
124 - name = seccomp_syscall_resolve_num_arch(arch,
125 - sys);
126 - if (name == NULL)
127 - goto fail;
128 - free(name);
129 - name = NULL;
130 - }
131 - }
132 - /* ipc pseudo-syscalls */
133 - if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) {
134 - for (sys = -201; sys >= -204; sys--) {
135 - name = seccomp_syscall_resolve_num_arch(arch,
136 - sys);
137 - if (name == NULL)
138 - goto fail;
139 - free(name);
140 - name = NULL;
141 - }
142 - for (sys = -211; sys >= -214; sys--) {
143 - name = seccomp_syscall_resolve_num_arch(arch,
144 - sys);
145 - if (name == NULL)
146 - goto fail;
147 - free(name);
148 - name = NULL;
149 - }
150 - for (sys = -221; sys >= -224; sys--) {
151 - name = seccomp_syscall_resolve_num_arch(arch,
152 - sys);
153 - if (name == NULL)
154 - goto fail;
155 - free(name);
156 - name = NULL;
157 - }
158 - }
159 }
160
161 return 0;
162 diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c
163 --- a/tests/30-sim-socket_syscalls.c
164 +++ b/tests/30-sim-socket_syscalls.c
165 @@ -61,79 +61,19 @@ int main(int argc, char *argv[])
166 if (rc != 0)
167 goto out;
168
169 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0);
170 - if (rc != 0)
171 - goto out;
172 -
173 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
174 if (rc != 0)
175 goto out;
176
177 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0);
178 - if (rc != 0)
179 - goto out;
180 -
181 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
182 if (rc != 0)
183 goto out;
184
185 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
186 - if (rc != 0)
187 - goto out;
188 -
189 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
190 - if (rc != 0)
191 - goto out;
192 -
193 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
194 - if (rc != 0)
195 - goto out;
196 -
197 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0);
198 - if (rc != 0)
199 - goto out;
200 -
201 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0);
202 - if (rc != 0)
203 - goto out;
204 -
205 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0);
206 - if (rc != 0)
207 - goto out;
208 -
209 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
210 - if (rc != 0)
211 - goto out;
212 -
213 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
214 - if (rc != 0)
215 - goto out;
216 -
217 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
218 - if (rc != 0)
219 - goto out;
220 -
221 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
222 - if (rc != 0)
223 - goto out;
224 -
225 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
226 - if (rc != 0)
227 - goto out;
228 -
229 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0);
230 - if (rc != 0)
231 - goto out;
232 -
233 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
234 if (rc != 0)
235 goto out;
236
237 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0);
238 - if (rc != 0)
239 - goto out;
240 -
241 - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0);
242 + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
243 if (rc != 0)
244 goto out;
245
246 diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c
247 --- a/tests/33-sim-socket_syscalls_be.c
248 +++ b/tests/33-sim-socket_syscalls_be.c
249 @@ -48,9 +48,6 @@ int main(int argc, char *argv[])
250 if (rc != 0)
251 goto out;
252 rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
253 - if (rc != 0)
254 - goto out;
255 - rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
256 if (rc != 0)
257 goto out;
258
259 diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py
260 --- a/tests/33-sim-socket_syscalls_be.py
261 +++ b/tests/33-sim-socket_syscalls_be.py
262 @@ -33,7 +33,6 @@ def test(args):
263 f.remove_arch(Arch())
264 f.add_arch(Arch("s390"))
265 f.add_arch(Arch("s390x"))
266 - f.add_arch(Arch("ppc"))
267 f.add_rule(ALLOW, "socket")
268 f.add_rule(ALLOW, "connect")
269 f.add_rule(ALLOW, "accept")
270 diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
271 --- a/tests/33-sim-socket_syscalls_be.tests
272 +++ b/tests/33-sim-socket_syscalls_be.tests
273 @@ -7,23 +7,31 @@
274
275 test type: bpf-sim
276
277 -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
278 -33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW
279 -33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW
280 -33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW
281 -33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW
282 -33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW
283 -33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW
284 -33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW
285 -33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW
286 -33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW
287 -33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW
288 -33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW
289 -33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW
290 -33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW
291 -33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL
292 -33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW
293 -33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL
294 +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
295 +33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW
296 +33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW
297 +33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW
298 +33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW
299 +33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW
300 +33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW
301 +33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW
302 +33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW
303 +33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW
304 +33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL
305 +33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW
306 +33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL
307 +33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW
308 +33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW
309 +33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW
310 +33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW
311 +33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW
312 +33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW
313 +33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW
314 +33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW
315 +33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW
316 +33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL
317 +33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW
318 +33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL
319
320 test type: bpf-valgrind
321
322 diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c
323 --- a/tests/36-sim-ipc_syscalls.c
324 +++ b/tests/36-sim-ipc_syscalls.c
325 @@ -54,9 +54,6 @@ int main(int argc, char *argv[])
326 if (rc != 0)
327 goto out;
328 rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
329 - if (rc != 0)
330 - goto out;
331 - rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
332 if (rc != 0)
333 goto out;
334
335 diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py
336 --- a/tests/36-sim-ipc_syscalls.py
337 +++ b/tests/36-sim-ipc_syscalls.py
338 @@ -35,7 +35,6 @@ def test(args):
339 f.add_arch(Arch("x86_64"))
340 f.add_arch(Arch("x32"))
341 f.add_arch(Arch("ppc64le"))
342 - f.add_arch(Arch("mipsel"))
343 f.add_rule(ALLOW, "semop")
344 f.add_rule(ALLOW, "semtimedop")
345 f.add_rule(ALLOW, "semget")
346 diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests
347 --- a/tests/36-sim-ipc_syscalls.tests
348 +++ b/tests/36-sim-ipc_syscalls.tests
349 @@ -7,31 +7,31 @@
350
351 test type: bpf-sim
352
353 -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
354 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW
355 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW
356 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW
357 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW
358 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW
359 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW
360 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW
361 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW
362 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW
363 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW
364 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW
365 -36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW
366 -36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW
367 -36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW
368 -36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW
369 -36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW
370 -36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW
371 -36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW
372 -36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW
373 -36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW
374 -36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW
375 -36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW
376 -36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW
377 -36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW
378 +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
379 +36-sim-ipc_syscalls +x86,+ppc64le ipc 1 N N N N N ALLOW
380 +36-sim-ipc_syscalls +x86,+ppc64le ipc 2 N N N N N ALLOW
381 +36-sim-ipc_syscalls +x86,+ppc64le ipc 3 N N N N N ALLOW
382 +36-sim-ipc_syscalls +x86,+ppc64le ipc 4 N N N N N ALLOW
383 +36-sim-ipc_syscalls +x86,+ppc64le ipc 11 N N N N N ALLOW
384 +36-sim-ipc_syscalls +x86,+ppc64le ipc 12 N N N N N ALLOW
385 +36-sim-ipc_syscalls +x86,+ppc64le ipc 13 N N N N N ALLOW
386 +36-sim-ipc_syscalls +x86,+ppc64le ipc 14 N N N N N ALLOW
387 +36-sim-ipc_syscalls +x86,+ppc64le ipc 21 N N N N N ALLOW
388 +36-sim-ipc_syscalls +x86,+ppc64le ipc 22 N N N N N ALLOW
389 +36-sim-ipc_syscalls +x86,+ppc64le ipc 23 N N N N N ALLOW
390 +36-sim-ipc_syscalls +x86,+ppc64le ipc 24 N N N N N ALLOW
391 +36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW
392 +36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW
393 +36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW
394 +36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW
395 +36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW
396 +36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW
397 +36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW
398 +36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW
399 +36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW
400 +36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW
401 +36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW
402 +36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW
403
404 test type: bpf-valgrind
405
406 diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c
407 --- a/tests/37-sim-ipc_syscalls_be.c
408 +++ b/tests/37-sim-ipc_syscalls_be.c
409 @@ -48,9 +48,6 @@ int main(int argc, char *argv[])
410 if (rc != 0)
411 goto out;
412 rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
413 - if (rc != 0)
414 - goto out;
415 - rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
416 if (rc != 0)
417 goto out;
418
419 diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py
420 --- a/tests/37-sim-ipc_syscalls_be.py
421 +++ b/tests/37-sim-ipc_syscalls_be.py
422 @@ -33,7 +33,6 @@ def test(args):
423 f.remove_arch(Arch())
424 f.add_arch(Arch("s390"))
425 f.add_arch(Arch("s390x"))
426 - f.add_arch(Arch("ppc"))
427 f.add_rule(ALLOW, "semop")
428 f.add_rule(ALLOW, "semtimedop")
429 f.add_rule(ALLOW, "semget")
430 diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests
431 --- a/tests/37-sim-ipc_syscalls_be.tests
432 +++ b/tests/37-sim-ipc_syscalls_be.tests
433 @@ -7,19 +7,19 @@
434
435 test type: bpf-sim
436
437 -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
438 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW
439 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW
440 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW
441 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW
442 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW
443 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW
444 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW
445 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW
446 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW
447 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW
448 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW
449 -37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW
450 +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
451 +37-sim-ipc_syscalls_be +s390,+s390x ipc 1 N N N N N ALLOW
452 +37-sim-ipc_syscalls_be +s390,+s390x ipc 2 N N N N N ALLOW
453 +37-sim-ipc_syscalls_be +s390,+s390x ipc 3 N N N N N ALLOW
454 +37-sim-ipc_syscalls_be +s390,+s390x ipc 4 N N N N N ALLOW
455 +37-sim-ipc_syscalls_be +s390,+s390x ipc 11 N N N N N ALLOW
456 +37-sim-ipc_syscalls_be +s390,+s390x ipc 12 N N N N N ALLOW
457 +37-sim-ipc_syscalls_be +s390,+s390x ipc 13 N N N N N ALLOW
458 +37-sim-ipc_syscalls_be +s390,+s390x ipc 14 N N N N N ALLOW
459 +37-sim-ipc_syscalls_be +s390,+s390x ipc 21 N N N N N ALLOW
460 +37-sim-ipc_syscalls_be +s390,+s390x ipc 22 N N N N N ALLOW
461 +37-sim-ipc_syscalls_be +s390,+s390x ipc 23 N N N N N ALLOW
462 +37-sim-ipc_syscalls_be +s390,+s390x ipc 24 N N N N N ALLOW
463
464 test type: bpf-valgrind
465
466 diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
467 --- a/tests/38-basic-pfc_coverage.c
468 +++ b/tests/38-basic-pfc_coverage.c
469 @@ -55,30 +55,6 @@ int main(int argc, char *argv[])
470 if (rc < 0)
471 goto out;
472 rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
473 - if (rc < 0)
474 - goto out;
475 - rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
476 - if (rc < 0)
477 - goto out;
478 - rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
479 - if (rc < 0)
480 - goto out;
481 - rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
482 - if (rc < 0)
483 - goto out;
484 - rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
485 - if (rc < 0)
486 - goto out;
487 - rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
488 - if (rc < 0)
489 - goto out;
490 - rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
491 - if (rc < 0)
492 - goto out;
493 - rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
494 - if (rc < 0)
495 - goto out;
496 - rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
497 if (rc < 0)
498 goto out;
499
500 @@ -109,9 +85,6 @@ int main(int argc, char *argv[])
501 if (rc < 0)
502 goto out;
503 rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
504 - if (rc < 0)
505 - goto out;
506 - rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
507 if (rc < 0)
508 goto out;
509
510 diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
511 --- a/tests/38-basic-pfc_coverage.pfc
512 +++ b/tests/38-basic-pfc_coverage.pfc
513 @@ -3,9 +3,6 @@
514 #
515 # filter for arch x86_64 (3221225534)
516 if ($arch == 3221225534)
517 - # filter for syscall "exit_group" (231) [priority: 65535]
518 - if ($syscall == 231)
519 - action LOG;
520 # filter for syscall "exit" (60) [priority: 65535]
521 if ($syscall == 60)
522 action TRACE(1);
523 @@ -100,9 +97,6 @@ if ($arch == 3221225534)
524 action ALLOW;
525 # filter for arch x86 (1073741827)
526 if ($arch == 1073741827)
527 - # filter for syscall "exit_group" (252) [priority: 65535]
528 - if ($syscall == 252)
529 - action LOG;
530 # filter for syscall "fstat" (108) [priority: 65535]
531 if ($syscall == 108)
532 action KILL_PROCESS;
533 @@ -133,534 +127,6 @@ if ($arch == 1073741827)
534 action KILL;
535 # default action
536 action ALLOW;
537 -# filter for arch x32 (3221225534)
538 -if ($arch == 3221225534)
539 - # filter for syscall "exit_group" (1073742055) [priority: 65535]
540 - if ($syscall == 1073742055)
541 - action LOG;
542 - # filter for syscall "exit" (1073741884) [priority: 65535]
543 - if ($syscall == 1073741884)
544 - action TRACE(1);
545 - # filter for syscall "fstat" (1073741829) [priority: 65535]
546 - if ($syscall == 1073741829)
547 - action KILL_PROCESS;
548 - # filter for syscall "close" (1073741827) [priority: 65535]
549 - if ($syscall == 1073741827)
550 - action ERRNO(1);
551 - # filter for syscall "open" (1073741826) [priority: 65535]
552 - if ($syscall == 1073741826)
553 - action KILL;
554 - # filter for syscall "write" (1073741825) [priority: 65532]
555 - if ($syscall == 1073741825)
556 - if ($a0 == 0)
557 - else
558 - if ($a1 > 1)
559 - else
560 - if ($a2 >= 2)
561 - else
562 - action TRAP;
563 - # filter for syscall "read" (1073741824) [priority: 65531]
564 - if ($syscall == 1073741824)
565 - if ($a0 == 0)
566 - if ($a1 >= 1)
567 - if ($a2 > 2)
568 - if ($a3 & 0x0000000f == 3)
569 - action KILL;
570 - # default action
571 - action ALLOW;
572 -# filter for arch arm (1073741864)
573 -if ($arch == 1073741864)
574 - # filter for syscall "exit_group" (248) [priority: 65535]
575 - if ($syscall == 248)
576 - action LOG;
577 - # filter for syscall "fstat" (108) [priority: 65535]
578 - if ($syscall == 108)
579 - action KILL_PROCESS;
580 - # filter for syscall "close" (6) [priority: 65535]
581 - if ($syscall == 6)
582 - action ERRNO(1);
583 - # filter for syscall "open" (5) [priority: 65535]
584 - if ($syscall == 5)
585 - action KILL;
586 - # filter for syscall "exit" (1) [priority: 65535]
587 - if ($syscall == 1)
588 - action TRACE(1);
589 - # filter for syscall "write" (4) [priority: 65532]
590 - if ($syscall == 4)
591 - if ($a0 == 0)
592 - else
593 - if ($a1 > 1)
594 - else
595 - if ($a2 >= 2)
596 - else
597 - action TRAP;
598 - # filter for syscall "read" (3) [priority: 65531]
599 - if ($syscall == 3)
600 - if ($a0 == 0)
601 - if ($a1 >= 1)
602 - if ($a2 > 2)
603 - if ($a3 & 0x0000000f == 3)
604 - action KILL;
605 - # default action
606 - action ALLOW;
607 -# filter for arch aarch64 (3221225655)
608 -if ($arch == 3221225655)
609 - # filter for syscall "open" (4294957130) [priority: 65535]
610 - if ($syscall == 4294957130)
611 - action KILL;
612 - # filter for syscall "exit_group" (94) [priority: 65535]
613 - if ($syscall == 94)
614 - action LOG;
615 - # filter for syscall "exit" (93) [priority: 65535]
616 - if ($syscall == 93)
617 - action TRACE(1);
618 - # filter for syscall "fstat" (80) [priority: 65535]
619 - if ($syscall == 80)
620 - action KILL_PROCESS;
621 - # filter for syscall "close" (57) [priority: 65535]
622 - if ($syscall == 57)
623 - action ERRNO(1);
624 - # filter for syscall "write" (64) [priority: 65527]
625 - if ($syscall == 64)
626 - if ($a0.hi32 == 0)
627 - if ($a0.lo32 == 0)
628 - else
629 - if ($a1.hi32 > 0)
630 - else
631 - if ($a1.hi32 == 0)
632 - if ($a1.lo32 > 1)
633 - else
634 - if ($a2.hi32 > 0)
635 - else
636 - if ($a2.hi32 == 0)
637 - if ($a2.lo32 >= 2)
638 - else
639 - action TRAP;
640 - else
641 - action TRAP;
642 - else
643 - if ($a2.hi32 > 0)
644 - else
645 - if ($a2.hi32 == 0)
646 - if ($a2.lo32 >= 2)
647 - else
648 - action TRAP;
649 - else
650 - action TRAP;
651 - else
652 - if ($a1.hi32 > 0)
653 - else
654 - if ($a1.hi32 == 0)
655 - if ($a1.lo32 > 1)
656 - else
657 - if ($a2.hi32 > 0)
658 - else
659 - if ($a2.hi32 == 0)
660 - if ($a2.lo32 >= 2)
661 - else
662 - action TRAP;
663 - else
664 - action TRAP;
665 - else
666 - if ($a2.hi32 > 0)
667 - else
668 - if ($a2.hi32 == 0)
669 - if ($a2.lo32 >= 2)
670 - else
671 - action TRAP;
672 - else
673 - action TRAP;
674 - # filter for syscall "read" (63) [priority: 65525]
675 - if ($syscall == 63)
676 - if ($a0.hi32 == 0)
677 - if ($a0.lo32 == 0)
678 - if ($a1.hi32 > 0)
679 - if ($a2.hi32 > 0)
680 - if ($a3.hi32 & 0x00000000 == 0)
681 - if ($a3.lo32 & 0x0000000f == 3)
682 - action KILL;
683 - else
684 - if ($a2.hi32 == 0)
685 - if ($a2.lo32 > 2)
686 - if ($a3.hi32 & 0x00000000 == 0)
687 - if ($a3.lo32 & 0x0000000f == 3)
688 - action KILL;
689 - else
690 - if ($a1.hi32 == 0)
691 - if ($a1.lo32 >= 1)
692 - if ($a2.hi32 > 0)
693 - if ($a3.hi32 & 0x00000000 == 0)
694 - if ($a3.lo32 & 0x0000000f == 3)
695 - action KILL;
696 - else
697 - if ($a2.hi32 == 0)
698 - if ($a2.lo32 > 2)
699 - if ($a3.hi32 & 0x00000000 == 0)
700 - if ($a3.lo32 & 0x0000000f == 3)
701 - action KILL;
702 - # default action
703 - action ALLOW;
704 -# filter for arch mipsel (1073741832)
705 -if ($arch == 1073741832)
706 - # filter for syscall "exit_group" (246) [priority: 65535]
707 - if ($syscall == 246)
708 - action LOG;
709 - # filter for syscall "fstat" (108) [priority: 65535]
710 - if ($syscall == 108)
711 - action KILL_PROCESS;
712 - # filter for syscall "close" (6) [priority: 65535]
713 - if ($syscall == 6)
714 - action ERRNO(1);
715 - # filter for syscall "open" (5) [priority: 65535]
716 - if ($syscall == 5)
717 - action KILL;
718 - # filter for syscall "exit" (1) [priority: 65535]
719 - if ($syscall == 1)
720 - action TRACE(1);
721 - # filter for syscall "write" (4) [priority: 65532]
722 - if ($syscall == 4)
723 - if ($a0 == 0)
724 - else
725 - if ($a1 > 1)
726 - else
727 - if ($a2 >= 2)
728 - else
729 - action TRAP;
730 - # filter for syscall "read" (3) [priority: 65531]
731 - if ($syscall == 3)
732 - if ($a0 == 0)
733 - if ($a1 >= 1)
734 - if ($a2 > 2)
735 - if ($a3 & 0x0000000f == 3)
736 - action KILL;
737 - # default action
738 - action ALLOW;
739 -# filter for arch mipsel64 (3221225480)
740 -if ($arch == 3221225480)
741 - # filter for syscall "exit_group" (5205) [priority: 65535]
742 - if ($syscall == 5205)
743 - action LOG;
744 - # filter for syscall "exit" (5058) [priority: 65535]
745 - if ($syscall == 5058)
746 - action TRACE(1);
747 - # filter for syscall "fstat" (5005) [priority: 65535]
748 - if ($syscall == 5005)
749 - action KILL_PROCESS;
750 - # filter for syscall "close" (5003) [priority: 65535]
751 - if ($syscall == 5003)
752 - action ERRNO(1);
753 - # filter for syscall "open" (5002) [priority: 65535]
754 - if ($syscall == 5002)
755 - action KILL;
756 - # filter for syscall "write" (5001) [priority: 65527]
757 - if ($syscall == 5001)
758 - if ($a0.hi32 == 0)
759 - if ($a0.lo32 == 0)
760 - else
761 - if ($a1.hi32 > 0)
762 - else
763 - if ($a1.hi32 == 0)
764 - if ($a1.lo32 > 1)
765 - else
766 - if ($a2.hi32 > 0)
767 - else
768 - if ($a2.hi32 == 0)
769 - if ($a2.lo32 >= 2)
770 - else
771 - action TRAP;
772 - else
773 - action TRAP;
774 - else
775 - if ($a2.hi32 > 0)
776 - else
777 - if ($a2.hi32 == 0)
778 - if ($a2.lo32 >= 2)
779 - else
780 - action TRAP;
781 - else
782 - action TRAP;
783 - else
784 - if ($a1.hi32 > 0)
785 - else
786 - if ($a1.hi32 == 0)
787 - if ($a1.lo32 > 1)
788 - else
789 - if ($a2.hi32 > 0)
790 - else
791 - if ($a2.hi32 == 0)
792 - if ($a2.lo32 >= 2)
793 - else
794 - action TRAP;
795 - else
796 - action TRAP;
797 - else
798 - if ($a2.hi32 > 0)
799 - else
800 - if ($a2.hi32 == 0)
801 - if ($a2.lo32 >= 2)
802 - else
803 - action TRAP;
804 - else
805 - action TRAP;
806 - # filter for syscall "read" (5000) [priority: 65525]
807 - if ($syscall == 5000)
808 - if ($a0.hi32 == 0)
809 - if ($a0.lo32 == 0)
810 - if ($a1.hi32 > 0)
811 - if ($a2.hi32 > 0)
812 - if ($a3.hi32 & 0x00000000 == 0)
813 - if ($a3.lo32 & 0x0000000f == 3)
814 - action KILL;
815 - else
816 - if ($a2.hi32 == 0)
817 - if ($a2.lo32 > 2)
818 - if ($a3.hi32 & 0x00000000 == 0)
819 - if ($a3.lo32 & 0x0000000f == 3)
820 - action KILL;
821 - else
822 - if ($a1.hi32 == 0)
823 - if ($a1.lo32 >= 1)
824 - if ($a2.hi32 > 0)
825 - if ($a3.hi32 & 0x00000000 == 0)
826 - if ($a3.lo32 & 0x0000000f == 3)
827 - action KILL;
828 - else
829 - if ($a2.hi32 == 0)
830 - if ($a2.lo32 > 2)
831 - if ($a3.hi32 & 0x00000000 == 0)
832 - if ($a3.lo32 & 0x0000000f == 3)
833 - action KILL;
834 - # default action
835 - action ALLOW;
836 -# filter for arch mipsel64n32 (3758096392)
837 -if ($arch == 3758096392)
838 - # filter for syscall "exit_group" (6205) [priority: 65535]
839 - if ($syscall == 6205)
840 - action LOG;
841 - # filter for syscall "exit" (6058) [priority: 65535]
842 - if ($syscall == 6058)
843 - action TRACE(1);
844 - # filter for syscall "fstat" (6005) [priority: 65535]
845 - if ($syscall == 6005)
846 - action KILL_PROCESS;
847 - # filter for syscall "close" (6003) [priority: 65535]
848 - if ($syscall == 6003)
849 - action ERRNO(1);
850 - # filter for syscall "open" (6002) [priority: 65535]
851 - if ($syscall == 6002)
852 - action KILL;
853 - # filter for syscall "write" (6001) [priority: 65532]
854 - if ($syscall == 6001)
855 - if ($a0 == 0)
856 - else
857 - if ($a1 > 1)
858 - else
859 - if ($a2 >= 2)
860 - else
861 - action TRAP;
862 - # filter for syscall "read" (6000) [priority: 65531]
863 - if ($syscall == 6000)
864 - if ($a0 == 0)
865 - if ($a1 >= 1)
866 - if ($a2 > 2)
867 - if ($a3 & 0x0000000f == 3)
868 - action KILL;
869 - # default action
870 - action ALLOW;
871 -# filter for arch ppc64le (3221225493)
872 -if ($arch == 3221225493)
873 - # filter for syscall "exit_group" (234) [priority: 65535]
874 - if ($syscall == 234)
875 - action LOG;
876 - # filter for syscall "fstat" (108) [priority: 65535]
877 - if ($syscall == 108)
878 - action KILL_PROCESS;
879 - # filter for syscall "close" (6) [priority: 65535]
880 - if ($syscall == 6)
881 - action ERRNO(1);
882 - # filter for syscall "open" (5) [priority: 65535]
883 - if ($syscall == 5)
884 - action KILL;
885 - # filter for syscall "exit" (1) [priority: 65535]
886 - if ($syscall == 1)
887 - action TRACE(1);
888 - # filter for syscall "write" (4) [priority: 65527]
889 - if ($syscall == 4)
890 - if ($a0.hi32 == 0)
891 - if ($a0.lo32 == 0)
892 - else
893 - if ($a1.hi32 > 0)
894 - else
895 - if ($a1.hi32 == 0)
896 - if ($a1.lo32 > 1)
897 - else
898 - if ($a2.hi32 > 0)
899 - else
900 - if ($a2.hi32 == 0)
901 - if ($a2.lo32 >= 2)
902 - else
903 - action TRAP;
904 - else
905 - action TRAP;
906 - else
907 - if ($a2.hi32 > 0)
908 - else
909 - if ($a2.hi32 == 0)
910 - if ($a2.lo32 >= 2)
911 - else
912 - action TRAP;
913 - else
914 - action TRAP;
915 - else
916 - if ($a1.hi32 > 0)
917 - else
918 - if ($a1.hi32 == 0)
919 - if ($a1.lo32 > 1)
920 - else
921 - if ($a2.hi32 > 0)
922 - else
923 - if ($a2.hi32 == 0)
924 - if ($a2.lo32 >= 2)
925 - else
926 - action TRAP;
927 - else
928 - action TRAP;
929 - else
930 - if ($a2.hi32 > 0)
931 - else
932 - if ($a2.hi32 == 0)
933 - if ($a2.lo32 >= 2)
934 - else
935 - action TRAP;
936 - else
937 - action TRAP;
938 - # filter for syscall "read" (3) [priority: 65525]
939 - if ($syscall == 3)
940 - if ($a0.hi32 == 0)
941 - if ($a0.lo32 == 0)
942 - if ($a1.hi32 > 0)
943 - if ($a2.hi32 > 0)
944 - if ($a3.hi32 & 0x00000000 == 0)
945 - if ($a3.lo32 & 0x0000000f == 3)
946 - action KILL;
947 - else
948 - if ($a2.hi32 == 0)
949 - if ($a2.lo32 > 2)
950 - if ($a3.hi32 & 0x00000000 == 0)
951 - if ($a3.lo32 & 0x0000000f == 3)
952 - action KILL;
953 - else
954 - if ($a1.hi32 == 0)
955 - if ($a1.lo32 >= 1)
956 - if ($a2.hi32 > 0)
957 - if ($a3.hi32 & 0x00000000 == 0)
958 - if ($a3.lo32 & 0x0000000f == 3)
959 - action KILL;
960 - else
961 - if ($a2.hi32 == 0)
962 - if ($a2.lo32 > 2)
963 - if ($a3.hi32 & 0x00000000 == 0)
964 - if ($a3.lo32 & 0x0000000f == 3)
965 - action KILL;
966 - # default action
967 - action ALLOW;
968 -# filter for arch riscv64 (3221225715)
969 -if ($arch == 3221225715)
970 - # filter for syscall "open" (4294957130) [priority: 65535]
971 - if ($syscall == 4294957130)
972 - action KILL;
973 - # filter for syscall "exit_group" (94) [priority: 65535]
974 - if ($syscall == 94)
975 - action LOG;
976 - # filter for syscall "exit" (93) [priority: 65535]
977 - if ($syscall == 93)
978 - action TRACE(1);
979 - # filter for syscall "fstat" (80) [priority: 65535]
980 - if ($syscall == 80)
981 - action KILL_PROCESS;
982 - # filter for syscall "close" (57) [priority: 65535]
983 - if ($syscall == 57)
984 - action ERRNO(1);
985 - # filter for syscall "write" (64) [priority: 65527]
986 - if ($syscall == 64)
987 - if ($a0.hi32 == 0)
988 - if ($a0.lo32 == 0)
989 - else
990 - if ($a1.hi32 > 0)
991 - else
992 - if ($a1.hi32 == 0)
993 - if ($a1.lo32 > 1)
994 - else
995 - if ($a2.hi32 > 0)
996 - else
997 - if ($a2.hi32 == 0)
998 - if ($a2.lo32 >= 2)
999 - else
1000 - action TRAP;
1001 - else
1002 - action TRAP;
1003 - else
1004 - if ($a2.hi32 > 0)
1005 - else
1006 - if ($a2.hi32 == 0)
1007 - if ($a2.lo32 >= 2)
1008 - else
1009 - action TRAP;
1010 - else
1011 - action TRAP;
1012 - else
1013 - if ($a1.hi32 > 0)
1014 - else
1015 - if ($a1.hi32 == 0)
1016 - if ($a1.lo32 > 1)
1017 - else
1018 - if ($a2.hi32 > 0)
1019 - else
1020 - if ($a2.hi32 == 0)
1021 - if ($a2.lo32 >= 2)
1022 - else
1023 - action TRAP;
1024 - else
1025 - action TRAP;
1026 - else
1027 - if ($a2.hi32 > 0)
1028 - else
1029 - if ($a2.hi32 == 0)
1030 - if ($a2.lo32 >= 2)
1031 - else
1032 - action TRAP;
1033 - else
1034 - action TRAP;
1035 - # filter for syscall "read" (63) [priority: 65525]
1036 - if ($syscall == 63)
1037 - if ($a0.hi32 == 0)
1038 - if ($a0.lo32 == 0)
1039 - if ($a1.hi32 > 0)
1040 - if ($a2.hi32 > 0)
1041 - if ($a3.hi32 & 0x00000000 == 0)
1042 - if ($a3.lo32 & 0x0000000f == 3)
1043 - action KILL;
1044 - else
1045 - if ($a2.hi32 == 0)
1046 - if ($a2.lo32 > 2)
1047 - if ($a3.hi32 & 0x00000000 == 0)
1048 - if ($a3.lo32 & 0x0000000f == 3)
1049 - action KILL;
1050 - else
1051 - if ($a1.hi32 == 0)
1052 - if ($a1.lo32 >= 1)
1053 - if ($a2.hi32 > 0)
1054 - if ($a3.hi32 & 0x00000000 == 0)
1055 - if ($a3.lo32 & 0x0000000f == 3)
1056 - action KILL;
1057 - else
1058 - if ($a2.hi32 == 0)
1059 - if ($a2.lo32 > 2)
1060 - if ($a3.hi32 & 0x00000000 == 0)
1061 - if ($a3.lo32 & 0x0000000f == 3)
1062 - action KILL;
1063 - # default action
1064 - action ALLOW;
1065 # invalid architecture action
1066 action KILL;
1067 #
1068 diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c
1069 --- a/tests/52-basic-load.c
1070 +++ b/tests/52-basic-load.c
1071 @@ -31,38 +31,15 @@ int main(int argc, char *argv[])
1072 int rc;
1073 struct util_options opts;
1074 scmp_filter_ctx ctx = NULL;
1075 - unsigned int api;
1076
1077 rc = util_getopt(argc, argv, &opts);
1078 if (rc < 0)
1079 goto out;
1080
1081 - api = seccomp_api_get();
1082 - if (api == 0) {
1083 - rc = -EFAULT;
1084 - goto out;
1085 - }
1086 -
1087 ctx = seccomp_init(SCMP_ACT_ALLOW);
1088 if (ctx == NULL)
1089 return ENOMEM;
1090
1091 - if (api >= 2) {
1092 - rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
1093 - if (rc != 0)
1094 - goto out;
1095 - }
1096 - if (api >= 3) {
1097 - rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
1098 - if (rc != 0)
1099 - goto out;
1100 - }
1101 - if (api >= 4) {
1102 - rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
1103 - if (rc != 0)
1104 - goto out;
1105 - }
1106 -
1107 rc = seccomp_load(ctx);
1108
1109 out:
+4
-0
debian/patches/series less more
0 revert_various_additions_to_improve_code_coverage.patch
1 revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch
2 revert_ppc_add_multiplexed_syscall_support_to_PPC.patch
3 revert_mips_add_multiplexed_syscall_support_to_MIPS.patch