libseccomp-2.3.1
OBS-URL: https://build.opensuse.org/package/show/security/libseccomp?expand=0&rev=50
This commit is contained in:
parent
0a5e04543b
commit
b86b015d24
@ -1,204 +0,0 @@
|
||||
From 73d83e45efbe8c31067c97155162f17ca51b7435 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Moore <paul@paul-moore.com>
|
||||
Date: Fri, 8 Apr 2016 17:10:03 -0400
|
||||
Subject: [PATCH] arch: fix a number of 32-bit x86 failures related to socket
|
||||
syscalls
|
||||
|
||||
It turns out there was still a few bugs with the 32-bit x86 socket
|
||||
syscalls, especially on systems with older kernel headers installed.
|
||||
This patch corrects these problems and perhaps more importantly,
|
||||
returns the resolver API functions to returning the negative pseudo
|
||||
syscall numbers in the case of 32-bit x86, this helps ensure things
|
||||
continue to work as they did before as the API does not change.
|
||||
|
||||
It it important to note that libseccomp still generates filter code
|
||||
for both multiplexed and direct socket syscalls regardless.
|
||||
|
||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
src/arch-x86-syscalls.c | 84 ++++++++++++++++++++++++++++++++++++++
|
||||
src/arch-x86.c | 23 +++++++++--
|
||||
tests/30-sim-socket_syscalls.tests | 3 +-
|
||||
3 files changed, 105 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c
|
||||
index e51dd83..58e0597 100644
|
||||
--- a/src/arch-x86-syscalls.c
|
||||
+++ b/src/arch-x86-syscalls.c
|
||||
@@ -469,6 +469,48 @@ int x86_syscall_resolve_name(const char *name)
|
||||
const struct arch_syscall_def *table = x86_syscall_table;
|
||||
|
||||
/* XXX - plenty of room for future improvement here */
|
||||
+
|
||||
+ if (strcmp(name, "accept") == 0)
|
||||
+ return __PNR_accept;
|
||||
+ if (strcmp(name, "accept4") == 0)
|
||||
+ return __PNR_accept4;
|
||||
+ else if (strcmp(name, "bind") == 0)
|
||||
+ return __PNR_bind;
|
||||
+ else if (strcmp(name, "connect") == 0)
|
||||
+ return __PNR_connect;
|
||||
+ else if (strcmp(name, "getpeername") == 0)
|
||||
+ return __PNR_getpeername;
|
||||
+ else if (strcmp(name, "getsockname") == 0)
|
||||
+ return __PNR_getsockname;
|
||||
+ else if (strcmp(name, "getsockopt") == 0)
|
||||
+ return __PNR_getsockopt;
|
||||
+ else if (strcmp(name, "listen") == 0)
|
||||
+ return __PNR_listen;
|
||||
+ else if (strcmp(name, "recv") == 0)
|
||||
+ return __PNR_recv;
|
||||
+ else if (strcmp(name, "recvfrom") == 0)
|
||||
+ return __PNR_recvfrom;
|
||||
+ else if (strcmp(name, "recvmsg") == 0)
|
||||
+ return __PNR_recvmsg;
|
||||
+ else if (strcmp(name, "recvmmsg") == 0)
|
||||
+ return __PNR_recvmmsg;
|
||||
+ else if (strcmp(name, "send") == 0)
|
||||
+ return __PNR_send;
|
||||
+ else if (strcmp(name, "sendmsg") == 0)
|
||||
+ return __PNR_sendmsg;
|
||||
+ else if (strcmp(name, "sendmmsg") == 0)
|
||||
+ return __PNR_sendmmsg;
|
||||
+ else if (strcmp(name, "sendto") == 0)
|
||||
+ return __PNR_sendto;
|
||||
+ else if (strcmp(name, "setsockopt") == 0)
|
||||
+ return __PNR_setsockopt;
|
||||
+ else if (strcmp(name, "shutdown") == 0)
|
||||
+ return __PNR_shutdown;
|
||||
+ else if (strcmp(name, "socket") == 0)
|
||||
+ return __PNR_socket;
|
||||
+ else if (strcmp(name, "socketpair") == 0)
|
||||
+ return __PNR_socketpair;
|
||||
+
|
||||
for (iter = 0; table[iter].name != NULL; iter++) {
|
||||
if (strcmp(name, table[iter].name) == 0)
|
||||
return table[iter].num;
|
||||
@@ -492,6 +534,48 @@ const char *x86_syscall_resolve_num(int num)
|
||||
const struct arch_syscall_def *table = x86_syscall_table;
|
||||
|
||||
/* XXX - plenty of room for future improvement here */
|
||||
+
|
||||
+ if (num == __PNR_accept)
|
||||
+ return "accept";
|
||||
+ else if (num == __PNR_accept4)
|
||||
+ return "accept4";
|
||||
+ else if (num == __PNR_bind)
|
||||
+ return "bind";
|
||||
+ else if (num == __PNR_connect)
|
||||
+ return "connect";
|
||||
+ else if (num == __PNR_getpeername)
|
||||
+ return "getpeername";
|
||||
+ else if (num == __PNR_getsockname)
|
||||
+ return "getsockname";
|
||||
+ else if (num == __PNR_getsockopt)
|
||||
+ return "getsockopt";
|
||||
+ else if (num == __PNR_listen)
|
||||
+ return "listen";
|
||||
+ else if (num == __PNR_recv)
|
||||
+ return "recv";
|
||||
+ else if (num == __PNR_recvfrom)
|
||||
+ return "recvfrom";
|
||||
+ else if (num == __PNR_recvmsg)
|
||||
+ return "recvmsg";
|
||||
+ else if (num == __PNR_recvmmsg)
|
||||
+ return "recvmmsg";
|
||||
+ else if (num == __PNR_send)
|
||||
+ return "send";
|
||||
+ else if (num == __PNR_sendmsg)
|
||||
+ return "sendmsg";
|
||||
+ else if (num == __PNR_sendmmsg)
|
||||
+ return "sendmmsg";
|
||||
+ else if (num == __PNR_sendto)
|
||||
+ return "sendto";
|
||||
+ else if (num == __PNR_setsockopt)
|
||||
+ return "setsockopt";
|
||||
+ else if (num == __PNR_shutdown)
|
||||
+ return "shutdown";
|
||||
+ else if (num == __PNR_socket)
|
||||
+ return "socket";
|
||||
+ else if (num == __PNR_socketpair)
|
||||
+ return "socketpair";
|
||||
+
|
||||
for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) {
|
||||
if (num == table[iter].num)
|
||||
return table[iter].name;
|
||||
diff --git a/src/arch-x86.c b/src/arch-x86.c
|
||||
index 76a1e7e..1bab53f 100644
|
||||
--- a/src/arch-x86.c
|
||||
+++ b/src/arch-x86.c
|
||||
@@ -104,6 +104,15 @@ int _x86_sock_demux(int socketcall)
|
||||
case -117:
|
||||
/* recvmsg */
|
||||
return 372;
|
||||
+ case -118:
|
||||
+ /* accept4 */
|
||||
+ return 364;
|
||||
+ case -119:
|
||||
+ /* recvmmsg */
|
||||
+ return 337;
|
||||
+ case -120:
|
||||
+ /* sendmmsg */
|
||||
+ return 345;
|
||||
}
|
||||
|
||||
return __NR_SCMP_ERROR;
|
||||
@@ -120,6 +129,12 @@ int _x86_sock_demux(int socketcall)
|
||||
int _x86_sock_mux(int syscall)
|
||||
{
|
||||
switch (syscall) {
|
||||
+ case 337:
|
||||
+ /* recvmmsg */
|
||||
+ return -119;
|
||||
+ case 345:
|
||||
+ /* sendmmsg */
|
||||
+ return -120;
|
||||
case 359:
|
||||
/* socket */
|
||||
return -101;
|
||||
@@ -137,7 +152,7 @@ int _x86_sock_mux(int syscall)
|
||||
return -104;
|
||||
case 364:
|
||||
/* accept4 */
|
||||
- return __NR_SCMP_UNDEF;
|
||||
+ return -118;
|
||||
case 365:
|
||||
/* getsockopt */
|
||||
return -115;
|
||||
@@ -183,7 +198,7 @@ int x86_syscall_rewrite(int *syscall)
|
||||
{
|
||||
int sys = *syscall;
|
||||
|
||||
- if (sys <= -100 && sys >= -117)
|
||||
+ if (sys <= -100 && sys >= -120)
|
||||
*syscall = __x86_NR_socketcall;
|
||||
else if (sys <= -200 && sys >= -211)
|
||||
*syscall = __x86_NR_ipc;
|
||||
@@ -215,8 +230,8 @@ int x86_rule_add(struct db_filter_col *col, struct db_filter *db, bool strict,
|
||||
int sys_a, sys_b;
|
||||
struct db_api_rule_list *rule_a, *rule_b;
|
||||
|
||||
- if ((sys <= -100 && sys >= -117) || (sys >= 359 && sys <= 373)) {
|
||||
- /* (-100 to -117) : multiplexed socket syscalls
|
||||
+ if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
|
||||
+ /* (-100 to -120) : multiplexed socket syscalls
|
||||
(359 to 373) : direct socket syscalls, Linux 4.4+ */
|
||||
|
||||
/* strict check for the multiplexed socket syscalls */
|
||||
diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests
|
||||
index 413629f..9d54b0e 100644
|
||||
--- a/tests/30-sim-socket_syscalls.tests
|
||||
+++ b/tests/30-sim-socket_syscalls.tests
|
||||
@@ -18,7 +18,8 @@ test type: bpf-sim
|
||||
30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
|
||||
30-sim-socket_syscalls +x86 accept 5 N N N N N ALLOW
|
||||
30-sim-socket_syscalls +x86 accept 0 1 2 N N N KILL
|
||||
-30-sim-socket_syscalls +x86 accept4 0 1 2 N N N ALLOW
|
||||
+30-sim-socket_syscalls +x86 accept4 18 1 2 N N N ALLOW
|
||||
+30-sim-socket_syscalls +x86 accept4 0 1 2 N N N KILL
|
||||
30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
|
||||
30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
|
||||
30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
|
||||
--
|
||||
2.6.6
|
||||
|
@ -1,76 +0,0 @@
|
||||
From 13e0bae9571c195ee979a66b329aa538b87ee65d Mon Sep 17 00:00:00 2001
|
||||
From: Paul Moore <paul@paul-moore.com>
|
||||
Date: Tue, 19 Apr 2016 10:58:34 -0400
|
||||
Subject: [PATCH] tests: replace socket syscall references in 15-basic-resolver
|
||||
|
||||
On 32-bit x86 the resolved socket syscall() doesn't always resolve to
|
||||
the __NR_socket value due to the direct wired socket syscall so
|
||||
replace it with the read() syscall to ensure the test doesn't fail.
|
||||
|
||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
tests/15-basic-resolver.c | 8 ++++----
|
||||
tests/15-basic-resolver.py | 6 +++---
|
||||
2 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
|
||||
index eff54fe..b3c9497 100644
|
||||
--- a/tests/15-basic-resolver.c
|
||||
+++ b/tests/15-basic-resolver.c
|
||||
@@ -31,7 +31,7 @@ int main(int argc, char *argv[])
|
||||
|
||||
if (seccomp_syscall_resolve_name("open") != __NR_open)
|
||||
goto fail;
|
||||
- if (seccomp_syscall_resolve_name("socket") != __NR_socket)
|
||||
+ if (seccomp_syscall_resolve_name("read") != __NR_read)
|
||||
goto fail;
|
||||
if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
|
||||
goto fail;
|
||||
@@ -40,7 +40,7 @@ int main(int argc, char *argv[])
|
||||
"open") != __NR_open)
|
||||
goto fail;
|
||||
if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE,
|
||||
- "socket") != __NR_socket)
|
||||
+ "read") != __NR_read)
|
||||
goto fail;
|
||||
if (seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE,
|
||||
"INVALID") != __NR_SCMP_ERROR)
|
||||
@@ -51,8 +51,8 @@ int main(int argc, char *argv[])
|
||||
goto fail;
|
||||
free(name);
|
||||
|
||||
- name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_socket);
|
||||
- if (name == NULL || strcmp(name, "socket") != 0)
|
||||
+ name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, __NR_read);
|
||||
+ if (name == NULL || strcmp(name, "read") != 0)
|
||||
goto fail;
|
||||
free(name);
|
||||
|
||||
diff --git a/tests/15-basic-resolver.py b/tests/15-basic-resolver.py
|
||||
index 329754e..12c4d7d 100755
|
||||
--- a/tests/15-basic-resolver.py
|
||||
+++ b/tests/15-basic-resolver.py
|
||||
@@ -33,7 +33,7 @@ def test():
|
||||
# this differs from the native test as we don't support the syscall
|
||||
# resolution functions by themselves
|
||||
f.add_rule(ALLOW, "open")
|
||||
- f.add_rule(ALLOW, "socket")
|
||||
+ f.add_rule(ALLOW, "read")
|
||||
try:
|
||||
f.add_rule(ALLOW, "INVALID")
|
||||
except RuntimeError:
|
||||
@@ -43,9 +43,9 @@ def test():
|
||||
sys_name = resolve_syscall(Arch(), sys_num)
|
||||
if (sys_name != "open"):
|
||||
raise RuntimeError("Test failure")
|
||||
- sys_num = resolve_syscall(Arch(), "socket")
|
||||
+ sys_num = resolve_syscall(Arch(), "read")
|
||||
sys_name = resolve_syscall(Arch(), sys_num)
|
||||
- if (sys_name != "socket"):
|
||||
+ if (sys_name != "read"):
|
||||
raise RuntimeError("Test failure")
|
||||
|
||||
test()
|
||||
--
|
||||
2.6.6
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d
|
||||
size 546948
|
@ -1,21 +0,0 @@
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA256
|
||||
|
||||
d756e3a77578259a808698a50c43d44612aae3339ea42ab5b15ea983f26b901d libseccomp-2.3.0.tar.gz
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iQIcBAEBCAAGBQJW1FzeAAoJEFXkWlroynyKK8QP/RsRk8DTEunGO2eWpUpMYSOO
|
||||
oBog4vn3zjqhgWd9kJOPCf3IYaEE2fC/Z87hvGm/2NWP6wNMnZ1g1D+W38TI2mq2
|
||||
P0ztM1rFgWCK/6tZ3O+255OLvgFpC3D7Dqfr+4BniGPyBedYV7d/4fC0qed3rMHY
|
||||
Y2wWRcjET5HlrWb4ef/uWWWN39YT1hRg1SSzShebKKOfGKTr6C458ggYIgBtBP/y
|
||||
1nid2Ym/oQwDlKqQV1pGHwf4q0dPBog2GTnavMM+ge7L1FbvRKWFEGex9C36wcN/
|
||||
hzxUTG9q7+w5l4YaFpc32TTzmLLRdEb9Ykhu4qJ2Il7x/LKVaavWfJMjSt/X4/65
|
||||
Ika+tPAUbyA4aWB+c0cBpRMmFtXJHueZCbb2edMGTwPJzkJnNWh1YIK9SBcCXF+8
|
||||
SZ85LdyFbK98tFMuUj+oSJLlFtxnsUshrN7+qPRXLfkIQ7tKaIE+GuLT3oDqwHOL
|
||||
q5H++4WJv63jFNLSkHoOJe9YSrUITqjKo6zDKMLkSsgbu8UNQrLLn4f8XZV0K352
|
||||
qHKP/PxaVaZvshrKZ4VR9/r8sihMtWpqYx/GpaQoJID9GI6z5L0b741FeJ4w0Enw
|
||||
IXRh4NIBe77LuRRy5I35diGoaiTlhDhOPUg7LCYHht/GTHkGgZ9Y06fhzCWuUNDA
|
||||
FS9ak169Uod6oSnX3X7Y
|
||||
=kJQO
|
||||
-----END PGP SIGNATURE-----
|
3
libseccomp-2.3.1.tar.gz
Normal file
3
libseccomp-2.3.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b
|
||||
size 552299
|
21
libseccomp-2.3.1.tar.gz.SHA256SUM.asc
Normal file
21
libseccomp-2.3.1.tar.gz.SHA256SUM.asc
Normal file
@ -0,0 +1,21 @@
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA256
|
||||
|
||||
ff5bdd2168790f1979e24eaa498f8606c2f2d96f08a8dc4006a2e88affa4562b libseccomp-2.3.1.tar.gz
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iQIcBAEBCAAGBQJXF+KwAAoJEFXkWlroynyKcUcP/18AlU1aohqM1V3KkUQgLv6P
|
||||
Ka6ZPddIdS3BqcXxScPhNUQuSK2QuxcxZb+RBXGS9Cx/zYrlcXrv6M0Uzgc5q9jB
|
||||
IS4fYHj8yB4odmjMWb1wohrwXHrt5+lmTsGmw7apKkuqeOjwFdKqaR10eWd7DaSq
|
||||
tJAQ7evImCRM3rsIXk0hvtkDCon5K5LZieHjejJ59D2z9Nrghp2Urf8dXwT1uFPq
|
||||
bFZ4AngMzs41K5052iWVZGAskcyi4tc8f11gd2Ao34rP6hmW0VaJCKszyvC0gOqV
|
||||
jBtHMwf3OwjuU9xUKHEqEB1uoF1AxZnwS3mkXBeli414XXXI8rKLtJUylyjJ+3b0
|
||||
CT6puXmoscBJaDxe6oVm6yRZrHOp3TtQzTVV0uAABiQcDbbIlmjRMvOTYcjispH8
|
||||
73CRupEb3eTl5Kwx/yB/0Z+ml0FI9pnB8UtaiBGJIfqL/uIEPcio4UxR4YJR0NiN
|
||||
Euc2pBVUHdK6bVIcc4ntLc9aaqxVvGj5Nvsy+ptfnUTWJ0MvzyX6mYsp5/iUNAL2
|
||||
lLux66+rUqr+GU2o+USNXIQ+CIb1mLZizYtgxYrEjE+fyVJWb9hoEHRIzuzdLI4d
|
||||
ZMJcCxe2QdHzl1CNtGalC0q4XDXJf9swxW4WjGFODkrdt5tG2zyjJ0WkscgduWCZ
|
||||
1BBGwp05jg84FtP5DzNE
|
||||
=JDAl
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat May 7 23:11:02 UTC 2016 - jengelh@inai.de
|
||||
|
||||
- Update to new upstream release 2.3.1
|
||||
* arch: fix the multiplexed ipc() syscalls
|
||||
* s390: handle multiplexed syscalls correctly
|
||||
- Remove 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch,
|
||||
0001-tests-replace-socket-syscall-references-in-15-basic-.patch
|
||||
(fixed upstream)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 19 16:00:29 UTC 2016 - jengelh@inai.de
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
Name: libseccomp
|
||||
%define lname libseccomp2
|
||||
Version: 2.3.0
|
||||
Version: 2.3.1
|
||||
Release: 0
|
||||
Summary: An enhanced Seccomp (mode 2) helper library
|
||||
License: LGPL-2.1
|
||||
@ -30,8 +30,6 @@ Source: https://github.com/seccomp/libseccomp/releases/download/v%versio
|
||||
Source2: https://github.com/seccomp/libseccomp/releases/download/v%version/%name-%version.tar.gz.SHA256SUM.asc
|
||||
Source99: baselibs.conf
|
||||
Patch1: no-static.diff
|
||||
Patch2: 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch
|
||||
Patch3: 0001-tests-replace-socket-syscall-references-in-15-basic-.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake >= 1.11
|
||||
@ -99,15 +97,15 @@ This subpackage contains debug utilities for the seccomp interface.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -P 1 -P 2 -P 3 -p1
|
||||
%patch -P 1 -p1
|
||||
|
||||
%build
|
||||
if [ ! -e configure ]; then
|
||||
if [ ! -f configure ]; then
|
||||
perl -i -pe 's{AC_INIT\(\[libseccomp\], \[0\.0\.0\]\)}{AC_INIT([libseccomp], [2.3.0])}' configure.ac
|
||||
fi
|
||||
autoreconf -fi
|
||||
%configure --includedir="%_includedir/%name" --disable-static
|
||||
make %{?_smp_mflags};
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
Loading…
Reference in New Issue
Block a user