backport patches from upstream
This commit is contained in:
zou_lin77
parent
bac749a341
commit
05dce15b2d
@ -0,0 +1,49 @@
|
||||
From 2de3b87122c18b58b3e2b32ab2e81ac43774a7aa Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
Date: Wed, 16 Mar 2022 11:19:14 -0600
|
||||
Subject: [PATCH] bpf: pfc: Add handling for 0 syscalls in the binary tree
|
||||
|
||||
Handle the unlikely case where a user has chosen the
|
||||
binary tree optimization but has zero syscalls in their
|
||||
filter.
|
||||
|
||||
Fixes: https://github.com/seccomp/libseccomp/issues/370
|
||||
Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
|
||||
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
Acked-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
src/gen_bpf.c | 3 +++
|
||||
src/gen_pfc.c | 3 +++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/gen_bpf.c b/src/gen_bpf.c
|
||||
index c878f44..7131761 100644
|
||||
--- a/src/gen_bpf.c
|
||||
+++ b/src/gen_bpf.c
|
||||
@@ -1348,6 +1348,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt)
|
||||
{
|
||||
unsigned int i = 2, max_level = SYSCALLS_PER_NODE * 2;
|
||||
|
||||
+ if (syscall_cnt == 0)
|
||||
+ return 0;
|
||||
+
|
||||
while (max_level < syscall_cnt) {
|
||||
max_level <<= 1;
|
||||
i++;
|
||||
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
|
||||
index c7fb536..4916055 100644
|
||||
--- a/src/gen_pfc.c
|
||||
+++ b/src/gen_pfc.c
|
||||
@@ -275,6 +275,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt,
|
||||
/* Only use a binary tree if requested */
|
||||
return 0;
|
||||
|
||||
+ if (syscall_cnt == 0)
|
||||
+ return 0;
|
||||
+
|
||||
do {
|
||||
max_level = SYSCALLS_PER_NODE << i;
|
||||
i++;
|
||||
--
|
||||
2.27.0
|
||||
|
||||
187
backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch
Normal file
187
backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch
Normal file
@ -0,0 +1,187 @@
|
||||
From 5731dd9f73df9025b2c8924e2f4ce78a7d94af00 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
Date: Wed, 16 Mar 2022 11:24:40 -0600
|
||||
Subject: [PATCH] tests: Add a binary tree test with zero syscalls
|
||||
|
||||
Add a test that exercises the binary tree optimization but
|
||||
the seccomp filter has zero syscalls in it.
|
||||
|
||||
Related-bug: https://github.com/seccomp/libseccomp/issues/370
|
||||
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
Acked-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
tests/59-basic-empty_binary_tree.c | 54 ++++++++++++++++++++++++++
|
||||
tests/59-basic-empty_binary_tree.py | 41 +++++++++++++++++++
|
||||
tests/59-basic-empty_binary_tree.tests | 16 ++++++++
|
||||
tests/Makefile.am | 9 +++--
|
||||
4 files changed, 117 insertions(+), 3 deletions(-)
|
||||
create mode 100644 tests/59-basic-empty_binary_tree.c
|
||||
create mode 100755 tests/59-basic-empty_binary_tree.py
|
||||
create mode 100644 tests/59-basic-empty_binary_tree.tests
|
||||
|
||||
diff --git a/tests/59-basic-empty_binary_tree.c b/tests/59-basic-empty_binary_tree.c
|
||||
new file mode 100644
|
||||
index 0000000..6b6485e
|
||||
--- /dev/null
|
||||
+++ b/tests/59-basic-empty_binary_tree.c
|
||||
@@ -0,0 +1,54 @@
|
||||
+/**
|
||||
+ * Seccomp Library test program
|
||||
+ *
|
||||
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
|
||||
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This library is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
|
||||
+ * published by the Free Software Foundation.
|
||||
+ *
|
||||
+ * This library is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
||||
+ * for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU Lesser General Public License
|
||||
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
|
||||
+ */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+#include <seccomp.h>
|
||||
+
|
||||
+#include "util.h"
|
||||
+
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ int rc;
|
||||
+ struct util_options opts;
|
||||
+ scmp_filter_ctx ctx = NULL;
|
||||
+
|
||||
+ rc = util_getopt(argc, argv, &opts);
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
|
||||
+ if (ctx == NULL)
|
||||
+ return ENOMEM;
|
||||
+
|
||||
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ rc = util_filter_output(&opts, ctx);
|
||||
+ if (rc)
|
||||
+ goto out;
|
||||
+
|
||||
+out:
|
||||
+ seccomp_release(ctx);
|
||||
+ return (rc < 0 ? -rc : rc);
|
||||
+}
|
||||
diff --git a/tests/59-basic-empty_binary_tree.py b/tests/59-basic-empty_binary_tree.py
|
||||
new file mode 100755
|
||||
index 0000000..5acbbd4
|
||||
--- /dev/null
|
||||
+++ b/tests/59-basic-empty_binary_tree.py
|
||||
@@ -0,0 +1,41 @@
|
||||
+#!/usr/bin/env python
|
||||
+
|
||||
+#
|
||||
+# Seccomp Library test program
|
||||
+#
|
||||
+# Copyright (c) 2022 Oracle and/or its affiliates.
|
||||
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
+#
|
||||
+
|
||||
+#
|
||||
+# This library is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of version 2.1 of the GNU Lesser General Public License as
|
||||
+# published by the Free Software Foundation.
|
||||
+#
|
||||
+# This library is distributed in the hope that it will be useful, but WITHOUT
|
||||
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
|
||||
+# for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU Lesser General Public License
|
||||
+# along with this library; if not, see <http://www.gnu.org/licenses>.
|
||||
+#
|
||||
+
|
||||
+import argparse
|
||||
+import sys
|
||||
+
|
||||
+import util
|
||||
+
|
||||
+from seccomp import *
|
||||
+
|
||||
+def test(args):
|
||||
+ f = SyscallFilter(ALLOW)
|
||||
+ f.set_attr(Attr.CTL_OPTIMIZE, 2)
|
||||
+ return f
|
||||
+
|
||||
+args = util.get_opt()
|
||||
+ctx = test(args)
|
||||
+util.filter_output(args, ctx)
|
||||
+
|
||||
+# kate: syntax python;
|
||||
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
|
||||
diff --git a/tests/59-basic-empty_binary_tree.tests b/tests/59-basic-empty_binary_tree.tests
|
||||
new file mode 100644
|
||||
index 0000000..ff6dbc3
|
||||
--- /dev/null
|
||||
+++ b/tests/59-basic-empty_binary_tree.tests
|
||||
@@ -0,0 +1,16 @@
|
||||
+#
|
||||
+# libseccomp regression test automation data
|
||||
+#
|
||||
+# Copyright (c) 2022 Oracle and/or its affiliates.
|
||||
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
|
||||
+#
|
||||
+
|
||||
+test type: bpf-sim
|
||||
+
|
||||
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
|
||||
+59-basic-empty_binary_tree all,-x32 0-350 N N N N N N ALLOW
|
||||
+
|
||||
+test type: bpf-valgrind
|
||||
+
|
||||
+# Testname
|
||||
+59-basic-empty_binary_tree
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index b39ee06..f0a1f8e 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -93,7 +93,8 @@ check_PROGRAMS = \
|
||||
55-basic-pfc_binary_tree \
|
||||
56-basic-iterate_syscalls \
|
||||
57-basic-rawsysrc \
|
||||
- 58-live-tsync_notify
|
||||
+ 58-live-tsync_notify \
|
||||
+ 59-basic-empty_binary_tree
|
||||
|
||||
EXTRA_DIST_TESTPYTHON = \
|
||||
util.py \
|
||||
@@ -152,7 +153,8 @@ EXTRA_DIST_TESTPYTHON = \
|
||||
54-live-binary_tree.py \
|
||||
56-basic-iterate_syscalls.py \
|
||||
57-basic-rawsysrc.py \
|
||||
- 58-live-tsync_notify.py
|
||||
+ 58-live-tsync_notify.py \
|
||||
+ 59-basic-empty_binary_tree.py
|
||||
|
||||
EXTRA_DIST_TESTCFGS = \
|
||||
01-sim-allow.tests \
|
||||
@@ -212,7 +214,8 @@ EXTRA_DIST_TESTCFGS = \
|
||||
55-basic-pfc_binary_tree.tests \
|
||||
56-basic-iterate_syscalls.tests \
|
||||
57-basic-rawsysrc.tests \
|
||||
- 58-live-tsync_notify.tests
|
||||
+ 58-live-tsync_notify.tests \
|
||||
+ 59-basic-empty_binary_tree.tests
|
||||
|
||||
EXTRA_DIST_TESTSCRIPTS = \
|
||||
38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,12 +1,15 @@
|
||||
Name: libseccomp
|
||||
Version: 2.5.3
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Interface to the syscall filtering mechanism
|
||||
License: LGPLv2
|
||||
URL: https://github.com/seccomp/libseccomp
|
||||
Source0: https://github.com/seccomp/libseccomp/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
BuildRequires: gcc gperf
|
||||
Patch0: backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch
|
||||
Patch1: backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch
|
||||
|
||||
BuildRequires: gcc gperf autoconf automake
|
||||
|
||||
%description
|
||||
The libseccomp library provides an easy to use, platform independent, interface to
|
||||
@ -31,6 +34,7 @@ developing applications that use %{name}.
|
||||
%autosetup -n %{name}-%{version} -p1
|
||||
|
||||
%build
|
||||
autoreconf
|
||||
%configure
|
||||
%make_build
|
||||
|
||||
@ -67,6 +71,9 @@ make check
|
||||
%{_mandir}/man*/*
|
||||
|
||||
%changelog
|
||||
* Sat Aug 27 2022 zoulin <zoulin13@h-partners.com> - 2.5.3-2
|
||||
- backport patches from upstream
|
||||
|
||||
* Tue Dec 28 2021 fuanan <fuanan3@huawei.com> - 2.5.3-1
|
||||
- update version to 2.5.3
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user