--- include/seccomp.h | 24 ++++++++++++++++++++++++ include/seccomp.h.in | 4 ++++ src/arch-ppc64-syscalls.c | 13 +++++++++++++ src/arch-ppc64.c | 11 +++++++---- src/arch-ppc64.h | 12 ++---------- src/arch-syscall-dump.c | 5 +++++ src/arch-syscall-validate | 37 ++++++++++++++++++++++++++++++++++++- src/arch.c | 12 +++++++++++- src/gen_pfc.c | 2 ++ tests/16-sim-arch_basic.c | 3 +++ tests/16-sim-arch_basic.py | 2 ++ tests/23-sim-arch_all_le_basic.c | 3 +++ tests/23-sim-arch_all_le_basic.py | 1 + tests/26-sim-arch_all_be_basic.c | 3 +++ tests/26-sim-arch_all_be_basic.py | 1 + tests/regression | 4 ++-- tools/scmp_arch_detect.c | 3 +++ tools/scmp_bpf_disasm.c | 4 ++++ tools/scmp_bpf_sim.c | 10 ++++++---- tools/util.c | 4 +++- tools/util.h | 4 ++++ 21 files changed, 139 insertions(+), 23 deletions(-) Index: libseccomp-2.2.1/include/seccomp.h =================================================================== --- libseccomp-2.2.1.orig/include/seccomp.h +++ libseccomp-2.2.1/include/seccomp.h @@ -163,6 +163,30 @@ struct scmp_arg_cmp { #define SCMP_ARCH_MIPSEL64N32 AUDIT_ARCH_MIPSEL64N32 /** + * The S390X architecture token + */ +#define SCMP_ARCH_S390X AUDIT_ARCH_S390X + +/** + * The S390 architecture token + */ +#define SCMP_ARCH_S390 AUDIT_ARCH_S390 + +/** + * The PowerPC architecture token + */ +#define SCMP_ARCH_PPC AUDIT_ARCH_PPC + +/** + * The PowerPC64 architecture token + */ +#define SCMP_ARCH_PPC64 AUDIT_ARCH_PPC64 +#ifndef AUDIT_ARCH_PPC64LE +#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif +#define SCMP_ARCH_PPC64LE AUDIT_ARCH_PPC64LE + +/** * Convert a syscall name into the associated syscall number * @param x the syscall name */ Index: libseccomp-2.2.1/include/seccomp.h.in =================================================================== --- libseccomp-2.2.1.orig/include/seccomp.h.in +++ libseccomp-2.2.1/include/seccomp.h.in 
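Review bot: `SCMP_ARCH_PPC64LE` is added without a doc comment of its own, so in the seccomp.h hunk it reads as part of the "The PowerPC64 architecture token" block, while every other token added here has one. I would put `/** The PowerPC64 little-endian architecture token */` above the `#ifndef AUDIT_ARCH_PPC64LE` guard, plus a one-line comment that the fallback is presumably for audit headers that do not yet define the constant. The fallback expands to `EM_PPC64`, `__AUDIT_ARCH_64BIT` and `__AUDIT_ARCH_LE`, which have to come from headers included above the hunk, so that is worth confirming on the older headers the guard targets. The same three lines are repeated in the seccomp.h.in and tools/util.h hunks and must stay identical, because the value ends up as the architecture token in generated filters.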
@@ -181,6 +181,10 @@ struct scmp_arg_cmp { * The PowerPC64 architecture token */ #define SCMP_ARCH_PPC64 AUDIT_ARCH_PPC64 +#ifndef AUDIT_ARCH_PPC64LE +#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif +#define SCMP_ARCH_PPC64LE AUDIT_ARCH_PPC64LE /** * Convert a syscall name into the associated syscall number Index: libseccomp-2.2.1/src/arch-ppc64-syscalls.c =================================================================== --- libseccomp-2.2.1.orig/src/arch-ppc64-syscalls.c +++ libseccomp-2.2.1/src/arch-ppc64-syscalls.c @@ -425,3 +425,16 @@ const char *ppc64_syscall_resolve_num(in return NULL; } +/** + * Iterate through the syscall table and return the syscall name + * @param spot the offset into the syscall table + * + * Return the syscall name at position @spot or NULL on failure. This function + * should only ever be used internally by libseccomp. + * + */ +const char *ppc64_syscall_iterate_name(unsigned int spot) +{ + /* XXX - no safety checks here */ + return ppc64_syscall_table[spot].name; +} Index: libseccomp-2.2.1/src/arch-ppc64.c =================================================================== --- libseccomp-2.2.1.orig/src/arch-ppc64.c +++ libseccomp-2.2.1/src/arch-ppc64.c @@ -30,9 +30,12 @@ const struct arch_def arch_def_ppc64 = { .token = SCMP_ARCH_PPC64, .token_bpf = AUDIT_ARCH_PPC64, .size = ARCH_SIZE_64, -#ifdef __LITTLE_ENDIAN__ - .endian = ARCH_ENDIAN_LITTLE, -#else .endian = ARCH_ENDIAN_BIG, -#endif +}; + +const struct arch_def arch_def_ppc64le = { + .token = SCMP_ARCH_PPC64LE, + .token_bpf = AUDIT_ARCH_PPC64LE, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, }; Index: libseccomp-2.2.1/src/arch-ppc64.h =================================================================== --- libseccomp-2.2.1.orig/src/arch-ppc64.h +++ libseccomp-2.2.1/src/arch-ppc64.h 
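Review bot: `ppc64_syscall_iterate_name()` indexes `ppc64_syscall_table[spot]` with no bound, and its doc comment promises "NULL on failure" although the body has no failure path. The only caller added in this patch, the `SCMP_ARCH_PPC64`/`SCMP_ARCH_PPC64LE` case in arch-syscall-dump.c, passes an incrementing `iter`, so the read stays inside the table only if the table ends with a NULL-name sentinel and the caller stops there; neither is visible in these hunks. Either add a bound, for example `if (spot >= sizeof(ppc64_syscall_table) / sizeof(ppc64_syscall_table[0])) return NULL;` (assuming the table is an array defined in this file), or reword the comment to say that the caller must stop at the first NULL name and that larger offsets read out of bounds.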
@@ -27,19 +27,11 @@ #include "arch.h" #include "system.h" -#define ppc64_arg_count_max 6 - extern const struct arch_def arch_def_ppc64; - -#ifdef __LITTLE_ENDIAN__ -#define ppc64_arg_offset_lo(x) (arch_arg_offset(x)) -#define ppc64_arg_offset_hi(x) (arch_arg_offset(x) + 4) -#else -#define ppc64_arg_offset_lo(x) (arch_arg_offset(x) + 4) -#define ppc64_arg_offset_hi(x) (arch_arg_offset(x)) -#endif +extern const struct arch_def arch_def_ppc64le; int ppc64_syscall_resolve_name(const char *name); const char *ppc64_syscall_resolve_num(int num); +const char *ppc64_syscall_iterate_name(unsigned int spot); #endif Index: libseccomp-2.2.1/src/arch-syscall-dump.c =================================================================== --- libseccomp-2.2.1.orig/src/arch-syscall-dump.c +++ libseccomp-2.2.1/src/arch-syscall-dump.c @@ -38,6 +38,7 @@ #include "arch-mips64.h" #include "arch-mips64n32.h" #include "arch-aarch64.h" +#include "arch-ppc64.h" /** * Print the usage information to stderr and exit @@ -112,6 +113,10 @@ int main(int argc, char *argv[]) case SCMP_ARCH_AARCH64: sys_name = aarch64_syscall_iterate_name(iter); break; + case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: + sys_name = ppc64_syscall_iterate_name(iter); + break; default: /* invalid arch */ exit_usage(argv[0]); Index: libseccomp-2.2.1/src/arch-syscall-validate =================================================================== --- libseccomp-2.2.1.orig/src/arch-syscall-validate +++ libseccomp-2.2.1/src/arch-syscall-validate 
@@ -317,6 +317,35 @@ function dump_lib_mips64n32() { } # +# Dump the ppc64 system syscall table +# +# Arguments: +# 1 path to the kernel source +# +# Dump the architecture's syscall table to stdout. +# +function dump_sys_ppc64() { + gcc -E -dM -I$1/arch/powerpc/include/uapi $1/arch/powerpc/include/uapi/asm/unistd.h | \ + grep "^#define __NR_" | sort | \ + grep -v "^#define __NR_O32_" | \ + grep -v "^#define __NR_N32_" | \ + grep -v "^#define __NR_64_" | \ + grep -v "^#define __NR_Linux" | \ + grep -v "^#define __NR_unused" | \ + grep -v "^#define __NR_reserved" | \ + sed -e 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+(__NR_Linux[ \t]*+[ \t]*\([0-9]\+\)).*/\1\t\2/' +} + +# +# Dump the ppc64 library syscall table +# +# Dump the library's syscall table to stdout. +# +function dump_lib_ppc64() { + $LIB_SYS_DUMP -a ppc64 | sed -e '/[^\t]\+\t-[0-9]\+/d' +} + +# # Dump the system syscall table # # Arguments: @@ -351,6 +380,9 @@ function dump_sys() { mips64n32) dump_sys_mips64n32 "$2" ;; + ppc64) + dump_sys_ppc64 "$2" + ;; *) echo "" ;; @@ -391,6 +423,9 @@ function dump_lib() { mips64n32) dump_lib_mips64n32 "$2" ;; + ppc64) + dump_lib_ppc64 "$2" + ;; *) echo "" ;; @@ -427,7 +462,7 @@ shift $(($OPTIND - 1)) # defaults if [[ $arches == "" ]]; then - arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32" + arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32 ppc64" fi # sanity checks Index: libseccomp-2.2.1/src/arch.c =================================================================== --- libseccomp-2.2.1.orig/src/arch.c +++ libseccomp-2.2.1/src/arch.c 
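Review bot: `dump_sys_ppc64` looks carried over from the MIPS helpers: its sed expression only rewrites lines of the form `(__NR_Linux + N)`, and the `__NR_O32_`, `__NR_N32_` and `__NR_64_` filters are MIPS ABI prefixes. If the powerpc `unistd.h` defines syscall numbers as plain integers, which I believe it does, no line is rewritten and raw `#define` text is compared against the library table, so the ppc64 check cannot confirm that the table matches the kernel. I would match the plain form instead, `sed -e 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+\([0-9]\+\).*/\1\t\2/'`, and drop the MIPS-only greps. `$1` is also unquoted in the gcc command, so a kernel path containing spaces is split into several arguments; `"$1/arch/powerpc/include/uapi/asm/unistd.h"` avoids that.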
@@ -82,8 +82,10 @@ const struct arch_def *arch_def_native = const struct arch_def *arch_def_native = &arch_def_s390; #elif __s390x__ const struct arch_def *arch_def_native = &arch_def_s390x; -#elif __powerpc64__ +#elif __powerpc64__ && __BIG_ENDIAN__ const struct arch_def *arch_def_native = &arch_def_ppc64; +#elif __powerpc64__ && __LITTLE_ENDIAN__ +const struct arch_def *arch_def_native = &arch_def_ppc64le; #elif __powerpc__ const struct arch_def *arch_def_native = &arch_def_ppc; #else @@ -140,6 +142,8 @@ const struct arch_def *arch_def_lookup(u return &arch_def_s390x; case SCMP_ARCH_PPC64: return &arch_def_ppc64; + case SCMP_ARCH_PPC64LE: + return &arch_def_ppc64le; case SCMP_ARCH_PPC: return &arch_def_ppc; } @@ -178,6 +182,10 @@ const struct arch_def *arch_def_lookup_n return &arch_def_mips64n32; else if (strcmp(arch_name, "mipsel64n32") == 0) return &arch_def_mipsel64n32; + else if (strcmp(arch_name, "ppc64") == 0) + return &arch_def_ppc64; + else if (strcmp(arch_name, "ppc64le") == 0) + return &arch_def_ppc64le; return NULL; } @@ -301,6 +309,7 @@ int arch_syscall_resolve_name(const stru case SCMP_ARCH_S390X: return s390x_syscall_resolve_name(name); case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: return ppc64_syscall_resolve_name(name); case SCMP_ARCH_PPC: return ppc_syscall_resolve_name(name); @@ -346,6 +355,7 @@ const char *arch_syscall_resolve_num(con case SCMP_ARCH_S390X: return s390x_syscall_resolve_num(num); case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: return ppc64_syscall_resolve_num(num); case SCMP_ARCH_PPC: return ppc_syscall_resolve_num(num); Index: libseccomp-2.2.1/src/gen_pfc.c =================================================================== --- libseccomp-2.2.1.orig/src/gen_pfc.c +++ libseccomp-2.2.1/src/gen_pfc.c 
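Review bot: The new `#elif __powerpc64__ && __BIG_ENDIAN__` and `#elif __powerpc64__ && __LITTLE_ENDIAN__` branches leave no case for a ppc64 compiler that defines neither macro, so such a build falls through to `#elif __powerpc__` and takes `arch_def_ppc` as `arch_def_native`. The library would then build filters for the 32-bit PowerPC token on a 64-bit host without any diagnostic. I would make that a build failure by adding `#elif __powerpc64__` followed by `#error "ppc64: endianness not detected"` ahead of the `__powerpc__` branch. The `ARCH_NATIVE` hunk in tools/util.c has the same fall-through and needs the same guard. The `#if` chain starts and ends outside both hunks.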
@@ -79,6 +79,8 @@ static const char *_pfc_arch(const struc return "ppc"; case SCMP_ARCH_PPC64: return "ppc64"; + case SCMP_ARCH_PPC64LE: + return "ppc64le"; default: return "UNKNOWN"; } Index: libseccomp-2.2.1/tests/16-sim-arch_basic.c =================================================================== --- libseccomp-2.2.1.orig/tests/16-sim-arch_basic.c +++ libseccomp-2.2.1/tests/16-sim-arch_basic.c @@ -68,6 +68,9 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); Index: libseccomp-2.2.1/tests/16-sim-arch_basic.py =================================================================== --- libseccomp-2.2.1.orig/tests/16-sim-arch_basic.py +++ libseccomp-2.2.1/tests/16-sim-arch_basic.py @@ -39,6 +39,8 @@ def test(args): f.add_arch(Arch("mipsel")) f.add_arch(Arch("mipsel64")) f.add_arch(Arch("mipsel64n32")) + f.add_arch(Arch("ppc64")) + f.add_arch(Arch("ppc64le")) f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) Index: libseccomp-2.2.1/tests/23-sim-arch_all_le_basic.c =================================================================== --- libseccomp-2.2.1.orig/tests/23-sim-arch_all_le_basic.c +++ libseccomp-2.2.1/tests/23-sim-arch_all_le_basic.c 
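Review bot: The two versions of test 16 no longer build the same filter: 16-sim-arch_basic.c adds only `SCMP_ARCH_PPC64LE`, while 16-sim-arch_basic.py adds both `Arch("ppc64")` and `Arch("ppc64le")`. Unless the C test already adds `SCMP_ARCH_PPC64` outside its hunk, the Python run covers an architecture the C run does not, and the two will disagree whenever their results are compared. Either drop `f.add_arch(Arch("ppc64"))` here or add the matching `seccomp_arch_add(ctx, SCMP_ARCH_PPC64)` to the C test. Tests 23 and 26 add matching architectures in both languages, so only test 16 is affected.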
@@ -68,6 +68,9 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel64n32")); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le")); + if (rc != 0) + goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); Index: libseccomp-2.2.1/tests/23-sim-arch_all_le_basic.py =================================================================== --- libseccomp-2.2.1.orig/tests/23-sim-arch_all_le_basic.py +++ libseccomp-2.2.1/tests/23-sim-arch_all_le_basic.py @@ -39,6 +39,7 @@ def test(args): f.add_arch(Arch("mipsel")) f.add_arch(Arch("mipsel64")) f.add_arch(Arch("mipsel64n32")) + f.add_arch(Arch("ppc64le")) f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) Index: libseccomp-2.2.1/tests/26-sim-arch_all_be_basic.c =================================================================== --- libseccomp-2.2.1.orig/tests/26-sim-arch_all_be_basic.c +++ libseccomp-2.2.1/tests/26-sim-arch_all_be_basic.c @@ -52,6 +52,9 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64n32")); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64")); + if (rc != 0) + goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); Index: libseccomp-2.2.1/tests/26-sim-arch_all_be_basic.py =================================================================== --- libseccomp-2.2.1.orig/tests/26-sim-arch_all_be_basic.py +++ libseccomp-2.2.1/tests/26-sim-arch_all_be_basic.py 
@@ -33,6 +33,7 @@ def test(args): f.add_arch(Arch("mips")) f.add_arch(Arch("mips64")) f.add_arch(Arch("mips64n32")) + f.add_arch(Arch("ppc64")) f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) Index: libseccomp-2.2.1/tests/regression =================================================================== --- libseccomp-2.2.1.orig/tests/regression +++ libseccomp-2.2.1/tests/regression @@ -21,8 +21,8 @@ # along with this library; if not, see . # -GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm aarch64 mipsel mipsel64 mipsel64n32" -GLBL_ARCH_BE_SUPPORT="mips mips64 mips64n32" +GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm aarch64 mipsel mipsel64 mipsel64n32 ppc64le" +GLBL_ARCH_BE_SUPPORT="mips mips64 mips64n32 ppc64" GLBL_SYS_ARCH="../tools/scmp_arch_detect" GLBL_SYS_RESOLVER="../tools/scmp_sys_resolver" Index: libseccomp-2.2.1/tools/scmp_arch_detect.c =================================================================== --- libseccomp-2.2.1.orig/tools/scmp_arch_detect.c +++ libseccomp-2.2.1/tools/scmp_arch_detect.c @@ -111,6 +111,9 @@ int main(int argc, char *argv[]) case SCMP_ARCH_PPC64: printf("ppc64\n"); break; + case SCMP_ARCH_PPC64LE: + printf("ppc64le\n"); + break; default: printf("unknown\n"); } Index: libseccomp-2.2.1/tools/scmp_bpf_disasm.c =================================================================== --- libseccomp-2.2.1.orig/tools/scmp_bpf_disasm.c +++ libseccomp-2.2.1/tools/scmp_bpf_disasm.c 
@@ -334,6 +334,10 @@ int main(int argc, char *argv[]) arch = AUDIT_ARCH_MIPS64N32; else if (strcmp(optarg, "mipsel64n32") == 0) arch = AUDIT_ARCH_MIPSEL64N32; + else if (strcmp(optarg, "ppc64") == 0) + arch = AUDIT_ARCH_PPC64; + else if (strcmp(optarg, "ppc64le") == 0) + arch = AUDIT_ARCH_PPC64LE; else exit_usage(argv[0]); break; Index: libseccomp-2.2.1/tools/scmp_bpf_sim.c =================================================================== --- libseccomp-2.2.1.orig/tools/scmp_bpf_sim.c +++ libseccomp-2.2.1/tools/scmp_bpf_sim.c @@ -250,13 +250,15 @@ int main(int argc, char *argv[]) else if (strcmp(optarg, "mipsel64n32") == 0) arch = AUDIT_ARCH_MIPSEL64N32; else if (strcmp(optarg, "s390") == 0) - sys_data.arch = AUDIT_ARCH_S390; + arch = AUDIT_ARCH_S390; else if (strcmp(optarg, "s390x") == 0) - sys_data.arch = AUDIT_ARCH_S390X; + arch = AUDIT_ARCH_S390X; else if (strcmp(optarg, "ppc") == 0) - sys_data.arch = AUDIT_ARCH_PPC; + arch = AUDIT_ARCH_PPC; else if (strcmp(optarg, "ppc64") == 0) - sys_data.arch = AUDIT_ARCH_PPC64; + arch = AUDIT_ARCH_PPC64; + else if (strcmp(optarg, "ppc64le") == 0) + arch = AUDIT_ARCH_PPC64LE; else exit_fault(EINVAL); break; Index: libseccomp-2.2.1/tools/util.c =================================================================== --- libseccomp-2.2.1.orig/tools/util.c +++ libseccomp-2.2.1/tools/util.c @@ -66,8 +66,10 @@ #define ARCH_NATIVE AUDIT_ARCH_S390 #elif __s390x__ #define ARCH_NATIVE AUDIT_ARCH_S390X -#elif __powerpc64__ +#elif __powerpc64__ && __BIG_ENDIAN__ #define ARCH_NATIVE AUDIT_ARCH_PPC64 +#elif __powerpc64__ && __LITTLE_ENDIAN__ +#define ARCH_NATIVE AUDIT_ARCH_PPC64LE #elif __powerpc__ #define ARCH_NATIVE AUDIT_ARCH_PPC #else Index: libseccomp-2.2.1/tools/util.h =================================================================== --- libseccomp-2.2.1.orig/tools/util.h +++ libseccomp-2.2.1/tools/util.h 
@@ -63,6 +63,10 @@ __AUDIT_ARCH_CONVENTION_MIPS64_N32) #endif +#ifndef AUDIT_ARCH_PPC64LE +#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + extern uint32_t arch; void exit_usage(const char *program);