Merge branch 'sniffglue'
Peter Michael Green
3 years ago
0 | rust-sniffglue (0.11.1-6) UNRELEASED-FIXME-AUTOGENERATED-DEBCARGO; urgency=medium | |
1 | ||
2 | * Team upload. | |
3 | * Package sniffglue 0.11.1 from crates.io using debcargo 2.4.0 | |
4 | * Drop dev-dependency on boxxy and remove examples/boxxy.rs | |
5 | to allow the rest of the tests to run. | |
6 | * Fix a couple of compile errors in benches/bench.rs | |
7 | ||
8 | [ kpcyrd ] | |
9 | * Add missing syscalls to seccomp filter (Closes: #985858) | |
10 | ||
11 | -- Peter Michael Green <plugwash@debian.org> Thu, 25 Mar 2021 19:15:48 +0000 | |
12 | ||
0 | 13 | rust-sniffglue (0.11.1-5) unstable; urgency=medium |
1 | 14 | |
2 | 15 | * Team upload. |
8 | 8 | |
9 | 9 | Files: debian/* |
10 | 10 | Copyright: |
11 | 2018-2020 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
12 | 2018-2020 kpcyrd <git@rxv.cc> | |
11 | 2018-2021 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
12 | 2018-2021 kpcyrd <git@rxv.cc> | |
13 | 13 | License: GPL-3.0 |
14 | 14 | |
15 | 15 | License: GPL-3.0 |
20 | 20 | |
21 | 21 | Files: debian/* |
22 | 22 | Copyright: |
23 | 2018-2020 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
24 | 2018-2020 kpcyrd <git@rxv.cc> | |
23 | 2018-2021 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
24 | 2018-2021 kpcyrd <git@rxv.cc> | |
25 | 25 | License: GPL-3.0 |
26 | 26 | |
27 | 27 | License: GPL-3.0 |
0 | Index: sniffglue/benches/bench.rs | |
1 | =================================================================== | |
2 | --- sniffglue.orig/benches/bench.rs | |
3 | +++ sniffglue/benches/bench.rs | |
4 | @@ -43,7 +43,8 @@ mod tests { | |
5 | use structs::tcp::TCP::Text; | |
6 | ||
7 | use pktparse::ethernet::{MacAddress, EtherType, EthernetFrame}; | |
8 | - use pktparse::ipv4::{IPv4Header, IPv4Protocol}; | |
9 | + use pktparse::ipv4::IPv4Header; | |
10 | + use pktparse::ip::IPProtocol; | |
11 | use pktparse::tcp::TcpHeader; | |
12 | ||
13 | let mut pkt = Vec::new(); | |
14 | @@ -72,7 +73,7 @@ mod tests { | |
15 | flags: 2, | |
16 | fragment_offset: 0, | |
17 | ttl: 55, | |
18 | - protocol: IPv4Protocol::TCP, | |
19 | + protocol: IPProtocol::TCP, | |
20 | chksum: 64371, | |
21 | source_addr: "93.184.216.34".parse().unwrap(), | |
22 | dest_addr: "192.168.44.55".parse().unwrap(), | |
23 | @@ -98,14 +99,14 @@ mod tests { | |
24 | Text(String::from_utf8(HTML.to_vec()).unwrap()) | |
25 | )))); | |
26 | ||
27 | - let x = centrifuge::parse(&pkt); | |
28 | + let x = centrifuge::parse_eth(&pkt); | |
29 | assert_eq!(expected, x); | |
30 | } | |
31 | ||
32 | #[bench] | |
33 | fn bench_empty(b: &mut Bencher) { | |
34 | b.iter(|| { | |
35 | - centrifuge::parse(&[]).ok(); | |
36 | + centrifuge::parse_eth(&[]).ok(); | |
37 | }); | |
38 | } | |
39 | ||
40 | @@ -123,7 +124,7 @@ mod tests { | |
41 | pkt.extend(HTML.iter()); | |
42 | ||
43 | b.iter(|| { | |
44 | - centrifuge::parse(&pkt).ok(); | |
45 | + centrifuge::parse_eth(&pkt).ok(); | |
46 | }); | |
47 | } | |
48 | } |
0 | Index: sniffglue/Cargo.toml | |
1 | =================================================================== | |
2 | --- sniffglue.orig/Cargo.toml | |
3 | +++ sniffglue/Cargo.toml | |
4 | @@ -102,8 +102,6 @@ version = "0.5" | |
5 | ||
6 | [dependencies.users] | |
7 | version = "0.10" | |
8 | -[dev-dependencies.boxxy] | |
9 | -version = "0.11" | |
10 | [target."cfg(target_os=\"linux\")".dependencies.syscallz] | |
11 | version = "0.15.0" | |
12 | [badges.travis-ci] | |
13 | Index: sniffglue/examples/boxxy.rs | |
14 | =================================================================== | |
15 | --- sniffglue.orig/examples/boxxy.rs | |
16 | +++ /dev/null | |
17 | @@ -1,30 +0,0 @@ | |
18 | -#[macro_use] extern crate boxxy; | |
19 | -extern crate sniffglue; | |
20 | -extern crate env_logger; | |
21 | - | |
22 | -fn stage1(sh: &mut boxxy::Shell, _args: Vec<String>) -> Result<(), boxxy::Error> { | |
23 | - shprintln!(sh, "[*] starting stage1"); | |
24 | - sniffglue::sandbox::activate_stage1().unwrap(); | |
25 | - shprintln!(sh, "[+] activated!"); | |
26 | - Ok(()) | |
27 | -} | |
28 | - | |
29 | -fn stage2(sh: &mut boxxy::Shell, _args: Vec<String>) -> Result<(), boxxy::Error> { | |
30 | - shprintln!(sh, "[*] starting stage2"); | |
31 | - sniffglue::sandbox::activate_stage2().unwrap(); | |
32 | - shprintln!(sh, "[+] activated!"); | |
33 | - Ok(()) | |
34 | -} | |
35 | - | |
36 | -fn main() { | |
37 | - env_logger::init(); | |
38 | - | |
39 | - println!("stage1 activate sandbox stage1/2"); | |
40 | - println!("stage2 activate sandbox stage2/2"); | |
41 | - | |
42 | - let toolbox = boxxy::Toolbox::new().with(vec![ | |
43 | - ("stage1", stage1), | |
44 | - ("stage2", stage2), | |
45 | - ]); | |
46 | - boxxy::Shell::new(toolbox).run() | |
47 | -} |
0 | diff --git a/src/sandbox/seccomp.rs b/src/sandbox/seccomp.rs | |
1 | index bfa2e49..0cb5837 100644 | |
2 | --- a/src/sandbox/seccomp.rs | |
3 | +++ b/src/sandbox/seccomp.rs | |
4 | @@ -43,6 +44,8 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
5 | #[cfg(target_arch = "arm")] | |
6 | ctx.allow_syscall(Syscall::send)?; | |
7 | ctx.allow_syscall(Syscall::sendto)?; | |
8 | + #[cfg(target_arch = "arm")] | |
9 | + ctx.allow_syscall(Syscall::recv)?; | |
10 | ctx.allow_syscall(Syscall::recvfrom)?; | |
11 | ctx.allow_syscall(Syscall::sendmsg)?; | |
12 | ctx.allow_syscall(Syscall::recvmsg)?; | |
13 | @@ -99,7 +102,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
14 | ctx.allow_syscall(Syscall::exit_group)?; | |
15 | ctx.allow_syscall(Syscall::set_robust_list)?; | |
16 | ctx.allow_syscall(Syscall::openat)?; | |
17 | - #[cfg(target_arch = "aarch64")] | |
18 | + #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] | |
19 | ctx.allow_syscall(Syscall::newfstatat)?; | |
20 | ctx.allow_syscall(Syscall::seccomp)?; // needed for stage2 | |
21 | ctx.allow_syscall(Syscall::getrandom)?; | |
22 | @@ -117,6 +120,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
23 | #[cfg(not(target_arch = "aarch64"))] | |
24 | ctx.allow_syscall(Syscall::access)?; // needed for debian /etc/ld.so.nohwcap | |
25 | ctx.allow_syscall(Syscall::faccessat)?; // needed for debian /etc/ld.so.nohwcap | |
26 | + ctx.allow_syscall(Syscall::eventfd2)?; | |
27 | ||
28 | ctx.load()?; | |
29 | ||
30 | @@ -153,13 +157,15 @@ pub fn activate_stage2() -> Result<(), syscallz::Error> { | |
31 | // ctx.allow_syscall(Syscall::socket)?; | |
32 | // ctx.allow_syscall(Syscall::connect)?; | |
33 | // ctx.allow_syscall(Syscall::sendto)?; | |
34 | + #[cfg(target_arch = "arm")] | |
35 | + ctx.allow_syscall(Syscall::recv)?; | |
36 | // ctx.allow_syscall(Syscall::recvfrom)?; | |
37 | // ctx.allow_syscall(Syscall::sendmsg)?; | |
38 | // ctx.allow_syscall(Syscall::recvmsg)?; | |
39 | // ctx.allow_syscall(Syscall::bind)?; | |
40 | - // ctx.allow_syscall(Syscall::getsockname)?; | |
41 | + ctx.allow_syscall(Syscall::getsockname)?; | |
42 | ctx.allow_syscall(Syscall::setsockopt)?; | |
43 | - // ctx.allow_syscall(Syscall::getsockopt)?; | |
44 | + ctx.allow_syscall(Syscall::getsockopt)?; | |
45 | ctx.allow_syscall(Syscall::clone)?; | |
46 | // ctx.allow_syscall(Syscall::uname)?; | |
47 | // ctx.allow_syscall(Syscall::fcntl)?; |
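Review bot: In the `activate_stage2` hunk the stage-2 filter gains `recv` (arm only), `getsockname` and `getsockopt` with no comment saying which code path needs them, while the neighbouring `socket`, `connect`, `recvfrom` and `recvmsg` entries stay commented out. Because this allow-list is the sandbox boundary, each newly permitted syscall should carry its justification the way the stage-1 lines do (`// needed for stage2`, `// needed for debian /etc/ld.so.nohwcap`), for example `ctx.allow_syscall(Syscall::getsockopt)?; // needed for <caller, to be named by the author>`. The arm-only `recv` deserves a check in particular: in the visible lines no other receive syscall is enabled for stage 2, so either arm ends up with a wider filter than the other architectures or the comment should say why arm differs. The same missing rationale applies to `eventfd2` in the last `activate_stage1` hunk. Both function bodies start and end outside the hunks shown.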