Merge tag 'upstream/2.3.1' into debian/sid
Upstream version 2.3.1
Luca Bruno
7 years ago
1 | 1 | =============================================================================== |
2 | 2 | https://github.com/seccomp/libseccomp |
3 | 3 | |
4 | * Version 2.3.0 - February 29, 2015 | |
4 | * Version 2.3.1 - April 20, 2016 | |
5 | - Fixed a problem with 32-bit x86 socket syscalls on some systems | |
6 | - Fixed problems with ipc syscalls on 32-bit x86 | |
7 | - Fixed problems with socket and ipc syscalls on s390 and s390x | |
8 | ||
9 | * Version 2.3.0 - February 29, 2016 | |
5 | 10 | - Added support for the s390 and s390x architectures |
6 | 11 | - Added support for the ppc, ppc64, and ppc64le architectures |
7 | 12 | - Update the internal syscall tables to match the Linux 4.5-rcX releases |
100 | 100 | $(top_srcdir)/configure $(am__configure_deps) \ |
101 | 101 | $(srcdir)/configure.h.in $(srcdir)/libseccomp.pc.in README \ |
102 | 102 | build-aux/ar-lib build-aux/compile build-aux/config.guess \ |
103 | build-aux/config.sub build-aux/install-sh build-aux/missing \ | |
104 | build-aux/ltmain.sh $(top_srcdir)/build-aux/ar-lib \ | |
105 | $(top_srcdir)/build-aux/compile \ | |
103 | build-aux/config.sub build-aux/depcomp build-aux/install-sh \ | |
104 | build-aux/missing build-aux/ltmain.sh \ | |
105 | $(top_srcdir)/build-aux/ar-lib $(top_srcdir)/build-aux/compile \ | |
106 | 106 | $(top_srcdir)/build-aux/config.guess \ |
107 | 107 | $(top_srcdir)/build-aux/config.sub \ |
108 | 108 | $(top_srcdir)/build-aux/install-sh \ |
0 | 0 | #! /bin/sh |
1 | 1 | # Guess values for system-dependent variables and create Makefiles. |
2 | # Generated by GNU Autoconf 2.69 for libseccomp 2.3.0. | |
2 | # Generated by GNU Autoconf 2.69 for libseccomp 2.3.1. | |
3 | 3 | # |
4 | 4 | # |
5 | 5 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
586 | 586 | # Identity of this package. |
587 | 587 | PACKAGE_NAME='libseccomp' |
588 | 588 | PACKAGE_TARNAME='libseccomp' |
589 | PACKAGE_VERSION='2.3.0' | |
590 | PACKAGE_STRING='libseccomp 2.3.0' | |
589 | PACKAGE_VERSION='2.3.1' | |
590 | PACKAGE_STRING='libseccomp 2.3.1' | |
591 | 591 | PACKAGE_BUGREPORT='' |
592 | 592 | PACKAGE_URL='' |
593 | 593 | |
1322 | 1322 | # Omit some internal or obsolete options to make the list less imposing. |
1323 | 1323 | # This message is too long to be a string in the A/UX 3.1 sh. |
1324 | 1324 | cat <<_ACEOF |
1325 | \`configure' configures libseccomp 2.3.0 to adapt to many kinds of systems. | |
1325 | \`configure' configures libseccomp 2.3.1 to adapt to many kinds of systems. | |
1326 | 1326 | |
1327 | 1327 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1328 | 1328 | |
1392 | 1392 | |
1393 | 1393 | if test -n "$ac_init_help"; then |
1394 | 1394 | case $ac_init_help in |
1395 | short | recursive ) echo "Configuration of libseccomp 2.3.0:";; | |
1395 | short | recursive ) echo "Configuration of libseccomp 2.3.1:";; | |
1396 | 1396 | esac |
1397 | 1397 | cat <<\_ACEOF |
1398 | 1398 | |
1503 | 1503 | test -n "$ac_init_help" && exit $ac_status |
1504 | 1504 | if $ac_init_version; then |
1505 | 1505 | cat <<\_ACEOF |
1506 | libseccomp configure 2.3.0 | |
1506 | libseccomp configure 2.3.1 | |
1507 | 1507 | generated by GNU Autoconf 2.69 |
1508 | 1508 | |
1509 | 1509 | Copyright (C) 2012 Free Software Foundation, Inc. |
1781 | 1781 | This file contains any messages produced by compilers while |
1782 | 1782 | running configure, to aid debugging if configure makes a mistake. |
1783 | 1783 | |
1784 | It was created by libseccomp $as_me 2.3.0, which was | |
1784 | It was created by libseccomp $as_me 2.3.1, which was | |
1785 | 1785 | generated by GNU Autoconf 2.69. Invocation command line was |
1786 | 1786 | |
1787 | 1787 | $ $0 $@ |
2651 | 2651 | |
2652 | 2652 | # Define the identity of the package. |
2653 | 2653 | PACKAGE='libseccomp' |
2654 | VERSION='2.3.0' | |
2654 | VERSION='2.3.1' | |
2655 | 2655 | |
2656 | 2656 | |
2657 | 2657 | cat >>confdefs.h <<_ACEOF |
12868 | 12868 | # report actual input values of CONFIG_FILES etc. instead of their |
12869 | 12869 | # values after options handling. |
12870 | 12870 | ac_log=" |
12871 | This file was extended by libseccomp $as_me 2.3.0, which was | |
12871 | This file was extended by libseccomp $as_me 2.3.1, which was | |
12872 | 12872 | generated by GNU Autoconf 2.69. Invocation command line was |
12873 | 12873 | |
12874 | 12874 | CONFIG_FILES = $CONFIG_FILES |
12934 | 12934 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
12935 | 12935 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
12936 | 12936 | ac_cs_version="\\ |
12937 | libseccomp config.status 2.3.0 | |
12937 | libseccomp config.status 2.3.1 | |
12938 | 12938 | configured by $0, generated by GNU Autoconf 2.69, |
12939 | 12939 | with options \\"\$ac_cs_config\\" |
12940 | 12940 |
18 | 18 | dnl #### |
19 | 19 | dnl libseccomp defines |
20 | 20 | dnl #### |
21 | AC_INIT([libseccomp], [2.3.0]) | |
21 | AC_INIT([libseccomp], [2.3.1]) | |
22 | 22 | |
23 | 23 | dnl #### |
24 | 24 | dnl autoconf configuration |
36 | 36 | |
37 | 37 | #define SCMP_VER_MAJOR 2 |
38 | 38 | #define SCMP_VER_MINOR 3 |
39 | #define SCMP_VER_MICRO 0 | |
39 | #define SCMP_VER_MICRO 1 | |
40 | 40 | |
41 | 41 | struct scmp_version { |
42 | 42 | unsigned int major; |
452 | 452 | const struct arch_syscall_def *table = s390_syscall_table; |
453 | 453 | |
454 | 454 | /* XXX - plenty of room for future improvement here */ |
455 | ||
456 | if (strcmp(name, "accept") == 0) | |
457 | return __PNR_accept; | |
458 | if (strcmp(name, "accept4") == 0) | |
459 | return __PNR_accept4; | |
460 | else if (strcmp(name, "bind") == 0) | |
461 | return __PNR_bind; | |
462 | else if (strcmp(name, "connect") == 0) | |
463 | return __PNR_connect; | |
464 | else if (strcmp(name, "getpeername") == 0) | |
465 | return __PNR_getpeername; | |
466 | else if (strcmp(name, "getsockname") == 0) | |
467 | return __PNR_getsockname; | |
468 | else if (strcmp(name, "getsockopt") == 0) | |
469 | return __PNR_getsockopt; | |
470 | else if (strcmp(name, "listen") == 0) | |
471 | return __PNR_listen; | |
472 | else if (strcmp(name, "recv") == 0) | |
473 | return __PNR_recv; | |
474 | else if (strcmp(name, "recvfrom") == 0) | |
475 | return __PNR_recvfrom; | |
476 | else if (strcmp(name, "recvmsg") == 0) | |
477 | return __PNR_recvmsg; | |
478 | else if (strcmp(name, "recvmmsg") == 0) | |
479 | return __PNR_recvmmsg; | |
480 | else if (strcmp(name, "send") == 0) | |
481 | return __PNR_send; | |
482 | else if (strcmp(name, "sendmsg") == 0) | |
483 | return __PNR_sendmsg; | |
484 | else if (strcmp(name, "sendmmsg") == 0) | |
485 | return __PNR_sendmmsg; | |
486 | else if (strcmp(name, "sendto") == 0) | |
487 | return __PNR_sendto; | |
488 | else if (strcmp(name, "setsockopt") == 0) | |
489 | return __PNR_setsockopt; | |
490 | else if (strcmp(name, "shutdown") == 0) | |
491 | return __PNR_shutdown; | |
492 | else if (strcmp(name, "socket") == 0) | |
493 | return __PNR_socket; | |
494 | else if (strcmp(name, "socketpair") == 0) | |
495 | return __PNR_socketpair; | |
496 | ||
455 | 497 | for (iter = 0; table[iter].name != NULL; iter++) { |
456 | 498 | if (strcmp(name, table[iter].name) == 0) |
457 | 499 | return table[iter].num; |
475 | 517 | const struct arch_syscall_def *table = s390_syscall_table; |
476 | 518 | |
477 | 519 | /* XXX - plenty of room for future improvement here */ |
520 | ||
521 | if (num == __PNR_accept) | |
522 | return "accept"; | |
523 | else if (num == __PNR_accept4) | |
524 | return "accept4"; | |
525 | else if (num == __PNR_bind) | |
526 | return "bind"; | |
527 | else if (num == __PNR_connect) | |
528 | return "connect"; | |
529 | else if (num == __PNR_getpeername) | |
530 | return "getpeername"; | |
531 | else if (num == __PNR_getsockname) | |
532 | return "getsockname"; | |
533 | else if (num == __PNR_getsockopt) | |
534 | return "getsockopt"; | |
535 | else if (num == __PNR_listen) | |
536 | return "listen"; | |
537 | else if (num == __PNR_recv) | |
538 | return "recv"; | |
539 | else if (num == __PNR_recvfrom) | |
540 | return "recvfrom"; | |
541 | else if (num == __PNR_recvmsg) | |
542 | return "recvmsg"; | |
543 | else if (num == __PNR_recvmmsg) | |
544 | return "recvmmsg"; | |
545 | else if (num == __PNR_send) | |
546 | return "send"; | |
547 | else if (num == __PNR_sendmsg) | |
548 | return "sendmsg"; | |
549 | else if (num == __PNR_sendmmsg) | |
550 | return "sendmmsg"; | |
551 | else if (num == __PNR_sendto) | |
552 | return "sendto"; | |
553 | else if (num == __PNR_setsockopt) | |
554 | return "setsockopt"; | |
555 | else if (num == __PNR_shutdown) | |
556 | return "shutdown"; | |
557 | else if (num == __PNR_socket) | |
558 | return "socket"; | |
559 | else if (num == __PNR_socketpair) | |
560 | return "socketpair"; | |
561 | ||
478 | 562 | for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { |
479 | 563 | if (num == table[iter].num) |
480 | 564 | return table[iter].name; |
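Review bot: The second entry of the new name chain, `if (strcmp(name, "accept4") == 0)`, is a bare `if` while every following test is `else if`; it is harmless only because the preceding branch returns, but it reads as a dropped `else` and should be `else if (strcmp(name, "accept4") == 0)` to match the rest of the chain. More importantly, these comparisons run before the table scan, so for the listed socket names the resolver now returns the negative `__PNR_*` pseudo-number even if `s390_syscall_table` carries a direct kernel number for the same name; that looks intentional so that rule_add can emit both the socketcall() and direct-syscall rules, but it deserves a comment above the chain such as `/* socket names resolve to the __PNR_ pseudo numbers so rule_add can cover both socketcall() and the Linux 4.3+ direct syscalls */`. Both resolver functions start and end outside the hunks shown.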
4 | 4 | |
5 | 5 | #include <stdlib.h> |
6 | 6 | #include <errno.h> |
7 | #include <string.h> | |
7 | 8 | #include <linux/audit.h> |
8 | 9 | |
9 | 10 | #include "arch.h" |
10 | 11 | #include "arch-s390.h" |
12 | ||
13 | /* s390 syscall numbers */ | |
14 | #define __s390_NR_socketcall 102 | |
15 | #define __s390_NR_ipc 117 | |
11 | 16 | |
12 | 17 | const struct arch_def arch_def_s390 = { |
13 | 18 | .token = SCMP_ARCH_S390, |
16 | 21 | .endian = ARCH_ENDIAN_BIG, |
17 | 22 | .syscall_resolve_name = s390_syscall_resolve_name, |
18 | 23 | .syscall_resolve_num = s390_syscall_resolve_num, |
19 | .syscall_rewrite = NULL, | |
20 | .rule_add = NULL, | |
24 | .syscall_rewrite = s390_syscall_rewrite, | |
25 | .rule_add = s390_rule_add, | |
21 | 26 | }; |
27 | ||
28 | /** | |
29 | * Convert a multiplexed pseudo socket syscall into a direct syscall | |
30 | * @param socketcall the multiplexed pseudo syscall number | |
31 | * | |
32 | * Return the related direct syscall number, __NR_SCMP_UNDEF is there is | |
33 | * no related syscall, or __NR_SCMP_ERROR otherwise. | |
34 | * | |
35 | */ | |
36 | int _s390_sock_demux(int socketcall) | |
37 | { | |
38 | switch (socketcall) { | |
39 | case -101: | |
40 | /* socket */ | |
41 | return 359; | |
42 | case -102: | |
43 | /* bind */ | |
44 | return 361; | |
45 | case -103: | |
46 | /* connect */ | |
47 | return 362; | |
48 | case -104: | |
49 | /* listen */ | |
50 | return 363; | |
51 | case -105: | |
52 | /* accept - not defined */ | |
53 | return __NR_SCMP_UNDEF; | |
54 | case -106: | |
55 | /* getsockname */ | |
56 | return 367; | |
57 | case -107: | |
58 | /* getpeername */ | |
59 | return 368; | |
60 | case -108: | |
61 | /* socketpair */ | |
62 | return 360; | |
63 | case -109: | |
64 | /* send - not defined */ | |
65 | return __NR_SCMP_UNDEF; | |
66 | case -110: | |
67 | /* recv - not defined */ | |
68 | return __NR_SCMP_UNDEF; | |
69 | case -111: | |
70 | /* sendto */ | |
71 | return 369; | |
72 | case -112: | |
73 | /* recvfrom */ | |
74 | return 371; | |
75 | case -113: | |
76 | /* shutdown */ | |
77 | return 373; | |
78 | case -114: | |
79 | /* setsockopt */ | |
80 | return 366; | |
81 | case -115: | |
82 | /* getsockopt */ | |
83 | return 365; | |
84 | case -116: | |
85 | /* sendmsg */ | |
86 | return 370; | |
87 | case -117: | |
88 | /* recvmsg */ | |
89 | return 372; | |
90 | case -118: | |
91 | /* accept4 */ | |
92 | return 364; | |
93 | case -119: | |
94 | /* recvmmsg */ | |
95 | return 337; | |
96 | case -120: | |
97 | /* sendmmsg */ | |
98 | return 345; | |
99 | } | |
100 | ||
101 | return __NR_SCMP_ERROR; | |
102 | } | |
103 | ||
104 | /** | |
105 | * Convert a direct socket syscall into multiplexed pseudo socket syscall | |
106 | * @param syscall the direct syscall | |
107 | * | |
108 | * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is | |
109 | * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. | |
110 | * | |
111 | */ | |
112 | int _s390_sock_mux(int syscall) | |
113 | { | |
114 | switch (syscall) { | |
115 | case 337: | |
116 | /* recvmmsg */ | |
117 | return -119; | |
118 | case 345: | |
119 | /* sendmmsg */ | |
120 | return -120; | |
121 | case 359: | |
122 | /* socket */ | |
123 | return -101; | |
124 | case 360: | |
125 | /* socketpair */ | |
126 | return -108; | |
127 | case 361: | |
128 | /* bind */ | |
129 | return -102; | |
130 | case 362: | |
131 | /* connect */ | |
132 | return -103; | |
133 | case 363: | |
134 | /* listen */ | |
135 | return -104; | |
136 | case 364: | |
137 | /* accept4 */ | |
138 | return -118; | |
139 | case 365: | |
140 | /* getsockopt */ | |
141 | return -115; | |
142 | case 366: | |
143 | /* setsockopt */ | |
144 | return -114; | |
145 | case 367: | |
146 | /* getsockname */ | |
147 | return -106; | |
148 | case 368: | |
149 | /* getpeername */ | |
150 | return -107; | |
151 | case 369: | |
152 | /* sendto */ | |
153 | return -111; | |
154 | case 370: | |
155 | /* sendmsg */ | |
156 | return -116; | |
157 | case 371: | |
158 | /* recvfrom */ | |
159 | return -112; | |
160 | case 372: | |
161 | /* recvmsg */ | |
162 | return -117; | |
163 | case 373: | |
164 | /* shutdown */ | |
165 | return -113; | |
166 | } | |
167 | ||
168 | return __NR_SCMP_ERROR; | |
169 | } | |
170 | ||
171 | /** | |
172 | * Rewrite a syscall value to match the architecture | |
173 | * @param syscall the syscall number | |
174 | * | |
175 | * Syscalls can vary across different architectures so this function rewrites | |
176 | * the syscall into the correct value for the specified architecture. Returns | |
177 | * zero on success, negative values on failure. | |
178 | * | |
179 | */ | |
180 | int s390_syscall_rewrite(int *syscall) | |
181 | { | |
182 | int sys = *syscall; | |
183 | ||
184 | if (sys <= -100 && sys >= -120) | |
185 | *syscall = __s390_NR_socketcall; | |
186 | else if (sys <= -200 && sys >= -224) | |
187 | *syscall = __s390_NR_ipc; | |
188 | else if (sys < 0) | |
189 | return -EDOM; | |
190 | ||
191 | return 0; | |
192 | } | |
193 | ||
194 | /** | |
195 | * add a new rule to the s390 seccomp filter | |
196 | * @param col the filter collection | |
197 | * @param db the seccomp filter db | |
198 | * @param strict the strict flag | |
199 | * @param rule the filter rule | |
200 | * | |
201 | * This function adds a new syscall filter to the seccomp filter db, making any | |
202 | * necessary adjustments for the s390 ABI. Returns zero on success, negative | |
203 | * values on failure. | |
204 | * | |
205 | */ | |
206 | int s390_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, | |
207 | struct db_api_rule_list *rule) | |
208 | { | |
209 | int rc; | |
210 | unsigned int iter; | |
211 | size_t args_size; | |
212 | int sys = rule->syscall; | |
213 | int sys_a, sys_b; | |
214 | struct db_api_rule_list *rule_a, *rule_b; | |
215 | ||
216 | if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { | |
217 | /* (-100 to -120) : multiplexed socket syscalls | |
218 | (359 to 373) : direct socket syscalls, Linux 4.3+ */ | |
219 | ||
220 | /* strict check for the multiplexed socket syscalls */ | |
221 | for (iter = 0; iter < rule->args_cnt; iter++) { | |
222 | if ((rule->args[iter].valid != 0) && (strict)) | |
223 | return -EINVAL; | |
224 | } | |
225 | ||
226 | /* determine both the muxed and direct syscall numbers */ | |
227 | if (sys > 0) { | |
228 | sys_a = _s390_sock_mux(sys); | |
229 | if (sys_a == __NR_SCMP_ERROR) | |
230 | return __NR_SCMP_ERROR; | |
231 | sys_b = sys; | |
232 | } else { | |
233 | sys_a = sys; | |
234 | sys_b = _s390_sock_demux(sys); | |
235 | if (sys_b == __NR_SCMP_ERROR) | |
236 | return __NR_SCMP_ERROR; | |
237 | } | |
238 | ||
239 | /* use rule_a for the multiplexed syscall and use rule_b for | |
240 | * the direct wired syscall */ | |
241 | ||
242 | if (sys_a == __NR_SCMP_UNDEF) { | |
243 | rule_a = NULL; | |
244 | rule_b = rule; | |
245 | } else if (sys_b == __NR_SCMP_UNDEF) { | |
246 | rule_a = rule; | |
247 | rule_b = NULL; | |
248 | } else { | |
249 | /* need two rules, dup the first and link together */ | |
250 | rule_a = rule; | |
251 | rule_b = malloc(sizeof(*rule_b)); | |
252 | if (rule_b == NULL) | |
253 | return -ENOMEM; | |
254 | args_size = sizeof(*rule_b->args) * rule_a->args_cnt; | |
255 | rule_b->args = malloc(args_size); | |
256 | if (rule_b->args == NULL) { | |
257 | free(rule_b); | |
258 | return -ENOMEM; | |
259 | } | |
260 | rule_b->action = rule_a->action; | |
261 | rule_b->syscall = rule_a->syscall; | |
262 | rule_b->args_cnt = rule_a->args_cnt; | |
263 | memcpy(rule_b->args, rule_a->args, args_size); | |
264 | rule_b->prev = rule_a; | |
265 | rule_b->next = NULL; | |
266 | rule_a->next = rule_b; | |
267 | } | |
268 | ||
269 | /* multiplexed socket syscalls */ | |
270 | if (rule_a != NULL) { | |
271 | rule_a->syscall = __s390_NR_socketcall; | |
272 | rule_a->args[0].arg = 0; | |
273 | rule_a->args[0].op = SCMP_CMP_EQ; | |
274 | rule_a->args[0].mask = DATUM_MAX; | |
275 | rule_a->args[0].datum = (-sys_a) % 100; | |
276 | rule_a->args[0].valid = 1; | |
277 | } | |
278 | ||
279 | /* direct wired socket syscalls */ | |
280 | if (rule_b != NULL) | |
281 | rule_b->syscall = sys_b; | |
282 | ||
283 | /* add the rules as a single transaction */ | |
284 | rc = db_col_transaction_start(col); | |
285 | if (rc < 0) | |
286 | return rc; | |
287 | if (rule_a != NULL) { | |
288 | rc = db_rule_add(db, rule_a); | |
289 | if (rc < 0) | |
290 | goto fail_transaction; | |
291 | } | |
292 | if (rule_b != NULL) { | |
293 | rc = db_rule_add(db, rule_b); | |
294 | if (rc < 0) | |
295 | goto fail_transaction; | |
296 | } | |
297 | db_col_transaction_commit(col); | |
298 | } else if (sys <= -200 && sys >= -224) { | |
299 | /* multiplexed ipc syscalls */ | |
300 | for (iter = 0; iter < ARG_COUNT_MAX; iter++) { | |
301 | if ((rule->args[iter].valid != 0) && (strict)) | |
302 | return -EINVAL; | |
303 | } | |
304 | rule->args[0].arg = 0; | |
305 | rule->args[0].op = SCMP_CMP_EQ; | |
306 | rule->args[0].mask = DATUM_MAX; | |
307 | rule->args[0].datum = abs(sys) % 200; | |
308 | rule->args[0].valid = 1; | |
309 | rule->syscall = __s390_NR_ipc; | |
310 | ||
311 | rc = db_rule_add(db, rule); | |
312 | if (rc < 0) | |
313 | return rc; | |
314 | } else if (sys >= 0) { | |
315 | /* normal syscall processing */ | |
316 | rc = db_rule_add(db, rule); | |
317 | if (rc < 0) | |
318 | return rc; | |
319 | } else if (strict) | |
320 | return -EDOM; | |
321 | ||
322 | return 0; | |
323 | ||
324 | fail_transaction: | |
325 | db_col_transaction_abort(col); | |
326 | return rc; | |
327 | } |
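Review bot: The strict-mode argument check in the ipc branch, `for (iter = 0; iter < ARG_COUNT_MAX; iter++)`, uses a different bound than the socket branch's `iter < rule->args_cnt`, and the duplicated rule is sized from `args_cnt` (`args_size = sizeof(*rule_b->args) * rule_a->args_cnt`); if a rule can ever arrive with fewer than ARG_COUNT_MAX entries the ipc loop reads past `rule->args`, and if it cannot, the two loops should at least use the same bound, `for (iter = 0; iter < rule->args_cnt; iter++)`. In non-strict mode only `args[0]` of the multiplexed rule is overwritten with the socketcall selector, so any other caller-supplied comparison stays `valid` on rule_a and is then matched against socketcall()'s own register arguments rather than the socket arguments the caller had in mind; depending on the action this makes the socketcall rule either never match or match more than requested, so either clear `valid` on the remaining entries of rule_a or document that argument filters are dropped for the multiplexed path. `_s390_sock_demux` and `_s390_sock_mux` are internal helpers that arch-s390.h does not declare, so they should be `static` (leading-underscore external names are also reserved identifiers in C). The file continues outside this hunk.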
2 | 2 | * Author: Jan Willeke <willeke@linux.vnet.com.com> |
3 | 3 | */ |
4 | 4 | |
5 | #ifndef _ARCH_s390_H | |
6 | #define _ARCH_s390_H | |
5 | #ifndef _ARCH_S390_H | |
6 | #define _ARCH_S390_H | |
7 | 7 | |
8 | 8 | #include <inttypes.h> |
9 | 9 | |
10 | 10 | #include "arch.h" |
11 | #include "db.h" | |
11 | 12 | #include "system.h" |
12 | 13 | |
13 | 14 | #define s390_arg_count_max 6 |
17 | 18 | |
18 | 19 | int s390_syscall_resolve_name(const char *name); |
19 | 20 | const char *s390_syscall_resolve_num(int num); |
21 | ||
20 | 22 | const char *s390_syscall_iterate_name(unsigned int spot); |
21 | 23 | |
24 | int s390_syscall_rewrite(int *syscall); | |
25 | ||
26 | int s390_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, | |
27 | struct db_api_rule_list *rule); | |
28 | ||
22 | 29 | #endif |
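Review bot: The new `s390_rule_add` prototype uses `bool`, but this header itself only includes `<inttypes.h>`, "arch.h", "db.h" and "system.h"; unless one of those already pulls in `<stdbool.h>` (their contents are not visible here), a translation unit that includes arch-s390.h first will fail to compile on that line, so add `#include <stdbool.h>` next to `<inttypes.h>` rather than relying on a transitive include. The header is otherwise a straightforward set of declarations and the include-guard rename to `_ARCH_S390_H` is fine.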
452 | 452 | const struct arch_syscall_def *table = s390x_syscall_table; |
453 | 453 | |
454 | 454 | /* XXX - plenty of room for future improvement here */ |
455 | ||
456 | if (strcmp(name, "accept") == 0) | |
457 | return __PNR_accept; | |
458 | if (strcmp(name, "accept4") == 0) | |
459 | return __PNR_accept4; | |
460 | else if (strcmp(name, "bind") == 0) | |
461 | return __PNR_bind; | |
462 | else if (strcmp(name, "connect") == 0) | |
463 | return __PNR_connect; | |
464 | else if (strcmp(name, "getpeername") == 0) | |
465 | return __PNR_getpeername; | |
466 | else if (strcmp(name, "getsockname") == 0) | |
467 | return __PNR_getsockname; | |
468 | else if (strcmp(name, "getsockopt") == 0) | |
469 | return __PNR_getsockopt; | |
470 | else if (strcmp(name, "listen") == 0) | |
471 | return __PNR_listen; | |
472 | else if (strcmp(name, "recv") == 0) | |
473 | return __PNR_recv; | |
474 | else if (strcmp(name, "recvfrom") == 0) | |
475 | return __PNR_recvfrom; | |
476 | else if (strcmp(name, "recvmsg") == 0) | |
477 | return __PNR_recvmsg; | |
478 | else if (strcmp(name, "recvmmsg") == 0) | |
479 | return __PNR_recvmmsg; | |
480 | else if (strcmp(name, "send") == 0) | |
481 | return __PNR_send; | |
482 | else if (strcmp(name, "sendmsg") == 0) | |
483 | return __PNR_sendmsg; | |
484 | else if (strcmp(name, "sendmmsg") == 0) | |
485 | return __PNR_sendmmsg; | |
486 | else if (strcmp(name, "sendto") == 0) | |
487 | return __PNR_sendto; | |
488 | else if (strcmp(name, "setsockopt") == 0) | |
489 | return __PNR_setsockopt; | |
490 | else if (strcmp(name, "shutdown") == 0) | |
491 | return __PNR_shutdown; | |
492 | else if (strcmp(name, "socket") == 0) | |
493 | return __PNR_socket; | |
494 | else if (strcmp(name, "socketpair") == 0) | |
495 | return __PNR_socketpair; | |
496 | ||
455 | 497 | for (iter = 0; table[iter].name != NULL; iter++) { |
456 | 498 | if (strcmp(name, table[iter].name) == 0) |
457 | 499 | return table[iter].num; |
475 | 517 | const struct arch_syscall_def *table = s390x_syscall_table; |
476 | 518 | |
477 | 519 | /* XXX - plenty of room for future improvement here */ |
520 | ||
521 | if (num == __PNR_accept) | |
522 | return "accept"; | |
523 | else if (num == __PNR_accept4) | |
524 | return "accept4"; | |
525 | else if (num == __PNR_bind) | |
526 | return "bind"; | |
527 | else if (num == __PNR_connect) | |
528 | return "connect"; | |
529 | else if (num == __PNR_getpeername) | |
530 | return "getpeername"; | |
531 | else if (num == __PNR_getsockname) | |
532 | return "getsockname"; | |
533 | else if (num == __PNR_getsockopt) | |
534 | return "getsockopt"; | |
535 | else if (num == __PNR_listen) | |
536 | return "listen"; | |
537 | else if (num == __PNR_recv) | |
538 | return "recv"; | |
539 | else if (num == __PNR_recvfrom) | |
540 | return "recvfrom"; | |
541 | else if (num == __PNR_recvmsg) | |
542 | return "recvmsg"; | |
543 | else if (num == __PNR_recvmmsg) | |
544 | return "recvmmsg"; | |
545 | else if (num == __PNR_send) | |
546 | return "send"; | |
547 | else if (num == __PNR_sendmsg) | |
548 | return "sendmsg"; | |
549 | else if (num == __PNR_sendmmsg) | |
550 | return "sendmmsg"; | |
551 | else if (num == __PNR_sendto) | |
552 | return "sendto"; | |
553 | else if (num == __PNR_setsockopt) | |
554 | return "setsockopt"; | |
555 | else if (num == __PNR_shutdown) | |
556 | return "shutdown"; | |
557 | else if (num == __PNR_socket) | |
558 | return "socket"; | |
559 | else if (num == __PNR_socketpair) | |
560 | return "socketpair"; | |
561 | ||
478 | 562 | for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { |
479 | 563 | if (num == table[iter].num) |
480 | 564 | return table[iter].name; |
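Review bot: The two new compare chains are a byte-for-byte copy of the ones added to arch-s390-syscalls.c (and of the x86 variant further down the page), so the socket pseudo-number list now lives in at least three places that must be edited in lockstep whenever a `__PNR_*` socket entry is added or removed. A single shared static array of `{ const char *name; int num; }` pairs for the socket pseudo syscalls, scanned by name in `*_syscall_resolve_name` and by number in `*_syscall_resolve_num`, would remove the duplication without changing any result. As written, the second test should also read `else if (strcmp(name, "accept4") == 0)` for consistency with its neighbours. Both resolver functions start and end outside the hunks shown.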
4 | 4 | |
5 | 5 | #include <stdlib.h> |
6 | 6 | #include <errno.h> |
7 | #include <string.h> | |
7 | 8 | #include <linux/audit.h> |
8 | 9 | |
9 | 10 | #include "arch.h" |
10 | 11 | #include "arch-s390x.h" |
12 | ||
13 | /* s390x syscall numbers */ | |
14 | #define __s390x_NR_socketcall 102 | |
15 | #define __s390x_NR_ipc 117 | |
11 | 16 | |
12 | 17 | const struct arch_def arch_def_s390x = { |
13 | 18 | .token = SCMP_ARCH_S390X, |
16 | 21 | .endian = ARCH_ENDIAN_BIG, |
17 | 22 | .syscall_resolve_name = s390x_syscall_resolve_name, |
18 | 23 | .syscall_resolve_num = s390x_syscall_resolve_num, |
19 | .syscall_rewrite = NULL, | |
20 | .rule_add = NULL, | |
24 | .syscall_rewrite = s390x_syscall_rewrite, | |
25 | .rule_add = s390x_rule_add, | |
21 | 26 | }; |
27 | ||
28 | /** | |
29 | * Convert a multiplexed pseudo socket syscall into a direct syscall | |
30 | * @param socketcall the multiplexed pseudo syscall number | |
31 | * | |
32 | * Return the related direct syscall number, __NR_SCMP_UNDEF is there is | |
33 | * no related syscall, or __NR_SCMP_ERROR otherwise. | |
34 | * | |
35 | */ | |
36 | int _s390x_sock_demux(int socketcall) | |
37 | { | |
38 | switch (socketcall) { | |
39 | case -101: | |
40 | /* socket */ | |
41 | return 359; | |
42 | case -102: | |
43 | /* bind */ | |
44 | return 361; | |
45 | case -103: | |
46 | /* connect */ | |
47 | return 362; | |
48 | case -104: | |
49 | /* listen */ | |
50 | return 363; | |
51 | case -105: | |
52 | /* accept - not defined */ | |
53 | return __NR_SCMP_UNDEF; | |
54 | case -106: | |
55 | /* getsockname */ | |
56 | return 367; | |
57 | case -107: | |
58 | /* getpeername */ | |
59 | return 368; | |
60 | case -108: | |
61 | /* socketpair */ | |
62 | return 360; | |
63 | case -109: | |
64 | /* send - not defined */ | |
65 | return __NR_SCMP_UNDEF; | |
66 | case -110: | |
67 | /* recv - not defined */ | |
68 | return __NR_SCMP_UNDEF; | |
69 | case -111: | |
70 | /* sendto */ | |
71 | return 369; | |
72 | case -112: | |
73 | /* recvfrom */ | |
74 | return 371; | |
75 | case -113: | |
76 | /* shutdown */ | |
77 | return 373; | |
78 | case -114: | |
79 | /* setsockopt */ | |
80 | return 366; | |
81 | case -115: | |
82 | /* getsockopt */ | |
83 | return 365; | |
84 | case -116: | |
85 | /* sendmsg */ | |
86 | return 370; | |
87 | case -117: | |
88 | /* recvmsg */ | |
89 | return 372; | |
90 | case -118: | |
91 | /* accept4 */ | |
92 | return 364; | |
93 | case -119: | |
94 | /* recvmmsg */ | |
95 | return 337; | |
96 | case -120: | |
97 | /* sendmmsg */ | |
98 | return 345; | |
99 | } | |
100 | ||
101 | return __NR_SCMP_ERROR; | |
102 | } | |
103 | ||
104 | /** | |
105 | * Convert a direct socket syscall into multiplexed pseudo socket syscall | |
106 | * @param syscall the direct syscall | |
107 | * | |
108 | * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is | |
109 | * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise. | |
110 | * | |
111 | */ | |
112 | int _s390x_sock_mux(int syscall) | |
113 | { | |
114 | switch (syscall) { | |
115 | case 337: | |
116 | /* recvmmsg */ | |
117 | return -119; | |
118 | case 345: | |
119 | /* sendmmsg */ | |
120 | return -120; | |
121 | case 359: | |
122 | /* socket */ | |
123 | return -101; | |
124 | case 360: | |
125 | /* socketpair */ | |
126 | return -108; | |
127 | case 361: | |
128 | /* bind */ | |
129 | return -102; | |
130 | case 362: | |
131 | /* connect */ | |
132 | return -103; | |
133 | case 363: | |
134 | /* listen */ | |
135 | return -104; | |
136 | case 364: | |
137 | /* accept4 */ | |
138 | return -118; | |
139 | case 365: | |
140 | /* getsockopt */ | |
141 | return -115; | |
142 | case 366: | |
143 | /* setsockopt */ | |
144 | return -114; | |
145 | case 367: | |
146 | /* getsockname */ | |
147 | return -106; | |
148 | case 368: | |
149 | /* getpeername */ | |
150 | return -107; | |
151 | case 369: | |
152 | /* sendto */ | |
153 | return -111; | |
154 | case 370: | |
155 | /* sendmsg */ | |
156 | return -116; | |
157 | case 371: | |
158 | /* recvfrom */ | |
159 | return -112; | |
160 | case 372: | |
161 | /* recvmsg */ | |
162 | return -117; | |
163 | case 373: | |
164 | /* shutdown */ | |
165 | return -113; | |
166 | } | |
167 | ||
168 | return __NR_SCMP_ERROR; | |
169 | } | |
170 | ||
171 | /** | |
172 | * Rewrite a syscall value to match the architecture | |
173 | * @param syscall the syscall number | |
174 | * | |
175 | * Syscalls can vary across different architectures so this function rewrites | |
176 | * the syscall into the correct value for the specified architecture. Returns | |
177 | * zero on success, negative values on failure. | |
178 | * | |
179 | */ | |
180 | int s390x_syscall_rewrite(int *syscall) | |
181 | { | |
182 | int sys = *syscall; | |
183 | ||
184 | if (sys <= -100 && sys >= -120) | |
185 | *syscall = __s390x_NR_socketcall; | |
186 | else if (sys <= -200 && sys >= -224) | |
187 | *syscall = __s390x_NR_ipc; | |
188 | else if (sys < 0) | |
189 | return -EDOM; | |
190 | ||
191 | return 0; | |
192 | } | |
193 | ||
194 | /** | |
195 | * add a new rule to the s390x seccomp filter | |
196 | * @param col the filter collection | |
197 | * @param db the seccomp filter db | |
198 | * @param strict the strict flag | |
199 | * @param rule the filter rule | |
200 | * | |
201 | * This function adds a new syscall filter to the seccomp filter db, making any | |
202 | * necessary adjustments for the s390x ABI. Returns zero on success, negative | |
203 | * values on failure. | |
204 | * | |
205 | */ | |
206 | int s390x_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, | |
207 | struct db_api_rule_list *rule) | |
208 | { | |
209 | int rc; | |
210 | unsigned int iter; | |
211 | size_t args_size; | |
212 | int sys = rule->syscall; | |
213 | int sys_a, sys_b; | |
214 | struct db_api_rule_list *rule_a, *rule_b; | |
215 | ||
216 | if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { | |
217 | /* (-100 to -120) : multiplexed socket syscalls | |
218 | (359 to 373) : direct socket syscalls, Linux 4.3+ */ | |
219 | ||
220 | /* strict check for the multiplexed socket syscalls */ | |
221 | for (iter = 0; iter < rule->args_cnt; iter++) { | |
222 | if ((rule->args[iter].valid != 0) && (strict)) | |
223 | return -EINVAL; | |
224 | } | |
225 | ||
226 | /* determine both the muxed and direct syscall numbers */ | |
227 | if (sys > 0) { | |
228 | sys_a = _s390x_sock_mux(sys); | |
229 | if (sys_a == __NR_SCMP_ERROR) | |
230 | return __NR_SCMP_ERROR; | |
231 | sys_b = sys; | |
232 | } else { | |
233 | sys_a = sys; | |
234 | sys_b = _s390x_sock_demux(sys); | |
235 | if (sys_b == __NR_SCMP_ERROR) | |
236 | return __NR_SCMP_ERROR; | |
237 | } | |
238 | ||
239 | /* use rule_a for the multiplexed syscall and use rule_b for | |
240 | * the direct wired syscall */ | |
241 | ||
242 | if (sys_a == __NR_SCMP_UNDEF) { | |
243 | rule_a = NULL; | |
244 | rule_b = rule; | |
245 | } else if (sys_b == __NR_SCMP_UNDEF) { | |
246 | rule_a = rule; | |
247 | rule_b = NULL; | |
248 | } else { | |
249 | /* need two rules, dup the first and link together */ | |
250 | rule_a = rule; | |
251 | rule_b = malloc(sizeof(*rule_b)); | |
252 | if (rule_b == NULL) | |
253 | return -ENOMEM; | |
254 | args_size = sizeof(*rule_b->args) * rule_a->args_cnt; | |
255 | rule_b->args = malloc(args_size); | |
256 | if (rule_b->args == NULL) { | |
257 | free(rule_b); | |
258 | return -ENOMEM; | |
259 | } | |
260 | rule_b->action = rule_a->action; | |
261 | rule_b->syscall = rule_a->syscall; | |
262 | rule_b->args_cnt = rule_a->args_cnt; | |
263 | memcpy(rule_b->args, rule_a->args, args_size); | |
264 | rule_b->prev = rule_a; | |
265 | rule_b->next = NULL; | |
266 | rule_a->next = rule_b; | |
267 | } | |
268 | ||
269 | /* multiplexed socket syscalls */ | |
270 | if (rule_a != NULL) { | |
271 | rule_a->syscall = __s390x_NR_socketcall; | |
272 | rule_a->args[0].arg = 0; | |
273 | rule_a->args[0].op = SCMP_CMP_EQ; | |
274 | rule_a->args[0].mask = DATUM_MAX; | |
275 | rule_a->args[0].datum = (-sys_a) % 100; | |
276 | rule_a->args[0].valid = 1; | |
277 | } | |
278 | ||
279 | /* direct wired socket syscalls */ | |
280 | if (rule_b != NULL) | |
281 | rule_b->syscall = sys_b; | |
282 | ||
283 | /* add the rules as a single transaction */ | |
284 | rc = db_col_transaction_start(col); | |
285 | if (rc < 0) | |
286 | return rc; | |
287 | if (rule_a != NULL) { | |
288 | rc = db_rule_add(db, rule_a); | |
289 | if (rc < 0) | |
290 | goto fail_transaction; | |
291 | } | |
292 | if (rule_b != NULL) { | |
293 | rc = db_rule_add(db, rule_b); | |
294 | if (rc < 0) | |
295 | goto fail_transaction; | |
296 | } | |
297 | db_col_transaction_commit(col); | |
298 | } else if (sys <= -200 && sys >= -224) { | |
299 | /* multiplexed ipc syscalls */ | |
300 | for (iter = 0; iter < ARG_COUNT_MAX; iter++) { | |
301 | if ((rule->args[iter].valid != 0) && (strict)) | |
302 | return -EINVAL; | |
303 | } | |
304 | rule->args[0].arg = 0; | |
305 | rule->args[0].op = SCMP_CMP_EQ; | |
306 | rule->args[0].mask = DATUM_MAX; | |
307 | rule->args[0].datum = abs(sys) % 200; | |
308 | rule->args[0].valid = 1; | |
309 | rule->syscall = __s390x_NR_ipc; | |
310 | ||
311 | rc = db_rule_add(db, rule); | |
312 | if (rc < 0) | |
313 | return rc; | |
314 | } else if (sys >= 0) { | |
315 | /* normal syscall processing */ | |
316 | rc = db_rule_add(db, rule); | |
317 | if (rc < 0) | |
318 | return rc; | |
319 | } else if (strict) | |
320 | return -EDOM; | |
321 | ||
322 | return 0; | |
323 | ||
324 | fail_transaction: | |
325 | db_col_transaction_abort(col); | |
326 | return rc; | |
327 | } |
2 | 2 | * Author: Jan Willeke <willeke@linux.vnet.com.com> |
3 | 3 | */ |
4 | 4 | |
5 | #ifndef _ARCH_s390x_H | |
6 | #define _ARCH_s390x_H | |
5 | #ifndef _ARCH_S390X_H | |
6 | #define _ARCH_S390X_H | |
7 | 7 | |
8 | 8 | #include <inttypes.h> |
9 | 9 | |
10 | 10 | #include "arch.h" |
11 | #include "db.h" | |
11 | 12 | #include "system.h" |
12 | 13 | |
13 | 14 | #define s390x_arg_count_max 6 |
20 | 21 | |
21 | 22 | int s390x_syscall_resolve_name(const char *name); |
22 | 23 | const char *s390x_syscall_resolve_num(int num); |
24 | ||
23 | 25 | const char *s390x_syscall_iterate_name(unsigned int spot); |
24 | const char *s390x_syscall_iterate_name(unsigned int spot); | |
26 | ||
27 | int s390x_syscall_rewrite(int *syscall); | |
28 | ||
29 | int s390x_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, | |
30 | struct db_api_rule_list *rule); | |
31 | ||
25 | 32 | #endif |
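Review bot: The new include guard `_ARCH_S390X_H` (and the old `_ARCH_s390x_H` it replaces) is an identifier beginning with an underscore and an uppercase letter, which C reserves for the implementation; a project-owned name such as `#ifndef ARCH_S390X_H` / `#define ARCH_S390X_H` avoids the collision class without changing anything else. The new `s390x_rule_add()` prototype also introduces `bool` into this header while only `<inttypes.h>`, `arch.h`, `db.h` and `system.h` are included; if none of those pulls in `<stdbool.h>`, the header is not self-contained and a translation unit that includes it first will fail to compile, so adding `#include <stdbool.h>` here would be the safe fix. Dropping the duplicated `s390x_syscall_iterate_name` prototype is a good cleanup.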
468 | 468 | const struct arch_syscall_def *table = x86_syscall_table; |
469 | 469 | |
470 | 470 | /* XXX - plenty of room for future improvement here */ |
471 | ||
472 | if (strcmp(name, "accept") == 0) | |
473 | return __PNR_accept; | |
474 | if (strcmp(name, "accept4") == 0) | |
475 | return __PNR_accept4; | |
476 | else if (strcmp(name, "bind") == 0) | |
477 | return __PNR_bind; | |
478 | else if (strcmp(name, "connect") == 0) | |
479 | return __PNR_connect; | |
480 | else if (strcmp(name, "getpeername") == 0) | |
481 | return __PNR_getpeername; | |
482 | else if (strcmp(name, "getsockname") == 0) | |
483 | return __PNR_getsockname; | |
484 | else if (strcmp(name, "getsockopt") == 0) | |
485 | return __PNR_getsockopt; | |
486 | else if (strcmp(name, "listen") == 0) | |
487 | return __PNR_listen; | |
488 | else if (strcmp(name, "recv") == 0) | |
489 | return __PNR_recv; | |
490 | else if (strcmp(name, "recvfrom") == 0) | |
491 | return __PNR_recvfrom; | |
492 | else if (strcmp(name, "recvmsg") == 0) | |
493 | return __PNR_recvmsg; | |
494 | else if (strcmp(name, "recvmmsg") == 0) | |
495 | return __PNR_recvmmsg; | |
496 | else if (strcmp(name, "send") == 0) | |
497 | return __PNR_send; | |
498 | else if (strcmp(name, "sendmsg") == 0) | |
499 | return __PNR_sendmsg; | |
500 | else if (strcmp(name, "sendmmsg") == 0) | |
501 | return __PNR_sendmmsg; | |
502 | else if (strcmp(name, "sendto") == 0) | |
503 | return __PNR_sendto; | |
504 | else if (strcmp(name, "setsockopt") == 0) | |
505 | return __PNR_setsockopt; | |
506 | else if (strcmp(name, "shutdown") == 0) | |
507 | return __PNR_shutdown; | |
508 | else if (strcmp(name, "socket") == 0) | |
509 | return __PNR_socket; | |
510 | else if (strcmp(name, "socketpair") == 0) | |
511 | return __PNR_socketpair; | |
512 | ||
471 | 513 | for (iter = 0; table[iter].name != NULL; iter++) { |
472 | 514 | if (strcmp(name, table[iter].name) == 0) |
473 | 515 | return table[iter].num; |
491 | 533 | const struct arch_syscall_def *table = x86_syscall_table; |
492 | 534 | |
493 | 535 | /* XXX - plenty of room for future improvement here */ |
536 | ||
537 | if (num == __PNR_accept) | |
538 | return "accept"; | |
539 | else if (num == __PNR_accept4) | |
540 | return "accept4"; | |
541 | else if (num == __PNR_bind) | |
542 | return "bind"; | |
543 | else if (num == __PNR_connect) | |
544 | return "connect"; | |
545 | else if (num == __PNR_getpeername) | |
546 | return "getpeername"; | |
547 | else if (num == __PNR_getsockname) | |
548 | return "getsockname"; | |
549 | else if (num == __PNR_getsockopt) | |
550 | return "getsockopt"; | |
551 | else if (num == __PNR_listen) | |
552 | return "listen"; | |
553 | else if (num == __PNR_recv) | |
554 | return "recv"; | |
555 | else if (num == __PNR_recvfrom) | |
556 | return "recvfrom"; | |
557 | else if (num == __PNR_recvmsg) | |
558 | return "recvmsg"; | |
559 | else if (num == __PNR_recvmmsg) | |
560 | return "recvmmsg"; | |
561 | else if (num == __PNR_send) | |
562 | return "send"; | |
563 | else if (num == __PNR_sendmsg) | |
564 | return "sendmsg"; | |
565 | else if (num == __PNR_sendmmsg) | |
566 | return "sendmmsg"; | |
567 | else if (num == __PNR_sendto) | |
568 | return "sendto"; | |
569 | else if (num == __PNR_setsockopt) | |
570 | return "setsockopt"; | |
571 | else if (num == __PNR_shutdown) | |
572 | return "shutdown"; | |
573 | else if (num == __PNR_socket) | |
574 | return "socket"; | |
575 | else if (num == __PNR_socketpair) | |
576 | return "socketpair"; | |
577 | ||
494 | 578 | for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { |
495 | 579 | if (num == table[iter].num) |
496 | 580 | return table[iter].name; |
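Review bot: In the x86_syscall_resolve_name hunk the second test (`if (strcmp(name, "accept4") == 0)`) is a plain `if` while every following branch is `else if`; it is harmless because the preceding branch returns, but it reads as an accidental break in the chain and should be `else if` for consistency with the x86_syscall_resolve_num hunk below it. More importantly, nothing documents why the pseudo-syscall names are matched before the table walk, which means that on x86 the socket family always resolves to the negative `__PNR_*` values even when the table might hold a direct number; a one-line comment such as `/* socket names resolve to the pseudo numbers so the rule layer can expand them to both socketcall and direct-wired forms */` would capture the intent (the expansion itself is inferred from the rest of the commit, not visible here). Both enclosing functions start and end outside these hunks.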
103 | 103 | case -117: |
104 | 104 | /* recvmsg */ |
105 | 105 | return 372; |
106 | case -118: | |
107 | /* accept4 */ | |
108 | return 364; | |
109 | case -119: | |
110 | /* recvmmsg */ | |
111 | return 337; | |
112 | case -120: | |
113 | /* sendmmsg */ | |
114 | return 345; | |
106 | 115 | } |
107 | 116 | |
108 | 117 | return __NR_SCMP_ERROR; |
119 | 128 | int _x86_sock_mux(int syscall) |
120 | 129 | { |
121 | 130 | switch (syscall) { |
131 | case 337: | |
132 | /* recvmmsg */ | |
133 | return -119; | |
134 | case 345: | |
135 | /* sendmmsg */ | |
136 | return -120; | |
122 | 137 | case 359: |
123 | 138 | /* socket */ |
124 | 139 | return -101; |
136 | 151 | return -104; |
137 | 152 | case 364: |
138 | 153 | /* accept4 */ |
139 | return __NR_SCMP_UNDEF; | |
154 | return -118; | |
140 | 155 | case 365: |
141 | 156 | /* getsockopt */ |
142 | 157 | return -115; |
182 | 197 | { |
183 | 198 | int sys = *syscall; |
184 | 199 | |
185 | if (sys <= -100 && sys >= -117) | |
200 | if (sys <= -100 && sys >= -120) | |
186 | 201 | *syscall = __x86_NR_socketcall; |
187 | else if (sys <= -200 && sys >= -211) | |
202 | else if (sys <= -200 && sys >= -224) | |
188 | 203 | *syscall = __x86_NR_ipc; |
189 | 204 | else if (sys < 0) |
190 | 205 | return -EDOM; |
214 | 229 | int sys_a, sys_b; |
215 | 230 | struct db_api_rule_list *rule_a, *rule_b; |
216 | 231 | |
217 | if ((sys <= -100 && sys >= -117) || (sys >= 359 && sys <= 373)) { | |
218 | /* (-100 to -117) : multiplexed socket syscalls | |
219 | (359 to 373) : direct socket syscalls, Linux 4.4+ */ | |
232 | if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { | |
233 | /* (-100 to -120) : multiplexed socket syscalls | |
234 | (359 to 373) : direct socket syscalls, Linux 4.3+ */ | |
220 | 235 | |
221 | 236 | /* strict check for the multiplexed socket syscalls */ |
222 | 237 | for (iter = 0; iter < rule->args_cnt; iter++) { |
296 | 311 | goto fail_transaction; |
297 | 312 | } |
298 | 313 | db_col_transaction_commit(col); |
299 | } else if (sys <= -200 && sys >= -211) { | |
314 | } else if (sys <= -200 && sys >= -224) { | |
300 | 315 | /* multiplexed ipc syscalls */ |
301 | 316 | for (iter = 0; iter < ARG_COUNT_MAX; iter++) { |
302 | 317 | if ((rule->args[iter].valid != 0) && (strict)) |
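Review bot: _x86_sock_mux now maps the direct numbers 337 (recvmmsg) and 345 (sendmmsg) to `-119`/`-120`, but the direct-number test in x86_rule_add, `(sys >= 359 && sys <= 373)`, still admits only the 4.3+ block, so a rule supplied as raw 337 or 345 takes the "normal syscall processing" path instead of whichever socket expansion the 359..373 numbers get; if that asymmetry is intended (the caller gave an exact number) a comment on that condition should say so, otherwise it needs `|| sys == 337 || sys == 345`. The widened bounds `-120` and `-224` are now repeated in x86_syscall_rewrite and x86_rule_add (and the same `-200`/`-224` pair appears in the s390x code above), so a named constant per range would keep the next syscall addition from having to touch each copy. The bodies of x86_syscall_rewrite and x86_rule_add start and end outside these hunks, so the branch that actually consumes the mux result is not visible here.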
30 | 30 | |
31 | 31 | if (seccomp_syscall_resolve_name("open") != __NR_open) |
32 | 32 | goto fail; |
33 | if (seccomp_syscall_resolve_name("socket") != __NR_socket) | |
33 | if (seccomp_syscall_resolve_name("read") != __NR_read) | |
34 | 34 | goto fail; |
35 | 35 | if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR) |
36 | 36 | goto fail; |
39 | 39 | "open") != __NR_open) |
40 | 40 | goto fail; |
41 | 41 | if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, |
42 | "socket") != __NR_socket) | |
42 | "read") != __NR_read) | |
43 | 43 | goto fail; |
44 | 44 | if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, |
45 | 45 | "INVALID") != __NR_SCMP_ERROR) |
50 | 50 | goto fail; |
51 | 51 | free(name); |
52 | 52 | |
53 | name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_socket); | |
54 | if (name == NULL || strcmp(name, "socket") != 0) | |
53 | name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_read); | |
54 | if (name == NULL || strcmp(name, "read") != 0) | |
55 | 55 | goto fail; |
56 | 56 | free(name); |
57 | 57 |
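Review bot: The resolver test swaps "socket" for "read" in three places without saying why, and a future maintainer is likely to put a socket-family name back because it looks like an arbitrary choice; a comment such as `/* "socket" resolves to a pseudo syscall number on x86, so use a syscall that is never multiplexed */` on the first changed line would preserve the reason. The same change in the Python twin (15-basic-resolver.py further down) would benefit from the same one-line comment. The test functions themselves start and end outside the hunks.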
32 | 32 | # this differs from the native test as we don't support the syscall |
33 | 33 | # resolution functions by themselves |
34 | 34 | f.add_rule(ALLOW, "open") |
35 | f.add_rule(ALLOW, "socket") | |
35 | f.add_rule(ALLOW, "read") | |
36 | 36 | try: |
37 | 37 | f.add_rule(ALLOW, "INVALID") |
38 | 38 | except RuntimeError: |
42 | 42 | sys_name = resolve_syscall(Arch(), sys_num) |
43 | 43 | if (sys_name != "open"): |
44 | 44 | raise RuntimeError("Test failure") |
45 | sys_num = resolve_syscall(Arch(), "socket") | |
45 | sys_num = resolve_syscall(Arch(), "read") | |
46 | 46 | sys_name = resolve_syscall(Arch(), sys_num) |
47 | if (sys_name != "socket"): | |
47 | if (sys_name != "read"): | |
48 | 48 | raise RuntimeError("Test failure") |
49 | 49 | |
50 | 50 | test() |
17 | 17 | 30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW |
18 | 18 | 30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW |
19 | 19 | 30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL |
20 | 30-sim-socket_syscalls +x86 accept4 0 1 2 N N N ALLOW | |
20 | 30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW | |
21 | 30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL | |
21 | 22 | 30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW |
22 | 23 | 30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW |
23 | 24 | 30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW |
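Review bot: The new x86 accept4 rows use Arg0 values 18 (ALLOW) and 0 (KILL), mirroring the accept rows with 5 and 0, but nothing in the data file says that Arg0 is the socketcall() multiplexer number rather than a socket argument; a comment line such as `# accept/accept4 Arg0 is the socketcall() call number (SYS_ACCEPT = 5, SYS_ACCEPT4 = 18); 0 must be rejected` above these rows would make the expected results self-explaining. The same applies to the new 33-sim-socket_syscalls_be.tests file, whose socketcall rows (1, 3, 5, 13) and accept/accept4 rows (5, 18) rely on the same implicit mapping.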
0 | /** | |
1 | * Seccomp Library test program | |
2 | * | |
3 | * Copyright (c) 2016 Red Hat <pmoore@redhat.com> | |
4 | * Author: Paul Moore <paul@paul-moore.com> | |
5 | */ | |
6 | ||
7 | /* | |
8 | * This library is free software; you can redistribute it and/or modify it | |
9 | * under the terms of version 2.1 of the GNU Lesser General Public License as | |
10 | * published by the Free Software Foundation. | |
11 | * | |
12 | * This library is distributed in the hope that it will be useful, but WITHOUT | |
13 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
14 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | |
15 | * for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU Lesser General Public License | |
18 | * along with this library; if not, see <http://www.gnu.org/licenses>. | |
19 | */ | |
20 | ||
21 | #include <errno.h> | |
22 | #include <unistd.h> | |
23 | ||
24 | #include <seccomp.h> | |
25 | ||
26 | #include "util.h" | |
27 | ||
28 | int main(int argc, char *argv[]) | |
29 | { | |
30 | int rc; | |
31 | struct util_options opts; | |
32 | scmp_filter_ctx ctx = NULL; | |
33 | ||
34 | rc = util_getopt(argc, argv, &opts); | |
35 | if (rc < 0) | |
36 | goto out; | |
37 | ||
38 | ctx = seccomp_init(SCMP_ACT_KILL); | |
39 | if (ctx == NULL) | |
40 | return ENOMEM; | |
41 | ||
42 | rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); | |
43 | if (rc != 0) | |
44 | goto out; | |
45 | ||
46 | rc = seccomp_arch_add(ctx, SCMP_ARCH_S390); | |
47 | if (rc != 0) | |
48 | goto out; | |
49 | rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); | |
50 | if (rc != 0) | |
51 | goto out; | |
52 | ||
53 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); | |
54 | if (rc != 0) | |
55 | goto out; | |
56 | ||
57 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); | |
58 | if (rc != 0) | |
59 | goto out; | |
60 | ||
61 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); | |
62 | if (rc != 0) | |
63 | goto out; | |
64 | ||
65 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); | |
66 | if (rc != 0) | |
67 | goto out; | |
68 | ||
69 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); | |
70 | if (rc != 0) | |
71 | goto out; | |
72 | ||
73 | rc = util_filter_output(&opts, ctx); | |
74 | if (rc) | |
75 | goto out; | |
76 | ||
77 | out: | |
78 | seccomp_release(ctx); | |
79 | return (rc < 0 ? -rc : rc); | |
80 | } |
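Review bot: The new test program checks every result with `if (rc != 0)` except the util_filter_output call, which uses `if (rc)`; making that `if (rc != 0)` keeps the file's one style. Apart from the generic license header there is no comment saying what this test exercises, and the "_be" suffix alone does not convey it, so a one-sentence comment above main() describing that it builds a filter for the s390 and s390x ABIs with the multiplexed socket rules (socket, connect, accept, accept4, shutdown) that the .tests file then drives through both socketcall and direct numbers would help; the Python twin 33-sim-socket_syscalls_be.py would benefit from the same sentence as a docstring on test(). The early `goto out` when util_getopt fails reaches `seccomp_release(ctx)` with ctx still NULL, which looks intentional and presumably relies on seccomp_release tolerating NULL, but that is not visible here.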
0 | #!/usr/bin/env python | |
1 | ||
2 | # | |
3 | # Seccomp Library test program | |
4 | # | |
5 | # Copyright (c) 2016 Red Hat <pmoore@redhat.com> | |
6 | # Author: Paul Moore <paul@paul-moore.com> | |
7 | # | |
8 | ||
9 | # | |
10 | # This library is free software; you can redistribute it and/or modify it | |
11 | # under the terms of version 2.1 of the GNU Lesser General Public License as | |
12 | # published by the Free Software Foundation. | |
13 | # | |
14 | # This library is distributed in the hope that it will be useful, but WITHOUT | |
15 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
16 | # FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | |
17 | # for more details. | |
18 | # | |
19 | # You should have received a copy of the GNU Lesser General Public License | |
20 | # along with this library; if not, see <http://www.gnu.org/licenses>. | |
21 | # | |
22 | ||
23 | import argparse | |
24 | import sys | |
25 | ||
26 | import util | |
27 | ||
28 | from seccomp import * | |
29 | ||
30 | def test(args): | |
31 | f = SyscallFilter(KILL) | |
32 | f.remove_arch(Arch()) | |
33 | f.add_arch(Arch("s390")) | |
34 | f.add_arch(Arch("s390x")) | |
35 | f.add_rule(ALLOW, "socket") | |
36 | f.add_rule(ALLOW, "connect") | |
37 | f.add_rule(ALLOW, "accept") | |
38 | f.add_rule(ALLOW, "accept4") | |
39 | f.add_rule(ALLOW, "shutdown") | |
40 | return f | |
41 | ||
42 | args = util.get_opt() | |
43 | ctx = test(args) | |
44 | util.filter_output(args, ctx) | |
45 | ||
46 | # kate: syntax python; | |
47 | # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; |
0 | # | |
1 | # libseccomp regression test automation data | |
2 | # | |
3 | # Copyright (c) 2016 Red Hat <pmoore@redhat.com> | |
4 | # Author: Paul Moore <paul@paul-moore.com> | |
5 | # | |
6 | ||
7 | test type: bpf-sim | |
8 | ||
9 | # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result | |
10 | 33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW | |
11 | 33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW | |
12 | 33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW | |
13 | 33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW | |
14 | 33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW | |
15 | 33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW | |
16 | 33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW | |
17 | 33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW | |
18 | 33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW | |
19 | 33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL | |
20 | 33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW | |
21 | 33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL | |
22 | 33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW | |
23 | 33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW | |
24 | 33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW | |
25 | 33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW | |
26 | 33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW | |
27 | 33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW | |
28 | 33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW | |
29 | 33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW | |
30 | 33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW | |
31 | 33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL | |
32 | 33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW | |
33 | 33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL | |
34 | ||
35 | test type: bpf-valgrind | |
36 | ||
37 | # Testname | |
38 | 33-sim-socket_syscalls_be |
59 | 59 | 29-sim-pseudo_syscall \ |
60 | 60 | 30-sim-socket_syscalls \ |
61 | 61 | 31-basic-version_check \ |
62 | 32-live-tsync_allow | |
62 | 32-live-tsync_allow \ | |
63 | 33-sim-socket_syscalls_be | |
63 | 64 | |
64 | 65 | EXTRA_DIST_TESTPYTHON = \ |
65 | 66 | util.py \ |
94 | 95 | 29-sim-pseudo_syscall.py \ |
95 | 96 | 30-sim-socket_syscalls.py \ |
96 | 97 | 31-basic-version_check.py \ |
97 | 32-live-tsync_allow.py | |
98 | 32-live-tsync_allow.py \ | |
99 | 33-sim-socket_syscalls_be.py | |
98 | 100 | |
99 | 101 | EXTRA_DIST_TESTCFGS = \ |
100 | 102 | 01-sim-allow.tests \ |
128 | 130 | 29-sim-pseudo_syscall.tests \ |
129 | 131 | 30-sim-socket_syscalls.tests \ |
130 | 132 | 31-basic-version_check.tests \ |
131 | 32-live-tsync_allow.tests | |
133 | 32-live-tsync_allow.tests \ | |
134 | 33-sim-socket_syscalls_be.tests | |
132 | 135 | |
133 | 136 | EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen |
134 | 137 |
114 | 114 | 26-sim-arch_all_be_basic$(EXEEXT) \ |
115 | 115 | 27-sim-bpf_blk_state$(EXEEXT) 28-sim-arch_x86$(EXEEXT) \ |
116 | 116 | 29-sim-pseudo_syscall$(EXEEXT) 30-sim-socket_syscalls$(EXEEXT) \ |
117 | 31-basic-version_check$(EXEEXT) 32-live-tsync_allow$(EXEEXT) | |
117 | 31-basic-version_check$(EXEEXT) 32-live-tsync_allow$(EXEEXT) \ | |
118 | 33-sim-socket_syscalls_be$(EXEEXT) | |
118 | 119 | EXTRA_PROGRAMS = 00-test$(EXEEXT) |
119 | 120 | subdir = tests |
120 | 121 | DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ |
279 | 280 | 32_live_tsync_allow_OBJECTS = 32-live-tsync_allow.$(OBJEXT) |
280 | 281 | 32_live_tsync_allow_LDADD = $(LDADD) |
281 | 282 | 32_live_tsync_allow_DEPENDENCIES = util.la ../src/libseccomp.la |
283 | 33_sim_socket_syscalls_be_SOURCES = 33-sim-socket_syscalls_be.c | |
284 | 33_sim_socket_syscalls_be_OBJECTS = \ | |
285 | 33-sim-socket_syscalls_be.$(OBJEXT) | |
286 | 33_sim_socket_syscalls_be_LDADD = $(LDADD) | |
287 | 33_sim_socket_syscalls_be_DEPENDENCIES = util.la ../src/libseccomp.la | |
282 | 288 | miniseq_SOURCES = miniseq.c |
283 | 289 | miniseq_OBJECTS = miniseq.$(OBJEXT) |
284 | 290 | miniseq_DEPENDENCIES = |
331 | 337 | 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \ |
332 | 338 | 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \ |
333 | 339 | 30-sim-socket_syscalls.c 31-basic-version_check.c \ |
334 | 32-live-tsync_allow.c miniseq.c | |
340 | 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c miniseq.c | |
335 | 341 | DIST_SOURCES = $(util_la_SOURCES) 01-sim-allow.c 02-sim-basic.c \ |
336 | 342 | 03-sim-basic_chains.c 04-sim-multilevel_chains.c \ |
337 | 343 | 05-sim-long_jumps.c 06-sim-actions.c 07-sim-db_bug_looping.c \ |
346 | 352 | 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \ |
347 | 353 | 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \ |
348 | 354 | 30-sim-socket_syscalls.c 31-basic-version_check.c \ |
349 | 32-live-tsync_allow.c miniseq.c | |
355 | 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c miniseq.c | |
350 | 356 | am__can_run_installinfo = \ |
351 | 357 | case $$AM_UPDATE_INFO_DIR in \ |
352 | 358 | n|no|NO) false;; \ |
556 | 562 | 29-sim-pseudo_syscall.py \ |
557 | 563 | 30-sim-socket_syscalls.py \ |
558 | 564 | 31-basic-version_check.py \ |
559 | 32-live-tsync_allow.py | |
565 | 32-live-tsync_allow.py \ | |
566 | 33-sim-socket_syscalls_be.py | |
560 | 567 | |
561 | 568 | EXTRA_DIST_TESTCFGS = \ |
562 | 569 | 01-sim-allow.tests \ |
590 | 597 | 29-sim-pseudo_syscall.tests \ |
591 | 598 | 30-sim-socket_syscalls.tests \ |
592 | 599 | 31-basic-version_check.tests \ |
593 | 32-live-tsync_allow.tests | |
600 | 32-live-tsync_allow.tests \ | |
601 | 33-sim-socket_syscalls_be.tests | |
594 | 602 | |
595 | 603 | EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen |
596 | 604 | EXTRA_DIST_TESTVALGRIND = valgrind_test.supp |
790 | 798 | 32-live-tsync_allow$(EXEEXT): $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_DEPENDENCIES) $(EXTRA_32_live_tsync_allow_DEPENDENCIES) |
791 | 799 | @rm -f 32-live-tsync_allow$(EXEEXT) |
792 | 800 | $(AM_V_CCLD)$(LINK) $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_LDADD) $(LIBS) |
801 | ||
802 | 33-sim-socket_syscalls_be$(EXEEXT): $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_DEPENDENCIES) $(EXTRA_33_sim_socket_syscalls_be_DEPENDENCIES) | |
803 | @rm -f 33-sim-socket_syscalls_be$(EXEEXT) | |
804 | $(AM_V_CCLD)$(LINK) $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_LDADD) $(LIBS) | |
793 | 805 | |
794 | 806 | miniseq$(EXEEXT): $(miniseq_OBJECTS) $(miniseq_DEPENDENCIES) $(EXTRA_miniseq_DEPENDENCIES) |
795 | 807 | @rm -f miniseq$(EXEEXT) |
834 | 846 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/30-sim-socket_syscalls.Po@am__quote@ |
835 | 847 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/31-basic-version_check.Po@am__quote@ |
836 | 848 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/32-live-tsync_allow.Po@am__quote@ |
849 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/33-sim-socket_syscalls_be.Po@am__quote@ | |
837 | 850 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/miniseq.Po@am__quote@ |
838 | 851 | @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ |
839 | 852 |