From b86b015d24759ed3d313ba469af0e09fdcb49e7880a2be25a0fac4fffe3bc707 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sat, 7 May 2016 23:18:37 +0000
Subject: [PATCH] libseccomp-2.3.1

OBS-URL: https://build.opensuse.org/package/show/security/libseccomp?expand=0&rev=50
---
 ...r-of-32-bit-x86-failures-related-to-.patch | 204 ------------------
 ...cket-syscall-references-in-15-basic-.patch | 76 -------
 libseccomp-2.3.0.tar.gz | 3 -
 libseccomp-2.3.0.tar.gz.SHA256SUM.asc | 21 --
 libseccomp-2.3.1.tar.gz | 3 +
 libseccomp-2.3.1.tar.gz.SHA256SUM.asc | 21 ++
 libseccomp.changes | 10 +
 libseccomp.spec | 10 +-
 8 files changed, 38 insertions(+), 310 deletions(-)
 delete mode 100644 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
 delete mode 100644 0001-tests-replace-socket-syscall-references-in-15-basic-.patch
 delete mode 100644 libseccomp-2.3.0.tar.gz
 delete mode 100644 libseccomp-2.3.0.tar.gz.SHA256SUM.asc
 create mode 100644 libseccomp-2.3.1.tar.gz
 create mode 100644 libseccomp-2.3.1.tar.gz.SHA256SUM.asc
diff --git a/0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch b/0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
deleted file mode 100644
index c9f80eb..0000000
--- a/0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
+++ /dev/null
@@ -1,204 +0,0 @@ -From 73d83e45efbe8c31067c97155162f17ca51b7435 Mon Sep 17 00:00:00 2001 -From: Paul Moore -Date: Fri, 8 Apr 2016 17:10:03 -0400 -Subject: [PATCH] arch: fix a number of 32-bit x86 failures related to socket - syscalls - -It turns out there was still a few bugs with the 32-bit x86 socket -syscalls, especially on systems with older kernel headers installed. -This patch corrects these problems and perhaps more importantly, -returns the resolver API functions to returning the negative pseudo -syscall numbers in the case of 32-bit x86, this helps ensure things -continue to work as they did before as the API does not change. - -It it important to note that libseccomp still generates filter code -for both multiplexed and direct socket syscalls regardless. - -Signed-off-by: Paul Moore ---- - src/arch-x86-syscalls.c | 84 ++++++++++++++++++++++++++++++++++++++ - src/arch-x86.c | 23 +++++++++-- - tests/30-sim-socket_syscalls.tests | 3 +- - 3 files changed, 105 insertions(+), 5 deletions(-) - -diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c -index e51dd83..58e0597 100644 ---- a/src/arch-x86-syscalls.c -+++ b/src/arch-x86-syscalls.c -@@ -469,6 +469,48 @@ int x86_syscall_resolve_name(const char *name) - const struct arch_syscall_def *table = x86_syscall_table; - - /* XXX - plenty of room for future improvement here */ -+ -+ if (strcmp(name, "accept") == 0) -+ return __PNR_accept; -+ if (strcmp(name, "accept4") == 0) -+ return __PNR_accept4; -+ else if (strcmp(name, "bind") == 0) -+ return __PNR_bind; -+ else if (strcmp(name, "connect") == 0) -+ return __PNR_connect; -+ else if (strcmp(name, "getpeername") == 0) -+ return __PNR_getpeername; -+ else if (strcmp(name, "getsockname") == 0) -+ return __PNR_getsockname; -+ else if (strcmp(name, "getsockopt") == 0) -+ return __PNR_getsockopt; -+ else if (strcmp(name, "listen") == 0) -+ return __PNR_listen; -+ else if (strcmp(name, "recv") == 0) -+ return __PNR_recv; -+ else if (strcmp(name, "recvfrom") == 
0) -+ return __PNR_recvfrom; -+ else if (strcmp(name, "recvmsg") == 0) -+ return __PNR_recvmsg; -+ else if (strcmp(name, "recvmmsg") == 0) -+ return __PNR_recvmmsg; -+ else if (strcmp(name, "send") == 0) -+ return __PNR_send; -+ else if (strcmp(name, "sendmsg") == 0) -+ return __PNR_sendmsg; -+ else if (strcmp(name, "sendmmsg") == 0) -+ return __PNR_sendmmsg; -+ else if (strcmp(name, "sendto") == 0) -+ return __PNR_sendto; -+ else if (strcmp(name, "setsockopt") == 0) -+ return __PNR_setsockopt; -+ else if (strcmp(name, "shutdown") == 0) -+ return __PNR_shutdown; -+ else if (strcmp(name, "socket") == 0) -+ return __PNR_socket; -+ else if (strcmp(name, "socketpair") == 0) -+ return __PNR_socketpair; -+ - for (iter = 0; table[iter].name != NULL; iter++) { - if (strcmp(name, table[iter].name) == 0) - return table[iter].num; -@@ -492,6 +534,48 @@ const char *x86_syscall_resolve_num(int num) - const struct arch_syscall_def *table = x86_syscall_table; - - /* XXX - plenty of room for future improvement here */ -+ -+ if (num == __PNR_accept) -+ return "accept"; -+ else if (num == __PNR_accept4) -+ return "accept4"; -+ else if (num == __PNR_bind) -+ return "bind"; -+ else if (num == __PNR_connect) -+ return "connect"; -+ else if (num == __PNR_getpeername) -+ return "getpeername"; -+ else if (num == __PNR_getsockname) -+ return "getsockname"; -+ else if (num == __PNR_getsockopt) -+ return "getsockopt"; -+ else if (num == __PNR_listen) -+ return "listen"; -+ else if (num == __PNR_recv) -+ return "recv"; -+ else if (num == __PNR_recvfrom) -+ return "recvfrom"; -+ else if (num == __PNR_recvmsg) -+ return "recvmsg"; -+ else if (num == __PNR_recvmmsg) -+ return "recvmmsg"; -+ else if (num == __PNR_send) -+ return "send"; -+ else if (num == __PNR_sendmsg) -+ return "sendmsg"; -+ else if (num == __PNR_sendmmsg) -+ return "sendmmsg"; -+ else if (num == __PNR_sendto) -+ return "sendto"; -+ else if (num == __PNR_setsockopt) -+ return "setsockopt"; -+ else if (num == __PNR_shutdown) -+ 
return "shutdown"; -+ else if (num == __PNR_socket) -+ return "socket"; -+ else if (num == __PNR_socketpair) -+ return "socketpair"; -+ - for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { - if (num == table[iter].num) - return table[iter].name; -diff --git a/src/arch-x86.c b/src/arch-x86.c -index 76a1e7e..1bab53f 100644 ---- a/src/arch-x86.c -+++ b/src/arch-x86.c -@@ -104,6 +104,15 @@ int _x86_sock_demux(int socketcall) - case -117: - /* recvmsg */ - return 372; -+ case -118: -+ /* accept4 */ -+ return 364; -+ case -119: -+ /* recvmmsg */ -+ return 337; -+ case -120: -+ /* sendmmsg */ -+ return 345; - } - - return __NR_SCMP_ERROR; -@@ -120,6 +129,12 @@ int _x86_sock_demux(int socketcall) - int _x86_sock_mux(int syscall) - { - switch (syscall) { -+ case 337: -+ /* recvmmsg */ -+ return -119; -+ case 345: -+ /* sendmmsg */ -+ return -120; - case 359: - /* socket */ - return -101; -@@ -137,7 +152,7 @@ int _x86_sock_mux(int syscall) - return -104; - case 364: - /* accept4 */ -- return __NR_SCMP_UNDEF; -+ return -118; - case 365: - /* getsockopt */ - return -115; -@@ -183,7 +198,7 @@ int x86_syscall_rewrite(int *syscall) - { - int sys = *syscall; - -- if (sys <= -100 && sys >= -117) -+ if (sys <= -100 && sys >= -120) - *syscall = __x86_NR_socketcall; - else if (sys <= -200 && sys >= -211) - *syscall = __x86_NR_ipc; -@@ -215,8 +230,8 @@ int x86_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict, - int sys_a, sys_b; - struct db_api_rule_list *rule_a, *rule_b; - -- if ((sys <= -100 && sys >= -117) || (sys >= 359 && sys <= 373)) { -- /* (-100 to -117) : multiplexed socket syscalls -+ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) { -+ /* (-100 to -120) : multiplexed socket syscalls - (359 to 373) : direct socket syscalls, Linux 4.4+ */ - - /* strict check for the multiplexed socket syscalls */ -diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests -index 413629f..9d54b0e 100644 ---- 
a/tests/30-sim-socket_syscalls.tests -+++ b/tests/30-sim-socket_syscalls.tests -@@ -18,7 +18,8 @@ test type: bpf-sim - 30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW - 30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW - 30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL --30-sim-socket_syscalls +x86 accept4 0 1 2 N N N ALLOW -+30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW -+30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL - 30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW - 30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW - 30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW --- -2.6.6 - diff --git a/0001-tests-replace-socket-syscall-references-in-15-basic-.patch b/0001-tests-replace-socket-syscall-references-in-15-basic-.patch deleted file mode 100644 index 12151ac..0000000 --- a/0001-tests-replace-socket-syscall-references-in-15-basic-.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 13e0bae9571c195ee979a66b329aa538b87ee65d Mon Sep 17 00:00:00 2001 -From: Paul Moore -Date: Tue, 19 Apr 2016 10:58:34 -0400 -Subject: [PATCH] tests: replace socket syscall references in 15-basic-resolver - -On 32-bit x86 the resolved socket syscall() doesn't always resolve to -the __NR_socket value due to the direct wired socket syscall so -replace it with the read() syscall to ensure the test doesn't fail. - -Signed-off-by: Paul Moore ---- - tests/15-basic-resolver.c | 8 ++++---- - tests/15-basic-resolver.py | 6 +++--- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c -index eff54fe..b3c9497 100644 ---- a/tests/15-basic-resolver.c -+++ b/tests/15-basic-resolver.c -@@ -31,7 +31,7 @@ int main(int argc, char *argv[]) - - if (seccomp_syscall_resolve_name("open") != __NR_open) - goto fail; -- if (seccomp_syscall_resolve_name("socket") != __NR_socket) -+ if (seccomp_syscall_resolve_name("read") != __NR_read) - goto fail; - if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR) - goto fail; -@@ -40,7 +40,7 @@ int main(int argc, char *argv[]) - "open") != __NR_open) - goto fail; - if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, -- "socket") != __NR_socket) -+ "read") != __NR_read) - goto fail; - if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, - "INVALID") != __NR_SCMP_ERROR) -@@ -51,8 +51,8 @@ int main(int argc, char *argv[]) - goto fail; - free(name); - -- name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_socket); -- if (name == NULL || strcmp(name, "socket") != 0) -+ name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_read); -+ if (name == NULL || strcmp(name, "read") != 0) - goto fail; - free(name); - -diff --git a/tests/15-basic-resolver.py b/tests/15-basic-resolver.py -index 329754e..12c4d7d 100755 ---- a/tests/15-basic-resolver.py -+++ b/tests/15-basic-resolver.py -@@ -33,7 +33,7 @@ def test(): - # this differs from the native 
test as we don't support the syscall
- # resolution functions by themselves
- f.add_rule(ALLOW, "open")
-- f.add_rule(ALLOW, "socket")
-+ f.add_rule(ALLOW, "read")
- try:
- f.add_rule(ALLOW, "INVALID")
- except RuntimeError:
-@@ -43,9 +43,9 @@ def test():
- sys_name = resolve_syscall(Arch(), sys_num)
- if (sys_name != "open"):
- raise RuntimeError("Test failure")
-- sys_num = resolve_syscall(Arch(), "socket")
-+ sys_num = resolve_syscall(Arch(), "read")
- sys_name = resolve_syscall(Arch(), sys_num)
-- if (sys_name != "socket"):
-+ if (sys_name != "read"):
- raise RuntimeError("Test failure")
- 
- test()
---
-2.6.6
- 
diff --git a/libseccomp-2.3.0.tar.gz b/libseccomp-2.3.0.tar.gz
deleted file mode 100644
index df26433..0000000
--- a/libseccomp-2.3.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d
-size 546948
diff --git a/libseccomp-2.3.0.tar.gz.SHA256SUM.asc b/libseccomp-2.3.0.tar.gz.SHA256SUM.asc
deleted file mode 100644
index e4eab4d..0000000
--- a/libseccomp-2.3.0.tar.gz.SHA256SUM.asc
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA256
-
-d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d libseccomp-2.3.0.tar.gz
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQIcBAEBCAAGBQJW1FzeAAoJEFXkWlroynyKK8QP/RsRk8DTEunGO2eWpUpMYSOO
-oBog4vn3zjqhgWd9kJOPCf3IYaEE2fC/Z87hvGm/2NWP6wNMnZ1g1D+W38TI2mq2
-P0ztM1rFgWCK/6tZ3O+255OLvgFpC3D7Dqfr+4BniGPyBedYV7d/4fC0qed3rMHY
-Y2wWRcjET5HlrWb4ef/uWWWN39YT1hRg1SSzShebKKOfGKTr6C458ggYIgBtBP/y
-1nid2Ym/oQwDlKqQV1pGHwf4q0dPBog2GTnavMM+ge7L1FbvRKWFEGex9C36wcN/
-hzxUTG9q7+w5l4YaFpc32TTzmLLRdEb9Ykhu4qJ2Il7x/LKVaavWfJMjSt/X4/65
-Ika+tPAUbyA4aWB+c0cBpRMmFtXJHueZCbb2edMGTwPJzkJnNWh1YIK9SBcCXF+8
-SZ85LdyFbK98tFMuUj+oSJLlFtxnsUshrN7+qPRXLfkIQ7tKaIE+GuLT3oDqwHOL
-q5H++4WJv63jFNLSkHoOJe9YSrUITqjKo6zDKMLkSsgbu8UNQrLLn4f8XZV0K352
-qHKP/PxaVaZvshrKZ4VR9/r8sihMtWpqYx/GpaQoJID9GI6z5L0b741FeJ4w0Enw
-IXRh4NIBe77LuRRy5I35diGoaiTlhDhOPUg7LCYHht/GTHkGgZ9Y06fhzCWuUNDA
-FS9ak169Uod6oSnX3X7Y
-=kJQO
------END PGP SIGNATURE-----
diff --git a/libseccomp-2.3.1.tar.gz b/libseccomp-2.3.1.tar.gz
new file mode 100644
index 0000000..e39b40d
--- /dev/null
+++ b/libseccomp-2.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b
+size 552299
diff --git a/libseccomp-2.3.1.tar.gz.SHA256SUM.asc b/libseccomp-2.3.1.tar.gz.SHA256SUM.asc
new file mode 100644
index 0000000..1afd0f5
--- /dev/null
+++ b/libseccomp-2.3.1.tar.gz.SHA256SUM.asc
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b libseccomp-2.3.1.tar.gz
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCAAGBQJXF+KwAAoJEFXkWlroynyKcUcP/18AlU1aohqM1V3KkUQgLv6P
+Ka6ZPddIdS3BqcXxScPhNUQuSK2QuxcxZb+RBXGS9Cx/zYrlcXrv6M0Uzgc5q9jB
+IS4fYHj8yB4odmjMWb1wohrwXHrt5+lmTsGmw7apKkuqeOjwFdKqaR10eWd7DaSq
+tJAQ7evImCRM3rsIXk0hvtkDCon5K5LZieHjejJ59D2z9Nrghp2Urf8dXwT1uFPq
+bFZ4AngMzs41K5052iWVZGAskcyi4tc8f11gd2Ao34rP6hmW0VaJCKszyvC0gOqV
+jBtHMwf3OwjuU9xUKHEqEB1uoF1AxZnwS3mkXBeli414XXXI8rKLtJUylyjJ+3b0
+CT6puXmoscBJaDxe6oVm6yRZrHOp3TtQzTVV0uAABiQcDbbIlmjRMvOTYcjispH8
+73CRupEb3eTl5Kwx/yB/0Z+ml0FI9pnB8UtaiBGJIfqL/uIEPcio4UxR4YJR0NiN
+Euc2pBVUHdK6bVIcc4ntLc9aaqxVvGj5Nvsy+ptfnUTWJ0MvzyX6mYsp5/iUNAL2
+lLux66+rUqr+GU2o+USNXIQ+CIb1mLZizYtgxYrEjE+fyVJWb9hoEHRIzuzdLI4d
+ZMJcCxe2QdHzl1CNtGalC0q4XDXJf9swxW4WjGFODkrdt5tG2zyjJ0WkscgduWCZ
+1BBGwp05jg84FtP5DzNE
+=JDAl
+-----END PGP SIGNATURE-----
diff --git a/libseccomp.changes b/libseccomp.changes
index 6e1648c..b158ae9 100644
--- a/libseccomp.changes
+++ b/libseccomp.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sat May 7 23:11:02 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 2.3.1
+* arch: fix the multiplexed ipc() syscalls
+* s390: handle multiplexed syscalls correctly
+- Remove 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch,
+ 0001-tests-replace-socket-syscall-references-in-15-basic-.patch
+ (fixed upstream)
+
 -------------------------------------------------------------------
 Tue Apr 19 16:00:29 UTC 2016 - jengelh@inai.de
diff --git a/libseccomp.spec b/libseccomp.spec
index 276ac18..097bad9 100644
--- a/libseccomp.spec
+++ b/libseccomp.spec
@@ -18,7 +18,7 @@ Name: libseccomp
 %define lname libseccomp2
-Version: 2.3.0
+Version: 2.3.1
 Release: 0
 Summary: An enhanced Seccomp (mode 2) helper library
 License: LGPL-2.1
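Review bot: Nothing in this commit consumes the signature it adds: the new .asc is shipped as Source2 in the spec, but the visible `%prep` only runs `%setup -q` and the diffstat contains no `libseccomp.keyring` that OBS's source validator could check it against, so as far as this diff shows the signature is carried but never verified. The data itself is consistent: the signed digest `ff5bdd21…4562b libseccomp-2.3.1.tar.gz` equals the `oid sha256:` of the new LFS pointer, and the segment `AAoJEFXkWlroynyK` that follows the timestamp in both armored signatures (where an OpenPGP v4 signature carries the issuer key-ID subpacket) is identical to the removed 2.3.0 signature, so the same key appears to have signed both releases. Adding the upstream public key as `libseccomp.keyring` next to the spec would let that consistency be enforced on every update instead of checked by hand.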
@@ -30,8 +30,6 @@ Source: https://github.com/seccomp/libseccomp/releases/download/v%versio
 Source2: https://github.com/seccomp/libseccomp/releases/download/v%version/%name-%version.tar.gz.SHA256SUM.asc
 Source99: baselibs.conf
 Patch1: no-static.diff
-Patch2: 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
-Patch3: 0001-tests-replace-socket-syscall-references-in-15-basic-.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf
 BuildRequires: automake >= 1.11
@@ -99,15 +97,15 @@ This subpackage contains debug utilities for the seccomp interface.
 %prep
 %setup -q
-%patch -P 1 -P 2 -P 3 -p1
+%patch -P 1 -p1
 %build
-if [ ! -e configure ]; then
+if [ ! -f configure ]; then
 perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [2.3.0])}' configure.ac
 fi
 autoreconf -fi
 %configure --includedir="%_includedir/%name" --disable-static
-make %{?_smp_mflags};
+make %{?_smp_mflags}
 %install
 %make_install
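Review bot: The `perl -i -pe` line guarded by the rewritten `if [ ! -f configure ]; then` still hard-codes `AC_INIT([libseccomp], [2.3.0])` although this commit bumps `Version:` to 2.3.1, so whenever that branch fires (a source tree without a generated `configure`) the library is stamped with the previous version. Tie it to the spec macro instead: `perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [%version])}' configure.ac` — rpm expands `%version` before the shell sees the single-quoted string, so the substitution follows every future bump. The branch is presumably dead for a release tarball that ships `configure`, which would explain why the stale constant went unnoticed; the `-e` to `-f` change and the dropped trailing `;` on the make line are fine as they are.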