packages/libseccomp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:b2a8f8c25bb8b50134c372c247bdf65b86ad5b80
Branches Tags
packages:main
..
compare: packages:bac749a341c37bdc4250281af6caa9d24477a218
Branches Tags
packages:main

No commits in common. "b2a8f8c25bb8b50134c372c247bdf65b86ad5b80" and "bac749a341c37bdc4250281af6caa9d24477a218" have entirely different histories.
b2a8f8c25b ... bac749a341

7 changed files with 3 additions and 2464 deletions
Show Stats Expand all files Collapse all files

1979
Add-64-bit-LoongArch-support.patch
View File

File diff suppressed because it is too large Load Diff

45
backport-arch-disambiguate-in-arch-syscall-validate.patch
View File

@ -1,45 +0,0 @@
From 94f684f858673365c8dc103affe54de698f63421 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 31 Aug 2022 10:34:39 -0700
Subject: [PATCH] arch: disambiguate $(( in arch-syscall-validate
shellcheck complains:
> In arch-syscall-validate line 785:
> sc_list=$((for abi in $abi_list; do
> ^-- SC1102 (error): Shells disambiguate $((
> differently or not at all. For $(command substitution)
, add space after $( . For $((arithmetics)), fix parsing errors.
Another tool, shfmt, can't even parse the file:
> arch-syscall-validate:785:17: not a valid arithmetic operator: abi
Add a space to resolve this.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
---
src/arch-syscall-validate | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate
index 3b69e9b..91b6bef 100755
--- a/src/arch-syscall-validate
+++ b/src/arch-syscall-validate
@@ -728,9 +728,9 @@ function gen_csv() {
eval output_$abi=$(mktemp -t syscall_validate_XXXXXX)
dump_$2_$abi "$1" > $(eval echo $`eval echo output_$abi`)
done
- sc_list=$((for abi in $abi_list; do
+ sc_list=$( (for abi in $abi_list; do
cat $(eval echo $`eval echo output_$abi`);
- done) | awk -F "," '{ print $1 }' | sort -u)
+ done) | awk -F "," '{ print $1 }' | sort -u)
# output a simple header
printf "#syscall (v%s %s)" \
--
2.27.0

383
fix-build-error-for-libseccomp.patch
View File

@ -1,383 +0,0 @@
From 60f25b4dbe9b769df6a77f326e2bf811ea52d083 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 May 2023 09:03:05 +0000
Subject: [PATCH] fix build error for libseccomp
---
include/seccomp-syscalls.h | 1 +
tests/06-sim-actions.tests | 1 -
tests/38-basic-pfc_coverage.c | 3 --
tests/38-basic-pfc_coverage.pfc | 33 ----------------
tests/53-sim-binary_tree.c | 1 -
tests/53-sim-binary_tree.py | 2 -
tests/53-sim-binary_tree.tests | 1 -
tests/55-basic-pfc_binary_tree.c | 1 -
tests/55-basic-pfc_binary_tree.pfc | 61 +++++++++++-------------------
9 files changed, 24 insertions(+), 80 deletions(-)
diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
index 8019d29..5468aee 100644
--- a/include/seccomp-syscalls.h
+++ b/include/seccomp-syscalls.h
@@ -276,6 +276,7 @@
#define __PNR_renameat -10242
#define __PNR_riscv_flush_icache -10243
#define __PNR_memfd_secret -10244
+#define __PNR_fstat -10245
/*
* libseccomp syscall definitions
diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
index 1ef38b3..993d340 100644
--- a/tests/06-sim-actions.tests
+++ b/tests/06-sim-actions.tests
@@ -12,7 +12,6 @@ test type: bpf-sim
06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
06-sim-actions all close 4 N N N N N TRAP
06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234)
-06-sim-actions all fstat N N N N N N KILL_PROCESS
06-sim-actions all rt_sigreturn N N N N N N LOG
06-sim-actions x86 0-2 N N N N N N KILL
06-sim-actions x86 7-107 N N N N N N KILL
diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
index d6ac796..b06b05a 100644
--- a/tests/38-basic-pfc_coverage.c
+++ b/tests/38-basic-pfc_coverage.c
@@ -109,9 +109,6 @@ int main(int argc, char *argv[])
if (rc < 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0);
- if (rc < 0)
- goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
if (rc < 0)
goto out;
rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
index f287f1d..c4bec83 100644
--- a/tests/38-basic-pfc_coverage.pfc
+++ b/tests/38-basic-pfc_coverage.pfc
@@ -9,9 +9,6 @@ if ($arch == 3221225534)
# filter for syscall "exit" (60) [priority: 65535]
if ($syscall == 60)
action TRACE(1);
- # filter for syscall "fstat" (5) [priority: 65535]
- if ($syscall == 5)
- action KILL_PROCESS;
# filter for syscall "close" (3) [priority: 65535]
if ($syscall == 3)
action ERRNO(1);
@@ -103,9 +100,6 @@ if ($arch == 1073741827)
# filter for syscall "exit_group" (252) [priority: 65535]
if ($syscall == 252)
action LOG;
- # filter for syscall "fstat" (108) [priority: 65535]
- if ($syscall == 108)
- action KILL_PROCESS;
# filter for syscall "close" (6) [priority: 65535]
if ($syscall == 6)
action ERRNO(1);
@@ -141,9 +135,6 @@ if ($arch == 3221225534)
# filter for syscall "exit" (1073741884) [priority: 65535]
if ($syscall == 1073741884)
action TRACE(1);
- # filter for syscall "fstat" (1073741829) [priority: 65535]
- if ($syscall == 1073741829)
- action KILL_PROCESS;
# filter for syscall "close" (1073741827) [priority: 65535]
if ($syscall == 1073741827)
action ERRNO(1);
@@ -173,9 +164,6 @@ if ($arch == 1073741864)
# filter for syscall "exit_group" (248) [priority: 65535]
if ($syscall == 248)
action LOG;
- # filter for syscall "fstat" (108) [priority: 65535]
- if ($syscall == 108)
- action KILL_PROCESS;
# filter for syscall "close" (6) [priority: 65535]
if ($syscall == 6)
action ERRNO(1);
@@ -214,9 +202,6 @@ if ($arch == 3221225655)
# filter for syscall "exit" (93) [priority: 65535]
if ($syscall == 93)
action TRACE(1);
- # filter for syscall "fstat" (80) [priority: 65535]
- if ($syscall == 80)
- action KILL_PROCESS;
# filter for syscall "close" (57) [priority: 65535]
if ($syscall == 57)
action ERRNO(1);
@@ -311,9 +296,6 @@ if ($arch == 3221225730)
# filter for syscall "exit" (93) [priority: 65535]
if ($syscall == 93)
action TRACE(1);
- # filter for syscall "fstat" (80) [priority: 65535]
- if ($syscall == 80)
- action KILL_PROCESS;
# filter for syscall "close" (57) [priority: 65535]
if ($syscall == 57)
action ERRNO(1);
@@ -402,9 +384,6 @@ if ($arch == 1073741832)
# filter for syscall "exit_group" (4246) [priority: 65535]
if ($syscall == 4246)
action LOG;
- # filter for syscall "fstat" (4108) [priority: 65535]
- if ($syscall == 4108)
- action KILL_PROCESS;
# filter for syscall "close" (4006) [priority: 65535]
if ($syscall == 4006)
action ERRNO(1);
@@ -440,9 +419,6 @@ if ($arch == 3221225480)
# filter for syscall "exit" (5058) [priority: 65535]
if ($syscall == 5058)
action TRACE(1);
- # filter for syscall "fstat" (5005) [priority: 65535]
- if ($syscall == 5005)
- action KILL_PROCESS;
# filter for syscall "close" (5003) [priority: 65535]
if ($syscall == 5003)
action ERRNO(1);
@@ -537,9 +513,6 @@ if ($arch == 3758096392)
# filter for syscall "exit" (6058) [priority: 65535]
if ($syscall == 6058)
action TRACE(1);
- # filter for syscall "fstat" (6005) [priority: 65535]
- if ($syscall == 6005)
- action KILL_PROCESS;
# filter for syscall "close" (6003) [priority: 65535]
if ($syscall == 6003)
action ERRNO(1);
@@ -569,9 +542,6 @@ if ($arch == 3221225493)
# filter for syscall "exit_group" (234) [priority: 65535]
if ($syscall == 234)
action LOG;
- # filter for syscall "fstat" (108) [priority: 65535]
- if ($syscall == 108)
- action KILL_PROCESS;
# filter for syscall "close" (6) [priority: 65535]
if ($syscall == 6)
action ERRNO(1);
@@ -672,9 +642,6 @@ if ($arch == 3221225715)
# filter for syscall "exit" (93) [priority: 65535]
if ($syscall == 93)
action TRACE(1);
- # filter for syscall "fstat" (80) [priority: 65535]
- if ($syscall == 80)
- action KILL_PROCESS;
# filter for syscall "close" (57) [priority: 65535]
if ($syscall == 57)
action ERRNO(1);
diff --git a/tests/53-sim-binary_tree.c b/tests/53-sim-binary_tree.c
index 98b9e2c..39acbe7 100644
--- a/tests/53-sim-binary_tree.c
+++ b/tests/53-sim-binary_tree.c
@@ -48,7 +48,6 @@ struct syscall_errno table[] = {
{ SCMP_SYS(open), 2, 0, { 0, 0 } },
{ SCMP_SYS(close), 3, 2, { 100, 101 } },
{ SCMP_SYS(stat), 4, 0, { 0, 0 } },
- { SCMP_SYS(fstat), 5, 0, { 0, 0 } },
{ SCMP_SYS(lstat), 6, 0, { 0, 0 } },
{ SCMP_SYS(poll), 7, 1, { 102, 0 } },
{ SCMP_SYS(lseek), 8, 2, { 103, 104 } },
diff --git a/tests/53-sim-binary_tree.py b/tests/53-sim-binary_tree.py
index cc49890..75e7bd3 100755
--- a/tests/53-sim-binary_tree.py
+++ b/tests/53-sim-binary_tree.py
@@ -34,7 +34,6 @@ table = [
{"syscall": "open", "error": 2, "arg_cnt": 0 },
{"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 },
{"syscall": "stat", "error": 4, "arg_cnt": 0 },
- {"syscall": "fstat", "error": 5, "arg_cnt": 0 },
{"syscall": "lstat", "error": 6, "arg_cnt": 0 },
{"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 },
{"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 },
@@ -71,7 +70,6 @@ def test(args):
f.remove_arch(Arch())
f.add_arch(Arch("aarch64"))
- f.add_arch(Arch("loongarch64"))
f.add_arch(Arch("ppc64le"))
f.add_arch(Arch("x86_64"))
diff --git a/tests/53-sim-binary_tree.tests b/tests/53-sim-binary_tree.tests
index 87380d6..2cdb076 100644
--- a/tests/53-sim-binary_tree.tests
+++ b/tests/53-sim-binary_tree.tests
@@ -17,7 +17,6 @@ test type: bpf-sim
53-sim-binary_tree +x86_64,+ppc64le,+aarch64,+loongarch64 close 100 101 N N N N ERRNO(3)
53-sim-binary_tree +x86_64,+ppc64le stat N N N N N N ERRNO(4)
53-sim-binary_tree +aarch64,+loongarch64 stat N N N N N N ALLOW
-53-sim-binary_tree +x86_64,+ppc64le,+aarch64,+loongarch64 fstat N N N N N N ERRNO(5)
53-sim-binary_tree +x86_64,+ppc64le lstat N N N N N N ERRNO(6)
53-sim-binary_tree +aarch64,+loongarch64 lstat N N N N N N ALLOW
53-sim-binary_tree +x86_64,+ppc64le poll 102 N N N N N ERRNO(7)
diff --git a/tests/55-basic-pfc_binary_tree.c b/tests/55-basic-pfc_binary_tree.c
index 0919f6b..d542e5b 100644
--- a/tests/55-basic-pfc_binary_tree.c
+++ b/tests/55-basic-pfc_binary_tree.c
@@ -48,7 +48,6 @@ struct syscall_errno table[] = {
{ SCMP_SYS(open), 2, 0, { 0, 0 } },
{ SCMP_SYS(close), 3, 0, { 0, 0 } },
{ SCMP_SYS(stat), 4, 0, { 0, 0 } },
- { SCMP_SYS(fstat), 5, 1, { 103, 0 } },
{ SCMP_SYS(lstat), 6, 0, { 0, 0 } },
{ SCMP_SYS(poll), 7, 0, { 0, 0 } },
{ SCMP_SYS(lseek), 8, 1, { 104, 0 } },
diff --git a/tests/55-basic-pfc_binary_tree.pfc b/tests/55-basic-pfc_binary_tree.pfc
index e63aa12..44f8498 100644
--- a/tests/55-basic-pfc_binary_tree.pfc
+++ b/tests/55-basic-pfc_binary_tree.pfc
@@ -3,7 +3,7 @@
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
- if ($syscall > 2)
+ if ($syscall > 1)
if ($syscall > 10)
if ($syscall > 14)
# filter for syscall "pwrite64" (18) [priority: 65531]
@@ -59,21 +59,16 @@ if ($arch == 3221225534)
# filter for syscall "lstat" (6) [priority: 65535]
if ($syscall == 6)
action ERRNO(6);
- # filter for syscall "fstat" (5) [priority: 65533]
- if ($syscall == 5)
- if ($a0.hi32 == 0)
- if ($a0.lo32 == 103)
- action ERRNO(5);
# filter for syscall "stat" (4) [priority: 65535]
if ($syscall == 4)
action ERRNO(4);
# filter for syscall "close" (3) [priority: 65535]
if ($syscall == 3)
action ERRNO(3);
- else # ($syscall <= 2)
- # filter for syscall "open" (2) [priority: 65535]
- if ($syscall == 2)
- action ERRNO(2);
+ # filter for syscall "open" (2) [priority: 65535]
+ if ($syscall == 2)
+ action ERRNO(2);
+ else # ($syscall <= 1)
# filter for syscall "write" (1) [priority: 65533]
if ($syscall == 1)
if ($a0.hi32 == 0)
@@ -90,7 +85,7 @@ if ($arch == 3221225534)
action ALLOW;
# filter for arch aarch64 (3221225655)
if ($arch == 3221225655)
- if ($syscall > 62)
+ if ($syscall > 57)
if ($syscall > 139)
if ($syscall > 226)
# filter for syscall "lstat" (4294957133) [priority: 65535]
@@ -121,7 +116,7 @@ if ($arch == 3221225655)
if ($syscall == 214)
action ERRNO(12);
else # ($syscall <= 139)
- if ($syscall > 68)
+ if ($syscall > 67)
# filter for syscall "rt_sigreturn" (139) [priority: 65535]
if ($syscall == 139)
action ERRNO(15);
@@ -131,12 +126,6 @@ if ($arch == 3221225655)
# filter for syscall "rt_sigaction" (134) [priority: 65535]
if ($syscall == 134)
action ERRNO(13);
- # filter for syscall "fstat" (80) [priority: 65533]
- if ($syscall == 80)
- if ($a0.hi32 == 0)
- if ($a0.lo32 == 103)
- action ERRNO(5);
- else # ($syscall <= 68)
# filter for syscall "pwrite64" (68) [priority: 65531]
if ($syscall == 68)
if ($a0.hi32 == 0)
@@ -144,6 +133,7 @@ if ($arch == 3221225655)
if ($a1.hi32 == 0)
if ($a1.lo32 == 108)
action ERRNO(18);
+ else # ($syscall <= 67)
# filter for syscall "pread64" (67) [priority: 65533]
if ($syscall == 67)
if ($a0.hi32 == 0)
@@ -161,12 +151,12 @@ if ($arch == 3221225655)
if ($a1.hi32 == 0)
if ($a1.lo32 == 101)
action ERRNO(0);
- else # ($syscall <= 62)
- # filter for syscall "lseek" (62) [priority: 65533]
- if ($syscall == 62)
- if ($a0.hi32 == 0)
- if ($a0.lo32 == 104)
- action ERRNO(8);
+ # filter for syscall "lseek" (62) [priority: 65533]
+ if ($syscall == 62)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 104)
+ action ERRNO(8);
+ else # ($syscall <= 57)
# filter for syscall "close" (57) [priority: 65535]
if ($syscall == 57)
action ERRNO(3);
@@ -177,7 +167,7 @@ if ($arch == 3221225655)
action ALLOW;
# filter for arch loongarch64 (3221225730)
if ($arch == 3221225730)
- if ($syscall > 62)
+ if ($syscall > 57)
if ($syscall > 139)
if ($syscall > 226)
# filter for syscall "lstat" (4294957133) [priority: 65535]
@@ -208,7 +198,7 @@ if ($arch == 3221225730)
if ($syscall == 214)
action ERRNO(12);
else # ($syscall <= 139)
- if ($syscall > 68)
+ if ($syscall > 67)
# filter for syscall "rt_sigreturn" (139) [priority: 65535]
if ($syscall == 139)
action ERRNO(15);
@@ -218,12 +208,6 @@ if ($arch == 3221225730)
# filter for syscall "rt_sigaction" (134) [priority: 65535]
if ($syscall == 134)
action ERRNO(13);
- # filter for syscall "fstat" (80) [priority: 65533]
- if ($syscall == 80)
- if ($a0.hi32 == 0)
- if ($a0.lo32 == 103)
- action ERRNO(5);
- else # ($syscall <= 68)
# filter for syscall "pwrite64" (68) [priority: 65531]
if ($syscall == 68)
if ($a0.hi32 == 0)
@@ -231,6 +215,7 @@ if ($arch == 3221225730)
if ($a1.hi32 == 0)
if ($a1.lo32 == 108)
action ERRNO(18);
+ else # ($syscall <= 67)
# filter for syscall "pread64" (67) [priority: 65533]
if ($syscall == 67)
if ($a0.hi32 == 0)
@@ -248,12 +233,12 @@ if ($arch == 3221225730)
if ($a1.hi32 == 0)
if ($a1.lo32 == 101)
action ERRNO(0);
- else # ($syscall <= 62)
- # filter for syscall "lseek" (62) [priority: 65533]
- if ($syscall == 62)
- if ($a0.hi32 == 0)
- if ($a0.lo32 == 104)
- action ERRNO(8);
+ # filter for syscall "lseek" (62) [priority: 65533]
+ if ($syscall == 62)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 104)
+ action ERRNO(8);
+ else # ($syscall <= 57)
# filter for syscall "close" (57) [priority: 65535]
if ($syscall == 57)
action ERRNO(3);
--
2.33.0

25
fix_undefined_behavior_in_scmp_bpf_sim.patch
View File

@ -1,25 +0,0 @@
From 3292da1d4dafab2d18c7b750fa278bcc8a362d04 Mon Sep 17 00:00:00 2001
From: q66 <q66@chimera-linux.org>
Date: Wed, 20 Dec 2023 04:01:42 +0100
Subject: [PATCH] fix UB-ass UB in scmp_bpf_sim
---
tools/scmp_bpf_sim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c
index a381314..eeaa5bc 100644
--- a/tools/scmp_bpf_sim.c
+++ b/tools/scmp_bpf_sim.c
@@ -182,7 +182,8 @@ static void bpf_execute(const struct bpf_program *prg,
switch (code) {
case BPF_LD+BPF_W+BPF_ABS:
if (k < BPF_SYSCALL_MAX) {
- uint32_t val = *((uint32_t *)&sys_data_b[k]);
+ uint32_t val;
+ memcpy(&val, &sys_data_b[k], sizeof(val));
state.acc = ttoh32(arch, val);
} else
exit_error(ERANGE, ip_c);
--
2.43.0

BIN
libseccomp-2.5.3.tar.gz Normal file
View File

Binary file not shown.

BIN
libseccomp-2.5.4.tar.gz
View File

Binary file not shown.

35
libseccomp.spec
View File

@ -1,18 +1,12 @@
Name: libseccomp
Version: 2.5.4
Release: 3
Version: 2.5.3
Release: 1
Summary: Interface to the syscall filtering mechanism
License: LGPLv2
URL: https://github.com/seccomp/libseccomp
Source0: https://github.com/seccomp/libseccomp/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch2: backport-arch-disambiguate-in-arch-syscall-validate.patch
Patch3: Add-64-bit-LoongArch-support.patch
Patch4: fix-build-error-for-libseccomp.patch
# https://github.com/chimera-linux/cports/pull/1099
Patch5: fix_undefined_behavior_in_scmp_bpf_sim.patch
BuildRequires: gcc gperf autoconf automake
BuildRequires: gcc gperf
%description
The libseccomp library provides an easy to use, platform independent, interface to
@ -35,13 +29,8 @@ developing applications that use %{name}.
%prep
%autosetup -n %{name}-%{version} -p1
%ifnarch loongarch64
%patch4 -R -p1
%patch3 -R -p1
%endif
%build
autoreconf
%configure
%make_build
@ -50,10 +39,7 @@ autoreconf
%delete_la
%check
#Temporarily disable check on loongarch64
%ifnarch loongarch64
make check
%endif
%pre
@ -81,21 +67,6 @@ make check
%{_mandir}/man*/*
%changelog
* Fri May 10 2024 jchzhou <zhoujiacheng@iscas.ac.cn> - 2.5.4-3
- fix undefined behavior in scmp_bpf_sim.c causing issues when building with clang
* Mon Jul 31 2023 Jingyun Hua<huajingyun@loongson.cn> - 2.5.4-2
- add loongarch64 support for libseccomp
* Sat Jan 28 2023 shixuantong <shixuantong1@huawei.com> - 2.5.4-1
- upgrade version to 2.5.4
* Mon Nov 14 2022 shixuantong <shixuantong1@huawei.com> - 2.5.3-3
- arch: disambiguate in arch-syscall-validate
* Sat Aug 27 2022 zoulin <zoulin13@h-partners.com> - 2.5.3-2
- backport patches from upstream
* Tue Dec 28 2021 fuanan <fuanan3@huawei.com> - 2.5.3-1
- update version to 2.5.3