This reverts commit bca4e115715174a64c7b5f56430a51f3e676c34a.
Now, since we're using a sane sequence number generator, we can
re-enable the problematic test.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Because of incorrect number sequence generation by seq(1) on at least 32
bit ARM systems using coreutils v8.23/v8.24 we provide a minimal seq(1)
implementation that fits our needs.
This fixes the bug mentioned in the following mailing thread:
https://groups.google.com/forum/#!topic/libseccomp/VtrClkXxLGA
Signed-off-by: Mathias Krause <minipli@googlemail.com>
[PM: subject line, build locations, and vertical whitespace tweaks]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
(imported from commit 7932b4fa24c1add0d7a315de8387d216334fbcf7)
See the mailing list thread below:
-> https://groups.google.com/forum/#!topic/libseccomp/VtrClkXxLGA
... unfortunately the 32-bit ARM userspace has problems with this
particular test so we need to disable it for the time being. It is
important to note that this is only a problem with the test and not
with libseccomp in general.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Also correct some typos in the existing CHANGELOG entries.
Signed-off-by: Paul Moore <pmoore@redhat.com>
(imported from commit d7a29fefb03d9c3658854ea7b3cb6a8f082cfb90)
If the masked compare is a tautology we don't need to generate
instructions for the runtime test. It'll always be true.
This patch handles the case for 32 bit arches and partially for 64 bit
arches. The cases where either the upper half or the lower half is a
tautology are still TODO.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
[PM: minor function name changes to better match existing style]
Signed-off-by: Paul Moore <pmoore@redhat.com>
If the mask is 0 and we do a masked compare we shouldn't "optimize" this
case to a compare against zero. "(arg & 0) eq 0" != "(arg & ~0) eq 0".
The former is a tautology while the latter depends on the value of "arg".
Just mask "datum" instead to fix this bug. We'll do an unnecessary runtime
test for the tautology in this case but follow up patches will take care
of this.
This fixes the failing test cases of 12-sim-basic_masked_ops with 64 bit
argument values.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Add test vectors with bits set in the upper half of the syscall argument.
They trigger a bug with mask values having the upper half set to 0. We
accidentally emit a test for 0 in this case when we should not test the
upper half at all.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
No need to use unsigned int here, use the enum instead.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Also do some minor cleanup while we are touching the file.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
The symbols are prefixed with __ARM_NR_, not __NR_. We still shoehorn
the symbols into the __NR_ format for libseccomp though. Doing so keeps
SCMP_SYS simple.
Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Test 28-sim-arch_x86 points out a flaw in the x32 arch handling as we
wrongly jump to the next architecture check while we should jump to the
bad_arch handling instruction instead. See below:

    $ ./tests/28-sim-arch_x86 -b | ./tools/scmp_bpf_disasm
     line  OP   JT   JF   K
    =================================
     0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
     0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
     0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
     0003: 0x35 0x01 0x00 0x40000000   jge 1073741824 true:0005 false:0004
     0004: 0x15 0x04 0x03 0x00000003   jeq 3    true:0009 false:0008
     0005: 0x15 0x00 0x04 0x40000003   jeq 1073741827 true:0006 false:0010
     0006: 0x20 0x00 0x00 0x00000000   ld  $data[0]
     0007: 0x15 0x01 0x00 0x00000006   jeq 6    true:0009 false:0008
     0008: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
     0009: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
     0010: 0x06 0x00 0x00 0x00000000   ret KILL

When we reach the test at 0003 the accumulator register was changed
from holding the audit architecture to contain the syscall number
instead. This is needed to actually test for the x32 sub-architecture
as it, unfortunately, got no dedicated audit arch value. However, if
that test succeeds, we end up jumping to the next architecture check
at 0005 which is wrong. We should jump to the bad_arch handling at
0010 instead as x32 is an unsupported architecture for that test
program. Even worse, the next architecture check now operates on the
wrong data as it's no longer testing the audit arch but the syscall
number instead. As it happens, the syscall number for x32's
close() is 0x40000003. That exactly matches the audit arch value for
the x86 architecture. So what this filter does is allow the x32
close() call while it should not.
As we already successfully checked the arch to be SCMP_ARCH_X86_64 in
0001 it cannot have a different value. Testing for other values just
makes no sense. So instead of reloading the accumulator register on a
successful x32 test fix this by jumping to the bad_arch handling block
instead.
The generated BPF program now looks as follows:

    $ ./tests/28-sim-arch_x86 -b | ./tools/scmp_bpf_disasm
     line  OP   JT   JF   K
    =================================
     0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
     0001: 0x15 0x00 0x03 0xc000003e   jeq 3221225534 true:0002 false:0005
     0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
     0003: 0x35 0x06 0x00 0x40000000   jge 1073741824 true:0010 false:0004
     0004: 0x15 0x04 0x03 0x00000003   jeq 3    true:0009 false:0008
     0005: 0x15 0x00 0x04 0x40000003   jeq 1073741827 true:0006 false:0010
     0006: 0x20 0x00 0x00 0x00000000   ld  $data[0]
     0007: 0x15 0x01 0x00 0x00000006   jeq 6    true:0009 false:0008
     0008: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
     0009: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
     0010: 0x06 0x00 0x00 0x00000000   ret KILL

It now correctly jumps to the bad_arch handling at 0010 when the x32
test in 0003 succeeds.
This fixes test 28-sim-arch_x86.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
[PM: subject tweak, renamed 'bad_arch_hash' to 'bad_arch_hsh']
Signed-off-by: Paul Moore <pmoore@redhat.com>
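
The wrong verdict described in the commit message above can be replayed with a small classic-BPF interpreter. This is an added example, not code from libseccomp: the `run` function, the `PROG` macro and the structure layout are assumptions made here, while the instruction values are copied from the two disassembly listings.

```c
#include <stdint.h>
#include <stdio.h>

/* One classic BPF instruction, matching the listing columns OP JT JF K. */
struct insn { uint16_t op; uint8_t jt, jf; uint32_t k; };

#define RET_ALLOW  0x7fff0000u
#define RET_ERRNO1 0x00050001u
#define RET_KILL   0x00000000u
#define PROG_LEN   11

/* The 28-sim-arch_x86 filter from the listings; the only difference between
 * the two versions is the JT field of instruction 0003 (the x32 test). */
#define PROG(X32_JT) { \
	{0x20, 0, 0, 4},          {0x15, 0, 3, 0xc000003e}, \
	{0x20, 0, 0, 0},          {0x35, (X32_JT), 0, 0x40000000}, \
	{0x15, 4, 3, 3},          {0x15, 0, 4, 0x40000003}, \
	{0x20, 0, 0, 0},          {0x15, 1, 0, 6}, \
	{0x06, 0, 0, RET_ALLOW},  {0x06, 0, 0, RET_ERRNO1}, \
	{0x06, 0, 0, RET_KILL} }
static const struct insn filter_before[PROG_LEN] = PROG(1); /* jumps to 0005 */
static const struct insn filter_after[PROG_LEN]  = PROG(6); /* jumps to 0010 */

/* Interpret the filter for one syscall: nr is $data[0], arch is $data[4]. */
static uint32_t run(const struct insn *p, uint32_t arch, uint32_t nr)
{
	uint32_t a = 0; /* accumulator */
	for (unsigned pc = 0; pc < PROG_LEN; pc++) {
		switch (p[pc].op) {
		case 0x20: a = p[pc].k == 4 ? arch : nr; break;             /* ld  */
		case 0x15: pc += a == p[pc].k ? p[pc].jt : p[pc].jf; break; /* jeq */
		case 0x35: pc += a >= p[pc].k ? p[pc].jt : p[pc].jf; break; /* jge */
		case 0x06: return p[pc].k;                                  /* ret */
		}
	}
	return RET_KILL; /* ran off the end: treat as KILL */
}

int main(void)
{
	/* x32 close(): arch is the x86_64 audit value, nr is 0x40000003. */
	printf("before, x32 close():    0x%08x\n", (unsigned)run(filter_before, 0xc000003e, 0x40000003));
	printf("after,  x32 close():    0x%08x\n", (unsigned)run(filter_after, 0xc000003e, 0x40000003));
	printf("after,  x86_64 close(): 0x%08x\n", (unsigned)run(filter_after, 0xc000003e, 3));
	printf("after,  x86 close():    0x%08x\n", (unsigned)run(filter_after, 0x40000003, 6));
	return 0;
}
```

Only the x32 `close()` number collides with the x86 audit arch value, so other x32 syscalls already reached KILL before the fix; the interpreter makes that easy to confirm by varying `nr`.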
We currently allow calling close() on the x32 architecture when we're
generating a blacklist filter for x86 and x86_64, i.e. one with an
ALLOW policy. We shouldn't as the default handling for unsupported
architectures should be defined by the bad_arch handling -- not the
default policy.
The reason for the faulty behaviour is the wrong jump target for the
x32 architecture test. It should jump to the KILL label, not the next
architecture test instruction. That one won't test the architecture
any more as the accumulator register was already overwritten with the
syscall number for the x32 test.
This test generates a filter that should return ERRNO(1) on calls to
close() for supported architectures or KILL on unsupported ones. But,
currently, it does not do so for x32 and ALLOWs the syscall instead.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
[PM: added a python version of the test]
Signed-off-by: Paul Moore <pmoore@redhat.com>
See https://github.com/cgwalters/build-api/blob/master/build-api.md
Signed-off-by: Colin Walters <walters@verbum.org>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Using any of the socket related syscalls is always problematic, use
a generic syscall number for this test since it isn't syscall
specific.
Reported-by: Jan Willeke <willeke@linux.vnet.ibm.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
(imported from commit f506e0844372b2c404baa482defb62f6846d0e3e)
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Reported-by: Brian Cain <brian.cain@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
On some really old systems the ELF and/or Audit ABI/arch defines are
missing; this patch provides our own #defines in these cases.
Reported-by: Vincent.Riera@imgtec.com
Signed-off-by: Paul Moore <pmoore@redhat.com>
Retrieving attributes using the Python bindings fails on some platforms.
The attributes are encoded in a 32-bit mask. Python variables are
usually larger (64 bits); Cython is not capable of recognizing that it
should only use a 32-bit number on every platform. This patch ensures
that the variable used to store the value of the attribute is only 32 bits.
Signed-off-by: Michael Strosaker <strosake@linux.vnet.ibm.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Add the following syscalls to the ARM arch/ABI and update the syscall
validation script.
* breakpoint()
* cacheflush()
* usr26()
* usr32()
* set_tls()
Reported-by: Purcareata Bogdan <b43198@freescale.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
The 32-bit ARM syscall table mistakenly included syscall definitions
for the syscalls below. This patch redefines those syscalls to
libseccomp's pseudo-syscall numbers and corrects the
arch-syscall-validate to correctly list the 32-bit ARM syscalls.
* time
* umount
* stime
* alarm
* utime
* getrlimit
* select
* readdir
* mmap
* socketcall
* syscall
* ipc
Reported-by: Andreas Farber <afaerber@suse.de>
Signed-off-by: Paul Moore <pmoore@redhat.com>
That would be a type-o which results in bad style :)
Signed-off-by: Paul Moore <pmoore@redhat.com>
It turns out there are a few corner cases where we incorrectly
generate seccomp BPF due to poor accumulator state tracking for each
BPF instruction block. This patch adds accumulator state tracking
such that we know what any given instruction block expects from the
accumulator and what value it leaves in the accumulator when it is
finished. This allows us to verify the accumulator state when
assembling the instruction blocks into the final BPF program and if
necessary we can insert accumulator load/mask instructions to
maintain the proper accumulator state.
Reported-by: Matthew Heon <mheon@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
When building the BPF filter code we need to ensure that we take the
state of the BPF state machine accumulator into account. This test
creates a situation where the BPF filter code generator needs to
perform some extra work to ensure the accumulator state is correct.
This test is based on a bug reproducer by Matthew Heon.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Fixed a couple of warnings -- 'rc' was used-uninitialized IIRC and
missing enums from the switch.
Signed-off-by: Brian Cain <brian.cain@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
These were likely vestiges from the C implementation of the
corresponding tests. But in python, we've been liberated from the
bonds of semicolons, let us rejoice and instead serve our
new whitespace masters!
Signed-off-by: Brian Cain <brian.cain@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
seccomp_syscall_resolve_num_arch() returns a string from strdup() that
needs to be reaped. I found this bug using clang and
address-sanitizer.
Signed-off-by: Brian Cain <brian.cain@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
In many of the manpages we use the term "process" when in reality we
should be using "thread".
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Also display the build revision to make things easier when submitting
builds for scanning.
Signed-off-by: Paul Moore <pmoore@redhat.com>
As noted in the previous commit, I made some style changes, but forgot
to include them in the commit. This patch includes those tweaks.
Signed-off-by: Paul Moore <pmoore@redhat.com>
This patch is based on the following patch written by Richard W.M. Jones
from Red Hat:
https://www.redhat.com/archives/libguestfs/2013-February/msg00102.html
Earlier versions of automake complain if they get a configuration
parameter which they don't understand. The error is:
configure.ac:27: error: option 'serial-tests' not recognized
Use some m4 hackery to work around this.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
(minor style tweaks to the comments)
Signed-off-by: Paul Moore <pmoore@redhat.com>