summaryrefslogtreecommitdiff
path: root/vendor/github.com/seccomp
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-28 05:37:44 -0400
committerGitHub <noreply@github.com>2020-08-28 05:37:44 -0400
commitd6b13d8a0993aced5e227e7a516aadbf37e14dbc (patch)
tree276c3ffed36d0a12ba2ecce810edd5b831da8dec /vendor/github.com/seccomp
parenta38e77bbb56983a65419be375a25a336143759a3 (diff)
parent98ead36531378ea22d1298235a10ce476f20391d (diff)
downloadpodman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.tar.gz
podman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.tar.bz2
podman-d6b13d8a0993aced5e227e7a516aadbf37e14dbc.zip
Merge pull request #7480 from openSUSE/containers-common
Switch to containers/common for seccomp
Diffstat (limited to 'vendor/github.com/seccomp')
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/.travis.yml37
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md (renamed from vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES)92
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/README.md (renamed from vendor/github.com/seccomp/libseccomp-golang/README)26
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/go.mod3
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/go.sum23
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp.go84
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go53
7 files changed, 218 insertions, 100 deletions
diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
new file mode 100644
index 000000000..feef144d1
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
@@ -0,0 +1,37 @@
+# Travis CI configuration for libseccomp-golang
+
+# https://docs.travis-ci.com/user/reference/bionic
+# https://wiki.ubuntu.com/Releases
+
+dist: bionic
+sudo: false
+
+notifications:
+ email:
+ on_success: always
+ on_failure: always
+
+arch:
+ - amd64
+
+os:
+ - linux
+
+language: go
+
+addons:
+ apt:
+ packages:
+ - build-essential
+ # TODO: use the main libseccomp git repo instead of a distro package
+ - libseccomp2
+ - libseccomp-dev
+
+install:
+ - go get -u golang.org/x/lint/golint
+
+# run all of the tests independently, fail if any of the tests error
+script:
+ - make check-syntax
+ - make lint
+ - make check
diff --git a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md
index 744e5cd64..d6862cbd5 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES
+++ b/vendor/github.com/seccomp/libseccomp-golang/CONTRIBUTING.md
@@ -8,11 +8,11 @@ to the rules described here, but by following the instructions below you
should have a much easier time getting your work merged with the upstream
project.
-* Test Your Code
+## Test Your Code Using Existing Tests
-There are two possible tests you can run to verify your code. The first test
-is used to check the formatting and coding style of your changes, you can run
-the test with the following command:
+There are two possible tests you can run to verify your code. The first
+test is used to check the formatting and coding style of your changes, you
+can run the test with the following command:
# make check-syntax
@@ -27,30 +27,13 @@ with the following command:
... if there are any faults or errors they will be displayed.
-* Generate the Patch(es)
+## Add New Tests for New Functionality
-Depending on how you decided to work with the libseccomp code base and what
-tools you are using there are different ways to generate your patch(es).
-However, regardless of what tools you use, you should always generate your
-patches using the "unified" diff/patch format and the patches should always
-apply to the libseccomp source tree using the following command from the top
-directory of the libseccomp sources:
+Any submissions which add functionality, or significantly change the existing
+code, should include additional tests to verify the proper operation of the
+proposed changes.
- # patch -p1 < changes.patch
-
-If you are not using git, stacked git (stgit), or some other tool which can
-generate patch files for you automatically, you may find the following command
-helpful in generating patches, where "libseccomp.orig/" is the unmodified
-source code directory and "libseccomp/" is the source code directory with your
-changes:
-
- # diff -purN libseccomp-golang.orig/ libseccomp-golang/
-
-When in doubt please generate your patch and try applying it to an unmodified
-copy of the libseccomp sources; if it fails for you, it will fail for the rest
-of us.
-
-* Explain Your Work
+## Explain Your Work
At the top of every patch you should include a description of the problem you
are trying to solve, how you solved it, and why you chose the solution you
@@ -59,7 +42,7 @@ if you can describe/include a reproducer for the problem in the description as
well as instructions on how to test for the bug and verify that it has been
fixed.
-* Sign Your Work
+## Sign Your Work
The sign-off is a simple line at the end of the patch description, which
certifies that you wrote it or otherwise have the right to pass it on as an
@@ -97,16 +80,49 @@ your real name, saying:
Signed-off-by: Random J Developer <random@developer.example.org>
-* Email Your Patch(es)
+You can add this to your commit description in `git` with `git commit -s`
+
+## Post Your Patches Upstream
+
+The libseccomp project accepts both GitHub pull requests and patches sent via
+the mailing list. GitHub pull requests are preferred. This sections below
+explain how to contribute via either method. Please read each step and perform
+all steps that apply to your chosen contribution method.
+
+### Submitting via Email
+
+Depending on how you decided to work with the libseccomp code base and what
+tools you are using there are different ways to generate your patch(es).
+However, regardless of what tools you use, you should always generate your
+patches using the "unified" diff/patch format and the patches should always
+apply to the libseccomp source tree using the following command from the top
+directory of the libseccomp sources:
+
+ # patch -p1 < changes.patch
+
+If you are not using git, stacked git (stgit), or some other tool which can
+generate patch files for you automatically, you may find the following command
+helpful in generating patches, where "libseccomp.orig/" is the unmodified
+source code directory and "libseccomp/" is the source code directory with your
+changes:
+
+ # diff -purN libseccomp.orig/ libseccomp/
+
+When in doubt please generate your patch and try applying it to an unmodified
+copy of the libseccomp sources; if it fails for you, it will fail for the rest
+of us.
Finally, you will need to email your patches to the mailing list so they can
-be reviewed and potentially merged into the main libseccomp-golang repository.
-When sending patches to the mailing list it is important to send your email in
-text form, no HTML mail please, and ensure that your email client does not
-mangle your patches. It should be possible to save your raw email to disk and
-apply it directly to the libseccomp source code; if that fails then you likely
-have a problem with your email client. When in doubt try a test first by
-sending yourself an email with your patch and attempting to apply the emailed
-patch to the libseccomp-golang repository; if it fails for you, it will fail
-for the rest of us trying to test your patch and include it in the main
-libseccomp-golang repository.
+be reviewed and potentially merged into the main libseccomp repository. When
+sending patches to the mailing list it is important to send your email in text
+form, no HTML mail please, and ensure that your email client does not mangle
+your patches. It should be possible to save your raw email to disk and apply
+it directly to the libseccomp source code; if that fails then you likely have
+a problem with your email client. When in doubt try a test first by sending
+yourself an email with your patch and attempting to apply the emailed patch to
+the libseccomp repository; if it fails for you, it will fail for the rest of
+us trying to test your patch and include it in the main libseccomp repository.
+
+### Submitting via GitHub
+
+See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before.
diff --git a/vendor/github.com/seccomp/libseccomp-golang/README b/vendor/github.com/seccomp/libseccomp-golang/README.md
index 66839a466..27423f2d9 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/README
+++ b/vendor/github.com/seccomp/libseccomp-golang/README.md
@@ -1,7 +1,8 @@
-libseccomp-golang: Go Language Bindings for the libseccomp Project
+![libseccomp Golang Bindings](https://github.com/seccomp/libseccomp-artwork/blob/main/logo/libseccomp-color_text.png)
===============================================================================
https://github.com/seccomp/libseccomp-golang
-https://github.com/seccomp/libseccomp
+
+[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
The libseccomp library provides an easy to use, platform independent, interface
to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
@@ -12,40 +13,39 @@ be familiar to, and easily adopted by, application developers.
The libseccomp-golang library provides a Go based interface to the libseccomp
library.
-* Online Resources
+## Online Resources
The library source repository currently lives on GitHub at the following URLs:
- -> https://github.com/seccomp/libseccomp-golang
- -> https://github.com/seccomp/libseccomp
+* https://github.com/seccomp/libseccomp-golang
+* https://github.com/seccomp/libseccomp
The project mailing list is currently hosted on Google Groups at the URL below,
please note that a Google account is not required to subscribe to the mailing
list.
- -> https://groups.google.com/d/forum/libseccomp
+* https://groups.google.com/d/forum/libseccomp
Documentation is also available at:
- -> https://godoc.org/github.com/seccomp/libseccomp-golang
+* https://godoc.org/github.com/seccomp/libseccomp-golang
-* Installing the package
+## Installing the package
The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4;
earlier versions may yield unpredictable results. If you meet these
requirements you can install this package using the command below:
- $ go get github.com/seccomp/libseccomp-golang
+ # go get github.com/seccomp/libseccomp-golang
-* Testing the Library
+## Testing the Library
A number of tests and lint related recipes are provided in the Makefile, if
you want to run the standard regression tests, you can excute the following:
- $ make check
+ # make check
In order to execute the 'make lint' recipe the 'golint' tool is needed, it
can be found at:
- -> https://github.com/golang/lint
-
+* https://github.com/golang/lint
diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.mod b/vendor/github.com/seccomp/libseccomp-golang/go.mod
new file mode 100644
index 000000000..6384b3769
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/go.mod
@@ -0,0 +1,3 @@
+module github.com/seccomp/libseccomp-golang
+
+go 1.14
diff --git a/vendor/github.com/seccomp/libseccomp-golang/go.sum b/vendor/github.com/seccomp/libseccomp-golang/go.sum
new file mode 100644
index 000000000..72ae16111
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/go.sum
@@ -0,0 +1,23 @@
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200313205530-4303120df7d8 h1:gkI/wGGwpcG5W4hLCzZNGxA4wzWBGGDStRI1MrjDl2Q=
+golang.org/x/tools v0.0.0-20200313205530-4303120df7d8/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index a3cc53822..e489b9ebd 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -125,7 +125,8 @@ const (
// ActInvalid is a placeholder to ensure uninitialized ScmpAction
// variables are invalid
ActInvalid ScmpAction = iota
- // ActKill kills the process
+ // ActKill kills the thread that violated the rule. It is the same as ActKillThread.
+ // All other threads from the same thread group will continue to execute.
ActKill ScmpAction = iota
// ActTrap throws SIGSYS
ActTrap ScmpAction = iota
@@ -141,6 +142,14 @@ const (
// This action is only usable when libseccomp API level 3 or higher is
// supported.
ActLog ScmpAction = iota
+ // ActKillThread kills the thread that violated the rule. It is the same as ActKill.
+ // All other threads from the same thread group will continue to execute.
+ ActKillThread ScmpAction = iota
+ // ActKillProcess kills the process that violated the rule.
+ // All threads in the thread group are also terminated.
+ // This action is only usable when libseccomp API level 3 or higher is
+ // supported.
+ ActKillProcess ScmpAction = iota
)
const (
@@ -290,8 +299,10 @@ func (a ScmpCompareOp) String() string {
// String returns a string representation of a seccomp match action
func (a ScmpAction) String() string {
switch a & 0xFFFF {
- case ActKill:
- return "Action: Kill Process"
+ case ActKill, ActKillThread:
+ return "Action: Kill thread"
+ case ActKillProcess:
+ return "Action: Kill process"
case ActTrap:
return "Action: Send SIGSYS"
case ActErrno:
@@ -334,23 +345,23 @@ func GetLibraryVersion() (major, minor, micro uint) {
return verMajor, verMinor, verMicro
}
-// GetApi returns the API level supported by the system.
+// GetAPI returns the API level supported by the system.
// Returns a positive int containing the API level, or 0 with an error if the
// API level could not be detected due to the library being older than v2.4.0.
// See the seccomp_api_get(3) man page for details on available API levels:
// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
-func GetApi() (uint, error) {
- return getApi()
+func GetAPI() (uint, error) {
+ return getAPI()
}
-// SetApi forcibly sets the API level. General use of this function is strongly
+// SetAPI forcibly sets the API level. General use of this function is strongly
// discouraged.
// Returns an error if the API level could not be set. An error is always
// returned if the library is older than v2.4.0
// See the seccomp_api_get(3) man page for details on available API levels:
// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
-func SetApi(api uint) error {
- return setApi(api)
+func SetAPI(api uint) error {
+ return setAPI(api)
}
// Syscall functions
@@ -552,9 +563,8 @@ func (f *ScmpFilter) Reset(defaultAction ScmpAction) error {
return errBadFilter
}
- retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative())
- if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()); retCode != 0 {
+ return errRc(retCode)
}
return nil
@@ -600,11 +610,12 @@ func (f *ScmpFilter) Merge(src *ScmpFilter) error {
}
// Merge the filters
- retCode := C.seccomp_merge(f.filterCtx, src.filterCtx)
- if syscall.Errno(-1*retCode) == syscall.EINVAL {
- return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_merge(f.filterCtx, src.filterCtx); retCode != 0 {
+ e := errRc(retCode)
+ if e == syscall.EINVAL {
+ return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter")
+ }
+ return e
}
src.valid = false
@@ -633,12 +644,13 @@ func (f *ScmpFilter) IsArchPresent(arch ScmpArch) (bool, error) {
return false, errBadFilter
}
- retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative())
- if syscall.Errno(-1*retCode) == syscall.EEXIST {
- // -EEXIST is "arch not present"
- return false, nil
- } else if retCode != 0 {
- return false, syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative()); retCode != 0 {
+ e := errRc(retCode)
+ if e == syscall.EEXIST {
+ // -EEXIST is "arch not present"
+ return false, nil
+ }
+ return false, e
}
return true, nil
@@ -661,9 +673,10 @@ func (f *ScmpFilter) AddArch(arch ScmpArch) error {
// Libseccomp returns -EEXIST if the specified architecture is already
// present. Succeed silently in this case, as it's not fatal, and the
// architecture is present already.
- retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative()); retCode != 0 {
+ if e := errRc(retCode); e != syscall.EEXIST {
+ return e
+ }
}
return nil
@@ -686,9 +699,10 @@ func (f *ScmpFilter) RemoveArch(arch ScmpArch) error {
// Similar to AddArch, -EEXIST is returned if the arch is not present
// Succeed silently in that case, this is not fatal and the architecture
// is not present in the filter after RemoveArch
- retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
+ if retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative()); retCode != 0 {
+ if e := errRc(retCode); e != syscall.EEXIST {
+ return e
+ }
}
return nil
@@ -705,7 +719,7 @@ func (f *ScmpFilter) Load() error {
}
if retCode := C.seccomp_load(f.filterCtx); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -764,7 +778,7 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
func (f *ScmpFilter) GetLogBit() (bool, error) {
log, err := f.getFilterAttr(filterAttrLog)
if err != nil {
- api, apiErr := getApi()
+ api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
@@ -818,7 +832,7 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
err := f.setFilterAttr(filterAttrLog, toSet)
if err != nil {
- api, apiErr := getApi()
+ api, apiErr := getAPI()
if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
@@ -842,7 +856,7 @@ func (f *ScmpFilter) SetSyscallPriority(call ScmpSyscall, priority uint8) error
if retCode := C.seccomp_syscall_priority(f.filterCtx, C.int(call),
C.uint8_t(priority)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -907,7 +921,7 @@ func (f *ScmpFilter) ExportPFC(file *os.File) error {
}
if retCode := C.seccomp_export_pfc(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -928,7 +942,7 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
}
if retCode := C.seccomp_export_bpf(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index 4e36b27ae..0982e930f 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -72,7 +72,17 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
#define SCMP_ACT_LOG 0x7ffc0000U
#endif
+#ifndef SCMP_ACT_KILL_PROCESS
+#define SCMP_ACT_KILL_PROCESS 0x80000000U
+#endif
+
+#ifndef SCMP_ACT_KILL_THREAD
+#define SCMP_ACT_KILL_THREAD 0x00000000U
+#endif
+
const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
+const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS;
+const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD;
const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP;
const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
@@ -203,7 +213,7 @@ const (
archEnd ScmpArch = ArchS390X
// Comparison boundaries to check for action validity
actionStart ScmpAction = ActKill
- actionEnd ScmpAction = ActLog
+ actionEnd ScmpAction = ActKillProcess
// Comparison boundaries to check for comparison operator validity
compareOpStart ScmpCompareOp = CompareNotEqual
compareOpEnd ScmpCompareOp = CompareMaskedEqual
@@ -236,7 +246,7 @@ func ensureSupportedVersion() error {
}
// Get the API level
-func getApi() (uint, error) {
+func getAPI() (uint, error) {
api := C.seccomp_api_get()
if api == 0 {
return 0, fmt.Errorf("API level operations are not supported")
@@ -246,9 +256,9 @@ func getApi() (uint, error) {
}
// Set the API level
-func setApi(api uint) error {
+func setAPI(api uint) error {
if retCode := C.seccomp_api_set(C.uint(api)); retCode != 0 {
- if syscall.Errno(-1*retCode) == syscall.EOPNOTSUPP {
+ if errRc(retCode) == syscall.EOPNOTSUPP {
return fmt.Errorf("API level operations are not supported")
}
@@ -265,6 +275,10 @@ func filterFinalizer(f *ScmpFilter) {
f.Release()
}
+func errRc(rc C.int) error {
+ return syscall.Errno(-1 * rc)
+}
+
// Get a raw filter attribute
func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
f.lock.Lock()
@@ -278,7 +292,7 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute)
if retCode != 0 {
- return 0x0, syscall.Errno(-1 * retCode)
+ return 0x0, errRc(retCode)
}
return attribute, nil
@@ -295,7 +309,7 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ return errRc(retCode)
}
return nil
@@ -316,14 +330,17 @@ func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact b
retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond)
}
- if syscall.Errno(-1*retCode) == syscall.EFAULT {
- return fmt.Errorf("unrecognized syscall %#x", int32(call))
- } else if syscall.Errno(-1*retCode) == syscall.EPERM {
- return fmt.Errorf("requested action matches default action of filter")
- } else if syscall.Errno(-1*retCode) == syscall.EINVAL {
- return fmt.Errorf("two checks on same syscall argument")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
+ if retCode != 0 {
+ switch e := errRc(retCode); e {
+ case syscall.EFAULT:
+ return fmt.Errorf("unrecognized syscall %#x", int32(call))
+ case syscall.EPERM:
+ return fmt.Errorf("requested action matches default action of filter")
+ case syscall.EINVAL:
+ return fmt.Errorf("two checks on same syscall argument")
+ default:
+ return e
+ }
}
return nil
@@ -517,6 +534,10 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
switch a & 0xFFFF0000 {
case C.C_ACT_KILL:
return ActKill, nil
+ case C.C_ACT_KILL_PROCESS:
+ return ActKillProcess, nil
+ case C.C_ACT_KILL_THREAD:
+ return ActKillThread, nil
case C.C_ACT_TRAP:
return ActTrap, nil
case C.C_ACT_ERRNO:
@@ -537,6 +558,10 @@ func (a ScmpAction) toNative() C.uint32_t {
switch a & 0xFFFF {
case ActKill:
return C.C_ACT_KILL
+ case ActKillProcess:
+ return C.C_ACT_KILL_PROCESS
+ case ActKillThread:
+ return C.C_ACT_KILL_THREAD
case ActTrap:
return C.C_ACT_TRAP
case ActErrno: