1
0
forked from jengelh/libseccomp

Accepting request 395558 from security

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/395558
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libseccomp?expand=0&rev=17
This commit is contained in:
Dominique Leuenberger 2016-05-24 07:33:31 +00:00 committed by Git OBS Bridge
commit bfa03c5070
8 changed files with 38 additions and 310 deletions

View File

@ -1,204 +0,0 @@
From 73d83e45efbe8c31067c97155162f17ca51b7435 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Fri, 8 Apr 2016 17:10:03 -0400
Subject: [PATCH] arch: fix a number of 32-bit x86 failures related to socket
syscalls
It turns out there was still a few bugs with the 32-bit x86 socket
syscalls, especially on systems with older kernel headers installed.
This patch corrects these problems and perhaps more importantly,
returns the resolver API functions to returning the negative pseudo
syscall numbers in the case of 32-bit x86, this helps ensure things
continue to work as they did before as the API does not change.
It it important to note that libseccomp still generates filter code
for both multiplexed and direct socket syscalls regardless.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
src/arch-x86-syscalls.c | 84 ++++++++++++++++++++++++++++++++++++++
src/arch-x86.c | 23 +++++++++--
tests/30-sim-socket_syscalls.tests | 3 +-
3 files changed, 105 insertions(+), 5 deletions(-)
diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c
index e51dd83..58e0597 100644
--- a/src/arch-x86-syscalls.c
+++ b/src/arch-x86-syscalls.c
@@ -469,6 +469,48 @@ int x86_syscall_resolve_name(const char *name)
const struct arch_syscall_def *table = x86_syscall_table;
/* XXX - plenty of room for future improvement here */
+
+ if (strcmp(name, "accept") == 0)
+ return __PNR_accept;
+ if (strcmp(name, "accept4") == 0)
+ return __PNR_accept4;
+ else if (strcmp(name, "bind") == 0)
+ return __PNR_bind;
+ else if (strcmp(name, "connect") == 0)
+ return __PNR_connect;
+ else if (strcmp(name, "getpeername") == 0)
+ return __PNR_getpeername;
+ else if (strcmp(name, "getsockname") == 0)
+ return __PNR_getsockname;
+ else if (strcmp(name, "getsockopt") == 0)
+ return __PNR_getsockopt;
+ else if (strcmp(name, "listen") == 0)
+ return __PNR_listen;
+ else if (strcmp(name, "recv") == 0)
+ return __PNR_recv;
+ else if (strcmp(name, "recvfrom") == 0)
+ return __PNR_recvfrom;
+ else if (strcmp(name, "recvmsg") == 0)
+ return __PNR_recvmsg;
+ else if (strcmp(name, "recvmmsg") == 0)
+ return __PNR_recvmmsg;
+ else if (strcmp(name, "send") == 0)
+ return __PNR_send;
+ else if (strcmp(name, "sendmsg") == 0)
+ return __PNR_sendmsg;
+ else if (strcmp(name, "sendmmsg") == 0)
+ return __PNR_sendmmsg;
+ else if (strcmp(name, "sendto") == 0)
+ return __PNR_sendto;
+ else if (strcmp(name, "setsockopt") == 0)
+ return __PNR_setsockopt;
+ else if (strcmp(name, "shutdown") == 0)
+ return __PNR_shutdown;
+ else if (strcmp(name, "socket") == 0)
+ return __PNR_socket;
+ else if (strcmp(name, "socketpair") == 0)
+ return __PNR_socketpair;
+
for (iter = 0; table[iter].name != NULL; iter++) {
if (strcmp(name, table[iter].name) == 0)
return table[iter].num;
@@ -492,6 +534,48 @@ const char *x86_syscall_resolve_num(int num)
const struct arch_syscall_def *table = x86_syscall_table;
/* XXX - plenty of room for future improvement here */
+
+ if (num == __PNR_accept)
+ return "accept";
+ else if (num == __PNR_accept4)
+ return "accept4";
+ else if (num == __PNR_bind)
+ return "bind";
+ else if (num == __PNR_connect)
+ return "connect";
+ else if (num == __PNR_getpeername)
+ return "getpeername";
+ else if (num == __PNR_getsockname)
+ return "getsockname";
+ else if (num == __PNR_getsockopt)
+ return "getsockopt";
+ else if (num == __PNR_listen)
+ return "listen";
+ else if (num == __PNR_recv)
+ return "recv";
+ else if (num == __PNR_recvfrom)
+ return "recvfrom";
+ else if (num == __PNR_recvmsg)
+ return "recvmsg";
+ else if (num == __PNR_recvmmsg)
+ return "recvmmsg";
+ else if (num == __PNR_send)
+ return "send";
+ else if (num == __PNR_sendmsg)
+ return "sendmsg";
+ else if (num == __PNR_sendmmsg)
+ return "sendmmsg";
+ else if (num == __PNR_sendto)
+ return "sendto";
+ else if (num == __PNR_setsockopt)
+ return "setsockopt";
+ else if (num == __PNR_shutdown)
+ return "shutdown";
+ else if (num == __PNR_socket)
+ return "socket";
+ else if (num == __PNR_socketpair)
+ return "socketpair";
+
for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) {
if (num == table[iter].num)
return table[iter].name;
diff --git a/src/arch-x86.c b/src/arch-x86.c
index 76a1e7e..1bab53f 100644
--- a/src/arch-x86.c
+++ b/src/arch-x86.c
@@ -104,6 +104,15 @@ int _x86_sock_demux(int socketcall)
case -117:
/* recvmsg */
return 372;
+ case -118:
+ /* accept4 */
+ return 364;
+ case -119:
+ /* recvmmsg */
+ return 337;
+ case -120:
+ /* sendmmsg */
+ return 345;
}
return __NR_SCMP_ERROR;
@@ -120,6 +129,12 @@ int _x86_sock_demux(int socketcall)
int _x86_sock_mux(int syscall)
{
switch (syscall) {
+ case 337:
+ /* recvmmsg */
+ return -119;
+ case 345:
+ /* sendmmsg */
+ return -120;
case 359:
/* socket */
return -101;
@@ -137,7 +152,7 @@ int _x86_sock_mux(int syscall)
return -104;
case 364:
/* accept4 */
- return __NR_SCMP_UNDEF;
+ return -118;
case 365:
/* getsockopt */
return -115;
@@ -183,7 +198,7 @@ int x86_syscall_rewrite(int *syscall)
{
int sys = *syscall;
- if (sys <= -100 && sys >= -117)
+ if (sys <= -100 && sys >= -120)
*syscall = __x86_NR_socketcall;
else if (sys <= -200 && sys >= -211)
*syscall = __x86_NR_ipc;
@@ -215,8 +230,8 @@ int x86_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict,
int sys_a, sys_b;
struct db_api_rule_list *rule_a, *rule_b;
- if ((sys <= -100 && sys >= -117) || (sys >= 359 && sys <= 373)) {
- /* (-100 to -117) : multiplexed socket syscalls
+ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
+ /* (-100 to -120) : multiplexed socket syscalls
(359 to 373) : direct socket syscalls, Linux 4.4+ */
/* strict check for the multiplexed socket syscalls */
diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests
index 413629f..9d54b0e 100644
--- a/tests/30-sim-socket_syscalls.tests
+++ b/tests/30-sim-socket_syscalls.tests
@@ -18,7 +18,8 @@ test type: bpf-sim
30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW
30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL
-30-sim-socket_syscalls +x86 accept4 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL
30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
--
2.6.6

View File

@ -1,76 +0,0 @@
From 13e0bae9571c195ee979a66b329aa538b87ee65d Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 19 Apr 2016 10:58:34 -0400
Subject: [PATCH] tests: replace socket syscall references in 15-basic-resolver
On 32-bit x86 the resolved socket syscall() doesn't always resolve to
the __NR_socket value due to the direct wired socket syscall so
replace it with the read() syscall to ensure the test doesn't fail.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
tests/15-basic-resolver.c | 8 ++++----
tests/15-basic-resolver.py | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
index eff54fe..b3c9497 100644
--- a/tests/15-basic-resolver.c
+++ b/tests/15-basic-resolver.c
@@ -31,7 +31,7 @@ int main(int argc, char *argv[])
if (seccomp_syscall_resolve_name("open") != __NR_open)
goto fail;
- if (seccomp_syscall_resolve_name("socket") != __NR_socket)
+ if (seccomp_syscall_resolve_name("read") != __NR_read)
goto fail;
if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
goto fail;
@@ -40,7 +40,7 @@ int main(int argc, char *argv[])
"open") != __NR_open)
goto fail;
if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE,
- "socket") != __NR_socket)
+ "read") != __NR_read)
goto fail;
if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE,
"INVALID") != __NR_SCMP_ERROR)
@@ -51,8 +51,8 @@ int main(int argc, char *argv[])
goto fail;
free(name);
- name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_socket);
- if (name == NULL || strcmp(name, "socket") != 0)
+ name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_read);
+ if (name == NULL || strcmp(name, "read") != 0)
goto fail;
free(name);
diff --git a/tests/15-basic-resolver.py b/tests/15-basic-resolver.py
index 329754e..12c4d7d 100755
--- a/tests/15-basic-resolver.py
+++ b/tests/15-basic-resolver.py
@@ -33,7 +33,7 @@ def test():
# this differs from the native test as we don't support the syscall
# resolution functions by themselves
f.add_rule(ALLOW, "open")
- f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "read")
try:
f.add_rule(ALLOW, "INVALID")
except RuntimeError:
@@ -43,9 +43,9 @@ def test():
sys_name = resolve_syscall(Arch(), sys_num)
if (sys_name != "open"):
raise RuntimeError("Test failure")
- sys_num = resolve_syscall(Arch(), "socket")
+ sys_num = resolve_syscall(Arch(), "read")
sys_name = resolve_syscall(Arch(), sys_num)
- if (sys_name != "socket"):
+ if (sys_name != "read"):
raise RuntimeError("Test failure")
test()
--
2.6.6

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d
size 546948

View File

@ -1,21 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d libseccomp-2.3.0.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW1FzeAAoJEFXkWlroynyKK8QP/RsRk8DTEunGO2eWpUpMYSOO
oBog4vn3zjqhgWd9kJOPCf3IYaEE2fC/Z87hvGm/2NWP6wNMnZ1g1D+W38TI2mq2
P0ztM1rFgWCK/6tZ3O+255OLvgFpC3D7Dqfr+4BniGPyBedYV7d/4fC0qed3rMHY
Y2wWRcjET5HlrWb4ef/uWWWN39YT1hRg1SSzShebKKOfGKTr6C458ggYIgBtBP/y
1nid2Ym/oQwDlKqQV1pGHwf4q0dPBog2GTnavMM+ge7L1FbvRKWFEGex9C36wcN/
hzxUTG9q7+w5l4YaFpc32TTzmLLRdEb9Ykhu4qJ2Il7x/LKVaavWfJMjSt/X4/65
Ika+tPAUbyA4aWB+c0cBpRMmFtXJHueZCbb2edMGTwPJzkJnNWh1YIK9SBcCXF+8
SZ85LdyFbK98tFMuUj+oSJLlFtxnsUshrN7+qPRXLfkIQ7tKaIE+GuLT3oDqwHOL
q5H++4WJv63jFNLSkHoOJe9YSrUITqjKo6zDKMLkSsgbu8UNQrLLn4f8XZV0K352
qHKP/PxaVaZvshrKZ4VR9/r8sihMtWpqYx/GpaQoJID9GI6z5L0b741FeJ4w0Enw
IXRh4NIBe77LuRRy5I35diGoaiTlhDhOPUg7LCYHht/GTHkGgZ9Y06fhzCWuUNDA
FS9ak169Uod6oSnX3X7Y
=kJQO
-----END PGP SIGNATURE-----

3
libseccomp-2.3.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b
size 552299

View File

@ -0,0 +1,21 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b libseccomp-2.3.1.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXF+KwAAoJEFXkWlroynyKcUcP/18AlU1aohqM1V3KkUQgLv6P
Ka6ZPddIdS3BqcXxScPhNUQuSK2QuxcxZb+RBXGS9Cx/zYrlcXrv6M0Uzgc5q9jB
IS4fYHj8yB4odmjMWb1wohrwXHrt5+lmTsGmw7apKkuqeOjwFdKqaR10eWd7DaSq
tJAQ7evImCRM3rsIXk0hvtkDCon5K5LZieHjejJ59D2z9Nrghp2Urf8dXwT1uFPq
bFZ4AngMzs41K5052iWVZGAskcyi4tc8f11gd2Ao34rP6hmW0VaJCKszyvC0gOqV
jBtHMwf3OwjuU9xUKHEqEB1uoF1AxZnwS3mkXBeli414XXXI8rKLtJUylyjJ+3b0
CT6puXmoscBJaDxe6oVm6yRZrHOp3TtQzTVV0uAABiQcDbbIlmjRMvOTYcjispH8
73CRupEb3eTl5Kwx/yB/0Z+ml0FI9pnB8UtaiBGJIfqL/uIEPcio4UxR4YJR0NiN
Euc2pBVUHdK6bVIcc4ntLc9aaqxVvGj5Nvsy+ptfnUTWJ0MvzyX6mYsp5/iUNAL2
lLux66+rUqr+GU2o+USNXIQ+CIb1mLZizYtgxYrEjE+fyVJWb9hoEHRIzuzdLI4d
ZMJcCxe2QdHzl1CNtGalC0q4XDXJf9swxW4WjGFODkrdt5tG2zyjJ0WkscgduWCZ
1BBGwp05jg84FtP5DzNE
=JDAl
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Sat May 7 23:11:02 UTC 2016 - jengelh@inai.de
- Update to new upstream release 2.3.1
* arch: fix the multiplexed ipc() syscalls
* s390: handle multiplexed syscalls correctly
- Remove 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch,
0001-tests-replace-socket-syscall-references-in-15-basic-.patch
(fixed upstream)
-------------------------------------------------------------------
Tue Apr 19 16:00:29 UTC 2016 - jengelh@inai.de

View File

@ -18,7 +18,7 @@
Name: libseccomp
%define lname libseccomp2
Version: 2.3.0
Version: 2.3.1
Release: 0
Summary: An enhanced Seccomp (mode 2) helper library
License: LGPL-2.1
@ -30,8 +30,6 @@ Source: https://github.com/seccomp/libseccomp/releases/download/v%versio
Source2: https://github.com/seccomp/libseccomp/releases/download/v%version/%name-%version.tar.gz.SHA256SUM.asc
Source99: baselibs.conf
Patch1: no-static.diff
Patch2: 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
Patch3: 0001-tests-replace-socket-syscall-references-in-15-basic-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf
BuildRequires: automake >= 1.11
@ -99,15 +97,15 @@ This subpackage contains debug utilities for the seccomp interface.
%prep
%setup -q
%patch -P 1 -P 2 -P 3 -p1
%patch -P 1 -p1
%build
if [ ! -e configure ]; then
if [ ! -f configure ]; then
perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [2.3.0])}' configure.ac
fi
autoreconf -fi
%configure --includedir="%_includedir/%name" --disable-static
make %{?_smp_mflags};
make %{?_smp_mflags}
%install
%make_install