backport patches from upstream

backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch

@@ -0,0 +1,49 @@
+From 2de3b87122c18b58b3e2b32ab2e81ac43774a7aa Mon Sep 17 00:00:00 2001
+From: Tom Hromatka <tom.hromatka@oracle.com>
+Date: Wed, 16 Mar 2022 11:19:14 -0600
+Subject: [PATCH] bpf: pfc: Add handling for 0 syscalls in the binary tree
+
+Handle the unlikely case where a user has chosen the
+binary tree optimization but has zero syscalls in their
+filter.
+
+Fixes: https://github.com/seccomp/libseccomp/issues/370
+Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
+Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+---
+ src/gen_bpf.c | 3 +++
+ src/gen_pfc.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/gen_bpf.c b/src/gen_bpf.c
+index c878f44..7131761 100644
+--- a/src/gen_bpf.c
++++ b/src/gen_bpf.c
+@@ -1348,6 +1348,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt)
+ {
+ 	unsigned int i = 2, max_level = SYSCALLS_PER_NODE * 2;
+ 
++	if (syscall_cnt == 0)
++		return 0;
++
+ 	while (max_level < syscall_cnt) {
+ 		max_level <<= 1;
+ 		i++;
+diff --git a/src/gen_pfc.c b/src/gen_pfc.c
+index c7fb536..4916055 100644
+--- a/src/gen_pfc.c
++++ b/src/gen_pfc.c
+@@ -275,6 +275,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt,
+ 		/* Only use a binary tree if requested */
+ 		return 0;
+ 
++	if (syscall_cnt == 0)
++		return 0;
++
+ 	do {
+ 		max_level = SYSCALLS_PER_NODE << i;
+ 		i++;
+-- 
+2.27.0
+

backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch

@@ -0,0 +1,187 @@
+From 5731dd9f73df9025b2c8924e2f4ce78a7d94af00 Mon Sep 17 00:00:00 2001
+From: Tom Hromatka <tom.hromatka@oracle.com>
+Date: Wed, 16 Mar 2022 11:24:40 -0600
+Subject: [PATCH] tests: Add a binary tree test with zero syscalls
+
+Add a test that exercises the binary tree optimization but
+the seccomp filter has zero syscalls in it.
+
+Related-bug: https://github.com/seccomp/libseccomp/issues/370
+Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/59-basic-empty_binary_tree.c     | 54 ++++++++++++++++++++++++++
+ tests/59-basic-empty_binary_tree.py    | 41 +++++++++++++++++++
+ tests/59-basic-empty_binary_tree.tests | 16 ++++++++
+ tests/Makefile.am                      |  9 +++--
+ 4 files changed, 117 insertions(+), 3 deletions(-)
+ create mode 100644 tests/59-basic-empty_binary_tree.c
+ create mode 100755 tests/59-basic-empty_binary_tree.py
+ create mode 100644 tests/59-basic-empty_binary_tree.tests
+
+diff --git a/tests/59-basic-empty_binary_tree.c b/tests/59-basic-empty_binary_tree.c
+new file mode 100644
+index 0000000..6b6485e
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.c
+@@ -0,0 +1,54 @@
++/**
++ * Seccomp Library test program
++ *
++ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
++ * Author: Tom Hromatka <tom.hromatka@oracle.com>
++ */
++
++/*
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of version 2.1 of the GNU Lesser General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This library is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
++ * for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this library; if not, see <http://www.gnu.org/licenses>.
++ */
++
++#include <errno.h>
++#include <unistd.h>
++
++#include <seccomp.h>
++
++#include "util.h"
++
++int main(int argc, char *argv[])
++{
++	int rc;
++	struct util_options opts;
++	scmp_filter_ctx ctx = NULL;
++
++	rc = util_getopt(argc, argv, &opts);
++	if (rc < 0)
++		goto out;
++
++	ctx = seccomp_init(SCMP_ACT_ALLOW);
++	if (ctx == NULL)
++		return ENOMEM;
++
++	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
++	if (rc < 0)
++		goto out;
++
++	rc = util_filter_output(&opts, ctx);
++	if (rc)
++		goto out;
++
++out:
++	seccomp_release(ctx);
++	return (rc < 0 ? -rc : rc);
++}
+diff --git a/tests/59-basic-empty_binary_tree.py b/tests/59-basic-empty_binary_tree.py
+new file mode 100755
+index 0000000..5acbbd4
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.py
+@@ -0,0 +1,41 @@
++#!/usr/bin/env python
++
++#
++# Seccomp Library test program
++#
++# Copyright (c) 2022 Oracle and/or its affiliates.
++# Author: Tom Hromatka <tom.hromatka@oracle.com>
++#
++
++#
++# This library is free software; you can redistribute it and/or modify it
++# under the terms of version 2.1 of the GNU Lesser General Public License as
++# published by the Free Software Foundation.
++#
++# This library is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
++# for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with this library; if not, see <http://www.gnu.org/licenses>.
++#
++
++import argparse
++import sys
++
++import util
++
++from seccomp import *
++
++def test(args):
++    f = SyscallFilter(ALLOW)
++    f.set_attr(Attr.CTL_OPTIMIZE, 2)
++    return f
++
++args = util.get_opt()
++ctx = test(args)
++util.filter_output(args, ctx)
++
++# kate: syntax python;
++# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
+diff --git a/tests/59-basic-empty_binary_tree.tests b/tests/59-basic-empty_binary_tree.tests
+new file mode 100644
+index 0000000..ff6dbc3
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.tests
+@@ -0,0 +1,16 @@
++#
++# libseccomp regression test automation data
++#
++# Copyright (c) 2022 Oracle and/or its affiliates.
++# Author: Tom Hromatka <tom.hromatka@oracle.com>
++#
++
++test type: bpf-sim
++
++# Testname	Arch		Syscall	Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
++59-basic-empty_binary_tree	all,-x32	0-350	N	N	N	N	N	N	ALLOW
++
++test type: bpf-valgrind
++
++# Testname
++59-basic-empty_binary_tree
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b39ee06..f0a1f8e 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -93,7 +93,8 @@ check_PROGRAMS = \
+ 	55-basic-pfc_binary_tree \
+ 	56-basic-iterate_syscalls \
+ 	57-basic-rawsysrc \
+-	58-live-tsync_notify
++	58-live-tsync_notify \
++	59-basic-empty_binary_tree
+ 
+ EXTRA_DIST_TESTPYTHON = \
+ 	util.py \
+@@ -152,7 +153,8 @@ EXTRA_DIST_TESTPYTHON = \
+ 	54-live-binary_tree.py \
+ 	56-basic-iterate_syscalls.py \
+ 	57-basic-rawsysrc.py \
+-	58-live-tsync_notify.py
++	58-live-tsync_notify.py \
++	59-basic-empty_binary_tree.py
+ 
+ EXTRA_DIST_TESTCFGS = \
+ 	01-sim-allow.tests \
+@@ -212,7 +214,8 @@ EXTRA_DIST_TESTCFGS = \
+ 	55-basic-pfc_binary_tree.tests \
+ 	56-basic-iterate_syscalls.tests \
+ 	57-basic-rawsysrc.tests \
+-	58-live-tsync_notify.tests
++	58-live-tsync_notify.tests \
++	59-basic-empty_binary_tree.tests
+ 
+ EXTRA_DIST_TESTSCRIPTS = \
+ 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
+-- 
+2.27.0
+

libseccomp.spec

@@ -1,12 +1,15 @@
 Name:		libseccomp
 Version:	2.5.3
-Release:        1
+Release:        2
 Summary:	Interface to the syscall filtering mechanism
 License:	LGPLv2
 URL:		https://github.com/seccomp/libseccomp
 Source0:	https://github.com/seccomp/libseccomp/releases/download/v%{version}/%{name}-%{version}.tar.gz
 
-BuildRequires:	gcc gperf
+Patch0:         backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch
+Patch1:         backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch
+
+BuildRequires:	gcc gperf autoconf automake
 
 %description
 The libseccomp library provides an easy to use, platform independent, interface to
@@ -31,6 +34,7 @@ developing applications that use %{name}.
 %autosetup -n %{name}-%{version} -p1
 
 %build
+autoreconf
 %configure
 %make_build
 
@@ -67,6 +71,9 @@ make check
 %{_mandir}/man*/*
 
 %changelog
+* Sat Aug 27 2022 zoulin <zoulin13@h-partners.com> - 2.5.3-2
+- backport patches from upstream
+
 * Tue Dec 28 2021 fuanan <fuanan3@huawei.com> - 2.5.3-1
 - update version to 2.5.3