From ab63dc7fec3d4e5552bf5f363231c3fe1a7436d7 Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Thu, 21 Aug 2014 17:30:40 +0200 Subject: arch: Add AArch64 support This patch adds support for AArch64 (64-bit ARM) architecture. Signed-off-by: Marcin Juszkiewicz (Additional fixes/corrections/etc.) Signed-off-by: Paul Moore --- include/seccomp.h.in | 184 ++++++++++++- src/Makefile.am | 1 + src/arch-aarch64-syscalls.c | 495 +++++++++++++++++++++++++++++++++++ src/arch-aarch64.c | 34 +++ src/arch-aarch64.h | 42 +++ src/arch-arm-syscalls.c | 1 + src/arch-mips-syscalls.c | 1 + src/arch-mips64-syscalls.c | 1 + src/arch-mips64n32-syscalls.c | 1 + src/arch-syscall-check.c | 14 +- src/arch-syscall-dump.c | 4 + src/arch-syscall-validate | 48 +++- src/arch-x32-syscalls.c | 1 + src/arch-x86-syscalls.c | 1 + src/arch-x86_64-syscalls.c | 1 + src/arch.c | 20 ++ src/gen_pfc.c | 2 + src/python/libseccomp.pxd | 1 + src/python/seccomp.pyx | 4 + tests/04-sim-multilevel_chains.c | 33 ++- tests/04-sim-multilevel_chains.py | 32 +-- tests/04-sim-multilevel_chains.tests | 46 ++-- tests/06-sim-actions.c | 10 +- tests/06-sim-actions.tests | 16 +- tests/16-sim-arch_basic.c | 3 + tests/16-sim-arch_basic.py | 1 + tests/20-live-basic_die.c | 6 +- tests/20-live-basic_die.py | 4 +- tests/21-live-basic_allow.c | 15 +- tests/21-live-basic_allow.py | 23 +- tests/23-sim-arch_all_le_basic.c | 3 + tests/23-sim-arch_all_le_basic.py | 1 + tests/24-live-arg_allow.c | 12 +- tests/24-live-arg_allow.py | 10 +- tests/regression | 4 +- tools/scmp_arch_detect.c | 3 + tools/scmp_bpf_disasm.c | 2 + tools/scmp_bpf_sim.c | 2 + tools/util.c | 2 + tools/util.h | 6 + 40 files changed, 978 insertions(+), 112 deletions(-) create mode 100644 src/arch-aarch64-syscalls.c create mode 100644 src/arch-aarch64.c create mode 100644 src/arch-aarch64.h diff --git a/include/seccomp.h.in b/include/seccomp.h.in index 99a0bc5..658107e 100644 --- a/include/seccomp.h.in +++ b/include/seccomp.h.in 
@@ -118,9 +118,14 @@ struct scmp_arg_cmp { #define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE) /** - * The ARM architecture token + * The ARM architecture tokens */ #define SCMP_ARCH_ARM AUDIT_ARCH_ARM +#ifndef AUDIT_ARCH_AARCH64 +/* AArch64 support for audit was merged in 3.17-rc1 */ +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif +#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64 /** * The MIPS architecture tokens @@ -1232,7 +1237,7 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); #define __PNR_getrandom -10109 #ifndef __NR_getrandom #define __NR_getrandom __PNR_getrandom -#endif /* __NR_time */ +#endif /* __NR_getrandom */ #define __PNR_memfd_create -10110 #ifndef __NR_memfd_create 
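Review bot: The `AUDIT_ARCH_AARCH64` fallback expands `EM_AARCH64` without checking that it is defined, so on a toolchain whose linux/elf-em.h predates the AArch64 machine type the new define fails to preprocess instead of degrading gracefully, which defeats the purpose of the `#ifndef` guard. Since the fallback exists precisely for older headers, guard the machine constant as well, before the `AUDIT_ARCH_AARCH64` line: `#ifndef EM_AARCH64`, `#define EM_AARCH64 183`, `#endif` (183 is the ELF e_machine value for AArch64). `__AUDIT_ARCH_64BIT` and `__AUDIT_ARCH_LE` are presumably available wherever the existing `SCMP_ARCH_X32` line already finds `__AUDIT_ARCH_LE`, so those need no guard.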
@@ -1244,6 +1249,181 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); #define __NR_kexec_file_load __PNR_kexec_file_load #endif /* __NR_kexec_file_load */ +#define __PNR_sysfs -10145 +#ifndef __NR_sysfs +#define __NR_sysfs __PNR_sysfs +#endif /* __NR_sysfs */ + +#define __PNR_oldwait4 -10146 +#ifndef __NR_oldwait4 +#define __NR_oldwait4 __PNR_oldwait4 +#endif /* __NR_sysfs */ + +#define __PNR_access -10147 +#ifndef __NR_access +#define __NR_access __PNR_access +#endif /* __NR_access */ + +#define __PNR_alarm -10148 +#ifndef __NR_alarm +#define __NR_alarm __PNR_alarm +#endif /* __NR_alarm */ + +#define __PNR_chmod -10149 +#ifndef __NR_chmod +#define __NR_chmod __PNR_chmod +#endif /* __NR_chmod */ + +#define __PNR_chown -10150 +#ifndef __NR_chown +#define __NR_chown __PNR_chown +#endif /* __NR_chown */ + +#define __PNR_creat -10151 +#ifndef __NR_creat +#define __NR_creat __PNR_creat +#endif /* __NR_creat */ + +#define __PNR_dup2 -10152 +#ifndef __NR_dup2 +#define __NR_dup2 __PNR_dup2 +#endif /* __NR_dup2 */ + +#define __PNR_epoll_create -10153 +#ifndef __NR_epoll_create +#define __NR_epoll_create __PNR_epoll_create +#endif /* __NR_epoll_create */ + +#define __PNR_epoll_wait -10154 +#ifndef __NR_epoll_wait +#define __NR_epoll_wait __PNR_epoll_wait +#endif /* __NR_epoll_wait */ + +#define __PNR_eventfd -10155 +#ifndef __NR_eventfd +#define __NR_eventfd __PNR_eventfd +#endif /* __NR_eventfd */ + +#define __PNR_fork -10156 +#ifndef __NR_fork +#define __NR_fork __PNR_fork +#endif /* __NR_fork */ + +#define __PNR_futimesat -10157 +#ifndef __NR_futimesat +#define __NR_futimesat __PNR_futimesat +#endif /* __NR_futimesat */ + +#define __PNR_getdents -10158 +#ifndef __NR_getdents +#define __NR_getdents __PNR_getdents +#endif /* __NR_getdents */ + +#define __PNR_getpgrp -10159 +#ifndef __NR_getpgrp +#define __NR_getpgrp __PNR_getpgrp +#endif /* __NR_getpgrp */ + +#define __PNR_inotify_init -10160 +#ifndef __NR_inotify_init +#define __NR_inotify_init 
__PNR_inotify_init +#endif /* __NR_inotify_init */ + +#define __PNR_lchown -10161 +#ifndef __NR_lchown +#define __NR_lchown __PNR_lchown +#endif /* __NR_lchown */ + +#define __PNR_link -10162 +#ifndef __NR_link +#define __NR_link __PNR_link +#endif /* __NR_link */ + +#define __PNR_lstat -10163 +#ifndef __NR_lstat +#define __NR_lstat __PNR_lstat +#endif /* __NR_lstat */ + +#define __PNR_mkdir -10164 +#ifndef __NR_mkdir +#define __NR_mkdir __PNR_mkdir +#endif /* __NR_mkdir */ + +#define __PNR_mknod -10165 +#ifndef __NR_mknod +#define __NR_mknod __PNR_mknod +#endif /* __NR_mknod */ + +#define __PNR_open -10166 +#ifndef __NR_open +#define __NR_open __PNR_open +#endif /* __NR_open */ + +#define __PNR_pause -10167 +#ifndef __NR_pause +#define __NR_pause __PNR_pause +#endif /* __NR_pause */ + +#define __PNR_pipe -10168 +#ifndef __NR_pipe +#define __NR_pipe __PNR_pipe +#endif /* __NR_pipe */ + +#define __PNR_poll -10169 +#ifndef __NR_poll +#define __NR_poll __PNR_poll +#endif /* __NR_poll */ + +#define __PNR_readlink -10170 +#ifndef __NR_readlink +#define __NR_readlink __PNR_readlink +#endif /* __NR_readlink */ + +#define __PNR_rename -10171 +#ifndef __NR_rename +#define __NR_rename __PNR_rename +#endif /* __NR_rename */ + +#define __PNR_rmdir -10172 +#ifndef __NR_rmdir +#define __NR_rmdir __PNR_rmdir +#endif /* __NR_rmdir */ + +#define __PNR_signalfd -10173 +#ifndef __NR_signalfd +#define __NR_signalfd __PNR_signalfd +#endif /* __NR_signalfd */ + +#define __PNR_stat -10174 +#ifndef __NR_stat +#define __NR_stat __PNR_stat +#endif /* __NR_stat */ + +#define __PNR_symlink -10175 +#ifndef __NR_symlink +#define __NR_symlink __PNR_symlink +#endif /* __NR_symlink */ + +#define __PNR_unlink -10176 +#ifndef __NR_unlink +#define __NR_unlink __PNR_unlink +#endif /* __NR_unlink */ + +#define __PNR_ustat -10177 +#ifndef __NR_ustat +#define __NR_ustat __PNR_ustat +#endif /* __NR_ustat */ + +#define __PNR_utime -10178 +#ifndef __NR_utime +#define __NR_utime __PNR_utime +#endif /* 
__NR_utime */ + +#define __PNR_utimes -10179 +#ifndef __NR_utimes +#define __NR_utimes __PNR_utimes +#endif /* __NR_utimes */ + #ifdef __cplusplus } #endif diff --git a/src/Makefile.am b/src/Makefile.am index 2d1db37..f3cce7b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -27,6 +27,7 @@ SOURCES_ARCH = \ arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \ arch-x32.h arch-x32.c arch-x32-syscalls.c \ arch-arm.h arch-arm.c arch-arm-syscalls.c \ + arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \ arch-mips.h arch-mips.c arch-mips-syscalls.c \ arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \ arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c new file mode 100644 index 0000000..650c50c --- /dev/null +++ b/src/arch-aarch64-syscalls.c 
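Review bot: The `#endif` trailing comment after the `__NR_oldwait4` block reads `/* __NR_sysfs */`, copied from the block above it; it should be `#endif /* __NR_oldwait4 */`, which is the same kind of slip this commit corrects for `__NR_getrandom` in the first hunk of this file. Every other block in the hunk follows the established `__PNR_*` / `#ifndef __NR_*` pattern with the pseudo numbers running contiguously from -10145 to -10179, so nothing else stands out.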
@@ -0,0 +1,495 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see . + */ + +#include + +#include + +#include "arch.h" +#include "arch-aarch64.h" + +/* NOTE: based on Linux 3.17-rc1+ */ +const struct arch_syscall_def aarch64_syscall_table[] = { \ + { "_llseek", __PNR__llseek }, + { "_newselect", __PNR__newselect }, + { "_sysctl", __PNR__sysctl }, + { "accept", 202 }, + { "accept4", 242 }, + { "access", __PNR_access }, + { "acct", 89 }, + { "add_key", 217 }, + { "adjtimex", 171 }, + { "afs_syscall", __PNR_afs_syscall }, + { "alarm", __PNR_alarm }, + { "arm_fadvise64_64", __PNR_arm_fadvise64_64 }, + { "arm_sync_file_range", __PNR_arm_sync_file_range }, + { "arch_prctl", __PNR_arch_prctl }, + { "bdflush", __PNR_bdflush }, + { "bind", 200 }, + { "break", __PNR_break }, + { "brk", 214 }, + { "cachectl", __PNR_cachectl }, + { "cacheflush", __PNR_cacheflush }, + { "capget", 90 }, + { "capset", 91 }, + { "chdir", 49 }, + { "chmod", __PNR_chmod }, + { "chown", __PNR_chown }, + { "chown32", __PNR_chown32 }, + { "chroot", 51 }, + { "clock_adjtime", 266 }, + { "clock_getres", 114 }, + { "clock_gettime", 113 }, + { "clock_nanosleep", 115 }, + { "clock_settime", 112 }, + { "clone", 220 }, + { "close", 57 }, + { "connect", 203 }, + { "creat", __PNR_creat }, + { "create_module", __PNR_create_module }, + { "delete_module", 106 }, + { 
"dup", 23 }, + { "dup2", __PNR_dup2 }, + { "dup3", 24 }, + { "epoll_create", __PNR_epoll_create }, + { "epoll_create1", 20 }, + { "epoll_ctl", 21 }, + { "epoll_ctl_old", __PNR_epoll_ctl_old }, + { "epoll_pwait", 22 }, + { "epoll_wait", __PNR_epoll_wait }, + { "epoll_wait_old", __PNR_epoll_wait_old }, + { "eventfd", __PNR_eventfd }, + { "eventfd2", 19 }, + { "execve", 221 }, + { "exit", 93 }, + { "exit_group", 94 }, + { "faccessat", 48 }, + { "fadvise64", 223 }, + { "fadvise64_64", __PNR_fadvise64_64 }, + { "fallocate", 47 }, + { "fanotify_init", 262 }, + { "fanotify_mark", 263 }, + { "fchdir", 50 }, + { "fchmod", 52 }, + { "fchmodat", 53 }, + { "fchown", 55 }, + { "fchown32", __PNR_fchown32 }, + { "fchownat", 54 }, + { "fcntl", 25 }, + { "fcntl64", __PNR_fcntl64 }, + { "fdatasync", 83 }, + { "fgetxattr", 10 }, + { "finit_module", 273 }, + { "flistxattr", 13 }, + { "flock", 32 }, + { "fork", __PNR_fork }, + { "fremovexattr", 16 }, + { "fsetxattr", 7 }, + { "fstat", 80 }, + { "fstat64", __PNR_fstat64 }, + { "fstatat64", __PNR_fstatat64 }, + { "fstatfs", 44 }, + { "fstatfs64", __PNR_fstatfs64 }, + { "fsync", 82 }, + { "ftime", __PNR_ftime }, + { "ftruncate", 46 }, + { "ftruncate64", __PNR_ftruncate64 }, + { "futex", 98 }, + { "futimesat", __PNR_futimesat }, + { "get_kernel_syms", __PNR_get_kernel_syms }, + { "get_mempolicy", 236 }, + { "get_robust_list", 100 }, + { "get_thread_area", __PNR_get_thread_area }, + { "getcpu", 168 }, + { "getcwd", 17 }, + { "getdents", __PNR_getdents }, + { "getdents64", 61 }, + { "getegid", 177 }, + { "getegid32", __PNR_getegid32 }, + { "geteuid", 175 }, + { "geteuid32", __PNR_geteuid32 }, + { "getgid", 176 }, + { "getgid32", __PNR_getgid32 }, + { "getgroups", 158 }, + { "getgroups32", __PNR_getgroups32 }, + { "getitimer", 102 }, + { "getpeername", 205 }, + { "getpgid", 155 }, + { "getpgrp", __PNR_getpgrp }, + { "getpid", 172 }, + { "getpmsg", __PNR_getpmsg }, + { "getppid", 173 }, + { "getpriority", 141 }, + { "getrandom", 278 }, + { 
"getresgid", 150 }, + { "getresgid32", __PNR_getresgid32 }, + { "getresuid", 148 }, + { "getresuid32", __PNR_getresuid32 }, + { "getrlimit", 163 }, + { "getrusage", 165 }, + { "getsid", 156 }, + { "getsockname", 204 }, + { "getsockopt", 209 }, + { "gettid", 178 }, + { "gettimeofday", 169 }, + { "getuid", 174 }, + { "getuid32", __PNR_getuid32 }, + { "getxattr", 8 }, + { "gtty", __PNR_gtty }, + { "idle", __PNR_idle }, + { "init_module", 105 }, + { "inotify_add_watch", 27 }, + { "inotify_init", __PNR_inotify_init }, + { "inotify_init1", 26 }, + { "inotify_rm_watch", 28 }, + { "io_cancel", 3 }, + { "io_destroy", 1 }, + { "io_getevents", 4 }, + { "io_setup", 0 }, + { "io_submit", 2 }, + { "ioctl", 29 }, + { "ioperm", __PNR_ioperm }, + { "iopl", __PNR_iopl }, + { "ioprio_get", 31 }, + { "ioprio_set", 30 }, + { "ipc", __PNR_ipc }, + { "kcmp", 272 }, + { "kexec_file_load", __PNR_kexec_file_load }, + { "kexec_load", 104 }, + { "keyctl", 219 }, + { "kill", 129 }, + { "lchown", __PNR_lchown }, + { "lchown32", __PNR_lchown32 }, + { "lgetxattr", 9 }, + { "link", __PNR_link }, + { "linkat", 37 }, + { "listen", 201 }, + { "listxattr", 11 }, + { "llistxattr", 12 }, + { "lock", __PNR_lock }, + { "lookup_dcookie", 18 }, + { "lremovexattr", 15 }, + { "lseek", 62 }, + { "lsetxattr", 6 }, + { "lstat", __PNR_lstat }, + { "lstat64", __PNR_lstat64 }, + { "madvise", 233 }, + { "mbind", 235 }, + { "memfd_create", __PNR_memfd_create }, + { "migrate_pages", 238 }, + { "mincore", 232 }, + { "mkdir", __PNR_mkdir }, + { "mkdirat", 34 }, + { "mknod", __PNR_mknod }, + { "mknodat", 33 }, + { "mlock", 228 }, + { "mlockall", 230 }, + { "mmap", 222 }, + { "mmap2", __PNR_mmap2 }, + { "modify_ldt", __PNR_modify_ldt }, + { "mount", 40 }, + { "move_pages", 239 }, + { "mprotect", 226 }, + { "mpx", __PNR_mpx }, + { "mq_getsetattr", 185 }, + { "mq_notify", 184 }, + { "mq_open", 180 }, + { "mq_timedreceive", 183 }, + { "mq_timedsend", 182 }, + { "mq_unlink", 181 }, + { "mremap", 216 }, + { "msgctl", 187 }, + 
{ "msgget", 186 }, + { "msgrcv", 188 }, + { "msgsnd", 189 }, + { "msync", 227 }, + { "munlock", 229 }, + { "munlockall", 231 }, + { "munmap", 215 }, + { "name_to_handle_at", 264 }, + { "nanosleep", 101 }, + { "newfstatat", 79 }, + { "nfsservctl", 42 }, + { "nice", __PNR_nice }, + { "oldfstat", __PNR_oldfstat }, + { "oldlstat", __PNR_oldlstat }, + { "oldolduname", __PNR_oldolduname }, + { "oldstat", __PNR_oldstat }, + { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, + { "open", __PNR_open }, + { "open_by_handle_at", 265 }, + { "openat", 56 }, + { "pause", __PNR_pause }, + { "pciconfig_iobase", __PNR_pciconfig_iobase }, + { "pciconfig_read", __PNR_pciconfig_read }, + { "pciconfig_write", __PNR_pciconfig_write }, + { "perf_event_open", 241 }, + { "personality", 92 }, + { "pipe", __PNR_pipe }, + { "pipe2", 59 }, + { "pivot_root", 41 }, + { "poll", __PNR_poll }, + { "ppoll", 73 }, + { "prctl", 167 }, + { "pread64", 67 }, + { "preadv", 69 }, + { "prlimit64", 261 }, + { "process_vm_readv", 270 }, + { "process_vm_writev", 271 }, + { "prof", __PNR_prof }, + { "profil", __PNR_profil }, + { "pselect6", 72 }, + { "ptrace", 117 }, + { "putpmsg", __PNR_putpmsg }, + { "pwrite64", 68 }, + { "pwritev", 70 }, + { "query_module", __PNR_query_module }, + { "quotactl", 60 }, + { "read", 63 }, + { "readahead", 213 }, + { "readdir", __PNR_readdir }, + { "readlink", __PNR_readlink }, + { "readlinkat", 78 }, + { "readv", 65 }, + { "reboot", 142 }, + { "recv", __PNR_recv }, + { "recvfrom", 207 }, + { "recvmmsg", 243 }, + { "recvmsg", 212 }, + { "remap_file_pages", 234 }, + { "removexattr", 14 }, + { "rename", __PNR_rename }, + { "renameat", 38 }, + { "renameat2", 276 }, + { "request_key", 218 }, + { "restart_syscall", 128 }, + { "rmdir", __PNR_rmdir }, + { "rt_sigaction", 134 }, + { "rt_sigpending", 136 }, + { "rt_sigprocmask", 135 }, + { "rt_sigqueueinfo", 138 }, + { "rt_sigreturn", 139 }, + { "rt_sigsuspend", 133 }, + { "rt_sigtimedwait", 137 }, + { "rt_tgsigqueueinfo", 
240 }, + { "sched_get_priority_max", 125 }, + { "sched_get_priority_min", 126 }, + { "sched_getaffinity", 123 }, + { "sched_getattr", 275 }, + { "sched_getparam", 121 }, + { "sched_getscheduler", 120 }, + { "sched_rr_get_interval", 127 }, + { "sched_setaffinity", 122 }, + { "sched_setattr", 274 }, + { "sched_setparam", 118 }, + { "sched_setscheduler", 119 }, + { "sched_yield", 124 }, + { "seccomp", 277 }, + { "security", __PNR_security }, + { "select", __PNR_select }, + { "semctl", 191 }, + { "semget", 190 }, + { "semop", 193 }, + { "semtimedop", 192 }, + { "send", __PNR_send }, + { "sendfile", 71 }, + { "sendfile64", __PNR_sendfile64 }, + { "sendmmsg", 269 }, + { "sendmsg", 211 }, + { "sendto", 206 }, + { "set_mempolicy", 237 }, + { "set_robust_list", 99 }, + { "set_thread_area", __PNR_set_thread_area }, + { "set_tid_address", 96 }, + { "setdomainname", 162 }, + { "setfsgid", 152 }, + { "setfsgid32", __PNR_setfsgid32 }, + { "setfsuid", 151 }, + { "setfsuid32", __PNR_setfsuid32 }, + { "setgid", 144 }, + { "setgid32", __PNR_setgid32 }, + { "setgroups", 159 }, + { "setgroups32", __PNR_setgroups32 }, + { "sethostname", 161 }, + { "setitimer", 103 }, + { "setns", 268 }, + { "setpgid", 154 }, + { "setpriority", 140 }, + { "setregid", 143 }, + { "setregid32", __PNR_setregid32 }, + { "setresgid", 149 }, + { "setresgid32", __PNR_setresgid32 }, + { "setresuid", 147 }, + { "setresuid32", __PNR_setresuid32 }, + { "setreuid", 145 }, + { "setreuid32", __PNR_setreuid32 }, + { "setrlimit", 164 }, + { "setsid", 157 }, + { "setsockopt", 208 }, + { "settimeofday", 170 }, + { "setuid", 146 }, + { "setuid32", __PNR_setuid32 }, + { "setxattr", 5 }, + { "sgetmask", __PNR_sgetmask }, + { "shmat", 196 }, + { "shmctl", 195 }, + { "shmdt", 197 }, + { "shmget", 194 }, + { "shutdown", 210 }, + { "sigaction", __PNR_sigaction }, + { "sigaltstack", 132 }, + { "signal", __PNR_signal }, + { "signalfd", __PNR_signalfd }, + { "signalfd4", 74 }, + { "sigpending", __PNR_sigpending }, + { 
"sigprocmask", __PNR_sigprocmask }, + { "sigreturn", __PNR_sigreturn }, + { "sigsuspend", __PNR_sigsuspend }, + { "socket", 198 }, + { "socketcall", __PNR_socketcall }, + { "socketpair", 199 }, + { "splice", 76 }, + { "ssetmask", __PNR_ssetmask }, + { "stat", __PNR_stat }, + { "stat64", __PNR_stat64 }, + { "statfs", 43 }, + { "statfs64", __PNR_statfs64 }, + { "stime", __PNR_stime }, + { "stty", __PNR_stty }, + { "swapoff", 225 }, + { "swapon", 224 }, + { "symlink", __PNR_symlink }, + { "symlinkat", 36 }, + { "sync", 81 }, + { "sync_file_range", 84 }, + { "sync_file_range2", __PNR_sync_file_range2 }, + { "syncfs", 267 }, + { "syscall", __PNR_syscall }, + { "sysfs", __PNR_sysfs }, + { "sysinfo", 179 }, + { "syslog", 116 }, + { "sysmips", __PNR_sysmips }, + { "tee", 77 }, + { "tgkill", 131 }, + { "time", __PNR_time }, + { "timer_create", 107 }, + { "timer_delete", 111 }, + { "timer_getoverrun", 109 }, + { "timer_gettime", 108 }, + { "timer_settime", 110 }, + { "timerfd", __PNR_timerfd }, + { "timerfd_create", 85 }, + { "timerfd_gettime", 87 }, + { "timerfd_settime", 86 }, + { "times", 153 }, + { "tkill", 130 }, + { "truncate", 45 }, + { "truncate64", __PNR_truncate64 }, + { "tuxcall", __PNR_tuxcall }, + { "ugetrlimit", __PNR_ugetrlimit }, + { "ulimit", __PNR_ulimit }, + { "umask", 166 }, + { "umount", __PNR_umount }, + { "umount2", 39 }, + { "uname", 160 }, + { "unlink", __PNR_unlink }, + { "unlinkat", 35 }, + { "unshare", 97 }, + { "uselib", __PNR_uselib }, + { "ustat", __PNR_ustat }, + { "utime", __PNR_utime }, + { "utimensat", 88 }, + { "utimes", __PNR_utimes }, + { "vfork", __PNR_vfork }, + { "vhangup", 58 }, + { "vm86", __PNR_vm86 }, + { "vm86old", __PNR_vm86old }, + { "vmsplice", 75 }, + { "vserver", __PNR_vserver }, + { "wait4", 260 }, + { "waitid", 95 }, + { "waitpid", __PNR_waitpid }, + { "write", 64 }, + { "writev", 66 }, + { NULL, __NR_SCMP_ERROR }, +}; + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given 
syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int aarch64_syscall_resolve_name(const char *name) +{ + unsigned int iter; + const struct arch_syscall_def *table = aarch64_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].name != NULL; iter++) { + if (strcmp(name, table[iter].name) == 0) + return table[iter].num; + } + + return __NR_SCMP_ERROR; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *aarch64_syscall_resolve_num(int num) +{ + unsigned int iter; + const struct arch_syscall_def *table = aarch64_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { + if (num == table[iter].num) + return table[iter].name; + } + + return NULL; +} + + +/** + * Iterate through the syscall table and return the syscall name + * @param spot the offset into the syscall table + * + * Return the syscall name at position @spot or NULL on failure. This function + * should only ever be used internally by libseccomp. + * + */ +const char *aarch64_syscall_iterate_name(unsigned int spot) +{ + /* XXX - no safety checks here */ + return aarch64_syscall_table[spot].name; +} diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c new file mode 100644 index 0000000..a4fbffb --- /dev/null +++ b/src/arch-aarch64.c 
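Review bot: `memfd_create` is mapped to `__PNR_memfd_create` although the table header says it tracks Linux 3.17-rc1+ and numbers its neighbours `seccomp` (277) and `getrandom` (278); if the asm-generic table at that kernel level assigns memfd_create 279, this entry is stale and a rule added by name would effectively not filter the call on this architecture, so it is worth confirming with arch-syscall-validate against the stated kernel and, if so, changing the line to `{ "memfd_create", 279 },`. Separately, `aarch64_syscall_iterate_name` indexes `aarch64_syscall_table[spot]` with no upper bound, as its XXX comment concedes; the contract that callers advance only until the first NULL name (the way arch-syscall-check.c does) belongs in the docblock rather than in an XXX, e.g. `@spot must not exceed the index of the terminating { NULL, __NR_SCMP_ERROR } entry`. The stray `\` after `= {` on the table's opening line is harmless but serves no purpose in a brace initializer.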
@@ -0,0 +1,34 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see . + */ + +#include +#include +#include + +#include "arch.h" +#include "arch-aarch64.h" + +const struct arch_def arch_def_aarch64 = { + .token = SCMP_ARCH_AARCH64, + .token_bpf = AUDIT_ARCH_AARCH64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +}; diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h new file mode 100644 index 0000000..9d80311 --- /dev/null +++ b/src/arch-aarch64.h 
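Review bot: The file header comment says `Enhanced Seccomp AArch64 Syscall Table`, but this file only defines `arch_def_aarch64`; the table lives in arch-aarch64-syscalls.c, so a description such as `Enhanced Seccomp AArch64 Specific Code` would be accurate, and the same copied header appears in the arch-aarch64.h hunk that follows. The definition hard-codes `ARCH_ENDIAN_LITTLE`, which is consistent with `AUDIT_ARCH_AARCH64` being defined with `__AUDIT_ARCH_LE` in seccomp.h.in; a one-line comment stating that big-endian AArch64 is deliberately not covered would save the next reader from looking for a missing `_be` variant.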
@@ -0,0 +1,42 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see . + */ + +#ifndef _ARCH_AARCH64_H +#define _ARCH_AARCH64_H + +#include + +#include "arch.h" +#include "system.h" + +#define aarch64_arg_count_max 6 + +extern const struct arch_def arch_def_aarch64; + +#define aarch64_arg_offset(x) (offsetof(struct seccomp_data, args[x])) +#define aarch64_arg_offset_lo(x) (aarch64_arg_offset(x)) +#define aarch64_arg_offset_hi(x) (aarch64_arg_offset(x) + 4) + +int aarch64_syscall_resolve_name(const char *name); +const char *aarch64_syscall_resolve_num(int num); + +const char *aarch64_syscall_iterate_name(unsigned int spot); +#endif diff --git a/src/arch-arm-syscalls.c b/src/arch-arm-syscalls.c index 80ca92f..79af9f0 100644 --- a/src/arch-arm-syscalls.c +++ b/src/arch-arm-syscalls.c @@ -245,6 +245,7 @@ const struct arch_syscall_def arm_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", (__NR_SYSCALL_BASE + 5) }, { "open_by_handle_at", (__NR_SYSCALL_BASE + 371) }, { "openat", (__NR_SYSCALL_BASE + 322) }, diff --git a/src/arch-mips-syscalls.c b/src/arch-mips-syscalls.c index 0ae3f06..3a5cec4 100644 --- a/src/arch-mips-syscalls.c +++ b/src/arch-mips-syscalls.c 
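Review bot: `aarch64_arg_offset_hi(x)` is defined as `aarch64_arg_offset(x) + 4` with nothing saying why the high word sits four bytes in; that is only true because the architecture token is little-endian, and the assumption is invisible at this point in the header. A comment on the pair, `/* 64-bit args, little-endian: low word at +0, high word at +4 */`, ties the macros to the `ARCH_ENDIAN_LITTLE` choice in arch-aarch64.c. The include guard `_ARCH_AARCH64_H` is a reserved identifier (leading underscore plus uppercase); if the sibling headers use the same form this is a project convention rather than something to change here.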
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", (__NR_SYSCALL_BASE + 5) }, { "open_by_handle_at", (__NR_SYSCALL_BASE + 340) }, { "openat", (__NR_SYSCALL_BASE + 288) }, diff --git a/src/arch-mips64-syscalls.c b/src/arch-mips64-syscalls.c index c4eaa97..9300f75 100644 --- a/src/arch-mips64-syscalls.c +++ b/src/arch-mips64-syscalls.c @@ -238,6 +238,7 @@ const struct arch_syscall_def mips64_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", (__NR_SYSCALL_BASE + 2) }, { "open_by_handle_at", (__NR_SYSCALL_BASE + 299) }, { "openat", (__NR_SYSCALL_BASE + 247) }, diff --git a/src/arch-mips64n32-syscalls.c b/src/arch-mips64n32-syscalls.c index 3aa5269..47ce97a 100644 --- a/src/arch-mips64n32-syscalls.c +++ b/src/arch-mips64n32-syscalls.c @@ -238,6 +238,7 @@ const struct arch_syscall_def mips64n32_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", (__NR_SYSCALL_BASE + 2) }, { "open_by_handle_at", (__NR_SYSCALL_BASE + 304) }, { "openat", (__NR_SYSCALL_BASE + 251) }, diff --git a/src/arch-syscall-check.c b/src/arch-syscall-check.c index 7a14a8b..e60050e 100644 --- a/src/arch-syscall-check.c +++ b/src/arch-syscall-check.c @@ -28,6 +28,7 @@ #include "arch-x86.h" #include "arch-x86_64.h" #include "arch-arm.h" +#include "arch-aarch64.h" #include "arch-mips.h" #include "arch-mips64.h" #include "arch-mips64n32.h" @@ -60,6 +61,7 @@ int main(int argc, char *argv[]) int i_x86 = 0; int i_x86_64 = 0; int i_arm = 0; + int i_aarch64 = 0; int i_mips = 0; int i_mips64 = 0; int i_mips64n32 = 0; 
@@ -77,6 +79,8 @@ int main(int argc, char *argv[]) x86_64_syscall_iterate_name(i_x86_64)); syscall_check(str_miss, sys_name, "arm", arm_syscall_iterate_name(i_arm)); + syscall_check(str_miss, sys_name, "aarch64", + aarch64_syscall_iterate_name(i_aarch64)); syscall_check(str_miss, sys_name, "mips", mips_syscall_iterate_name(i_mips)); syscall_check(str_miss, sys_name, "mips64", @@ -105,7 +109,10 @@ int main(int argc, char *argv[]) i_mips64 = -1; if (!mips64n32_syscall_iterate_name(++i_mips64n32)) i_mips64n32 = -1; - } while (i_x86_64 >= 0 && i_arm >= 0 && + if (!aarch64_syscall_iterate_name(++i_aarch64)) + i_aarch64 = -1; + } while (i_x86_64 >= 0 && + i_arm >= 0 && i_aarch64 >= 0 && i_mips >= 0 && i_mips64 >= 0 && i_mips64n32 >= 0); /* check for any leftovers */ @@ -124,6 +131,11 @@ int main(int argc, char *argv[]) arm_syscall_iterate_name(i_arm)); return 1; } + if (i_aarch64 >= 0) { + printf("%s: ERROR, aarch64 has additional syscalls\n", + aarch64_syscall_iterate_name(i_aarch64)); + return 1; + } if (i_mips >= 0) { printf("%s: ERROR, mips has additional syscalls\n", mips_syscall_iterate_name(i_mips)); diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c index 9b5e181..4a4d22e 100644 --- a/src/arch-syscall-dump.c +++ b/src/arch-syscall-dump.c @@ -37,6 +37,7 @@ #include "arch-mips.h" #include "arch-mips64.h" #include "arch-mips64n32.h" +#include "arch-aarch64.h" /** * Print the usage information to stderr and exit @@ -111,6 +112,9 @@ int main(int argc, char *argv[]) case SCMP_ARCH_MIPSEL64N32: sys_name = mips64n32_syscall_iterate_name(iter); break; + case SCMP_ARCH_AARCH64: + sys_name = aarch64_syscall_iterate_name(iter); + break; default: /* invalid arch */ exit_usage(argv[0]); diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate index 7c7cd7f..2cbf696 100755 --- a/src/arch-syscall-validate +++ b/src/arch-syscall-validate 
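Review bot: In the `@@ -105,7 +109,10 @@` hunk the `i_aarch64` advance is appended after the mips64n32 one, whereas the new `syscall_check` call in the preceding hunk, the declaration, and the leftover check all place aarch64 between arm and mips; keeping one order through every stage makes it easy to verify by eye that each architecture is handled in all four places. Moving the two added lines `if (!aarch64_syscall_iterate_name(++i_aarch64))` / `i_aarch64 = -1;` to directly after the arm advance would do it. The enclosing `main` starts and ends outside these hunks.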
@@ -165,6 +165,44 @@ function dump_lib_arm() { sed -e '/sync_file_range2[ \t]\+341/d' } +# +# Dump the aarch64 system syscall table +# +# Arguments: +# 1 path to the kernel source +# +# Dump the architecture's syscall table to stdout. +# +function dump_sys_aarch64() { + gcc -E -dM -I$1/include/uapi -D__BITS_PER_LONG=64 $1/include/uapi/asm-generic/unistd.h | \ + grep "^#define __NR_" | sort | \ + sed -e '/__NR_syscalls/d' | \ + sed -e '/__NR_arch_specific_syscall/d' | \ + sed -e 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+\(.*\)/\1\t\2/' | \ + sed -e 's/__NR3264_statfs/43/' | \ + sed -e 's/__NR3264_ftruncate/46/' | \ + sed -e 's/__NR3264_truncate/45/' | \ + sed -e 's/__NR3264_lseek/62/' | \ + sed -e 's/__NR3264_sendfile/71/' | \ + sed -e 's/__NR3264_fstatat/79/' | \ + sed -e 's/__NR3264_fstatfs/44/' | \ + sed -e 's/__NR3264_fcntl/25/' | \ + sed -e 's/__NR3264_fadvise64/223/' | \ + sed -e 's/__NR3264_mmap/222/' | \ + sed -e 's/__NR3264_fstat/80/' | \ + sed -e 's/__NR3264_lstat/1039/' | \ + sed -e 's/__NR3264_stat/1038/' +} + +# +# Dump the aarch64 library syscall table +# +# Dump the library's syscall table to stdout. +# +function dump_lib_aarch64() { + $LIB_SYS_DUMP -a aarch64 | sed -e '/[^\t]\+\t-[0-9]\+/d' +} + # # Dump the mips system syscall table # @@ -287,6 +325,9 @@ function dump_sys() { arm) dump_sys_arm "$2" ;; + aarch64) + dump_sys_aarch64 "$2" + ;; mips) dump_sys_mips "$2" ;; @@ -324,6 +365,9 @@ function dump_lib() { arm) dump_lib_arm "$2" ;; + aarch64) + dump_lib_aarch64 "$2" + ;; mips) dump_lib_mips "$2" ;; @@ -368,7 +412,9 @@ done shift $(($OPTIND - 1)) # defaults -[[ $arches == "" ]] && arches="x86 x86_64 x32 arm mips mips64 mips64n32" +if [[ $arches == "" ]]; then + arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32" +fi # sanity checks kernel_dir="$1" diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c index 3d4d5ec..9e6b7c8 100644 --- a/src/arch-x32-syscalls.c +++ b/src/arch-x32-syscalls.c 
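Review bot: `dump_sys_aarch64` expands `$1` unquoted twice in the `gcc -E` command (`-I$1/include/uapi` and `$1/include/uapi/asm-generic/unistd.h`), so a kernel path containing whitespace or glob characters is word-split even though `dump_sys` passes `"$2"` quoted; use `-I"$1/include/uapi" -D__BITS_PER_LONG=64 "$1/include/uapi/asm-generic/unistd.h"`. The other `dump_sys_*` helpers lie outside this hunk, so whether they share the habit cannot be told from here. The thirteen `__NR3264_*` substitutions duplicate numbers that also live in arch-aarch64-syscalls.c; a comment such as `# -dM leaves the __NR_xxx __NR3264_xxx aliases unexpanded, resolve them by hand` would explain why the list exists and where to look when it drifts.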
@@ -232,6 +232,7 @@ const struct arch_syscall_def x32_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", (X32_SYSCALL_BIT + 2) }, { "open_by_handle_at", (X32_SYSCALL_BIT + 304) }, { "openat", (X32_SYSCALL_BIT + 257) }, diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c index b8bcd48..8005d28 100644 --- a/src/arch-x86-syscalls.c +++ b/src/arch-x86-syscalls.c @@ -234,6 +234,7 @@ const struct arch_syscall_def x86_syscall_table[] = { \ { "oldolduname", 59 }, { "oldstat", 18 }, { "olduname", 109 }, + { "oldwait4", __PNR_oldwait4 }, { "open", 5 }, { "open_by_handle_at", 342 }, { "openat", 295 }, diff --git a/src/arch-x86_64-syscalls.c b/src/arch-x86_64-syscalls.c index aa901e3..1f4d67c 100644 --- a/src/arch-x86_64-syscalls.c +++ b/src/arch-x86_64-syscalls.c @@ -234,6 +234,7 @@ const struct arch_syscall_def x86_64_syscall_table[] = { \ { "oldolduname", __PNR_oldolduname }, { "oldstat", __PNR_oldstat }, { "olduname", __PNR_olduname }, + { "oldwait4", __PNR_oldwait4 }, { "open", 2 }, { "open_by_handle_at", 304 }, { "openat", 257 }, diff --git a/src/arch.c b/src/arch.c index 3b2903d..12acfbf 100644 --- a/src/arch.c +++ b/src/arch.c @@ -34,6 +34,7 @@ #include "arch-x86_64.h" #include "arch-x32.h" #include "arch-arm.h" +#include "arch-aarch64.h" #include "arch-mips.h" #include "arch-mips64.h" #include "arch-mips64n32.h" @@ -49,6 +50,8 @@ const struct arch_def *arch_def_native = &arch_def_x86_64; #endif /* __ILP32__ */ #elif __arm__ const struct arch_def *arch_def_native = &arch_def_arm; +#elif __aarch64__ +const struct arch_def *arch_def_native = &arch_def_aarch64; #elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32 #if __MIPSEB__ const struct arch_def *arch_def_native = &arch_def_mips; @@ -91,6 +94,7 @@ int arch_valid(uint32_t arch) case SCMP_ARCH_MIPSEL64: case SCMP_ARCH_MIPS64N32: case SCMP_ARCH_MIPSEL64N32: + case SCMP_ARCH_AARCH64: return 0; } 
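Review bot: The new `#elif __aarch64__` branch selects `arch_def_aarch64` for every AArch64 compiler, but the token it carries is `AUDIT_ARCH_AARCH64`, which seccomp.h.in defines with `__AUDIT_ARCH_LE`, and the `aarch64_arg_offset_lo`/`_hi` split used by the arg-offset hunks on the following line assumes the low word comes first. A big-endian build (GCC predefines `__AARCH64EB__`) would therefore get a native filter whose 64-bit argument comparisons inspect the wrong halves without any diagnostic. Until a big-endian definition exists it is safer to fail loudly: `#elif __aarch64__ && !defined(__AARCH64EB__)` so the selection chain falls through to whatever the file does for unknown machines (outside this hunk), or an explicit `#error` for the big-endian case. The `arch_valid` hunk in this file also appends `case SCMP_ARCH_AARCH64:` after the MIPS cases while every other switch in the change inserts it after `SCMP_ARCH_ARM`; the same order everywhere would be cleaner.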
@@ -115,6 +119,8 @@ const struct arch_def *arch_def_lookup(uint32_t token) return &arch_def_x32; case SCMP_ARCH_ARM: return &arch_def_arm; + case SCMP_ARCH_AARCH64: + return &arch_def_aarch64; case SCMP_ARCH_MIPS: return &arch_def_mips; case SCMP_ARCH_MIPSEL: @@ -149,6 +155,8 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name) return &arch_def_x32; else if (strcmp(arch_name, "arm") == 0) return &arch_def_arm; + else if (strcmp(arch_name, "aarch64") == 0) + return &arch_def_aarch64; else if (strcmp(arch_name, "mips") == 0) return &arch_def_mips; else if (strcmp(arch_name, "mipsel") == 0) @@ -184,6 +192,8 @@ int arch_arg_count_max(const struct arch_def *arch) return x32_arg_count_max; case SCMP_ARCH_ARM: return arm_arg_count_max; + case SCMP_ARCH_AARCH64: + return aarch64_arg_count_max; case SCMP_ARCH_MIPS: case SCMP_ARCH_MIPSEL: return mips_arg_count_max; @@ -213,6 +223,8 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg) switch (arch->token) { case SCMP_ARCH_X86_64: return x86_64_arg_offset_lo(arg); + case SCMP_ARCH_AARCH64: + return aarch64_arg_offset_lo(arg); case SCMP_ARCH_MIPS64: return mips64_arg_offset_lo(arg); case SCMP_ARCH_MIPSEL64: @@ -237,6 +249,8 @@ int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg) switch (arch->token) { case SCMP_ARCH_X86_64: return x86_64_arg_offset_hi(arg); + case SCMP_ARCH_AARCH64: + return aarch64_arg_offset_hi(arg); case SCMP_ARCH_MIPS64: return mips64_arg_offset_hi(arg); case SCMP_ARCH_MIPSEL64: @@ -267,6 +281,8 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg) return x32_arg_offset(arg); case SCMP_ARCH_ARM: return arm_arg_offset(arg); + case SCMP_ARCH_AARCH64: + return aarch64_arg_offset(arg); case SCMP_ARCH_MIPS: return mips_arg_offset(arg); case SCMP_ARCH_MIPSEL: 
@@ -305,6 +321,8 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name) return x32_syscall_resolve_name(name); case SCMP_ARCH_ARM: return arm_syscall_resolve_name(name); + case SCMP_ARCH_AARCH64: + return aarch64_syscall_resolve_name(name); case SCMP_ARCH_MIPS: case SCMP_ARCH_MIPSEL: return mips_syscall_resolve_name(name); @@ -340,6 +358,8 @@ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num) return x32_syscall_resolve_num(num); case SCMP_ARCH_ARM: return arm_syscall_resolve_num(num); + case SCMP_ARCH_AARCH64: + return aarch64_syscall_resolve_num(num); case SCMP_ARCH_MIPS: case SCMP_ARCH_MIPSEL: return mips_syscall_resolve_num(num); diff --git a/src/gen_pfc.c b/src/gen_pfc.c index 8fb66f1..3484dab 100644 --- a/src/gen_pfc.c +++ b/src/gen_pfc.c @@ -57,6 +57,8 @@ static const char *_pfc_arch(const struct arch_def *arch) return "x32"; case SCMP_ARCH_ARM: return "arm"; + case SCMP_ARCH_AARCH64: + return "aarch64"; case SCMP_ARCH_MIPS: return "mips"; case SCMP_ARCH_MIPSEL: diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd index 24cbe68..2b50f3f 100644 --- a/src/python/libseccomp.pxd +++ b/src/python/libseccomp.pxd @@ -31,6 +31,7 @@ cdef extern from "seccomp.h": SCMP_ARCH_X86_64 SCMP_ARCH_X32 SCMP_ARCH_ARM + SCMP_ARCH_AARCH64 SCMP_ARCH_MIPS SCMP_ARCH_MIPS64 SCMP_ARCH_MIPS64N32 diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx index 3721c50..d2f7c90 100644 --- a/src/python/seccomp.pyx +++ b/src/python/seccomp.pyx @@ -140,6 +140,7 @@ cdef class Arch: X86_64 - 64-bit x86 X32 - 64-bit x86 using the x32 ABI ARM - ARM + AARCH64 - 64-bit ARM MIPS - MIPS O32 ABI MIPS64 - MIPS 64-bit ABI MIPS64N32 - MIPS N32 ABI @@ -155,6 +156,7 @@ cdef class Arch: X86_64 = libseccomp.SCMP_ARCH_X86_64 X32 = libseccomp.SCMP_ARCH_X32 ARM = libseccomp.SCMP_ARCH_ARM + AARCH64 = libseccomp.SCMP_ARCH_AARCH64 MIPS = libseccomp.SCMP_ARCH_MIPS MIPS64 = libseccomp.SCMP_ARCH_MIPS64 MIPS64N32 = libseccomp.SCMP_ARCH_MIPS64N32 
@@ -182,6 +184,8 @@ cdef class Arch: self._token = libseccomp.SCMP_ARCH_X32 elif arch == libseccomp.SCMP_ARCH_ARM: self._token = libseccomp.SCMP_ARCH_ARM + elif arch == libseccomp.SCMP_ARCH_AARCH64: + self._token = libseccomp.SCMP_ARCH_AARCH64 elif arch == libseccomp.SCMP_ARCH_MIPS: self._token = libseccomp.SCMP_ARCH_MIPS elif arch == libseccomp.SCMP_ARCH_MIPS64: diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c index 83bbfd5..20577ef 100644 --- a/tests/04-sim-multilevel_chains.c +++ b/tests/04-sim-multilevel_chains.c 
@@ -41,40 +41,39 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, - SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO), - SCMP_A1(SCMP_CMP_NE, 0x0), - SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, - SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), - SCMP_A1(SCMP_CMP_NE, 0x0), - SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, - SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO), - SCMP_A1(SCMP_CMP_NE, 0x0), - SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py index e40deee..73a6921 100755 --- a/tests/04-sim-multilevel_chains.py 
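Review bot: Replacing seccomp_rule_add_exact() with seccomp_rule_add() for every rule in main() changes what this test asserts: as I read the API, the exact variant fails when a rule cannot be expressed as written for some architecture in the filter, while the plain variant lets libseccomp adapt or omit the rule without error, so a rule that vanishes on one architecture (presumably `open` on aarch64, which the companion `.tests` file now excludes with `all,-aarch64`) is no longer reported here. That is a defensible trade for a multi-architecture simulation test, but the reason should be recorded so it is neither reverted nor copied into production filters, where the exact variant is the safer default; I would add above the first rule `/* seccomp_rule_add(), not _exact(): open(2) has no aarch64 syscall, so let libseccomp drop that rule there */`. main() begins before and continues after this hunk.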
+++ b/tests/04-sim-multilevel_chains.py @@ -30,22 +30,22 @@ from seccomp import * def test(args): f = SyscallFilter(KILL) - f.add_rule_exactly(ALLOW, "open"); - f.add_rule_exactly(ALLOW, "close"); - f.add_rule_exactly(ALLOW, "read", - Arg(0, EQ, sys.stdin.fileno()), - Arg(1, NE, 0), - Arg(2, LT, sys.maxsize)); - f.add_rule_exactly(ALLOW, "write", - Arg(0, EQ, sys.stdout.fileno()), - Arg(1, NE, 0), - Arg(2, LT, sys.maxsize)); - f.add_rule_exactly(ALLOW, "write", - Arg(0, EQ, sys.stderr.fileno()), - Arg(1, NE, 0), - Arg(2, LT, sys.maxsize)); - f.add_rule_exactly(ALLOW, "close"); - f.add_rule_exactly(ALLOW, "rt_sigreturn"); + f.add_rule(ALLOW, "open"); + f.add_rule(ALLOW, "close"); + f.add_rule(ALLOW, "read", + Arg(0, EQ, sys.stdin.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule(ALLOW, "write", + Arg(0, EQ, sys.stdout.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule(ALLOW, "write", + Arg(0, EQ, sys.stderr.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule(ALLOW, "close"); + f.add_rule(ALLOW, "rt_sigreturn"); return f args = util.get_opt() diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests index cefbc4f..6613f9a 100644 --- a/tests/04-sim-multilevel_chains.tests +++ b/tests/04-sim-multilevel_chains.tests 
@@ -7,29 +7,29 @@ test type: bpf-sim -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -04-sim-multilevel_chains all open 0x856B008 4 N N N N ALLOW -04-sim-multilevel_chains all close 4 N N N N N ALLOW -04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW -04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW -04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL -04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL -04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL -04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL -04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL -04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW -04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW -04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL -04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL -04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL -04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL -04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL -04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW -04-sim-multilevel_chains x86 0-2 N N N N N N KILL -04-sim-multilevel_chains x86 7-172 N N N N N N KILL -04-sim-multilevel_chains x86 174-350 N N N N N N KILL -04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL -04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW +04-sim-multilevel_chains all close 4 N N N N N ALLOW +04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW +04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW +04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL 
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL +04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL +04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL +04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL +04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW +04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW +04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL +04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL +04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL +04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL +04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL +04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW +04-sim-multilevel_chains x86 0-2 N N N N N N KILL +04-sim-multilevel_chains x86 7-172 N N N N N N KILL +04-sim-multilevel_chains x86 174-350 N N N N N N KILL +04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL +04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL test type: bpf-sim-fuzz diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c index 4dbe19f..0490783 100644 --- a/tests/06-sim-actions.c +++ b/tests/06-sim-actions.c 
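Review bot: The negative rows that sweep syscall-number ranges and expect KILL (`x86 0-2`, `x86 7-172`, `x86 174-350`, `x86_64 4-14`, `x86_64 16-350`) exist only for x86 and x86_64, so adding aarch64 to the `all` rows checks that the allowed calls pass but never that anything else is killed on aarch64; a mis-numbered entry in the new aarch64 table that aliases another syscall onto read, write or close would go unnoticed. Matching `04-sim-multilevel_chains aarch64 <range> N N N N N N KILL` rows bracketing the aarch64 numbers of the allowed syscalls, the way the x86 rows bracket 3-6 and 173, would close that gap. The `all,-aarch64 open` exclusion also removes the only file-open row for aarch64 without adding a replacement; since the filter has no openat rule, an explicit `04-sim-multilevel_chains aarch64 openat N N N N N N KILL` row would document the expected behaviour rather than leave it untested.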
@@ -40,21 +40,19 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0); if (rc != 0) goto out; diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests index f09f0a0..d0c2e44 100644 --- a/tests/06-sim-actions.tests +++ b/tests/06-sim-actions.tests @@ -7,14 +7,14 @@ test type: bpf-sim -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -06-sim-actions all read 4 0x856B008 80 N N N ALLOW -06-sim-actions all write 1 0x856B008 N N N N ERRNO(1) -06-sim-actions all close 4 N N N N N TRAP -06-sim-actions all open 0x856B008 4 N N N N TRACE(1234) -06-sim-actions x86 0-2 N N N N N N KILL -06-sim-actions x86 7-350 N N N N N N KILL -06-sim-actions x86_64 4-350 N N N N N N KILL +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +06-sim-actions all read 4 0x856B008 80 N N N ALLOW +06-sim-actions all write 1 0x856B008 N N N N ERRNO(1) +06-sim-actions all close 4 N N N N N TRAP +06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234) +06-sim-actions x86 0-2 N N N N N N KILL +06-sim-actions x86 7-350 N N N N N N KILL +06-sim-actions x86_64 4-350 N N N N N N KILL test type: bpf-sim-fuzz diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c index efc8696..9771913 100644 --- a/tests/16-sim-arch_basic.c +++ b/tests/16-sim-arch_basic.c 
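Review bot: Excluding aarch64 from the `open` row (`all,-aarch64`) leaves SCMP_ACT_TRACE(1234), one of the four actions this test exists to exercise, unverified on aarch64, and as there is no KILL-range row for aarch64 either, that architecture only ever checks ALLOW, ERRNO and TRAP here. The filter in 06-sim-actions.c has no openat rule, so the honest complement is an explicit `06-sim-actions aarch64 openat N N N N N N KILL` row stating that open's replacement is not traced there, or moving the TRACE rule onto a syscall every supported architecture has. A one-line comment next to the exclusion explaining that aarch64 lacks open(2) would also save the next reader from guessing why this row alone is arch-qualified.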
@@ -54,6 +54,9 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); if (rc != 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); diff --git a/tests/16-sim-arch_basic.py b/tests/16-sim-arch_basic.py index ddd3f65..57a5ac3 100755 --- a/tests/16-sim-arch_basic.py +++ b/tests/16-sim-arch_basic.py @@ -35,6 +35,7 @@ def test(args): f.add_arch(Arch("x86_64")) f.add_arch(Arch("x32")) f.add_arch(Arch("arm")) + f.add_arch(Arch("aarch64")) f.add_arch(Arch("mipsel")) f.add_arch(Arch("mipsel64")) f.add_arch(Arch("mipsel64n32")) diff --git a/tests/20-live-basic_die.c b/tests/20-live-basic_die.c index 5e6a99b..926875f 100644 --- a/tests/20-live-basic_die.c +++ b/tests/20-live-basic_die.c @@ -47,12 +47,10 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (rc != 0) goto out; diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py index 2b07776..c9f437f 100755 --- a/tests/20-live-basic_die.py +++ b/tests/20-live-basic_die.py @@ -33,8 +33,8 @@ def test(): if action == TRAP: util.install_trap() f = SyscallFilter(action) - f.add_rule_exactly(ALLOW, "rt_sigreturn") - f.add_rule_exactly(ALLOW, "exit_group") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "exit_group") f.load() try: util.write_file("/dev/null") diff --git a/tests/21-live-basic_allow.c b/tests/21-live-basic_allow.c index 690f98e..4960e1b 100644 --- a/tests/21-live-basic_allow.c +++ b/tests/21-live-basic_allow.c 
@@ -45,21 +45,22 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (rc != 0) goto out; diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py index 1332f2e..97dd61a 100755 --- a/tests/21-live-basic_allow.py +++ b/tests/21-live-basic_allow.py 
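Review bot: The new `SCMP_SYS(openat)` ALLOW rule carries no comment, and its purpose is only inferable from the rest of the series: aarch64 presumably has no open(2), so libc's open() reaches the kernel via openat(2), and with seccomp_rule_add() the `open` rule is quietly skipped there instead of failing. Record that beside the rule, e.g. `/* aarch64 has no open(2); glibc routes open() through openat(2), so allow both */`, and note that the open rule now exists only on architectures that define it. Because both rules are unconstrained (argument count 0), allowing openat on every architecture widens this allowlist everywhere, which is acceptable for a live test but is exactly the kind of quiet broadening a production filter author should not copy without thinking about dirfd-relative opens. main() begins before and continues after this hunk.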
@@ -35,17 +35,18 @@ def test(): util.install_trap() f = SyscallFilter(TRAP) # NOTE: additional syscalls required for python - f.add_rule_exactly(ALLOW, "stat") - f.add_rule_exactly(ALLOW, "fstat") - f.add_rule_exactly(ALLOW, "open") - f.add_rule_exactly(ALLOW, "mmap") - f.add_rule_exactly(ALLOW, "munmap") - f.add_rule_exactly(ALLOW, "read") - f.add_rule_exactly(ALLOW, "write") - f.add_rule_exactly(ALLOW, "close") - f.add_rule_exactly(ALLOW, "rt_sigaction") - f.add_rule_exactly(ALLOW, "rt_sigreturn") - f.add_rule_exactly(ALLOW, "exit_group") + f.add_rule(ALLOW, "stat") + f.add_rule(ALLOW, "fstat") + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "openat") + f.add_rule(ALLOW, "mmap") + f.add_rule(ALLOW, "munmap") + f.add_rule(ALLOW, "read") + f.add_rule(ALLOW, "write") + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigaction") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "exit_group") f.load() try: util.write_file("/dev/null") diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c index 9e820e1..eeb8556 100644 --- a/tests/23-sim-arch_all_le_basic.c +++ b/tests/23-sim-arch_all_le_basic.c @@ -54,6 +54,9 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("arm")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64")); if (rc != 0) goto out; rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel")); diff --git a/tests/23-sim-arch_all_le_basic.py b/tests/23-sim-arch_all_le_basic.py index eba5152..36ab139 100755 --- a/tests/23-sim-arch_all_le_basic.py +++ b/tests/23-sim-arch_all_le_basic.py @@ -35,6 +35,7 @@ def test(args): f.add_arch(Arch("x86_64")) f.add_arch(Arch("x32")) f.add_arch(Arch("arm")) + f.add_arch(Arch("aarch64")) f.add_arch(Arch("mipsel")) f.add_arch(Arch("mipsel64")) f.add_arch(Arch("mipsel64n32")) diff --git a/tests/24-live-arg_allow.c b/tests/24-live-arg_allow.c index 2ee8377..a13caa8 100644 
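Review bot: With `add_rule` the names in this allowlist are resolved per architecture and skipped without error where the syscall does not exist, so the `# NOTE: additional syscalls required for python` list is now architecture-dependent: `open` (and presumably `stat`) have no aarch64 entry, which is why `openat` was added, and any aarch64-only call the interpreter makes instead (the fstatat family would be my first suspect) would hit TRAP with nothing in this file explaining why. I would extend the note to `# NOTE: names without an aarch64 syscall (open, stat) are dropped there by add_rule(); openat covers open()` so a failing run on that architecture points straight at the list. test() begins before and continues after this hunk.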
--- a/tests/24-live-arg_allow.c +++ b/tests/24-live-arg_allow.c @@ -58,19 +58,17 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, - SCMP_A0(SCMP_CMP_EQ, fd)); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, fd)); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); if (rc != 0) goto out; - rc = seccomp_rule_add_exact(ctx, - SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (rc != 0) goto out; diff --git a/tests/24-live-arg_allow.py b/tests/24-live-arg_allow.py index 32c63ec..7df970a 100755 --- a/tests/24-live-arg_allow.py +++ b/tests/24-live-arg_allow.py @@ -39,11 +39,11 @@ def test(): f = SyscallFilter(TRAP) # NOTE: additional syscalls required for python - f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, fd)) - f.add_rule_exactly(ALLOW, "close") - f.add_rule_exactly(ALLOW, "rt_sigaction") - f.add_rule_exactly(ALLOW, "rt_sigreturn") - f.add_rule_exactly(ALLOW, "exit_group") + f.add_rule(ALLOW, "write", Arg(0, EQ, fd)) + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigaction") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "exit_group") f.load() try: diff --git a/tests/regression b/tests/regression index e7465d3..1d68ebc 100755 --- a/tests/regression +++ b/tests/regression @@ -21,7 +21,7 @@ # along with this library; if not, see . # -GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm mipsel mipsel64 mipsel64n32" +GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm aarch64 mipsel mipsel64 mipsel64n32" GLBL_ARCH_BE_SUPPORT="mips mips64 mips64n32" GLBL_SYS_ARCH="../tools/scmp_arch_detect" 
@@ -669,7 +669,7 @@ function run_test_live() { # setup the arch specific return values case "$arch" in - x86|x86_64|x32|arm) + x86|x86_64|x32|arm|aarch64) rc_kill=159 rc_allow=160 rc_trap=161 diff --git a/tools/scmp_arch_detect.c b/tools/scmp_arch_detect.c index d7f91b3..5a87252 100644 --- a/tools/scmp_arch_detect.c +++ b/tools/scmp_arch_detect.c @@ -78,6 +78,9 @@ int main(int argc, char *argv[]) case SCMP_ARCH_ARM: printf("arm\n"); break; + case SCMP_ARCH_AARCH64: + printf("aarch64\n"); + break; case SCMP_ARCH_MIPS: printf("mips\n"); break; diff --git a/tools/scmp_bpf_disasm.c b/tools/scmp_bpf_disasm.c index 98021dc..349b8a8 100644 --- a/tools/scmp_bpf_disasm.c +++ b/tools/scmp_bpf_disasm.c @@ -320,6 +320,8 @@ int main(int argc, char *argv[]) arch = AUDIT_ARCH_X86_64; else if (strcmp(optarg, "arm") == 0) arch = AUDIT_ARCH_ARM; + else if (strcmp(optarg, "aarch64") == 0) + arch = AUDIT_ARCH_AARCH64; else if (strcmp(optarg, "mips") == 0) arch = AUDIT_ARCH_MIPS; else if (strcmp(optarg, "mipsel") == 0) diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c index c9333f3..bb3a2e7 100644 --- a/tools/scmp_bpf_sim.c +++ b/tools/scmp_bpf_sim.c @@ -235,6 +235,8 @@ int main(int argc, char *argv[]) arch = AUDIT_ARCH_X86_64; else if (strcmp(optarg, "arm") == 0) arch = AUDIT_ARCH_ARM; + else if (strcmp(optarg, "aarch64") == 0) + arch = AUDIT_ARCH_AARCH64; else if (strcmp(optarg, "mips") == 0) arch = AUDIT_ARCH_MIPS; else if (strcmp(optarg, "mipsel") == 0) diff --git a/tools/util.c b/tools/util.c index 4927faa..9b58bbb 100644 --- a/tools/util.c +++ b/tools/util.c @@ -42,6 +42,8 @@ #endif /* __ILP32__ */ #elif __arm__ #define ARCH_NATIVE AUDIT_ARCH_ARM +#elif __aarch64__ +#define ARCH_NATIVE AUDIT_ARCH_AARCH64 #elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32 #if __MIPSEB__ #define ARCH_NATIVE AUDIT_ARCH_MIPS diff --git a/tools/util.h b/tools/util.h index 6564472..13ef59f 100644 --- a/tools/util.h +++ b/tools/util.h 
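Review bot: The `-a` option handling in scmp_bpf_disasm.c and scmp_bpf_sim.c is now a third hand-maintained strcmp() chain mapping names to AUDIT_ARCH_* tokens, parallel to arch_def_lookup_name() in src/arch.c and the printable names in scmp_arch_detect.c, so every new architecture must be added in all of them and an omission is silent (the chain's default behaviour is outside this hunk). If these tools link against the library, the public API already exposes this mapping, as the tests' use of `seccomp_arch_resolve_name("aarch64")` shows, and the chain could collapse to `arch = seccomp_arch_resolve_name(optarg); if (arch == 0) exit_usage(argv[0]);` (0 being the failure value as I recall the contract). If they are deliberately standalone, a comment saying so and pointing at arch.c as the list to mirror would stop the two from drifting. The main() functions begin before and continue after these hunks.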
@@ -23,6 +23,7 @@ #define _UTIL_H #include +#include #ifndef __AUDIT_ARCH_CONVENTION_MIPS64_N32 #define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000 @@ -40,6 +41,11 @@ __AUDIT_ARCH_CONVENTION_MIPS64_N32) #endif +#ifndef AUDIT_ARCH_AARCH64 +/* AArch64 support for audit was merged in 3.17-rc1 */ +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + extern uint32_t arch; void exit_usage(const char *program); -- cgit v1.2.1
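Review bot: The fallback `#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)` covers a pre-3.17 linux/audit.h but still assumes `EM_AARCH64` is provided by whichever ELF header the new `#include` pulls in (its name was lost in rendering); on a toolchain old enough to lack the audit token, that constant is just as likely to be missing, and the build then fails with an undeclared-identifier error on this line rather than a useful message. Guard it the same way, `#ifndef EM_AARCH64` / `#define EM_AARCH64 183` / `#endif`, 183 being the ELF machine number assigned to AArch64. The comment already names the kernel version the fallback targets; keeping that precise makes it easy to delete both defines once the minimum supported kernel headers move past 3.17.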